diff --git a/codeArena/CodeArena Chat.ipynb b/codeArena/CodeArena Chat.ipynb
new file mode 100644
index 0000000..e2f8a08
--- /dev/null
+++ b/codeArena/CodeArena Chat.ipynb
@@ -0,0 +1,5776 @@ +{ + "cells": [ + { + "cell_type": "code", + "execution_count": null, + "id": "44354e16", + "metadata": {}, + "outputs": [], + "source": [ + "#Code4rena_-_Main_-_questions.html" + ] + }, + { + "cell_type": "code", + "execution_count": 1, + "id": "0d03702d", + "metadata": { + "collapsed": true + }, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Requirement already satisfied: beautifulsoup4 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (4.12.2)\n", + "Requirement already satisfied: lxml in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (4.9.2)\n", + "Requirement already satisfied: soupsieve>1.2 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from beautifulsoup4) (2.4)\n", + "Note: you may need to restart the kernel to use updated packages.\n" + ] + } + ], + "source": [ + "%pip install beautifulsoup4 lxml" + ] + }, + { + "cell_type": "code", + "execution_count": 3, + "id": "82826cd2", + "metadata": { + "collapsed": true + }, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Requirement already satisfied: faiss-cpu in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (1.7.4)\n", + "Requirement already satisfied: matplotlib in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (3.8.0)\n", + "Requirement already satisfied: openai in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (0.28.0)\n", + "Requirement already satisfied: plotly in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (5.17.0)\n", + "Requirement already satisfied: pandas in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (2.1.1)\n", + "Requirement already satisfied: scipy in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (1.11.2)\n", + "Collecting 
scikit-learn\n", + " Obtaining dependency information for scikit-learn from https://files.pythonhosted.org/packages/db/0d/1f6d2cd52c886707b00ddb7ed2504cbf10903a60a7bebcd71f0f77d53505/scikit_learn-1.3.1-cp311-cp311-macosx_12_0_arm64.whl.metadata\n", + " Downloading scikit_learn-1.3.1-cp311-cp311-macosx_12_0_arm64.whl.metadata (11 kB)\n", + "Requirement already satisfied: contourpy>=1.0.1 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from matplotlib) (1.1.1)\n", + "Requirement already satisfied: cycler>=0.10 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from matplotlib) (0.11.0)\n", + "Requirement already satisfied: fonttools>=4.22.0 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from matplotlib) (4.42.1)\n", + "Requirement already satisfied: kiwisolver>=1.0.1 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from matplotlib) (1.4.5)\n", + "Requirement already satisfied: numpy<2,>=1.21 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from matplotlib) (1.25.2)\n", + "Requirement already satisfied: packaging>=20.0 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from matplotlib) (23.0)\n", + "Requirement already satisfied: pillow>=6.2.0 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from matplotlib) (10.0.1)\n", + "Requirement already satisfied: pyparsing>=2.3.1 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from matplotlib) (3.1.1)\n", + "Requirement already satisfied: python-dateutil>=2.7 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from matplotlib) (2.8.2)\n", + "Requirement already satisfied: requests>=2.20 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from openai) (2.31.0)\n", + "Requirement already satisfied: tqdm in 
/Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from openai) (4.66.1)\n", + "Requirement already satisfied: aiohttp in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from openai) (3.8.5)\n", + "Requirement already satisfied: tenacity>=6.2.0 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from plotly) (8.2.3)\n", + "Requirement already satisfied: pytz>=2020.1 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from pandas) (2022.7)\n", + "Requirement already satisfied: tzdata>=2022.1 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from pandas) (2023.3)\n", + "Collecting joblib>=1.1.1 (from scikit-learn)\n", + " Obtaining dependency information for joblib>=1.1.1 from https://files.pythonhosted.org/packages/10/40/d551139c85db202f1f384ba8bcf96aca2f329440a844f924c8a0040b6d02/joblib-1.3.2-py3-none-any.whl.metadata\n", + " Downloading joblib-1.3.2-py3-none-any.whl.metadata (5.4 kB)\n", + "Collecting threadpoolctl>=2.0.0 (from scikit-learn)\n", + " Obtaining dependency information for threadpoolctl>=2.0.0 from https://files.pythonhosted.org/packages/81/12/fd4dea011af9d69e1cad05c75f3f7202cdcbeac9b712eea58ca779a72865/threadpoolctl-3.2.0-py3-none-any.whl.metadata\n", + " Downloading threadpoolctl-3.2.0-py3-none-any.whl.metadata (10.0 kB)\n", + "Requirement already satisfied: six>=1.5 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from python-dateutil>=2.7->matplotlib) (1.16.0)\n", + "Requirement already satisfied: charset-normalizer<4,>=2 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from requests>=2.20->openai) (2.0.4)\n", + "Requirement already satisfied: idna<4,>=2.5 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from requests>=2.20->openai) (3.4)\n", + "Requirement already satisfied: urllib3<3,>=1.21.1 in 
/Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from requests>=2.20->openai) (1.26.16)\n", + "Requirement already satisfied: certifi>=2017.4.17 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from requests>=2.20->openai) (2023.7.22)\n", + "Requirement already satisfied: attrs>=17.3.0 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from aiohttp->openai) (22.1.0)\n", + "Requirement already satisfied: multidict<7.0,>=4.5 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from aiohttp->openai) (6.0.4)\n", + "Requirement already satisfied: async-timeout<5.0,>=4.0.0a3 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from aiohttp->openai) (4.0.3)\n", + "Requirement already satisfied: yarl<2.0,>=1.0 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from aiohttp->openai) (1.9.2)\n", + "Requirement already satisfied: frozenlist>=1.1.1 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from aiohttp->openai) (1.4.0)\n", + "Requirement already satisfied: aiosignal>=1.1.2 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from aiohttp->openai) (1.3.1)\n", + "Downloading scikit_learn-1.3.1-cp311-cp311-macosx_12_0_arm64.whl (9.4 MB)\n", + "\u001b[2K \u001b[38;2;114;156;31m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001b[0m \u001b[32m9.4/9.4 MB\u001b[0m \u001b[31m38.0 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m[36m0:00:01\u001b[0mm eta \u001b[36m0:00:01\u001b[0m\n", + "\u001b[?25hDownloading joblib-1.3.2-py3-none-any.whl (302 kB)\n", + "\u001b[2K \u001b[38;2;114;156;31m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001b[0m \u001b[32m302.2/302.2 kB\u001b[0m \u001b[31m33.2 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n", + "\u001b[?25hDownloading threadpoolctl-3.2.0-py3-none-any.whl (15 kB)\n", + "Installing collected packages: threadpoolctl, 
joblib, scikit-learn\n", + "Successfully installed joblib-1.3.2 scikit-learn-1.3.1 threadpoolctl-3.2.0\n", + "Note: you may need to restart the kernel to use updated packages.\n" + ] + } + ], + "source": [ + "%pip install faiss-cpu matplotlib openai plotly pandas scipy scikit-learn" + ] + }, + { + "cell_type": "code", + "execution_count": 7, + "id": "5576b518", + "metadata": {}, + "outputs": [], + "source": [ + "from langchain.llms import OpenAI\n", + "from langchain.chat_models import ChatOpenAI\n", + "from langchain.schema import HumanMessage, AIMessage, SystemMessage\n", + "from getpass import getpass\n", + "import os\n", + "import json" + ] + }, + { + "cell_type": "code", + "execution_count": 194, + "id": "bace3e92", + "metadata": {}, + "outputs": [], + "source": [ + "from IPython.display import HTML, display\n", + "import faiss \n", + "import openai\n", + "from openai.embeddings_utils import get_embedding, cosine_similarity\n", + "import pandas as pd\n", + "import numpy as np\n", + "from sklearn.cluster import KMeans\n", + "from langchain.vectorstores import FAISS\n", + "from langchain.docstore.document import Document" + ] + }, + { + "cell_type": "code", + "execution_count": 12, + "id": "71255862", + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "········\n" + ] + } + ], + "source": [ + "# setting up an OpenAI template on the run\n", + "OPENAI_API_KEY = getpass()\n", + "\n", + "os.environ['OPENAI_API_KEY'] = OPENAI_API_KEY" + ] + }, + { + "cell_type": "code", + "execution_count": 16, + "id": "8b28588e", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "'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'" + ] + }, + "execution_count": 16, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "os.environ['OPENAI_API_KEY']" + ] + }, + { + "cell_type": "code", + "execution_count": 18, + "id": "e2ad189c", + "metadata": {}, + "outputs": [], + "source": [ + "openai.api_key 
= os.environ['OPENAI_API_KEY']" + ] + }, + { + "cell_type": "markdown", + "id": "ada636ef", + "metadata": {}, + "source": [ + "### Load the Chat" + ] + }, + { + "cell_type": "code", + "execution_count": 82, + "id": "ae84613c", + "metadata": {}, + "outputs": [], + "source": [ + "from bs4 import BeautifulSoup\n", + "\n", + "chat_lines = []\n", + "\n", + "# Load the HTML content from the file\n", + "with open('Code4rena_-_Main_-_questions.html', 'r', encoding='utf-8') as file:\n", + " html_content = file.read()\n", + "\n", + "\n", + "# Parse the HTML using BeautifulSoup\n", + "soup = BeautifulSoup(html_content, 'html.parser')\n", + "\n" + ] + }, + { + "cell_type": "code", + "execution_count": 83, + "id": "3b7b272d", + "metadata": {}, + "outputs": [], + "source": [ + "chat_data = []\n", + "\n", + "# Loop through each chat message block\n", + "for message_block in soup.find_all('div', class_='chatlog__message-group'):\n", + " username_elem = message_block.find('span', class_='chatlog__author')\n", + " reply_to = message_block.find('span', class_='chatlog__author')\n", + " message_elem = message_block.find('div', class_='chatlog__content chatlog__markdown')\n", + "\n", + " # If both username and message elements are found, append to the chat_data\n", + " if username_elem and message_elem:\n", + " username = username_elem.get_text().strip()\n", + " message = message_elem.get_text().strip()\n", + " chat_data.append((username, message))" + ] + }, + { + "cell_type": "code", + "execution_count": 86, + "id": "1d93a98b", + "metadata": {}, + "outputs": [], + "source": [ + "chat_data = []\n", + "# Loop through each chat message block\n", + "for message_block in soup.find_all('div', class_='chatlog__message-group'):\n", + " username_elem = message_block.find('span', class_='chatlog__author')\n", + " message_elem = message_block.find('div', class_='chatlog__content chatlog__markdown')\n", + " reply_elem = message_block.find('div', class_='chatlog__reply-content')\n", + "\n", + " # 
If both username and message elements are found, append to the chat_data\n", + " if username_elem and message_elem:\n", + " username = username_elem.get_text().strip()\n", + " message = message_elem.get_text().strip()\n", + "\n", + " # If the message has a reply, prepend it to the primary message\n", + " if reply_elem:\n", + " reply_content = reply_elem.get_text().strip()\n", + " message = f\"(Reply to: {reply_content}) {message}\"\n", + " \n", + " chat_data.append((username, message))\n" + ] + }, + { + "cell_type": "code", + "execution_count": 87, + "id": "42b80752", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "6372" + ] + }, + "execution_count": 87, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "len(chat_data)" + ] + }, + { + "cell_type": "code", + "execution_count": 154, + "id": "19a878ae", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "[('🧦 sockdrawer | C4',\n", + " '(Reply to: Question for C4 team: Is there any reason not to release all the unverified submissions a few days after contest ends, before judging?\\n\\nI ask because one of the best things about this process is learning from what others found, and it’d be great to do that while protocol still fresh on my mind.) In the works. Several moving pieces involved here. https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123'),\n", + " ('Dravee',\n", + " 'Just to make it clear: are high risk findings still game if they are out of scope? Does it depend on the contest?'),\n", + " ('🧦 sockdrawer | C4',\n", + " '(Reply to: Just to make it clear: are high risk findings still game if they are out of scope? Does it depend on the contest?) Definitely depends on the contest and the judge I think. I’d say you should make a case to the judge in your submission if you think it should be considered.'),\n", + " ('p_crypt0',\n", + " 'Any useful resources/tips for a beginner? 
I would appreciate some direction if anyone is willing to give'),\n", + " ('abhinavmir / evmsecurity.org',\n", + " \"Can't send a text on #😃chat - any clue what's up?\"),\n", + " ('🧦 sockdrawer | C4',\n", + " \"(Reply to: Can't send a text on #😃chat - any clue what's up?) The main chat is locked to just contributors at the moment to reduce spam and offtopic stuff. If you’d like to join as a warden, you can do that in #🐺i-want-to-be-a-warden\"),\n", + " ('🧦 sockdrawer | C4',\n", + " '(Reply to: Any useful resources/tips for a beginner? I would appreciate some direction if anyone is willing to give) Check out @cmichel’s great post https://cmichel.io/how-to-become-a-smart-contract-auditor/'),\n", + " ('abhinavmir / evmsecurity.org',\n", + " \"(Reply to: The main chat is locked to just contributors at the moment to reduce spam and offtopic stuff. If you’d like to join as a warden, you can do that in #🐺i-want-to-be-a-warden) Sent! I'll try and audit the upcoming JPEGD contracts. Seems fun! Also, great work @cmichel !\"),\n", + " ('p_crypt0',\n", + " \"(Reply to: Check out @cmichel’s great post https://cmichel.io/how-to-become-a-smart-contract-auditor/) Thank you so much! I'm hoping to get started shortly and spend the next couple of weeks studying\"),\n", + " ('M2-DEMOS',\n", + " 'Hello! I was curious to see if you and your team would like to have a quick chat about how Governor DAO Proof of Existence Token can solve your Sybil resistance issues you might have?'),\n", + " ('Dravee',\n", + " \"Mmmhhh I can't prove that this is true anymore for keccak expressions on recent solidity versions: https://github.com/ethereum/solidity/issues/9232 . \\nIt's a gas optimization that's been existing for a while (and we can even see it on recently audited projects, like Axelar on solidity 0.8.9: // AUDIT: constants should be literal and their derivation should be in comments)\\nWhen did this optimization become obsolete? 
(edited)\"),\n", + " ('TomFrenchBlockchain',\n", + " \"(Reply to: Mmmhhh I can't prove that this is true anymore for keccak expressions on recent solidity versions: https://github.com/ethereum/solidity/issues/9232 . \\nIt's a gas optimization that's been existing for a while (and we can even see it on recently audited projects, like Axelar on solidity 0.8.9: // AUDIT: constants should be literal and their derivation should be in comments)\\nWhen did this optimization become obsolete? (edited)) Sorry, I think I'm responsible for this piece of misinformation entering the C4 hivemind and it's been amplified by wardens pulling findings from previous contest reports ever since.\\n\\nYou can see that this was fixed in 0.6.12 in this changelog: https://github.com/ethereum/solidity/blob/develop/Changelog.md#0612-2020-07-22\"),\n", + " ('Dravee',\n", + " \"(Reply to: Realistically this finding should be rejected on all contests as it's very unlikely that someone will be using <0.6.12) Wow thanks for making it clear!\"),\n", + " ('Kathleen_O',\n", + " 'Hi everyone! I’m Kathleen from IdleDAO (Idle.finance). Could someone please point me to a treasury manager?'),\n", + " ('🧦 sockdrawer | C4',\n", + " '(Reply to: Hi everyone! I’m Kathleen from IdleDAO (Idle.finance). Could someone please point me to a treasury manager?) @🦖 eric (ninek) | C4 is probably the closest thing to that?'),\n", + " ('100proof',\n", + " 'Is the Total column on the Leaderboard the number of audits done by that particular person?'),\n", + " ('🧦 sockdrawer | C4',\n", + " '(Reply to: Is the Total column on the Leaderboard the number of audits done by that particular person?) total number of valid findings of all severity levels'),\n", + " ('100proof',\n", + " \"I see that High, Med, and Gas are titles. Is there any particular reason why Low is not there (seeing as you've got a Total column)?\"),\n", + " ('🧦 sockdrawer | C4',\n", + " \"(Reply to: I see that High, Med, and Gas are titles. 
Is there any particular reason why Low is not there (seeing as you've got a Total column)?) low and non-critical issues are now grouped together as a single report by each warden.\"),\n", + " ('100proof',\n", + " 'That seems fair enough! Thank you so much for your prompt responses.')]" + ] + }, + "execution_count": 154, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "chat_data[1000:1020]" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "id": "acf73a10", + "metadata": {}, + "outputs": [], + "source": [ + "- CodeArena deals with smart contracts that are intended to be used in real-world applications, not just for the sake of competition. \n", + "- Smart contracts are set to be deployed after they are audited.\n", + "- Teams do not intentionally hide issues in the smart contracts.\n", + "- All smart contracts can be expected to have issues. \n", + "- You can read how to disclose issues at https://medium.com/@scott_lew_is/slingshot-finance-sponsors-20-000-usdc-guaranteed-distribution-bounty-pool-for-code-432n4s-first-789514a8dc99\n", + "- CodeArena is involved in auditing real-world smart contracts, places importance on transparency and proper reporting, and has partnerships and guidelines to ensure a structured approach to their activities." 
+ ] + }, + { + "cell_type": "code", + "execution_count": null, + "id": "13ccb7c8", + "metadata": {}, + "outputs": [], + "source": [ + "\n", + "Smart contracts in the context of the discussion are from the \"real world\" and will be used in practice.\n", + "These smart contracts will be deployed after being audited.\n", + "The mentioned smart contracts are not just made for the purpose of competition.\n", + "There is an expectation that the team should not hide issues in the smart contracts on purpose.\n", + "There are guidelines on how to report issues related to these smart contracts.\n", + "There is a medium article that provides more information about the subject.\n", + "There's a GitHub link pointing to a submission policy for CodeArena contests." + ] + }, + { + "cell_type": "code", + "execution_count": 92, + "id": "09b98885", + "metadata": {}, + "outputs": [ + { + "ename": "SyntaxError", + "evalue": "invalid syntax (4146194856.py, line 1)", + "output_type": "error", + "traceback": [ + "\u001b[0;36m Cell \u001b[0;32mIn[92], line 1\u001b[0;36m\u001b[0m\n\u001b[0;31m - A leaderboard of the best contestants will be manually updated until a system is built to track it automatically.\u001b[0m\n\u001b[0m ^\u001b[0m\n\u001b[0;31mSyntaxError\u001b[0m\u001b[0;31m:\u001b[0m invalid syntax\n" + ] + } + ], + "source": [ + "Long Prompt:\n", + "\n", + "- A leaderboard of the best contestants will be manually updated until a system is built to track it automatically.\n", + "- Participants can review and submit their findings on the last day and still be rewarded if they find a good exploit.\n", + "- All submissions will be made available after the contest ends, once the possible exploits have been patched.\n", + "- The focus of the contest is on the smart contracts, but suggestions for other relevant areas are open.\n", + "- The submission policy allows for submissions up to 3 hours prior to the contest stop time.\n", + "- A suggestion is made to allow submissions anytime 
prior to the contest end time and only accept the first or last entry from a person/team.\n", + "- Documentation will be updated to reflect the suggestion regarding code submissions for proof-of-concepts (POCs).\n", + "- Each POC is approximately 50 lines of code.\n", + "- Github usernames will be added to the submissions.\n", + "- There is a discussion on how to approach the potential misbehavior of the owner of the contract.\n", + "- A trust model description is suggested to clarify the behavior and roles of the owner and other roles involved.\n", + "- Mitigation measures can be created considering potential social engineering attacks on the owner.\n", + "- A compromised or malicious owner is considered out-of-scope for the contest." + ] + }, + { + "cell_type": "code", + "execution_count": null, + "id": "827dc33d", + "metadata": {}, + "outputs": [], + "source": [ + "- There is a suggestion to have a leaderboard of the best contestants after the results of the contest.\n", + "- Participants can review and send their submissions on the last day and still be rewarded if they find a good exploit.\n", + "- The smart contract review contest focuses on smart contracts, but other relevant suggestions are open.\n", + "- The submission policy allows submissions up to 3 hours prior to the contest stop time, but the latest submission time is not mentioned.\n", + "- A suggestion is made to allow submissions any time prior to the contest end time, with a policy to accept only the first or last entry from a person/team.\n", + "- The suggestion to submit code that runs proof of concept (poc) for each bug can be done by adding a zip file or sharing a private GitHub repository.\n", + "- There is a specific GitHub link provided for sharing vulnerability discovery poc: https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc\n", + "- There is a discussion about considering the potential impact of misbehavior of the contract owner 
and the need for a trust model description for involved roles.\n", + "- Mitigation measures can be created to address social engineering attacks on the contract owner." + ] + }, + { + "cell_type": "markdown", + "id": "7d31915b", + "metadata": {}, + "source": [ + "### Load the models" + ] + }, + { + "cell_type": "code", + "execution_count": 163, + "id": "f761ed3c", + "metadata": {}, + "outputs": [], + "source": [ + "model = ChatOpenAI(model=\"gpt-4-0613\")\n", + "model.temperature = 0.8" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "id": "05bdecd7", + "metadata": {}, + "outputs": [], + "source": [] + }, + { + "cell_type": "markdown", + "id": "d426b6ba", + "metadata": {}, + "source": [ + "### Construct the prompt" + ] + }, + { + "cell_type": "code", + "execution_count": 105, + "id": "f97556c6", + "metadata": {}, + "outputs": [], + "source": [ + "user1 = '''\n", + "We are building a knowledge base using unstructured information from a chat room. \n", + "Specifically, we are using information from the questions channel of the Discord\n", + "of CodeArena (C4), a company that performs audits of smart contracts. Your task \n", + "is to review an excerpt from the chat and identify all information in the chat\n", + "that gives information about CodeArena, it's activities, user questions and concerns, etc.\n", + "\n", + "Please carefully review the chat log and write whole sentences that carefully describe \n", + "information you found in the chat. Please keep extracting information until you've extracted \n", + "all the information from the chat. \n", + "\n", + "Chat:\n", + "('Cheetah',\n", + " \"Are those smart contracts from the 'real world' (i.e. 
will be used in practice) or only made for the purpose of this competition?\"),\n", + " ('shinobi',\n", + " '@Cheetah they are real smart contracts that will be deployed after being audited'),\n", + " ('zscole', 'yes, they are smart contracts from the \"real world\" (edited)'),\n", + " ('Cheetah',\n", + " 'thanks for the clarification, so theoretically there should be no issues hidden by the team on purpose'),\n", + " ('Matthias | ChainSecurity', 'Hehe, would be the first without issues'),\n", + " ('shinobi', 'No, but there are guidelines on how to report those'),\n", + " ('zscole', \"no, there shouldn't be.\"),\n", + " ('Matthias | ChainSecurity', 'how to disclose issues?'),\n", + " ('shinobi',\n", + " 'You can read More https://medium.com/@scott_lew_is/slingshot-finance-sponsors-20-000-usdc-guaranteed-distribution-bounty-pool-for-code-432n4s-first-789514a8dc99'),\n", + " ('zscole',\n", + " 'https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md'),\n", + "\n", + "Remember, please provide a bulleted list of facts from this chat. \n", + "Do not mention or reference any chat usernames or individuals. \n", + "Only extract factual information without adding additional context or interpretation. \n", + "When a fact relates to a link, ALWAYS include the link. If possible, try to figure out \n", + "a specific thing when a general noun is used (for example use \"blue finance contest\" rather \n", + "than \"contest\" if the context supports it). 
\n", + "'''\n", + "\n", + "assistant1 = '''\n", + "- Smart contracts in the context of the discussion are from the \"real world\" and will be used in practice.\n", + "- Smart contracts will be deployed after being audited.\n", + "- Smart contracts are not just made for the purpose of competition.\n", + "- There is an expectation that teams should not hide issues in the smart contracts on purpose.\n", + "- Guidelines on how to report issues related to smart contracts can be found at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md\n", + "- More information on the slingshot finance competition can be found at the following medium article: https://medium.com/@scott_lew_is/slingshot-finance-sponsors-20-000-usdc-guaranteed-distribution-bounty-pool-for-code-432n4s-first-789514a8dc99\n", + "'''\n", + "\n", + "user2 = '''\n", + "Great, now review this excerpt:\n", + "{}\n", + "\n", + "Remember, please provide a bulleted list of facts from this chat. Do not mention or reference any chat usernames or individuals. Only extract factual information without adding additional context or interpretation. When a fact relates to a link, ALWAYS include the link. If possible, try to figure out a specific thing when a general noun is used (for example use \"blue finance contest\" rather than \"contest\" if the context supports it). 
\n", + "'''\n" + ] + }, + { + "cell_type": "code", + "execution_count": 15, + "id": "6f89621c", + "metadata": {}, + "outputs": [], + "source": [ + "excerpt = chat_data[30:60]\n", + "prompt = user2.format(excerpt)" + ] + }, + { + "cell_type": "code", + "execution_count": 24, + "id": "29fb15b0", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "'\\nGreat, now review this excerpt:\\n[(\\'shinobi\\', \\'You found a critical one already\\'), (\\'zscole\\', \\'i need to make it more clear, but reports should be submitted at the end of the contest period\\'), (\\'Thunder\\', \\'what happens then if 2 participants submit the same bug at the end of the contest?\\'), (\\'zscole\\', \\'https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions\\'), (\\'Thunder\\', \\'so no hurry guyz, see you in 4 dayz\\'), (\\'zscole\\', \\'are you participating as a warden?\\'), (\\'Thunder\\', \\'idk just looking around for now\\'), (\\'zscole\\', \"sounds good. let me know if you\\'d like to be added to the warden role.\"), (\\'Luke\\', \\'Are there any well recommended resources on Solidity? Background is in vulnerability analysis but have not touched smart contracts etc so would probably need to do some deep diving before I can be of use\\'), (\\'zscole\\', \\'https://solidity-by-example.org/0.6\\\\nhttps://docs.soliditylang.org/en/v0.7.5/ (edited)\\'), (\\'zscole\\', \\'i would also recommend checking out the #⚽team-formation channel and joining someone in there\\'), (\\'pdizzy\\', \\'how are you guys choosing \"judges\" and how do they show what their decision on a bounty is?\\'), (\\'scott_L\\', \\'@pdizzy based on experience/reputation. someone we think will do a good job. zak ( @zscole ) is judging the first contest.\\\\n\\\\nwe are going to publish the results after the contest concludes. 
because all of the pool is paid out, regardless of how many bugs are found, there is not an incentive for the judge to \"downgrade\" bugs or deny people bounty shares they have earned.\\'), (\\'zscole\\', \\'https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md\\'), (\\'WillieBeamin\\', \\'Hi. Is there a \"Getting Started\" or something similar that shows how we run the slingshot code as it executes in the overall system?\\'), (\\'scott_L\\', \\'@zscole ^\\'), (\\'zscole\\', \\'https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#how-it-works\\'), (\\'WillieBeamin\\', \\'So we need to slingshot backend running locally, and that’s it?\\'), (\\'zscole\\', \\'the contracts can be compiled and function independently of the back end (edited)\\'), (\\'WillieBeamin\\', \\'cool, thanks\\'), (\\'0xDolus\\', \\'Happy to do a Loom video in the AM to show how to get the environment set up if that would be helpful\\'), (\\'zscole\\', \\'that would be great!\\'), (\\'0xDolus\\', \\'\\'), (\\'Thunder\\', \\'can we get a countdown timer so we do not miss the submission deadline?\\'), (\\'zscole\\', \"sure i\\'ll see how we can go about implementing something like that\"), (\\'🧦 sockdrawer | C4\\', \\'@zscole lmk when the deadline is and I’ll add one to the site.\\'), (\\'shinobi\\', \\'Hey man ! Yeah for sure, would be great to read your opinion, I’ll see read and comment on it\\'), (\\'🧦 sockdrawer | C4\\', \\'@zscole @shinobi what do you think about requesting links and preferred avatars from competing wardens and adding them to the home page along with the countdown?\\'), (\\'zscole\\', \\'stop time is Feb 21, 2359 UTC\\'), (\\'🧦 sockdrawer | C4\\', \\'Basically: “here’s who’s judging and who’s competing in this contest so far... also you can still join them”\\')]\\n\\nRemember, please provide a bulleted list of facts from this chat. Do not mention or reference any chat usernames or individuals. 
Only extract factual information without adding additional context or interpretation. When a fact relates to a link, ALWAYS include the link. If possible, try to figure out a specific thing when a general noun is used (for example use \"blue finance contest\" rather than \"contest\" if the context supports it). \\n'" + ] + }, + "execution_count": 24, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "prompt" + ] + }, + { + "cell_type": "code", + "execution_count": 25, + "id": "c60c9e86", + "metadata": {}, + "outputs": [], + "source": [ + "facts = model.predict_messages([HumanMessage(content=user1),\n", + " AIMessage(content=assistant1),\n", + " HumanMessage(content=prompt)\n", + " ]) " + ] + }, + { + "cell_type": "code", + "execution_count": 28, + "id": "5facd784", + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "- Reports of found issues should be submitted at the end of the contest period.\n", + "- There is a policy on how to handle duplicate submissions at the end of the contest, which can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions\n", + "- Participants can be added to the \"warden\" role.\n", + "- There are recommended resources on Solidity at https://solidity-by-example.org/0.6 and https://docs.soliditylang.org/en/v0.7.5/\n", + "- There is a #⚽team-formation channel where participants can join others.\n", + "- Judges are chosen based on experience and reputation.\n", + "- The results of the contest will be published after it concludes.\n", + "- All of the pool is paid out, regardless of how many bugs are found, so there is no incentive for the judge to \"downgrade\" bugs or deny people bounty shares they have earned.\n", + "- The judging criteria can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md\n", + "- There is a \"Getting Started\" guide on how to run the slingshot code at 
https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#how-it-works\n", + "- The contracts can be compiled and function independently of the back end.\n", + "- There is a plan to create a Loom video to show how to set up the environment.\n", + "- There is a plan to implement a countdown timer for the submission deadline.\n", + "- The stop time for the contest is Feb 21, 2359 UTC.\n", + "- There is a suggestion to request links and preferred avatars from competing wardens and adding them to the home page along with the countdown.\n" + ] + } + ], + "source": [ + "print(facts.content)" + ] + }, + { + "cell_type": "code", + "execution_count": 35, + "id": "7d4bde2b", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "['Reports of found issues should be submitted at the end of the contest period.', 'There is a policy on how to handle duplicate submissions at the end of the contest, which can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions', 'Participants can be added to the \"warden\" role.', 'There are recommended resources on Solidity at https://solidity-by-example.org/0.6 and https://docs.soliditylang.org/en/v0.7.5/', 'There is a #⚽team-formation channel where participants can join others.', 'Judges are chosen based on experience and reputation.', 'The results of the contest will be published after it concludes.', 'All of the pool is paid out, regardless of how many bugs are found, so there is no incentive for the judge to \"downgrade\" bugs or deny people bounty shares they have earned.', 'The judging criteria can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md', 'There is a \"Getting Started\" guide on how to run the slingshot code at https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#how-it-works', 'The contracts can be compiled and function independently of the back end.', 'There is a plan to create a 
Loom video to show how to set up the environment.', 'There is a plan to implement a countdown timer for the submission deadline.', 'The stop time for the contest is Feb 21, 2359 UTC.', 'There is a suggestion to request links and preferred avatars from competing wardens and adding them to the home page along with the countdown.']" + ] + }, + "execution_count": 35, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "[x.strip(\"\\n\").strip(\" \") for x in facts.content.split(\"- \") if x != '']" + ] + }, + { + "cell_type": "markdown", + "id": "6fe22f86", + "metadata": {}, + "source": [ + "### Process the whole chat" + ] + }, + { + "cell_type": "code", + "execution_count": 97, + "id": "ef0c16a0", + "metadata": {}, + "outputs": [], + "source": [ + "all_facts = []\n", + "interval_start = 0" + ] + }, + { + "cell_type": "code", + "execution_count": 101, + "id": "9709f063", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "0" + ] + }, + "execution_count": 101, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "interval_start" + ] + }, + { + "cell_type": "code", + "execution_count": 106, + "id": "d1916e27", + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Current Interval: 0 - 30\n", + "Current Interval: 25 - 55\n", + "Current Interval: 50 - 80\n", + "Current Interval: 75 - 105\n", + "Current Interval: 100 - 130\n", + "Current Interval: 125 - 155\n", + "Current Interval: 150 - 180\n", + "Current Interval: 175 - 205\n", + "Current Interval: 200 - 230\n", + "Current Interval: 225 - 255\n", + "Current Interval: 250 - 280\n", + "Current Interval: 275 - 305\n", + "Current Interval: 300 - 330\n", + "Current Interval: 325 - 355\n", + "Current Interval: 350 - 380\n", + "Current Interval: 375 - 405\n", + "Current Interval: 400 - 430\n", + "Current Interval: 425 - 455\n", + "Current Interval: 450 - 480\n", + "Current Interval: 475 - 505\n", + "Current Interval: 
500 - 530\n", + "Current Interval: 525 - 555\n", + "Current Interval: 550 - 580\n", + "Current Interval: 575 - 605\n", + "Current Interval: 600 - 630\n", + "Current Interval: 625 - 655\n", + "Current Interval: 650 - 680\n", + "Current Interval: 675 - 705\n", + "Current Interval: 700 - 730\n", + "Current Interval: 725 - 755\n", + "Current Interval: 750 - 780\n", + "Current Interval: 775 - 805\n", + "Current Interval: 800 - 830\n", + "Current Interval: 825 - 855\n", + "Current Interval: 850 - 880\n", + "Current Interval: 875 - 905\n", + "Current Interval: 900 - 930\n", + "Current Interval: 925 - 955\n", + "Current Interval: 950 - 980\n", + "Current Interval: 975 - 1005\n", + "Current Interval: 1000 - 1030\n", + "Current Interval: 1025 - 1055\n" + ] + }, + { + "name": "stderr", + "output_type": "stream", + "text": [ + "Retrying langchain.chat_models.openai.ChatOpenAI.completion_with_retry.._completion_with_retry in 4.0 seconds as it raised Timeout: Request timed out: HTTPSConnectionPool(host='api.openai.com', port=443): Read timed out. (read timeout=600).\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Current Interval: 1050 - 1080\n", + "Current Interval: 1075 - 1105\n", + "Current Interval: 1100 - 1130\n", + "Current Interval: 1125 - 1155\n", + "Current Interval: 1150 - 1180\n", + "Current Interval: 1175 - 1205\n", + "Current Interval: 1200 - 1230\n" + ] + }, + { + "name": "stderr", + "output_type": "stream", + "text": [ + "Retrying langchain.chat_models.openai.ChatOpenAI.completion_with_retry.._completion_with_retry in 4.0 seconds as it raised Timeout: Request timed out: HTTPSConnectionPool(host='api.openai.com', port=443): Read timed out. 
(read timeout=600).\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Current Interval: 1225 - 1255\n", + "Current Interval: 1250 - 1280\n", + "Current Interval: 1275 - 1305\n", + "Current Interval: 1300 - 1330\n", + "Current Interval: 1325 - 1355\n", + "Current Interval: 1350 - 1380\n", + "Current Interval: 1375 - 1405\n", + "Current Interval: 1400 - 1430\n", + "Current Interval: 1425 - 1455\n", + "Current Interval: 1450 - 1480\n", + "Current Interval: 1475 - 1505\n", + "Current Interval: 1500 - 1530\n", + "Current Interval: 1525 - 1555\n", + "Current Interval: 1550 - 1580\n", + "Current Interval: 1575 - 1605\n", + "Current Interval: 1600 - 1630\n", + "Current Interval: 1625 - 1655\n", + "Current Interval: 1650 - 1680\n", + "Current Interval: 1675 - 1705\n", + "Current Interval: 1700 - 1730\n", + "Current Interval: 1725 - 1755\n", + "Current Interval: 1750 - 1780\n", + "Current Interval: 1775 - 1805\n", + "Current Interval: 1800 - 1830\n", + "Current Interval: 1825 - 1855\n", + "Current Interval: 1850 - 1880\n", + "Current Interval: 1875 - 1905\n", + "Current Interval: 1900 - 1930\n", + "Current Interval: 1925 - 1955\n", + "Current Interval: 1950 - 1980\n", + "Current Interval: 1975 - 2005\n", + "Current Interval: 2000 - 2030\n", + "Current Interval: 2025 - 2055\n", + "Current Interval: 2050 - 2080\n", + "Current Interval: 2075 - 2105\n", + "Current Interval: 2100 - 2130\n", + "Current Interval: 2125 - 2155\n", + "Current Interval: 2150 - 2180\n", + "Current Interval: 2175 - 2205\n", + "Current Interval: 2200 - 2230\n", + "Current Interval: 2225 - 2255\n", + "Current Interval: 2250 - 2280\n", + "Current Interval: 2275 - 2305\n", + "Current Interval: 2300 - 2330\n", + "Current Interval: 2325 - 2355\n", + "Current Interval: 2350 - 2380\n", + "Current Interval: 2375 - 2405\n", + "Current Interval: 2400 - 2430\n", + "Current Interval: 2425 - 2455\n", + "Current Interval: 2450 - 2480\n", + "Current Interval: 2475 - 2505\n", + "Current 
Interval: 2500 - 2530\n", + "Current Interval: 2525 - 2555\n", + "Current Interval: 2550 - 2580\n", + "Current Interval: 2575 - 2605\n", + "Current Interval: 2600 - 2630\n", + "Current Interval: 2625 - 2655\n", + "Current Interval: 2650 - 2680\n", + "Current Interval: 2675 - 2705\n", + "Current Interval: 2700 - 2730\n", + "Current Interval: 2725 - 2755\n", + "Current Interval: 2750 - 2780\n", + "Current Interval: 2775 - 2805\n", + "Current Interval: 2800 - 2830\n", + "Current Interval: 2825 - 2855\n", + "Current Interval: 2850 - 2880\n", + "Current Interval: 2875 - 2905\n", + "Current Interval: 2900 - 2930\n", + "Current Interval: 2925 - 2955\n", + "Current Interval: 2950 - 2980\n", + "Current Interval: 2975 - 3005\n", + "Current Interval: 3000 - 3030\n", + "Current Interval: 3025 - 3055\n", + "Current Interval: 3050 - 3080\n", + "Current Interval: 3075 - 3105\n", + "Current Interval: 3100 - 3130\n", + "Current Interval: 3125 - 3155\n", + "Current Interval: 3150 - 3180\n", + "Current Interval: 3175 - 3205\n", + "Current Interval: 3200 - 3230\n", + "Current Interval: 3225 - 3255\n", + "Current Interval: 3250 - 3280\n", + "Current Interval: 3275 - 3305\n", + "Current Interval: 3300 - 3330\n", + "Current Interval: 3325 - 3355\n", + "Current Interval: 3350 - 3380\n", + "Current Interval: 3375 - 3405\n", + "Current Interval: 3400 - 3430\n", + "Current Interval: 3425 - 3455\n", + "Current Interval: 3450 - 3480\n", + "Current Interval: 3475 - 3505\n", + "Current Interval: 3500 - 3530\n", + "Current Interval: 3525 - 3555\n", + "Current Interval: 3550 - 3580\n", + "Current Interval: 3575 - 3605\n", + "Current Interval: 3600 - 3630\n", + "Current Interval: 3625 - 3655\n", + "Current Interval: 3650 - 3680\n", + "Current Interval: 3675 - 3705\n", + "Current Interval: 3700 - 3730\n", + "Current Interval: 3725 - 3755\n", + "Current Interval: 3750 - 3780\n", + "Current Interval: 3775 - 3805\n", + "Current Interval: 3800 - 3830\n", + "Current Interval: 3825 - 3855\n", + "Current 
Interval: 3850 - 3880\n", + "Current Interval: 3875 - 3905\n", + "Current Interval: 3900 - 3930\n", + "Current Interval: 3925 - 3955\n", + "Current Interval: 3950 - 3980\n", + "Current Interval: 3975 - 4005\n", + "Current Interval: 4000 - 4030\n", + "Current Interval: 4025 - 4055\n", + "Current Interval: 4050 - 4080\n", + "Current Interval: 4075 - 4105\n", + "Current Interval: 4100 - 4130\n", + "Current Interval: 4125 - 4155\n", + "Current Interval: 4150 - 4180\n", + "Current Interval: 4175 - 4205\n", + "Current Interval: 4200 - 4230\n", + "Current Interval: 4225 - 4255\n", + "Current Interval: 4250 - 4280\n", + "Current Interval: 4275 - 4305\n", + "Current Interval: 4300 - 4330\n", + "Current Interval: 4325 - 4355\n", + "Current Interval: 4350 - 4380\n", + "Current Interval: 4375 - 4405\n", + "Current Interval: 4400 - 4430\n", + "Current Interval: 4425 - 4455\n", + "Current Interval: 4450 - 4480\n", + "Current Interval: 4475 - 4505\n", + "Current Interval: 4500 - 4530\n", + "Current Interval: 4525 - 4555\n", + "Current Interval: 4550 - 4580\n", + "Current Interval: 4575 - 4605\n", + "Current Interval: 4600 - 4630\n", + "Current Interval: 4625 - 4655\n", + "Current Interval: 4650 - 4680\n", + "Current Interval: 4675 - 4705\n", + "Current Interval: 4700 - 4730\n", + "Current Interval: 4725 - 4755\n", + "Current Interval: 4750 - 4780\n", + "Current Interval: 4775 - 4805\n", + "Current Interval: 4800 - 4830\n", + "Current Interval: 4825 - 4855\n", + "Current Interval: 4850 - 4880\n", + "Current Interval: 4875 - 4905\n", + "Current Interval: 4900 - 4930\n", + "Current Interval: 4925 - 4955\n", + "Current Interval: 4950 - 4980\n", + "Current Interval: 4975 - 5005\n", + "Current Interval: 5000 - 5030\n", + "Current Interval: 5025 - 5055\n", + "Current Interval: 5050 - 5080\n", + "Current Interval: 5075 - 5105\n", + "Current Interval: 5100 - 5130\n", + "Current Interval: 5125 - 5155\n", + "Current Interval: 5150 - 5180\n", + "Current Interval: 5175 - 5205\n", + "Current 
Interval: 5200 - 5230\n", + "Current Interval: 5225 - 5255\n", + "Current Interval: 5250 - 5280\n", + "Current Interval: 5275 - 5305\n", + "Current Interval: 5300 - 5330\n", + "Current Interval: 5325 - 5355\n", + "Current Interval: 5350 - 5380\n", + "Current Interval: 5375 - 5405\n", + "Current Interval: 5400 - 5430\n", + "Current Interval: 5425 - 5455\n", + "Current Interval: 5450 - 5480\n", + "Current Interval: 5475 - 5505\n", + "Current Interval: 5500 - 5530\n", + "Current Interval: 5525 - 5555\n", + "Current Interval: 5550 - 5580\n", + "Current Interval: 5575 - 5605\n", + "Current Interval: 5600 - 5630\n", + "Current Interval: 5625 - 5655\n", + "Current Interval: 5650 - 5680\n", + "Current Interval: 5675 - 5705\n", + "Current Interval: 5700 - 5730\n", + "Current Interval: 5725 - 5755\n", + "Current Interval: 5750 - 5780\n", + "Current Interval: 5775 - 5805\n", + "Current Interval: 5800 - 5830\n", + "Current Interval: 5825 - 5855\n", + "Current Interval: 5850 - 5880\n", + "Current Interval: 5875 - 5905\n", + "Current Interval: 5900 - 5930\n", + "Current Interval: 5925 - 5955\n", + "Current Interval: 5950 - 5980\n", + "Current Interval: 5975 - 6005\n", + "Current Interval: 6000 - 6030\n", + "Current Interval: 6025 - 6055\n", + "Current Interval: 6050 - 6080\n", + "Current Interval: 6075 - 6105\n", + "Current Interval: 6100 - 6130\n", + "Current Interval: 6125 - 6155\n", + "Current Interval: 6150 - 6180\n", + "Current Interval: 6175 - 6205\n", + "Current Interval: 6200 - 6230\n", + "Current Interval: 6225 - 6255\n", + "Current Interval: 6250 - 6280\n", + "Current Interval: 6275 - 6305\n", + "Current Interval: 6300 - 6330\n", + "Current Interval: 6325 - 6355\n", + "Current Interval: 6350 - 6380\n", + "Current Interval: 6375 - 6405\n", + "Current Interval: 6400 - 6430\n", + "Current Interval: 6425 - 6455\n", + "Current Interval: 6450 - 6480\n", + "Current Interval: 6475 - 6505\n", + "Current Interval: 6500 - 6530\n", + "Current Interval: 6525 - 6555\n", + "Current 
Interval: 6550 - 6580\n", + "Current Interval: 6575 - 6605\n", + "Current Interval: 6600 - 6630\n", + "Current Interval: 6625 - 6655\n", + "Current Interval: 6650 - 6680\n", + "Current Interval: 6675 - 6705\n", + "Current Interval: 6700 - 6730\n", + "Current Interval: 6725 - 6755\n", + "Current Interval: 6750 - 6780\n", + "Current Interval: 6775 - 6805\n", + "Current Interval: 6800 - 6830\n", + "Current Interval: 6825 - 6855\n", + "Current Interval: 6850 - 6880\n", + "Current Interval: 6875 - 6905\n", + "Current Interval: 6900 - 6930\n", + "Current Interval: 6925 - 6955\n", + "Current Interval: 6950 - 6980\n", + "Current Interval: 6975 - 7005\n", + "Current Interval: 7000 - 7030\n", + "Current Interval: 7025 - 7055\n", + "Current Interval: 7050 - 7080\n", + "Current Interval: 7075 - 7105\n", + "Current Interval: 7100 - 7130\n", + "Current Interval: 7125 - 7155\n", + "Current Interval: 7150 - 7180\n", + "Current Interval: 7175 - 7205\n", + "Current Interval: 7200 - 7230\n", + "Current Interval: 7225 - 7255\n", + "Current Interval: 7250 - 7280\n", + "Current Interval: 7275 - 7305\n", + "Current Interval: 7300 - 7330\n", + "Current Interval: 7325 - 7355\n", + "Current Interval: 7350 - 7380\n", + "Current Interval: 7375 - 7405\n", + "Current Interval: 7400 - 7430\n", + "Current Interval: 7425 - 7455\n", + "Current Interval: 7450 - 7480\n", + "Current Interval: 7475 - 7505\n", + "Current Interval: 7500 - 7530\n", + "Current Interval: 7525 - 7555\n", + "Current Interval: 7550 - 7580\n", + "Current Interval: 7575 - 7605\n", + "Current Interval: 7600 - 7630\n", + "Current Interval: 7625 - 7655\n", + "Current Interval: 7650 - 7680\n", + "Current Interval: 7675 - 7705\n", + "Current Interval: 7700 - 7730\n", + "Current Interval: 7725 - 7755\n", + "Current Interval: 7750 - 7780\n", + "Current Interval: 7775 - 7805\n", + "Current Interval: 7800 - 7830\n", + "Current Interval: 7825 - 7855\n", + "Current Interval: 7850 - 7880\n", + "Current Interval: 7875 - 7905\n", + "Current 
Interval: 7900 - 7930\n", + "Current Interval: 7925 - 7955\n", + "Current Interval: 7950 - 7980\n", + "Current Interval: 7975 - 8005\n", + "Current Interval: 8000 - 8030\n", + "Current Interval: 8025 - 8055\n", + "Current Interval: 8050 - 8080\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Current Interval: 8075 - 8105\n", + "Current Interval: 8100 - 8130\n", + "Current Interval: 8125 - 8155\n", + "Current Interval: 8150 - 8180\n", + "Current Interval: 8175 - 8205\n", + "Current Interval: 8200 - 8230\n", + "Current Interval: 8225 - 8255\n", + "Current Interval: 8250 - 8280\n", + "Current Interval: 8275 - 8305\n", + "Current Interval: 8300 - 8330\n", + "Current Interval: 8325 - 8355\n", + "Current Interval: 8350 - 8380\n", + "Current Interval: 8375 - 8405\n", + "Current Interval: 8400 - 8430\n", + "Current Interval: 8425 - 8455\n", + "Current Interval: 8450 - 8480\n", + "Current Interval: 8475 - 8505\n", + "Current Interval: 8500 - 8530\n", + "Current Interval: 8525 - 8555\n", + "Current Interval: 8550 - 8580\n", + "Current Interval: 8575 - 8605\n", + "Current Interval: 8600 - 8630\n", + "Current Interval: 8625 - 8655\n", + "Current Interval: 8650 - 8680\n", + "Current Interval: 8675 - 8705\n", + "Current Interval: 8700 - 8730\n", + "Current Interval: 8725 - 8755\n", + "Current Interval: 8750 - 8780\n", + "Current Interval: 8775 - 8805\n", + "Current Interval: 8800 - 8830\n", + "Current Interval: 8825 - 8855\n", + "Current Interval: 8850 - 8880\n", + "Current Interval: 8875 - 8905\n", + "Current Interval: 8900 - 8930\n", + "Current Interval: 8925 - 8955\n", + "Current Interval: 8950 - 8980\n", + "Current Interval: 8975 - 9005\n", + "Current Interval: 9000 - 9030\n", + "Current Interval: 9025 - 9055\n", + "Current Interval: 9050 - 9080\n" + ] + }, + { + "ename": "KeyboardInterrupt", + "evalue": "", + "output_type": "error", + "traceback": [ + 
"\u001b[0;31m---------------------------------------------------------------------------\u001b[0m", + "\u001b[0;31mKeyboardInterrupt\u001b[0m Traceback (most recent call last)", + "Cell \u001b[0;32mIn[106], line 11\u001b[0m\n\u001b[1;32m 9\u001b[0m excerpt \u001b[38;5;241m=\u001b[39m chat_data[interval_start:end_interval]\n\u001b[1;32m 10\u001b[0m prompt \u001b[38;5;241m=\u001b[39m user2\u001b[38;5;241m.\u001b[39mformat(excerpt)\n\u001b[0;32m---> 11\u001b[0m facts \u001b[38;5;241m=\u001b[39m model\u001b[38;5;241m.\u001b[39mpredict_messages([HumanMessage(content\u001b[38;5;241m=\u001b[39muser1),\n\u001b[1;32m 12\u001b[0m AIMessage(content\u001b[38;5;241m=\u001b[39massistant1),\n\u001b[1;32m 13\u001b[0m HumanMessage(content\u001b[38;5;241m=\u001b[39mprompt)\n\u001b[1;32m 14\u001b[0m ]) \n\u001b[1;32m 15\u001b[0m list_of_facts \u001b[38;5;241m=\u001b[39m [x\u001b[38;5;241m.\u001b[39mstrip(\u001b[38;5;124m\"\u001b[39m\u001b[38;5;130;01m\\n\u001b[39;00m\u001b[38;5;124m\"\u001b[39m)\u001b[38;5;241m.\u001b[39mstrip(\u001b[38;5;124m\"\u001b[39m\u001b[38;5;124m \u001b[39m\u001b[38;5;124m\"\u001b[39m) \u001b[38;5;28;01mfor\u001b[39;00m x \u001b[38;5;129;01min\u001b[39;00m facts\u001b[38;5;241m.\u001b[39mcontent\u001b[38;5;241m.\u001b[39msplit(\u001b[38;5;124m\"\u001b[39m\u001b[38;5;124m- \u001b[39m\u001b[38;5;124m\"\u001b[39m) \u001b[38;5;28;01mif\u001b[39;00m x \u001b[38;5;241m!=\u001b[39m \u001b[38;5;124m'\u001b[39m\u001b[38;5;124m'\u001b[39m]\n\u001b[1;32m 16\u001b[0m all_facts \u001b[38;5;241m+\u001b[39m\u001b[38;5;241m=\u001b[39m list_of_facts\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/base.py:601\u001b[0m, in \u001b[0;36mBaseChatModel.predict_messages\u001b[0;34m(self, messages, stop, **kwargs)\u001b[0m\n\u001b[1;32m 599\u001b[0m \u001b[38;5;28;01melse\u001b[39;00m:\n\u001b[1;32m 600\u001b[0m _stop \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mlist\u001b[39m(stop)\n\u001b[0;32m--> 601\u001b[0m 
\u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m(messages, stop\u001b[38;5;241m=\u001b[39m_stop, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/base.py:551\u001b[0m, in \u001b[0;36mBaseChatModel.__call__\u001b[0;34m(self, messages, stop, callbacks, **kwargs)\u001b[0m\n\u001b[1;32m 544\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21m__call__\u001b[39m(\n\u001b[1;32m 545\u001b[0m \u001b[38;5;28mself\u001b[39m,\n\u001b[1;32m 546\u001b[0m messages: List[BaseMessage],\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 549\u001b[0m \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs: Any,\n\u001b[1;32m 550\u001b[0m ) \u001b[38;5;241m-\u001b[39m\u001b[38;5;241m>\u001b[39m BaseMessage:\n\u001b[0;32m--> 551\u001b[0m generation \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mgenerate(\n\u001b[1;32m 552\u001b[0m [messages], stop\u001b[38;5;241m=\u001b[39mstop, callbacks\u001b[38;5;241m=\u001b[39mcallbacks, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs\n\u001b[1;32m 553\u001b[0m )\u001b[38;5;241m.\u001b[39mgenerations[\u001b[38;5;241m0\u001b[39m][\u001b[38;5;241m0\u001b[39m]\n\u001b[1;32m 554\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28misinstance\u001b[39m(generation, ChatGeneration):\n\u001b[1;32m 555\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m generation\u001b[38;5;241m.\u001b[39mmessage\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/base.py:309\u001b[0m, in \u001b[0;36mBaseChatModel.generate\u001b[0;34m(self, messages, stop, callbacks, tags, metadata, **kwargs)\u001b[0m\n\u001b[1;32m 307\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m run_managers:\n\u001b[1;32m 308\u001b[0m run_managers[i]\u001b[38;5;241m.\u001b[39mon_llm_error(e)\n\u001b[0;32m--> 309\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m 
e\n\u001b[1;32m 310\u001b[0m flattened_outputs \u001b[38;5;241m=\u001b[39m [\n\u001b[1;32m 311\u001b[0m LLMResult(generations\u001b[38;5;241m=\u001b[39m[res\u001b[38;5;241m.\u001b[39mgenerations], llm_output\u001b[38;5;241m=\u001b[39mres\u001b[38;5;241m.\u001b[39mllm_output)\n\u001b[1;32m 312\u001b[0m \u001b[38;5;28;01mfor\u001b[39;00m res \u001b[38;5;129;01min\u001b[39;00m results\n\u001b[1;32m 313\u001b[0m ]\n\u001b[1;32m 314\u001b[0m llm_output \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_combine_llm_outputs([res\u001b[38;5;241m.\u001b[39mllm_output \u001b[38;5;28;01mfor\u001b[39;00m res \u001b[38;5;129;01min\u001b[39;00m results])\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/base.py:299\u001b[0m, in \u001b[0;36mBaseChatModel.generate\u001b[0;34m(self, messages, stop, callbacks, tags, metadata, **kwargs)\u001b[0m\n\u001b[1;32m 296\u001b[0m \u001b[38;5;28;01mfor\u001b[39;00m i, m \u001b[38;5;129;01min\u001b[39;00m \u001b[38;5;28menumerate\u001b[39m(messages):\n\u001b[1;32m 297\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[1;32m 298\u001b[0m results\u001b[38;5;241m.\u001b[39mappend(\n\u001b[0;32m--> 299\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_generate_with_cache(\n\u001b[1;32m 300\u001b[0m m,\n\u001b[1;32m 301\u001b[0m stop\u001b[38;5;241m=\u001b[39mstop,\n\u001b[1;32m 302\u001b[0m run_manager\u001b[38;5;241m=\u001b[39mrun_managers[i] \u001b[38;5;28;01mif\u001b[39;00m run_managers \u001b[38;5;28;01melse\u001b[39;00m \u001b[38;5;28;01mNone\u001b[39;00m,\n\u001b[1;32m 303\u001b[0m \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs,\n\u001b[1;32m 304\u001b[0m )\n\u001b[1;32m 305\u001b[0m )\n\u001b[1;32m 306\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m (\u001b[38;5;167;01mKeyboardInterrupt\u001b[39;00m, \u001b[38;5;167;01mException\u001b[39;00m) \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 307\u001b[0m 
\u001b[38;5;28;01mif\u001b[39;00m run_managers:\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/base.py:446\u001b[0m, in \u001b[0;36mBaseChatModel._generate_with_cache\u001b[0;34m(self, messages, stop, run_manager, **kwargs)\u001b[0m\n\u001b[1;32m 442\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m \u001b[38;5;167;01mValueError\u001b[39;00m(\n\u001b[1;32m 443\u001b[0m \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mAsked to cache, but no cache found at `langchain.cache`.\u001b[39m\u001b[38;5;124m\"\u001b[39m\n\u001b[1;32m 444\u001b[0m )\n\u001b[1;32m 445\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m new_arg_supported:\n\u001b[0;32m--> 446\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_generate(\n\u001b[1;32m 447\u001b[0m messages, stop\u001b[38;5;241m=\u001b[39mstop, run_manager\u001b[38;5;241m=\u001b[39mrun_manager, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs\n\u001b[1;32m 448\u001b[0m )\n\u001b[1;32m 449\u001b[0m \u001b[38;5;28;01melse\u001b[39;00m:\n\u001b[1;32m 450\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_generate(messages, stop\u001b[38;5;241m=\u001b[39mstop, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/openai.py:345\u001b[0m, in \u001b[0;36mChatOpenAI._generate\u001b[0;34m(self, messages, stop, run_manager, stream, **kwargs)\u001b[0m\n\u001b[1;32m 343\u001b[0m message_dicts, params \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_create_message_dicts(messages, stop)\n\u001b[1;32m 344\u001b[0m params \u001b[38;5;241m=\u001b[39m {\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mparams, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs}\n\u001b[0;32m--> 345\u001b[0m response \u001b[38;5;241m=\u001b[39m 
\u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mcompletion_with_retry(\n\u001b[1;32m 346\u001b[0m messages\u001b[38;5;241m=\u001b[39mmessage_dicts, run_manager\u001b[38;5;241m=\u001b[39mrun_manager, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mparams\n\u001b[1;32m 347\u001b[0m )\n\u001b[1;32m 348\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_create_chat_result(response)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/openai.py:278\u001b[0m, in \u001b[0;36mChatOpenAI.completion_with_retry\u001b[0;34m(self, run_manager, **kwargs)\u001b[0m\n\u001b[1;32m 274\u001b[0m \u001b[38;5;129m@retry_decorator\u001b[39m\n\u001b[1;32m 275\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21m_completion_with_retry\u001b[39m(\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs: Any) \u001b[38;5;241m-\u001b[39m\u001b[38;5;241m>\u001b[39m Any:\n\u001b[1;32m 276\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mclient\u001b[38;5;241m.\u001b[39mcreate(\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n\u001b[0;32m--> 278\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m _completion_with_retry(\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/tenacity/__init__.py:289\u001b[0m, in \u001b[0;36mBaseRetrying.wraps..wrapped_f\u001b[0;34m(*args, **kw)\u001b[0m\n\u001b[1;32m 287\u001b[0m \u001b[38;5;129m@functools\u001b[39m\u001b[38;5;241m.\u001b[39mwraps(f)\n\u001b[1;32m 288\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21mwrapped_f\u001b[39m(\u001b[38;5;241m*\u001b[39margs: t\u001b[38;5;241m.\u001b[39mAny, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkw: t\u001b[38;5;241m.\u001b[39mAny) \u001b[38;5;241m-\u001b[39m\u001b[38;5;241m>\u001b[39m 
t\u001b[38;5;241m.\u001b[39mAny:\n\u001b[0;32m--> 289\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m(f, \u001b[38;5;241m*\u001b[39margs, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkw)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/tenacity/__init__.py:379\u001b[0m, in \u001b[0;36mRetrying.__call__\u001b[0;34m(self, fn, *args, **kwargs)\u001b[0m\n\u001b[1;32m 377\u001b[0m retry_state \u001b[38;5;241m=\u001b[39m RetryCallState(retry_object\u001b[38;5;241m=\u001b[39m\u001b[38;5;28mself\u001b[39m, fn\u001b[38;5;241m=\u001b[39mfn, args\u001b[38;5;241m=\u001b[39margs, kwargs\u001b[38;5;241m=\u001b[39mkwargs)\n\u001b[1;32m 378\u001b[0m \u001b[38;5;28;01mwhile\u001b[39;00m \u001b[38;5;28;01mTrue\u001b[39;00m:\n\u001b[0;32m--> 379\u001b[0m do \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39miter(retry_state\u001b[38;5;241m=\u001b[39mretry_state)\n\u001b[1;32m 380\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28misinstance\u001b[39m(do, DoAttempt):\n\u001b[1;32m 381\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/tenacity/__init__.py:314\u001b[0m, in \u001b[0;36mBaseRetrying.iter\u001b[0;34m(self, retry_state)\u001b[0m\n\u001b[1;32m 312\u001b[0m is_explicit_retry \u001b[38;5;241m=\u001b[39m fut\u001b[38;5;241m.\u001b[39mfailed \u001b[38;5;129;01mand\u001b[39;00m \u001b[38;5;28misinstance\u001b[39m(fut\u001b[38;5;241m.\u001b[39mexception(), TryAgain)\n\u001b[1;32m 313\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m (is_explicit_retry \u001b[38;5;129;01mor\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mretry(retry_state)):\n\u001b[0;32m--> 314\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m fut\u001b[38;5;241m.\u001b[39mresult()\n\u001b[1;32m 316\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m 
\u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mafter \u001b[38;5;129;01mis\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m \u001b[38;5;28;01mNone\u001b[39;00m:\n\u001b[1;32m 317\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mafter(retry_state)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/concurrent/futures/_base.py:449\u001b[0m, in \u001b[0;36mFuture.result\u001b[0;34m(self, timeout)\u001b[0m\n\u001b[1;32m 447\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m CancelledError()\n\u001b[1;32m 448\u001b[0m \u001b[38;5;28;01melif\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_state \u001b[38;5;241m==\u001b[39m FINISHED:\n\u001b[0;32m--> 449\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m__get_result()\n\u001b[1;32m 451\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_condition\u001b[38;5;241m.\u001b[39mwait(timeout)\n\u001b[1;32m 453\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_state \u001b[38;5;129;01min\u001b[39;00m [CANCELLED, CANCELLED_AND_NOTIFIED]:\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/concurrent/futures/_base.py:401\u001b[0m, in \u001b[0;36mFuture.__get_result\u001b[0;34m(self)\u001b[0m\n\u001b[1;32m 399\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_exception:\n\u001b[1;32m 400\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 401\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_exception\n\u001b[1;32m 402\u001b[0m \u001b[38;5;28;01mfinally\u001b[39;00m:\n\u001b[1;32m 403\u001b[0m \u001b[38;5;66;03m# Break a reference cycle with the exception in self._exception\u001b[39;00m\n\u001b[1;32m 404\u001b[0m \u001b[38;5;28mself\u001b[39m \u001b[38;5;241m=\u001b[39m \u001b[38;5;28;01mNone\u001b[39;00m\n", + "File 
\u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/tenacity/__init__.py:382\u001b[0m, in \u001b[0;36mRetrying.__call__\u001b[0;34m(self, fn, *args, **kwargs)\u001b[0m\n\u001b[1;32m 380\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28misinstance\u001b[39m(do, DoAttempt):\n\u001b[1;32m 381\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 382\u001b[0m result \u001b[38;5;241m=\u001b[39m fn(\u001b[38;5;241m*\u001b[39margs, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n\u001b[1;32m 383\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m \u001b[38;5;167;01mBaseException\u001b[39;00m: \u001b[38;5;66;03m# noqa: B902\u001b[39;00m\n\u001b[1;32m 384\u001b[0m retry_state\u001b[38;5;241m.\u001b[39mset_exception(sys\u001b[38;5;241m.\u001b[39mexc_info()) \u001b[38;5;66;03m# type: ignore[arg-type]\u001b[39;00m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/openai.py:276\u001b[0m, in \u001b[0;36mChatOpenAI.completion_with_retry.._completion_with_retry\u001b[0;34m(**kwargs)\u001b[0m\n\u001b[1;32m 274\u001b[0m \u001b[38;5;129m@retry_decorator\u001b[39m\n\u001b[1;32m 275\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21m_completion_with_retry\u001b[39m(\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs: Any) \u001b[38;5;241m-\u001b[39m\u001b[38;5;241m>\u001b[39m Any:\n\u001b[0;32m--> 276\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mclient\u001b[38;5;241m.\u001b[39mcreate(\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/openai/api_resources/chat_completion.py:25\u001b[0m, in \u001b[0;36mChatCompletion.create\u001b[0;34m(cls, *args, **kwargs)\u001b[0m\n\u001b[1;32m 23\u001b[0m \u001b[38;5;28;01mwhile\u001b[39;00m \u001b[38;5;28;01mTrue\u001b[39;00m:\n\u001b[1;32m 24\u001b[0m 
\u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m---> 25\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28msuper\u001b[39m()\u001b[38;5;241m.\u001b[39mcreate(\u001b[38;5;241m*\u001b[39margs, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n\u001b[1;32m 26\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m TryAgain \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 27\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m timeout \u001b[38;5;129;01mis\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m \u001b[38;5;28;01mNone\u001b[39;00m \u001b[38;5;129;01mand\u001b[39;00m time\u001b[38;5;241m.\u001b[39mtime() \u001b[38;5;241m>\u001b[39m start \u001b[38;5;241m+\u001b[39m timeout:\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/openai/api_resources/abstract/engine_api_resource.py:153\u001b[0m, in \u001b[0;36mEngineAPIResource.create\u001b[0;34m(cls, api_key, api_base, api_type, request_id, api_version, organization, **params)\u001b[0m\n\u001b[1;32m 127\u001b[0m \u001b[38;5;129m@classmethod\u001b[39m\n\u001b[1;32m 128\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21mcreate\u001b[39m(\n\u001b[1;32m 129\u001b[0m \u001b[38;5;28mcls\u001b[39m,\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 136\u001b[0m \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mparams,\n\u001b[1;32m 137\u001b[0m ):\n\u001b[1;32m 138\u001b[0m (\n\u001b[1;32m 139\u001b[0m deployment_id,\n\u001b[1;32m 140\u001b[0m engine,\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 150\u001b[0m api_key, api_base, api_type, api_version, organization, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mparams\n\u001b[1;32m 151\u001b[0m )\n\u001b[0;32m--> 153\u001b[0m response, _, api_key \u001b[38;5;241m=\u001b[39m requestor\u001b[38;5;241m.\u001b[39mrequest(\n\u001b[1;32m 154\u001b[0m \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mpost\u001b[39m\u001b[38;5;124m\"\u001b[39m,\n\u001b[1;32m 155\u001b[0m url,\n\u001b[1;32m 156\u001b[0m 
params\u001b[38;5;241m=\u001b[39mparams,\n\u001b[1;32m 157\u001b[0m headers\u001b[38;5;241m=\u001b[39mheaders,\n\u001b[1;32m 158\u001b[0m stream\u001b[38;5;241m=\u001b[39mstream,\n\u001b[1;32m 159\u001b[0m request_id\u001b[38;5;241m=\u001b[39mrequest_id,\n\u001b[1;32m 160\u001b[0m request_timeout\u001b[38;5;241m=\u001b[39mrequest_timeout,\n\u001b[1;32m 161\u001b[0m )\n\u001b[1;32m 163\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m stream:\n\u001b[1;32m 164\u001b[0m \u001b[38;5;66;03m# must be an iterator\u001b[39;00m\n\u001b[1;32m 165\u001b[0m \u001b[38;5;28;01massert\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m \u001b[38;5;28misinstance\u001b[39m(response, OpenAIResponse)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/openai/api_requestor.py:288\u001b[0m, in \u001b[0;36mAPIRequestor.request\u001b[0;34m(self, method, url, params, headers, files, stream, request_id, request_timeout)\u001b[0m\n\u001b[1;32m 277\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21mrequest\u001b[39m(\n\u001b[1;32m 278\u001b[0m \u001b[38;5;28mself\u001b[39m,\n\u001b[1;32m 279\u001b[0m method,\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 286\u001b[0m request_timeout: Optional[Union[\u001b[38;5;28mfloat\u001b[39m, Tuple[\u001b[38;5;28mfloat\u001b[39m, \u001b[38;5;28mfloat\u001b[39m]]] \u001b[38;5;241m=\u001b[39m \u001b[38;5;28;01mNone\u001b[39;00m,\n\u001b[1;32m 287\u001b[0m ) \u001b[38;5;241m-\u001b[39m\u001b[38;5;241m>\u001b[39m Tuple[Union[OpenAIResponse, Iterator[OpenAIResponse]], \u001b[38;5;28mbool\u001b[39m, \u001b[38;5;28mstr\u001b[39m]:\n\u001b[0;32m--> 288\u001b[0m result \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mrequest_raw(\n\u001b[1;32m 289\u001b[0m method\u001b[38;5;241m.\u001b[39mlower(),\n\u001b[1;32m 290\u001b[0m url,\n\u001b[1;32m 291\u001b[0m params\u001b[38;5;241m=\u001b[39mparams,\n\u001b[1;32m 292\u001b[0m supplied_headers\u001b[38;5;241m=\u001b[39mheaders,\n\u001b[1;32m 293\u001b[0m 
files\u001b[38;5;241m=\u001b[39mfiles,\n\u001b[1;32m 294\u001b[0m stream\u001b[38;5;241m=\u001b[39mstream,\n\u001b[1;32m 295\u001b[0m request_id\u001b[38;5;241m=\u001b[39mrequest_id,\n\u001b[1;32m 296\u001b[0m request_timeout\u001b[38;5;241m=\u001b[39mrequest_timeout,\n\u001b[1;32m 297\u001b[0m )\n\u001b[1;32m 298\u001b[0m resp, got_stream \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_interpret_response(result, stream)\n\u001b[1;32m 299\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m resp, got_stream, \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mapi_key\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/openai/api_requestor.py:596\u001b[0m, in \u001b[0;36mAPIRequestor.request_raw\u001b[0;34m(self, method, url, params, supplied_headers, files, stream, request_id, request_timeout)\u001b[0m\n\u001b[1;32m 594\u001b[0m _thread_context\u001b[38;5;241m.\u001b[39msession_create_time \u001b[38;5;241m=\u001b[39m time\u001b[38;5;241m.\u001b[39mtime()\n\u001b[1;32m 595\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 596\u001b[0m result \u001b[38;5;241m=\u001b[39m _thread_context\u001b[38;5;241m.\u001b[39msession\u001b[38;5;241m.\u001b[39mrequest(\n\u001b[1;32m 597\u001b[0m method,\n\u001b[1;32m 598\u001b[0m abs_url,\n\u001b[1;32m 599\u001b[0m headers\u001b[38;5;241m=\u001b[39mheaders,\n\u001b[1;32m 600\u001b[0m data\u001b[38;5;241m=\u001b[39mdata,\n\u001b[1;32m 601\u001b[0m files\u001b[38;5;241m=\u001b[39mfiles,\n\u001b[1;32m 602\u001b[0m stream\u001b[38;5;241m=\u001b[39mstream,\n\u001b[1;32m 603\u001b[0m timeout\u001b[38;5;241m=\u001b[39mrequest_timeout \u001b[38;5;28;01mif\u001b[39;00m request_timeout \u001b[38;5;28;01melse\u001b[39;00m TIMEOUT_SECS,\n\u001b[1;32m 604\u001b[0m proxies\u001b[38;5;241m=\u001b[39m_thread_context\u001b[38;5;241m.\u001b[39msession\u001b[38;5;241m.\u001b[39mproxies,\n\u001b[1;32m 605\u001b[0m )\n\u001b[1;32m 606\u001b[0m 
\u001b[38;5;28;01mexcept\u001b[39;00m requests\u001b[38;5;241m.\u001b[39mexceptions\u001b[38;5;241m.\u001b[39mTimeout \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 607\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m error\u001b[38;5;241m.\u001b[39mTimeout(\u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mRequest timed out: \u001b[39m\u001b[38;5;132;01m{}\u001b[39;00m\u001b[38;5;124m\"\u001b[39m\u001b[38;5;241m.\u001b[39mformat(e)) \u001b[38;5;28;01mfrom\u001b[39;00m \u001b[38;5;21;01me\u001b[39;00m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/requests/sessions.py:589\u001b[0m, in \u001b[0;36mSession.request\u001b[0;34m(self, method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream, verify, cert, json)\u001b[0m\n\u001b[1;32m 584\u001b[0m send_kwargs \u001b[38;5;241m=\u001b[39m {\n\u001b[1;32m 585\u001b[0m \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mtimeout\u001b[39m\u001b[38;5;124m\"\u001b[39m: timeout,\n\u001b[1;32m 586\u001b[0m \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mallow_redirects\u001b[39m\u001b[38;5;124m\"\u001b[39m: allow_redirects,\n\u001b[1;32m 587\u001b[0m }\n\u001b[1;32m 588\u001b[0m send_kwargs\u001b[38;5;241m.\u001b[39mupdate(settings)\n\u001b[0;32m--> 589\u001b[0m resp \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39msend(prep, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39msend_kwargs)\n\u001b[1;32m 591\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m resp\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/requests/sessions.py:703\u001b[0m, in \u001b[0;36mSession.send\u001b[0;34m(self, request, **kwargs)\u001b[0m\n\u001b[1;32m 700\u001b[0m start \u001b[38;5;241m=\u001b[39m preferred_clock()\n\u001b[1;32m 702\u001b[0m \u001b[38;5;66;03m# Send the request\u001b[39;00m\n\u001b[0;32m--> 703\u001b[0m r \u001b[38;5;241m=\u001b[39m adapter\u001b[38;5;241m.\u001b[39msend(request, 
\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n\u001b[1;32m 705\u001b[0m \u001b[38;5;66;03m# Total elapsed time of the request (approximately)\u001b[39;00m\n\u001b[1;32m 706\u001b[0m elapsed \u001b[38;5;241m=\u001b[39m preferred_clock() \u001b[38;5;241m-\u001b[39m start\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/requests/adapters.py:486\u001b[0m, in \u001b[0;36mHTTPAdapter.send\u001b[0;34m(self, request, stream, timeout, verify, cert, proxies)\u001b[0m\n\u001b[1;32m 483\u001b[0m timeout \u001b[38;5;241m=\u001b[39m TimeoutSauce(connect\u001b[38;5;241m=\u001b[39mtimeout, read\u001b[38;5;241m=\u001b[39mtimeout)\n\u001b[1;32m 485\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 486\u001b[0m resp \u001b[38;5;241m=\u001b[39m conn\u001b[38;5;241m.\u001b[39murlopen(\n\u001b[1;32m 487\u001b[0m method\u001b[38;5;241m=\u001b[39mrequest\u001b[38;5;241m.\u001b[39mmethod,\n\u001b[1;32m 488\u001b[0m url\u001b[38;5;241m=\u001b[39murl,\n\u001b[1;32m 489\u001b[0m body\u001b[38;5;241m=\u001b[39mrequest\u001b[38;5;241m.\u001b[39mbody,\n\u001b[1;32m 490\u001b[0m headers\u001b[38;5;241m=\u001b[39mrequest\u001b[38;5;241m.\u001b[39mheaders,\n\u001b[1;32m 491\u001b[0m redirect\u001b[38;5;241m=\u001b[39m\u001b[38;5;28;01mFalse\u001b[39;00m,\n\u001b[1;32m 492\u001b[0m assert_same_host\u001b[38;5;241m=\u001b[39m\u001b[38;5;28;01mFalse\u001b[39;00m,\n\u001b[1;32m 493\u001b[0m preload_content\u001b[38;5;241m=\u001b[39m\u001b[38;5;28;01mFalse\u001b[39;00m,\n\u001b[1;32m 494\u001b[0m decode_content\u001b[38;5;241m=\u001b[39m\u001b[38;5;28;01mFalse\u001b[39;00m,\n\u001b[1;32m 495\u001b[0m retries\u001b[38;5;241m=\u001b[39m\u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mmax_retries,\n\u001b[1;32m 496\u001b[0m timeout\u001b[38;5;241m=\u001b[39mtimeout,\n\u001b[1;32m 497\u001b[0m chunked\u001b[38;5;241m=\u001b[39mchunked,\n\u001b[1;32m 498\u001b[0m )\n\u001b[1;32m 500\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m 
(ProtocolError, \u001b[38;5;167;01mOSError\u001b[39;00m) \u001b[38;5;28;01mas\u001b[39;00m err:\n\u001b[1;32m 501\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m \u001b[38;5;167;01mConnectionError\u001b[39;00m(err, request\u001b[38;5;241m=\u001b[39mrequest)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/urllib3/connectionpool.py:714\u001b[0m, in \u001b[0;36mHTTPConnectionPool.urlopen\u001b[0;34m(self, method, url, body, headers, retries, redirect, assert_same_host, timeout, pool_timeout, release_conn, chunked, body_pos, **response_kw)\u001b[0m\n\u001b[1;32m 711\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_prepare_proxy(conn)\n\u001b[1;32m 713\u001b[0m \u001b[38;5;66;03m# Make the request on the httplib connection object.\u001b[39;00m\n\u001b[0;32m--> 714\u001b[0m httplib_response \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_make_request(\n\u001b[1;32m 715\u001b[0m conn,\n\u001b[1;32m 716\u001b[0m method,\n\u001b[1;32m 717\u001b[0m url,\n\u001b[1;32m 718\u001b[0m timeout\u001b[38;5;241m=\u001b[39mtimeout_obj,\n\u001b[1;32m 719\u001b[0m body\u001b[38;5;241m=\u001b[39mbody,\n\u001b[1;32m 720\u001b[0m headers\u001b[38;5;241m=\u001b[39mheaders,\n\u001b[1;32m 721\u001b[0m chunked\u001b[38;5;241m=\u001b[39mchunked,\n\u001b[1;32m 722\u001b[0m )\n\u001b[1;32m 724\u001b[0m \u001b[38;5;66;03m# If we're going to release the connection in ``finally:``, then\u001b[39;00m\n\u001b[1;32m 725\u001b[0m \u001b[38;5;66;03m# the response doesn't need to know about the connection. 
Otherwise\u001b[39;00m\n\u001b[1;32m 726\u001b[0m \u001b[38;5;66;03m# it will also try to release it and we'll have a double-release\u001b[39;00m\n\u001b[1;32m 727\u001b[0m \u001b[38;5;66;03m# mess.\u001b[39;00m\n\u001b[1;32m 728\u001b[0m response_conn \u001b[38;5;241m=\u001b[39m conn \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m release_conn \u001b[38;5;28;01melse\u001b[39;00m \u001b[38;5;28;01mNone\u001b[39;00m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/urllib3/connectionpool.py:466\u001b[0m, in \u001b[0;36mHTTPConnectionPool._make_request\u001b[0;34m(self, conn, method, url, timeout, chunked, **httplib_request_kw)\u001b[0m\n\u001b[1;32m 461\u001b[0m httplib_response \u001b[38;5;241m=\u001b[39m conn\u001b[38;5;241m.\u001b[39mgetresponse()\n\u001b[1;32m 462\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m \u001b[38;5;167;01mBaseException\u001b[39;00m \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 463\u001b[0m \u001b[38;5;66;03m# Remove the TypeError from the exception chain in\u001b[39;00m\n\u001b[1;32m 464\u001b[0m \u001b[38;5;66;03m# Python 3 (including for exceptions like SystemExit).\u001b[39;00m\n\u001b[1;32m 465\u001b[0m \u001b[38;5;66;03m# Otherwise it looks like a bug in the code.\u001b[39;00m\n\u001b[0;32m--> 466\u001b[0m six\u001b[38;5;241m.\u001b[39mraise_from(e, \u001b[38;5;28;01mNone\u001b[39;00m)\n\u001b[1;32m 467\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m (SocketTimeout, BaseSSLError, SocketError) \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 468\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_raise_timeout(err\u001b[38;5;241m=\u001b[39me, url\u001b[38;5;241m=\u001b[39murl, timeout_value\u001b[38;5;241m=\u001b[39mread_timeout)\n", + "File \u001b[0;32m:3\u001b[0m, in \u001b[0;36mraise_from\u001b[0;34m(value, from_value)\u001b[0m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/urllib3/connectionpool.py:461\u001b[0m, in 
\u001b[0;36mHTTPConnectionPool._make_request\u001b[0;34m(self, conn, method, url, timeout, chunked, **httplib_request_kw)\u001b[0m\n\u001b[1;32m 458\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m \u001b[38;5;167;01mTypeError\u001b[39;00m:\n\u001b[1;32m 459\u001b[0m \u001b[38;5;66;03m# Python 3\u001b[39;00m\n\u001b[1;32m 460\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 461\u001b[0m httplib_response \u001b[38;5;241m=\u001b[39m conn\u001b[38;5;241m.\u001b[39mgetresponse()\n\u001b[1;32m 462\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m \u001b[38;5;167;01mBaseException\u001b[39;00m \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 463\u001b[0m \u001b[38;5;66;03m# Remove the TypeError from the exception chain in\u001b[39;00m\n\u001b[1;32m 464\u001b[0m \u001b[38;5;66;03m# Python 3 (including for exceptions like SystemExit).\u001b[39;00m\n\u001b[1;32m 465\u001b[0m \u001b[38;5;66;03m# Otherwise it looks like a bug in the code.\u001b[39;00m\n\u001b[1;32m 466\u001b[0m six\u001b[38;5;241m.\u001b[39mraise_from(e, \u001b[38;5;28;01mNone\u001b[39;00m)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/http/client.py:1378\u001b[0m, in \u001b[0;36mHTTPConnection.getresponse\u001b[0;34m(self)\u001b[0m\n\u001b[1;32m 1376\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[1;32m 1377\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m-> 1378\u001b[0m response\u001b[38;5;241m.\u001b[39mbegin()\n\u001b[1;32m 1379\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m \u001b[38;5;167;01mConnectionError\u001b[39;00m:\n\u001b[1;32m 1380\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mclose()\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/http/client.py:318\u001b[0m, in \u001b[0;36mHTTPResponse.begin\u001b[0;34m(self)\u001b[0m\n\u001b[1;32m 316\u001b[0m \u001b[38;5;66;03m# read until we get a non-100 response\u001b[39;00m\n\u001b[1;32m 317\u001b[0m \u001b[38;5;28;01mwhile\u001b[39;00m 
\u001b[38;5;28;01mTrue\u001b[39;00m:\n\u001b[0;32m--> 318\u001b[0m version, status, reason \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_read_status()\n\u001b[1;32m 319\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m status \u001b[38;5;241m!=\u001b[39m CONTINUE:\n\u001b[1;32m 320\u001b[0m \u001b[38;5;28;01mbreak\u001b[39;00m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/http/client.py:279\u001b[0m, in \u001b[0;36mHTTPResponse._read_status\u001b[0;34m(self)\u001b[0m\n\u001b[1;32m 278\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21m_read_status\u001b[39m(\u001b[38;5;28mself\u001b[39m):\n\u001b[0;32m--> 279\u001b[0m line \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mstr\u001b[39m(\u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mfp\u001b[38;5;241m.\u001b[39mreadline(_MAXLINE \u001b[38;5;241m+\u001b[39m \u001b[38;5;241m1\u001b[39m), \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124miso-8859-1\u001b[39m\u001b[38;5;124m\"\u001b[39m)\n\u001b[1;32m 280\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28mlen\u001b[39m(line) \u001b[38;5;241m>\u001b[39m _MAXLINE:\n\u001b[1;32m 281\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m LineTooLong(\u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mstatus line\u001b[39m\u001b[38;5;124m\"\u001b[39m)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/socket.py:706\u001b[0m, in \u001b[0;36mSocketIO.readinto\u001b[0;34m(self, b)\u001b[0m\n\u001b[1;32m 704\u001b[0m \u001b[38;5;28;01mwhile\u001b[39;00m \u001b[38;5;28;01mTrue\u001b[39;00m:\n\u001b[1;32m 705\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 706\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_sock\u001b[38;5;241m.\u001b[39mrecv_into(b)\n\u001b[1;32m 707\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m timeout:\n\u001b[1;32m 708\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_timeout_occurred 
\u001b[38;5;241m=\u001b[39m \u001b[38;5;28;01mTrue\u001b[39;00m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/ssl.py:1278\u001b[0m, in \u001b[0;36mSSLSocket.recv_into\u001b[0;34m(self, buffer, nbytes, flags)\u001b[0m\n\u001b[1;32m 1274\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m flags \u001b[38;5;241m!=\u001b[39m \u001b[38;5;241m0\u001b[39m:\n\u001b[1;32m 1275\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m \u001b[38;5;167;01mValueError\u001b[39;00m(\n\u001b[1;32m 1276\u001b[0m \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mnon-zero flags not allowed in calls to recv_into() on \u001b[39m\u001b[38;5;132;01m%s\u001b[39;00m\u001b[38;5;124m\"\u001b[39m \u001b[38;5;241m%\u001b[39m\n\u001b[1;32m 1277\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m\u001b[38;5;18m__class__\u001b[39m)\n\u001b[0;32m-> 1278\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mread(nbytes, buffer)\n\u001b[1;32m 1279\u001b[0m \u001b[38;5;28;01melse\u001b[39;00m:\n\u001b[1;32m 1280\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28msuper\u001b[39m()\u001b[38;5;241m.\u001b[39mrecv_into(buffer, nbytes, flags)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/ssl.py:1134\u001b[0m, in \u001b[0;36mSSLSocket.read\u001b[0;34m(self, len, buffer)\u001b[0m\n\u001b[1;32m 1132\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[1;32m 1133\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m buffer \u001b[38;5;129;01mis\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m \u001b[38;5;28;01mNone\u001b[39;00m:\n\u001b[0;32m-> 1134\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_sslobj\u001b[38;5;241m.\u001b[39mread(\u001b[38;5;28mlen\u001b[39m, buffer)\n\u001b[1;32m 1135\u001b[0m \u001b[38;5;28;01melse\u001b[39;00m:\n\u001b[1;32m 1136\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m 
\u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_sslobj\u001b[38;5;241m.\u001b[39mread(\u001b[38;5;28mlen\u001b[39m)\n",
+ "\u001b[0;31mKeyboardInterrupt\u001b[0m: "
+ ]
+ }
+ ],
+ "source": [
+ "\n",
+ "length = 30\n",
+ "overlap = 5\n",
+ "\n",
+ "\n",
+ "while True:\n",
+ " try:\n",
+ " end_interval = interval_start + length\n",
+ " print(\"Current Interval:\", interval_start, \"-\", end_interval)\n",
+ " excerpt = chat_data[interval_start:end_interval]\n",
+ " prompt = user2.format(excerpt)\n",
+ " facts = model.predict_messages([HumanMessage(content=user1),\n",
+ " AIMessage(content=assistant1),\n",
+ " HumanMessage(content=prompt)\n",
+ " ]) \n",
+ " list_of_facts = [x.strip(\"\\n\").strip(\" \") for x in facts.content.split(\"- \") if x != '']\n",
+ " all_facts += list_of_facts\n",
+ " interval_start += (length - overlap)\n",
+ " except Exception as e: \n",
+ " print(e)\n",
+ " break"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 122,
+ "id": "ed90d59a",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "3235"
+ ]
+ },
+ "execution_count": 122,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "len(all_facts)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 123,
+ "id": "19f74573",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "['An audit on Basin was cancelled without any notice, leaving some users in the dark about the situation.',\n",
+ " \"Becoming a certified warden, a part of the verification process, might need a passport or a certified copy of an individual's identity.\",\n",
+ " 'Certification process details can be found at https://docs.code4rena.com/roles/certified-contributors.',\n",
+ " 'To gain backstage access one may need to qualify and then request backstage access via a help desk request. More details about backstage access can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens and the help desk request page is https://code4rena.com/help.',\n",
+ " 'To participate in Chainlink contests and be eligible for rewards, one must go through a KYC process before submitting.',\n",
+ " 'Users can submit report without being certified, however certification is needed to receive rewards.',\n",
+ " 'There are questions about how to embed code on reports.',\n",
+ " 'Pancakeswap V2 and Uniswap V2 have different formulas for protocol fees, with PancakeSwap V2 utilizing 8/25 of the growth in the square root of K as its protocol fee, while Uniswap V2 employs a 5 basis point (0.05%) protocol fee. The code for PancakeSwap V2 can be found at https://bscscan.com/address/0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73#code.',\n",
+ " 'There are concerns about the lack of feedback on bug submissions.',\n",
+ " 'Participation in some contests can be done without being certified, but some contests require certification for payouts if any submissions are awarded.']"
+ ]
+ },
+ "execution_count": 123,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "all_facts[-10:]"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 121,
+ "id": "0f6824cc",
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 124,
+ "id": "1998521b",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "\n",
+ "\n",
+ "# Convert the list to a JSON formatted string\n",
+ "json_string = json.dumps(all_facts)\n",
+ "\n",
+ "# Write the JSON string to a file\n",
+ "with open(\"./codearena/codearena-2.json\", \"w\") as file:\n",
+ " file.write(json_string)\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 125,
+ "id": "1683cf43",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "# Read the JSON string from the file\n",
+ "with open(\"./codearena/codearena-2.json\", \"r\") as file:\n",
+ " json_string = file.read()\n",
+ "\n",
+ "# Convert the JSON formatted string back to a Python list\n",
+ "all_facts = json.loads(json_string)\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 195,
+ "id": "986d3810",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "'The experiment being discussed is an interesting variation of a bug-bounty, where it is time-limited and has a guaranteed pot that pays out.'"
+ ]
+ },
+ "execution_count": 195,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "all_facts[0]"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "49d889d9",
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "ae9f6062",
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "f034a1be",
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ },
+ {
+ "cell_type": "markdown",
+ "id": "6d7736b1",
+ "metadata": {},
+ "source": [
+ "### Cluster the facts"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 126,
+ "id": "5e378e0e",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "facts_embeddings = []\n",
+ "for fact in all_facts:\n",
+ " embed = get_embedding(fact)\n",
+ " facts_embeddings.append((fact, embed))\n",
+ " "
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 127,
+ "id": "204c91b5",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "import pickle\n",
+ "\n",
+ "# open a file, where you want to store the data\n",
+ "file = open('./codearena/embeddings-09_22.pickle', 'wb')\n",
+ "\n",
+ "# dump information to that file\n",
+ "pickle.dump(facts_embeddings, file)\n",
+ "\n",
+ "# close the file\n",
+ "file.close()\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 128,
+ "id": "00d95c6d",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "# open a file, where you stored the pickled data\n",
+ "file = open('./codearena/embeddings-09_22.pickle', 'rb')\n",
+ "\n",
+ "# dump information to that file\n",
+ "data = pickle.load(file)\n",
+ "\n",
+ "# close the file\n",
+ "file.close()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 130,
+ "id": "48b87717",
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "424c6fbe",
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 140,
+ "id": "3dbd1364",
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stderr",
+ "output_type": "stream",
+ "text": [
+ "/Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages/sklearn/cluster/_kmeans.py:1416: FutureWarning: The default value of `n_init` will change from 10 to 'auto' in 1.4. Set the value of `n_init` explicitly to suppress the warning\n",
+ " super()._check_params_vs_input(X, default_n_init=10)\n"
+ ]
+ }
+ ],
+ "source": [
+ "# Convert the data into a DataFrame\n",
+ "labels, values = zip(*facts_embeddings)\n",
+ "df = pd.DataFrame({'Label': labels, 'Values': values})\n",
+ "df_values = pd.DataFrame(df['Values'].to_list())\n",
+ "df = pd.concat([df[['Label']], df_values], axis=1)\n",
+ "\n",
+ "# Drop the 'Label' column to use only numeric columns for KMeans\n",
+ "X = df.drop('Label', axis=1)\n",
+ "\n",
+ "# Define the KMeans model\n",
+ "kmeans = KMeans(n_clusters=200) # for demonstration, we're using 2 clusters\n",
+ "\n",
+ "# Fit the model to the data\n",
+ "kmeans.fit(X)\n",
+ "\n",
+ "# Get cluster assignments for each row in the DataFrame\n",
+ "df['Cluster'] = kmeans.labels_"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 141,
+ "id": "5042e723",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "df['Cluster'] = kmeans.labels_"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 142,
+ "id": "ca603c98",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "# Group by the 'Cluster' column and get the 'Label' values\n",
+ "grouped = df.groupby('Cluster')['Label'].apply(list)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 143,
+ "id": "f3a65e68",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "200"
+ ]
+ },
+ "execution_count": 143,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "len(grouped)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 144,
+ "id": "918a9699",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ ""
+ ]
+ },
+ "execution_count": 144,
+ "metadata": {},
+ "output_type": "execute_result"
+ },
+ {
+ "data": {
+ "image/png": "",
+ "text/plain": [
+ "
" + ] + }, + "metadata": {}, + "output_type": "display_data" + } + ], + "source": [ + "pd.Series([len(group) for group in grouped]).hist()" + ] + }, + { + "cell_type": "code", + "execution_count": 151, + "id": "64d39cdf", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "['Certain files like \"FloatCapital_v0.sol\", \"Treasury_v0.sol\" and \"oracles/\" are not in the scope for the bounty program.',\n", + " 'There is a guideline not to submit assumptions such as the owner may be compromised or centralized. The methods with the onlyowner/onlygovernance modifiers are strictly coming through the trustful bodies.',\n", + " 'Participants who started doing contests since June are not eligible to receive any token airdrop. They would have needed to start in 2021.',\n", + " 'The Code4rena staff are employees of a corporation hired by a DAO, so they can’t sign on behalf of the DAO.',\n", + " 'Rewards are distributed by the CodeArena team and cannot be withdrawn via a smart contract.',\n", + " \"Leaderboard standing in CodeArena is not transferrable. Findings submitted under a user's current handle or username are not moved to another account.\",\n", + " 'Listing any of the C4udit gas findings will void your report and count as 3 rejected reports.',\n", + " 'Creating an alternate account and submitting the same issue from both accounts does not increase share, it decreases due to sybil protection.',\n", + " 'Labels like \"bug\", \"grade-c\", and \"unsatisfactory\" on an issue indicate that it is not eligible for rewards.',\n", + " 'Findings listed in the best bot-generated report are out of the contest’s scope, similar to the current “Automated Findings”.',\n", + " \"Users cannot receive a reward for findings made with ChatGPT. 
If they wish to use AI in auditing, they're advised to enter the bot races instead.\",\n", + " \"Regarding the bot races, the bots are considered a warden's intellectual property and are unlikely to be open sourced by CodeArena.\",\n", + " 'The same issues reported by a bot should not be included in the report unless they build a more complex exploit.',\n", + " 'For each contest, the Readme Page has a section titled \"Known Findings\" where automated findings not accepted in the contests are listed.',\n", + " 'If a bot finds a high or medium finding, it only gets the bot pool reward based on the bot race rank. Bots can only gain more rewards by having more points and shifting the rank cutoffs, thus bumping others to lower ranks.',\n", + " \"A user's submitted bug report that has been rejected can be found in Github's closed issues.\",\n", + " 'QA reports that include QA bot findings from bot races but develop their explanation more and are more detailed are not eligible for QA report rewards.',\n", + " 'If a participant submitted issues for a contest but did not make the award list, it is likely that their issues were rejected. 
Confirmation can be done by reviewing the available report.',\n",
+ " 'Users may not submit different issues with different impacts or different attack scenarios if they all originate from the same root cause.']"
+ ]
+ },
+ "execution_count": 151,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "grouped[175]"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "id": "322abb1a",
+ "metadata": {},
+ "source": [
+ "### Add Facts to Faiss"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 337,
+ "id": "f6207b93",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "from langchain.embeddings.openai import OpenAIEmbeddings\n",
+ "embeddings = OpenAIEmbeddings()\n",
+ "embedding_class = UseExisting()\n",
+ "facts_db = FAISS.from_texts(all_facts, embeddings)\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 338,
+ "id": "47186640",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "[Document(page_content='Users are allowed to present their proofs of concept (PoC) in either code or plain English.', metadata={}),\n",
+ " Document(page_content='Some participants are curious about the use of fuzzing tools like Echidna for auditing in contests.', metadata={}),\n",
+ " Document(page_content=\"It's acceptable to submit a (very long) proof of concept (POC) using external platforms such as gist.\", metadata={}),\n",
+ " Document(page_content=\"It's not necessary for a PoC to be exact code.\", metadata={}),\n",
+ " Document(page_content='Users are curious about the use of fuzzing tools like Echidna for auditing in contests.', metadata={}),\n",
+ " Document(page_content='There is a GitHub link that provides instructions on sharing vulnerability discovery PoCs: https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc', metadata={}),\n",
+ " Document(page_content=\"There's a question on whether potential medium findings need to include Proof of Concept (POC).\", metadata={}),\n",
+ " Document(page_content='It is suggested that auditors can create coded Proof-of-Concepts (POCs) to further explain their reported issues, but it will not have an effect on awards or the contest per C4 guidelines.', metadata={}),\n",
+ " Document(page_content='While submitting an issue for any contest, it is beneficial to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid.', metadata={}),\n",
+ " Document(page_content='Users can submit code for proof of concepts (PoC) for each bug they find.', metadata={}),\n",
+ " Document(page_content='Users can write Proof of Concept (PoC) in any language, as long as it demonstrates the vulnerability.', metadata={}),\n",
+ " Document(page_content='Web applications might be in the scope of certain contests.', metadata={}),\n",
+ " Document(page_content=\"The discussion includes a query about whether a bug report without Proof of Concept (PoC) would be accepted; the response suggests that without a PoC, a finding may be disregarded unless the issue is extremely obvious (such as a wrong parameter, typo, or code that doesn't compile).\", metadata={}),\n",
+ " Document(page_content='If a user has written a Proof of Concept (POC) script for a vulnerability, they can include the link in the submission wherever relevant.', metadata={}),\n",
+ " Document(page_content='It is acceptable to submit long proofs of concept (POC) using external platforms like Gist.', metadata={}),\n",
+ " Document(page_content='Instructions on how to include a PoC are available at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.', metadata={}),\n",
+ " Document(page_content=\"Code4rena encourages participants to reach out to the sponsor team during the contest if they think they've found something and want to ask questions. 
Participants can also disclose a vulnerability directly to them, but they need to submit it via the contest submission form or it won't be eligible for awards.\", metadata={}),\n",
+ " Document(page_content='Proof of Concepts (POCs) can be submitted by creating a public Github repository or by providing a diff of an existing sponsor-supplied test/contract.', metadata={}),\n",
+ " Document(page_content='There was a question about whether citing similar findings from other contests is allowed to justify the severity and validity within submissions.', metadata={}),\n",
+ " Document(page_content='A query about whether a POC (Proof of Concept) should fully show every step in code is raised but not answered in the excerpt.', metadata={})]"
+ ]
+ },
+ "execution_count": 338,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "facts_db.similarity_search(\"Is it allowed to use arbitrary tools for PoC? Or must I use the framework which the contest project is set up with?\", k=20)"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "id": "831a07c0",
+ "metadata": {},
+ "source": [
+ "### Topic Modeling"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 64,
+ "id": "87fd515e",
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "Collecting gensim\n",
+ " Obtaining dependency information for gensim from https://files.pythonhosted.org/packages/63/46/5feab9c524a380bfa9f9f1c0d065743280dca30b216ab4c7a231f22dbed7/gensim-4.3.2-cp311-cp311-macosx_11_0_arm64.whl.metadata\n",
+ " Downloading gensim-4.3.2-cp311-cp311-macosx_11_0_arm64.whl.metadata (8.3 kB)\n",
+ "Collecting nltk\n",
+ " Downloading nltk-3.8.1-py3-none-any.whl (1.5 MB)\n",
+ "\u001b[2K \u001b[38;2;114;156;31m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001b[0m \u001b[32m1.5/1.5 MB\u001b[0m \u001b[31m17.8 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m31m18.4 MB/s\u001b[0m eta \u001b[36m0:00:01\u001b[0m\n",
+ "\u001b[?25hRequirement already satisfied: 
numpy>=1.18.5 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from gensim) (1.25.2)\n",
+ "Requirement already satisfied: scipy>=1.7.0 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from gensim) (1.11.2)\n",
+ "Collecting smart-open>=1.8.1 (from gensim)\n",
+ " Obtaining dependency information for smart-open>=1.8.1 from https://files.pythonhosted.org/packages/fc/d9/d97f1db64b09278aba64e8c81b5d322d436132df5741c518f3823824fae0/smart_open-6.4.0-py3-none-any.whl.metadata\n",
+ " Downloading smart_open-6.4.0-py3-none-any.whl.metadata (21 kB)\n",
+ "Collecting click (from nltk)\n",
+ " Obtaining dependency information for click from https://files.pythonhosted.org/packages/00/2e/d53fa4befbf2cfa713304affc7ca780ce4fc1fd8710527771b58311a3229/click-8.1.7-py3-none-any.whl.metadata\n",
+ " Downloading click-8.1.7-py3-none-any.whl.metadata (3.0 kB)\n",
+ "Requirement already satisfied: joblib in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from nltk) (1.3.2)\n",
+ "Requirement already satisfied: regex>=2021.8.3 in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from nltk) (2023.8.8)\n",
+ "Requirement already satisfied: tqdm in /Users/allanniemerg/miniconda3/envs/ollama-test/lib/python3.11/site-packages (from nltk) (4.66.1)\n",
+ "Downloading gensim-4.3.2-cp311-cp311-macosx_11_0_arm64.whl (24.0 MB)\n",
+ "\u001b[2K \u001b[38;2;114;156;31m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001b[0m \u001b[32m24.0/24.0 MB\u001b[0m \u001b[31m50.2 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0mm eta \u001b[36m0:00:01\u001b[0m[36m0:00:01\u001b[0m\n",
+ "\u001b[?25hDownloading smart_open-6.4.0-py3-none-any.whl (57 kB)\n",
+ "\u001b[2K \u001b[38;2;114;156;31m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001b[0m \u001b[32m57.0/57.0 kB\u001b[0m \u001b[31m6.2 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n",
+ "\u001b[?25hDownloading click-8.1.7-py3-none-any.whl (97 kB)\n",
+ "\u001b[2K \u001b[38;2;114;156;31m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001b[0m \u001b[32m97.9/97.9 kB\u001b[0m \u001b[31m10.2 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n",
+ "\u001b[?25hInstalling collected packages: smart-open, click, nltk, gensim\n",
+ "Successfully installed click-8.1.7 gensim-4.3.2 nltk-3.8.1 smart-open-6.4.0\n",
+ "Note: you may need to restart the kernel to use updated packages.\n"
+ ]
+ }
+ ],
+ "source": [
+ "%pip install gensim nltk"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 68,
+ "id": "c3b04044",
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stderr",
+ "output_type": "stream",
+ "text": [
+ "[nltk_data] Downloading package stopwords to\n",
+ "[nltk_data] /Users/allanniemerg/nltk_data...\n",
+ "[nltk_data] Package stopwords is already up-to-date!\n",
+ "[nltk_data] Downloading package wordnet to\n",
+ "[nltk_data] /Users/allanniemerg/nltk_data...\n"
+ ]
+ },
+ {
+ "data": {
+ "text/plain": [
+ "True"
+ ]
+ },
+ "execution_count": 68,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "import nltk\n",
+ "nltk.download('stopwords')\n",
+ "nltk.download('wordnet')"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 71,
+ "id": "a4f3208d",
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "[(0, '0.049*\"email\" + 0.030*\"issue\" + 0.027*\"question\" + 0.020*\"user\" + 0.020*\"whether\"'), (1, '0.047*\"contest\" + 0.018*\"question\" + 0.016*\"participant\" + 0.014*\"testing\" + 0.012*\"bug\"'), (2, '0.026*\"report\" + 0.019*\"code\" + 0.013*\"issue\" + 0.011*\"project\" + 0.011*\"line\"'), (3, '0.020*\"pool\" + 0.017*\"question\" + 0.015*\"contract\" + 0.012*\"sherlock\" + 0.012*\"protocol\"'), (4, '0.075*\"contract\" + 0.052*\"smart\" + 0.017*\"team\" + 0.017*\"distributed\" + 0.016*\"award\"'), (5, '0.025*\"contest\" + 0.015*\"finding\" + 0.015*\"contract\" + 0.013*\"test\" + 0.013*\"submit\"'), (6, '0.029*\"issue\" + 0.025*\"process\" + 
0.023*\"handle\" + 0.023*\"award\" + 0.018*\"finding\"'), (7, '0.038*\"report\" + 0.027*\"contest\" + 0.015*\"issue\" + 0.014*\"suggestion\" + 0.014*\"published\"'), (8, '0.061*\"contest\" + 0.012*\"gas\" + 0.011*\"warden\" + 0.010*\"website\" + 0.010*\"finding\"'), (9, '0.038*\"contest\" + 0.021*\"report\" + 0.018*\"address\" + 0.018*\"finding\" + 0.018*\"question\"'), (10, '0.023*\"contest\" + 0.013*\"link\" + 0.013*\"reality\" + 0.013*\"card\" + 0.012*\"protocol\"'), (11, '0.039*\"submission\" + 0.020*\"time\" + 0.017*\"sponsor\" + 0.017*\"gas\" + 0.016*\"contest\"'), (12, '0.027*\"contest\" + 0.015*\"code\" + 0.015*\"finding\" + 0.012*\"test\" + 0.012*\"submitted\"'), (13, '0.050*\"contest\" + 0.033*\"submission\" + 0.021*\"time\" + 0.017*\"issue\" + 0.012*\"github\"'), (14, '0.031*\"user\" + 0.023*\"address\" + 0.020*\"question\" + 0.017*\"submission\" + 0.014*\"specific\"')]\n"
+ ]
+ }
+ ],
+ "source": [
+ "import gensim\n",
+ "from gensim import corpora\n",
+ "from nltk.corpus import stopwords\n",
+ "from nltk.stem.wordnet import WordNetLemmatizer\n",
+ "import string\n",
+ "\n",
+ "# Download if you haven't\n",
+ "# import nltk\n",
+ "# nltk.download('stopwords')\n",
+ "# nltk.download('wordnet')\n",
+ "\n",
+ "# Load stopwords and lemmatizer\n",
+ "stop = set(stopwords.words('english'))\n",
+ "exclude = set(string.punctuation)\n",
+ "lemma = WordNetLemmatizer()\n",
+ "\n",
+ "# Data cleaning function\n",
+ "def clean(doc):\n",
+ " stop_free = \" \".join([i for i in doc.lower().split() if i not in stop])\n",
+ " punc_free = ''.join(ch for ch in stop_free if ch not in exclude)\n",
+ " normalized = \" \".join(lemma.lemmatize(word) for word in punc_free.split())\n",
+ " return normalized\n",
+ "\n",
+ "# Prepare data\n",
+ "data_clean = [clean(doc).split() for doc in all_facts] # assuming \"facts\" is your list of sentences\n",
+ "\n",
+ "# Create term dictionary\n",
+ "dictionary = corpora.Dictionary(data_clean)\n",
+ "\n",
+ "# Create document-term 
matrix\n",
+ "doc_term_matrix = [dictionary.doc2bow(doc) for doc in data_clean]\n",
+ "\n",
+ "# Create LDA model\n",
+ "lda = gensim.models.ldamodel.LdaModel\n",
+ "\n",
+ "# Train LDA model (for example, with 5 topics)\n",
+ "ldamodel = lda(doc_term_matrix, num_topics=15, id2word = dictionary, passes=50)\n",
+ "\n",
+ "# Print topics\n",
+ "print(ldamodel.print_topics(num_topics=30, num_words=5))\n",
+ "\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 72,
+ "id": "2d34ef03",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "from gensim.models import CoherenceModel\n",
+ "\n",
+ "coherence_model_lda = CoherenceModel(model=ldamodel, texts=data_clean, dictionary=dictionary, coherence='c_v')\n",
+ "coherence_lda = coherence_model_lda.get_coherence_per_topic()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 75,
+ "id": "b8c06796",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "# After training the LDA model\n",
+ "\n",
+ "# Get the topic distribution for all documents\n",
+ "document_topics = ldamodel.get_document_topics(doc_term_matrix, minimum_probability=0)\n",
+ "\n",
+ "# Filter documents that correlate strongly with a given topic (e.g., topic 0)\n",
+ "topic_id = 0\n",
+ "threshold = 0.5 # adjust this threshold as needed\n",
+ "\n",
+ "strongly_correlated_docs = []\n",
+ "for doc_id, topics in enumerate(document_topics):\n",
+ " for topic, prob in topics:\n",
+ " if topic == topic_id and prob >= threshold:\n",
+ " strongly_correlated_docs.append((doc_id, prob))\n",
+ "\n",
+ "# Sort by correlation strength\n",
+ "sorted_docs = sorted(strongly_correlated_docs, key=lambda x: x[1], reverse=True)\n",
+ "\n",
+ "# Get the actual documents\n",
+ "correlated_documents = [all_facts[doc_id] for doc_id, _ in sorted_docs]"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 76,
+ "id": "f8bb91cc",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "['The maple-core repo has a test script set to use 100 fuzz runs, but for 
first time users, it is recommended to use 1 fuzz run and then increase to 10-100 fuzz runs after the first run.',\n",
+ " 'It was clarified that when the report is out, the repo will be fully opened and participants will be able to see the discussion among sponsors and judges on the specific issue.',\n",
+ " 'Auditors may need to manually check the differences between contracts, or they might be able to run a diff command on the two contracts.',\n",
+ " 'A question was raised about whether wardens who report the same vulnerability but with different severities are given the same severity for award calculation.',\n",
+ " 'Users are advised to switch to a different email address if they are experiencing issues with receiving emails.',\n",
+ " 'Questions about the Vader protocol can be directed to a specific individual, and the latest updates have been posted at https://github.com/code-423n4/2021-04-vader.',\n",
+ " 'A forum post that works through all the moving pieces in the opening constitution and delegation can be found at https://forum.code4rena.com/t/c4ip-1-2-3-4-5-constitution-dao-bootstrapping-reimbursements-token-sale/93.',\n",
+ " 'If wardens report the same vulnerability but with different severities, they are given the same severity for award calculation.',\n",
+ " 'Two big bugs have been found in the internal audit that have not been picked up by any wardens yet.',\n",
+ " 'The term \"gov-wg\" refers to a Working Group set up for a DAO structure.',\n",
+ " 'The tool that generates a specific output is not known, but most people use Slither.',\n",
+ " \"InvariantTransactionData.transactionId is a unique identifier for the crosschain transfer to be used in Connext's protocol.\",\n",
+ " 'The question of whether a minter or burner role is an issue was raised.',\n",
+ " 'There was a spam issue with Yahoo and Hotmail email addresses in the past.',\n",
+ " 'There is an outreach effort to connect with users and ask them about their experiences with C4.',\n",
+ " 'There is a question about whether a minter or burner role is an issue.',\n",
+ " 'Questions can be asked in private for detailed answers and guidance.',\n",
+ " 'There are pending awards for LPT tokens and NFTX.',\n",
+ " 'LPT tokens and NFTX awards are pending.',\n",
+ " 'There is no email notification for the validity of each submitted issue.',\n",
+ " 'There is a question about the difference between low/medium/high risk finds.',\n",
+ " 'There has been an effort to move to authenticated warden accounts.',\n",
+ " 'Results for past projects are being worked on and should be up soon.',\n",
+ " 'The address of the C4 token is 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222.',\n",
+ " '\"gov-wg\" refers to a Working Group set up to establish a DAO structure.',\n",
+ " 'There is a request to check https://github.com/code-423n4/code423n4.com/pull/62',\n",
+ " \"There was an issue with a user's email flagging C4 emails as spam.\",\n",
+ " 'Some users have experienced issues with receiving emails from CodeArena, with emails being flagged as spam.',\n",
+ " 'There is a suggestion to add the severity of the bug to the C4 emails that are sent out after an issue is submitted.',\n",
+ " 'After submitting a finding, users do not need to do anything else but wait until the contest ends and check the results on the website.']"
+ ]
+ },
+ "execution_count": 76,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "correlated_documents"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "42fc5917",
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ },
+ {
+ "cell_type": "markdown",
+ "id": "0d834962",
+ "metadata": {},
+ "source": [
+ "### Extract Questions and Answers"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 159,
+ "id": "54240436",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "u1 = '''\n",
+ "We are trying to build a FAQ using questions and answers present in our Discord chatroom. 
Our company is CodeArena (C4), a company that helps other companies receive audits of their smart contracts. You are an expert at constructing frequently asked question documents. \n",
+ "\n",
+ "Please carefully review the chat log and extract question and answer pairs. Please keep extracting questions and answers until you've extracted them all. Questions may be implicit, so read between the lines. There may not always be an answer provided by another user in the chat. Please just leave the answer blank, if that's the case. \n",
+ "\n",
+ "Chat: \n",
+ "{}\n",
+ "\n",
+ "Please provide a bulleted list of questions and answers from this chat. Do not mention or reference any chat usernames or individuals. When a question or answer relates to a link, ALWAYS include the link. If possible, try to figure out \n",
+ "a specific thing when a general noun is used (for example use \"ribbon finance contest\" rather \n",
+ "than \"contest\" if the context supports it). \n",
+ "Format: \n",
+ "Q: [Question] \n",
+ "A: [Answer]\n",
+ "\n",
+ "Q: [Question] \n",
+ "A: [Answer]\n",
+ "'''\n",
+ "\n",
+ "all_qs = []\n",
+ "interval_start = 0"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 179,
+ "id": "affc8408",
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "Current Interval: 5655 - 5675\n",
+ "Current Interval: 5670 - 5690\n",
+ "Current Interval: 5685 - 5705\n",
+ "Current Interval: 5700 - 5720\n",
+ "Current Interval: 5715 - 5735\n",
+ "Current Interval: 5730 - 5750\n",
+ "Current Interval: 5745 - 5765\n",
+ "Current Interval: 5760 - 5780\n",
+ "Current Interval: 5775 - 5795\n",
+ "Current Interval: 5790 - 5810\n",
+ "Current Interval: 5805 - 5825\n",
+ "Current Interval: 5820 - 5840\n",
+ "Current Interval: 5835 - 5855\n",
+ "Current Interval: 5850 - 5870\n",
+ "Current Interval: 5865 - 5885\n",
+ "Current Interval: 5880 - 5900\n",
+ "Current Interval: 5895 - 5915\n",
+ "Current Interval: 5910 - 5930\n",
+ "Current Interval: 5925 - 5945\n",
+ "Current Interval: 5940 - 5960\n",
+ "Current Interval: 5955 - 5975\n",
+ "Current Interval: 5970 - 5990\n",
+ "Current Interval: 5985 - 6005\n",
+ "Current Interval: 6000 - 6020\n",
+ "Current Interval: 6015 - 6035\n",
+ "Current Interval: 6030 - 6050\n",
+ "Current Interval: 6045 - 6065\n",
+ "Current Interval: 6060 - 6080\n",
+ "Current Interval: 6075 - 6095\n",
+ "Current Interval: 6090 - 6110\n",
+ "Current Interval: 6105 - 6125\n",
+ "Current Interval: 6120 - 6140\n",
+ "Current Interval: 6135 - 6155\n",
+ "Current Interval: 6150 - 6170\n",
+ "Current Interval: 6165 - 6185\n",
+ "Current Interval: 6180 - 6200\n",
+ "Current Interval: 6195 - 6215\n",
+ "Current Interval: 6210 - 6230\n",
+ "Current Interval: 6225 - 6245\n",
+ "Current Interval: 6240 - 6260\n",
+ "Current Interval: 6255 - 6275\n",
+ "Current Interval: 6270 - 6290\n",
+ "Current Interval: 6285 - 6305\n",
+ "Current Interval: 6300 - 6320\n",
+ "Current Interval: 6315 - 6335\n",
+ "Current Interval: 6330 - 6350\n",
+ "Current Interval: 6345 - 6365\n",
+ "Current Interval: 6360 - 6380\n"
+ ]
+ }
+ ],
+ "source": [
+ "\n",
+ "\n",
+ "length = 20\n",
+ "overlap = 5\n",
+ "\n",
+ "\n",
+ "while True:\n",
+ " try:\n",
+ " if interval_start > len(chat_data):\n",
+ " break\n",
+ " end_interval = interval_start + length\n",
+ " print(\"Current Interval:\", interval_start, \"-\", end_interval)\n",
+ " excerpt = chat_data[interval_start:end_interval]\n",
+ " prompt = u1.format(excerpt)\n",
+ " qs = model.predict_messages([HumanMessage(content=prompt)]) \n",
+ " list_of_qs = [x.strip(\"\\n\").strip(\" \") for x in qs.content.split(\"Q: \") if x != '']\n",
+ " all_qs += list_of_qs\n",
+ " interval_start += (length - overlap)\n",
+ " except Exception as e: \n",
+ " print(e)\n",
+ " break"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 181,
+ "id": "d3efdb6d",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "3595"
+ ]
+ },
+ "execution_count": 
181,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "len(all_qs)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 182,
+ "id": "e989ed4f",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "'Can I participate in contests without being a certified contributor?\\nA: You may participate without being certified. However, some contests will require certification for payouts if any of your submissions are awarded.'"
+ ]
+ },
+ "execution_count": 182,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "all_qs[-1]"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 183,
+ "id": "a62db2ac",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "# Convert the list to a JSON formatted string\n",
+ "json_string = json.dumps(all_qs)\n",
+ "\n",
+ "# Write the JSON string to a file\n",
+ "with open(\"./codearena/codearena-qs_09_23.json\", \"w\") as file:\n",
+ " file.write(json_string)\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 184,
+ "id": "dc357744",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "# Read the JSON string from the file\n",
+ "with open(\"./codearena/codearena-qs_09_23.json\", \"r\") as file:\n",
+ " json_string = file.read()\n",
+ "\n",
+ "# Convert the JSON formatted string back to a Python list\n",
+ "all_qs2 = json.loads(json_string)\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 185,
+ "id": "ac3b0281",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "3595"
+ ]
+ },
+ "execution_count": 185,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "len(all_qs2)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 249,
+ "id": "d9794cd9",
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "How should we treat upgradeable contracts findings in case of Medium-risk vulnerabilities, for example DoSing or bricking the contract?\n",
+ "A: If the protocol 
can be bricked until the upgrade takes place, it's the text book definition of a Medium risk bug.\n"
+ ]
+ }
+ ],
+ "source": [
+ "import random\n",
+ "index = random.randrange(len(all_qs2))\n",
+ "print(all_qs2[index])"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "7f5ddaab",
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ },
+ {
+ "cell_type": "markdown",
+ "id": "eaaf7f92",
+ "metadata": {},
+ "source": [
+ "### De-duplicate Questions"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "87afad28",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "embeddings = OpenAIEmbeddings()\n",
+ "embedding_class = UseExisting()\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 272,
+ "id": "4a0e9663",
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "I am an undergrad IT student currently in my 3rd year. My current goal is to make my career in cybersecurity. I am totally invested in learning about smart contracts, but I fear that by doing so, my web2 security skills would be on a halt which I don't want. My only motivation learning about smart contracts is 'money' than bugcrowd/hackerone. What should I do? Should I complete focus on smart contract and make money or focus on web2 security and do this as a sidekick?\n",
+ "A1: The focus shouldn’t be on money, but on growing your skillset and knowledge. If that’s the sole reason for learning about Web3, then you should focus on building a strong foundation in Web2 security. You’re still young, make full use of your time to discover what you’re competent at and what interests you more. \n",
+ "A2: Only you can answer that question. You know what matters more for you personally. Good money can be made both in Web2 and Web3 if you are good. It seems you still have a very on the surface understanding of both types of security practices. 
Perhaps you should deepen your knowledge in both until one side \"grabs\" you more than the other. \n",
+ "A3: The focus should be on what you enjoy the most. If you like the crypto/finance world, you should focus on that.\n",
+ "A4: The choice is all yours. Cybersecurity is a broad career path with many domains. If you want to focus as a Penetration Tester and juggle smart contract auditing, your first step is to learn about the technology then apply the cybersecurity concepts to it with an attacker mindset.\n",
+ "-\n"
+ ]
+ }
+ ],
+ "source": [
+ "question_and_answers = []\n",
+ "for q_a in all_qs2:\n",
+ " try:\n",
+ " question = q_a.split(\"A:\")[0]\n",
+ " answer = q_a.split(\"A:\")[1]\n",
+ " question_and_answers.append((question, {'answer': answer}))\n",
+ " except:\n",
+ " print(q_a)\n",
+ " \n",
+ " "
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 267,
+ "id": "a9a64c69",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "3593"
+ ]
+ },
+ "execution_count": 267,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "len(question_and_answers)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "174360c4",
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 273,
+ "id": "704a2e73",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "# Convert the data into a DataFrame\n",
+ "all_questions, all_answers = zip(*question_and_answers)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 274,
+ "id": "c00462b0",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "('Can I participate in contests without being a certified contributor?\\n',\n",
+ " {'answer': ' You may participate without being certified. 
However, some contests will require certification for payouts if any of your submissions are awarded.'})"
+ ]
+ },
+ "execution_count": 274,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "all_questions[-1], all_answers[-1]"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 275,
+ "id": "534c24e0",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "db = FAISS.from_texts(all_questions, embeddings, metadatas=all_answers)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 276,
+ "id": "f4f709d7",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "[Document(page_content='More contest please?\\n', metadata={'answer': ' Ethos is big enough to keep wardens busy for a while.'}),\n",
+ " Document(page_content='More contest coming out?\\n', metadata={'answer': ' [No answer provided]'}),\n",
+ " Document(page_content='What is vs contest? \\n', metadata={'answer': ' A slightly different contest with only 3 wardens!'}),\n",
+ " Document(page_content='Where can we see current ongoing contests?\\n', metadata={'answer': ' The team is currently talking to a number of projects about upcoming audits, implying that there are currently no ongoing contests.'})]"
+ ]
+ },
+ "execution_count": 276,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "db.similarity_search(\"contests\")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 315,
+ "id": "0cbb2e24",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "# Assume you have the FAISS index loaded as 'index'\n",
+ "\n",
+ "threshold_distance = 0.3 # Define a suitable threshold, 0.2 is very good\n",
+ "groups = []\n",
+ "grouped_indices = set()\n",
+ "\n",
+ "for i in range(db.index.ntotal):\n",
+ " if i not in grouped_indices:\n",
+ " query_embedding = np.array([db.index.reconstruct(i)]) # Get the embedding for the i-th index\n",
+ " D, I = db.index.search(query_embedding, db.index.ntotal)\n",
+ " similar_indices = I[D < 
threshold_distance**2].ravel() # Squaring threshold because L2 distance\n",
+ " groups.append(similar_indices.tolist())\n",
+ " grouped_indices.update(similar_indices)\n",
+ "\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 316,
+ "id": "8e918626",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "2767"
+ ]
+ },
+ "execution_count": 316,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "len(groups)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 317,
+ "id": "94e7636d",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ ""
+ ]
+ },
+ "execution_count": 317,
+ "metadata": {},
+ "output_type": "execute_result"
+ },
+ {
+ "data": {
+ "image/png": "",
+ "text/plain": [
+ "
"
+ ]
+ },
+ "metadata": {},
+ "output_type": "display_data"
+ }
+ ],
+ "source": [
+ "pd.Series([len(group) for group in groups]).hist()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 360,
+ "id": "fb9b7258",
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "4 199\n",
+ "4 218\n",
+ "10 508\n",
+ "3 775\n",
+ "5 1014\n",
+ "3 1037\n",
+ "3 1208\n",
+ "3 1315\n",
+ "3 1366\n",
+ "3 1405\n",
+ "4 1427\n",
+ "3 1441\n",
+ "3 1455\n",
+ "3 1457\n",
+ "3 1479\n",
+ "3 1488\n",
+ "3 1512\n",
+ "4 1534\n",
+ "3 1554\n",
+ "5 1598\n",
+ "4 1643\n",
+ "3 1649\n",
+ "3 1728\n",
+ "3 1814\n",
+ "3 1916\n",
+ "3 1983\n",
+ "3 2007\n",
+ "3 2186\n",
+ "3 2204\n",
+ "4 2245\n",
+ "4 2352\n",
+ "3 2399\n",
+ "3 2402\n",
+ "6 2407\n",
+ "4 2481\n",
+ "3 2489\n",
+ "3 2551\n"
+ ]
+ }
+ ],
+ "source": [
+ "for x in range(len(groups)):\n",
+ " if len(groups[x]) > 2:\n",
+ " print(len(groups[x]), x)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 318,
+ "id": "90c979c7",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "[[241, 1034, 1037, 2152],\n",
+ " [264, 268, 265, 267],\n",
+ " [623, 624, 1348, 1615, 2388, 2385, 2314, 2318, 2194, 2197],\n",
+ " [966, 969, 979],\n",
+ " [1267, 1983, 1988, 2672, 2674],\n",
+ " [1293, 2391, 1605],\n",
+ " [1509, 1512, 1348],\n",
+ " [1657, 1661, 1674],\n",
+ " [1727, 1731, 1753],\n",
+ " [1782, 2702, 2705],\n",
+ " [1808, 2729, 2616, 2364],\n",
+ " [1824, 1828, 2149],\n",
+ " [1844, 1853, 1855],\n",
+ " [1846, 1850, 1847],\n",
+ " [1880, 1883, 3368],\n",
+ " [1891, 1912, 1894],\n",
+ " [1925, 1938, 1942],\n",
+ " [1954, 1989, 1957, 1984],\n",
+ " [1985, 1990, 2019],\n",
+ " [2046, 2937, 3098, 3095, 3528],\n",
+ " [2102, 2105, 2355, 2217],\n",
+ " [2110, 2178, 2181],\n",
+ " [2213, 2217, 2355],\n",
+ " [2333, 2347, 2337],\n",
+ " [2466, 2470, 2479],\n",
+ " [2556, 2566, 2569],\n",
+ " [2591, 2595, 2597],\n",
+ " [2824, 3000, 2997],\n",
+ " [2847, 2857, 
2854],\n",
+ " [2899, 3120, 3424, 3243],\n",
+ " [3038, 3041, 3124, 3125],\n",
+ " [3093, 3108, 3105],\n",
+ " [3097, 3100, 3107],\n",
+ " [3106, 3109, 3133, 3135, 3152, 3167],\n",
+ " [3208, 3211, 3227, 3230],\n",
+ " [3219, 3222, 3254],\n",
+ " [3309, 3320, 3312]]"
+ ]
+ },
+ "execution_count": 318,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "[group for group in groups if len(group) > 2]"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 297,
+ "id": "48d09628",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "vector_at_i = db.index.reconstruct(1348)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 298,
+ "id": "b6383ed1",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "array([ 4.5435183e-02, -1.6280942e-02, -9.6684992e-03, ...,\n",
+ " 1.4441899e-02, 5.8949114e-05, -8.2718907e-05], dtype=float32)"
+ ]
+ },
+ "execution_count": 298,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "vector_at_i"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 322,
+ "id": "395910f6",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "[(Document(page_content=\"For submissions, if we have code that runs poc for each bug, how should we submit it? 
I'm thinking just adding a zip file to the submission is probably easiest but I could also share my private github repo with someone.\\n\", metadata={'answer': ' How large is the poc?'}),\n",
+ " 0.0)]"
+ ]
+ },
+ "execution_count": 322,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "db.similarity_search_with_score_by_vector(db.index.reconstruct(30), k=1)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 328,
+ "id": "e811c611",
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def get_at_index(array):\n",
+ " return [db.similarity_search_by_vector(db.index.reconstruct(x), k=1)[0] for x in array]"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 329,
+ "id": "072d890d",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "[Document(page_content='How can we apply to become a certified warden?\\n', metadata={'answer': ' You can apply to become a certified warden by filling this form: https://code4rena.com/certified-contributor-application.'}),\n",
+ " Document(page_content='How can we apply to become a certified warden?\\n', metadata={'answer': ' You can apply to become a certified warden by filling this form: https://code4rena.com/certified-contributor-application.'}),\n",
+ " Document(page_content='How to become a certified warden?\\n', metadata={'answer': ' You can become a certified warden by following the process outlined in this link: https://docs.code4rena.com/roles/certified-contributors'}),\n",
+ " Document(page_content='How does one become a certified warden?\\n', metadata={'answer': ' Read the documentation, you need to complete a KYC (Know Your Customer) process.'}),\n",
+ " Document(page_content='How does one become a certified warden?\\n', metadata={'answer': ' Read the documentation, you need to complete a KYC (Know Your Customer) process.'}),\n",
+ " Document(page_content='How does one become a certified warden? 
\\n', metadata={'answer': ' You can read more about becoming certified here: https://docs.code4rena.com/roles/certified-contributors.'}),\n", + " Document(page_content='What is the process of becoming a certified warden?\\n', metadata={'answer': ''}),\n", + " Document(page_content='What is the process of becoming a certified warden?\\n', metadata={'answer': ''}),\n", + " Document(page_content='What do you need to do to become a certified warden?\\n', metadata={'answer': ' You can find information on becoming a certified warden at this link: https://docs.code4rena.com/roles/certified-contributors'}),\n", + " Document(page_content='What do you need to do to become a certified warden?\\n', metadata={'answer': ' You can find information on becoming a certified warden at this link: https://docs.code4rena.com/roles/certified-contributors'})]" + ] + }, + "execution_count": 329, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "get_at_index([623, 624, 1348, 1615, 2388, 2385, 2314, 2318, 2194, 2197])" + ] + }, + { + "cell_type": "code", + "execution_count": 314, + "id": "bf08eb3c", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "[(Document(page_content='Will there be a mitigation review for Chainlink CCIP as mentioned in the original RSVP message?\\n', metadata={'answer': ' Yes, this is still planned.'}),\n", + " 0.0),\n", + " (Document(page_content='Will there be a mitigation review for Chainlink CCIP as mentioned in the original RSVP message?\\n', metadata={'answer': ' Yes this is still planned.'}),\n", + " 1.5012198e-05),\n", + " (Document(page_content='Will there be a mitigation review for Chainlink CCIP as mentioned in the original RSVP message https://discord.com/channels/810916927919620096/958800160870240286/1111007546183012382?\\n', metadata={'answer': ''}),\n", + " 0.03938529),\n", + " (Document(page_content='Will the mitigation review be limited to the top wardens of the corresponding initial contest?\\n', 
metadata={'answer': ' Yes, correct.'}),\n", + " 0.34130633),\n", + " (Document(page_content='Is the xETH - Mitigation Review Open for all the certificates users?\\n', metadata={'answer': ' Hi there. xETH Mit Rev. will be open to those who participated in the original Invitational audit.'}),\n", + " 0.35897225),\n", + " (Document(page_content='Is mitigation review limited to the top wardens of the corresponding initial contest?\\n', metadata={'answer': ' Yes, mitigation review will be limited to the top wardens of the corresponding initial contest.'}),\n", + " 0.37170786),\n", + " (Document(page_content='What is Mitigation review contest?\\n', metadata={'answer': ' Sometimes projects want to invite the top wardens back after the contests to review bug mitigations.'}),\n", + " 0.37368223),\n", + " (Document(page_content='What is Mitigation review contest?\\n', metadata={'answer': ''}),\n", + " 0.3737302),\n", + " (Document(page_content='Is the \"Mitigation review contest\" only in GoGoPool contest or will it be on any future contest?\\n', metadata={'answer': ' Yes, there will be more contests with this structure going forward: an initial audit prize pool + a mitigation review pool.'}),\n", + " 0.37432125),\n", + " (Document(page_content='What does a general Mitigation Review process consist of and who are eligible to participate?\\n', metadata={'answer': ' N/A'}),\n", + " 0.37906706)]" + ] + }, + "execution_count": 314, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "db.similarity_search_with_score_by_vector(db.index.reconstruct(3312), k=10)" + ] + }, + { + "cell_type": "markdown", + "id": "8a759875", + "metadata": {}, + "source": [ + "### FAISS" + ] + }, + { + "cell_type": "code", + "execution_count": 355, + "id": "f9882c3d", + "metadata": {}, + "outputs": [], + "source": [ + "q_a_enhance = '''\n", + "You are an expert at constructing frequently asked question documents. 
We are trying to improve a FAQ using information present in our Discord chatroom. Our company is CodeArena (C4), a company that helps other companies receive audits of their smart contracts. \n", + "\n", + "Your task will be to create a high quality question and answer pair. Below you are given several related questions we've seen and an answer for each (if we currently have one). After that we include a collection of observations from the chat history in our questions channel, please use these observations to improve your answer.\n", + "\n", + "\n", + "Questions and Answers:\n", + "{}\n", + "\n", + "Observations from the chat:\n", + "{}\n", + "\n", + "Please respond with just one improved question and answer. When a link is relevant to the answer, ALWAYS include the link. Try to include all information of value from the observations in the answer, but you can omit information not related to the question's topic. It's ok to express uncertainity. Adding additional context, definitions, or insights from the observations is welcome.\n", + "'''" + ] + }, + { + "cell_type": "code", + "execution_count": 356, + "id": "c1f49ed6", + "metadata": {}, + "outputs": [], + "source": [ + "q_a_string = \"\"\n", + "for x in get_at_index([623, 624, 1348, 1615, 2388, 2385, 2314, 2318, 2194, 2197]):\n", + " q_a_string += \" \".join([\"Q:\", x.page_content.rstrip(\"\\n\"), \"\\n\" \"A:\", x.metadata['answer'], \"\\n\"])\n", + " q_a_string += \"\\n\"\n" + ] + }, + { + "cell_type": "code", + "execution_count": 341, + "id": "1b4ece10", + "metadata": {}, + "outputs": [], + "source": [ + "facts_ = facts_db.similarity_search(\"How can we apply to become a certified warden?\" , k=30)" + ] + }, + { + "cell_type": "code", + "execution_count": 347, + "id": "984ee3d8", + "metadata": {}, + "outputs": [], + "source": [ + "facts_to_include = '\\n'.join([x.page_content for x in facts_])" + ] + }, + { + "cell_type": "code", + "execution_count": 351, + "id": "b99a629c", + "metadata": {}, + "outputs": 
[], + "source": [] + }, + { + "cell_type": "code", + "execution_count": 366, + "id": "140fc118", + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Working on 0\n", + "Working on 1\n", + "Working on 2\n", + "Working on 3\n", + "Working on 4\n", + "Working on 5\n", + "Working on 6\n", + "Working on 7\n", + "Working on 8\n", + "Working on 9\n", + "Working on 10\n", + "Working on 11\n", + "Working on 12\n", + "Working on 13\n", + "Working on 14\n", + "Working on 15\n", + "Working on 16\n", + "Working on 17\n", + "Working on 18\n", + "Working on 19\n", + "Working on 20\n", + "Working on 21\n", + "Working on 22\n", + "Working on 23\n", + "Working on 24\n", + "Working on 25\n", + "Working on 26\n", + "Working on 27\n", + "Working on 28\n", + "Working on 29\n", + "Working on 30\n", + "Working on 31\n", + "Working on 32\n", + "Working on 33\n", + "Working on 34\n", + "Working on 35\n", + "Working on 36\n", + "Working on 37\n", + "Working on 38\n", + "Working on 39\n", + "Working on 40\n", + "Working on 41\n", + "Working on 42\n", + "Working on 43\n", + "Working on 44\n", + "Working on 45\n", + "Working on 46\n", + "Working on 47\n", + "Working on 48\n", + "Working on 49\n", + "Working on 50\n", + "Working on 51\n", + "Working on 52\n", + "Working on 53\n", + "Working on 54\n", + "Working on 55\n", + "Working on 56\n", + "Working on 57\n", + "Working on 58\n", + "Working on 59\n", + "Working on 60\n", + "Working on 61\n", + "Working on 62\n", + "Working on 63\n", + "Working on 64\n", + "Working on 65\n", + "Working on 66\n", + "Working on 67\n", + "Working on 68\n", + "Working on 69\n", + "Working on 70\n", + "Working on 71\n", + "Working on 72\n", + "Working on 73\n" + ] + }, + { + "name": "stderr", + "output_type": "stream", + "text": [ + "Retrying langchain.chat_models.openai.ChatOpenAI.completion_with_retry.._completion_with_retry in 4.0 seconds as it raised Timeout: Request timed out: 
HTTPSConnectionPool(host='api.openai.com', port=443): Read timed out. (read timeout=600).\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Working on 74\n", + "Working on 75\n", + "Working on 76\n", + "Working on 77\n", + "Working on 78\n", + "Working on 79\n", + "Working on 80\n", + "Working on 81\n", + "Working on 82\n", + "Working on 83\n", + "Working on 84\n", + "Working on 85\n", + "Working on 86\n", + "Working on 87\n", + "Working on 88\n", + "Working on 89\n", + "Working on 90\n", + "Working on 91\n", + "Working on 92\n", + "Working on 93\n", + "Working on 94\n", + "Working on 95\n", + "Working on 96\n", + "Working on 97\n", + "Working on 98\n", + "Working on 99\n", + "Working on 100\n", + "Working on 101\n", + "Working on 102\n", + "Working on 103\n", + "Working on 104\n", + "Working on 105\n", + "Working on 106\n", + "Working on 107\n", + "Working on 108\n", + "Working on 109\n", + "Working on 110\n", + "Working on 111\n", + "Working on 112\n", + "Working on 113\n", + "Working on 114\n", + "Working on 115\n", + "Working on 116\n", + "Working on 117\n", + "Working on 118\n", + "Working on 119\n", + "Working on 120\n", + "Working on 121\n", + "Working on 122\n", + "Working on 123\n", + "Working on 124\n", + "Working on 125\n", + "Working on 126\n", + "Working on 127\n", + "Working on 128\n", + "Working on 129\n", + "Working on 130\n", + "Working on 131\n", + "Working on 132\n", + "Working on 133\n", + "Working on 134\n", + "Working on 135\n", + "Working on 136\n", + "Working on 137\n", + "Working on 138\n", + "Working on 139\n", + "Working on 140\n", + "Working on 141\n", + "Working on 142\n", + "Working on 143\n", + "Working on 144\n", + "Working on 145\n", + "Working on 146\n", + "Working on 147\n", + "Working on 148\n", + "Working on 149\n", + "Working on 150\n", + "Working on 151\n", + "Working on 152\n", + "Working on 153\n", + "Working on 154\n", + "Working on 155\n", + "Working on 156\n", + "Working on 157\n", + "Working 
on 158\n", + "Working on 159\n", + "Working on 160\n", + "Working on 161\n", + "Working on 162\n", + "Working on 163\n", + "Working on 164\n", + "Working on 165\n", + "Working on 166\n", + "Working on 167\n", + "Working on 168\n", + "Working on 169\n", + "Working on 170\n", + "Working on 171\n", + "Working on 172\n", + "Working on 173\n", + "Working on 174\n", + "Working on 175\n", + "Working on 176\n", + "Working on 177\n", + "Working on 178\n", + "Working on 179\n", + "Working on 180\n", + "Working on 181\n", + "Working on 182\n", + "Working on 183\n", + "Working on 184\n", + "Working on 185\n", + "Working on 186\n", + "Working on 187\n", + "Working on 188\n", + "Working on 189\n", + "Working on 190\n", + "Working on 191\n", + "Working on 192\n", + "Working on 193\n", + "Working on 194\n", + "Working on 195\n", + "Working on 196\n", + "Working on 197\n", + "Working on 198\n", + "Working on 199\n", + "Working on 200\n", + "Working on 201\n", + "Working on 202\n", + "Working on 203\n", + "Working on 204\n", + "Working on 205\n", + "Working on 206\n", + "Working on 207\n", + "Working on 208\n", + "Working on 209\n", + "Working on 210\n", + "Working on 211\n", + "Working on 212\n", + "Working on 213\n", + "Working on 214\n", + "Working on 215\n", + "Working on 216\n", + "Working on 217\n", + "Working on 218\n", + "Working on 219\n", + "Working on 220\n", + "Working on 221\n", + "Working on 222\n", + "Working on 223\n", + "Working on 224\n", + "Working on 225\n", + "Working on 226\n", + "Working on 227\n", + "Working on 228\n", + "Working on 229\n", + "Working on 230\n", + "Working on 231\n", + "Working on 232\n", + "Working on 233\n", + "Working on 234\n", + "Working on 235\n", + "Working on 236\n", + "Working on 237\n", + "Working on 238\n", + "Working on 239\n", + "Working on 240\n", + "Working on 241\n", + "Working on 242\n", + "Working on 243\n", + "Working on 244\n", + "Working on 245\n", + "Working on 246\n", + "Working on 247\n", + "Working on 248\n", + 
"Working on 249\n", + "Working on 250\n", + "Working on 251\n", + "Working on 252\n", + "Working on 253\n", + "Working on 254\n", + "Working on 255\n", + "Working on 256\n", + "Working on 257\n", + "Working on 258\n", + "Working on 259\n", + "Working on 260\n", + "Working on 261\n", + "Working on 262\n", + "Working on 263\n", + "Working on 264\n", + "Working on 265\n", + "Working on 266\n", + "Working on 267\n", + "Working on 268\n", + "Working on 269\n", + "Working on 270\n", + "Working on 271\n", + "Working on 272\n", + "Working on 273\n", + "Working on 274\n", + "Working on 275\n", + "Working on 276\n", + "Working on 277\n", + "Working on 278\n", + "Working on 279\n", + "Working on 280\n", + "Working on 281\n", + "Working on 282\n", + "Working on 283\n", + "Working on 284\n", + "Working on 285\n", + "Working on 286\n", + "Working on 287\n", + "Working on 288\n", + "Working on 289\n", + "Working on 290\n", + "Working on 291\n", + "Working on 292\n", + "Working on 293\n", + "Working on 294\n", + "Working on 295\n", + "Working on 296\n", + "Working on 297\n", + "Working on 298\n", + "Working on 299\n", + "Working on 300\n", + "Working on 301\n", + "Working on 302\n", + "Working on 303\n", + "Working on 304\n", + "Working on 305\n", + "Working on 306\n", + "Working on 307\n", + "Working on 308\n", + "Working on 309\n", + "Working on 310\n", + "Working on 311\n", + "Working on 312\n", + "Working on 313\n", + "Working on 314\n", + "Working on 315\n", + "Working on 316\n", + "Working on 317\n", + "Working on 318\n", + "Working on 319\n", + "Working on 320\n", + "Working on 321\n", + "Working on 322\n", + "Working on 323\n", + "Working on 324\n", + "Working on 325\n", + "Working on 326\n", + "Working on 327\n", + "Working on 328\n", + "Working on 329\n", + "Working on 330\n", + "Working on 331\n", + "Working on 332\n", + "Working on 333\n", + "Working on 334\n", + "Working on 335\n", + "Working on 336\n", + "Working on 337\n", + "Working on 338\n", + "Working on 339\n", 
+ "Working on 340\n", + "Working on 341\n", + "Working on 342\n", + "Working on 343\n", + "Working on 344\n", + "Working on 345\n", + "Working on 346\n", + "Working on 347\n", + "Working on 348\n", + "Working on 349\n", + "Working on 350\n", + "Working on 351\n", + "Working on 352\n", + "Working on 353\n", + "Working on 354\n", + "Working on 355\n", + "Working on 356\n", + "Working on 357\n", + "Working on 358\n", + "Working on 359\n", + "Working on 360\n", + "Working on 361\n", + "Working on 362\n", + "Working on 363\n", + "Working on 364\n", + "Working on 365\n", + "Working on 366\n", + "Working on 367\n", + "Working on 368\n", + "Working on 369\n", + "Working on 370\n", + "Working on 371\n", + "Working on 372\n", + "Working on 373\n", + "Working on 374\n", + "Working on 375\n", + "Working on 376\n", + "Working on 377\n", + "Working on 378\n", + "Working on 379\n", + "Working on 380\n", + "Working on 381\n", + "Working on 382\n", + "Working on 383\n", + "Working on 384\n", + "Working on 385\n", + "Working on 386\n", + "Working on 387\n", + "Working on 388\n", + "Working on 389\n", + "Working on 390\n", + "Working on 391\n", + "Working on 392\n", + "Working on 393\n", + "Working on 394\n", + "Working on 395\n", + "Working on 396\n", + "Working on 397\n", + "Working on 398\n", + "Working on 399\n", + "Working on 400\n", + "Working on 401\n", + "Working on 402\n", + "Working on 403\n", + "Working on 404\n", + "Working on 405\n", + "Working on 406\n", + "Working on 407\n", + "Working on 408\n", + "Working on 409\n", + "Working on 410\n", + "Working on 411\n", + "Working on 412\n", + "Working on 413\n", + "Working on 414\n", + "Working on 415\n", + "Working on 416\n", + "Working on 417\n" + ] + }, + { + "name": "stderr", + "output_type": "stream", + "text": [ + "Retrying langchain.chat_models.openai.ChatOpenAI.completion_with_retry.._completion_with_retry in 4.0 seconds as it raised Timeout: Request timed out: HTTPSConnectionPool(host='api.openai.com', port=443): Read 
timed out. (read timeout=600).\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Working on 418\n", + "Working on 419\n", + "Working on 420\n", + "Working on 421\n", + "Working on 422\n", + "Working on 423\n", + "Working on 424\n", + "Working on 425\n", + "Working on 426\n", + "Working on 427\n", + "Working on 428\n", + "Working on 429\n", + "Working on 430\n", + "Working on 431\n", + "Working on 432\n", + "Working on 433\n", + "Working on 434\n", + "Working on 435\n", + "Working on 436\n", + "Working on 437\n", + "Working on 438\n", + "Working on 439\n", + "Working on 440\n", + "Working on 441\n", + "Working on 442\n", + "Working on 443\n", + "Working on 444\n", + "Working on 445\n", + "Working on 446\n", + "Working on 447\n", + "Working on 448\n", + "Working on 449\n", + "Working on 450\n", + "Working on 451\n", + "Working on 452\n", + "Working on 453\n", + "Working on 454\n", + "Working on 455\n", + "Working on 456\n", + "Working on 457\n", + "Working on 458\n", + "Working on 459\n", + "Working on 460\n", + "Working on 461\n", + "Working on 462\n", + "Working on 463\n", + "Working on 464\n", + "Working on 465\n", + "Working on 466\n", + "Working on 467\n", + "Working on 468\n", + "Working on 469\n", + "Working on 470\n", + "Working on 471\n", + "Working on 472\n", + "Working on 473\n", + "Working on 474\n", + "Working on 475\n", + "Working on 476\n", + "Working on 477\n", + "Working on 478\n", + "Working on 479\n", + "Working on 480\n", + "Working on 481\n", + "Working on 482\n", + "Working on 483\n", + "Working on 484\n", + "Working on 485\n", + "Working on 486\n", + "Working on 487\n", + "Working on 488\n", + "Working on 489\n", + "Working on 490\n", + "Working on 491\n", + "Working on 492\n", + "Working on 493\n", + "Working on 494\n", + "Working on 495\n", + "Working on 496\n", + "Working on 497\n", + "Working on 498\n", + "Working on 499\n", + "Working on 500\n", + "Working on 501\n", + "Working on 502\n", + "Working on 503\n", + 
"Working on 504\n", + "Working on 505\n", + "Working on 506\n", + "Working on 507\n", + "Working on 508\n", + "Working on 509\n", + "Working on 510\n", + "Working on 511\n", + "Working on 512\n", + "Working on 513\n", + "Working on 514\n", + "Working on 515\n", + "Working on 516\n", + "Working on 517\n", + "Working on 518\n", + "Working on 519\n", + "Working on 520\n", + "Working on 521\n", + "Working on 522\n", + "Working on 523\n", + "Working on 524\n", + "Working on 525\n", + "Working on 526\n", + "Working on 527\n", + "Working on 528\n" + ] + }, + { + "name": "stderr", + "output_type": "stream", + "text": [ + "Retrying langchain.embeddings.openai.embed_with_retry.._embed_with_retry in 4.0 seconds as it raised APIError: HTTP code 502 from API (\r\n", + "502 Bad Gateway\r\n", + "\r\n", + "

502 Bad Gateway

\r\n", + "
cloudflare
\r\n", + "\r\n", + "\r\n", + ").\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Working on 529\n", + "Working on 530\n", + "Working on 531\n", + "Working on 532\n", + "Working on 533\n", + "Working on 534\n", + "Working on 535\n", + "Working on 536\n", + "Working on 537\n", + "Working on 538\n", + "Working on 539\n", + "Working on 540\n", + "Working on 541\n", + "Working on 542\n", + "Working on 543\n", + "Working on 544\n", + "Working on 545\n", + "Working on 546\n", + "Working on 547\n", + "Working on 548\n", + "Working on 549\n", + "Working on 550\n", + "Working on 551\n", + "Working on 552\n", + "Working on 553\n", + "Working on 554\n", + "Working on 555\n", + "Working on 556\n", + "Working on 557\n", + "Working on 558\n", + "Working on 559\n", + "Working on 560\n", + "Working on 561\n", + "Working on 562\n", + "Working on 563\n", + "Working on 564\n", + "Working on 565\n", + "Working on 566\n", + "Working on 567\n", + "Working on 568\n", + "Working on 569\n", + "Working on 570\n", + "Working on 571\n", + "Working on 572\n", + "Working on 573\n", + "Working on 574\n", + "Working on 575\n", + "Working on 576\n", + "Working on 577\n", + "Working on 578\n", + "Working on 579\n", + "Working on 580\n", + "Working on 581\n", + "Working on 582\n", + "Working on 583\n", + "Working on 584\n", + "Working on 585\n", + "Working on 586\n", + "Working on 587\n", + "Working on 588\n", + "Working on 589\n", + "Working on 590\n", + "Working on 591\n", + "Working on 592\n", + "Working on 593\n", + "Working on 594\n", + "Working on 595\n", + "Working on 596\n", + "Working on 597\n", + "Working on 598\n", + "Working on 599\n", + "Working on 600\n", + "Working on 601\n", + "Working on 602\n", + "Working on 603\n", + "Working on 604\n", + "Working on 605\n", + "Working on 606\n", + "Working on 607\n", + "Working on 608\n", + "Working on 609\n", + "Working on 610\n", + "Working on 611\n", + "Working on 612\n", + "Working on 613\n", + "Working on 614\n", 
+ "Working on 615\n", + "Working on 616\n", + "Working on 617\n", + "Working on 618\n", + "Working on 619\n", + "Working on 620\n", + "Working on 621\n", + "Working on 622\n", + "Working on 623\n", + "Working on 624\n", + "Working on 625\n", + "Working on 626\n", + "Working on 627\n", + "Working on 628\n", + "Working on 629\n", + "Working on 630\n", + "Working on 631\n", + "Working on 632\n", + "Working on 633\n", + "Working on 634\n", + "Working on 635\n", + "Working on 636\n", + "Working on 637\n", + "Working on 638\n", + "Working on 639\n", + "Working on 640\n", + "Working on 641\n", + "Working on 642\n", + "Working on 643\n", + "Working on 644\n", + "Working on 645\n", + "Working on 646\n", + "Working on 647\n", + "Working on 648\n", + "Working on 649\n", + "Working on 650\n", + "Working on 651\n", + "Working on 652\n", + "Working on 653\n", + "Working on 654\n", + "Working on 655\n", + "Working on 656\n", + "Working on 657\n", + "Working on 658\n", + "Working on 659\n", + "Working on 660\n", + "Working on 661\n", + "Working on 662\n", + "Working on 663\n", + "Working on 664\n", + "Working on 665\n", + "Working on 666\n", + "Working on 667\n", + "Working on 668\n", + "Working on 669\n", + "Working on 670\n", + "Working on 671\n", + "Working on 672\n", + "Working on 673\n", + "Working on 674\n", + "Working on 675\n", + "Working on 676\n", + "Working on 677\n", + "Working on 678\n", + "Working on 679\n", + "Working on 680\n", + "Working on 681\n", + "Working on 682\n", + "Working on 683\n", + "Working on 684\n", + "Working on 685\n", + "Working on 686\n", + "Working on 687\n", + "Working on 688\n", + "Working on 689\n", + "Working on 690\n", + "Working on 691\n", + "Working on 692\n", + "Working on 693\n", + "Working on 694\n", + "Working on 695\n", + "Working on 696\n", + "Working on 697\n", + "Working on 698\n", + "Working on 699\n", + "Working on 700\n", + "Working on 701\n", + "Working on 702\n", + "Working on 703\n", + "Working on 704\n", + "Working on 
705\n", + "Working on 706\n", + "Working on 707\n", + "Working on 708\n", + "Working on 709\n", + "Working on 710\n", + "Working on 711\n", + "Working on 712\n", + "Working on 713\n", + "Working on 714\n", + "Working on 715\n", + "Working on 716\n", + "Working on 717\n", + "Working on 718\n", + "Working on 719\n", + "Working on 720\n", + "Working on 721\n", + "Working on 722\n", + "Working on 723\n", + "Working on 724\n", + "Working on 725\n", + "Working on 726\n", + "Working on 727\n", + "Working on 728\n", + "Working on 729\n", + "Working on 730\n", + "Working on 731\n", + "Working on 732\n", + "Working on 733\n", + "Working on 734\n", + "Working on 735\n", + "Working on 736\n", + "Working on 737\n", + "Working on 738\n", + "Working on 739\n", + "Working on 740\n", + "Working on 741\n", + "Working on 742\n", + "Working on 743\n", + "Working on 744\n", + "Working on 745\n", + "Working on 746\n", + "Working on 747\n", + "Working on 748\n", + "Working on 749\n", + "Working on 750\n", + "Working on 751\n", + "Working on 752\n", + "Working on 753\n", + "Working on 754\n", + "Working on 755\n", + "Working on 756\n", + "Working on 757\n", + "Working on 758\n", + "Working on 759\n", + "Working on 760\n", + "Working on 761\n", + "Working on 762\n", + "Working on 763\n", + "Working on 764\n", + "Working on 765\n", + "Working on 766\n", + "Working on 767\n", + "Working on 768\n", + "Working on 769\n", + "Working on 770\n", + "Working on 771\n", + "Working on 772\n", + "Working on 773\n", + "Working on 774\n", + "Working on 775\n", + "Working on 776\n", + "Working on 777\n", + "Working on 778\n", + "Working on 779\n", + "Working on 780\n", + "Working on 781\n", + "Working on 782\n", + "Working on 783\n", + "Working on 784\n", + "Working on 785\n", + "Working on 786\n", + "Working on 787\n", + "Working on 788\n", + "Working on 789\n", + "Working on 790\n", + "Working on 791\n", + "Working on 792\n", + "Working on 793\n", + "Working on 794\n", + "Working on 795\n", + "Working 
on 796\n", + "Working on 797\n", + "Working on 798\n", + "Working on 799\n", + "Working on 800\n", + "Working on 801\n", + "Working on 802\n", + "Working on 803\n", + "Working on 804\n", + "Working on 805\n", + "Working on 806\n", + "Working on 807\n", + "Working on 808\n", + "Working on 809\n", + "Working on 810\n", + "Working on 811\n", + "Working on 812\n", + "Working on 813\n", + "Working on 814\n", + "Working on 815\n", + "Working on 816\n", + "Working on 817\n", + "Working on 818\n", + "Working on 819\n", + "Working on 820\n", + "Working on 821\n", + "Working on 822\n", + "Working on 823\n", + "Working on 824\n", + "Working on 825\n", + "Working on 826\n", + "Working on 827\n", + "Working on 828\n", + "Working on 829\n", + "Working on 830\n", + "Working on 831\n", + "Working on 832\n", + "Working on 833\n", + "Working on 834\n", + "Working on 835\n", + "Working on 836\n", + "Working on 837\n", + "Working on 838\n", + "Working on 839\n", + "Working on 840\n", + "Working on 841\n", + "Working on 842\n", + "Working on 843\n", + "Working on 844\n", + "Working on 845\n", + "Working on 846\n", + "Working on 847\n", + "Working on 848\n", + "Working on 849\n", + "Working on 850\n", + "Working on 851\n", + "Working on 852\n", + "Working on 853\n", + "Working on 854\n", + "Working on 855\n", + "Working on 856\n", + "Working on 857\n", + "Working on 858\n", + "Working on 859\n", + "Working on 860\n", + "Working on 861\n", + "Working on 862\n", + "Working on 863\n", + "Working on 864\n", + "Working on 865\n", + "Working on 866\n", + "Working on 867\n", + "Working on 868\n", + "Working on 869\n", + "Working on 870\n", + "Working on 871\n", + "Working on 872\n", + "Working on 873\n", + "Working on 874\n", + "Working on 875\n", + "Working on 876\n", + "Working on 877\n", + "Working on 878\n", + "Working on 879\n", + "Working on 880\n", + "Working on 881\n", + "Working on 882\n", + "Working on 883\n", + "Working on 884\n", + "Working on 885\n", + "Working on 886\n", + 
"Working on 887\n", + "Working on 888\n" + ] + }, + { + "ename": "KeyboardInterrupt", + "evalue": "", + "output_type": "error", + "traceback": [ + "\u001b[0;31m---------------------------------------------------------------------------\u001b[0m", + "\u001b[0;31mKeyboardInterrupt\u001b[0m Traceback (most recent call last)", + "Cell \u001b[0;32mIn[366], line 15\u001b[0m\n\u001b[1;32m 13\u001b[0m prompt \u001b[38;5;241m=\u001b[39m q_a_enhance\u001b[38;5;241m.\u001b[39mformat(q_a_string, facts_to_include)\n\u001b[1;32m 14\u001b[0m \u001b[38;5;66;03m#print(prompt)\u001b[39;00m\n\u001b[0;32m---> 15\u001b[0m qs \u001b[38;5;241m=\u001b[39m model\u001b[38;5;241m.\u001b[39mpredict_messages([HumanMessage(content\u001b[38;5;241m=\u001b[39mprompt)]) \n\u001b[1;32m 16\u001b[0m \u001b[38;5;66;03m#print(qs.content)\u001b[39;00m\n\u001b[1;32m 17\u001b[0m new_qa_pairs\u001b[38;5;241m.\u001b[39mappend(qs\u001b[38;5;241m.\u001b[39mcontent)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/base.py:601\u001b[0m, in \u001b[0;36mBaseChatModel.predict_messages\u001b[0;34m(self, messages, stop, **kwargs)\u001b[0m\n\u001b[1;32m 599\u001b[0m \u001b[38;5;28;01melse\u001b[39;00m:\n\u001b[1;32m 600\u001b[0m _stop \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mlist\u001b[39m(stop)\n\u001b[0;32m--> 601\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m(messages, stop\u001b[38;5;241m=\u001b[39m_stop, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/base.py:551\u001b[0m, in \u001b[0;36mBaseChatModel.__call__\u001b[0;34m(self, messages, stop, callbacks, **kwargs)\u001b[0m\n\u001b[1;32m 544\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21m__call__\u001b[39m(\n\u001b[1;32m 545\u001b[0m \u001b[38;5;28mself\u001b[39m,\n\u001b[1;32m 546\u001b[0m messages: List[BaseMessage],\n\u001b[0;32m 
(...)\u001b[0m\n\u001b[1;32m 549\u001b[0m \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs: Any,\n\u001b[1;32m 550\u001b[0m ) \u001b[38;5;241m-\u001b[39m\u001b[38;5;241m>\u001b[39m BaseMessage:\n\u001b[0;32m--> 551\u001b[0m generation \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mgenerate(\n\u001b[1;32m 552\u001b[0m [messages], stop\u001b[38;5;241m=\u001b[39mstop, callbacks\u001b[38;5;241m=\u001b[39mcallbacks, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs\n\u001b[1;32m 553\u001b[0m )\u001b[38;5;241m.\u001b[39mgenerations[\u001b[38;5;241m0\u001b[39m][\u001b[38;5;241m0\u001b[39m]\n\u001b[1;32m 554\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28misinstance\u001b[39m(generation, ChatGeneration):\n\u001b[1;32m 555\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m generation\u001b[38;5;241m.\u001b[39mmessage\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/base.py:309\u001b[0m, in \u001b[0;36mBaseChatModel.generate\u001b[0;34m(self, messages, stop, callbacks, tags, metadata, **kwargs)\u001b[0m\n\u001b[1;32m 307\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m run_managers:\n\u001b[1;32m 308\u001b[0m run_managers[i]\u001b[38;5;241m.\u001b[39mon_llm_error(e)\n\u001b[0;32m--> 309\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m e\n\u001b[1;32m 310\u001b[0m flattened_outputs \u001b[38;5;241m=\u001b[39m [\n\u001b[1;32m 311\u001b[0m LLMResult(generations\u001b[38;5;241m=\u001b[39m[res\u001b[38;5;241m.\u001b[39mgenerations], llm_output\u001b[38;5;241m=\u001b[39mres\u001b[38;5;241m.\u001b[39mllm_output)\n\u001b[1;32m 312\u001b[0m \u001b[38;5;28;01mfor\u001b[39;00m res \u001b[38;5;129;01min\u001b[39;00m results\n\u001b[1;32m 313\u001b[0m ]\n\u001b[1;32m 314\u001b[0m llm_output \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_combine_llm_outputs([res\u001b[38;5;241m.\u001b[39mllm_output \u001b[38;5;28;01mfor\u001b[39;00m res 
\u001b[38;5;129;01min\u001b[39;00m results])\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/base.py:299\u001b[0m, in \u001b[0;36mBaseChatModel.generate\u001b[0;34m(self, messages, stop, callbacks, tags, metadata, **kwargs)\u001b[0m\n\u001b[1;32m 296\u001b[0m \u001b[38;5;28;01mfor\u001b[39;00m i, m \u001b[38;5;129;01min\u001b[39;00m \u001b[38;5;28menumerate\u001b[39m(messages):\n\u001b[1;32m 297\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[1;32m 298\u001b[0m results\u001b[38;5;241m.\u001b[39mappend(\n\u001b[0;32m--> 299\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_generate_with_cache(\n\u001b[1;32m 300\u001b[0m m,\n\u001b[1;32m 301\u001b[0m stop\u001b[38;5;241m=\u001b[39mstop,\n\u001b[1;32m 302\u001b[0m run_manager\u001b[38;5;241m=\u001b[39mrun_managers[i] \u001b[38;5;28;01mif\u001b[39;00m run_managers \u001b[38;5;28;01melse\u001b[39;00m \u001b[38;5;28;01mNone\u001b[39;00m,\n\u001b[1;32m 303\u001b[0m \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs,\n\u001b[1;32m 304\u001b[0m )\n\u001b[1;32m 305\u001b[0m )\n\u001b[1;32m 306\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m (\u001b[38;5;167;01mKeyboardInterrupt\u001b[39;00m, \u001b[38;5;167;01mException\u001b[39;00m) \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 307\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m run_managers:\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/base.py:446\u001b[0m, in \u001b[0;36mBaseChatModel._generate_with_cache\u001b[0;34m(self, messages, stop, run_manager, **kwargs)\u001b[0m\n\u001b[1;32m 442\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m \u001b[38;5;167;01mValueError\u001b[39;00m(\n\u001b[1;32m 443\u001b[0m \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mAsked to cache, but no cache found at `langchain.cache`.\u001b[39m\u001b[38;5;124m\"\u001b[39m\n\u001b[1;32m 444\u001b[0m )\n\u001b[1;32m 445\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m 
new_arg_supported:\n\u001b[0;32m--> 446\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_generate(\n\u001b[1;32m 447\u001b[0m messages, stop\u001b[38;5;241m=\u001b[39mstop, run_manager\u001b[38;5;241m=\u001b[39mrun_manager, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs\n\u001b[1;32m 448\u001b[0m )\n\u001b[1;32m 449\u001b[0m \u001b[38;5;28;01melse\u001b[39;00m:\n\u001b[1;32m 450\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_generate(messages, stop\u001b[38;5;241m=\u001b[39mstop, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/openai.py:345\u001b[0m, in \u001b[0;36mChatOpenAI._generate\u001b[0;34m(self, messages, stop, run_manager, stream, **kwargs)\u001b[0m\n\u001b[1;32m 343\u001b[0m message_dicts, params \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_create_message_dicts(messages, stop)\n\u001b[1;32m 344\u001b[0m params \u001b[38;5;241m=\u001b[39m {\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mparams, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs}\n\u001b[0;32m--> 345\u001b[0m response \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mcompletion_with_retry(\n\u001b[1;32m 346\u001b[0m messages\u001b[38;5;241m=\u001b[39mmessage_dicts, run_manager\u001b[38;5;241m=\u001b[39mrun_manager, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mparams\n\u001b[1;32m 347\u001b[0m )\n\u001b[1;32m 348\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_create_chat_result(response)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/openai.py:278\u001b[0m, in \u001b[0;36mChatOpenAI.completion_with_retry\u001b[0;34m(self, run_manager, 
**kwargs)\u001b[0m\n\u001b[1;32m 274\u001b[0m \u001b[38;5;129m@retry_decorator\u001b[39m\n\u001b[1;32m 275\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21m_completion_with_retry\u001b[39m(\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs: Any) \u001b[38;5;241m-\u001b[39m\u001b[38;5;241m>\u001b[39m Any:\n\u001b[1;32m 276\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mclient\u001b[38;5;241m.\u001b[39mcreate(\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n\u001b[0;32m--> 278\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m _completion_with_retry(\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/tenacity/__init__.py:289\u001b[0m, in \u001b[0;36mBaseRetrying.wraps..wrapped_f\u001b[0;34m(*args, **kw)\u001b[0m\n\u001b[1;32m 287\u001b[0m \u001b[38;5;129m@functools\u001b[39m\u001b[38;5;241m.\u001b[39mwraps(f)\n\u001b[1;32m 288\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21mwrapped_f\u001b[39m(\u001b[38;5;241m*\u001b[39margs: t\u001b[38;5;241m.\u001b[39mAny, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkw: t\u001b[38;5;241m.\u001b[39mAny) \u001b[38;5;241m-\u001b[39m\u001b[38;5;241m>\u001b[39m t\u001b[38;5;241m.\u001b[39mAny:\n\u001b[0;32m--> 289\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m(f, \u001b[38;5;241m*\u001b[39margs, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkw)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/tenacity/__init__.py:379\u001b[0m, in \u001b[0;36mRetrying.__call__\u001b[0;34m(self, fn, *args, **kwargs)\u001b[0m\n\u001b[1;32m 377\u001b[0m retry_state \u001b[38;5;241m=\u001b[39m RetryCallState(retry_object\u001b[38;5;241m=\u001b[39m\u001b[38;5;28mself\u001b[39m, fn\u001b[38;5;241m=\u001b[39mfn, args\u001b[38;5;241m=\u001b[39margs, 
kwargs\u001b[38;5;241m=\u001b[39mkwargs)\n\u001b[1;32m 378\u001b[0m \u001b[38;5;28;01mwhile\u001b[39;00m \u001b[38;5;28;01mTrue\u001b[39;00m:\n\u001b[0;32m--> 379\u001b[0m do \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39miter(retry_state\u001b[38;5;241m=\u001b[39mretry_state)\n\u001b[1;32m 380\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28misinstance\u001b[39m(do, DoAttempt):\n\u001b[1;32m 381\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/tenacity/__init__.py:314\u001b[0m, in \u001b[0;36mBaseRetrying.iter\u001b[0;34m(self, retry_state)\u001b[0m\n\u001b[1;32m 312\u001b[0m is_explicit_retry \u001b[38;5;241m=\u001b[39m fut\u001b[38;5;241m.\u001b[39mfailed \u001b[38;5;129;01mand\u001b[39;00m \u001b[38;5;28misinstance\u001b[39m(fut\u001b[38;5;241m.\u001b[39mexception(), TryAgain)\n\u001b[1;32m 313\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m (is_explicit_retry \u001b[38;5;129;01mor\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mretry(retry_state)):\n\u001b[0;32m--> 314\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m fut\u001b[38;5;241m.\u001b[39mresult()\n\u001b[1;32m 316\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mafter \u001b[38;5;129;01mis\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m \u001b[38;5;28;01mNone\u001b[39;00m:\n\u001b[1;32m 317\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mafter(retry_state)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/concurrent/futures/_base.py:449\u001b[0m, in \u001b[0;36mFuture.result\u001b[0;34m(self, timeout)\u001b[0m\n\u001b[1;32m 447\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m CancelledError()\n\u001b[1;32m 448\u001b[0m \u001b[38;5;28;01melif\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_state \u001b[38;5;241m==\u001b[39m 
FINISHED:\n\u001b[0;32m--> 449\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m__get_result()\n\u001b[1;32m 451\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_condition\u001b[38;5;241m.\u001b[39mwait(timeout)\n\u001b[1;32m 453\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_state \u001b[38;5;129;01min\u001b[39;00m [CANCELLED, CANCELLED_AND_NOTIFIED]:\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/concurrent/futures/_base.py:401\u001b[0m, in \u001b[0;36mFuture.__get_result\u001b[0;34m(self)\u001b[0m\n\u001b[1;32m 399\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_exception:\n\u001b[1;32m 400\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 401\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_exception\n\u001b[1;32m 402\u001b[0m \u001b[38;5;28;01mfinally\u001b[39;00m:\n\u001b[1;32m 403\u001b[0m \u001b[38;5;66;03m# Break a reference cycle with the exception in self._exception\u001b[39;00m\n\u001b[1;32m 404\u001b[0m \u001b[38;5;28mself\u001b[39m \u001b[38;5;241m=\u001b[39m \u001b[38;5;28;01mNone\u001b[39;00m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/tenacity/__init__.py:382\u001b[0m, in \u001b[0;36mRetrying.__call__\u001b[0;34m(self, fn, *args, **kwargs)\u001b[0m\n\u001b[1;32m 380\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28misinstance\u001b[39m(do, DoAttempt):\n\u001b[1;32m 381\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 382\u001b[0m result \u001b[38;5;241m=\u001b[39m fn(\u001b[38;5;241m*\u001b[39margs, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n\u001b[1;32m 383\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m \u001b[38;5;167;01mBaseException\u001b[39;00m: \u001b[38;5;66;03m# noqa: B902\u001b[39;00m\n\u001b[1;32m 
384\u001b[0m retry_state\u001b[38;5;241m.\u001b[39mset_exception(sys\u001b[38;5;241m.\u001b[39mexc_info()) \u001b[38;5;66;03m# type: ignore[arg-type]\u001b[39;00m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/langchain/chat_models/openai.py:276\u001b[0m, in \u001b[0;36mChatOpenAI.completion_with_retry.._completion_with_retry\u001b[0;34m(**kwargs)\u001b[0m\n\u001b[1;32m 274\u001b[0m \u001b[38;5;129m@retry_decorator\u001b[39m\n\u001b[1;32m 275\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21m_completion_with_retry\u001b[39m(\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs: Any) \u001b[38;5;241m-\u001b[39m\u001b[38;5;241m>\u001b[39m Any:\n\u001b[0;32m--> 276\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mclient\u001b[38;5;241m.\u001b[39mcreate(\u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/openai/api_resources/chat_completion.py:25\u001b[0m, in \u001b[0;36mChatCompletion.create\u001b[0;34m(cls, *args, **kwargs)\u001b[0m\n\u001b[1;32m 23\u001b[0m \u001b[38;5;28;01mwhile\u001b[39;00m \u001b[38;5;28;01mTrue\u001b[39;00m:\n\u001b[1;32m 24\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m---> 25\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28msuper\u001b[39m()\u001b[38;5;241m.\u001b[39mcreate(\u001b[38;5;241m*\u001b[39margs, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n\u001b[1;32m 26\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m TryAgain \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 27\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m timeout \u001b[38;5;129;01mis\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m \u001b[38;5;28;01mNone\u001b[39;00m \u001b[38;5;129;01mand\u001b[39;00m time\u001b[38;5;241m.\u001b[39mtime() \u001b[38;5;241m>\u001b[39m start \u001b[38;5;241m+\u001b[39m timeout:\n", + "File 
\u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/openai/api_resources/abstract/engine_api_resource.py:153\u001b[0m, in \u001b[0;36mEngineAPIResource.create\u001b[0;34m(cls, api_key, api_base, api_type, request_id, api_version, organization, **params)\u001b[0m\n\u001b[1;32m 127\u001b[0m \u001b[38;5;129m@classmethod\u001b[39m\n\u001b[1;32m 128\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21mcreate\u001b[39m(\n\u001b[1;32m 129\u001b[0m \u001b[38;5;28mcls\u001b[39m,\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 136\u001b[0m \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mparams,\n\u001b[1;32m 137\u001b[0m ):\n\u001b[1;32m 138\u001b[0m (\n\u001b[1;32m 139\u001b[0m deployment_id,\n\u001b[1;32m 140\u001b[0m engine,\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 150\u001b[0m api_key, api_base, api_type, api_version, organization, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mparams\n\u001b[1;32m 151\u001b[0m )\n\u001b[0;32m--> 153\u001b[0m response, _, api_key \u001b[38;5;241m=\u001b[39m requestor\u001b[38;5;241m.\u001b[39mrequest(\n\u001b[1;32m 154\u001b[0m \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mpost\u001b[39m\u001b[38;5;124m\"\u001b[39m,\n\u001b[1;32m 155\u001b[0m url,\n\u001b[1;32m 156\u001b[0m params\u001b[38;5;241m=\u001b[39mparams,\n\u001b[1;32m 157\u001b[0m headers\u001b[38;5;241m=\u001b[39mheaders,\n\u001b[1;32m 158\u001b[0m stream\u001b[38;5;241m=\u001b[39mstream,\n\u001b[1;32m 159\u001b[0m request_id\u001b[38;5;241m=\u001b[39mrequest_id,\n\u001b[1;32m 160\u001b[0m request_timeout\u001b[38;5;241m=\u001b[39mrequest_timeout,\n\u001b[1;32m 161\u001b[0m )\n\u001b[1;32m 163\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m stream:\n\u001b[1;32m 164\u001b[0m \u001b[38;5;66;03m# must be an iterator\u001b[39;00m\n\u001b[1;32m 165\u001b[0m \u001b[38;5;28;01massert\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m \u001b[38;5;28misinstance\u001b[39m(response, OpenAIResponse)\n", + "File 
\u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/openai/api_requestor.py:288\u001b[0m, in \u001b[0;36mAPIRequestor.request\u001b[0;34m(self, method, url, params, headers, files, stream, request_id, request_timeout)\u001b[0m\n\u001b[1;32m 277\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21mrequest\u001b[39m(\n\u001b[1;32m 278\u001b[0m \u001b[38;5;28mself\u001b[39m,\n\u001b[1;32m 279\u001b[0m method,\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 286\u001b[0m request_timeout: Optional[Union[\u001b[38;5;28mfloat\u001b[39m, Tuple[\u001b[38;5;28mfloat\u001b[39m, \u001b[38;5;28mfloat\u001b[39m]]] \u001b[38;5;241m=\u001b[39m \u001b[38;5;28;01mNone\u001b[39;00m,\n\u001b[1;32m 287\u001b[0m ) \u001b[38;5;241m-\u001b[39m\u001b[38;5;241m>\u001b[39m Tuple[Union[OpenAIResponse, Iterator[OpenAIResponse]], \u001b[38;5;28mbool\u001b[39m, \u001b[38;5;28mstr\u001b[39m]:\n\u001b[0;32m--> 288\u001b[0m result \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mrequest_raw(\n\u001b[1;32m 289\u001b[0m method\u001b[38;5;241m.\u001b[39mlower(),\n\u001b[1;32m 290\u001b[0m url,\n\u001b[1;32m 291\u001b[0m params\u001b[38;5;241m=\u001b[39mparams,\n\u001b[1;32m 292\u001b[0m supplied_headers\u001b[38;5;241m=\u001b[39mheaders,\n\u001b[1;32m 293\u001b[0m files\u001b[38;5;241m=\u001b[39mfiles,\n\u001b[1;32m 294\u001b[0m stream\u001b[38;5;241m=\u001b[39mstream,\n\u001b[1;32m 295\u001b[0m request_id\u001b[38;5;241m=\u001b[39mrequest_id,\n\u001b[1;32m 296\u001b[0m request_timeout\u001b[38;5;241m=\u001b[39mrequest_timeout,\n\u001b[1;32m 297\u001b[0m )\n\u001b[1;32m 298\u001b[0m resp, got_stream \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_interpret_response(result, stream)\n\u001b[1;32m 299\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m resp, got_stream, \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mapi_key\n", + "File 
\u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/openai/api_requestor.py:596\u001b[0m, in \u001b[0;36mAPIRequestor.request_raw\u001b[0;34m(self, method, url, params, supplied_headers, files, stream, request_id, request_timeout)\u001b[0m\n\u001b[1;32m 594\u001b[0m _thread_context\u001b[38;5;241m.\u001b[39msession_create_time \u001b[38;5;241m=\u001b[39m time\u001b[38;5;241m.\u001b[39mtime()\n\u001b[1;32m 595\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 596\u001b[0m result \u001b[38;5;241m=\u001b[39m _thread_context\u001b[38;5;241m.\u001b[39msession\u001b[38;5;241m.\u001b[39mrequest(\n\u001b[1;32m 597\u001b[0m method,\n\u001b[1;32m 598\u001b[0m abs_url,\n\u001b[1;32m 599\u001b[0m headers\u001b[38;5;241m=\u001b[39mheaders,\n\u001b[1;32m 600\u001b[0m data\u001b[38;5;241m=\u001b[39mdata,\n\u001b[1;32m 601\u001b[0m files\u001b[38;5;241m=\u001b[39mfiles,\n\u001b[1;32m 602\u001b[0m stream\u001b[38;5;241m=\u001b[39mstream,\n\u001b[1;32m 603\u001b[0m timeout\u001b[38;5;241m=\u001b[39mrequest_timeout \u001b[38;5;28;01mif\u001b[39;00m request_timeout \u001b[38;5;28;01melse\u001b[39;00m TIMEOUT_SECS,\n\u001b[1;32m 604\u001b[0m proxies\u001b[38;5;241m=\u001b[39m_thread_context\u001b[38;5;241m.\u001b[39msession\u001b[38;5;241m.\u001b[39mproxies,\n\u001b[1;32m 605\u001b[0m )\n\u001b[1;32m 606\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m requests\u001b[38;5;241m.\u001b[39mexceptions\u001b[38;5;241m.\u001b[39mTimeout \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 607\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m error\u001b[38;5;241m.\u001b[39mTimeout(\u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mRequest timed out: \u001b[39m\u001b[38;5;132;01m{}\u001b[39;00m\u001b[38;5;124m\"\u001b[39m\u001b[38;5;241m.\u001b[39mformat(e)) \u001b[38;5;28;01mfrom\u001b[39;00m \u001b[38;5;21;01me\u001b[39;00m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/requests/sessions.py:589\u001b[0m, in 
\u001b[0;36mSession.request\u001b[0;34m(self, method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream, verify, cert, json)\u001b[0m\n\u001b[1;32m 584\u001b[0m send_kwargs \u001b[38;5;241m=\u001b[39m {\n\u001b[1;32m 585\u001b[0m \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mtimeout\u001b[39m\u001b[38;5;124m\"\u001b[39m: timeout,\n\u001b[1;32m 586\u001b[0m \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mallow_redirects\u001b[39m\u001b[38;5;124m\"\u001b[39m: allow_redirects,\n\u001b[1;32m 587\u001b[0m }\n\u001b[1;32m 588\u001b[0m send_kwargs\u001b[38;5;241m.\u001b[39mupdate(settings)\n\u001b[0;32m--> 589\u001b[0m resp \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39msend(prep, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39msend_kwargs)\n\u001b[1;32m 591\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m resp\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/requests/sessions.py:703\u001b[0m, in \u001b[0;36mSession.send\u001b[0;34m(self, request, **kwargs)\u001b[0m\n\u001b[1;32m 700\u001b[0m start \u001b[38;5;241m=\u001b[39m preferred_clock()\n\u001b[1;32m 702\u001b[0m \u001b[38;5;66;03m# Send the request\u001b[39;00m\n\u001b[0;32m--> 703\u001b[0m r \u001b[38;5;241m=\u001b[39m adapter\u001b[38;5;241m.\u001b[39msend(request, \u001b[38;5;241m*\u001b[39m\u001b[38;5;241m*\u001b[39mkwargs)\n\u001b[1;32m 705\u001b[0m \u001b[38;5;66;03m# Total elapsed time of the request (approximately)\u001b[39;00m\n\u001b[1;32m 706\u001b[0m elapsed \u001b[38;5;241m=\u001b[39m preferred_clock() \u001b[38;5;241m-\u001b[39m start\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/requests/adapters.py:486\u001b[0m, in \u001b[0;36mHTTPAdapter.send\u001b[0;34m(self, request, stream, timeout, verify, cert, proxies)\u001b[0m\n\u001b[1;32m 483\u001b[0m timeout \u001b[38;5;241m=\u001b[39m TimeoutSauce(connect\u001b[38;5;241m=\u001b[39mtimeout, 
read\u001b[38;5;241m=\u001b[39mtimeout)\n\u001b[1;32m 485\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 486\u001b[0m resp \u001b[38;5;241m=\u001b[39m conn\u001b[38;5;241m.\u001b[39murlopen(\n\u001b[1;32m 487\u001b[0m method\u001b[38;5;241m=\u001b[39mrequest\u001b[38;5;241m.\u001b[39mmethod,\n\u001b[1;32m 488\u001b[0m url\u001b[38;5;241m=\u001b[39murl,\n\u001b[1;32m 489\u001b[0m body\u001b[38;5;241m=\u001b[39mrequest\u001b[38;5;241m.\u001b[39mbody,\n\u001b[1;32m 490\u001b[0m headers\u001b[38;5;241m=\u001b[39mrequest\u001b[38;5;241m.\u001b[39mheaders,\n\u001b[1;32m 491\u001b[0m redirect\u001b[38;5;241m=\u001b[39m\u001b[38;5;28;01mFalse\u001b[39;00m,\n\u001b[1;32m 492\u001b[0m assert_same_host\u001b[38;5;241m=\u001b[39m\u001b[38;5;28;01mFalse\u001b[39;00m,\n\u001b[1;32m 493\u001b[0m preload_content\u001b[38;5;241m=\u001b[39m\u001b[38;5;28;01mFalse\u001b[39;00m,\n\u001b[1;32m 494\u001b[0m decode_content\u001b[38;5;241m=\u001b[39m\u001b[38;5;28;01mFalse\u001b[39;00m,\n\u001b[1;32m 495\u001b[0m retries\u001b[38;5;241m=\u001b[39m\u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mmax_retries,\n\u001b[1;32m 496\u001b[0m timeout\u001b[38;5;241m=\u001b[39mtimeout,\n\u001b[1;32m 497\u001b[0m chunked\u001b[38;5;241m=\u001b[39mchunked,\n\u001b[1;32m 498\u001b[0m )\n\u001b[1;32m 500\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m (ProtocolError, \u001b[38;5;167;01mOSError\u001b[39;00m) \u001b[38;5;28;01mas\u001b[39;00m err:\n\u001b[1;32m 501\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m \u001b[38;5;167;01mConnectionError\u001b[39;00m(err, request\u001b[38;5;241m=\u001b[39mrequest)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/urllib3/connectionpool.py:714\u001b[0m, in \u001b[0;36mHTTPConnectionPool.urlopen\u001b[0;34m(self, method, url, body, headers, retries, redirect, assert_same_host, timeout, pool_timeout, release_conn, chunked, body_pos, **response_kw)\u001b[0m\n\u001b[1;32m 711\u001b[0m 
\u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_prepare_proxy(conn)\n\u001b[1;32m 713\u001b[0m \u001b[38;5;66;03m# Make the request on the httplib connection object.\u001b[39;00m\n\u001b[0;32m--> 714\u001b[0m httplib_response \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_make_request(\n\u001b[1;32m 715\u001b[0m conn,\n\u001b[1;32m 716\u001b[0m method,\n\u001b[1;32m 717\u001b[0m url,\n\u001b[1;32m 718\u001b[0m timeout\u001b[38;5;241m=\u001b[39mtimeout_obj,\n\u001b[1;32m 719\u001b[0m body\u001b[38;5;241m=\u001b[39mbody,\n\u001b[1;32m 720\u001b[0m headers\u001b[38;5;241m=\u001b[39mheaders,\n\u001b[1;32m 721\u001b[0m chunked\u001b[38;5;241m=\u001b[39mchunked,\n\u001b[1;32m 722\u001b[0m )\n\u001b[1;32m 724\u001b[0m \u001b[38;5;66;03m# If we're going to release the connection in ``finally:``, then\u001b[39;00m\n\u001b[1;32m 725\u001b[0m \u001b[38;5;66;03m# the response doesn't need to know about the connection. Otherwise\u001b[39;00m\n\u001b[1;32m 726\u001b[0m \u001b[38;5;66;03m# it will also try to release it and we'll have a double-release\u001b[39;00m\n\u001b[1;32m 727\u001b[0m \u001b[38;5;66;03m# mess.\u001b[39;00m\n\u001b[1;32m 728\u001b[0m response_conn \u001b[38;5;241m=\u001b[39m conn \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m release_conn \u001b[38;5;28;01melse\u001b[39;00m \u001b[38;5;28;01mNone\u001b[39;00m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/urllib3/connectionpool.py:466\u001b[0m, in \u001b[0;36mHTTPConnectionPool._make_request\u001b[0;34m(self, conn, method, url, timeout, chunked, **httplib_request_kw)\u001b[0m\n\u001b[1;32m 461\u001b[0m httplib_response \u001b[38;5;241m=\u001b[39m conn\u001b[38;5;241m.\u001b[39mgetresponse()\n\u001b[1;32m 462\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m \u001b[38;5;167;01mBaseException\u001b[39;00m \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 463\u001b[0m \u001b[38;5;66;03m# Remove the TypeError 
from the exception chain in\u001b[39;00m\n\u001b[1;32m 464\u001b[0m \u001b[38;5;66;03m# Python 3 (including for exceptions like SystemExit).\u001b[39;00m\n\u001b[1;32m 465\u001b[0m \u001b[38;5;66;03m# Otherwise it looks like a bug in the code.\u001b[39;00m\n\u001b[0;32m--> 466\u001b[0m six\u001b[38;5;241m.\u001b[39mraise_from(e, \u001b[38;5;28;01mNone\u001b[39;00m)\n\u001b[1;32m 467\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m (SocketTimeout, BaseSSLError, SocketError) \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 468\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_raise_timeout(err\u001b[38;5;241m=\u001b[39me, url\u001b[38;5;241m=\u001b[39murl, timeout_value\u001b[38;5;241m=\u001b[39mread_timeout)\n", + "File \u001b[0;32m:3\u001b[0m, in \u001b[0;36mraise_from\u001b[0;34m(value, from_value)\u001b[0m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/site-packages/urllib3/connectionpool.py:461\u001b[0m, in \u001b[0;36mHTTPConnectionPool._make_request\u001b[0;34m(self, conn, method, url, timeout, chunked, **httplib_request_kw)\u001b[0m\n\u001b[1;32m 458\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m \u001b[38;5;167;01mTypeError\u001b[39;00m:\n\u001b[1;32m 459\u001b[0m \u001b[38;5;66;03m# Python 3\u001b[39;00m\n\u001b[1;32m 460\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 461\u001b[0m httplib_response \u001b[38;5;241m=\u001b[39m conn\u001b[38;5;241m.\u001b[39mgetresponse()\n\u001b[1;32m 462\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m \u001b[38;5;167;01mBaseException\u001b[39;00m \u001b[38;5;28;01mas\u001b[39;00m e:\n\u001b[1;32m 463\u001b[0m \u001b[38;5;66;03m# Remove the TypeError from the exception chain in\u001b[39;00m\n\u001b[1;32m 464\u001b[0m \u001b[38;5;66;03m# Python 3 (including for exceptions like SystemExit).\u001b[39;00m\n\u001b[1;32m 465\u001b[0m \u001b[38;5;66;03m# Otherwise it looks like a bug in the code.\u001b[39;00m\n\u001b[1;32m 466\u001b[0m six\u001b[38;5;241m.\u001b[39mraise_from(e, 
\u001b[38;5;28;01mNone\u001b[39;00m)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/http/client.py:1378\u001b[0m, in \u001b[0;36mHTTPConnection.getresponse\u001b[0;34m(self)\u001b[0m\n\u001b[1;32m 1376\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[1;32m 1377\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m-> 1378\u001b[0m response\u001b[38;5;241m.\u001b[39mbegin()\n\u001b[1;32m 1379\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m \u001b[38;5;167;01mConnectionError\u001b[39;00m:\n\u001b[1;32m 1380\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mclose()\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/http/client.py:318\u001b[0m, in \u001b[0;36mHTTPResponse.begin\u001b[0;34m(self)\u001b[0m\n\u001b[1;32m 316\u001b[0m \u001b[38;5;66;03m# read until we get a non-100 response\u001b[39;00m\n\u001b[1;32m 317\u001b[0m \u001b[38;5;28;01mwhile\u001b[39;00m \u001b[38;5;28;01mTrue\u001b[39;00m:\n\u001b[0;32m--> 318\u001b[0m version, status, reason \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_read_status()\n\u001b[1;32m 319\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m status \u001b[38;5;241m!=\u001b[39m CONTINUE:\n\u001b[1;32m 320\u001b[0m \u001b[38;5;28;01mbreak\u001b[39;00m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/http/client.py:279\u001b[0m, in \u001b[0;36mHTTPResponse._read_status\u001b[0;34m(self)\u001b[0m\n\u001b[1;32m 278\u001b[0m \u001b[38;5;28;01mdef\u001b[39;00m \u001b[38;5;21m_read_status\u001b[39m(\u001b[38;5;28mself\u001b[39m):\n\u001b[0;32m--> 279\u001b[0m line \u001b[38;5;241m=\u001b[39m \u001b[38;5;28mstr\u001b[39m(\u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mfp\u001b[38;5;241m.\u001b[39mreadline(_MAXLINE \u001b[38;5;241m+\u001b[39m \u001b[38;5;241m1\u001b[39m), \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124miso-8859-1\u001b[39m\u001b[38;5;124m\"\u001b[39m)\n\u001b[1;32m 280\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m 
\u001b[38;5;28mlen\u001b[39m(line) \u001b[38;5;241m>\u001b[39m _MAXLINE:\n\u001b[1;32m 281\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m LineTooLong(\u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mstatus line\u001b[39m\u001b[38;5;124m\"\u001b[39m)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/socket.py:706\u001b[0m, in \u001b[0;36mSocketIO.readinto\u001b[0;34m(self, b)\u001b[0m\n\u001b[1;32m 704\u001b[0m \u001b[38;5;28;01mwhile\u001b[39;00m \u001b[38;5;28;01mTrue\u001b[39;00m:\n\u001b[1;32m 705\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[0;32m--> 706\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_sock\u001b[38;5;241m.\u001b[39mrecv_into(b)\n\u001b[1;32m 707\u001b[0m \u001b[38;5;28;01mexcept\u001b[39;00m timeout:\n\u001b[1;32m 708\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_timeout_occurred \u001b[38;5;241m=\u001b[39m \u001b[38;5;28;01mTrue\u001b[39;00m\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/ssl.py:1278\u001b[0m, in \u001b[0;36mSSLSocket.recv_into\u001b[0;34m(self, buffer, nbytes, flags)\u001b[0m\n\u001b[1;32m 1274\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m flags \u001b[38;5;241m!=\u001b[39m \u001b[38;5;241m0\u001b[39m:\n\u001b[1;32m 1275\u001b[0m \u001b[38;5;28;01mraise\u001b[39;00m \u001b[38;5;167;01mValueError\u001b[39;00m(\n\u001b[1;32m 1276\u001b[0m \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mnon-zero flags not allowed in calls to recv_into() on \u001b[39m\u001b[38;5;132;01m%s\u001b[39;00m\u001b[38;5;124m\"\u001b[39m \u001b[38;5;241m%\u001b[39m\n\u001b[1;32m 1277\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m\u001b[38;5;18m__class__\u001b[39m)\n\u001b[0;32m-> 1278\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mread(nbytes, buffer)\n\u001b[1;32m 1279\u001b[0m \u001b[38;5;28;01melse\u001b[39;00m:\n\u001b[1;32m 1280\u001b[0m 
\u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28msuper\u001b[39m()\u001b[38;5;241m.\u001b[39mrecv_into(buffer, nbytes, flags)\n", + "File \u001b[0;32m~/miniconda3/envs/ollama-test/lib/python3.11/ssl.py:1134\u001b[0m, in \u001b[0;36mSSLSocket.read\u001b[0;34m(self, len, buffer)\u001b[0m\n\u001b[1;32m 1132\u001b[0m \u001b[38;5;28;01mtry\u001b[39;00m:\n\u001b[1;32m 1133\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m buffer \u001b[38;5;129;01mis\u001b[39;00m \u001b[38;5;129;01mnot\u001b[39;00m \u001b[38;5;28;01mNone\u001b[39;00m:\n\u001b[0;32m-> 1134\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_sslobj\u001b[38;5;241m.\u001b[39mread(\u001b[38;5;28mlen\u001b[39m, buffer)\n\u001b[1;32m 1135\u001b[0m \u001b[38;5;28;01melse\u001b[39;00m:\n\u001b[1;32m 1136\u001b[0m \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_sslobj\u001b[38;5;241m.\u001b[39mread(\u001b[38;5;28mlen\u001b[39m)\n", + "\u001b[0;31mKeyboardInterrupt\u001b[0m: " + ] + } + ], + "source": [ + "new_qa_pairs = []\n", + "for x in range(len(dc)):\n", + " try:\n", + " print(\"Working on\", x)\n", + " group = groups[x]\n", + " q_a_string = \"\"\n", + " docs = get_at_index(group)\n", + " for x in docs:\n", + " q_a_string += \" \".join([\"Q:\", x.page_content.rstrip(\"\\n\"), \"\\n\" \"A:\", x.metadata['answer'], \"\\n\"])\n", + " q_a_string += \"\\n\"\n", + " facts_ = facts_db.similarity_search(docs[0].page_content , k=30)\n", + " facts_to_include = '\\n'.join([x.page_content for x in facts_])\n", + " prompt = q_a_enhance.format(q_a_string, facts_to_include)\n", + " #print(prompt)\n", + " qs = model.predict_messages([HumanMessage(content=prompt)]) \n", + " #print(qs.content)\n", + " new_qa_pairs.append(qs.content)\n", + " except Exception as e: \n", + " print(e)\n", + " \n", + "\n", + "\n", + "\n", + "\n" + ] + }, + { + "cell_type": "code", + "execution_count": 367, + "id": "00cc0fd0", + "metadata": {}, + 
"outputs": [ + { + "data": { + "text/plain": [ + "888" + ] + }, + "execution_count": 367, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "len(new_qa_pairs)" + ] + }, + { + "cell_type": "code", + "execution_count": 368, + "id": "56f3f86a", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "\"Q: How can I best provide code for a test or proof of concept in my CodeArena submission?\\nA: The best method to provide code for a test or proof of concept in your CodeArena submission depends on various factors such as the length of the code, potential exposure of vulnerabilities, and the complexity of the code's setup. If the code is not too lengthy, you can add it directly to the report under the 'Proof of Concept' section. You can also provide direct links to all referenced code in GitHub, along with screenshots, logs, or any other relevant proof that illustrates the concept. \\n\\nIf the proof of concept is too large to be embedded directly or if the code reveals potential vulnerabilities, it is recommended to use a private gist or a private GitHub repo. Some wardens have also added a zip file to the submission. It's important to note, when linking to a GitHub repo, it does not automatically pull in that code snippet to the report.\\n\\nIt is also acceptable to use external platforms like Gist for submitting long proofs of concept. However, when showing places of vulnerability, it's recommended to include both the URL to the repository with the line number and a code block. \\n\\nUnderstanding the markdown code to include GitHub code in report can also be helpful. Here is a link to learn how to include that: [https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks].\\n\\nRemember, the 'Proof of Concept' section is just one part of your submission. 
You should also clearly explain the vulnerability and its impact on the protocol/code in the 'Impact' section.\\n\\nFor more detailed guidance, you can refer to the Code4Arena's submission policy at [https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept].\"" + ] + }, + "execution_count": 368, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "new_qa_pairs" + ] + }, + { + "cell_type": "code", + "execution_count": 385, + "id": "a8bf189b", + "metadata": {}, + "outputs": [], + "source": [ + "# Convert the list to a JSON formatted string\n", + "json_string = json.dumps(new_qa_pairs2)\n", + "\n", + "# Write the JSON string to a file\n", + "with open(\"./codearena/new_qa_pairs_09_24.json\", \"w\") as file:\n", + " file.write(json_string)\n" + ] + }, + { + "cell_type": "code", + "execution_count": 386, + "id": "827c0832", + "metadata": {}, + "outputs": [], + "source": [ + "# Read the JSON string from the file\n", + "with open(\"./codearena/new_qa_pairs_09_24.json\", \"r\") as file:\n", + " json_string = file.read()\n", + "\n", + "# Convert the JSON formatted string back to a Python list\n", + "new_qa_pairs2 = json.loads(json_string)\n" + ] + }, + { + "cell_type": "code", + "execution_count": 387, + "id": "f82312ba", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "2767" + ] + }, + "execution_count": 387, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "len(new_qa_pairs2)" + ] + }, + { + "cell_type": "code", + "execution_count": 383, + "id": "f851ac46", + "metadata": {}, + "outputs": [], + "source": [ + "new_qa_pairs2 += new_qa_pairs" + ] + }, + { + "cell_type": "code", + "execution_count": 384, + "id": "d1cf592d", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "2767" + ] + }, + "execution_count": 384, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "len(new_qa_pairs2)" + ] + }, + { + "cell_type": "code", + 
"execution_count": 381, + "id": "80d578b4", + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Working on 0\n", + "Working on 1\n", + "Working on 2\n", + "Working on 3\n", + "Working on 4\n", + "Working on 5\n", + "Working on 6\n", + "Working on 7\n", + "Working on 8\n", + "Working on 9\n", + "Working on 16\n", + "Working on 17\n", + "Working on 18\n", + "Working on 19\n", + "Working on 20\n", + "Working on 21\n", + "Working on 22\n", + "Working on 23\n", + "Working on 24\n", + "Working on 25\n", + "Working on 26\n", + "Working on 27\n", + "Working on 28\n", + "Working onWorking on 30\n", + " 29\n", + "Working on 31\n", + "Working on 32\n", + "Working on 33\n", + "Working on 34\n", + "Working on 35\n", + "Working on 36\n", + "Working on 37\n", + "Working on 38\n", + "Working on 39\n", + "Working on 40\n", + "Working on 41\n", + "Working on 42\n", + "Working on 43\n", + "Working on 44\n", + "Working on 45\n", + "Working on 46\n", + "Working on 47\n", + "Working on 48\n", + "Working on 49\n", + "Working on 50\n", + "Working on 51\n", + "Working on 52\n", + "Working on 53\n", + "Working on 54\n", + "Working on 55\n", + "Working on 56\n", + "Working onWorking on 58\n", + " 57\n", + "Working on 59\n", + "Working on 60\n", + "Working on 61\n", + "Working on 62\n", + "Working on 63\n", + "Working on 64\n", + "Working on 65\n", + "Working on 66\n", + "Working on 67\n", + "Working on 68\n", + "Working on 69\n", + "Working on 70\n", + "Working on 71\n", + "Working on 72\n", + "Working on 73\n", + "Working on 74\n", + "Working on 75\n", + "Working on 76\n", + "Working on 77\n", + "Working on 78\n", + "Working on 79\n", + "Working on 80\n", + "Working on 81\n", + "Working on 82\n", + "Working on 83\n", + "Working on 84\n", + "Working on 85\n", + "Working on 86\n", + "Working on 87\n", + "Working on 88\n", + "Working on 89\n", + "Working on 90\n", + "Working on 91\n", + "Working on 92\n", + "Working on 93\n", + "Working onWorking 
on 95\n", + " 94\n", + "Working on 96\n", + "Working on 97\n", + "Working on 98\n", + "Working on 99\n", + "Working on 100\n", + "Working on 101\n", + "Working on 102\n", + "Working on 103\n", + "Working on 104\n", + "Working on 105\n", + "Working on 106\n", + "Working on 107\n", + "Working on 108\n", + "Working on 109\n", + "Working on 110\n", + "Working on 111\n", + "Working on 112\n", + "Working on 113\n", + "Working on 114\n", + "Working on 115\n", + "Working on 116\n", + "Working on 117\n", + "Working on 118\n", + "Working on 119\n", + "Working on 120\n", + "Working on 121\n", + "Working on 122\n", + "Working on 123\n", + "Working on 124\n", + "Working on 125\n", + "Working on 126\n", + "Working on 127\n", + "Working on 128\n", + "Working on 129\n", + "Working on 130\n", + "Working on 131\n", + "Working on 132\n", + "Working on 133\n", + "Working on 134\n", + "Working on 135\n", + "Working on 136\n", + "Working on 137\n", + "Working on 138\n", + "Working on 139\n", + "Working on 140\n", + "Working on 141\n", + "Working on 142\n", + "Working on 143\n", + "Working on 144\n", + "Working on 145\n", + "Working on 146\n", + "Working on 147\n", + "Working on 148\n", + "Working on 149\n", + "Working onWorking on 151\n", + " 150\n", + "Working on 152\n", + "Working on 153\n", + "Working on 154\n", + "Working on 155\n", + "Working on 156\n", + "Working on 157\n", + "Working on 158\n", + "Working on 159\n", + "Working on 160\n", + "Working on 161\n", + "Working on 162\n", + "Working on 163\n", + "Working on 164\n", + "Working on 165\n", + "Working on 166\n", + "Working on 167\n", + "Working on 168\n", + "Working on 169\n", + "Working on 170\n", + "Working on 171\n", + "Working on 172\n", + "Working on 173\n", + "Working on 174\n", + "Working on 175\n", + "Working on 176\n", + "Working on 177\n", + "Working on 178\n", + "Working on 179\n", + "Working onWorking on 181\n", + " 180\n", + "Working on 182\n", + "Working on 183\n", + "Working on 184\n", + "Working on 185\n", + 
"Working on 186\n", + "Working on 187\n", + "Working on 188\n", + "Working on 189\n", + "Working on 190\n", + "Working on 191\n", + "Working on 192\n", + "Working on 193\n", + "Working on 194\n", + "Working on 195\n", + "Working on 196\n", + "Working on 197\n", + "Working on 198\n", + "Working on 199\n", + "Working on 200\n", + "Working on 201\n", + "Working on 202\n", + "Working on 203\n", + "Working on 204\n", + "Working on 205\n", + "Working on 206\n", + "Working on 207\n", + "Working on 208\n", + "Working on 209\n", + "Working on 210\n", + "Working on 211\n", + "Working on 212\n", + "Working on 213\n", + "Working on 214\n", + "Working on 215\n", + "Working on 216\n", + "Working on 217\n", + "Working on 218\n", + "Working on 219\n", + "Working on 220\n", + "Working on 221\n", + "Working on 222\n", + "Working on 223\n", + "Working on 224\n", + "Working on 225\n", + "Working on 226\n", + "Working on 227\n", + "Working on 228\n", + "Working on 229\n", + "Working on 230\n", + "Working on 231\n", + "Working on 232\n", + "Working on 233\n", + "Working on 234\n", + "Working on 235\n", + "Working on 236\n", + "Working on 237\n", + "Working on 238\n", + "Working on 239\n", + "Working on 240\n", + "Working on 241\n", + "Working on 242\n", + "Working on 243\n", + "Working on 244\n", + "Working on 245\n", + "Working on 246\n", + "Working on 247\n", + "Working on 248\n", + "Working on 249\n", + "Working on 250\n", + "Working on 251\n", + "Working on 252\n", + "Working on 253\n", + "Working on 254\n", + "Working on 255\n", + "Working on 256\n", + "Working on 257\n", + "Working on 258\n", + "Working on 259\n", + "Working onWorking on 261\n", + " 260\n", + "Working on 262\n", + "Working on 263\n", + "Working on 264\n", + "Working on 265\n", + "Working on 266\n", + "Working on 267\n", + "Working on 268\n", + "Working on 269\n", + "Working on 270\n", + "Working on 271\n", + "Working on 272\n", + "Working on 273\n", + "Working on 274\n", + "Working on 275\n", + "Working on 276\n", 
+ "Working on 277\n", + "Working on 278\n", + "Working on 279\n", + "Working on 280\n", + "Working on 281\n", + "Working on 282\n", + "Working on 283\n", + "Working on 284\n", + "Working on 285\n", + "Working on 286\n", + "Working on 287\n", + "Working on 288\n", + "Working on 289\n", + "Working on 290\n", + "Working on 291\n", + "Working on 292\n", + "Working on 293\n", + "Working on 294\n", + "Working on 295\n", + "Working on 296\n", + "Working on 297\n", + "Working on 298\n", + "Working on 299\n", + "Working on 300\n", + "Working on 301\n", + "Working on 302\n", + "Working on 303\n", + "Working on 304\n", + "Working on 305\n", + "Working on 306\n", + "Working on 307\n", + "Working on 308\n", + "Working on 309\n", + "Working on 310\n", + "Working on 311\n", + "Working on 312\n", + "Working on 313\n", + "Working on 314\n", + "Working on 315\n", + "Working on 316\n", + "Working on 317\n", + "Working on 318\n", + "Working on 319\n", + "Working on 320\n", + "Working on 321\n", + "Working on 322\n", + "Working on 323\n", + "Working on 324\n", + "Working on 325\n", + "Working on 326\n", + "Working on 327\n", + "Working on 328\n", + "Working onWorking on 330\n", + " 329\n", + "Working on 331\n", + "Working on 332\n", + "Working on 333\n", + "Working on 334\n", + "Working on 335\n", + "Working on 336\n", + "Working on 337\n", + "Working on 338\n", + "Working on 339\n", + "Working on 340\n", + "Working on 341\n", + "Working on 342\n", + "Working on 343\n", + "Working onWorking on 345\n", + " 344\n", + "Working on 346\n", + "Working on 347\n", + "Working on 348\n", + "Working on 349\n", + "Working on 350\n", + "Working on 351\n", + "Working onWorking on 353\n", + " 352\n", + "Working on 354\n", + "Working on 355\n", + "Working on 356\n", + "Working on 357\n", + "Working on 358\n", + "Working on 359\n", + "Working on 360\n", + "Working on 361\n", + "Working on 362\n", + "Working on 363\n", + "Working on 364\n", + "Working on 365\n", + "Working on 366\n", + "Working on 
367\n", + "Working on 368\n", + "Working on 369\n", + "Working on 370\n", + "Working on 371\n", + "Working on 372\n", + "Working on 373\n", + "Working on 374\n", + "Working on 375\n", + "Working on 376\n", + "Working on 377\n", + "Working on 378\n", + "Working on 379\n", + "Working on 380\n", + "Working on 381\n", + "Working on 382\n", + "Working on 383\n", + "Working on 384\n", + "Working on 385\n", + "Working on 386\n", + "Working on 387\n", + "Working on 388\n", + "Working on 389\n", + "Working on 390\n", + "Working on 391\n", + "Working on 392\n", + "Working on 393\n", + "Working on 394\n", + "Working on 395\n", + "Working on 396\n", + "Working on 397\n", + "Working on 398\n", + "Working on 399\n", + "Working on 400\n", + "Working on 401\n", + "Working on 402\n", + "Working on 403\n", + "Working on 404\n", + "Working on 405\n", + "Working on 406\n", + "Working onWorking on 408\n", + " 407\n", + "Working on 409\n", + "Working on 410\n", + "Working on 411\n", + "Working on 412\n", + "Working on 413\n", + "Working on 414\n", + "Working on 415\n", + "Working on 416\n", + "Working on 417\n", + "Working on 418\n", + "Working on 419\n", + "Working on 420\n", + "Working on 421\n", + "Working on 422\n", + "Working on 423\n", + "Working on 424\n", + "Working on 425\n", + "Working on 426\n", + "Working on 427\n", + "Working on 428\n", + "Working on 429\n", + "Working on 430\n", + "Working on 431\n", + "Working on 432\n", + "Working on 433\n", + "Working on 434\n", + "Working on 435\n", + "Working on 436\n", + "Working on 437\n", + "Working on 438\n", + "Working on 439\n", + "Working on 440\n", + "Working on 441\n", + "Working on 442\n", + "Working on 443\n", + "Working on 444\n", + "Working on 445\n", + "Working on 446\n", + "Working on 447\n", + "Working on 448\n", + "Working on 449\n", + "Working on 450\n", + "Working on 451\n", + "Working on 452\n", + "Working on 453\n", + "Working on 454\n", + "Working on 455\n", + "Working on 456\n", + "Working on 457\n", + "Working 
on 458\n", + "Working on 459\n", + "Working on 460\n", + "Working on 461\n", + "Working on 462\n", + "Working on 463\n", + "Working on 464\n", + "Working on 465\n", + "Working on 466\n", + "Working on 467\n", + "Working on 468\n", + "Working on 469\n", + "Working onWorking on 471\n", + " 470\n", + "Working on 472\n", + "Working on 473\n", + "Working on 474\n", + "Working on 475\n", + "Working on 476\n", + "Working on 477\n", + "Working on 478\n", + "Working on 479\n", + "Working on 480\n", + "Working on 481\n", + "Working on 482\n", + "Working on 483\n", + "Working on 484\n", + "Working onWorking on 486\n", + " 485\n", + "Working on 487\n", + "Working on 488\n", + "Working on 489\n", + "Working on 490\n", + "Working on 491\n", + "Working on 492\n", + "Working on 493\n", + "Working on 494\n", + "Working on 495\n", + "Working on 496\n", + "Working on 497\n", + "Working on 498\n", + "Working on 499\n", + "Working on 500\n", + "Working on 501\n", + "Working on 502\n", + "Working on 503\n", + "Working on 504\n", + "Working onWorking on 506\n", + " 505\n", + "Working on 507\n", + "Working on 508\n", + "Working on 509\n", + "Working on 510\n", + "Working on 511\n", + "Working on 512\n", + "Working on 513\n", + "Working on 514\n", + "Working on 515\n", + "Working on 516\n", + "Working on 517\n", + "Working on 518\n", + "Working on 519\n", + "Working on 520\n", + "Working on 521\n", + "Working on 522\n", + "Working on 523\n", + "Working on 524\n", + "Working on 525\n", + "Working on 526\n", + "Working on 527\n", + "Working on 528\n", + "Working on 529\n", + "Working on 530\n", + "Working on 531\n", + "Working on 532\n", + "Working on 533\n", + "Working on 534\n", + "Working on 535\n", + "Working on 536\n", + "Working on 537\n", + "Working on 538\n", + "Working on 539\n", + "Working on 540\n", + "Working on 541\n", + "Working on 542\n", + "Working on 543\n", + "Working on 544\n", + "Working on 545\n", + "Working onWorking on 547\n", + " 546\n", + "Working on 548\n", + 
"Working on 549\n", + "Working on 550\n", + "Working on 551\n", + "Working on 552\n", + "Working on 553\n", + "Working on 554\n", + "Working on 555\n", + "Working on 556\n", + "Working on 557\n", + "Working on 558\n", + "Working on 559\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Working on 560\n", + "Working on 561\n", + "Working on 562\n", + "Working on 563\n", + "Working on 564\n", + "Working on 565\n", + "Working on 566\n", + "Working on 567\n", + "Working on 568\n", + "Working on 569\n", + "Working on 570\n", + "Working on 571\n", + "Working on 572\n", + "Working on 573\n", + "Working onWorking on 575\n", + " 574\n", + "Working on 576\n", + "Working on 577\n", + "Working on 578\n", + "Working on 579\n", + "Working on 580\n", + "Working on 581\n", + "Working on 582\n", + "Working on 583\n", + "Working on 584\n", + "Working on 585\n", + "Working on 586\n", + "Working on 587\n", + "Working on 588\n", + "Working on 589\n", + "Working on 590\n", + "Working on 591\n", + "Working on 592\n", + "Working on 593\n", + "Working on 594\n", + "Working on 595\n", + "Working on 596\n", + "Working on 597\n", + "Working on 598\n", + "Working on 599\n", + "Working on 600\n", + "Working on 601\n", + "Working on 602\n", + "Working on 603\n", + "Working on 604\n", + "Working on 605\n", + "Working on 606\n", + "Working on 607\n", + "Working on 608\n", + "Working on 609\n", + "Working on 610\n", + "Working on 611\n", + "Working on 612\n", + "Working on 613\n", + "Working on 614\n", + "Working on 615\n", + "Working on 616\n", + "Working on 617\n", + "Working on 618\n", + "Working onWorking on 620\n", + " 619\n", + "Working on 621\n", + "Working on 622\n", + "Working on 623\n", + "Working on 624\n", + "Working on 625\n", + "Working onWorking on 627\n", + " 626\n", + "Working on 628\n", + "Working on 629\n", + "Working on 630\n", + "Working on 631\n", + "Working on 632\n", + "Working on 633\n", + "Working on 634\n", + "Working on 635\n", + "Working on 
636\n", + "Working onWorking on 638\n", + " 637\n", + "Working on 639\n", + "Working on 640\n", + "Working on 641\n", + "Working on 642\n", + "Working on 643\n", + "Working on 644\n", + "Working on 645\n", + "Working on 646\n", + "Working on 647\n", + "Working on 648\n", + "Working on 649\n", + "Working on 650\n", + "Working on 651\n", + "Working on 652\n", + "Working on 653\n", + "Working on 654\n", + "Working on 655\n", + "Working on 656\n", + "Working on 657\n", + "Working on 658\n", + "Working on 659\n", + "Working on 660\n", + "Working onWorking on 662\n", + " 661\n", + "Working on 663\n", + "Working on 664\n", + "Working on 665\n", + "Working on 666\n", + "Working on 667\n", + "Working onWorking on 669\n", + " 668\n", + "Working on 670\n", + "Working on 671\n", + "Working on 672\n", + "Working on 673\n", + "Working on 674\n", + "Working onWorking on 676\n", + " 675\n", + "Working on 677\n", + "Working on 678\n", + "Working on 679\n", + "Working on 680\n", + "Working on 681\n", + "Working on 682\n", + "Working on 683\n", + "Working on 684\n", + "Working on 685\n", + "Working on 686\n", + "Working on 687\n", + "Working on 688\n", + "Working on 689\n", + "Working on 690\n", + "Working on 691\n", + "Working on 692\n", + "Working on 693\n", + "Working on 694\n", + "Working onWorking on 696\n", + " 695\n", + "Working on 697\n", + "Working on 698\n", + "Working on 699\n", + "Working onWorking on 701\n", + " 700\n", + "Working on 702\n", + "Working on 703\n", + "Working on 704\n", + "Working on 705\n", + "Working on 706\n", + "Working on 707\n", + "Working on 708\n", + "Working on 709\n", + "Working on 710\n", + "Working on 711\n", + "Working on 712\n", + "Working on 713\n", + "Working on 714\n", + "Working on 715\n", + "Working on 716\n", + "Working on 717\n", + "Working on 718\n", + "Working on 719\n", + "Working on 720\n", + "Working on 721\n", + "Working on 722\n", + "Working on 723\n", + "Working on 724\n", + "Working on 725\n", + "Working on 726\n", + "Working 
on 727\n", + "Working on 728\n", + "Working on 729\n", + "Working on 730\n", + "Working on 731\n", + "Working on 732\n", + "Working on 733\n", + "Working on 734\n", + "Working on 735\n", + "Working on 736\n", + "Working on 737\n", + "Working on 738\n", + "Working on 739\n", + "Working on 740\n", + "Working on 741\n", + "Working on 742\n", + "Working on 743\n", + "Working on 744\n", + "Working on 745\n", + "Working on 746\n", + "Working on 747\n", + "Working on 748\n", + "Working on 749\n", + "Working on 750\n", + "Working on 751\n", + "Working on 752\n", + "Working on 753\n", + "Working on 754\n", + "Working on 755\n", + "Working on 756\n", + "Working on 757\n", + "Working on 758\n", + "Working on 759\n", + "Working on 760\n", + "Working on 761\n", + "Working on 762\n", + "Working on 763\n", + "Working on 764\n", + "Working on 765\n", + "Working on 766\n", + "Working on 767\n", + "Working on 768\n", + "Working on 769\n", + "Working on 770\n", + "Working on 771\n", + "Working on 772\n", + "Working on 773\n", + "Working on 774\n", + "Working on 775\n", + "Working on 776\n", + "Working on 777\n", + "Working on 778\n", + "Working on 779\n", + "Working on 780\n", + "Working on 781\n", + "Working on 782\n", + "Working on 783\n", + "Working on 784\n", + "Working on 785\n", + "Working on 786\n", + "Working on 787\n", + "Working on 788\n", + "Working on 789\n", + "Working on 790\n", + "Working on 791\n", + "Working on 792\n", + "Working on 793\n", + "Working on 794\n", + "Working on 795\n", + "Working on 796\n", + "Working on 797\n", + "Working on 798\n", + "Working on 799\n", + "Working on 800\n", + "Working on 801\n", + "Working on 802\n", + "Working on 803\n", + "Working on 804\n", + "Working on 805\n", + "Working on 806\n", + "Working on 807\n", + "Working on 808\n", + "Working on 809\n", + "Working on 810\n", + "Working on 811\n", + "Working on 812\n", + "Working on 813\n", + "Working on 814\n", + "Working on 815\n", + "Working on 816\n", + "Working on 817\n", + 
"Working on 818\n", + "Working on 819\n", + "Working on 820\n", + "Working on 821\n", + "Working on 822\n", + "Working on 823\n", + "Working on 824\n", + "Working on 825\n", + "Working on 826\n", + "Working on 827\n", + "Working on 828\n", + "Working on 829\n", + "Working on 830\n", + "Working on 831\n", + "Working on 832\n", + "Working on 833\n", + "Working on 834\n", + "Working on 835\n", + "Working on 836\n", + "Working on 837\n", + "Working on 838\n", + "Working on 839\n", + "Working on 840\n", + "Working on 841\n", + "Working on 842\n", + "Working on 843\n", + "Working on 844\n", + "Working on 845\n", + "Working on 846\n", + "Working on 847\n", + "Working on 848\n", + "Working on 849\n", + "Working on 850\n", + "Working on 851\n", + "Working on 852\n", + "Working on 853\n", + "Working on 854\n", + "Working on 855\n", + "Working on 856\n", + "Working on 857\n", + "Working on 858\n", + "Working on 859\n", + "Working on 860\n", + "Working on 861\n", + "Working on 862\n", + "Working on 863\n", + "Working on 864\n", + "Working on 865\n", + "Working on 866\n", + "Working on 867\n", + "Working on 868\n", + "Working on 869\n", + "Working on 870\n", + "Working on 871\n", + "Working on 872\n", + "Working on 873\n", + "Working on 874\n", + "Working on 875\n", + "Working on 876\n", + "Working on 877\n", + "Working on 878\n", + "Working on 879\n", + "Working on 880\n", + "Working on 881\n", + "Working on 882\n", + "Working on 883\n", + "Working on 884\n", + "Working on 885\n", + "Working on 886\n", + "Working on 887\n", + "Working on 888\n", + "Working on 889\n", + "Working on 890\n", + "Working on 891\n", + "Working on 892\n", + "Working on 893\n", + "Working on 894\n", + "Working on 895\n", + "Working on 896\n", + "Working on 897\n", + "Working on 898\n", + "Working on 899\n", + "Working on 900\n", + "Working on 901\n", + "Working on 902\n", + "Working on 903\n", + "Working on 904\n", + "Working on 905\n", + "Working on 906\n", + "Working on 907\n", + "Working on 908\n", 
+ "Working on 909\n", + "Working onWorking on 911\n", + " 910\n", + "Working on 912\n", + "Working on 913\n", + "Working on 914\n", + "Working on 915\n", + "Working on 916\n", + "Working on 917\n", + "Working on 918\n", + "Working on 919\n", + "Working on 920\n", + "Working on 921\n", + "Working on 922\n", + "Working on 923\n", + "Working on 924\n", + "Working on 925\n", + "Working on 926\n", + "Working on 927\n", + "Working on 928\n", + "Working on 929\n", + "Working on 930\n", + "Working on 931\n", + "Working on 932\n", + "Working on 933\n", + "Working on 934\n", + "Working on 935\n", + "Working on 936\n", + "Working on 937\n", + "Working on 938\n", + "Working on 939\n", + "Working on 940\n", + "Working on 941\n", + "Working on 942\n", + "Working on 943\n", + "Working on 944\n", + "Working on 945\n", + "Working on 946\n", + "Working on 947\n", + "Working onWorking on 949\n", + " 948\n", + "Working on 950\n", + "Working on 951\n", + "Working on 952\n", + "Working on 953\n", + "Working on 954\n", + "Working on 955\n", + "Working on 956\n", + "Working on 957\n", + "Working on 958\n", + "Working on 959\n", + "Working on 960\n", + "Working on 961\n", + "Working on 962\n", + "Working on 963\n", + "Working on 964\n", + "Working on 965\n", + "Working on 966\n", + "Working on 967\n", + "Working on 968\n", + "Working on 969\n", + "Working on 970\n", + "Working on 971\n", + "Working on 972\n", + "Working on 973\n", + "Working on 974\n", + "Working on 975\n", + "Working on 976\n", + "Working on 977\n", + "Working on 978\n", + "Working on 979\n", + "Working on 980\n", + "Working on 981\n", + "Working on 982\n", + "Working on 983\n", + "Working on 984\n", + "Working on 985\n", + "Working onWorking on 987\n", + " 986\n", + "Working on 988\n", + "Working on 989\n", + "Working on 990\n", + "Working on 991\n", + "Working on 992\n", + "Working on 993\n", + "Working on 994\n", + "Working on 995\n", + "Working on 996\n", + "Working on 997\n", + "Working on 998\n", + "Working on 
999\n", + "Working on 1000\n", + "Working on 1001\n", + "Working on 1002\n", + "Working on 1003\n", + "Working on 1004\n", + "Working on 1005\n", + "Working on 1006\n", + "Working on 1007\n", + "Working on 1008\n", + "Working on 1009\n", + "Working on 1010\n", + "Working on 1011\n", + "Working on 1012\n", + "Working on 1013\n", + "Working on 1014\n", + "Working on 1015\n", + "Working on 1016\n", + "Working on 1017\n", + "Working on 1018\n", + "Working on 1019\n", + "Working on 1020\n", + "Working on 1021\n", + "Working on 1022\n", + "Working on 1023\n", + "Working on 1024\n", + "Working on 1025\n", + "Working on 1026\n", + "Working on 1027\n", + "Working on 1028\n", + "Working on 1029\n", + "Working on 1030\n", + "Working on 1031\n", + "Working on 1032\n", + "Working on 1033\n", + "Working on 1034\n", + "Working on 1035\n", + "Working on 1036\n", + "Working on 1037\n", + "Working on 1038\n", + "Working on 1039\n", + "Working on 1040\n", + "Working on 1041\n", + "Working on 1042\n", + "Working on 1043\n", + "Working on 1044\n", + "Working on 1045\n", + "Working on 1046\n", + "Working on 1047\n", + "Working on 1048\n", + "Working on 1049\n", + "Working on 1050\n", + "Working on 1051\n", + "Working on 1052\n", + "Working on 1053\n", + "Working on 1054\n", + "Working on 1055\n", + "Working on 1056\n", + "Working on 1057\n", + "Working on 1058\n", + "Working on 1059\n", + "Working on 1060\n", + "Working on 1061\n", + "Working on 1062\n", + "Working on 1063\n", + "Working on 1064\n", + "Working on 1065\n", + "Working on 1066\n", + "Working on 1067\n", + "Working on 1068\n", + "Working on 1069\n", + "Working on 1070\n", + "Working on 1071\n", + "Working on 1072\n", + "Working on 1073\n", + "Working on 1074\n", + "Working on 1075\n", + "Working on 1076\n", + "Working on 1077\n", + "Working on 1078\n", + "Working on 1079\n", + "Working on 1080\n", + "Working on 1081\n", + "Working on 1082\n", + "Working on 1083\n", + "Working on 1084\n", + "Working on 1085\n", + "Working on 
1086\n", + "Working on 1087\n", + "Working on 1088\n", + "Working on 1089\n", + "Working on 1090\n", + "Working on 1091\n", + "Working on 1092\n", + "Working on 1093\n", + "Working on 1094\n", + "Working on 1095\n", + "Working on 1096\n", + "Working on 1097\n", + "Working on 1098\n", + "Working on 1099\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Working on 1100\n", + "Working on 1101\n", + "Working on 1102\n", + "Working on 1103\n", + "Working on 1104\n", + "Working on 1105\n", + "Working on 1106\n", + "Working on 1107\n", + "Working on 1108\n", + "Working on 1109\n", + "Working on 1110\n", + "Working on 1111\n", + "Working on 1112\n", + "Working on 1113\n", + "Working on 1114\n", + "Working on 1115\n", + "Working on 1116\n", + "Working on 1117\n", + "Working on 1118\n", + "Working on 1119\n", + "Working on 1120\n", + "Working on 1121\n", + "Working on 1122\n", + "Working on 1123\n", + "Working on 1124\n", + "Working on 1125\n", + "Working on 1126\n", + "Working on 1127\n", + "Working on 1128\n", + "Working on 1129\n", + "Working on 1130\n", + "Working on 1131\n", + "Working on 1132\n", + "Working on 1133\n", + "Working on 1134\n", + "Working on 1135\n", + "Working on 1136\n", + "Working on 1137\n", + "Working on 1138\n", + "Working on 1139\n", + "Working on 1140\n", + "Working on 1141\n", + "Working on 1142\n", + "Working on 1143\n", + "Working on 1144\n", + "Working on 1145\n", + "Working on 1146\n", + "Working on 1147\n", + "Working on 1148\n", + "Working on 1149\n", + "Working on 1150\n", + "Working on 1151\n", + "Working on 1152\n", + "Working on 1153\n", + "Working on 1154\n", + "Working on 1155\n", + "Working on 1156\n", + "Working on 1157\n", + "Working on 1158\n", + "Working on 1159\n", + "Working on 1160\n", + "Working on 1161\n", + "Working on 1162\n", + "Working on 1163\n", + "Working on 1164\n", + "Working on 1165\n", + "Working on 1166\n", + "Working on 1167\n", + "Working on 1168\n", + "Working on 1169\n", + "Working 
on 1170\n", + "Working on 1171\n", + "Working on 1172\n", + "Working on 1173\n", + "Working on 1174\n", + "Working on 1175\n", + "Working onWorking on 1177\n", + " 1176\n", + "Working on 1178\n", + "Working on 1179\n", + "Working on 1180\n", + "Working on 1181\n", + "Working on 1182\n", + "Working on 1183\n", + "Working on 1184\n", + "Working on 1185\n", + "Working on 1186\n", + "Working on 1187\n", + "Working on 1188\n", + "Working on 1189\n", + "Working on 1190\n", + "Working on 1191\n", + "Working on 1192\n", + "Working on 1193\n", + "Working on 1194\n", + "Working on 1195\n", + "Working on 1196\n", + "Working on 1197\n", + "Working on 1198\n", + "Working on 1199\n", + "Working on 1200\n", + "Working on 1201\n", + "Working on 1202\n", + "Working on 1203\n", + "Working on 1204\n", + "Working on 1205\n", + "Working on 1206\n", + "Working on 1207\n", + "Working on 1208\n", + "Working on 1209\n", + "Working on 1210\n", + "Working on 1211\n", + "Working on 1212\n", + "Working on 1213\n", + "Working on 1214\n", + "Working on 1215\n", + "Working on 1216\n", + "Working on 1217\n", + "Working on 1218\n", + "Working on 1219\n", + "Working on 1220\n", + "Working on 1221\n", + "Working on 1222\n", + "Working on 1223\n", + "Working on 1224\n", + "Working on 1225\n", + "Working on 1226\n", + "Working on 1227\n", + "Working on 1228\n", + "Working on 1229\n", + "Working on 1230\n", + "Working on 1231\n", + "Working on 1232\n", + "Working on 1233\n", + "Working on 1234\n", + "Working on 1235\n", + "Working on 1236\n", + "Working on 1237\n", + "Working on 1238\n", + "Working on 1239\n", + "Working on 1240\n", + "Working on 1241\n", + "Working on 1242\n", + "Working on 1243\n", + "Working on 1244\n", + "Working on 1245\n", + "Working on 1246\n", + "Working on 1247\n", + "Working on 1248\n", + "Working on 1249\n", + "Working on 1250\n", + "Working on 1251\n", + "Working on 1252\n", + "Working on 1253\n", + "Working on 1254\n", + "Working on 1255\n", + "Working on 1256\n", + 
"Working on 1257\n", + "Working on 1258\n", + "Working on 1259\n", + "Working on 1260\n", + "Working on 1261\n", + "Working on 1262\n", + "Working on 1263\n", + "Working on 1264\n", + "Working on 1265\n", + "Working on 1266\n", + "Working on 1267\n", + "Working on 1268\n", + "Working on 1269\n", + "Working on 1270\n", + "Working on 1271\n", + "Working on 1272\n", + "Working on 1273\n", + "Working on 1274\n", + "Working on 1275\n", + "Working on 1276\n", + "Working on 1277\n", + "Working on 1278\n", + "Working on 1279\n", + "Working on 1280\n", + "Working on 1281\n", + "Working on 1282\n", + "Working on 1283\n", + "Working on 1284\n", + "Working on 1285\n", + "Working on 1286\n", + "Working on 1287\n", + "Working on 1288\n", + "Working on 1289\n", + "Working onWorking on 1291\n", + " 1290\n", + "Working on 1292\n", + "Working on 1293\n", + "Working on 1294\n", + "Working on 1295\n", + "Working on 1296\n", + "Working on 1297\n", + "Working onWorking on 1299\n", + " 1298\n", + "Working on 1300\n", + "Working on 1301\n", + "Working on 1302\n", + "Working on 1303\n", + "Working on 1304\n", + "Working on 1305\n", + "Working on 1306\n", + "Working on 1307\n", + "Working on 1308\n", + "Working on 1309\n", + "Working on 1310\n", + "Working on 1311\n", + "Working on 1312\n", + "Working on 1313\n", + "Working on 1314\n", + "Working on 1315\n", + "Working on 1316\n", + "Working on 1317\n", + "Working on 1318\n", + "Working on 1319\n", + "Working on 1320\n", + "Working on 1321\n", + "Working on 1322\n", + "Working on 1323\n", + "Working on 1324\n", + "Working on 1325\n", + "Working on 1326\n", + "Working on 1327\n", + "Working on 1328\n", + "Working on 1329\n", + "Working on 1330\n", + "Working on 1331\n", + "Working on 1332\n", + "Working on 1333\n", + "Working on 1334\n", + "Working on 1335\n", + "Working on 1336\n", + "Working on 1337\n", + "Working on 1338\n", + "Working on 1339\n", + "Working on 1340\n", + "Working on 1341\n", + "Working on 1342\n", + "Working on 1343\n", 
+ "Working on 1344\n", + "Working on 1345\n", + "Working on 1346\n", + "Working on 1347\n", + "Working on 1348\n", + "Working on 1349\n", + "Working on 1350\n", + "Working on 1351\n", + "Working on 1352\n", + "Working onWorking on 1354\n", + " 1353\n", + "Working on 1355\n", + "Working on 1356\n", + "Working on 1357\n", + "Working on 1358\n", + "Working on 1359\n", + "Working on 1360\n", + "Working on 1361\n", + "Working on 1362\n", + "Working on 1363\n", + "Working on 1364\n", + "Working on 1365\n", + "Working on 1366\n", + "Working on 1367\n", + "Working on 1368\n", + "Working on 1369\n", + "Working on 1370\n", + "Working on 1371\n", + "Working on 1372\n", + "Working on 1373\n", + "Working on 1374\n", + "Working on 1375\n", + "Working on 1376\n", + "Working on 1377\n", + "Working on 1378\n", + "Working on 1379\n", + "Working on 1380\n", + "Working on 1381\n", + "Working on 1382\n", + "Working onWorking on 1384\n", + " 1383\n", + "Working on 1385\n", + "Working on 1386\n", + "Working on 1387\n", + "Working on 1388\n", + "Working on 1389\n", + "Working on 1390\n", + "Working onWorking on 1392\n", + " 1391\n" + ] + }, + { + "name": "stderr", + "output_type": "stream", + "text": [ + "Retrying langchain.chat_models.openai.ChatOpenAI.completion_with_retry.._completion_with_retry in 4.0 seconds as it raised APIError: Bad gateway. 
{\"error\":{\"code\":502,\"message\":\"Bad gateway.\",\"param\":null,\"type\":\"cf_bad_gateway\"}} 502 {'error': {'code': 502, 'message': 'Bad gateway.', 'param': None, 'type': 'cf_bad_gateway'}} {'Date': 'Mon, 25 Sep 2023 01:51:14 GMT', 'Content-Type': 'application/json', 'Content-Length': '84', 'Connection': 'keep-alive', 'X-Frame-Options': 'SAMEORIGIN', 'Referrer-Policy': 'same-origin', 'Cache-Control': 'private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0', 'Expires': 'Thu, 01 Jan 1970 00:00:01 GMT', 'Server': 'cloudflare', 'CF-RAY': '80bf9e41f930e254-ORD', 'alt-svc': 'h3=\":443\"; ma=86400'}.\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Working on 1393\n", + "Working on 1394\n", + "Working on 1395\n", + "Working on 1396\n", + "Working on 1397\n", + "Working on 1398\n", + "Working on 1399\n", + "Working on 1400\n" + ] + }, + { + "name": "stderr", + "output_type": "stream", + "text": [ + "Retrying langchain.chat_models.openai.ChatOpenAI.completion_with_retry.._completion_with_retry in 4.0 seconds as it raised APIError: Bad gateway. 
{\"error\":{\"code\":502,\"message\":\"Bad gateway.\",\"param\":null,\"type\":\"cf_bad_gateway\"}} 502 {'error': {'code': 502, 'message': 'Bad gateway.', 'param': None, 'type': 'cf_bad_gateway'}} {'Date': 'Mon, 25 Sep 2023 01:51:35 GMT', 'Content-Type': 'application/json', 'Content-Length': '84', 'Connection': 'keep-alive', 'X-Frame-Options': 'SAMEORIGIN', 'Referrer-Policy': 'same-origin', 'Cache-Control': 'private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0', 'Expires': 'Thu, 01 Jan 1970 00:00:01 GMT', 'Server': 'cloudflare', 'CF-RAY': '80bf9f49ee1929e8-ORD', 'alt-svc': 'h3=\":443\"; ma=86400'}.\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Working on 1401\n", + "Working on 1402\n", + "Working on 1403\n", + "Working on 1404\n", + "Working on 1405\n", + "Working on 1406\n", + "Working on 1407\n", + "Working on 1408\n", + "Working on 1409\n", + "Working on 1410\n" + ] + }, + { + "name": "stderr", + "output_type": "stream", + "text": [ + "Retrying langchain.chat_models.openai.ChatOpenAI.completion_with_retry.._completion_with_retry in 4.0 seconds as it raised APIError: Bad gateway. 
{\"error\":{\"code\":502,\"message\":\"Bad gateway.\",\"param\":null,\"type\":\"cf_bad_gateway\"}} 502 {'error': {'code': 502, 'message': 'Bad gateway.', 'param': None, 'type': 'cf_bad_gateway'}} {'Date': 'Mon, 25 Sep 2023 01:52:02 GMT', 'Content-Type': 'application/json', 'Content-Length': '84', 'Connection': 'keep-alive', 'X-Frame-Options': 'SAMEORIGIN', 'Referrer-Policy': 'same-origin', 'Cache-Control': 'private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0', 'Expires': 'Thu, 01 Jan 1970 00:00:01 GMT', 'Server': 'cloudflare', 'CF-RAY': '80bf9ff7dc6761e0-ORD', 'alt-svc': 'h3=\":443\"; ma=86400'}.\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Working on 1411\n", + "Working on 1412\n", + "Working on 1413\n", + "Working on 1414\n", + "Working on 1415\n", + "Working on 1416\n", + "Working on 1417\n", + "Working on 1418\n", + "Working on 1419\n", + "Working on 1420\n", + "Working on 1421\n", + "Working on 1422\n", + "Working on 1423\n", + "Working on 1424\n", + "Working on 1425\n", + "Working on 1426\n", + "Working on 1427\n", + "Working on 1428\n", + "Working on 1429\n", + "Working on 1430\n", + "Working on 1431\n", + "Working on 1432\n", + "Working on 1433\n", + "Working on 1434\n", + "Working on 1435\n", + "Working on 1436\n", + "Working on 1437\n", + "Working on 1438\n", + "Working on 1439\n", + "Working on 1440\n", + "Working on 1441\n", + "Working on 1442\n", + "Working on 1443\n", + "Working onWorking on 1445\n", + " 1444\n", + "Working on 1446\n", + "Working on 1447\n", + "Working on 1448\n", + "Working on 1449\n", + "Working on 1450\n", + "Working on 1451\n", + "Working on 1452\n", + "Working on 1453\n", + "Working on 1454\n", + "Working on 1455\n", + "Working on 1456\n", + "Working on 1457\n", + "Working on 1458\n", + "Working on 1459\n", + "Working on 1460\n", + "Working on 1461\n", + "Working on 1462\n", + "Working on 1463\n", + "Working on 1464\n", + "Working on 1465\n", + "Working on 1466\n", + 
"Working on 1467\n", + "Working on 1468\n", + "Working onWorking on 1470\n", + " 1469\n", + "Working on 1471\n", + "Working on 1472\n", + "Working on 1473\n", + "Working on 1474\n", + "Working on 1475\n", + "Working on 1476\n", + "Working on 1477\n", + "Working on 1478\n", + "Working on 1479\n", + "Working on 1480\n", + "Working on 1481\n", + "Working on 1482\n", + "Working on 1483\n", + "Working on 1484\n", + "Working on 1485\n", + "Working on 1486\n", + "Working on 1487\n", + "Working on 1488\n", + "Working on 1489\n", + "Working on 1490\n", + "Working on 1491\n", + "Working on 1492\n", + "Working onWorking on 1494\n", + " 1493\n", + "Working on 1495\n", + "Working on 1496\n", + "Working on 1497\n", + "Working on 1498\n", + "Working on 1499\n", + "Working on 1500\n", + "Working on 1501\n", + "Working on 1502\n", + "Working on 1503\n", + "Working on 1504\n", + "Working on 1505\n", + "Working on 1506\n", + "Working on 1507\n", + "Working on 1508\n", + "Working on 1509\n", + "Working on 1510\n", + "Working onWorking on 1512\n", + "Working on 1513\n", + "Working on 1514\n", + " 1511\n", + "Working on 1515\n", + "Working on 1516\n", + "Working on 1517\n", + "Working on 1518\n", + "Working on 1519\n", + "Working on 1520\n", + "Working on 1521\n", + "Working on 1522\n", + "Working on 1523\n", + "Working on 1524\n", + "Working on 1525\n", + "Working on 1526\n", + "Working on 1527\n", + "Working on 1528\n", + "Working on 1529\n" + ] + }, + { + "name": "stderr", + "output_type": "stream", + "text": [ + "Retrying langchain.chat_models.openai.ChatOpenAI.completion_with_retry.._completion_with_retry in 4.0 seconds as it raised APIError: Bad gateway. 
{\"error\":{\"code\":502,\"message\":\"Bad gateway.\",\"param\":null,\"type\":\"cf_bad_gateway\"}} 502 {'error': {'code': 502, 'message': 'Bad gateway.', 'param': None, 'type': 'cf_bad_gateway'}} {'Date': 'Mon, 25 Sep 2023 01:57:40 GMT', 'Content-Type': 'application/json', 'Content-Length': '84', 'Connection': 'keep-alive', 'X-Frame-Options': 'SAMEORIGIN', 'Referrer-Policy': 'same-origin', 'Cache-Control': 'private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0', 'Expires': 'Thu, 01 Jan 1970 00:00:01 GMT', 'Server': 'cloudflare', 'CF-RAY': '80bfa82a9c402c84-ORD', 'alt-svc': 'h3=\":443\"; ma=86400'}.\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Working on 1530\n", + "Working on 1531\n", + "Working on 1532\n", + "Working on 1533\n", + "Working on 1534\n", + "Working on 1535\n", + "Working on 1536\n", + "Working on 1537\n", + "Working on 1538\n", + "Working on 1539\n", + "Working on 1540\n", + "Working on 1541\n", + "Working on 1542\n", + "Working on 1543\n", + "Working on 1544\n", + "Working on 1545\n", + "Working on 1546\n", + "Working on 1547\n", + "Working on 1548\n", + "Working onWorking on 1550\n", + " 1549\n", + "Working on 1551\n", + "Working on 1552\n", + "Working on 1553\n", + "Working on 1554\n", + "Working on 1555\n", + "Working on 1556\n", + "Working on 1557\n", + "Working on 1558\n", + "Working on 1559\n", + "Working on 1560\n", + "Working onWorking on 1562\n", + " 1561\n", + "Working on 1563\n", + "Working on 1564\n", + "Working on 1565\n", + "Working on 1566\n", + "Working on 1567\n", + "Working on 1568\n", + "Working on 1569\n", + "Working onWorking on 1571\n", + " 1570\n", + "Working on 1572\n", + "Working on 1573\n", + "Working on 1574\n", + "Working on 1575\n", + "Working on 1576\n", + "Working on 1577\n", + "Working on 1578\n", + "Working on 1579\n", + "Working on 1580\n", + "Working on 1581\n", + "Working on 1582\n", + "Working on 1583\n", + "Working on 1584\n", + "Working on 1585\n", + 
"Working on 1586\n", + "Working on 1587\n", + "Working on 1588\n", + "Working on 1589\n", + "Working on 1590\n", + "Working on 1591\n", + "Working on 1592\n", + "Working on 1593\n", + "Working on 1594\n", + "Working on 1595\n", + "Working on 1596\n", + "Working on 1597\n", + "Working on 1598\n", + "Working on 1599\n", + "Working on 1600\n", + "Working on 1601\n", + "Working on 1602\n", + "Working on 1603\n", + "Working on 1604\n", + "Working on 1605\n", + "Working on 1606\n", + "Working on 1607\n", + "Working on 1608\n", + "Working on 1609\n", + "Working on 1610\n", + "Working on 1611\n", + "Working on 1612\n", + "Working on 1613\n", + "Working on 1614\n", + "Working on 1615\n", + "Working on 1616\n", + "Working on 1617\n", + "Working on 1618\n", + "Working on 1619\n", + "Working on 1620\n", + "Working on 1621\n", + "Working on 1622\n", + "Working on 1623\n", + "Working on 1624\n", + "Working on 1625\n", + "Working on 1626\n", + "Working on 1627\n", + "Working on 1628\n", + "Working on 1629\n", + "Working on 1630\n", + "Working on 1631\n", + "Working on 1632\n", + "Working on 1633\n", + "Working on 1634\n", + "Working on 1635\n", + "Working on 1636\n", + "Working on 1637\n", + "Working on 1638\n", + "Working on 1639\n", + "Working on 1640\n", + "Working on 1641\n", + "Working on 1642\n", + "Working on 1643\n", + "Working on 1644\n", + "Working on 1645\n", + "Working on 1646\n", + "Working on 1647\n", + "Working on 1648\n", + "Working on 1649\n", + "Working on 1650\n", + "Working on 1651\n", + "Working on 1652\n", + "Working on 1653\n", + "Working on 1654\n", + "Working on 1655\n", + "Working on 1656\n", + "Working on 1657\n", + "Working on 1658\n", + "Working on 1659\n", + "Working on 1660\n", + "Working on 1661\n", + "Working on 1662\n", + "Working on 1663\n", + "Working on 1664\n", + "Working on 1665\n", + "Working on 1666\n", + "Working on 1667\n", + "Working on 1668\n", + "Working on 1669\n", + "Working on 1670\n", + "Working on 1671\n", + "Working on 1672\n", 
+ "Working on 1673\n", + "Working on 1674\n", + "Working on 1675\n", + "Working on 1676\n", + "Working on 1677\n", + "Working on 1678\n", + "Working on 1679\n", + "Working on 1680\n", + "Working on 1681\n", + "Working on 1682\n", + "Working onWorking on 1684\n", + " 1683\n", + "Working on 1685\n", + "Working on 1686\n", + "Working on 1687\n", + "Working on 1688\n", + "Working on 1689\n", + "Working on 1690\n", + "Working on 1691\n", + "Working on 1692\n", + "Working on 1693\n", + "Working on 1694\n", + "Working on 1695\n", + "Working on 1696\n", + "Working on 1697\n", + "Working on 1698\n", + "Working on 1699\n", + "Working on 1700\n", + "Working on 1701\n", + "Working on 1702\n", + "Working on 1703\n", + "Working on 1704\n", + "Working on 1705\n", + "Working on 1706\n", + "Working on 1707\n", + "Working on 1708\n", + "Working on 1709\n", + "Working on 1710\n", + "Working on 1711\n", + "Working on 1712\n", + "Working on 1713\n", + "Working on 1714\n", + "Working on 1715\n", + "Working on 1716\n", + "Working on 1717\n", + "Working on 1718\n", + "Working on 1719\n", + "Working on 1720\n", + "Working on 1721\n", + "Working on 1722\n", + "Working on 1723\n", + "Working on 1724\n", + "Working on 1725\n", + "Working on 1726\n", + "Working on 1727\n", + "Working on 1728\n", + "Working on 1729\n", + "Working on 1730\n", + "Working on 1731\n", + "Working on 1732\n", + "Working on 1733\n", + "Working on 1734\n", + "Working on 1735\n", + "Working on 1736\n", + "Working on 1737\n", + "Working on 1738\n", + "Working on 1739\n", + "Working on 1740\n", + "Working on 1741\n", + "Working on 1742\n", + "Working on 1743\n", + "Working on 1744\n", + "Working on 1745\n", + "Working on 1746\n", + "Working on 1747\n", + "Working on 1748\n", + "Working on 1749\n", + "Working on 1750\n", + "Working on 1751\n", + "Working on 1752\n", + "Working on 1753\n", + "Working on 1754\n", + "Working on 1755\n", + "Working on 1756\n", + "Working on 1757\n", + "Working on 1758\n", + "Working on 
1759\n", + "Working on 1760\n", + "Working on 1761\n", + "Working on 1762\n", + "Working on 1763\n", + "Working on 1764\n", + "Working on 1765\n", + "Working on 1766\n", + "Working on 1767\n", + "Working on 1768\n", + "Working on 1769\n", + "Working on 1770\n", + "Working on 1771\n", + "Working on 1772\n", + "Working on 1773\n", + "Working on 1774\n", + "Working on 1775\n", + "Working on 1776\n", + "Working on 1777\n", + "Working on 1778\n", + "Working on 1779\n", + "Working on 1780\n", + "Working on 1781\n", + "Working on 1782\n", + "Working on 1783\n", + "Working on 1784\n", + "Working on 1785\n", + "Working on 1786\n", + "Working on 1787\n", + "Working on 1788\n", + "Working on 1789\n", + "Working on 1790\n", + "Working on 1791\n", + "Working on 1792\n", + "Working on 1793\n", + "Working on 1794\n", + "Working on 1795\n", + "Working on 1796\n", + "Working on 1797\n", + "Working on 1798\n", + "Working on 1799\n", + "Working on 1800\n", + "Working on 1801\n", + "Working on 1802\n", + "Working on 1803\n", + "Working on 1804\n", + "Working on 1805\n", + "Working on 1806\n", + "Working on 1807\n", + "Working on 1808\n", + "Working on 1809\n", + "Working on 1810\n", + "Working on 1811\n", + "Working on 1812\n", + "Working on 1813\n", + "Working on 1814\n", + "Working on 1815\n", + "Working on 1816\n", + "Working on 1817\n", + "Working on 1818\n", + "Working on 1819\n", + "Working on 1820\n", + "Working on 1821\n", + "Working on 1822\n", + "Working on 1823\n", + "Working on 1824\n", + "Working on 1825\n", + "Working on 1826\n", + "Working on 1827\n", + "Working on 1828\n", + "Working on 1829\n", + "Working on 1830\n", + "Working on 1831\n", + "Working onWorking on 1833\n", + " 1832\n", + "Working on 1834\n", + "Working on 1835\n", + "Working on 1836\n", + "Working on 1837\n", + "Working on 1838\n", + "Working on 1839\n", + "Working on 1840\n", + "Working on 1841\n", + "Working on 1842\n", + "Working on 1843\n", + "Working on 1844\n", + "Working on 1845\n", + "Working 
on 1846\n",
+ "Working on 1847\n",
+ "Working on 1848\n",
+ "Working on 1849\n",
+ "Working on 1850\n",
+ "Working on 1851\n",
+ "Working on 1852\n",
+ "Working on 1853\n",
+ "Working on 1854\n",
+ "Working on 1855\n",
+ "Working on 1856\n",
+ "Working on 1857\n",
+ "Working on 1858\n",
+ "Working on 1859\n",
+ "Working on 1860\n",
+ "Working on 1861\n",
+ "Working on 1862\n",
+ "Working on 1863\n",
+ "Working on 1864\n",
+ "Working on 1865\n",
+ "Working on 1866\n",
+ "Working on 13\n",
+ "Working on 15\n",
+ "Working on 14\n",
+ "Working on 12\n",
+ "Working on 10\n",
+ "Working on 11\n"
+ ]
+ }
+ ],
+ "source": [
+ "import concurrent.futures\n",
+ "import threading\n",
+ "import time\n",
+ "\n",
+ "# Define a function to process a group\n",
+ "def process_group(x, groups, facts_db, model, q_a_enhance):\n",
+ " try:\n",
+ " print(\"Working on\", x)\n",
+ " group = groups[x]\n",
+ " q_a_string = \"\"\n",
+ " docs = get_at_index(group)\n",
+ " for x in docs:\n",
+ " q_a_string += \" \".join([\"Q:\", x.page_content.rstrip(\"\\n\"), \"\\n\" \"A:\", x.metadata['answer'], \"\\n\"])\n",
+ " q_a_string += \"\\n\"\n",
+ " facts_ = facts_db.similarity_search(docs[0].page_content, k=30)\n",
+ " facts_to_include = '\\n'.join([x.page_content for x in facts_])\n",
+ " prompt = q_a_enhance.format(q_a_string, facts_to_include)\n",
+ " #print(prompt)\n",
+ " \n",
+ " qs = model.predict_messages([HumanMessage(content=prompt)])\n",
+ " #print(qs.content)\n",
+ " return qs.content\n",
+ " except Exception as e:\n",
+ " print(e)\n",
+ " return None\n",
+ "\n",
+ "new_qa_pairs = []\n",
+ "remaining_groups = groups[900:]\n",
+ "\n",
+ "# Define the rate limit (in seconds per call)\n",
+ "rate_limit = 1.0 / 100 # 100 calls per second\n",
+ "\n",
+ "# Define the maximum number of concurrent tasks\n",
+ "max_concurrent_tasks = 10 # Adjust as needed\n",
+ "\n",
+ "# Create a bounded semaphore to limit concurrent tasks\n",
+ "semaphore = threading.BoundedSemaphore(max_concurrent_tasks)\n",
+ "\n",
+ "def submit_task(x):\n",
+ " with semaphore:\n",
+ " return process_group(x, remaining_groups, facts_db, model, q_a_enhance)\n",
+ "\n",
+ "with concurrent.futures.ThreadPoolExecutor() as executor:\n",
+ " # Submit the tasks to the thread pool\n",
+ " futures = [executor.submit(submit_task, x) for x in range(len(remaining_groups))]\n",
+ "\n",
+ " # Collect the results as they become available\n",
+ " for future in concurrent.futures.as_completed(futures):\n",
+ " result = future.result()\n",
+ " if result is not None:\n",
+ " new_qa_pairs.append(result)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 382,
+ "id": "2370a2f2",
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "1867"
+ ]
+ },
+ "execution_count": 382,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "len(new_qa_pairs)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "75905704",
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 3 (ipykernel)",
+ "language": "python",
+ "name": "python3"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 3
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython3",
+ "version": "3.11.4"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}
diff --git a/codeArena/codearena/codearena-2.json b/codeArena/codearena/codearena-2.json
new file mode 100644
index 0000000..ed74c8d
--- /dev/null
+++ b/codeArena/codearena/codearena-2.json
@@ -0,0 +1 @@ +["The experiment being discussed is an interesting variation of a bug-bounty, where it is time-limited and has a guaranteed pot that pays out.", "The idea of creating a page for the contest has been suggested, with the idea of listing or linking to wardens, judges, and sponsors.", "There was a suggestion to create a GitHub form for people to fill out when joining as a warden, with links to their socials, bio, and avatar.", "A new channel could be added to discuss website-related matters, but there's also an open invitation to submit pull requests with any ideas to the GitHub.", "The codebase will be accessible on February 17 at 1400 UTC (9AM EST).", "The smart contracts in discussion are real and will be deployed after being audited.", "The guidelines on how to report issues related to smart contracts can be found at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md", "More information on the slingshot finance competition can be found at the following medium article: https://medium.com/@scott_lew_is/slingshot-finance-sponsors-20-000-usdc-guaranteed-distribution-bounty-pool-for-code-432n4s-first-789514a8dc99", "There was an error in message delivery to submissions@code432n4.com because the domain code432n4.com couldn't be found.", "The procedures for disclosing issues related to smart contracts can be found at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md", "The email \"submissions@code432n4.com\" was not successfully delivered due to an error with the domain.", "Reports for the contest should be submitted at the end of the contest period.", "In case two participants submit the same bug at the end of the contest, the judging criteria for duplicate submissions can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions", "Recommended resources on Solidity include https://solidity-by-example.org/0.6 and https://docs.soliditylang.org/en/v0.7.5/", 
"Judges for the contest are chosen based on experience and reputation, and their decisions on a bounty are shared after the contest concludes.", "The judging criteria for the contest can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md", "Information on how the slingshot code executes in the overall system can be found at https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#how-it-works", "The smart contracts can be compiled and function independently of the backend.", "There was a suggestion to create a Loom video to show how to set up the environment.", "There is a request for a countdown timer for the submission deadline.", "A Loom video will be created to show how to set up the environment.", "A countdown timer may be implemented to ensure participants do not miss the submission deadline.", "There was a suggestion to add links and preferred avatars from competing participants to the home page along with the countdown.", "The stop time for submissions was noted as February 21, at 2359 UTC.", "There was a suggestion to create a leaderboard displaying the best contestants after the results of the contest.", "All participants' submissions may be made available after the contest ends, once the possible exploits have been patched.", "The focus should be on smart contracts, although suggestions on other relevant areas are welcomed.", "The Submission Policy states that submissions cannot be made more than 3 hours prior to the contest stop time.", "A suggestion was made to allow submissions at any time prior to the contest end time, with a policy of accepting only the first (or last) entry that a person/team sends.", "If participants have code that runs a proof of concept for each bug, they are considering either adding a zip file to the submission or sharing a private Github repository.", "Each proof of concept is about 50 lines long and can be run using a hardhat project.", "Users can submit code for proof of 
concepts (PoC) for each bug they find.", "The size of each PoC is around 50 lines of code.", "There are discussions about adding a zip file to a submission or sharing a private GitHub repo.", "There is a GitHub link that provides instructions on sharing vulnerability discovery PoCs: https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc", "The impact of misbehavior by the owner of the contracts should be considered during the review.", "It is suggested that projects should add a trust model description for involved roles.", "Social engineering attacks on the owner should be considered.", "Some users considered a malicious or compromised owner as out-of-scope for the game.", "The correct email for sending submissions is submissions@code423n4.com.", "Trust models for different projects, like ElasticDAO, differ", "for example, the controller/minter/burner can be trusted in ElasticDAO.", "The controller in ElasticDAO is a multisig that enacts the snapshot votes on chain.", "Gas costs on Layer 1 are being offset by snapshot voting.", "Users interested in contributing to the project are advised to consider becoming auditors, and getting there through reverse engineering, reading old audit reports etc. 
An example set of reports are available at: https://chainsecurity.com/audits/.", "Users interested in contributing can also participate in code contests as wardens.", "Sponsorship of contests was mentioned, but no specific lead time was provided.", "The project primarily targets auditors for contributions.", "Contributors can become auditors through multiple paths, one of which is reverse engineering and understanding old audit reports.", "Old audit reports can be accessed at https://chainsecurity.com/audits/.", "Code contests are recommended for those who want to start contributing.", "The lead time for sponsoring a contest is not explicitly defined, but it's suggested to be not long.", "The source code for Maple Finance is discussed in the context of participation as a warden.", "HEVM tests for the maple-core repo are set to use 100 fuzz runs, which could take hours for first-time test runs. It is recommended to use 1 fuzz run for the first test and increase to 10-100 fuzz runs for subsequent local tests.", "The results of previous competitions, both findings and awards, can be found on CodeArena's website.", "The ElasticDAO report is publicly available at https://ipfs.io/ipfs/QmU7JQUCuciGJ9EVApWnPvBCy32eYQnREDFGsxoyDR6w3j", "The cumulative results from the first two contests can be viewed on the leaderboard at https://code423n4.com/leaderboard/.", "The announcement of public results and findings is made in the #announcements channel.", "To contribute as a warden, one must register by joining the #\ud83d\udc3ai-want-to-be-a-warden channel.", "A team can be registered by creating a team handle, as demonstrated here: https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json", "Team handles can be created by dropping a PR and using the team handle when submitting issues.", "Teams can submit their issues through a PR and add their team handles when reporting issues.", "For the maple-core repository, the submodules don't update via public git 
due to 'Permission denied (publickey)' issue.", "For Maple submissions, the recommended channel is https://c4-maple.netlify.app/, not through email.", "Handles can be added to the code423n4.com repository, and it can be any handle, not just Github or Gab. This handle is used for code423n4.com/leaderboard and handling award processing.", "A team request can be submitted at https://github.com/code-423n4/code423n4.com/pull/28 and that is all that's needed to add the team.", "The repository for Vader protocol can be found at https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol.", "Mathematical formula for syntheticAssets can be found at https://github.com/code-423n4/2021-04-vader/commit/3041f20c920821b89d01f652867d5207d18c8703.", "There are a good number of wardens competing for the Vader protocol bounty.", "Updates on past project results are being worked on and should be up soon.", "Marginswap awards and results will be announced soon, while Maple is currently going through sponsor review prior to judging.", "For any questions around the Vader protocol, DMs can be sent to @strictly-scarce.", "Latest updates for Vader protocol, including mathematical formulas of synths, have been posted at https://github.com/code-423n4/2021-04-vader.", "Marginswap awards will be sent out and results announced the day after the chat.", "Maple has just started their sponsor review, after which judging will take place.", "Questions and updates regarding the Vader protocol can be found at https://github.com/code-423n4/2021-04-vader.", "An old and incorrect version of Vether.sol was added to the Vader repository. The correct code that was deployed on the mainnet is available at https://etherscan.io/address/0x4Ba6dDd7b89ed838FEd25d208D4f644106E34279#code. 
The incorrect testing contract is available at https://github.com/code-423n4/2021-04-vader/blob/main/vader-protocol/contracts/Vether.sol.", "Any other contracts in the Vader repository at https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol/contracts are classified as applicable for testing.", "In the context of the contest, evaluations are performed on the submitted repository assuming it is complete. Findings that highlight the security impact of missing functionality will be considered.", "The missing logic, as outlined in the README of https://github.com/code-423n4/2021-04-vader#known-deviations-from-spec, is outside the scope of the review.", "Some users experienced a 404 error when trying to access https://github.com/code-423n4/2021-04-redacted, but this issue was later resolved.", "VETH is a fair launch distribution mechanism for VADER, a liquidity protocol. Further explanation and information can be found at https://linktr.ee/VaderProtocol.", "Backlog exists in updating new pulls from individuals and teams in handles. 
The handles are currently used only for the leaderboard.", "The pull request at https://github.com/heiho1/code423n4.com/pulls was confirmed to have been merged.", "There is a query about the scope of review for Visor Finance contracts.", "New pulls from individuals and teams will be updated in handles, but there's a bit of a backlog of dependencies before that action can be taken.", "Handles are only for the leaderboard.", "The leaderboard will be updated once several of the process pieces have been glued together.", "Merged PRs can be seen at https://github.com/heiho1/code423n4.com/pulls.", "For Visor finance, only the Visor.sol contract should be reviewed.", "Questions related to FairSide can be sent via DM.", "Gas optimizations and better definition of the formula are eligible for the contest.", "There is no dedicated pot for gas optimizations.", "Formula optimizations may result in a medium to high \"share\" allocation depending on the type of optimizations found.", "A whitepaper providing more background to the technical implementation was pushed to the C4 GitHub repository under /docs.", "There is a video explaining the main contracts in the Vault at https://youtu.be/D-hSiGeNpuY.", "A sample script to deploy and set up Yield v2 has been shared.", "Questions about Yield v2 and its code can be asked in private.", "For the competition, there were approximately 36 hours remaining at a certain point.", "Users can privately ask questions and receive guidance on more fragile aspects of the system.", "An explanation of how users interact with Yield v2 was shared in the chat instead of through a video.", "The wardens are advised to assess the severity of the issues based on guidelines mentioned at https://code423n4.com/judging-criteria/.", "There's a concern that no explorations of exploits involving a batch with several actions have been made.", "Handle registration is mandatory to submit something.", "A grace period on submissions is provided.", "The self-assessment 
of risk is taken into consideration, with the final determination of severity made by a judge, and this can impact award levels.", "A user's credibility is a consideration, and a strategy of rating everything as high risk is discouraged.", "An issue brought up in the chat is reviewed and merged on GitHub, the link to which is https://github.com/code-423n4/code423n4.com/pull/62.", "The group runs week-long contests each week.", "Upcoming audit contests are listed on the website, code423n4.com, which includes Reality Cards starting in about 11 hours and Pool Together starting the following week.", "An introduction of Reality Cards and its upcoming bug bounty is mentioned.", "Enquiries about users' experiences with C4 are being made as part of the warden outreach.", "Upcoming audit contests are listed on the CodeArena website: code423n4.com.", "Proposals have been made to pin key information to specific channels to help newcomers find necessary information.", "Co-founders and engineers from different projects like Reality Cards and Pool Together are present and available for communication about the bug bounty and their respective projects.", "Specific contact points have been established for questions about the Reality Cards code.", "Personal contact and direct messaging has been encouraged for specific questions.", "Co-founders and representatives from other projects like Lion's Mane, Tracer DAO, and Gro are present and available for communication.", "A suggestion was made to register as a warden in order to access the contest preview channel.", "A clarification was sought about where to find detailed information about exploit smart contracts and flash loans.", "There is a video walkthrough for the Connext flash contest at this link: https://youtu.be/ABEOIKzEshA", "A participant asked for clarification about InvariantTransactionData.transactionId, which is used in cross-chain transfers and is not just a counter but a unique identifier.", "Open discussions are 
encouraged for general/broad questions about the Spartan Protocol contest.", "The Sherlock contest had not received results from their Quantstamp audit at the time of the chat.", "A unique identifier for the crosschain transfer is used, not a counter. The router uses a subgraph so the \u2018transactionId-user-router\u2019 combo should always be unique.", "There is a Spartan Protocol contest ongoing, and participants can ask questions directly or in the open discussion.", "For the Sherlock contest, an advisor to the protocol will not be participating allowing more opportunity for other participants. The protocol is technically unaudited since the results of the Quantstamp audit are not back yet.", "There is a micro-audit for PoolTogether starting, with Brendan as the point of contact. The repo for this is: https://github.com/code-423n4/2021-07-pooltogether.", "There are two contracts in scope for the PoolTogether audit, linked in the README of the mentioned repo.", "There was confusion around tests and peripheral code such as interfaces in the last audit. 
These pieces were lost because they are in separate repos.", "There is a question about how vulnerabilities are handled if reported by multiple people.", "There is a query about whether some wardens act as teams, with a leaderboard mentioned at https://code423n4.com/leaderboard/.", "For new wardens to team up and collaborate, they can go to the #\u26bdteam-formation channel.", "Forming a team means awards are not split at a decaying level.", "The difference between low/med/high risk finds is explained at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr.", "An independent judge with deep solidity knowledge makes the final determination of severity.", "Beginner solidity developers are encouraged to participate in the competition.", "The float capital $50k audit contest is forthcoming, with well-documented code, a synthetic asset protocol, video walkthroughs, and the team available for questions. The repo for this is: https://github.com/code-423n4/2021-08-floatcapital.", "Resources for beginners who want to start smart contract bug bounty hunting include https://cryptozombies.io/ for solidity and https://capturetheether.com/ for Capture the Flag challenges.", "An OpenZeppelin webinar on governance mechanisms and best practices is being watched, with their first video in the series linked: https://youtu.be/6GaCt_lM_ak.", "CryptoZombies.io and CaptureTheEther.com are recommended resources for beginners to learn about smart contracts and solidity.", "There is a reminder that all relevant information for the audit can be found at https://github.com/code-423n4/2021-08-floatcapital.", "Videos explaining the smart contracts are being added to a playlist and the team is always available to answer questions.", "OpenZeppelin webinars are considered useful for auditors; the first video in their series is at https://youtu.be/6GaCt_lM_ak.", "The amount of time it takes to learn the basics and start finding bugs in smart contracts depends greatly on 
individual's prior experience and learning capabilities.", "Certain files like \"FloatCapital_v0.sol\", \"Treasury_v0.sol\" and \"oracles/\" are not in the scope for the bounty program.", "A video explaining the SyntheticToken contract has been added to the youtube playlist, the link being https://www.youtube.com/playlist?list=PL7RT-0ybd7joiqKeGklvFxcc8dNWpPBCk.", "The bugs found during the competition are kept confidential until the contest is over and the judging process has been completed. The incentive system and rewards information are available at https://docs.code4rena.com.", "There were at least 2 bugs still to be found at a certain point during the audit process.", "The walkthrough videos have been appreciated by some users for their informative nature.", "The float community has a Discord channel, which can be joined via the link https://discord.gg/5WHvfHeSwr.", "The audit contest had a duration and it was followed by a submission review period.", "The full process of participating in the audit, even if not successful in finding bugs, has been considered a good learning opportunity by some users.", "There is an ongoing audit contest with a prize of $50k.", "Two big bugs have been discovered in the audit contest.", "A Discord server has been set up with individual channels for each contest for questions, code walkthroughs, etc.", "CodeArena has a comparison between bug bounties and C4 audit contests on their documentation page, which can be found at https://docs.code4rena.com/.", "The judging for a competition concerning gravity bridge hasn't ended and the payout is expected to happen two weeks from the time of the chat.", "Participants in the audit contests are referred to as \"wardens\".", "New participants are encouraged to look at the findings of other wardens once the findings repository becomes public.", "There are discussions about the difficulty of setting up certain contract environments with limited documentation, no test cases, and no deployment 
scripts.", "Some participants suggest running tests in the existing test environment or writing new test cases, instead of setting up full environments. If there's no test setup in the C4 repo, some suggest checking the sponsor's GitHub for a potential test setup or pulling out the code to test it in isolation.", "Participants are called to join the float community via a Discord link: https://discord.gg/5WHvfHeSwr", "There are discussions concerning difficulties with code compilation and requests for technical help on the Discord server.", "Submissions are made through GitHub and require approval, as mentioned in the context of a warden's individual registration.", "New contest channels were created on the Discord server, and each contest will have its own channel for questions and code walkthroughs.", "There are discussions about the nature of CodeArena's operations, with a user asking if it operates similarly to a bug bounty platform where prize pools and fees are defined upfront.", "Setting up the environment for contest repositories can be time-consuming due to multiple interrelated contracts and limited documentation.", "Experienced auditors sometimes use the test environment in the repository to confirm code functionalities.", "Some auditors write new test cases or use existing ones to test the code in the test environment.", "If there is no test environment in the repository, some auditors create their own tests or isolate parts of the code for testing.", "The tool eth-brownie can be useful for mocking contract deployments.", "The audit report for the Yaxis project will take longer to be released due to a high participation rate and numerous submissions to review.", "Rinkeby testnet tokens can be obtained from a faucet, link provided is https://faucet.rinkeby.io.", "Reports from contests can be withdrawn, and this process is described in the CodeArena documentation.", "Findings from bug hunts can be submitted and examples of past submissions can be found at 
https://code423n4.com/reports.", "CodeArena contest results are usually announced a couple of weeks after the contest ends.", "Changes to the severity of reported bugs after a contest ends can be passed on to the judge through designated contact points.", "All past submissions can also be found in any repository ending with -findings on the CodeArena GitHub: https://github.com/code-423n4", "A number of new contests are expected to take place in the coming month.", "There are many competitions expected in the next month.", "Users can alter the severity of reported bugs after the closing time of the contest either through the PR or by contacting one of the judges.", "There is an indication of a bug in a vault as referenced by this link: https://etherscan.io/address/0x9705e8807aae04c7dc0967da9cab8af65d2f2135", "The report for the Yaxis audit is being worked on, with the sponsors having the final say on the publication timing to allow them sufficient time to mitigate issues.", "The average turnaround time from audit competition to release of reports is about a month, and efforts are being made to decrease this time.", "Users can be added to specific rooms on request.", "The Overlay Protocol contest has been delayed to start on 11/16 at midnight UTC.", "If the same vulnerability is found in multiple different components of the codebase, it might count as two separate findings, but it's ultimately the judge's call to determine if they're duplicates.", "Awards are distributed based on individual issues, so multiple items in one submission count as one submission.", "Code for contest findings can be formatted using markdown, with code blocks surrounded by ``` on either side.", "Non-critical findings do not share in the award pot.", "The current focus is on high/med/low severity vulnerabilities and gas optimizations, and there's no direct incentive to report non-critical findings.", "Suggestions for project improvements can be left in the non-critical findings section.", 
"Users find it helpful to create issues in Notion, format them, and copy-paste the formatted text when submitting, as it maintains the necessary markdown formatting.", "Non-critical findings do not have a share in the reward pot.", "Currently, there's no intentional incentive for reporting QA type of submissions, as sponsors are interested in high/medium/low severity vulnerabilities and gas optimizations.", "Users often report non-critical findings out of goodwill, despite there being no official incentive.", "The platform is considering adding the severity of bugs to the emails sent out after issue submission.", "Users experience issues with the project names starting with a year when using Brownie as it requires project names to start with an alphabetical character. This is detailed in the link: https://github.com/eth-brownie/brownie/blob/0fa4477a178bd55b6683f60d077b7060df02b2c5/brownie/project/main.py#L740", "Users are interested in adding position numbers to the leaderboard and a Low column.", "Potential improvements to the leaderboard being considered include: a) having different timelines (all-time, last 3 months, etc.), b) adding badges for various achievements (being a hero at gas optimizations, repeat appearances as MVP, etc.), and c) introducing leaderboard seasons, where each season lasts a certain period (for example, a year), and at the end of the season, everyone on the leaderboard gets an NFT with the rank, earnings, and a design.", "It is suggested that a season could end when somebody hits a certain earning target, making each season a race.", "There is a suggestion for having seasons for the leaderboard that could last 4 months or 6 months.", "At the end of the season, everyone on the leaderboard could potentially receive an NFT for that season, which includes metadata of their rank and money made.", "There is an option to end the season when somebody hits a certain dollar target.", "There is a suggestion to include the average percentage of pool 
awarded as a metric, as not everyone participates in every contest due to various reasons such as time commitments or preferences for the scope of contests.", "The awarding process of the bug bounty is perceived as difficult to understand.", "The risk estimation process for bug bounty is described in detail in the website docs, which ranges from non-critical to high risk.", "Information about the incentive model and awards can be found at https://docs.code4rena.com/#incentive-model-and-awards.", "A suggestion box was established for users to share ideas on how to improve the website, leaderboard systems, contest processes, and Discord setup.", "Users can update their submissions by direct messaging certain identified individuals.", "The awards for a particular contest (Fairside) are expected to be announced the next week.", "The audit reports for contests are published after the stages of contest finish, sponsor reviews, judging, and awarding are completed. The process could take from 2 weeks to over 6 weeks.", "The streaming protocol contest was postponed and will be starting on 11/30.", "Fairside awards are expected to be announced the following week from the date of the chat.", "Audit reports for recent competitions are typically published after contests finish, sponsor reviews, judging, awarding, and reporting.", "The process of getting awards and reports out can take less than a week once sponsor review and judging are done.", "The time taken for sponsor reviews and judging can vary, sometimes taking as long as six weeks.", "The C4 team is continually working on improving their tools and procedures to speed up these steps.", "There are guidelines on how to register for Warden at https://docs.code4rena.com/roles/wardens.", "Warden registration needs to be fully completed before the handle will appear on the leaderboard.", "Findings might be credited to the wrong person if you use someone else's handle.", "There were issues with some users not receiving email 
receipts for their contest findings.", "The interruption in email receipts might have been caused by an incident on Github, as stated here https://www.githubstatus.com/incidents/r5qrpp2f5fc0.", "Issues can be browsed on https://code4rena.com/reports and each issue provides a link to the relevant Github issue.", "\"gov-wg\" is a Working Group set up to establish a DAO structure.", "There were issues with an individual receiving emails from CodeArena as they were flagged as spam.", "An individual has used the same email address for months with CodeArena and decided to switch to a Gmail address.", "A user asked about the term \"gov-wg\", which was clarified as a Working Group to set up a DAO structure.", "There was a discussion about a submission that was marked as disputed on GitHub. The link to the disputed submission is: https://github.com/code-423n4/2021-10-slingshot-findings/issues/21", "Another link was provided to an accepted submission that supposedly showed the same issue: https://github.com/code-423n4/2021-10-slingshot-findings/issues/82", "There was a question about a contest for streaming protocol, with the contract details provided on the contest page: https://code4rena.com/contests/2021-11-streaming-protocol-contest", "In the repository mentioned in the contest, https://github.com/code-423n4/2021-11-streaming/tree/main/Streaming/src, only Locke and LockeERC20 appear.", "A user questioned how screenshots could be added to the vulnerability report.", "It was clarified that images could be embedded in the report using Markdown.", "A method was suggested for embedding images: creating an issue on a private repo, dropping images there, and grabbing the markdown snippet with the CDN URL.", "An individual asked about the judgment criteria for gas optimizations and their importance.", "It was clarified that gas optimizations are awarded from a separate award pool specified on the C4 website and each contest's page.", "An example was given of a contest that had a 
$67,500 USDC main award pot and a $7,500 USDC gas optimization award pot.", "The method of award calculation for gas optimizations is outlined in the documentation: https://docs.code4rena.com/#incentive-model-and-awards", "All valid findings for gas optimizations are weighted the same.", "There was a question about contacting the streams' protocol team for clarification.", "The best option to reach out for clarification was suggested to be the contest channel in Discord.", "Users can contact someone on the streams' protocol team for clarification.", "To access the contest channels, users need the warden role, which can be obtained by filling the form on the website.", "There is a process to deal with a source code leak, including the possibility of forking a project and deploying the same code, though users are unlikely to interact with it unless the team endorses it.", "Most people use Slither to generate output.", "There is an incentive for wardens to submit non-critical vulnerabilities as it benefits the sponsor, despite non-critical vulnerabilities not being considered for awards.", "If two separate vulnerabilities can be combined to create a more powerful one, users can submit a third finding explaining the proof of concept.", "Once a finding is submitted for a contest, users should expect a mail copy of the form as the only confirmation.", "Warden resources seem to be geared towards solidity tutorials, with a query about the availability of Cosmos-related learning resources.", "Regardless of wallet settings, funds will be sent to the user's address and the user controls the key to that address. 
To move the funds, users need to send a transaction on polygon.", "Users can monitor their address on the polygon network at https://polygonscan.com/address/.", "To move funds back to the mainnet, users can use the polygon bridge https://wallet.polygon.technology/.", "In a findings report, adding a link that points to the sponsor's GitHub repo code does not automatically pull in that code snippet to the report.", "A small prize of USDC was won by a participant, with the announcement made on December 6th for Badgerdao ibBTC. This payment will be made on the Polygon network.", "Metamask can show the tokens in the address when swapping networks to Polygon, and if not, they can be manually added.", "Tokens can be monitored on https://polygonscan.com/address/ and funds can be moved back to the mainnet using the polygon bridge https://wallet.polygon.technology/.", "A question was raised about whether adding a link to a sponsor's Github repo code in a findings report would automatically pull in that code snippet to the report. The answer provided indicated this does not happen automatically.", "There was a query about other options to submit findings, outside of the form on the website, as the person was waiting for warden verification.", "A participant placed 2nd in the nested finance audit contest and was waiting for the award to be sent to their MetaMask wallet.", "It was clarified that the funds for the nested finance audit contest would be sent out on a specified Monday or Tuesday.", "A query was raised about not having received an award from Fairside. The respondent mentioned that awards are distributed on the Polygon network.", "A misunderstanding was clarified regarding the distribution of awards for the most recent Fairside contest \u2013 they had not been distributed yet.", "The reward distribution after a competition was discussed, with a participant asking if they should expect rewards two months after the end of the competition. 
The response indicated that this was a worse-case scenario, and that reducing turnaround times is a high priority.", "A question was raised about successfully calling a certain function for the Amun project.", "A participant had a missing permission issue and was advised to register as a warden.", "The chat participants discuss the possibility to consult with project team members who are listed in a specific discord channel.", "To have permission to a specific channel, one has to register as a warden.", "There were issues with the submission form that replaced the page with a purple screen when a dropdown was clicked.", "The issue with the submission form was acknowledged and subsequently fixed.", "The participants discuss the address for Ethereum mainnet and smart contract wallets like Gnosis and Argent.", "The findings from the contest are confirmed and discussed after the contest ends.", "There's a debate about whether \"missing 0 address check\" is a valid finding with reference to https://github.com/code-423n4/2021-10-badgerdao-findings/issues/5", "Issues from the Fei project are not public at the time of this chat; they will be compiled in a report and shared later.", "There are discussions about what is considered a privilege escalation.", "The participants discuss the practice of taking a \"snapshot\" of OpenZeppelin contracts instead of using them directly from the npm repository. 
It is suggested this may be done to allow for necessary changes to external contracts to suit project requirements.", "Tools for comparing differences between contracts are discussed.", "Users in the chat discuss the strategy of flagging common issues as non-critical or informational, indicating a need for a list of such issues.", "A user new to audits recognizes that some contracts they're reviewing seem to be \"snapshots\" of OpenZeppelin (OZ) contracts, and inquires why this is the case.", "One reason to include code by directly importing instead of using an npm package is to allow for necessary changes to the external contracts to better suit project requirements.", "It is common for projects to copy and paste OpenZeppelin source code into their repositories instead of using the npm library.", "Auditors can use a diff command to spot differences between two contracts.", "Each issue submitted in a contest is evaluated strictly based on what was submitted, and judges do not have the capability to \"multiply\" an issue.", "A GitHub template for submissions exists, but it's outdated and not updated anymore and users are advised to submit findings using the \"Submit finding\" button of the specific contest on the main page, each finding separately. 
The link to the old template is: https://github.com/code-423n4/code-contests/blob/4db2720312f0958f2e89f6207a6774c9e5360655/SUBMISSION_TEMPLATE.md", "Users are referred to OpenZeppelin's documentation at: https://docs.openzeppelin.com/contracts/4.x/wizard", "Participants are reminded to familiarize themselves with the submission policy and judging criteria prior to participating, as outlined in the docs at: https://docs.code4rena.com/roles/wardens", "It's advised to create different issues for different optimizations, as single issues will be judged as a single one.", "A question is raised about what happens if two people are part of a team and they find the same issue but submit it with different wallets.", "Participants are advised to create different issues for different optimizations in smart contracts.", "If two people submit the same issue using the same warden but different wallets, each person gets less than half of the reward. More on the incentive model and awards can be found at https://docs.code4rena.com/#incentive-model-and-awards.", "There was a delay in the distribution of awards for the Nested Finance audit contest.", "A user's question about whether they should receive an email if an issue they submitted is valid or not was answered affirmatively. The user should receive an email about their submission, whether it is valid or not.", "The process after a contest is completed includes Sponsor Review, Judging, Awarding, and then Reporting. The final published report allows participants to see the results of their submissions.", "An AMM project on Algorand Blockchain was looking to create a contest for auditing their updated code. 
This project is already undergoing an official auditing process with two companies, but they wanted to start an additional initiative.", "The Livepeer contest is upcoming and a link to the contest was provided: https://code4rena.com/contests/2022-01-livepeer-contest.", "A user had a question about whether they can create a proposal, but the question was not answered in the provided chat excerpt.", "A user inquired about the address of the C4 token, but the question was not answered in the provided chat excerpt.", "The Livepeer contest page can be found at https://code4rena.com/contests/2022-01-livepeer-contest. The contest opens in 2 days + ~8 hours.", "A proposal can be created with (or by delegating) 50k tokens for an on-chain proposal.", "The address of the C4 token is 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222.", "Twitter handle and profile picture can be attached to a Codearena profile by following the instructions at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles and making a pull request for the user's handle.", "Changing the handle itself is currently not advised as it may cause issues with past/ongoing contests.", "The process of verifying changes to user handles involves creating a signed message on mycrypto.com and adding the json to the PR using a wallet address that has been used in a contest. 
The link for creating signed messages is: https://app.mycrypto.com/sign-message", "There's a resource on where to buy Matic on Discord at the following link: https://discord.com/channels/810916927919620096/824698635815223316/915880736664461322", "A problem was reported with receiving an award from Mellow Protocol via Metamask with Polygon mainnet.", "Solidity questions can be asked on the platform.", "There are differences in the measures of lines of code in a Solidity contract when using Solidity Coverage (https://www.npmjs.com/package/solidity-coverage) and Solidity Metrics nSLOC (https://github.com/ConsenSys/solidity-metrics).", "The Past Contest Status Updates are listed as a timeline.", "The contests are processed in a specific order, which represents the order of contest progression.", "The reward wallet address can be updated or confirmed.", "Awards are generally paid in the same week they are announced.", "The team aims to process awards much faster and has a goal to process a list of awards by the end of the week.", "The \"Past Contest Status Updates\" section provides a timeline of where contests are currently in the process.", "The order in the \"Past Contest Status Updates\" represents the progression of the contest.", "Rewards are generally aimed to be paid out in the same week they are announced.", "The team is aiming to process and distribute multiple contest rewards by the end of a specified week.", "Participants need to review and make a pull request for their handle at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles to participate in contests.", "Participants can direct message (DM) someone from Code4rena with questions.", "It is possible to change the wallet address to which tokens are received, but it is a significant effort to manage and not centrally stored.", "Due to the complexity of changing wallet addresses, participants are requested to DM only if the change is extremely important (like the old wallet was hacked).", 
"Teams generally get a few contracts reviewed or entire protocols.", "Reward distribution is planned to be completed by the weekend and likely to go out the next week.", "Participants are recommended to receive an email confirmation for each submission, which should arrive within a few minutes.", "The email confirmation of submission does not include the Ethereum address provided by the participant.", "Judges and sponsors appreciate when similar submission issues are grouped together.", "There was a potential scam alert raised.", "There was an issue with yahoo and hotmail regarding spam.", "There is a recommendation to ensure participants receive email confirmation of each submission.", "Some participants reported not receiving confirmation emails due to them landing in the spam folder.", "Rewards for submissions could be paid partially, or fully.", "Participants raised a concern about the mismatch between the number of lines of code (LOC) mentioned in the README.md and the actual lines in the contract files. The Sherlock finance's repo, where this discrepancy was noticed, is at https://github.com/code-423n4/2022-01-sherlock.", "There was a suggestion to standardize LOCs across different contests to avoid confusion on how LOC is determined.", "Currently, findings of a contest cannot be viewed after it finishes but before the results are published.", "If multiple participants report the same vulnerability but with different severities, they are given the same severity for award calculation.", "When a submission to a contest is not rewarded, there's a process to review why the submission was not accepted once the report is out and the repo is fully opened.", "The leaderboard was reported to not have the Sublime contest, and a response mentioned that it's being worked on.", "If wardens report the same vulnerability but with different severities, they are given the same severity for award calculation. 
This is due to the deduplication process and the judging/determining severity that happens afterward.", "When a submission to a contest is made but not rewarded, participants can review why their submission was not accepted once the report is out and the repository is fully opened. This allows them to see the discussion among sponsors and judges on the specific issue.", "The order of reported issues doesn't necessarily go according to submission time. The judges pick the primary issue based on the best write-up rather than the order of submission. This practice has been considered for incentivization to encourage high-quality submissions.", "Judges have the authority to mark an issue to have a higher or lower risk than the proposed risk by wardens if they deem it necessary.", "Duplicate submissions of the same vulnerability are subject to some sybil resistance. Each instance is awarded a share of one point depending on the number of duplicates.", "If a warden receives rewards both individually and as part of a team, the team and the individual will appear separately on the leaderboard.", "If no medium or high vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve. This situation is considered a rarity as there have only been a few contests without high vulnerabilities and no contests without a medium vulnerability. An example of a contest with only low vulnerabilities is provided at https://code4rena.com/reports/2021-11-fei.", "An individual's name can appear twice on the leaderboard, once individually and once as part of their team.", "In case no Medium/High vulnerabilities are found in the smart contracts, remaining contest funds will be divided based on the Quality Assurance (QA) report curve.", "In the case of a low-impact QA report potentially becoming a high-impact report, the report could be upgraded. 
However, part of the auditing process involves demonstrating an understanding of how an issue could be exploited. Without such understanding, the job is considered only half-done.", "Non-critical and low severity findings of a given auditor are consolidated into a single QA report.", "The DAO constitution prioritizes actions without a vote, with the DAO voting to delegate responsibility for running contests.", "The definition of actions that need to be delegated to the corporation and those requiring voting can be found in a forum post: https://forum.code4rena.com/t/c4ip-1-2-3-4-5-constitution-dao-bootstrapping-reimbursements-token-sale/93", "Typically, findings repositories are not made public when the awards are published since the sponsor generally has not completed their mitigation work by that time.", "Some of the audited projects are deployed while some are not.", "The prize pool for a contest was adjusted to account for an increase in the judging fee.", "The adjustment of the prize pool was discussed in the wardens channel and was necessary to clear out lagging contests in the backlog due to overwhelming levels of issues and limited judge availability.", "There was a recent contest that was challenging for the judges due to its complexity.", "The increase in issues on some contests and limited judge availability lead to a backlog.", "The administrators had to increase offers for judging compensation for a time to clear out lagging contests from the backlog.", "Discussions about these matters were held in the wardens channel.", "New submission mechanism is slated for implementation in upcoming contests.", "In cases when GitHub failed to take in issues in the past, it has rejected submissions via the API, which has resulted in failed submission.", "During a recent GitHub outage, several submissions were received successfully in the beholder repository.", "As a beginner in the space of smart contract auditing, one can start learning from resources such as 
https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources.", "Constants are generally cheaper than immutable variables as constants are calculated and filled in at compile time whereas immutable variables are read-only state variables.", "However, there are cases in which immutable cost less gas than constants, as seen in an example from https://github.com/code-423n4/2021-11-overlay-findings/issues/111.", "The cost of reading the entire bytecode of a contract is constant.", "A user can request for a submission to be withdrawn by directly messaging an administrator.", "It was once true that immutable costs less gas than constants but as of July 2020, this is no longer the case. This information can be supported by this Twitter discussion: https://twitter.com/GalloDaSballo/status/1476925462010122245", "Immutable vs constant have no difference in cost nor in bytecode, but small demos show minor differences.", "For details on the gas cost for constant and immutable, refer to https://ethereum.stackexchange.com/questions/118547/is-the-gas-cost-for-constant-and-immutable-about-equal.", "Users can directly message moderators to withdraw a submission.", "It was questioned whether XDEFI had sent their rewards.", "An explanation was given on what it means that the rewards are allocated on a curve, using the metaphor of a bell curve in grading homework/exams.", "The method for distributing awards on a curve will be designed after observing the scoring of initial contests.", "The concept of distributing a cash prize over a bell curve with different tiers of quality was discussed.", "Trading callbacks in solidity can be activated by several methods, including safeTransferFrom onERC721Received, onERC1155Received of ERC1155 and tokensReceived tokensToSend of ERC777.", "In theory, a low report could be increased to medium by judges, supported by 
https://discord.com/channels/810916927919620096/810931711609143326/938133534982406144.", "The completion of NFTX findings was in question.", "If a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week.", "The potential for the user to lose funds if an admin is involved in a procedure was discussed, suggesting it could be considered high risk.", "Separate pools for different reports will be announced to distinguish the reward for each pool.", "Users were experiencing errors when making submission, suggesting a potential size limit on submissions.", "Admins can be incentivized to lock tokens permanently in cyberspace to reduce the number of tradable tokens in the market and increase their price.", "The admin is typically a governance framework.", "Separate pools for different reports will have distinct announcements for each reward.", "User submissions may face issues due to possible API limitations.", "QA and gas reports can be sent via email to report@code4rena.com if there are issues with the online submission.", "Investigations will be made into the report limitation issue.", "Low and non-critical reports and gas optimizations for the Badger Citadel should be submitted through the same form.", "If there are issues with the email confirmation of submissions, checking the spam folder is recommended.", "Cosmos, a blockchain network for competitions, uses the Rust programming language.", "A link providing information about Cosmos: https://academy.terra.money/courses/cosmwasm-smart-contracts-i", "Another link with information about Cosmos: https://github.com/Anchor-Protocol", "Smart contracts can be audited, and this includes products built on Polygon.", "The role of a minter or a burner is a subject of discussion.", "The chat includes a discussion on whether competitions are on an EVM compatible chain and if contracts will be in Solidity.", "Additional information related to Cosmos was shared via two 
links: https://academy.terra.money/courses/cosmwasm-smart-contracts-i and https://github.com/Anchor-Protocol", "There is mention of a product being built on Polygon that requires smart contracts auditing.", "A question about the role of a minter or burner in smart contracts was raised.", "It is mentioned that risk categories could potentially change for non-defi protocols.", "Judges made assessments on non-defi protocols in the past.", "The severity of an attack made by the governance was questioned, and the response indicates that it depends on the judge and that governance is usually assumed to be a trusted party.", "There is an inconsistency noted in judgments, which can be reported at https://GitHub.com/code-423n4/rulebook/issues", "Links to two issues on GitHub related to Livepeer findings were shared: https://github.com/code-423n4/2022-01-livepeer-findings/issues/193 and https://github.com/code-423n4/2022-01-livepeer-findings/issues/195", "The Amun reward was confirmed to have been sent.", "A question was raised about the tools used to find vulnerabilities and bugs in smart contracts.", "A personal approach to navigating multiple smart contracts files was shared: starting with libraries and interfaces that have the least dependencies.", "Information on how to access reports on past competitions was provided: https://code4rena.com/reports", "It was confirmed that past contest reports reveal vulnerabilities, and they can be used for learning purposes.", "The leaderboard link was shared, which gives a sense of what wardens are earning: https://code4rena.com/leaderboard/", "There is a need for participants to register their handle and ETH address to receive their share.", "Reports from past contests are available at https://code4rena.com/reports", "The leaderboard that provides information about what wardens are earning can be found at https://code4rena.com/leaderboard/", "Users need to register their handle and Ethereum (ETH) address to receive their share.", 
"The submission form for each contest includes a field for users' wallet addresses.", "Code4rena conducts audit contests that are somewhat similar to bug bounty programs.", "More information about audit contests by Code4rena can be found at https://docs.code4rena.com/", "Code4rena charges a fee beyond the bounty for auditing.", "There are discussions about gas and contract-size optimization awards in the context of Ethereum transactions.", "Some participants are discussing the approach to handling upgradeable contract findings in case of medium-risk vulnerabilities.", "There's a new Help Desk at Code4rena to support the growing community and respond to requests efficiently. The Help Desk form can be accessed at https://code4rena.com/help", "The system does not support splitting of payments between multiple ETH addresses for a vulnerability submitted by a team. The best option is to use a multisig.", "Users can check whether their submissions were accepted at https://code4rena.com/reports", "Code4rena has worked with various protocols, however, the specific protocols are not mentioned in the chat. Differences between Code4rena and other entities like Omniscia or Trail of Bits are also being explored in the discussion.", "There is a suggestion for implementing a feature that would be beneficial for teams, though it is not specified what this feature is.", "Results of submissions are posted at https://code4rena.com/reports/ after the entire process is complete.", "Code4Arena has worked with several protocols, details of which can be found at https://code4rena.com/contests.", "Code4Arena uses a process that consistently finds more bugs faster than other methods. 
\"More auditors, more findings\" is a highlighted mantra, as mentioned by Quantstamp's Sebastian Banescu in the talk https://www.youtube.com/watch?v=O1rKwDv5kLQ", "There is no technical limit to the number of members that can be part of a team.", "There may be a requirement to participate in a certain number of contests and have a certain number of valid findings or reports to be a certified warden.", "There is a suggestion for a two-tier system for access to code", "one for those who provide ID (access to everything) and one for those who don't (access to non-deployed code). The purpose of providing ID is not solely to punish exploits applied to deployed code.", "Questions should ideally be asked on the forum post itself because chat is ephemeral.", "Awards are aimed to be sent within 1-2 weeks after they are announced.", "If the same vulnerability is reported by multiple wardens, they each get the same share.", "There are pending awards for LPT tokens and NFTX.", "If a platform uses Code4Arena to audit their code and no critical or minor vulnerabilities are found, it is not specified what the cost would be.", "LPT tokens and NFTX awards are pending.", "If a platform uses Code4Arena to audit their code and it comes back with no critical or minor vulnerabilities, the cost is not pre-determined but would be handled on a case by case basis.", "The usual process for bounty distribution is that it is split among those who find bugs.", "There is a possibility that a contest could run with zero valid submissions, although this has not happened yet.", "There have been instances of receiving an error message when attempting to submit a form. If a gas report is larger than ~65k characters, it can't be submitted through the form due to Github's max character limit for issue descriptions. In such cases, the submission can be emailed to submissions@code423n4.com.", "There are several contests pending and some have been fully judged but awards still need to be calculated. 
Changes to the award calculation process are currently underway.", "There have been some difficulties when trying to submit a request via a support request form. In case of persisting issues, requests can be forwarded to submissions@code4rena.com.", "It was not specified which chains are accepted for payment from the sponsor side, whether just ETH L1 or other alt L1s/L2s.", "Mobile users may experience difficulty in performing tasks, such as viewing the console.", "If there are issues with performing tasks via mobile, users can send requests to submissions@code4rena.com for assistance.", "The support team responds to user requests and may send friend requests to sort out the issues.", "ETH or Polygon are accepted for EVM league contests, Cosmos for Cosmos contests.", "Some users experienced errors when submitting help requests.", "Users are advised to unblock captcha in their browsers when experiencing errors in submissions.", "There were reported issues with GitHub which affected the contest submission form.", "As a result of the GitHub issues, the Rolla contest was extended by 24 hours [Link](https://discordapp.com/channels/810916927919620096/953009382021533696/956244354496856174).", "Submissions can also be sent to submissions@code4rena.com if users are unable to use the submission form due to issues.", "Biconomy Hyphen 2.0 contest's audit results are in review and expected to be published in the coming weeks.", "Users can receive a submission confirmation email, but there may be delays.", "There were intermittent issues with the submission process as reported by some users.", "Results of past contests are available at [Link](https://code4rena.com/reports).", "There are discussions around how QA and gas reports handle duplicates and their formulae.", "There are instances where duplicate reports were rewarded, lowering their value for each warden.", "The source code 'findings.csv' contains information about duplicate reports 
[Link](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434).", "There were concerns that changes in the handling of reports may not promote the best efforts in QA/Gas reports but may be fairer for everyone, including newcomers.", "In a contest named \"Redacted Cartel\", gas reports G-04, G-05, G-06, G-07, G-08 were rewarded as duplicates, significantly reducing their value for each warden. Similarly, in QA reports, there were a set of 9 duplicates: Q-15, Q-13, Q-14, Q-24, Q-11, Q-12, Q-05, Q-10, Q-22.", "The source of the above-mentioned information is the source code 'findings.csv', available at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434.", "The new award philosophy potentially encourages fairer competition, but there is a concern that it may not motivate the best efforts in QA/Gas reports.", "The QA and Gas awards are given according to judges\u2019 scores, and duplicates are disregarded. However, handling downgraded issues, which need to be paired up with wardens\u2019 QA reports, has been challenging.", "Static security testing involves looking at the code without interacting with it, using tools such as solidity linter and checking contract code in Remix for compilation warnings.", "Symbolic security testing involves interacting with the code without executing transactions on-chain, typically simulating transactions using software.", "All gas findings are supposed to go in one submission.", "The contest price pool is not related to lines of code but is scoped. 
For example, the ones worth 30k are expected to be smaller.", "The consideration of how comment lines should/shouldn't be accounted for when assessing the potential level of effort a scope will require is mentioned.", "The contest details are available in the #\u270brsvp channel for wardens to decide whether they want to compete.", "A user experienced error when trying to use the help form because there was a space in their discord handle.", "A user reported that they audited the wrong code for Sublime, having spent hours analyzing the master branch instead of the correct hash.", "The organization is updating the documentation to more clearly communicate the new awarding model for QA and Gas reports, and the update can be found at https://discord.com/channels/810916927919620096/810936719003090974/958455244759650344.", "There was an issue with the help form not accepting Discord handles with spaces.", "The issue was escalated to the development team.", "As a workaround, users were advised to either include their email in the help form, or include the Discord handle without spaces in the necessary field, but state the actual handle (with spaces) in the description field.", "Some users mistakenly analyzed and submitted details about the master branch of the code for auditing, instead of the correct hash.", "Payment for the contest is usually released after the announcement. The signatures for the award distribution are generally rounded up in a standing Monday meeting, so any announced awards should usually get processed Monday or Tuesday.", "To receive their share, participants need to register their handle and ETH address. 
There is a field for the polygon address when participants submit findings.", "Rewards are distributed to one address for one handle per contest.", "The original tools for finding submissions and contest processing were simple tools that have been gradually replaced, with an ongoing effort to move to authenticated warden accounts.", "Awards are named by handle and distributed from the same awards address publicly on the blockchain, so there's no hiding of anyone's wallet address.", "A user queried if a smart contract can create a signature of data so another smart contract can verify that the first smart contract signed the data. A response directed the user to [EIP-1271](https://eips.ethereum.org/EIPS/eip-1271) for more information.", "It was reported that it takes some time for a submission of a finding to be confirmed via email. If the submission fails, the form should return an error.", "There was a query regarding the presence of Solana developers in the community. While there haven't been any Solana contests yet, there is interest to expand beyond EVM and Cosmos chains.", "There was a query regarding why the homepage did not update content reports after February. The response indicated changes to the report and rewards calculation system, which takes time to compile. It was noted that a batch of reports would be published soon.", "It was queried why rewards weren't distributed immediately after computation. The response indicated that this was due to the use of multisignature (\"multisig\") wallets which require signatures from multiple parties before funds can be released. 
It was mentioned that awards will eventually be distributed via smart contract once more pieces are in place.", "A batch of reports is expected to be published soon.", "There might be Solana developers in the community, but Solana contests have not been hosted yet.", "The company desires to expand beyond EVM and Cosmos chains.", "The reward distribution does not occur immediately after the reward computation due to the involved sponsors' time.", "The company uses a multisig method for transactions which requires multiple signatories.", "There is a standing meeting each Monday to queue up transactions for signature.", "The company plans to distribute awards via smart contracts in the future, but more pieces need to be put in place before this can be implemented.", "The community suggested splitting the 'Awarding' announcement into 'Awarding' and 'Paid' sections for clarity.", "The JPYC Contest did not have any high or medium risk findings as the codebase was a relatively simple fork of a mature project.", "There was a hacking incident reported on the Ronin Bridge, which was possibly done by an insider who got access to a server private key. More information can be found at https://rekt.news/ronin-rekt/", "The company ran into a Discord limit, which imposed a maximum number of channels, which could be put in a single category. Therefore, some improvisation was needed.", "The company plans to export chat logs after contests are completed and the reports are published. These exported contents will be put into contest repositories, allowing to delete old channels and free up space.", "The company is considering archiving contests in quarters to manage the channel limit of Discord.", "The company is considering releasing all unverified submissions a few days after a contest ends, before judging. 
The related discussion can be found at https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123", "The inclusion of high-risk findings depends on the contest and the judge. It is advised to make a case to the judge in the submission if the participant thinks it should be considered.", "There was a reporting issue in the chat platform, where a user was unable to send a text.", "There is a consideration to release all unverified submissions a few days after a contest ends for learning purposes. The details are discussed in this forum post: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123", "Whether high risk findings are considered depends on the specific contest and the judge. Submitters should make a case to the judge in their submission if they believe a high risk finding should be considered.", "The main chat in the discussed platform is locked to contributors to reduce spam and off-topic content. Non-contributors can join as a warden.", "A post by @cmichel is recommended for beginners interested in becoming a smart contract auditor. The post can be found here: https://cmichel.io/how-to-become-a-smart-contract-auditor/", "The platform's leaderboard's \"total\" column represents the total number of valid findings of all severity levels by a specific individual or team.", "Low and non-critical issues are now grouped together as a single report by each warden.", "An audit of a project takes into account the current state of the project. 
The scope may not include vulnerabilities pertaining to deployment or early actions like initializers, especially for projects with already deployed code.", "Regarding the question about using an oracle in the Scoping form, it originated from the need to understand whether and how external pricing data was entering the project, and whether or not that was by way of an existing, widely-used oracle or whether the project created their own custom oracle.", "Each team determines how to split their portion of a contest's reward amongst themselves. General information on awards can be found here: https://docs.code4rena.com/incentive-model-and-awards", "The platform acknowledges the need for more clarity on how rewards are split for teams, especially regarding the incentive for team formation.", "An individual team determines how to split their portion of a pot amongst themselves, as per the awards information provided on https://docs.code4rena.com/incentive-model-and-awards.", "If a team submits a non-duplicate finding, the team gets more rewards than if they had individually submitted the same finding.", "The prize for a finding reduces by approximately 10% for each duplicate submission.", "The submissions for a contest can be reviewed after the report is published and the findings repo is made public.", "Wardens will soon be able to apply for the certified warden role which will give them access to findings shortly after contests end.", "For report submissions, the report should be pasted in the Vulnerability details section in .md format.", "Instructions to register as an auditor and start auditing can be found at https://docs.code4rena.com/roles/wardens.", "Payouts for contest awards are usually made between 1-2 weeks after the announcement.", "On average, there are 2-5 audit projects per week.", "There is an invite criteria for the c4 dinner, which is mainly for folks with high severity findings on the leaderboard in the past year who said they\u2019d be at 
devconnect.", "Contest awards payouts are usually made between 1-2 weeks after the announcement.", "There are normally 2-5 audit projects per week at CodeArena.", "Warden avatar and links in the CodeArena website can be changed by looking in the _data folder on the site repo and making a PR.", "A proposal for the listing of the ARENA project on one of the top ranking 40 exchanges is being considered.", "Resource for starting to learn smart contract auditing is available at https://docs.code4rena.com/roles/wardens/tools-and-resources", "If a QA/Gas report does not fit in a single submit request, it can be split into separate sends.", "Email submissions to CodeArena receive a special alert and the team will reach out to confirm receipt.", "The rewards address used to register as a warden can be found in the data folder of a recent contest\u2019s findings repo on GitHub.", "Checks don't fully run for external PRs on the CodeArena platform, link to a specific case is https://github.com/code-423n4/code423n4.com/pull/1584", "There are two contests that last for 13 days (May 5", "May 18).", "A new team creation on CodeArena might face issues with passing the checks, and the link to a specific case is https://github.com/code-423n4/code423n4.com/pull/1620", "Method to submit larger reports by email and then placing a placeholder in the original submission has been suggested to be added to the official documentation.", "The company runs contests that can last up to 13 days.", "There are two contests queued up for the next week.", "Teams can be created on CodeArena.", "A team creation process was started but could not pass the checks.", "The issue with the team creation process was resolved and merged.", "People can engage in the audit process before their code is complete.", "Starting the audit process earlier allows for promotion and preparation time.", "Code Arena hosts repositories ending in suffix -findings, one such repository can be found at 
https://github.com/code-423n4/2022-04-backed-findings.", "These repositories are usually private until they are made public after the issues have been mitigated and cleared for publication by the sponsors.", "There is a team-building channel on the platform where people can look for teammates.", "To access the team-formation channel, one needs to register as a warden first.", "Users are seeking advice on how to use 'storage' and 'memory' when creating new instances.", "It is currently tricky to change handles on CodeArena due to design decisions, but changes are anticipated in the future.", "If a user has written a Proof of Concept (POC) script for a vulnerability, they can include the link in the submission wherever relevant.", "There are restrictions on reporting anything related to input checks from governance variables in contests.", "If a user has created a POC script for a vulnerability, they can simply drop the link into the submission where it is relevant.", "There is a guideline not to submit assumptions such as the owner may be compromised or centralized. 
The methods with the onlyowner/onlygovernance modifiers are strictly coming through the trustful bodies.", "It's suggested not to question the deployment of a proxy contract as it will be done correctly.", "If there is disagreement with the sponsor about the scope of a particular issue, it is encouraged to still report the issue.", "The prize pool for bunker.finance increased from $30k to $50k due to the scope being slightly larger than originally anticipated.", "Information about vaults that are meant to be used by individual users can be found at: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/docs", "Users are allowed to directly message the project team about a potential vulnerability.", "After clicking \"CREATE ISSUE\" in \"SUBMIT FINDING\", the form data gets turned into a submission that goes into the findings repository for the given contest, which is later evaluated by judges after the contest ends.", "The submission form on Code4rena accepts Markdown for formatting the text.", "A useful resource for those unfamiliar with Markdown can be found at: https://markdown-it.github.io/", "Users who submit QA reports and miss an item are advised to fill out a help form for further assistance: https://code4rena.com/help", "The scope for the contests is decided by the sponsors and is listed in their contest information. 
Users with specific questions about the scope for a contest are encouraged to connect with that sponsor via their contest channel or DM.", "Web applications might be in the scope of certain contests.", "Sponsors decide the scope for their contests and list it in their contest info.", "Specific questions about the scope for a contest can be addressed to the respective sponsor.", "Contest participants can submit reports more than once if they are missing any items.", "The help form at https://code4rena.com/help can be used to get further assistance from the team.", "A smart contract does not know if someone sent ERC20 tokens to it.", "ERC721 or ERC1155 contracts may know if tokens were sent there because it has a recipient contract call onReceive.", "There is a possibility to add an emergency withdraw to get rid of tokens in smart contracts.", "Information about registering a team can be found at https://docs.code4rena.com/roles/wardens#registering-a-team.", "After a contest is closed, questions related to the contest can be addressed through https://code4rena.com/help.", "There are concerns about the display of rewards on the 60-day leaderboard.", "There's a criterion followed in case the same vulnerability is reported by two or more wardens", "the reward and recognition is split between them irrespective of who found it first. 
Details can be found at https://docs.code4rena.com/incentive-model-and-awards.", "There is a suggestion to treat each occurrence of the same bug appearing in multiple places separately.", "There is guidance for handling multiple occurrences of the same issue in the discussion at https://github.com/code-423n4/org/issues/8.", "Individuals interested in signing up can check https://code4rena.com.", "There is a discussion thread (#8) with nuanced details regarding the combination of similar issues.", "Users are discussing research regarding auditing and are looking to distribute a survey.", "Assistance for sign up to the Code Arena can be found on the #\ud83d\udc3ai-want-to-be-a-warden channel of the server.", "Reports for certain contests, such as JPEG'd, are not yet announced.", "Team pull requests need to be accepted by someone from the team.", "There was a discrepancy in the bounty for the Cally contest between the #\u270brsvp channel and C4, with the former showing 75k and C4 showing 50k. 
The information was updated and a note was added indicating that details are subject to change [https://code4rena.com].", "There are available resources for testing contracts downloaded from Github with tools like Mythril and Slither.", "The development team is considering changing the leaderboard from tracking the last number of days to the last number of contests.", "Inconsistencies in the contest process and results can be discussed and reported in the 'issues' section of the organization's Github repository [https://github.com/code-423n4/org/issues].", "Being a certified warden makes one eligible for a judge role, but certification may not be required at the current time.", "There is a professional conduct guideline for certified wardens that requires all findings to be treated as private and confidential until the contest report is made public [https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines].", "Enums in Solidity are user-defined types that are explicitly convertible to and from all integer types; they require at least one member, and its default value when declared is the first member, and they cannot have more than 256 members [https://docs.soliditylang.org/en/latest/types.html].", "Enums are one way to create a user-defined type in Solidity. They are explicitly convertible to and from all integer types but implicit conversion is not allowed.", "The explicit conversion from integer to an enum checks at runtime that the value lies inside the range of the enum and causes a Panic error otherwise.", "Enums require at least one member, its default value when declared is the first member.", "Enums cannot have more than 256 members.", "If storing an enum, it will take up part of a slot. 
If using it as a literal, it will be the same as a uint8.", "More information about enums can be found at https://docs.soliditylang.org/en/latest/types.html and https://ethereum.stackexchange.com/a/75961.", "As of version 0.8.0, enums cannot have more than 256 members as per https://docs.soliditylang.org/en/latest/080-breaking-changes.html.", "A question was raised about the LPT reward and its potential impact on the leader board.", "To register a group, one can check the information in the docs specifically the #\u26bdteam-formation channel, and the link is https://docs.code4rena.com/roles/wardens#registering-a-team.", "A user asked about who to contact for collaboration and investment issues.", "An individual asked about the process of checking if they had submitted an address for rewards which can be done using the help form at https://code4rena.com/help.", "There was a question about a solidity issue when trying to implicitly convert and multiply uint values.", "Information about how functions like delegatecall work with storage can be found in the Solidity docs and the Geth source code at https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302.", "A video was shared that walks through the eth_call at https://www.youtube.com/watch?v=bEUtGLnCCYM.", "There was a query about what was slowing down the judging of Sublime March 2022.", "It was mentioned that the delay in judging could be due to slow sponsor review.", "In March, a deposit was introduced to incentivize sponsors to complete their review in a timely manner.", "A user asked about the advance announcement of contests, the compensation for finding vulnerabilities, and if there was a way to know which bugs have been found already.", "It was clarified that there is no difference in payout between the first to find a bug and anyone else who finds the same bug. 
The overall value of the bug is reduced and split based on how many people find it.", "There was a delay in judging the Sublime March 2022 due to slow sponsor review.", "To motivate sponsors to complete their reviews on time, a deposit was introduced in March.", "If sponsors don't fulfill their duties, it makes the task of judging much harder as judges have to identify duplicate submissions.", "Contests are announced in advance, and there is no difference in payout between the first person to find a bug and any subsequent person who finds the same bug. The overall value of the bug is reduced and split based on how many people find it.", "When it comes to reporting bugs, the severity to be reported depends on the impact of the bug. There are guidelines for estimating risk provided in this link https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr.", "There is a discussion about making changes to the leaderboard to show current year statistics primarily while keeping the all-time stats visible.", "The channel can be used for general security discussions and not just Code4rena related questions.", "Emails and GitHub usernames of the wardens will not be listed anywhere publicly by C4. However, certified wardens will be part of a permissions group/team on GitHub to give them access to private repos. 
Individual users can decide to make their membership on private teams public or not.", "Some community members have set up separate GitHub accounts for their Code4rena work for privacy reasons.", "The eligibility requirements to become a certified warden can be found here: https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor", "In terms of EVM behavior, the chat discusses that self-destruct opcode indicates that the current account is registered to be destroyed, and will be at the end of the current transaction as seen on https://www.evm.codes/#ff.", "The potential optimism hack was discussed, with a focus on the pending deletion that will only be executed at the end of the transaction. More details can be found at https://www.saurik.com/optimism.html.", "It is recommended to complete the Provenance's certified warden process if partway through.", "The criteria to be accepted and become a certified warden involves competing in the audit contests.", "The eligibility requirements to become a certified warden can be found at https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor.", "To become a certified warden, one needs to have at least 3 top finishes in either the QA or gas report from past contests.", "The criteria for a top-3 finish in either the QA or gas report from past contests can be checked by the organization upon request.", "A potential partnership was discussed with Amber Group's Investment and Research division, whose website is https://ambergroup.io/.", "Doubts related to EVM security can be posted in the #\ud83c\udf33everything-evm channel.", "In order to receive payment for the OpenSea contest, participants need to complete the form at https://code4rena.com/certified-contributor-application and go through the ID verification process run on behalf of CodeArena by Provenance.", "The OpenSea contest requires ID verification which is not usually 
required.", "The application to become a certified warden can be made at https://code4rena.com/certified-contributor-application.", "The OpenSea contest has a scaling up of the prize pot based on the level of severity of the findings.", "The payment of rewards for the Sherlock contest was discussed.", "The selection of Provenance as a KYC provider was questioned.", "The duration of the OpenSea contest was queried.", "A new competition has terms that scale up the pot based on the severity of the findings.", "The OpenSea contest is mentioned and it has a unique system of scaling up the reward pool.", "There have been instances where rewards for a contest have not yet been paid out to participants.", "Provenance was chosen as the KYC provider based on recommendations from other Cayman-based vendors.", "The OpenSea contest lasted until June 3.", "The organization is planning to phase in certified+ post-contest \"triage swarm\" with progressively larger groups for collaboration.", "The organization had to revisit processes around the OpenSea project as it was a public contest that required KYC.", "There is a process for participants to discuss or argue their case if their submission is rejected.", "The judges are perceived as being fair and have upgraded severities in some cases.", "A post on FEG token flashloan exploit analysis can be found at [https://www.certik.com/resources/blog/w6AxRmf6l2ow4zL884gr8-feg-token-flashloan-exploit-analysis](https://www.certik.com/resources/blog/w6AxRmf6l2ow4zL884gr8-feg-token-flashloan-exploit-analysis).", "A better explanation of the FEGexPro incident can be found at [https://smartstatetech.medium.com/fegexpro-incident-aeae11d87286](https://smartstatetech.medium.com/fegexpro-incident-aeae11d87286).", "There were questions about the detailed prizes for severities in the bounty.", "The full pool of prizes for severities will be paid out as per the standard model.", "The mechanism for prizes in contests can be found at 
[https://docs.code4rena.com/incentive-model-and-awards](https://docs.code4rena.com/incentive-model-and-awards).", "The OpenSea contest is an exception where the prize pool expanded.", "A warden who has encountered one high severity bug and has competed in at least three contests can be eligible for the certification.", "All wardens registered prior to the OpenSea contest announcement are eligible for certification.", "The severity requirement is now for certified+.", "The immediate access to findings repo has not yet been rolled out and is for Certified+.", "ZRX is a highly used token that doesn't revert on failure and just returns false.", "Eligibility for certification requires encountering 1 high severity bug and competing in at least 3 contests.", "Immediate access to findings repo is for Certified+ users, but as of the time of the chat, it has not been rolled out to anyone.", "ZRX is an example of a highly used token that does not revert on failure but just returns false.", "A helpful repository explaining tokens that do not revert on failure can be found at: https://github.com/d-xo/weird-erc20#no-revert-on-failure", "A tool to debug hardhat tests/introspect contract execution at the EVM opcode level is named \"foundry debug\".", "Warden profile editing (adding profile picture, twitter handle) can be requested via help desk: https://code4rena.com/help", "For some contests, like the one referred to in the link https://code4rena.com/reports/2022-04-dualityfocus, there are no gas optimizations in the final report as there wasn't a gas pool for that particular contest.", "In a web3 console, the calling convention used can differ from what is actually called on the contract in the EVM.", "If 'from: ' is used in a call, it causes 'msg.sender' inside the Solidity contract to be ''.", "Queries about contest updates, results, team information, and rewards seem to be common among users.", "Users express a desire for more high prize contests like the $1M OpenSea 
contest.", "There is an Enso contest for which participants are awaiting results.", "There are questions about how teams operate on Code4rena, including how prizes are split and how reports are submitted.", "There is curiosity about the LPT Livepeer reward.", "There are questions about future contests with high prizes, similar to the $1M opensea contest.", "While submitting an issue for any contest, it is beneficial to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid.", "The Chainsafe contest starting date has been moved back by 6 days.", "An update on the LPT and INS awards is expected in the upcoming week.", "There seems to be a process for becoming a certified warden at Code4rena. More information on this process can be found at https://docs.code4rena.com/roles/wardens/certified-wardens#certified+-contributors", "Code4rena is considering implementing a system for using different wallets for different submissions in a single contest, and the first steps in that direction are underway with wallet auth.", "There are plans to enable the same handle using different wallets in a single contest.", "The process of rolling out wallet authentication is underway.", "To become a certified contributor, there is a process in place which is detailed at https://docs.code4rena.com/roles/wardens/certified-wardens#certified+-contributors.", "Wallet addresses used in a finding can be updated after the finding has been submitted and before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help.", "All team members need to be certified in order to receive funds from OpenSea, due to anti-money laundering laws.", "There are restrictions on discussing bugs and exploits after submissions for a contest are closed and before contest results are out.", "Certified contributors are bound by an agreement that includes a non-disclosure agreement (NDA).", "There are plans to allow certified 
contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging.", "A section for qualifications has been added to the warden registration page due to an increase in new warden registrations.", "A Know Your Customer (KYC) process is in place for wardens.", "There is a new qualifications section in the warden registration page due to the number of new warden registrations after the OpenSea contest announcement.", "The qualifications section in the warden registration page is expected to go back to normal after the OpenSea contest ends.", "A Know Your Customer (KYC) process is in place for wardens.", "There is a separate process to become a Certified warden, which requires an application and KYC process. The application can be made at https://code4rena.com/certified-contributor-application/ and more information is available at https://docs.code4rena.com/roles/wardens/certified-wardens.", "A break in contests was observed for three days.", "Suggestions were made for sponsors and wardens to take advantage of the break from contests.", "There were discussions about the benefits of physical exercise for auditors.", "A link to repositories implementing proofs of concepts for hacks was provided: https://github.com/Crypto-Virus?tab=repositories.", "A question was raised about automated tools to verify if a contract has been initialized on the Ethereum mainnet.", "Achieving a high finding in AbraNFT can be a step towards requesting for Certified+ status.", "Certified+ status allows wardens to see other submissions immediately after contests end, accelerating their learning process.", "There is a need for a more formal process for requesting Certified+ status.", "A user landed a high finding in AbraNFT and went through certification for OpenSea.", "At the time of the chat, there was no official process for requesting Certified+.", "Wardens with + certification get to see other submissions immediately after contests 
end.", "The Canto audit mentioned in #\u270brsvp was expected to start on the day of the chat but was delayed to the following Friday.", "The $ARENA token is a minimum-viable-governance token with sovereignty over the DAO treasury. More information can be found at the DAO constitution link: https://github.com/code-423n4/org/blob/main/CONSTITUTION.md.", "Users can join teams and participate in the audits.", "Users can review issues before they are reported.", "When a finding is submitted, users should receive a confirmation email.", "It's possible to record a community call on a discord voice channel. Detailed steps can be found at the following link: https://www.howtogeek.com/677198/how-to-record-discord-audio/", "If a report exceeds the number of characters allowed in the submission form, users can submit a placeholder and send an email. Details can be found at the following link: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form", "Users who forgot the wallet address to receive the bounty can refer to the email received when the bug report was submitted.", "A bug report was filed in C4 on the 8th of April.", "An individual did not receive an email related to a submission they made on the 8th of April.", "There is a mention of a wallet address and the corresponding private key, indicating some form of transaction.", "The users discuss the basic principle of cryptography; specifically, the inability to derive a private key from a public key, as that would compromise the security of asymmetric cryptography.", "If a user cannot obtain private keys, they are suggested to compete again.", "There's a clarification about the language used in transactions. 
One user states that they are not called \"deals,\" but \"transactions.\"", "A method to locate transactions quickly was discussed, which involved working backward from past payments made to the individual.", "The payment address of C4 appears to be fixed, as other values sent at the same time matched.", "It's mentioned that C4's payment address is a multisig and would likely remain the same unless there were accounting issues.", "Contest results are announced in the #\ud83d\udce2announcements channel.", "There's a suggestion for an individual to be hired as an official helper due to their helpful nature.", "The order of submitting issues does not matter in the context of the discussion. However, the more wardens find the same issue, the less money each warden receives for this issue. Details can be found at the following link: https://docs.code4rena.com/incentive-model-and-awards.", "There is a mention of Biconomy issues and a report going live soon, indicating that users will be able to view these issues.", "The order of submitting issues does not matter in the competition.", "However, if more wardens find the same issue, the reward money for that issue is divided among them.", "Detailed information on reward division can be found at https://docs.code4rena.com/incentive-model-and-awards", "Biconomy rewards usually take 1 to 2 weeks after the announcement to be sent out.", "Until the report goes live, the issues found cannot be seen by the participants.", "The participants have to wait for the report to go live, even if they've submitted their findings.", "Proof of Concepts (POCs) can be submitted by creating a public Github repository or by providing a diff of an existing sponsor-supplied test/contract.", "A diff is a line-by-line difference between two text files that only shows the lines that are different.", "The submitted proof of concepts (POCs) can also be included in the report submission.", "Private gists can be used to keep the exploits private.", "If a 
typo is made in a report, it can be corrected by filing a help ticket, unless it doesn't drastically change the meaning of the finding.", "CodeArena provides sponsors with a set of example READMEs to work from, as well as a checklist of items to include.", "The version of a library a contract uses depends on the version specified in the packages.json file.", "After announcing the awards, the rewards are sent out manually in batches for multiple contests at a time.", "To apply for Certified+ after a high finding, one must have completed KYC (Know Your Customer) verification.", "The awards for the contests are announced separately from the disbursement of funds, which is done manually and is usually batched for several contests at once.", "A user can apply to be certified after a high finding by contacting the organization through the help desk form.", "Users can change their account details, like the Twitter username, by submitting a help desk request.", "Detailed documentation of the Infinity NFT Marketplace system parameters can be found in the README file in the contest repository: https://github.com/code-423n4/2022-06-infinity#readme", "Questions related to specific topics or contests are to be asked in designated channels.", "Rewards are sent to the Polygon address, not to the Ethereum address.", "Users are required to submit one Quality Assurance (QA) report per contest and ideally group all issues together. 
They should also separate the Gas report from the QA report.", "The findings repository becomes public after some time, but the exact timing is not specified.", "Code can be formatted in a submission issue form using Markdown.", "The compilation of reports after an audit payout typically takes a few weeks.", "Rewards are paid out in USDC but over the Polygon network.", "Certified Wardens process related questions can be asked directly to Code4rena.", "Scoring breakdowns for past contests can be found in the announcements channel or on each contest page on the C4 website or at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv", "There is a possibility of conducting bug bounty programs for web in the future, but no specific plans were mentioned.", "Certified Wardens process is a topic that users have questions about.", "Scoring breakdowns for past contests can be viewed in the #\ud83d\udce2announcements channel, on each contest page of the CodeArena website, or at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv", "There is user interest in a bug bounty for web applications.", "If an award is received for a submission report, the user has to wait for the payout.", "The result of copying an array to memory before processing it for reducing gas usage in smart contracts was discussed and tested, concluding that it is not beneficial.", "Users can register as a team and submit findings as a team.", "The ternary operator in coding, specifically for if-then-else statements, was explained.", "Teams are incentivized in the CodeArena process. The reward is reduced semi-geometrically based on the number of people who find an issue when they are separate. 
However, within a team, the reward is split evenly between the members.", "Some people play different roles on teams, with some better at identifying and theorizing attack paths, which is an important aspect of the process.", "Teams are treated the same as individual wardens by CodeArena.", "There are opportunities for team-up between wardens who are great technical writers but just beginning as auditors and wardens whose technical skills are more advanced than their ability to communicate in English.", "CodeArena is recommended for contract audits in the crypto space, and there is a suggestion that website audits could also be included in CodeArena's scope.", "The reward for a medium/high finding can be calculated using the formula provided in the link: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs", "There is a concern that the leaderboard does not reflect FactoryDAO even though findings.csv has been updated.", "Teams can comprise of individuals with varying levels of English language proficiency and technical skills.", "CodeArena could potentially add website and other infrastructure pentesting audits in the crypto space.", "The reward split for a case where multiple people, including members of the same team, identify a gas optimization, can be calculated using a formula present at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs.", "There was an issue with the leaderboard not reflecting FactoryDAO despite findings.csv being updated.", "Some users choose to write their QA/gas reports directly into the submission form without using any special formatting tools.", "Visual Studio's preview tool has been suggested as a helpful tool for formatting reports.", "Markdown and hackmd are mentioned as potential tools for improving report presentation.", "Top QA reports from recent reports can be found at the following links: https://github.com/code-423n4/2022-04-backd-findings/issues/182, 
https://github.com/code-423n4/2022-04-phuture-findings/issues/56, and https://github.com/code-423n4/2022-04-dualityfocus-findings/issues/33.", "Findings reports become public once the final contest report has been published. Certified+ wardens can view the findings repo immediately after a contest ends.", "There have been issues with submitting findings through Firefox, and sometimes Chrome, due to an error related to the permalink.", "A possible fix for the submission issue has been proposed at https://github.com/code-423n4/code423n4.com/pull/2338.", "Information on judging and payout timelines after a contest ends is documented at https://docs.code4rena.com/structure/our-process.", "Not all gas optimizations are valid when the optimizer is enabled, and this has led to some confusion about what should be reported.", "The system had been under heavy load in the recent weeks.", "There is confusion about the validity of gas optimizations in certain situations, specifically when the optimizer is disabled.", "Some users stopped reporting gas optimizations because certain judges were refusing them, while others accepted them.", "Users have questions about whether or not all applicants for a working group will be contacted or only those who are accepted.", "The working group is not a mentorship opportunity, but rather a group to provide input on creating such an initiative.", "A user asked about a method to check for account existence before calling .call() on it in smart contracts.", "Suggested ways to check for account existence include the use of OpenZeppelin's Address library and checking the length of the account's code.", "One user believes they qualified for Certified+ but cannot find the correct submission form.", "The help desk request form is located at https://code4rena.com/help/", "There is a discussion about whether or not failing to check for an account existence could be considered as a medium issue.", "Other websites to get rewarded for auditing smart 
contracts include https://immunefi.com/, https://spearbit.com/, and https://hats.finance/.", "Sherlock is another platform for auditing smart contracts, but it seems to require a high level of competence.", "Websites similar to Code4arena for getting rewarded for auditing smart contracts are https://immunefi.com/ (bug bounties), https://spearbit.com/ (freelancing?), and https://hats.finance/ (decentralized bug bounties).", "The platform called Sherlock is another option for auditing smart contracts but it requires a strong competence in the field.", "The findings csv file from Code4arena can be cleaned from empty lines (not rewarded). The link to the file is https://github.com/code-423n4/code423n4.com/blob/f9e0b2ff9f5dc39ab7353b0b869b504fdd827b07/_data/findings/findings.csv#L16.", "To submit findings on Code4arena, a user needs to connect their wallet when they sign in, not every time they submit findings.", "An individual can submit findings on Code4arena as themselves or as their team once their wallet is connected.", "If a user has submitted findings before, they should be redirected to a confirmation page instead of the registration page when they connect their wallet.", "Wallets supported by WalletConnect can be used in the registration process. 
More details can be found at https://walletconnect.com/registry?type=wallet.", "During the new registration process, if a user can't find their username on the list, the issue is being investigated.", "Sloc, as used in the context of the discussion, stands for \"Source Lines of Code\", which is the number of Lines of Code minus the number of lines that are comments.", "The findings repositories are held private until the final report is available to facilitate learning from others.", "Wallets can be under review on the platform, which may affect the ability to submit findings.", "The term Sloc means Source Lines of Code, which is the number of Lines of Code minus the number of lines that are comments.", "The findings from the CodeArena competitions are kept private until the final report is available because sponsors need time to act on the feedback they have been given.", "If a gas optimisation finding is found that can be applied in more than one line of code, it should be submitted as one finding and mention all lines where it can be applied.", "The process for becoming a Certified+ contributor is detailed at [this link](https://docs.code4rena.com/roles/wardens/certified-wardens#certified+-contributors).", "Slither is a tool that can be used in the process, but some users report limited success in using it as a bug finding tool. 
It is also possible to write custom checks for Slither.", "Submitted findings may not be editable by the original author, but there is discussion about potentially implementing this feature.", "The difference between a Certified Warden and a Certified Plus Warden is that Certified Plus has some entry requirements and gets access to private repos after a contest is finished.", "The reason findings are kept private until the final report is available is to give sponsors time to act on the feedback.\n\nIt's worth noting that the above are facts derived from the chat and do not necessarily represent the actual state of affairs or policies of CodeArena or associated entities. They simply represent user statements and beliefs.", "Certified Plus has entry requirements and also gets access to private repositories after a contest is finished where they can see what others have submitted and learn more quickly.", "There is a suggestion to have the ability to respond to the submission confirmation email, and the reply would get added as a comment to the GitHub issue.", "There is a concern from users about the need for an editing feature for submitted findings to unburden the team handling tickets.", "There are some Australians participating in the discussion.", "A question is raised about LPT or Insure rewards news.", "There is a mentioned issue about missing indexed fields in the event, and it is discussed that indexing makes parsing easier for off-chain tools, at the expense of gas during emission. 
A link to the issue is given: https://code4rena.com/reports/2022-05-sturdy/#n-10-event-is-missing-indexed-fields", "More information about the concept of indexing can be found at https://docs.soliditylang.org/en/v0.8.14/abi-spec.html?highlight=indexed#events", "Participants discuss whether to leave direct links to the code on GitHub or to refer to a specific file and line number, implying some debate on how best to reference code in reports.", "There is an issue raised about needing to sign in with MetaMask to submit a report. It is clarified that this is now a requirement: https://discord.com/channels/810916927919620096/810929015509483554/991410741678719278", "There is a discussion about a discrepancy in the sum of rewards for the Forgotten Runes PR. The link to the PR is given: https://github.com/code-423n4/code423n4.com/pull/2353/files#diff-74910905ffc9d3c8f8510410dbaa9089f77209d36db0cf1368c1cb7e32e92473R13694-R13696", "A user seeks help understanding how tokens received by a contract could be less than the amount in a report. The link to the report is given: https://github.com/code-423n4/2022-04-axelar-findings/issues/5", "An explanation is given that fee-on-transfer tokens remove a small fee from every transfer, hence the received amount might be less than the sent amount.", "It's clarified that not all tokens are fee-on-transfer.", "PAXG is identified as one notable example of a fee-on-transfer token. 
The source code can be found at: https://etherscan.io/address/0x74271f2282ed7ee35c166122a60c9830354be42a#code", "Fee-on-transfer tokens remove a small fee from every transfer, which is why the tokens received by the contract might be less than the transferred amount.", "Not all types of tokens are fee-on-transfer.", "PAXG is an example of a fee-on-transfer token and its source code can be found at https://etherscan.io/address/0x74271f2282ed7ee35c166122a60c9830354be42a#code", "There was a query about discussing high severity issues with a sponsor before submitting them.", "A user had a query about accessing the state variable of a different contract. The given solution was to call the specific instance of the contract being queried.", "A question was raised regarding the reason why assert() does not refund gas for the transaction. It was clarified that since version 0.8.0, assert no longer consumes all gas, so the remaining gas should be refunded if the assert fails.", "Participants will get feedback from a judge if a submitted finding is marked as invalid.", "A user accidentally submitted all their findings to the wrong contest and was advised to submit them again to the correct contest and fill out a form to let the C4 staff know about the incorrect submissions. 
The form can be found at https://code4rena.com/help/", "If someone submits a vulnerability that turns out to be a mistake on the warden's part, no penalty had been applied in past instances.", "A participant received congratulations for getting their first High score.", "A user inquired about the status of LPT and Insure payments, which were due to be released in the mentioned week.", "Participants were interested in tracking the status of their past reports.", "After completion of the certification process with ProvenanceDAO and participation in more than 3 contests, a user was awaiting the upgrade to Certified+.", "The question of whether obsolete code is a QA issue was raised.", "There are inquiries about the updates on LPT and Insure payments with an expectation to be settled that week.", "Participants express a need to track their past reports and confirm the receipt of their issues.", "One user completed a certification process with ProvenanceDAO and participated in more than 3 contests, seeking to know when their certification+ will be granted.", "It is suggested that the criteria for certification+ could be more stringent, such as being in the Top 3 in 3 contests or making a high finding.", "Two questions are asked about which part of the process takes the most time to be completed and the definition of the reporting part.", "Reference to rebase tokens were made with examples provided at https://github.com/buttonwood-protocol/button-wrappers/blob/main/contracts/ButtonToken.sol#L126 \n and https://github.com/pmerkleplant/elastic-receipt-token/blob/main/src/ElasticReceiptToken.sol.", "Feedback from judges on the invalid findings is appreciated as it aids learning.", "The review and judging phases can take some time, especially with high participation rate and complex codebases.", "Reporting refers to drafting/editing the report for the contest or the sponsor reviewing the report prior to publication.", "Inquiries are made about how to proceed when the team 
payout address is a smart contract.", "Changing a nickname requires creating a new registration/discord handle and starting over with the new name if the person was on the leaderboard.", "New wardens tend to have a learning curve in understanding the architecture of each project, interacting with the code, and finding vulnerabilities within the allotted time.", "Certified+ wardens get earlier access to the findings repositories, so they can assist with post-contest processes.", "Teams can be created at code4rena.com/register-team.", "There exists a private channel for certified+ wardens, which is a workspace for the various processes they assist with.", "There are inquiries about how to proceed after reporting an issue but being unsure about the severity.", "There is a private channel for certified+ wardens, which assists with various process-related tasks.", "Once wardens find a team, they can create one at code4rena.com/register-team.", "If there is any uncertainty about the severity of a reported issue, it is advised to review the judging criteria and make a case for the chosen severity using evidence. 
The judging criteria can be found at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk.", "If a submitted bug severity needs to be increased, during a contest, one can submit a help request to remove the original submission and then submit again via code4rena.com/help.", "Every contest releases a report about the bugs found, which can be used for learning.", "Private inquiries to a member of the code4rena team can be made through a Help Desk request.", "Receiving two identical confirmation emails after submitting a finding doesn't require any specific action.", "There is a plan to open up to Solana audits on the platform.", "A discussion about the use of machine learning in smart contract auditing mentions the idea of converting a non-image task into an image task by converting a smart contract into respective shapes, training a model based on a dataset of vulnerable and non-vulnerable shapes, and then using that model to predict if a future contract is vulnerable or not. 
A related GitHub link mentioned is https://github.com/DanielVF/evm-contract-draw.", "Concerns were raised about USDC, referencing this article: https://taibbi.substack.com/p/the-financial-bubble-era-comes-full?utm_source=substack&%3Butm_campaign=post_embed&%3Butm_medium=email&utm_medium=email.", "The chat participants are discussing concerns about USDC, with a link to an article shared: https://taibbi.substack.com/p/the-financial-bubble-era-comes-full?utm_source=substack&%3Butm_campaign=post_embed&%3Butm_medium=email&utm_medium=email", "Discussions about the application of machine learning for smart contract auditing are being held.", "An idea shared suggests that non-image tasks such as smart contract auditing can be converted into image tasks where a smart contract is visualized into respective shapes, and a model is trained based on these shapes to predict the vulnerability of future contracts.", "A link to a Github repository about smart contract visualization is shared: https://github.com/DanielVF/evm-contract-draw", "A link to a fastai notebook, which demonstrates using image recognizers to tackle non-image tasks, is shared: https://github.com/fastai/fastbook/blob/master/01_intro.ipynb", "The use of graph neural networks for smart contract auditing is mentioned, with a link to a relevant paper given: https://www.ijcai.org/proceedings/2020/0454.pdf", "Users can make submissions of gas optimizations in contests.", "It is possible to submit help requests in case of issues with submissions: https://code4rena.com/help", "Judges have the discretion to determine the severity of identified issues in submitted reports and make changes in severity levels as necessary.", "Changes to teams (such as removal and addition of members) are possible.", "Judges determine the severity of a bug in a smart contract.", "Judges may choose not to increase the level of severity of a bug if it is a duplicate of other bugs and has not been well explained or proven.", "The value of a bug 
is partly based on correctly assessing its severity and presenting evidence.", "Teams can make changes to their membership, and to get that change sorted, they can open a help desk request at https://code4rena.com/help.", "Problems with a project's license, such as dependencies requiring a specific license that the project doesn't use, can be reported.", "Problems with a project's license are generally considered to be of informational severity.", "After a Provenance application is approved, applicants can expect to receive an email.", "Participants can reach out for help if they are having issues connecting their Discord account with their Code4Arena account.", "Participants can check their participation in an audit outside of the leaderboard showings by creating a help desk request explaining the issue.", "If a single line of code has multiple ways of exploitation, there's a question whether it should be reported as one bug or multiple.", "Inquiries were made about the timing of the next audit event or contest.", "There is an awards list and leaderboard for the participants.", "Participants can find the awards list in the announcements channel.", "If a line of code has multiple ways of exploitation, it seems all the bugs should be reported but priority should be given to the biggest impacting one.", "Future audit events or contests are dependent on sponsors confirming details and dates.", "A pause in contests sometimes happens around big conferences.", "The results of a contest named \"putty\" are expected.", "A tool was shared and identified as a Miro Board, used for collaborative planning and brainstorming. 
The link to the tool is: https://user-images.githubusercontent.com/13383782/179862144-097cd187-abf6-48bc-b73d-503e9d1e51a3.png", "The process to become a certified member can be found at https://docs.code4rena.com/roles/wardens/certified-wardens", "Backstage access to see submitted reports on Github during the triage process is open to certified wardens with a certain level of established contribution.", "There is a community call planned for the following week.", "Questions can be submitted for the recorded community call.", "Backstage access, which allows users to observe the report submission and triage process, is open to certified wardens with an established level of contribution.", "Community calls are organized for discussion and updates.", "The date for the next community call is expected to be announced following a regrouping after a period of busyness due to the ethcc event.", "Members can submit questions for the next recorded community call.", "The community calls are also available to watch on YouTube.", "There was an issue with a status expected to be multi_select error message that was being looked into.", "Use of the directive \"using SafeMath for uint256\" is not visible in an inheriting contract.", "A function can run out of gas if the input is large enough, a common solution is to have a start offset and a maximum length to process it in batches.", "Participants in contests are discouraged from discussing their findings publicly after a contest is over, even if the final report has not yet come out.", "Some of the contracts being discussed could already be deployed, while others may not be.", "The organization's policy is not to discuss findings publicly until the report is published.", "Audit reports are available in the reports section, and each title is a link which points to one of the warden's reports on GitHub.", "It is also possible to see reports from other wardens who found the same issue.", "C4 has a policy of not discussing findings 
publicly until the report is published.", "Audit reports can be viewed on GitHub, with each report title being a link pointing to the report.", "Users are trying to understand the meaning of \"input\" and \"output\" in Uniswap methods such as tokenToEthSwapInput, tokenToEthSwapOutput, ethToTokenSwapOutput, and ethToTokenSwapInput.", "The terms \"input\" and \"output\" in the context of Uniswap methods refer to tokens being transferred into a contract (input) and tokens being received from a contract (output). This information was used to solve a challenge on the Uniswap documentation, which can be found at [https://docs.uniswap.org/protocol/V1/reference/exchange](https://docs.uniswap.org/protocol/V1/reference/exchange)", "In the context of bug finding, real bugs get rewarded, but false positives do not. It is recommended to write an executable test to be sure that the bugs are real.", "An issue was reported with the certification process, which was being looked into by the team.", "There is discussion about the severity of issues when reviewing them, with context being important. Specifically, the example given is about upgradeable contracts and storage variables.", "Alchemix contracts were mentioned, with reference to some specific issues. 
Links to these issues can be found at [https://code4rena.com/reports/2022-05-alchemix/#m-05-no-storage-gap-for-upgradeable-contract-might-lead-to-storage-slot-collision](https://code4rena.com/reports/2022-05-alchemix/#m-05-no-storage-gap-for-upgradeable-contract-might-lead-to-storage-slot-collision) and [https://code4rena.com/reports/2022-05-alchemix/#l-11-upgradeable-contract-is-missing-a-__gap50-storage-variable-to-allow-for-new-storage-variables-in-later-versions](https://code4rena.com/reports/2022-05-alchemix/#l-11-upgradeable-contract-is-missing-a-__gap50-storage-variable-to-allow-for-new-storage-variables-in-later-versions)", "The issue with the certification process was fixed.", "When submitting bug findings, users should make separate submissions depending on the type and severity of the bugs found.", "The chat discusses the context of issues within smart contracts, particularly in relation to slot collisions and the inheritance of upgradeable contracts.", "A user faced an issue while attempting to get certified, which was resolved and required a wait of approximately 10 minutes for the site to redeploy.", "Guidelines were discussed on how to report bugs and optimizations found in the smart contracts. Reports are expected to be specialized, with QA findings and gas findings submitted separately. 
Medium and high severity findings should be each submitted as separate reports.", "The chat participants are encouraged to review other warden's submissions on GitHub to learn from marked and invalid cases.", "A question was raised about an issue related to EIP1967, with a link provided for reference: https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22", "Users are encouraged to participate in upcoming contests, with advice given to \"just do it\".", "A question was raised about the most stable and secure solidity versions, aside from the latest versions.", "A new participant asked whether they can submit multiple findings or if they should compile all findings into one file for the contest. They were referred to the official documentation: https://docs.code4rena.com/", "A user queried about the GitHub link of all the approved findings and gas optimizations.", "There was a question about whether to audit only contracts or also script folders within the GitHub repo, and a recommendation was given to always read the README.md for each contest, as it outlines what is in scope for auditing and what is not.", "A link was provided to indicate the scope of a specific contest: https://github.com/code-423n4/2022-07-golom#scope. This link defines the code to be audited and what should not be audited.", "There is uncertainty among users about whether the audits should be conducted only on the contracts or also on the script folders.", "The README.md file for each contest is supposed to explain what is in scope and what is not.", "The term \"in scope\" refers to the elements that should be audited.", "A specific example of outlining the code to be audited is provided [here](https://github.com/code-423n4/2022-07-golom#scope). 
It clarifies that 'In scope' equals 'to be audited' and 'Out of scope' equals 'do not audit'.", "In Solidity, 1e36 is a short version of a big number, equivalent to 10**36.", "The use of 1e36 in Solidity code is a more gas-efficient method of representing big numbers, as per the Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.15/types.html#rational-and-integer-literals).", "In the audits, besides identifying vulnerabilities, it is generally required to provide solutions or mitigations.", "\"eth_call\" in Quicknode includes a \"value\" parameter that refers to the amount of ether sent with the message call.", "A new chat was created to post questions leading up to a monthly call.", "Templates or guides for gas/QA reports in terms of formatting can be found [here](https://github.com/code-423n4).", "The top winning example for each report can be found at [https://code4rena.com/reports]().", "The formatting for the reports is mainly done in markdown.", "There are templates or guides available on how gas/qa reports are supposed to look in terms of formatting.", "These templates can be found in every repository with 'findings' in the name on https://github.com/code-423n4", "The top winning report examples can be found at https://code4rena.com/reports", "There are no standardized guidelines or rules on the formatting of the gas/qa reports, just markdown.", "For training for the Paradigm CTF and to learn advanced solidity and defi industry standards, resources like The Ethernaut challenges and Damn Vulnerable DeFi are recommended: https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/", "For reporting a medium risk in the golem event, the following link can be used to understand how to provide a link on the finding form: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-a-permanent-link-to-a-code-snippet#linking-to-code", "If there are concerns about the golom contest, participants 
are advised to resubmit the issue and then create a help desk request to withdraw the invalid submission.", "You can edit your submissions, and the steps for this are outlined in the announcement from this link: https://discord.com/channels/810916927919620096/810929015509483554/1002648649135824906", "The contest pot size depends in part on the number of lines, it's up to the judge to decide whether an out-of-scope med/high will be awarded.", "Approximately 150 contributors have been certified.", "If there's a bug in a contract that's in scope, but it impacts another contract that's out of scope, the impact might count, this decision is generally up to the judge.", "A file containing all findings and payouts, which can be cross-referenced with the contest report, is available at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.", "If there's a bug in a contract that's in scope, but it impacts another contract that's out of scope, it's up to the judge to decide whether an award will be given.", "The contest pot size is partially based on the number of lines.", "A list detailing how much a finding was worth in a contest can be found at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv", "Rekt and LobsterDAO are recommended blockchain security Telegram groups.", "Rekt's Telegram group can be accessed at the following link: https://t.me/Rekt_HQ", "Users can submit a help desk request to change their avatar and add a Twitter link to their profile at https://code4rena.com/help/", "If the raw findings.csv file has x entries for a warden and the warden submitted x+1 findings, it could mean one entry was eliminated as invalid or it was judged as a duplicate of one of the other findings.", "The judge has the final say on findings.", "Wardens can see the judging results before they are published, and if they see issues, they can raise them to the judge for reconsideration.", "Gas optimization 
inside view/pure functions can be reported.", "A finding will get rewarded if disputed by sponsor as won't fix, but is a valid one.", "Calling a view/pure function from a non-view/non-pure function in the same contract does cost more gas.", "Users need to register as a warden to get their wallet whitelisted.", "In the context of the chat, the users are discussing the optimization of smart contracts to reduce gas costs, not just for protocol contracts, but also for other contracts and non-view/non-pure functions.", "User queries regarding the whitelisting of wallets are addressed by directing them to register as wardens and submit help desk requests at https://code4rena.com/help.", "Findings after a contest are reviewed by sponsors soon after the contest ends and then it goes to judging.", "Contest participants are reminded to consolidate gas and/or quality assurance reports into one per warden.", "Participants are allowed to edit or replace their submitted reports with \"withdrawn\" for invalidation.", "Teams are considered when comparing leaderboard ranks to select people for RSVP certified jobs.", "The Arena tokens can be obtained using the contract address 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222.", "The chat includes a discussion on optimizing the purchase of tokens to maximize profits in arbitrage opportunities, with a focus on Uniswap-like scenarios. 
It is suggested that the user would have to derive it from the Automated Market Maker's (AMM) price formula, using a specific algorithm and taking into account price impacts and transaction costs.", "A detailed mathematical explanation is given on how to calculate the optimal amount of tokens to buy in an arbitrage opportunity.", "There's a discussion about finding the optimal amount of tokens to buy for maximum profit in arbitrage opportunities.", "The conversation includes explanations about how to calculate the optimal amount of tokens using the automated market maker's (AMM) price formula.", "The core UniswapV2 swap formula is discussed. The formula is (x + dx) * (y", "dy) = x * y, where x and y are the initial amounts (reserves) of tokens A and B respectively, dx is the token A amount you input, and dy is the token B amount you receive.", "An example is given of how you could calculate the optimal amount of token A to input to lower the token B / token A ratio to the fair market value.", "The formula to find the optimal dx (token A amount to input) is given as dx = -x + sqrt(x * y / a). This ignores protocol fees which could potentially reduce the profit somewhat.", "The possibility of arbitrage opportunities across multiple tokens (e.g., A -> B1 -> B2 -> A) is also discussed, but a generalized formula for finding the optimal amount to buy is not provided.", "Regarding the payment of awards, it is stated that payments get batched and done once a week but can take up to two weeks due to the need for double-checking at each step to ensure it\u2019s done correctly and securely.", "A participant inquired about the requirements for obtaining the backstage role. It was clarified that several factors can satisfy the requirements, including a high severity finding, three medium severity findings, or a QA or Gas report with a score of over 85.", "A discussion about the delay in judging contests is noted. 
There is no stated penalty for judges for delayed judging of contests. It is indicated that the number of contest submissions has increased significantly, potentially leading to increased workloads for judges.", "Some contest delays are attributed to factors related to the protocol itself and not the judge.", "It is stated that sponsors also play a part in contest delays.", "It is noted that judging of contests may take a lengthy time period, with factors beyond the judge's control contributing to delays.", "Sponsors are stated to play a role in the delays of contest judgement.", "There are factors affecting the completion of a contest which are not visible to all participants.", "If a judge cannot complete their work in a timely fashion, the contest is reassigned to another judge.", "CodeArena is working on improvements to their processes to prevent long delays in future.", "Most judges have full-time jobs and other commitments on top of their CodeArena judging responsibilities.", "Reports are graded between 0 and 100.", "Grades on published reports are visible to backstage role users, and they can be found in the \u2018score\u2019 column in findings.csv in the code4rena site repo\u2019s _data folder.", "The CodeArena community is not blame-focused, and the organization aims to improve processes rather than focusing on one-off issues.", "CodeArena aims to be more transparent and effective in their operations.", "Contestants can submit a Help Desk request for issues related to rewards distribution through this link: https://code4rena.com/help/", "One big report for gas and one big report for QA is the recommended way of making submissions.", "It is possible to change the wallet address connected to CodeArena.", "Medium/High reports can be submitted without recommended mitigation steps, even if there are no mitigation steps believed to be available.", "For making submissions, it is recommended to have one big report for gas and one big for quality assurance (qa).", 
"There is a procedure to change the wallet address connected to CodeArena, as detailed at: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address", "Only the team has access to submissions before a contest ends. After the contests end, those with the \"backstage\" role get access to findings to help with triaging.", "It is possible to submit a medium/high report without recommended mitigation steps, but an explanation as to why it cannot be feasibly mitigated should be included.", "If there are the same vulnerabilities on separate functions, they can be included in one report. More discussion on this can be found at: https://github.com/code-423n4/org/issues/8", "Wardens are now required to submit at most one QA report and one gas report per contest. More information on this can be found at: https://docs.code4rena.com/roles/wardens/submission-policy#report-format", "The FAQ on the CodeArena website about large gas or QA report submissions could be updated to reflect recent changes. 
The current FAQ can be found at: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form", "Changes to the CodeArena documentation can be proposed at: github.com/code-423n4/docs", "There were updates to the result list regarding accepted findings not being merged and reports being removed.", "There is a FAQ page related to incentive model and awards on CodeArena's website that could be updated, located at https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.", "Proposed edits to the CodeArena documentation can be submitted on Github at github.com/code-423n4/docs.", "CodeArena has a help ticket system located at code4rena.com/help, where users can report issues or concerns that need to be looked into by contest administrators.", "The grading system for CodeArena is not currently in place and is expected to be implemented within a few weeks.", "In the context of QA reports, it is possible for a submission to receive a 0 grade if a judge decides it merits that grade.", "Findings that are valid but non-critical, such as the presence of \"Open Todos\" or the \"use of Block.timestamp\", are not rewarded.", "There is a responsible disclosure guideline recommended for reading located at https://github.com/RD-Crypto-Spec/Responsible-Disclosure#the-standard.", "The average award pot for low or non-critical vulnerabilities in contests is typically 10% of the total prize pool.", "For gas optimization reports, the allocation is usually 5% of the prize pool, although this may be increased or decreased depending on how important gas savings are to a specific project.", "A link to a guide on responsible disclosure standards is shared: https://github.com/RD-Crypto-Spec/Responsible-Disclosure#the-standard", "The average award pot for low or 
non-critical vulnerabilities in contests is typically 10% of the prize pool.", "For gas optimization reports, the award is usually 5% of the prize pool. However, this percentage can be altered by sponsors based on the importance of gas savings to their project.", "To update team information, a PR needs to be created.", "PRs need to be approved by a member of the C4 team before they can be merged.", "A link to a PR for team information update is shared: https://github.com/code-423n4/code423n4.com/pull/3592", "If a C4 wallet is hacked, a help desk request needs to be submitted for assistance. This can be done via https://code4rena.com/help/", "To edit a submitted finding, one needs to go to the contest page.", "There was a discussion on the correct English usage in the chat.", "It was suggested that improving the general level of English would increase the quality of C4 reports.", "The general English level of C4 reports could be improved.", "A string goes above size byte32 when it reaches 33 bytes, with one byte per character, as mentioned in this resource: https://ethereum.stackexchange.com/questions/11556/use-string-type-or-bytes32", "Once it goes past 32 and becomes a string, another word is added for the length.", "Characters such as emojis or any non-ASCII character may require more than one byte.", "There seems to be no issue in sending a finding that one is not 100% sure of.", "Payments for CodeArena get batched and are done once a week.", "There is a double-checking process at each step of the payment process to ensure it\u2019s done correctly and securely.", "There is a service that converts a contract address into a separate solidity file. You can do this on Etherscan by changing .io to .deth.net. 
For example: https://etherscan.deth.net/address/0x27f461c698844ff51b33ecffa5dc2bd9721060b1/advanced#code", "A finding that is relevant to both QA and gas savings can be included in either report, and judges may decide where it best fits.", "There are more audit contests scheduled in CodeArena. Specific details can be found in #\u270brsvp.", "The importance of mathematics for auditing can vary depending on what is being audited. For most parts, basic calculus would suffice, but some projects involving financial mathematics may require advanced mathematical understanding.", "There are more audit contests coming out in Code4rena.", "The importance of mathematics for auditing depends on the smart contract project being audited, some require basic math while others require advanced financial mathematics.", "Some smart contract projects may require professional mathematicians to audit complex formulas.", "Understanding loan-to-value calculations can be useful in auditing certain smart contracts.", "There is a possibility of needing Matic (a cryptocurrency) to transfer awards to another wallet.", "https://wallet.polygon.technology/gas-swap can be used to swap gas.", "ERC Tokens can be swapped via Uniswap, which has a minimum fee of 0.05%.", "Metamask charges a fee of 0.743% for token swaps.", "There have been no major changes to the rules, contest submission guidelines, or prize splits in the recent past.", "Payments in Code4rena can be received via a connected Metamask wallet.", "Code4rena has a section dedicated to the Cosmos project: https://code4rena.com/cosmos", "The Cosmos project is described as an ever-expanding ecosystem of interconnected apps and services, built for a decentralized future (https://cosmos.network).", "Foundry tests have specific features for transaction prioritization. 
Transactions can be run by calling functions in a desired order.", "Auditing projects with complex math often requires years of experience and study, not just a quick study of a resource.", "In the context, memes were mentioned as a light-hearted skill, separate from auditing capabilities.", "Metamask wallet is functional for submitting findings in C4 payments.", "Some audit processes, like those done by Elastic DAO, require professional mathematicians to audit a formula. This suggests that there are special math or financial math topics that auditors should know.", "A tool for accessing contest-related information can be found at https://github.com/sseefried/c4-stats.", "The amount of prize money paid to each Medium/High risk can be checked at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.", "Rejected reports can be found at https://github.com/search?q=org%3Acode-423n4+is%3Aissue+label%3Ainvalid.", "There is a leaderboard that can be found at https://github.com/code-423n4/code423n4.com/issues?q=leaderboard.", "Flash loans on BSC network can be obtained, potentially with low fee and several millions in liquidity, from PCS.", "To test certain functions from a smart contract, a mocked token needs to have safeTransfer and safeTransferFrom function.", "Gas optimization is a potential starting point for a first-time audit.", "It is possible for users to change their wallet and username on discord, and presumably have these changes reflected in their C4 account.", "There is a repository where users can view rejected reports. 
The link to access this is https://github.com/search?q=org%3Acode-423n4+is%3Aissue+label%3Ainvalid.", "A user queried about mocking SafeERC20, mentioning that it doesn't have an ABI like the ERC20.", "Users of the service are looking for resources to start with before diving into auditing contracts, with specific mention of gas optimization.", "Some users may change their names and wallets on the platform, and want to know if their new details can replace the old ones.", "There are questions raised about gas optimization and the use of public functions declared as external.", "The users are interested in knowing if the platform is only focused on auditing, or if they do smart contract gigs as well.", "There was a question regarding the potential anonymity of users in cybersecurity spaces and on the bounty leaderboard.", "Users are curious about what happens to the sponsor reward pot if no issues are found in a contest.", "Users are asking for information on Ethereum bridges that allow sending to a different address.", "Users can apply to be certified plus, with the application guidelines available at https://docs.code4rena.com/roles/certified-contributors.", "Users wondered where they can view their submission replies regarding a contest.", "Users can compare different bridges, their time and fee at https://www.bungee.exchange/.", "A discussion on the choice between Trezor or Ledger was brought up.", "Users question whether Code4rena will remain open to new wardens indefinitely, and if this would dilute the prize funds.", "The platform advises against submitting a high volume of low-quality reports and defines low quality as having no clear explanation or path to the finding. 
The discussion related to this can be found at: https://github.com/code-423n4/org/discussions/34", "Users sought clarity on what happens when they have findings but the judge and sponsor disagree with their proposed mitigation.", "Users wanted to know if they can simply use a new wallet address in their reports moving forward and if the rewards for the report will then be distributed to the new address.", "If a participant has findings but the judge and sponsor disagree with their mitigation, it's the sponsor's decision on the mitigation part. If a participant points out a judge-approved bug or logic flaw, it's considered an achievement.", "Mitigation is for recommendation only and is not a must-follow.", "Participants can use a new wallet address in reports going forward and rewards for the report will be distributed to the new address.", "The term \"low quality\" in the audit contest guidelines doesn't necessarily mean low risk or non-critical. More clarity can be found at https://github.com/code-423n4/org/discussions/34.", "The grading criteria for quality submissions include: correct identification of the highest severity impact of the bug, making the case for the severity and validity chosen with evidence, and clear and understandable writing.", "Connext, being peer-to-peer, is faster than the one from Polygon, but it has a fee versus no fee from the latter.", "Questions about the average salary for smart contract auditors were posed, but no specific answers were provided.", "To verify if a bug is valid, one suggestion is to write a test for it.", "Participants can track their report status and see and edit their findings in the \"findings\" tab next to the contest description.", "Participants can openly discuss issues with the sponsors before the contest is finished, including severity and in-scope/out of scope questions.", "There is nothing wrong with editing a submission, it's just tagged to track that it\u2019s been edited.", "The method of providing code 
for a test, either by adding it directly to the report under 'Proof of concept' or linking it on some private repo on Github, depends on the length of the code. More information can be found at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.", "There was a question about the potential penalty for misjudging the severity of a vulnerability, but no specific answer was provided. Participants were recommended to read https://github.com/code-423n4/org/discussions/34 for more insight.", "A participant's concerns about the validity of Gas Optimization reports and the calculation of bounties were presented, but no specific answers were provided.", "If a participant cannot provide a Proof of Concept (PoC) for a medium severity bug, it may cause their finding to be disregarded unless the bug is extremely obvious. It's recommended to always write a PoC to be sure.", "There was a contest involving $20,000 worth of CANTO Canto Dex Oracle which has already taken place.", "The discussion includes a query about whether a bug report without Proof of Concept (PoC) would be accepted; the response suggests that without a PoC, a finding may be disregarded unless the issue is extremely obvious (such as a wrong parameter, typo, or code that doesn't compile).", "Art Gobblers is associated with Justin Roiland, the creator of Rick and Morty, in a collaboration with Paradigm.", "There are users seeking resources for blockchain forensics analysis, specifically for hacks and incidents in smart contracts.", "Some users have faced issues with new warden registration and bug submission. 
They are encouraged to communicate directly with staff for further clarification.", "After submitting a bug, users can view or edit their own submissions on the site for open contests.", "Creating a new team might require approval from the Code4Arena (C4) team and users are encouraged to open a help desk request when facing issues which is available at: https://code4rena.com/help", "There is an inquiry about the time it takes for project findings to get reviewed. However, there is no clear response provided in the chat.", "Team creation through the site is possible.", "The time taken for project findings to get reviewed varies with each contest.", "A new pull request has been made to update a warden profile.", "Projects have access to submitted findings before the contest completion.", "The findings are posted as GitHub issues on a private repository.", "There are concerns regarding the possibility of a dishonest project cloning white-hat reports to cut down on their payouts.", "Projects have already paid in full at the time the contest starts, giving them no financial incentive to hide reports.", "The potential solution to avoid dishonest practices was proposed as revealing the findings to the project only when the contest is over.", "Only the sponsor, not the judges, see the findings early.", "A proposal to call this issue \"C4 MEV\" was made.", "The level of trust in C4 staff and projects was discussed.", "A suggestion was made to add the discussed issue and its solution to the rulebook at https://github.com/code-423n4/rulebook/", "There was a debate on whether a sponsor could hide bugs in the code base, report them, and hope that no one else finds them.", "Immunefi, a platform for blockchain security, was used as a reference for the discussion. 
It was noted that Immunefi works differently because only the first valid submission gets a reward.", "It was noted that sponsors may not have access to the findings repo before the contest ends.", "There is a suggestion to add a new rule to the rulebook for further discussion. The rulebook can be found at https://github.com/code-423n4/rulebook/.", "Trust in the sponsors is vital, although potential conflict of interest scenarios, such as sponsors hiding bugs, have been mentioned.", "In the event of a dispute with a project, the assumption is not always that the project is decent.", "Sponsors of the contests do not have access to the findings repo until the contest ends.", "Sponsors are given access to the findings repo either after the contest is over (old contests) or one week after with triaged and deduped issues.", "Wallet address updates are handled through the help desk.", "Teams can be modified by submitting a request through the help desk.", "When entering a contest, participants do not have to submit all reports for high, medium, QA, and gas optimization. They can submit what they find.", "The amount of detail required for QA and Gas Optimization reports is not as comprehensive as for high severity issues. 
Examples of the top QA/Gas report for each of these contests can be found at https://code4rena.com/reports.", "The judges prefer more detailed reports than one-line summaries.", "The format of the report can influence its evaluation by judges.", "Payouts for contest prizes are received in USDC on Polygon's Mainnet.", "MATIC is used to pay the gas for a certain transfer.", "The acceptance of reported issues in smart contracts depends on their severity as evaluated by the sponsors and judges.", "Vulnerabilities affecting a main contract, even if found in an out-of-scope contract, should be reported.", "Contest winnings are received in USDC on Polygon\u2019s Mainnet.", "MATIC is used to pay the gas for a transfer within the system.", "Gasless swaps can be done at https://polygontimes.com/swap-for-gas-instant-gasless-matic-tokens-on-polygon-pos/", "For the context of CodeArena, the Proof of Concepts (PoCs) don't need to be executable.", "The number of wardens participating in a contest is disclosed only after the contest ends.", "Installation of tools for auditing is considered difficult but persistence is encouraged.", "A digital nomad can become a certified warden using proof of ID, bank account details and other forms of proof of residence.", "Backstage application assistance can be requested through the help desk.", "The bug submission will not be invalidated if the severity level assigned by the submitter is different from the evaluated severity level.", "Switching to Ubuntu 20.04 via WSL2 is suggested when facing installation issues on Windows.", "Changes to the leaderboard/contest results link can be requested through the help desk at https://code4rena.com/help.", "Windows might cause problems with installations; Ubuntu 20.04 is suggested, which runs on windows via WSL2.", "In account settings, users can only change their email, discord and github username, but not the link or photo.", "To change a link with their username in the leaderboard/contest results, 
users can create a help desk request at https://code4rena.com/help.", "The lowest level of reported vulnerability that isn't a gas optimization is called \"Low\" or \"QA\", where QA includes both Low and non-critical vulnerabilities.", "The estimation of risk for vulnerabilities is detailed at https://docs.code4rena.com/awarding/judging-criteria#estimating-risk.", "QA reports submitted for a contest can be edited if needed.", "Participants who started doing contests since June are not eligible to receive any token airdrop. They would have needed to start in 2021.", "The attribution of the findings ids in the findings.csv file is at the discretion of the judges.", "When the final report is released, the issue numbers will match findings.csv.", "If a finding is mentioned in the known issues section in the contest, it will likely be disqualified.", "If a bug relies on user making a mistake in interaction with a contract, it may still be valid but will probably not have the same severity as if it doesn't require a mistake.", "Markdown formatting can be included in issue titles.", "The advantages of being selected for a primary issue are not mentioned in the chat. The issue in question is found at https://github.com/code-423n4/2022-05-rubicon-findings/issues/148#issuecomment-1167393094.", "There are questions about whether to include markdown formatting in issue titles.", "There is a discussion about the potential risks of depositing funds in an uninitialized contract.", "An example of a potential risk is that the contract could be subject to a ransom attack where an attacker takes ownership of the uninitialized contract and demands a ransom to release it.", "There is a query about a finding in the Nouns DAO contest and whether it can be appealed: https://github.com/code-423n4/2022-08-nounsdao-findings/issues/315", "There are questions about the criteria for a report to get selected in a contest and how the reward for gas optimization is distributed. 
An example spreadsheet is provided for reference: https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0", "Code4rena is considering changing its policy so that all submissions are graded and paid accordingly, regardless of the time of submission: https://github.com/code-423n4/org/discussions/34", "There is a question about the meaning of \"Verified Contest\" in the #rsvp channel.", "There is a question about the announcement of Olympus reward PR results.", "Code4rena is planning to host an event at devcon: https://twitter.com/code4rena/status/1577405876952272896?s=21&t=YjWD5aNJCZKKN9jXrRDh7A", "There is a discussion about the financial cost of attending the devcon event.", "A question is asked about the meaning of \"score\", \"pie\", \"split\", and \"slice\" in the findings file. An explanation is provided in the c4 docs: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic", "There is a discussion about the decrease in value of certain portfolios.", "Score, pie, split and slice in the findings file are ways the funds are divided between ranked findings, which is well documented in the C4 documentation: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic", "There is a discussion about issues with the software 'Yarn', including potential permission problems and wrong installation.", "The software 'Yarn' can be reinstalled to fix some users' issues.", "A discussion about potential solutions to software problems includes using Bash commands for environmental variables and using a docker image.", "Users can edit the 'test' command in the 'package.json' file to affect the 'REPORT_GAS' function.", "Participants in a contest are allowed to use the template of a gas report from a previous contest, but changes must be made to fit the current contest.", "A user has questions about a computer hardware issue related to the power supply unit (PSU) or motherboard power module.", "The gas 
optimization pool is shared among the reporters and is awarded based on the score of each gas report: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic", "In the 'Links to Affected Code' section of high/medium findings, one can add the GitHub permalink for the respective code block.", "Markdown formatting can be used in the finding body, but only links should be included in the small box.", "The command \"REPORT_GAS=true hardhat test\" in package.json can be altered for different operating systems, with a recommendation to use a docker image for Windows cmd.", "In the \"Links to Affected Code\" section for high/medium findings, only the GitHub permalink for the respective code block should be added. Markdown can be added in the finding body.", "Users discuss gas optimization in detail, suggesting that many people may not fully understand it.", "There was a discussion between users about whether to focus on smart contract security or web2 security for a career path, with advice given to focus on what the individual enjoys and is interested in, not just potential earnings.", "Users are advised to conduct benchmarks with real code and develop their own unique style when presenting findings that can withstand scrutiny.", "The process for KYC (Know Your Customer) was requested by a user, but no response was given in the chat excerpt.", "The backstage+ role at CodeArena requires meeting four minimum criteria, according to their documentation found at: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "Criteria 2 and 3 for the backstage+ role are considered satisfied when awards are announced and added to the leaderboard.", "There was a question regarding how to complete the KYC process.", "An undergraduate IT student in their 3rd year sought advice on whether to focus primarily on smart contract auditing or continue with traditional hacking and web2 security, while doing smart contract auditing as a side project.", "A 
user asked if there was an option to submit findings without authenticating.", "One user provided the link to the criteria for becoming a backstage warden according to the Code4Arena documentation: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "It was mentioned that the criteria for becoming a backstage warden are considered to be satisfied when the awards are announced and they are added to the leaderboard.", "A question was raised on how to send ether with the constructor while deploying a contract in Foundry.", "A link to an Ethereum StackExchange thread was shared as a resource for deploying contracts: https://ethereum.stackexchange.com/questions/68519/creating-a-new-contract-specifying-a-sender-and-value-with-factory-pattern.", "A user asked about the process for submitting issues, particularly in relation to gas optimization.", "It was clarified that for gas and low/quality assurance, one issue and send all is sufficient; for medium and high risks, one issue for each finding is required.", "The link to Code4Arena's submission policy was shared: https://docs.code4rena.com/roles/wardens/submission-policy.", "A suggestion was made to consolidate the last 10/15 reports and all detected vulnerabilities into a database for future audits.", "Two GitHub links were shared as additional resources: https://github.com/transmissions11/solcurity and https://github.com/Tomosuke0930/C4-report-categolized.", "A discussion ensued about the timing and process for the announcement and distribution of awards.", "A user asked how to edit a form they had filled out incorrectly.", "There was a question about whether it was safe to use safeTransferFrom in a specific code snippet, particularly because the token was already wrapped inside IERC20.", "A response to the question about safeTransferFrom suggested that the conclusion should be based on the token used and the expectation of the code, providing a link to Etherscan for further information: 
https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95.", "The chat participants are discussing coding issues, specifically related to the use of \"safeTransferFrom\" in smart contracts.", "The code snippet discussed is \"IERC20(USDT_TOKEN).transferFrom(msg.sender, address(this), _amount)\".", "It is mentioned that whether to use \"safeTransferFrom\" or not depends on the token used and the expectation of the code.", "A link to a specific section of the USDT token code on Etherscan is shared: https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95.", "The impact of a vulnerability in the code will determine its severity.", "An article about TempleDao is shared to provide further information: https://rekt.news/templedao-rekt/.", "A post mortem analysis of the TempleDao incident is being read: https://twitter.com/staxfinance/status/1580383607541354498?t=gyGLiqWddReeKaKKYCigig&s=19.", "Additional information about not checking failed transfers/approves is provided in a Github link: https://github.com/yearn/yearn-security/blob/master/disclosures/2020-09-25.md.", "It is mentioned that the check \"x != 0\" is cheaper than \"x > 0\" only in require statements and only prior to 0.8.13.", "A question about the term \"bins\" in Trader Joe contracts is raised and a link to the documentation is shared: https://docs.traderjoexyz.com/concepts/concentrated-liquidity.", "The possibility of running multiple contests simultaneously is discussed, with a desire expressed to handle up to 20 contests a week.", "Queries about how to find which findings of a contest were rejected and why, as well as how to view others' findings after a contest finishes, are raised.", "The condition \"x != 0\" is cheaper than \"x > 0\" only in require statements and only prior to 0.8.13.", "Trader Joe contracts have a concept called \"bins\", for which more information can be found in their documentation at 
https://docs.traderjoexyz.com/concepts/concentrated-liquidity.", "There is a minimum of $5 for eligibility for payout to avoid needing to send dust.", "Invoices regarding the contest payouts should be sent to the Code4rena Foundation.", "The company identification number is missing in the information provided.", "The Code4rena staff are employees of a corporation hired by a DAO, so they can\u2019t sign on behalf of the DAO.", "Code4rena staff can verify the accuracy of a prepared statement and confirm it, if sent as a help request.", "If a vulnerability is found, the work is to find the issue and explain it, a recommended fix is a gift for the sponsor, and the recommendation doesn't affect the criticity.", "Reports can be written using platforms like Github, Joplin, VSCode, Notion, etc. as long as the tool supports markdown.", "It's acceptable to submit a (very long) proof of concept (POC) using external platforms such as gist.", "For each contest, a warden is asked to run c4udit and post the output in the contest channel. If an issue is posted in the channel, it is a known issue and known issues are out of scope.", "Resources for learning the solidity compiler were requested.", "Various platforms such as GitHub, Joplin, VScode, and Notion are used to write reports, and it is essential that the chosen tool supports markdown.", "It is acceptable to submit long proofs of concept (POC) using external platforms like Gist.", "For each contest, CodeArena staff ask a backstage warden to run a specific tool and post the output in the contest channel. If an issue is posted in the channel, it is considered a known issue and is out of scope.", "There has been consideration of a different tool, a \"CodeArena Report Generator,\" but it was not made clear to participants that this tool was being used. It was also not made clear that the person running the tool had the authority to do so.", "Posting tool output without context or triage is seen as an issue. 
There is an expectation that context must be added and the output should not be pasted directly from a public scanner.", "There is a higher burden of proof for demonstrating to sponsors a relevant high or medium severity exploit path to be considered satisfactory if automated tools are used for initial findings. This expectation is further clarified in the following link: https://github.com/code-423n4/org/discussions/50", "One proposal to address the issue of spam submissions suggests giving a tool to sponsors to fix smaller issues in advance and having a general policy about the usage of said tool to reduce spam.", "The Know Your Customer (KYC) process can take a week or longer to complete.", "It is possible to be a warden and a Manson at the same time.", "It's suggested to have an announcements-like channel named #audit-reports where a new message is posted whenever a new report gets published on the CodeArena website.", "There are no negative consequences for accidentally reporting something that turns out not to be an issue, although it is recommended to withdraw such reports to save the judges' time.", "The severity level for not using a 2-step transfer pattern for access control is classified as low, as per the following link: https://github.com/byterocket/c4-common-issues/blob/main/2-Low-Risk.md#l004---use-two-step-transfer-pattern-for-access-controls", "There is a suggestion to create an announcements channel named #audit-reports where a new message is posted whenever a report gets published on C4 website.", "Accidental reporting of non-issues does not have negative consequences, but it is recommended to withdraw them to save the judges' time.", "Invalid issues could be punished if you submit more than three of them per contest.", "All rewards are sent in USDC on Polygon.", "Guidelines on determining the severity of rug vectors are expected to be available.", "Issues with the case sensitivity of the warden system were discussed.", "Submitting a high 
severity issue without working code that demonstrates the impact may lead to a high severity issue being downgraded or deemed ineligible for awards.", "KYC might be required to receive prizes for some contests, with the form found at: https://docs.code4rena.com/roles/certified-contributors.", "If an issue is submitted with what is thought to be a high severity issue, and the judge disagrees, the issue might be downgraded but you will still be awarded for the found issue, unless judges invalidate it for overinflating severity.", "The issues in the published reports might be the same as those reported initially, but this point is not entirely clear.", "There was an inquiry about the possibility of changing usernames on Code4rena.", "There was a suggestion to share resources on smart contract security, including books and certifications.", "There was a case where a user couldn't see the $ in their Polygon wallet and suspected that their key might have been compromised.", "There is a question regarding whether the issues in the published reports are the same as those reported and whether the published reports are a summary of what was submitted by the wardens.", "A user is seeking books or certifications about smart contract security.", "Users have the ability to change their username on Code4rena.", "There's a discussion about a user's Polygon wallet being compromised and unauthorized transactions being made.", "The user's Discord was also hacked, and it's suggested that a malicious link might have been clicked on.", "A user is asking for advice on how to prevent future attacks on their wallet.", "It's suggested to use a new wallet to prevent further attacks.", "There's a discussion about how a user's private key might have been leaked and how to verify malicious transactions.", "A new MetaMask wallet on a new device not connected to the internet is suggested as a potential solution.", "A user is looking for guidance on how to deploy a contract on Foundry that takes a 
struct as an argument in the constructor.", "A user wants to change their wallet address and is told to generate a new private key.", "A user reports a problem regarding their MetaMask wallet being hacked and the reward from Code4rena being stolen.", "A user has changed their payment address on Code4rena to a new wallet address to prevent future rewards from being stolen.", "There's a question about how the DAO voting system works.", "A user is seeking guidance about malicious tokens and the level of findings.", "A user had the same problem of their wallet being hacked and had to change their payment address and remove the compromised address from the login.", "A user suggests that their private key was leaked on a public GitHub repository, resulting in their wallet being hacked. It's suggested that a bot could be monitoring new GitHub repos.", "Some users had their Metamask wallets hacked and had rewards stolen.", "After hacking incident, these users changed their payment addresses and removed the compromised address from their logins.", "Some users accidentally leaked their private keys on public GitHub repositories and suggested that bots might be monitoring new GitHub repositories.", "Users use the Hardhat gas report plugin to benchmark their code for gas savings.", "Some users have been waiting for 10 days after applying for Know Your Customer (KYC) process and it's still pending.", "Some users have queries about submission rules.", "A help request can be submitted if KYC application is still pending after a considerable time.", "Users were looking for ways to get notified when a new report is published.", "Some users had trouble seeing transactions with the award from NounsBuilder.", "When users first sign up, they were asked for a 16-digit password, but such condition was not present when resetting the password.", "Some users were having troubles trying to decode topics/data from event logs without using the web3 library, only with information from 
Etherscan.", "Some users were unable to submit their QA due to missing the deadline.", "For gas optimization, only those in the generated report are considered invalid, the rest are in https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md", "There's a discussion about the possibility of demonstrating the actual re-entrancy attack in public testnet.", "Late submissions are not accepted, a firm deadline is maintained.", "Foundry was suggested as a tool for testing scenarios in a local environment, providing an alternative to public testnet.", "The Hardhat Foundry can fork its state from a public testnet or even the mainnet, making it a more convenient option for testing smart contracts.", "Public testnets are used for testing smart contracts, but local forking is preferred to avoid polluting the testnet with unnecessary data.", "Foundry can be used to fork data from a live network such as a main or test net, and once forked, it runs locally.", "Utilising foundry for local forking avoids the need to grab testnet tokens for transactions or wait time on blocks.", "Local forking is convenient and does not pollute the testnet with unnecessary data.", "Public testnet can be used to test a smart contract, particularly for scenarios involving large numbers of users and complex state.", "For simpler contracts or exploratory development, a private testnet can be a more suitable choice.", "Rewards earned from findings can be withdrawn and sent to preferred crypto trading platforms such as Binance.", "Polygon and Ethereum addresses are required for the withdrawal process.", "A user's state will remain the same if a function's state is changed first and then a require statement in that function fails.", "The state will be reverted back to what it was prior to calling the function, should there be a failure in the require statement after a state change.", "A user won a 150k USD bounty for a Youtube interview with Andy Li.", "There was a discussion about 
local forking and exploiting on the mainnet.", "The term \"totalDueTokensAccrued\" represents total DBR accrued.", "The term \"Judge presort awards\" refers to a service for the sponsor where duplicates are sorted out for easier Sponsor Review. More information can be found at https://github.com/code-423n4/org/discussions/50.", "The best reports are focused on one specific attack or issue, feature the project's code, have a simple to understand POC or specific example, and have a coded test that demonstrates the vulnerability.", "The submission rules prohibit making findings \"public\" until a contest is finalised.", "There was a sudden increase of 200+ new wardens in a 24-hour period. Some users speculate a Sybil attack or a marketing move.", "An increase in new members was also noticed on Immunefi.", "A user raised a question on how mathematical expressions will be displayed on the GitHub findings repo.", "A user reported an issue with not receiving a password reset email from the website. The user's username is lfzkoala, and they have been a warden since June. More details at https://github.com/code-423n4/code423n4.com/pull/2095.", "A discussion occurred regarding the distribution of rewards in the context of multiple wardens finding the same issue. The best report typically receives more money, and duplicates below a threshold might not receive any money. 
More details can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards.", "In Code4rena, wardens who report a certain finding first, as well as those who also found the same finding, are recognized in reports such as the Olympus report.", "The rules for awarding shares or rewards to wardens who found a certain issue can be found in the Code4rena's awarding policies: https://docs.code4rena.com/awarding/incentive-model-and-awards", "Code4rena's model differs from a bug bounty model where the second person to report a bug receives no reward due to duplication.", "However, the best report will receive more money than other reports, and if a duplicate report is not beyond a certain threshold, there might be no money awarded for it.", "Contest findings cannot be posted and shared by wardens until the contest report has been published.", "The policies related to submission and discussion of findings can be found here: https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines", "The review process for findings starts immediately after the contest ends, and includes a sponsor review, judge review, sponsor confirmation, judge's final report, and announcement of the results.", "Wardens can see their submission and the comments in their submission after the announcement once the repo is set to public, unless they are certified for backstage access.", "Questions regarding invoicing can be addressed by referring to this document: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions", "There is a question about whether the static analyzer at https://github.com/byterocket/c4udit is currently being used by Code4rena for QA and gas optimization.", "The penalty system for Code4rena involves a high bar for satisfactory performance which might trigger more penalties, and there are a high number of strikes for reports.", "To access private contests, one needs to complete KYC and become a 
certified warden. Details on the process can be found in the Code4rena documents.", "There is a penalty system in place for certain mistakes or errors, but some users have concerns about its fairness and effectiveness.", "There are private contests and participation depends on certain metrics or prerequisites.", "To become a certified warden, users must complete a Know Your Customer (KYC) process. More information on becoming a certified warden can be found at https://docs.code4rena.com/roles/certified-contributors.", "Some users have submitted applications to become certified wardens and are waiting for KYC emails.", "Users may send support tickets when they need assistance.", "Users can communicate in Spanish during contests such as the threat contest.", "Users are inquiring about different methods to format arguments and function names in audit reports.", "Pending transactions in the blockchain mempool are not hashed, which allows access to the data of the transaction and can potentially enable front-running.", "Team participation is not mandatory, and users have the option to participate individually.", "It might take 2-3 weeks to receive the KYC email after submitting an application to become a certified warden. 
The email is sent from compliance@provenance.company and may appear in the spam folder.", "Once a participant joins a team, they are not obligated to always participate as a team.", "Questions were raised about the timeline for receiving KYC mail after submitting an application to become certified C4 wardens.", "One user suggested checking the spam section of the email for the KYC mail from \"compliance@provenance.company\".", "There was a query about how the bounty price is handled if two people submit the same or similar bug.", "A site was shared where potentially free matic can be obtained: https://wallet.polygon.technology/gas-swap/", "A user experienced an issue of zero balance in their Metamask wallet even though there was a hash on polygon scan with their address.", "The issue of zero balance on Metamask wallet was suggested to be potentially resolved by adding USDC on polygon to the wallet.", "A question was raised regarding the use of storage instead of memory in the view function and whether that fits into the category of gas report or QA report.", "The estimated wait time for becoming a certified warden after sending a request is usually 2 business days.", "The link for requesting help was shared: https://code4rena.com/help", "Users were discussing whether a capture the flag event (ctf) for rust smart contracts would be useful, with one participant suggesting that terra and solana may be less relevant now.", "A request was made for the link to the c4audit repo.", "A user had issues with receiving an email from Provenance despite sending a request to become a certified warden 12 days ago and checking the spam folder.", "The order of issues in the context of the discussion could be random or judges may put the most interesting issue first.", "Users in the chat room can send help requests.", "The order of issues judged is mostly random, though sometimes Judges might put the most interesting issue first.", "Some users have had negative experiences while 
pairing in teams, potentially due to differing levels of experience/knowledge or difficulties in establishing trust with anonymous individuals over the internet.", "Rewards are distributed by the CodeArena team and cannot be withdrawn via a smart contract.", "Users can submit reports on vulnerabilities, and they can attach screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected code.", "If mitigations are involved, users can use markdown to write the code in the report.", "Users can create .orig files and use 'git diff' of the project folder when submitting a report.", "There's an ongoing process for the judging of contest bounties, which includes the Trader Joe contest.", "Users are allowed to make a \"secret gist\" to show a code example without being disqualified for disclosing a problem.", "Auditors may fork the codebase and create a private repository on Github without it being considered as information disclosure, as the submitted findings will be created as a Github issue.", "Calldata arguments can be used for external/public functions and they can send calldata data pointers to internal and private functions.", "The public report page is updated mid contest.", "Calldata argument in an internal function is just a pointer.", "There was a query about whether calldata arguments can only be used for external/public functions and the response clarified that they can also send calldata data pointers to internal and private functions.", "The public report page is updated mid contest.", "Delegatecall's return value and what happens when a revert occurs in the target function were topics of discussion.", "Clones, as a minimal proxy with a fixed implementation address, don't call the constructor and require a special non-constructor initializer function to set necessary parameters. 
Here is the link for more details: https://eips.ethereum.org/EIPS/eip-1167.", "There was a question about any vulnerability case studies for front-running the init() function. A user shared a link to an example in a ToB Hermez audit: https://github.com/trailofbits/publications/blob/master/reviews/hermez.pdf.", "Images can be included as part of the Proof of Concept (POC) by linking them externally.", "Some users are waiting to become certified auditors.", "Questions arose about how long it takes to become a certified auditor.", "The RSVP feature requires a reaction to the message in the #\u270brsvp channel.", "A discussion was held on the best practice for submitting bugs and gas optimizations. A link to the submission policy was shared: https://docs.code4rena.com/roles/wardens/submission-policy. Audit contest reports were also recommended for review: https://code4rena.com/reports.", "There was a query about why some of the rewards are pending after the contest has finished.", "Users discussed the gas efficiency of using custom errors instead of require statements with a string and when to use one over the other.", "Some rewards may be pending after a contest has finished, for reasons not specified in the chat.", "There is a discussion about the gas efficiency of custom errors in contrast to require statements with a string in Solidity smart contracts.", "Custom errors save approximately 50 gas each time they're hit by avoiding having to allocate and store the revert string. 
The link to the detailed explanation is here: https://gist.github.com/IllIllI000/ad1bd0d29a0101b25e57c293b4b0c746 and here: https://blog.soliditylang.org/2021/04/21/custom-errors/#errors-in-depth", "There is a query regarding whether it is required to fill the \"Recommended Mitigation Steps\" in the bug template, with the response indicating it is not strictly necessary but can improve the value of the report.", "For team rewards in an audit contest, the prize is sent to a single address, and it is the team's responsibility to distribute it amongst themselves.", "Discussion about a tool used for viewing on-chain contracts of etherscan in an IDE like remix, with a link shared: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484", "A participant is seeking a letter from a security expert confirming that Code4Rena is a high-esteem organization for a US visa application.", "There is a question about possible rewards for submitting a new detector, the answer given is \"Karma Points\".", "The list of optimizations/L1 issues that are looked for in audits can be found here: https://github.com/Picodes/4naly3er/tree/main/src/issues", "A list of optimizations/L1 issues that get looked at for the Code4Rena audits can be found at https://github.com/Picodes/4naly3er/tree/main/src/issues", "There is a possibility of earning Karma Points for submitting a new detector in the audits.", "The reports from the audits are not considered public until they are made public; findings from these should not be discussed on public channels.", "There are hopes that third and fourth place finishes in Code4Rena contests are considered as highly-valued achievements in the industry.", "Early feedback on submissions for improving audits is perhaps available, with an associated link to the judge's post at https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440.", "When using markdown, a dollar sign can be used without creating a 
mathematical expression by typing \"$\".", "There is a link provided for the issue regarding the length to encode the address value at https://github.com/code-423n4/2022-03-maple-findings/issues/16.", "Each slot in the Ethereum Virtual Machine (EVM) is 32 bytes, therefore any extra space in an address field is filled with left padding filled with zeroes.", "There has been a period of 24 days without announcements of rewards.", "There is an expectation of rewards being shipped in the coming week.", "There is a suggestion for an easier way to get notified as soon as a new Audit Report is added on the Code4Rena site.", "There is a possibility of Code4Rena hosting Rust contests in the future.", "There is a question about the possibility of C4 grants for building tools, particularly for building a website to display results in a nice way for job hunting.", "The cheapest way to swap ERC tokens is likely to use a DEX aggregator like https://app.1inch.io.", "There is an interest in hosting Rust contests on CodeArena.", "There is the possibility of C4 grants for building tools.", "The cheapest way to swap ERC tokens is by using a DEX aggregator like https://app.1inch.io.", "Curve Finance has changed its user interface, but the classic version is still available.", "Code4rena contests are generally shorter than Sherlock contests because they have been achieving high-quality results even with a smaller auditor participation.", "Information about how to become a certified warden to participate in private contests can be accessed at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.", "It is possible to submit findings for 'USDC ENS", "Versus contest' even if the contest details are restricted, but payment won't be received for findings as it's an invite-only contest.", "Private contests have their RSVPs available in a channel only visible to certified wardens. 
If it\u2019s in the public RSVP channel, it\u2019s a public contest.", "A user can achieve the backstage role after identifying their first high vulnerability, more information can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "An explanation of untyped data signing can be found at https://github.com/code-423n4/2022-08-rigor-findings/issues/75. It involves signing data with a private key and some parameters.", "Untyped data signing, in the context of the chat, involves hashing, private keys, and signing data with your private key and some parameters.", "A question was raised about a contest not being shown in the live contest section that was previously in the upcoming contest section.", "It was clarified that the contest in question was likely delayed.", "For gas optimizations reports, there's a suggestion that the amount of gas saved for every finding might need to be mentioned.", "Someone inquired about resources to learn math regarding solidity projects and how the accountings are done. A YouTube resource was suggested: https://www.youtube.com/@smartcontractprogrammer", "A question was raised about a platform to send tokens from the Polygon network to the BNB network. Binance was suggested as a possible platform.", "A question was raised about the possibility of impersonating an account in Foundry as can be done in Hardhat. 
It was clarified that it's possible using vm.prank(address).", "A question was raised about using Slither, a static analysis tool for smart contracts.", "A user shared their experience of being approved after sending documentation, possibly in relation to an ID and address verification process.", "A question was raised about the installation of Foundry with Docker and an error that was encountered.", "A comment was made about using NordVPN for online safety and changing IP address.", "A question was raised about VPN recommendations.", "Some users have had no issues with Provenance.", "There is an opt-in ID and address verification process.", "Foundry can be installed with Docker.", "A recommendation was given to use NordVPN for online safety and IP address change.", "Proton and Hoxx VPN are suggested VPN services by other users.", "Users can sign up to be a warden using Github, and to submit a finding, they might need a username and password.", "Users experiencing any issue have to submit a help request through Code4rena.com/help.", "Gas optimization reports can be submitted without specifying the amount of gas saved, however, including that information can potentially increase points.", "Help requests can get delayed due to holidays, such as Thanksgiving.", "After submitting an issue through the form provided on the website, it might not be immediately visible in the Issues in the repo created for the audit.", "Confirmation of issue submission is usually through an email.", "C4udit is used for finding Publicly Known Issues and its newest fork is called Analyzer [https://github.com/Picodes/4naly3er].", "Certified warden certification process might require proof of residence, but some users have completed the process with photo ID and a selfie.", "If users find the same type of issue multiple times, they can report them together or separately; this was left open for discussion in the chat.", "When submitting gas optimization reports, the necessity to specify how 
much gas is being saved for each optimization is based on the judge's decision.", "Certified Warden certification process can potentially be completed using an identity document like a driving license or passport, not necessarily a proof of residence.", "In case of finding the same type of issue more than once, like a Reentrancy attack or gas optimization of the same type, they should be reported all together.", "When analysing a transaction on https://snowtrace.io/tx/0x0806bc0a28e4d808ac4dba25997e4b68b40595e003adbaa758ce4894ee20e15a, the reason for the transaction getting reverted can be found from the decompiled bytecode.", "Decompiling solidity code can be done on https://library.dedaub.com/decompile.", "In the case of saving gas by not requiring non-zero interval if no linear amount, a Gsset for the claim\u2019s interval can be converted to a Gsreset, saving 17100 gas.", "The term \"Gsset\" refers to set storage from 0 to non-0, and \"Gsreset\" refers to set storage from non-0 to non-0, or anything to 0. 
The definitions can be found on https://ethereum.github.io/yellowpaper/paper.pdf page 27.", "If a person loses the seed phrase from their wallet, they should follow the steps mentioned here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked.", "It's possible to update your payment addresses from your C4 account screen: https://code4rena.com/account", "For changing the login wallet address, the instructions are provided at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with", "To clear KYC and become a Certified contributor, there's a step outlined here: https://docs.code4rena.com/roles/certified-contributors.", "MetaMask is being used in some context.", "Information on changing the wallet address used to log in can be found at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with", "Being a warden does not mean that KYC has been passed.", "To clear KYC, one has to become a Certified contributor, as explained at https://docs.code4rena.com/roles/certified-contributors", "There is a query about the meaning of SLOC and the numbers added for every contract.", "Information on the meaning of SLOC is available at https://www.google.com/search?q=SLOC+meaning&oq=SLOC+meaning", "There is a question about whether all bugs/gas optimizations stated in publicly known issues are valid for other files within the same repo.", "There are discussions about the use of fuzzing tools in auditing smart contracts.", "A user is seeking advice on taking Web3 as a full-time career and potentially getting a job as a junior auditor role in an auditing firm during a Bear Market situation.", "An estimation of 150-300 submissions per contest, including QA, gas, duplicates, and invalid ones, is given.", "There is a discussion on how issues marked as high risk are treated by judges, including the possibility of them being downgraded or discarded.", "There is a question about 
whether it is acceptable to show a proof of concept against a block number known to work on a testnet fork with state changes.", "It is noted that high-risk issues typically have a higher burden of proof.", "There is a discussion about whether abi.encode is preferable over abi.encodePacked in the context of smart contracts.", "A video explaining some aspects of contract auditing is shared: https://www.youtube.com/watch?v=wCD3fOlsGc4", "A query is made about whether it is best practice to prepend all internal functions with an underline and whether the same applies for function parameters.", "There was a minor issue with some items being double counted in the leaderboard, which was meant to be updated later.", "There's a discussion about best practices regarding the use of underline in internal functions and function parameters.", "There's an issue with rewards being announced before the leaderboard is updated.", "An issue was caught with a couple of items being double counted in the leaderboard, with an update to the numbers scheduled for later that day.", "The sponsor for para.space is not responding to queries in both Discord channel and direct messages.", "The process of reporting takes time due to prioritization of other tasks such as merging awards.", "There is a process for understanding why a bug was not accepted to improve future submissions.", "Uncertainty exists on whether to submit findings that the user isn't sure of due to lack of specification in documents. The advice is to submit these findings or direct message the sponsor team for additional context.", "There is no penalty for submitting incorrect findings. However, users are advised to read discussions about grading and awarding, possibly including future penalties", "[https://github.com/code-423n4/org/discussions/50](https://github.com/code-423n4/org/discussions/50)", "Users who have over 3 mediums confirmed are eligible to get the backstage role. 
To get it, they need to submit a Help Desk request.", "Information on how to get the certified warden role can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.", "There are questions about gas optimization issues of project Escher being visible before the contest ends.", "Information on 'known issues' policy can be found at https://github.com/code-423n4/org/discussions/50.", "The script used for the contest can be found at https://github.com/Picodes/4naly3er.", "If a team of two submits one finding, one payment will be issued and the team will have discretion over how that money is paid to its members as per https://docs.code4rena.com/roles/wardens.", "Submitting the same item separately decreases the overall value of the submission.", "There is a public script available at https://github.com/Picodes/4naly3er.", "When a team submits a finding, one payment will be issued and the team will have discretion over how that money is paid to its members. 
This information is outlined at https://docs.code4rena.com/roles/wardens.", "If multiple members of a team submit the same item separately, it decreases the overall value of the submission.", "Users have potentially experienced issues when submitting findings to the Escher contest, where they see 'No findings submitted for this contest' despite having submitted their findings.", "Participants can ask questions about how to exchange USDC on Polygon into BTC.", "There is a question on whether it's acceptable to provide a link to a competitor of the project as a mitigation for an issue when submitting findings.", "There are concerns about the csv design and the leaderboard becoming slow.", "When submitting a finding with a proof of concept, it's possible to include the proof of concept in a gist file.", "Participants are expected to receive a mail regarding their submission.", "Participants can check their issue for the finding they sent on Github from the report.", "There's a question about the understanding of specific Solidity syntax, specifically \"Sale public sale.\"", "Some participants are curious about the use of fuzzing tools like Echidna for auditing in contests.", "A link to a question on Ethereum StackExchange was shared, but the content of the question isn't known from the excerpt: https://ethereum.stackexchange.com/q/140937.", "There is a discussion about understanding solidity syntax and programming.", "Users are curious about the use of fuzzing tools like Echidna for auditing in contests.", "Until solidity 8.0, fuzzing tools were used a lot for auditing, but their usage has decreased after Solidity 8.0 due to the implementation of an overflow/underflow check at the language level.", "Users have questions about distinguishing between different roles in the contest such as a certified role and a backstage role.", "Information on certified contributors and backstage roles can be found at https://docs.code4rena.com/roles/certified-contributors.", 
"Certified contributors have done KYC and can participate in private contests, while backstage requires certified status and minimum requirements of submissions to access the contest repo post closure and pre-public report release.", "There is a discussion about finding an attack path that can cause a Medium or High impact in a contract and if it can be submitted.", "For users utilizing automated tools for attack findings, there is a higher burden of proof to demonstrate a relevant HM exploit path to be considered satisfactory and the link provided for more information is https://github.com/code-423n4/org/discussions/50.", "There is a conversation about the best practices for immutable state variables in a programming context.", "If the user realizes something is a false positive after submission, they can retract the submission by going to the contest page and clicking the findings tab.", "A question is raised about how judges determine which reports get featured in the client report.", "A user inquires about the detail behind the statement \"INTERNAL FUNCTIONS ONLY CALLED ONCE CAN BE INLINED TO SAVE GAS\".", "A question is raised on how to know the reasons for findings rejection.", "Submissions can be retracted on the contest page under the findings tab.", "There is a process to determine which reports get featured in the client report.", "Function inlining can be used to save gas in smart contracts.", "The reasons for findings rejections are provided in some form.", "Some auditors may automate the process of finding potential issues in the code.", "The term 'Solo' refers to findings that were found only by a particular auditor, with no duplicates.", "It is possible to change one's handle, however, leaderboard standings and submissions under the previous handle are not transferable to the new account.", "Users can link their GitHub repositories as proof of concept in their finding submissions.", "Contestants are allowed to discuss potential issues with the 
sponsor while the contest is ongoing.", "Each contest has a channel where general questions can be asked, and sponsor team members are available for questions via Direct Message (DM).", "Leaderboard standing in CodeArena is not transferrable. Findings submitted under a user's current handle or username are not moved to another account.", "It is possible to discuss potential issues with the sponsor while the contest is ongoing. There are specific channels to ask general questions and sponsors' team members are available for questions via direct messaging.", "An understanding of EVM can aid in auditing and writing Solidity code, but the specific relevance is not detailed in the chat.", "The results of submitted bugs to the contents in Code4 are revealed once the report is made public. In the meantime, users can check previous reports to see what a high-quality submission looks like.", "There seem to be some issues with the password reset function for some users.", "When a user submits a Quality Assurance report for the first time and receives an error, they can check if it has been successfully submitted by checking their email for confirmation or viewing the findings through the \"View Context\" function.", "Contest rewards are transferred once per month, typically at the beginning of the month.", "When users are having issues, they can open a help desk request at https://code4rena.com/help.", "Updates to roles after approval from provenance typically take a few days.", "Not all reports or findings are guaranteed a reward. 
Reports are graded and must meet quality standards to be considered valid and satisfactory.", "Reports should contain the issue, description, Proof of Concept (where necessary), and mitigation (where necessary).", "Quality Assurance and gas reports should be written in divided reports.", "Reports related to smart contracts are graded.", "A report should aim to include the issue, description, proof of concept (where necessary), and mitigation (where necessary) in a semi-professional report format.", "Quality Assurance (QA) and gas reports should be written as divided reports.", "If a vulnerability is found but difficult to fix without major changes to the protocol, it can still be reported. Recommendations are appreciated but not a must.", "A vulnerability in an out-of-scope contract can still be reported and may be brought in scope by a judge.", "One byte consists of 8 bits. For example, \"address\" which can be casted to \"bytes20\" is 160 bits, and \"uint256\" is 32 bytes.", "A \"bytes\" variable is an array of bytes32, not just 32 bytes. 
More information can be found here: https://docs.soliditylang.org/en/v0.5.12/types.html#dynamically-sized-byte-array", "Arrays are stored differently in storage than individual elements.", "When unsure if findings should be submitted as separate issues or as one, it's unclear which way to lean.", "After a contest is closed, there is a certain period of time before the findings repo becomes publicly available for discussion, but the specific duration is not mentioned.", "To qualify for the backstage role, a certain number of findings in different areas or of different scores is required.", "It's possible to submit issues as a team, but the exact process of doing so is not clarified.", "If a vulnerability is found in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding or the project can be directly messaged.", "Writing an attack contract and then explaining the effects of the contract in plain writing could possibly count as a proof of concept.", "The space a \"bytes\" variable occupies in a struct is discussed, but the final answer is not clear in the chat.", "There is a question about whether 'on the fence' vulnerabilities should be rated as High or Medium risk, but no definitive answer is given.", "There is a suggestion to look at different staking contracts to learn about different ways staking functionality can be implemented.", "In the context of storage, arrays do not take up one slot.", "The findings from contests are posted in the section where Contests are posted.", "The GitHub public repositories for Code4rena are located on the Code4rena website, specifically under all live contests.", "The question was raised about the location of findings report repositories to check why certain findings were not accepted.", "A query was made about the function totalSupply() in the solmate ERC20 contract. 
The contract's link is https://github.com/transmissions11/solmate/blob/main/src/tokens/ERC20.sol", "In the openzeppelin contract, _totalSupply is a private storage variable so it needs a view function to see it, whereas in other contracts, a view function with the same name is automatically generated for public storage variables.", "Functions are automatically generated for public storage variables, constants, and immutables which aren't stored in storage. More information about state variable visibility can be found at https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility", "The Goerli faucet hosted by Mudit is questioned if it's working or not as the user is getting \"insufficient funds for gas * price + value\"", "https://goerli-faucet.mudit.blog", "When a medium finding is marked as invalid and there are many duplicates, it gets marked as scrapped.", "Users can log in to their Code4rena account as usual (individual warden accounts) and then switch back and forth between their individual account and their team account before submitting.", "Code4rena does not currently allow users to change their login wallet address but if they have Metamask they can link multiple addresses. More information here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with", "If team account users are having issues, they are advised to open a help desk ticket at https://code4rena.com/help.", "Code4rena is pronounced as \"Code Arena\".", "C4 is pronounced as \"Code Arena\".", "The login wallet address cannot be changed at present, but multiple addresses can be linked if using Metamask. 
More information is available at: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with", "If there are issues with changes to a team, users are advised to open a help desk ticket at: https://code4rena.com/help.", "There will be more contests with the structure of an initial audit prize pool and a mitigation review pool in the future.", "Mitigation review will be limited to the top wardens of the corresponding initial contest.", "Users can add pictures in the report if it helps the explanation of a proof of concept.", "The report is done in markdown and images can be added in this way, the final report will be compiled with the image(s) if accepted. More on adding images to markdown can be found here: https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images", "Users are allowed to submit findings they are unsure about, but getting more than 3 reports rejected in a competition will prevent the user from getting any payout for that competition.", "To become a certified warden, users need to complete a Know Your Customer (KYC) process.", "Currently, there are no certifications to become a \"professional certified\" auditor.", "Listing any of the C4udit gas findings will void your report and count as 3 rejected reports.", "Users are concerned about getting penalized for too many unsatisfactory submissions.", "There is a concern among users about getting penalized for too many unsatisfactory submissions.", "Users are looking for resources to study for regex and analysis of abstract syntax tree.", "There was a question about whether more rewards will be provided before the Christmas break.", "Users have questions on how to make submissions, whether they should find all bugs before creating a final report or create one issue per report.", "Users can edit their submitted gas report findings on the C4 page while the contest is open.", 
"After submitting an issue on the C4 website, users don't need to create an issue on GitHub as well, as the C4 system does this automatically.", "A new contest was mentioned as being private, leading to questions about how to get access to such contests.", "Users can apply to be a Certified Contributor.", "Help desk requests can be made through the Code4rena website: https://code4rena.com/help", "Users are interested in learning about proxies and upgradeable contracts. A link was shared to learn about proxies: https://proxies.yacademy.dev/", "Users can request to be a backstage warden.", "Users are reviewing previous competition findings to understand areas of improvement. A link to a previous competition finding was shared: https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137.", "Resources to learn and master proxies and upgradeable contracts can be found at https://proxies.yacademy.dev/.", "Help requests to CodeArena can be made for various purposes, such as becoming a backstage warden.", "The CodeArena help desk receives requests and usually responds to them in a certain timeframe.", "Feedback and improvement suggestions are provided for participants in CodeArena's ArtGobblers competition. More information about the competition can be found at https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137.", "Judging in CodeArena competitions involves grouping and scoring findings. A 'C' score is considered unsatisfactory.", "High-quality and high-quantity findings tend to score better in CodeArena competitions. 
For more insight, participants can compare their findings with winning reports found at https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues.", "Sandwich/front-running attacks are valid vulnerabilities that are in-scope for CodeArena's competitions.", "The general Mitigation Review process at CodeArena is explained in this article: https://medium.com/code-423n4/a-look-at-code4rena-audits-mitigation-review-3e05f8b7acb7.", "Participants in CodeArena's competitions can name their findings with a number to help judges.", "Understanding the purpose of a codebase generally requires reading the documentation or having previous experience with similar code.", "Payouts to participants are linked to their Discord usernames and specific wallet addresses.", "Participants can check their acceptance as a warden on CodeArena's platform.", "Proof of competency in this space can be demonstrated through Github profiles.", "Running tests for the GoGoPool contest requires certain instructions to be followed.", "Users are trying to run the GoGoPool contest on Windows.", "The running instructions provided in the document are the same for all operating systems.", "Some users are facing difficulties running the contest with the provided instructions.", "'npm install foundry' was suggested as a possible solution for running the contest.", "A user encountered difficulties getting the GoGoPool contest running in VSCode even after cloning the repository.", "VirtualBox running Ubuntu was used as a workaround to successfully run the GoGoPool contest.", "There are delays in bounty payments, likely due to the DAO employees being on holiday.", "High quantity and high-quality reports tend to win in CodeArena contests, as seen in the following report: https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues.", "There was a question about whether gas optimization and gas reports are the same, to which it was confirmed they are.", "A reference to 
a recent CodeArena report was given: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations.", "Solidity stores state variables in 32 bytes storage slots and packing variables into fewer slots can reduce gas costs, as explained in this document: https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html.", "One-step changes with critical addresses could lead to errors. Two-step changes are considered safer and better practice.", "It's recommended to report any gas optimizations separately.", "Solidity stores state variables in 32 bytes storage slots, and multiple variables can potentially be packed into a single slot if they are declared next to each other, which can reduce gas costs. [More about this can be read at https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html]", "Using a two-step change process with critical addresses is considered safer and better practice than a one-step change, as it can help prevent errors such as passing in the wrong address.", "All findings related to gas optimization should be put under one report.", "It was asked if the USDC reserve contest will be open to all or just private.", "Reporting a high or medium severity vulnerability found a few days after the contest ends would most likely involve responsible disclosure to the development team, and it would not be awarded by C4 outside the contest timeframe.", "It was asked if 1inch gets the aggregated price in the native coin that its being called on for the getRateToEth() method or if it just gets the rate to ETH for all chains.", "When a support ticket is created on the homepage, the user might not receive a notification via email, but the ticket was confirmed to have been received.", "If a finding is submitted as medium severity but the judges believe it is high, the severity of the finding can be upgraded, unless there is a reason to penalize it.", "Issues can possibly be upgraded to a higher severity, and the specific severity of 
an issue does not matter as much as a good explanation of the finding.", "Calling a contract's own function like \"InterfaceA(address(this)).functionA();\" would be considered an external contract call and would change the msg.sender value inside the function.", "A discussion about KYC and OFAC sanctions screening was held with regards to the OpenSea contest, and it was mentioned that KYC confirmations would be processed over the next couple of days. There was a question about how to know if a warden has done the KYC, because it can't be seen from the front-end.", "KYC (Know Your Customer) verification is required in the context of a contest.", "Confirmation of successful KYC is communicated to the organization who then processes it.", "The term \"OFAC sanctions screening\" was brought up in context of a contest. There was a suggestion that the term should be replaced with \"certified\".", "Provenance informs the organization once a user has been KYC'ed.", "Users will receive an email once their certification has been finalized.", "There is the possibility for future audits of rust-based programs, as they have been done in the past.", "In the context of QA and gas reports, rewards are divided into grade A, B, C, based on quality and gas savings. 
Grade A and B get rewards.", "Regarding the use of foundry in a project that uses hardhat, a base template can be found at https://github.com/foundry-rs/hardhat-foundry-template", "An opcode learning resource was provided: https://www.evm.codes/", "Discussion about a specific contract function context illustrated that if a certain action needs to be voted on before it gets called, the contract itself would call the function.", "Users were directed to the following link for information on the Steakhouse contest: https://discord.com/channels/810916927919620096/810936719003090974/908760695712149515 and https://discord.com/channels/810916927919620096/1040268281040359556/1055712214016868352", "Spearbit DAO was mentioned and it was suggested that yAcademy is better for those new to smart contract security.", "There are questions about a contest referred to as the \"steakhouse contest\", with a suggestion to read the relevant posts for more information.", "There's a user who expressed interest in participating in future contests involving the programming language Rust.", "Foundry can be used in a project that employs Hardhat. A base template for this can be found at https://github.com/foundry-rs/hardhat-foundry-template.", "The platform allows viewing reports from other wardens even after contests have ended, but there is a query regarding visibility if there is no table with results.", "The platform has a tool for running audits, which is work-in-progress, located at https://github.com/HardlyCodeMan/audit_helper/.", "There's confusion about bounty payouts. If multiple auditors report the same bug, they all get a portion of the bounty. Common findings are usually out of scope as they are picked up by the C4udit tool. 
The findings are linked in each contest readme and if they're not picked up by the tool, they should be submitted.", "All types of accepted reports from high level down to gas optimizations are eligible for payouts, assuming the report is of high quality, the findings are accurate, and there is a working proof of concept.", "There are inquiries about the distribution of payouts for the Stakehouse contest.", "People can join as wardens in the contest as groups or teams. The method of registering a team can be found at https://docs.code4rena.com/roles/wardens#registering-a-team.", "The page doesn't automatically reload when a contest has started.", "There are questions about what a \"Mitigation review contest\" is, with a response suggesting it might be when projects invite top wardens back after the contests to review bug mitigations.", "There are questions about reward distribution, specifically whether duplicate issues receive a reward or just the first reporter.", "There is a query about how to fix missing imports on sol files, related to the error \"not found: File import callback not supported\".", "The chat participants are discussing issues with missing imports on .sol files.", "The solution suggested involves installing dependencies to resolve the issue.", "Errors with missing imports appear at the top of every .sol file.", "The `forge i` command is suggested as a solution to install dependencies.", "The git clone command with submodules, including the specific example `git clone https://github.com/code-423n4/2023-01-astaria.git -j8 --recurse-submodules`, is provided as a way to obtain necessary files.", "A tool named `audit_helper` is mentioned that helps when initializing a freshly cloned audit repo.", "The forge install command is discussed and is said to rely on git submodules, thus the libraries are not lost.", "The terms \"judge + presort\" and \"scout\" are related to the bounties, where \"judge + presort\" refers to the portion of awards set aside 
for work performed by judges, including consolidating duplicates. Scouts are independent scope judges providing feedback on an audit's scope.", "Once registered in a team for auditing, all audit findings belong to the team and all funds go to a single wallet for dispersal to the team.", "Individuals performing audits can either work solo or in a team, but if in a team, all rewards go to the team and the team is responsible for dispersing the funds.", "Benefits of joining a team for auditing include working together, sharing ideas, and learning faster together.", "More information about team audits can be found at https://docs.code4rena.com/ with specific reference to the section on teams.", "A user can learn more about Code4rena and teams at https://docs.code4rena.com/.", "Joining a team allows members to work together, bounce ideas off each other, and learn faster.", "If a person is part of a team, they can choose to submit solo findings whenever they want. The submission form allows members to select whether they're submitting as an individual or as a team member.", "The rewards for the contest \"stakehouse-nov11\" have been distributed.", "Users are requested not to have public discussions until reports are published.", "A finding may be considered high if it causes a direct loss of assets, such as a large portion of the yields.", "A user's concern about how the same finding submitted by multiple Wardens can result in a significantly different award value was addressed. The level of detail in the submission, for example, the inclusion of a Proof of Concept (PoC), and the way the issue is covered in as many aspects as possible can influence the award amount. 
The possibility of a bug in the award math was also raised.", "This information was found at https://github.com/code-423n4/code423n4.com/pull/6700/files.", "The time it takes to complete KYC after submitting was asked, but not answered in the excerpt provided.", "A question about the availability of a tool or plugin to check solidity code for syntax mistakes and checks, similar to the functionality of the online Remix IDE, was raised but not answered in the excerpt provided.", "A question about more requests for \"redacted-cartel\" and \"pooltogether\" was asked and addressed privately.", "The C4CAs team is not accepting new members.", "The chat discusses about how rewards are distributed among wardens who find the same issue in the code.", "The amount of rewards for finding issues can vary significantly, with some wardens getting thousands of USDC while others only get hundreds.", "There is a question about whether a link can be provided if the Proof of Concept (PoC) for an issue is too large to be embedded directly in the issue. A participant confirms that this method is known and implemented by many wardens, while another suggests it is best to send in the issue, but providing a gist is acceptable if not.", "Only certified wardens are allowed to participate in mitigation-review contests.", "A participant asks about the process for creating an invoice for the rewards they received from a contest. They are directed to the bottom of the following page for the necessary information: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions", "There is a question about what a formal verification contest is, and the participant is directed to the contest repository for more information: https://github.com/code-423n4/2023-01-blockswap-fv", "Backstage passes can be obtained by those who have participated in three contests and have either one high or three medium findings. 
To apply, they should submit a help desk request: https://code4rena.com/help", "To get a backstage pass, wardens also need to be certified.", "Participants are advised to wait for the report to be published and the findings repo to be made public to check on their submissions.", "There is a discussion about the classification of findings (High, Medium or QA) based on the severity of loss caused by the issue. The severity of loss that qualifies a finding as high, medium or QA is as follows: If all rewards can be lost, it's MED/HIGH. If there's a risk of losing some rewards, it's probably medium. If rewards are lost due to roundings (a negligible amount of rewards), it's probably QA. If the principal can be stolen without needing extra requirements, then it's probably HIGH.", "A participant inquires about their high finding related to buying NFTs with zero amount being categorized as medium. They are told to wait until the report is published to check on their submissions.", "Participants are still learning about the system and process.", "A backstage pass can be obtained if a participant has participated in three contests with either one high or three medium fundings.", "In order to apply for a backstage pass, participants need to submit a help desk request at https://code4rena.com/help", "To get a backstage pass, the participant must also be certified, as described in https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints", "The help page of the website was showing an 'Out of Office' message at the time of the chat.", "User error can affect the grading of bug reports.", "There was a question about whether an issue submitted as high severity but downgraded to medium by a judge would be considered overinflated severity and thus be invalidated. 
This was clarified in the context of the guidelines in https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions", "If a low issue/non-critical (QA) bug that also reduces gas is discovered, it should be included in the QA category and mention the gas savings. If the issue is only related to gas savings, it could be downgraded from QA to Gas.", "Information about how awards are divided between grade A and grade B for QA and Gas reports can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards", "A user new to auditing was looking for recommendations on past contests to practice on and to read old reports.", "A user was asking for guidance on how to create specific types of code, involving the use of 'git diff' in the terminal and using backticks in the report.", "There was a query about how to use 'brownie' in the context of auditing.", "The process of linking a C4 profile to a Twitter profile was queried, with the suggestion that it might be for certified auditors.", "There was a query about the difference between two lines of code, involving the use of variables.", "It was stated that the KYC process can take a while, depending on the back and forth between the user and Provenance.", "Provenance was mentioned as being able to update a user's status on the C4 side within a few days.", "Users are seeking help on how to use \"brownie\" tool.", "There are inquiries regarding binding a C4 profile to a Twitter profile.", "Participants are discussing the differences between two distinct lines of code.", "An individual has submitted a report for the first time and is asking how to check the submission status or report.", "Users are discussing whether they can put all non-critical findings in one QA report or create one QA report for every finding.", "There's a request for reporting a spammer.", "There's a question on whether potential medium findings need to include Proof of Concept (POC).", "Submissions 
are confirmed via email and can be viewed on the C4 Contest page under the \"Findings\" tab.", "Only the findings submitted by a user or their team are visible to them until the final report is made public.", "Users are discussing challenges in understanding reports and concepts related to smart contracts.", "There's a request for a recommended tutorial to study the testing framework of Hardhat.", "Recommendations for learning the testing framework of Hardhat include the Codecademy Javascript testing module and the Alchemy University's Ethereum Bootcamp in week 4.", "Forge init command should be run on clean directories.", "A discussion about the two-step process for making critical changes in smart contracts is taking place.", "Users can submit one combined gas and one combined QA report, and they can edit existing findings.", "After registering with Provenance and getting KYC approved, users can get their roles processed on Code4rena's end. A help desk request can be opened at https://code4rena.com/help if there's no response after a few days.", "Participants can submit one combined gas report and one combined QA report. They also have the ability to edit existing findings.", "After registration with Provenance and KYC approval, there is a processing period. Team will process the user's role after receiving confirmation. In case of delay, users can open a help desk request at https://code4rena.com/help.", "Reports can be found at https://code4rena.com/reports. The recommendation for beginners is to start with reports from smaller bounty contests due to their smaller codebase sizes and less complexity.", "If a user forgets their registration wallet address, they can seek help at https://code4rena.com/help.", "Leaderboard updates are carried out when awards are announced.", "Winning awards from contests are distributed to the user's registered wallet address. 
Users can check the announcement channel for updates on distribution.", "A user should put their polygon address in their account.", "If a user finds discrepancies or issues with the reports, they can create a ticket.", "For wardens who want to review their findings, they can refer to the data folder in the findings repo. JSON files within the folder are named as [warden-handle]-[issue number], from which the issue numbers can be used to look up the findings directly.", "If participants disagree with a decision about a contest judgement, they can review issues at https://github.com/code-423n4/org/issues. They can add comments on existing issues, support existing suggestions, or open a new issue if their concern is not already addressed.", "The process to get the backstage role was not clarified in this chat excerpt.", "The process to find how findings were judged involves checking the data folder in the findings repo and looking for json files named as [warden-handle]-[issue number].", "If a participant disagrees with a judgment decision, there is no recourse if the contest is already judged.", "However, if the concerns focus on inconsistency, process, or lack of clarity in rules, participants are encouraged to review issues at https://github.com/code-423n4/org/issues. They can add fact-based comments, support suggestions, or open new issues there.", "Information regarding backstage role assignment can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "The purpose of gas reports is not specifically clarified in terms of whether it is necessary to show Proof of Concept for the gas saved or if a description and mention of gas saved is enough.", "Backstage access can be requested through a help request if the criteria are met.", "The \"C4 output\" for the contest can be found within an hour of contest opening. 
It includes issues reported but at the Judge's discretion, reports that look like copy-pastes or use the same underlying risk may be deemed out of scope/already known.", "If there is no response from Provenance within a couple of days, participants can open a help desk request at https://code4rena.com/help.", "Profile pictures and Twitter links updates can be requested through a help desk request.", "Know Your Customer (KYC) request responses from Provenance may take some time, and users can nudge them for a response.", "Profile picture updates for user profiles require a help desk request.", "There are instances where users send a KYC request to provenance and await confirmation.", "Queries exist regarding how to find out how the users' findings were judged.", "Open source tools are queried that can calculate points & rewards, taking duplicate findings into account.", "The formula is public and users can crawl the findings repository.", "Users participate in various projects like opensea-seaport.", "Wardens are asked to start the process within 48 hours of contest close.", "Awards cannot be distributed until the process is completed.", "Users can earn by identifying gas optimizations, but the earnings depend on their proficiency.", "There are specific contest channels for different protocols, such as the Quests Protocol.", "Users with a grade-B in QA are eligible for awards.", "If a QA issue is submitted, a judge can elevate its severity to M/H if necessary.", "Users can only submit one QA issue, but can edit the existing submission if they find another error.", "The \"Findings\" tab is where users can edit their QA issue submissions.", "If a user's QA entry lacks a description, it's not as detailed as the HM.", "Questions were raised on gas optimization, particularly if swapping the order of a function that first checks from storage, then checks the calldata, could optimize the gas.", "The link to the submission policy for automated findings was shared: 
https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible.", "Participants can edit their QA submission if they find another error after submitting once.", "Judges can elevate the severity of a QA issue if it is described in detail.", "Participants can ask for clarification on gas optimization.", "Participants can submit a bug finding in both medium and gas findings if it is of medium severity and affects gas.", "A Scout is a certified contributor in CodeArena and there is an award provided for serving in this capacity. More information can be found at: https://docs.code4rena.com/roles/certified-contributors", "\"The C4audit output\" refers to a tool used by CodeArena to generate automated findings for each contest. The tool currently in use can be found at: https://github.com/Picodes/4naly3er. Automated findings are ineligible for rewards, as detailed at: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible", "Participants can upload an image when submitting a report by registering a free account on https://cloudinary.com/, uploading the image and copying the image URL.", "The findings.csv file at https://github.com/code-423n4/code423n4.com/tree/main/_data/findings can be parsed to create a table with all wardens and their deduplicated findings.", "Participants sometimes do not see their submissions on the Findings tab and cannot edit them.", "After submitting a finding, participants can expect a follow-up.", "Participants can fill the Proof of Concept section when submitting a finding by providing direct links to all referenced code in GitHub and adding screenshots, logs, or any other relevant proof that illustrates the concept.", "Participants do not need to be KYC'd or certified to receive rewards from most contests. Contests that require it will have it stated. 
More information can be found at: https://docs.code4rena.com/roles/certified-contributors", "Once a submission is confirmed and the reward amounts are announced, participants have to wait for it to go to their wallet.", "Participants are unsure if Code4Arena is okay with disclosing vulnerabilities to sponsors.", "The grading and sharing system for QA/GAS reports is explained, with Grade A reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus.", "Most contests do not require being KYC'd, but any contests with that requirement will have it stated.", "Information on becoming a certified contributor can be found at https://docs.code4rena.com/roles/certified-contributors.", "Once a submission is confirmed and reward amounts announced, participants just need to wait for it to go to their wallet.", "An example of how to present a proof of concept (POC) for a bug and its impact can be found at https://github.com/code-423n4/2022-12-caviar-findings/issues/376.", "Another example of an accepted POC is provided, which involves copy pasting the code with a detailed comment about the bug itself and its impact: https://github.com/code-423n4/2022-12-caviar-findings/issues/343.", "A simpler example of a bug report is also shared, with little comments but showing the impact: https://github.com/code-423n4/2022-12-caviar-findings/issues/141.", "Participants can withdraw their old issue if they want to make a new submission of the same issue.", "It is unclear whether a participant will get a reward if they evaluate an issue as low and put it in a QA report but it is judged as medium.", "The question of whether code simplification, such as combining two for loops into one, is a QA report or GAS optimization is raised.", "Text color in reports can be added using presets for code when doing a code block, usually javascript is used for solidity.", "Code4rena encourages participants to reach out to the sponsor team during the contest if they think they've 
found something and want to ask questions. Participants can also disclose a vulnerability directly to them, but they need to submit it via the contest submission form or it won't be eligible for awards.", "An answer to a question about whether issues can be upgraded from a QA report into med/high is shared: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum", "If a participant has a question about one of the contests and it's a security issue, they can submit a help request at https://code4rena.com/help.", "There's a question about whether issues can be upgraded from a QA report to medium or high. Information about this can be found on the Code4Rena help page: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.", "Users with questions about contest security issues are advised to submit a help request at https://code4rena.com/help.", "There's a discussion about the possibility of calling the safeTransferFrom function of an ERC-777 token contract in another smart contract.", "Questions about smart contract issues can be reported differently based on the judgement of the reviewer.", "There's a query about how to see previously available information in \"_data/contests/contests.csv\".", "There's a suggestion for making posts in certain channels into \"announcement channels\".", "There's a discussion about tax reporting for C4 bounty earnings, which clarifies that tax reporting is individual responsibility and not handled by C4 or Provenance.", "There's a question about submitting the same issue that was found with the automated finding but in a different instance.", "There are questions about password retrieval and feedback on submissions.", "There's a discussion about risk labeling for findings and how to 
decide between high and medium risk.", "There's a question about how to classify a finding between QA and Medium.", "If a finding breaks the protocol but no funds get stolen, it could still be classified as a high risk.", "Doubts about whether a finding is only QA or Medium should be filed as QA unless the proof of concept (POC) is coded.", "Even if a function is called on the contract with address(0) as one of the parameters and it has no impact other than a mapping being filled with random entries, it should be reported as QA", "Informational.", "Known issues should be excluded from gas reports.", "Sponsors generally do not see the submissions before the contest ends.", "There's a mention of a fairness concern that if sponsors have early access to the vulnerability submissions, they might exploit the information.", "Trust between wardens and sponsors is important and there is a concern raised about the potential misuse of disclosed vulnerabilities.", "CodeArena used to allow sponsors to see submissions early, but they found it a better experience if sponsors receive a triaged list after an initial sorting process.", "A table with an overview of the rewards can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic", "Beginners may face issues in understanding certain code instances and they are advised to make one report and reference the related issues in it.", "There are no issues reported with signing into Code4rena.", "An \"edited-by-warden\" tag on a submitted issue means that the submitter has used the website to change the issue after sending it.", "Multiple issues of the same nature in a code can be reported as one.", "Users can sign into Code4rena using username and password.", "A tag named \"edited-by-warden\" on an issue means that the user used the website to change it after it was sent.", "Discussing findings just after a contest ended is not allowed to give sponsors time to fix the issues.", "The order in which 
wardens report a duplicate bug does not impact how much they get paid. This is supported by the incentive model and awards section of the Code4rena documentation: https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit.", "If no Medium/High vulnerabilities are found, the full award pool would be divided based on the QA Report curve.", "Upcoming contests get listed on the Code4rena main page: https://code4rena.com.", "Front-running possibilities could be considered either Medium findings or QA, depending on the impact.", "After each contest ends, the leaderboard gets updated and users can see the number of overall issues they reported at https://code4rena.com/leaderboard.", "Users can write Proof of Concept (PoC) in any language, as long as it demonstrates the vulnerability.", "It is possible to report a variety of findings based on different combinations of issues found to create different attacks.", "The reporting section supports Markdown (MD) format, which can be used to add code blocks. 
The guide to doing so can be found here: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks", "Users can check the #\u270brsvp channel to know about upcoming contests.", "Reporting sections in CodeArena support MD format for adding a code block.", "Information on how to add code blocks in MD format can be found at https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks", "The next contest details after the \"Popcorn\" contest can be checked in the #\u270brsvp channel.", "If the root cause of a finding is the same, it will be accounted as duplicates of each other.", "If a participant's name isn't mentioned in the report, it does not affect future submissions, but it may have a minor impact on the leaderboard ranking.", "The leaderboard ranking is affected by both the current contest and the total participation of a contestant.", "Backstage access request processing was paused at the time of the chat and could take up to 24 hours after KYC is admitted.", "To gain backstage access, a participant should have been part of 3 or more contests.", "Adding Solidity syntax to code blocks can be done using the MD format.", "New contests are announced on the RSVP channel.", "Screenshots are generally recommended not to be added to a finding as they can pose a security issue.", "Reports or findings get reviewed and triaged immediately after contest end, but they await sponsor review and final judging before being made public.", "The review process for reports could take between 3-6 weeks on average, depending on the contest and the number of reports under review.", "Reports from contests are typically checked within an average period of 3-6 weeks, with the precise time depending on the contest and the number of reports on review concurrently.", "There is interest in creating a notification system, such as a Telegram bot, for 
announcing new contests.", "Reports are generally reviewed and triaged immediately after a contest ends by judges, and then they await sponsor review, final judging, and Quality Assurance before being made public.", "If there are concerns or issues with a report, clarification may be sought from \"wardens\".", "Comments in reports are generally between judges and sponsors, though occasionally there are comments from \"backstage wardens\".", "Current ongoing contests can be found by checking the respective platform, or information can be sought from the team which is regularly in contact with various projects about upcoming audits.", "Money is not necessary for testing smart contracts in a contest; testing can be done using local/testnets.", "The label \"old-submission-method\" in a report refers to a period when wallet-based authentication was rolled out for the website and submission form, but non-logged-in users were still supported to allow time for re-registrations. This label was used to track which version of the submission form was used, in case that data became relevant.", "Medium risk vulnerabilities (Risk 2) ideally require test codes as Proof of Concepts when writing reports, similar to high-risk vulnerabilities.", "The default setting for the leaderboard shows the last 60 days results; one can change the settings to view results for a specific time period.", "A certain automated gas optimization detected by an automated audit tool is called 'Use assembly to check for address(0)'. A description of this issue can be found at https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs. 
This optimization using assembly could save a few gas, but it's not necessarily interesting or valuable for sponsors.", "Users are seeking explanations or references on the first automated gas optimization detected by the automated c4udit tool, specifically the one labelled 'Use assembly to check for address(0)'.", "The 'Use assembly to check for address(0)' issue is described at https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs.", "Using assembly could save a few gas, but it's not considered particularly interesting or valuable for the sponsor.", "There's a question about the significance of a yellow icon, with the response indicating an explanation is available in a specific location.", "Questions were raised about the status of a Blockswap FV contest in past competition status updates.", "The impact of required-KYC contests on the leaderboard is discussed, with differing opinions on its fairness for non-KYC wardens.", "An inquiry was made on whether Code4rena requires any volunteers.", "Versus contests are usually private and open only to top wardens.", "Some users reported not receiving a response after sending a ticket to Code4rena.", "It was asked if Code4rena attends events like ETH.NYC or ETH.Denver, with a response indicating that most of the growth team will be present at such events.", "A user requested for an equivalent for \"upgrades.deployProxy\" from the hardhat in the context of foundry, with one response referring to a GitHub link https://github.com/chugsplash/chugsplash-foundry.", "There is an inquiry about the validity of issues submitted in a contest, specifically 8 issues related to gas reports.", "A question was raised about the meaning of the term \"vs contest\".", "There are pre-written libraries available for wrapping the contract type of implementation around the proxy.", "There are users who are expressing their concerns about the validity and invalidity of the issues they have 
submitted in the contest.", "There is a contest called \"vs contest\", which involves only 3 wardens, has an RSVP process, and the best performing wardens get first choice.", "Versus contests are only for certified wardens, and one can check the certification documents if interested to learn more about this.", "Users can find out when a contest is going to be open to the public by checking the #\u270brsvp channel.", "Users can change their avatar on the site by submitting a help desk request at https://code4rena.com/help.", "Some links to the repositories in the contests are reported as not working.", "The next public contest was scheduled to begin on February 16th.", "In order to get into the list for private contests, one needs to become a certified warden and getting on the leaderboard can enhance the ability to qualify for private contests.", "Information about becoming a certified warden can be found at https://docs.code4rena.com/roles/certified-contributors.", "A user expressed interest in knowing about the \"scout\" role.", "For each unique High or Medium finding, the submission selected for inclusion in the audit report receives a 30% share bonus.", "The document on the Code4rena site explains that the 30% share bonus is for the users' share or the finding's share.", "One user had a question about the solutions/explanations for the latest version of damn vulnerable defi CTF.", "Registration is not needed for a public audit, as clarified in response to a question about how to register for an upcoming audit.", "Registration is not needed for a public audit in CodeArena.", "For each unique High or Medium finding, the submission selected for inclusion in the audit report receives a 30% share bonus.", "The \"Scout\" role in CodeArena involves technical reviewers looking at repositories ahead of the contest launch to ensure readiness.", "A duplicate finding's best report is eligible for a 30% share bonus.", "Participants need to be a certified warden to 
participate in private contests.", "The award calculation script for the share bonus is not public.", "All contests, public and private, are listed on the CodeArena website.", "A solo finding, in the absence of duplicates, secures all the share of that finding.", "30% bonus may apply to solo findings leading to a 1.3 share.", "Access to a private audit contest requires certification as a warden as suggested by the link: https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0", "There was a query regarding the absence of a \"Blockswap FV contest\" in the \"Past competition status updates\".", "Bonus rewards in the contest are given for the best reports.", "To access the private audit contest, one needs to be a certified warden. More details can be found at https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0", "There is a category of contests called \"FV contest\". Its status updates are not usually visualized due to its different working mechanism, and it is usually judged by Certora.", "Joining a private audit requires completion of the KYC process and obtaining certification. More details are available at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints", "The KYC process usually takes a few days to complete.", "To change an avatar on the site, a request needs to be submitted.", "Some users who have passed the KYC process and got approval still cannot access private contests. This could be due to not having certified status on their handle. 
In such cases, a help desk request can be created at https://code4rena.com/help", "The results of a contest generally take about 2 months to be announced.", "Even after KYC approval, certain private contests may not be accessible if they have already been assigned.", "The term \"versus\" in the contest name signifies a comparison or challenge between entities.", "Future contests may require an RSVP, and the updates about them can be checked on the RSVP channels.", "After the leaderboard is shown and rewards are sent, the final report of the contest may not immediately appear on the C4 site. It's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project.", "The company organizes RSVP contests and updates about them can be found on the RSVP channels.", "The leaderboards and rewards of a project have been shown and sent, but the final report may not always be immediately available on the C4 site.", "Write-ups of issues or bugs found on a project are advised to be held until the final report is published.", "Code4rena focuses heavily on blockchain security and does not speculate on token prices.", "The token provides voting rights for the DAO, which includes authority over treasury.", "It's possible to change the Login Address to a code4rean account.", "Starting a contest or learning about C4 auditing can be done via the #\ud83c\udfebeducation channel.", "The contest page, https://code4rena.com/contests, has information about open competitions.", "Participants need to sign up as a warden to join a competition.", "Private, versus, and mitigation audits do not currently impact the leaderboard but there has been discussion about including them in the future.", "To participate in private contests after certification, RSVP in the rsvp-certified channel and ensure a high position on the leaderboards from the last 90 days.", "The certification process involves sending your identity for verification.", "If not 
certified after a response is received, it is recommended to create a help desk request for assistance.", "There is no incentive for being the first to submit an issue.", "Announcements about private contests are made but these might be confused with open public audits. Different projects have different audits.", "There are inquiries about which types of findings are considered to be performed by a robot and the procedure of finding bugs via robots like ChatGPT. It was also asked how the company recognizes if a finding is generated by such parties.", "There are both private and public contests on CodeArena.", "The Reserve mitigation review contest is a private contest, while the Ethos Reserve contest is an open public audit.", "There was a confusion related to using robots such as ChatGPT to find bugs in smart contracts. The bug report generated by ChatGPT is considered not very useful without getting the full codebase input.", "The application for the KYC approval does not automatically grant access to private contests.", "The compound codebase can be studied from the compound repo.", "Information about which contests are public can be found on the #\u270brsvp channel.", "When new public contests are confirmed, they will be posted in the #\u270brsvp channel.", "All contests, both public and private, are listed on the website.", "Currently, there is no support for changing the login address on CodeArena. If an account has been compromised, a help desk request needs to be submitted with details and a mycrypto.com signed message.", "During a contest, it's allowed to discuss potential submissions with the project's dev team. 
The discussions can happen either in the contest channel or through private messaging.", "There is no token staking for the ARENA token.", "It is suggested that potential submissions should not be discussed in the contest channel to prevent revealing it for others.", "There is no specific timeframe for submitting the found high or medium issues to CodeArena. They can be submitted on the last day of the contest, but not too close to the contest close time.", "The number of contests on CodeArena can sometimes decrease, which is considered normal. Top tier projects can suddenly appear in the #rsvp channel.", "It's normal in C4 for the number of contests to fluctuate.", "Top tier projects occasionally appear in the #rsvp channel.", "After a contest has ended and is in the judging process, users cannot see the status of their submissions until the report is published and the repo becomes public.", "When the repo of a contest is made public, everyone has access to all the submissions, irrespective of whether they are valid or not.", "When dealing with upgradeable contracts, the implementation contract storage cannot be used to affect the delegate caller contract when delegatecall is in use.", "Some of the C4 team will be present at ETH.Denver.", "To compile code on Remix, it is advised to clone the whole repository and install the dependencies with forge, or manually include the contracts on remix from OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate).", "To use slither alongside foundry's remappings, it is necessary to identify those remappings for slither.", "To change the profile icon on code4rena.com leaderboard, it is necessary to submit a help desk request: https://code4rena.com/help.", "There is more information about Versus contests on this link: https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef.", "Profile icons on code4arena.com leaderboard can 
be changed via a help desk request at https://code4arena.com/help.", "There is more information available about Versus contests at https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef.", "The Ethos contest seems to be large enough to keep participants engaged for a while.", "There is a possibility to discuss onboarding an entire ecosystem similar to what is being done with Cosmos.", "In relation to smart contracts, a line of code like 'require(abc<123)' is considered a valid low finding as a \"magic number. It has been suggested that declaring constant value will make the code more readable.", "Backstage access can be granted to access findings repo when a contest ends. However, the applications for backstage access are currently suspended until further notice.", "More information about backstage access and its prerequisites can be found at https://docs.code4rena.com/roles/certified-contributors.", "The certification is a prerequisite to get backstage access.", "There is an inquiry about a roadmap or resources to learn about web2 security in the context of web3 security.", "There is an inquiry about the rewarding formula for the mitigation contest.", "There is a question about a tool for Solidity that makes sequence diagrams, other than the UML diagram tool (sol2uml).", "In the categorization of issues, QA (Quality Assurance) issues are defined as low issues and non-critical.", "The use of storage or calldata in an issue is dependent on their costs. Caching a storage pointer avoids re-computing the position, so it's cheaper for that reason. 
Using calldata for read-only arrays is cheaper because they don't need to be iterated and copied into memory.", "A possible reason for a test contract setup failure could be accessing an index that one did not define for an array.", "Caching a storage pointer in smart contracts can be cheaper as it avoids re-computing the position.", "Calldata is cheaper for read-only arrays because they don't need to be iterated and copied into memory.", "User queries about the consideration of severity while reporting issues on smart contracts, it is suggested that if the severity is not clear, work on the POC should be continued until it becomes clear.", "In Code4Arena, a user's profile name should match with their name in the chat.", "There is an upcoming Aragon contest. The link is https://discord.com/channels/810916927919620096/958800160870240286/1078269625395056680", "The scheduling of contests in Code4Arena is not decided by the community but by the sponsors.", "When adding code blocks in reports, it is advised to use markdown to ensure it shows in the report.", "If a user has forgotten their username or has login issues in Code4Arena, they can seek help in the #auth-help channel.", "Code4Arena uploads contest-related videos on their YouTube channel.", "Users are facing issues in accessing their Code4Arena accounts that were inactive for a long time. 
An example given is the account participating in the 2022-11-looksrare-aggregator-contest (https://code4arena.com/contests/2022-11-looksrare-aggregator-contest).", "There was a delay in processing some data, and it was anticipated to take approximately 5 hours.", "Users may encounter login issues if they're not using the correct wallet or email.", "In case of login issues, users are advised to contact the #auth-help channel for assistance.", "There is a channel #\ud83d\udce2announcements where updates are posted.", "Users can bind their Twitter accounts to their Code4Arena profiles by creating a help desk request at https://code4rena.com/help.", "QA findings should be compiled into one combined report.", "The term 'Low issue' in the context of discussions refers to QA reports.", "A smart contract scanning tool that can detect price manipulation vulnerabilities was mentioned: https://app.metatrust.io/project.", "The user's reports not being mentioned in the responses could be due to the reports being listed as automated findings and not being awarded or being rated as grade-c in the judgement procedure.", "An office hour for GoGopool was planned where users could ask questions if they participated.", "There is a thread explaining the C4 judging process on Twitter: https://twitter.com/sayan_011/status/1629011044516655104?t=DJz16iE54QkwLxkc3MrQtw&s=19.", "If a user identifies a potential vulnerability and has it confirmed by the sponsor via private DMs, it may still count when submitting it, depending on the judgement.", "Applications to backstage were paused due to an issue and an update about this was anticipated in the next two weeks.", "Code for yield contracts was shared: https://github.com/code-423n4/yield-contracts.", "Applications to backstage at CodeArena are currently paused due to an identified issue.", "An update regarding the paused backstage applications is expected to be posted within two weeks.", "It is inquired whether tests lacking coverage of 
significant functionality are worth listing as a NC issue in a QA report.", "A question is asked about the judges' preference regarding the inclusion of line numbers in code snippets for h/m issues.", "There is a query about how to change the login with wallet option as a precautionary measure, as no option to update the wallet is apparent.", "A question is raised about whether Contract C can access the internal functions of Contract B if Contract A inherits from Contract B, and Contract C inherits from Contract A.", "A user questions how to prove innocence after receiving a warning indicating the invalidation of their submission due to the use of chatGPT tools.", "A question is asked about the fate of a submitted medium report if it is actually deemed high. It is confirmed that unless there's a reason to penalize it (such as it being incomplete, lacking detail, or not as accurate), it gets raised to high.", "A mitigation strategy against unbounded loops in solidity is requested. A blog post is recommended for understanding the topic: https://blog.b9lab.com/getting-loopy-with-solidity-1d51794622ad", "No ETA is currently available for the resumption of backstage applications.", "A question is raised about the consequence of misclassifying a bug's severity in a submission. It is confirmed that even if a High severity bug turns out to be only Medium, the reward for a Medium bug is still received.", "A query is asked about the validity of a vulnerability finding regarding an external function with the transfer of ERC20 tokens without reentrancy protection. It is clarified that unless there is a clear explanation of the exploit path, such a finding may not be eligible for medium or high categorization and could be downgraded to QA.", "There is a question about the meaning of a 'zero-day exploitable bug.' 
It is clarified that a '0-day' is an exploit discovered after being used 'in the wild' i.e., on production software.", "It is stated that one can check the success of their report submission by looking out for an email and the ability to edit submitted findings.", "A zero-day is an exploit that was discovered after being used 'in the wild', on production software.", "Users receive an email confirmation upon successful submission of their reports.", "Users can edit their submitted findings on the contest page under 'your findings'.", "An example of an important line of code was discussed in the context of an 'initialize function', because it may get 'frontran'.", "Emails regarding submission confirmations come from submissions@code423n4.com.", "There was a question about whether citing similar findings from other contests is allowed to justify the severity and validity within submissions.", "Some chat members were having trouble submitting a finding, even after trying on two different browsers.", "Users can link their Twitter account to the Code4rena leaderboard by creating a help desk request with their Twitter handle.", "Help desk requests can be made at: https://code4rena.com/help", "There are differences in scoring grade-A QA reports", "only the 'Selected For Report' gets a bonus.", "Difficulty with the 'Create Issue' button was reported, with users noting that it doesn't respond and no console errors are present.", "Help desk requests can be created at the link: https://code4rena.com/help", "There was a technical issue reported where the \"Create Issue\" button was not responding.", "A potential solution for the issue was suggested to clear local storage and try again.", "The problem could be related to a form validation issue not producing an error message.", "A Neotokyo contest is to be started within the week of the chat.", "The identity of the judge for an ongoing contest, such as the Aragon contest, is not published ahead of time.", "Multiple Help Desk 
requests were successfully fulfilled.", "There is a question about how to copy code from Github with the contract file name and line numbers.", "Help desk requests can be submitted and are fulfilled in a timely manner.", "There is a process for submitting an issue using the C4 form.", "Feedback for submitted issues typically comes within a couple of months, once the contest has closed and the report is published.", "There exist some technical issues on the site which may be related to local storage.", "Some users struggle with understanding the relationship of interfaces to smart contracts in the overall system.", "Submissions can be edited from the contest page, where there is a \"Your Findings\" button.", "The backstage access feature was disabled due to an individual abusing the privilege.", "The violation that led to the disabling of backstage access involved sharing information about findings for judging in progress with other individuals who did not have backstage access.", "This violation was a breach of the confidentiality agreement.", "It's not clear who committed the violation that led to the disabling of backstage access.", "In the past, backstage access was based on a trust model, but future access may involve some constraints or consequences.", "There have been instances of backstage privilege abuse involving sharing information about findings for judging in progress with others who did not have backstage access.", "The backstage access is not granted for every contest but is broader than just where the wardens have submitted issues.", "The process of backstage access is changing and is still in progress.", "Findings submitted for contests may not always make it to the final report, and the reason might not be immediately known. 
To check, you need to wait until the reports are published, which usually takes at least a month.", "Information on contest findings can be found in the data folder of any C4 report on GitHub.", "The Scout awards are given to those who review code before the start of a contest to ensure it is ready for wardens.", "Backstage functions are currently closed.", "If there is a need to edit a finding, a helpdesk request can be made with all the information and the update to the finding before the contest closes.", "To edit an already submitted finding, you can go to the contest page and click the \"Your Findings\" button. For example: https://code4rena.com/contests/2023-02-ethos-reserve-contest", "Helpdesk requests can be submitted, and the process of submission includes confirmation that the request has been received.", "If a submitted helpdesk request exceeds the character count, the submission can be edited.", "Submitting findings follows a documented process available at https://docs.code4rena.com/roles/wardens/sub.", "Information about backstage function changes can be found at https://discord.com/channels/810916927919620096/810931711609143326/1082437741586960485.", "Users are able to edit their submissions on the Code4rena platform.", "Users can submit their QA reports via help tickets if they exceed the character count for regular submissions.", "To edit a submission, users can go to the contest page and click the \"Your Findings\" button. 
For example, the Ethos Reserve contest page: https://code4rena.com/contests/2023-02-ethos-reserve-contest", "The Code4rena staff assists users in editing their submissions and resolves help tickets.", "Code4rena staff do not second guess judging decisions, and these decisions are final as per their policy documented at https://docs.code4rena.com/awarding/fairness-and-validity", "A backstage feature exists, but it is closed without exception.", "The backstage feature is not intended for wardens to dispute judges on their submissions.", "Different severity levels for bugs exist within the Code4rena platform, with criteria detailed at https://code4rena.com/judging-criteria/", "There can be issues with creating submissions on the platform, and users are advised to try refreshing the page or changing browsers.", "Valid links to code fields are needed for submissions.", "If platform issues persist, users are advised to back up their findings, clear localStorage, and start afresh.", "It was somehow hinted that the Opera browser might work for creating submissions when others fail.", "Questions about the availability of specific reports, modifying or withdrawing findings, and the difference between two wardens submitting the same issue were raised.", "If two wardens submit the same issues, there is no advantage for the one who submits first.", "The quality of a submission is considered when distributing bonuses, with a higher quality submission potentially receiving a larger bonus.", "It is possible to include an image in a report.", "There is an option to remove a finding submission, likely found under an 'edit' button.", "Citing similar findings from other contests to justify the severity and validity within a submission is allowed, but judges will consider the entire context when judging.", "Multiple instances of the same vulnerability should be reported as one issue.", "To participate in the PolynomialFi contest, an individual needs to be a certified warden, even if 
they form a team with a certified warden.", "The certification process can be started within 48 hours of the contest and upon completion, the participant might be awarded if they are eligible for an amount.", "Information about the certification process can be found at: https://docs.code4rena.com/roles/certified-contributors", "A user shared their first ever bounty on C4 and announced an AMA on Twitter at the following link: https://twitter.com/gjaldon/status/1633608427628007424?s=46&t=xqo0u8sRkswPAvbe78VrBQ", "To participate in the PolynomialFi contest, one needs to be a certified warden.", "The certification process can be started within 48 hours of the contest, and upon completion, a participant can be awarded if they are eligible.", "The certification process can be started by reading the document at https://docs.code4rena.com/roles/certified-contributors.", "The leaderboard file only contains contest numbers, and it is not immediately obvious what number corresponds to what contest.", "Screenshots can be added in submissions, guidance for which can be found at https://discord.com/channels/810916927919620096/810931711609143326/1083239106223546420.", "If a participant does not receive an email after submitting a finding, they can open a help desk request at https://code4rena.com/help/.", "There's an issue of high CPU usage on the Chrome browser when opening the landing page of code4rena.com, but no such issue on Firefox or Brave.", "Reports on https://code4rena.com/reports seem to be sorted by publication date.", "Sort/filter options for the reports may be planned for future implementation.", "People can choose to participate directly in the competition, complete CTFs, and audit reports based on their preference.", "Information on becoming a certified warden can be found at https://docs.code4rena.com/roles/certified-contributors.", "If no High/Medium (H/M) issues are found in a contest, the entire rewards may move down to Quality Assurance (QA).", "However, it 
is generally considered unlikely that no H/M issues would be found, as no code is considered perfect.", "There are questions about what happens to the rewards in a contest if no high or medium issues are found.", "The general consensus seems to be that it is unlikely for a contest to have no high or medium issues found as no code is perfect.", "There is a question about how to change a team name in CodeArena.", "Changing a team name in CodeArena requires creating an entirely new team, and this new team wouldn't retain any leaderboard positioning.", "Minimum PC requirements for auditing DeFi protocols are relatively low and even a 10-year-old PC should be capable of handling the task. However, tasks such as fuzzing can benefit from a faster computer.", "There are debates about the benefits and drawbacks of using older PCs for building contests, with some saying it requires a lot of patience due to slower processing speeds.", "For QA reports, sub-categories include Low, Non Critical (NC), and Refactoring.", "There are inquiries about the average payout for gas optimizations, non critical findings and low risk findings.", "Information about issue finding can be obtained via findings.csv file in CodeArena's website repository.", "There are questions about how the reward is distributed in a contest where only one high and one medium issue are found.", "There is a request for information on how to modify submitted findings.", "Information about the average payout for gas optimizations, non-critical findings, and low-risk findings can be found in the findings.csv file on the C4's website repository.", "The link to the findings.csv file is: https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv", "In contests, if only one High and one Medium issue are found, information on how the rewards are distributed can be found at: https://docs.code4rena.com/awarding/incentive-model-and-awards", "Submitted findings can be modified through the \"your 
findings\" button on the contest page.", "If an issue occurs in two places in the same contract and they are not related but carry the same meaning, it can be considered as two different issues.", "The reward amounts in contests come from the sponsor.", "To receive USDC rewards over Coinbase, they can be converted to BTC.", "If no High/Medium issues are found in a contest, the rewards are divided based on Quality Assurance.", "Certified users can access the Polynomial project, by viewing the repo and submitting findings.", "There can be technical issues with viewing the repo or submitting findings which can be resolved by checking if the GitHub account is logged in and it is the same account given for C4.", "Teams can be created but there may be technical issues like a blank page opening when selecting members.", "The role of a lookout is to pre-sort the repo and provide a summary document to the sponsor.", "There was an issue reported where a blank page appeared while trying to create a team and selecting members.", "There are buttons labeled \"View Repo\" and \"Submit Findings\" for certified wardens to use.", "A lookout in the context of the chat pre-sorts the repo and provides a summary document to the sponsor.", "Contest information such as the lookout application window opening is announced on Discord, but applications can be submitted at any time.", "Gas reports that have been uploaded can be changed on the contest details page under \"your findings\".", "There was a question about the tool used in reports that displays code snippets with line numbers on the left.", "Certain contests are only open to certified wardens.", "Information on how to become a certified warden can be found at https://docs.code4rena.com/roles/certified-contributors.", "The \"MIT review\" is limited to those who participated in the original contest.", "The term \"versus\" is used to denote a small invite contest, which could include mitigation reviews or regular contests with a 
limited number of participants.", "It takes some time for a warden to be marked as certified, even after approval.", "There was a suggestion of creating duplicate accounts to submit the same issue for a greater share of rewards, but this was clarified as not being beneficial due to Sybil protection measures.", "It takes approximately 2 weeks to mark a warden as certified after approval from the kyc firm.", "Users are curious about the possibility of downloading all the smart contracts being deployed at a specific address that can be seen using etherscan.io.", "Creating an alternate account and submitting the same issue from both accounts does not increase share, it decreases due to sybil protection.", "A middle vulnerability in smart contracts like missing zero address check that can lead to loss of funds is still valid. Link to one of the vulnerabilities: https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address.", "The ARENA token exists but does not have the kind of volume that gets it listed on CoinGecko.", "CodeArena handles duplicate submissions by reducing the value of a finding when more of the same finding are submitted during the open submission period.", "Users are curious about the tools used for audits and seek recommendations between Hardhat/Truffle or Foundry.", "Labels like \"bug\", \"grade-c\", and \"unsatisfactory\" on an issue indicate that it is not eligible for rewards.", "More information on the warden-application-reviewers role and its application process would be documented.", "Office hour sessions are recorded and uploaded to a YouTube channel.", "There are no upcoming competitions currently, but the team is in talks with several people about potential audits.", "Wardens need to connect their wallet to their account to submit findings.", "There are two types of wallets, a login wallet and a payment wallet. 
The login wallet is set up when creating the account, and the payment wallet can be updated in the profile.", "Login with a wallet is not required to participate in contests, only a payment wallet is needed.", "Users are interested in contests that could help them see multiple designs and best security practices for a staking platform they are constructing.", "Users create their accounts using an email and a password.", "Login with a wallet is not required to participate in contests.", "Participants are encouraged to add their payment wallets to their account.", "There are contests related to staking platform contracts available.", "The CodeArena office hour sessions are recorded and uploaded to a YouTube channel.", "There are issues with running the picode 4naly3er globally.", "Hardhat can be used for testing instead of foundry.", "There can be gaps in the schedule for live contests.", "User submissions for completed challenges can be accessed on the concerned GitHub repo once the contest report is published.", "Users can associate their Twitter handles with their CodeArena profiles by sending a helpdesk request.", "Notifications on new contests are provided on the website, the #\u270brsvp, and the Discord channel for the contest.", "Issues related to contest visibility on the website are resolved by the team and are not user-related.", "If a contest starts for a project that also has the same code on immunefi, users cannot submit the same bug to gain rewards from both platforms. 
For more information: https://docs.code4rena.com/roles/wardens/submission-policy#findings-in-parent-of-forked-projects", "Users can add their public key from Polygon Mainnet to their CodeArena account.", "There are issues with opcode support in foundry.", "Sometimes, user requests can get intercepted by Cloudflare, resulting in errors.", "Users can switch the network in their Metamask to Polygon Mainnet, copy their public keys, and paste them into Code4rena.", "When a submission is marked as \"marked the issue as primary issue\", it is used to cluster duplicates around an issue.", "Once users earn some reward and appear on the leaderboards, they can get the \"leaderboard\" discord role.", "Users can look for answers to their questions related to warden registration, changing the wallet attached to the user account, and other FAQs at https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting, and if they don't find what they're looking for, they can submit a help request at https://code4rena.com/help.", "Users typically show the places of vulnerability in two ways: 1) Providing a URL to the repository with a line inner in the text, and 2) Providing a solidity code block.", "If two very different issues can be resolved by fixing the same thing, they are considered as one issue, especially if the root cause is the same. 
However, if fixing the root cause without considering both issues will still lead to one of them being active, the situation might be different.", "Information related to AI security safety audit assurance can be found at https://blog.trailofbits.com/2023/03/14/ai-security-safety-audit-assurance-heidy-khlaaf-odd/.", "Oracle validations, such as checking for stale values and checking for the answer in the same roundid issue, could be considered as one issue if missing.", "When showing places of vulnerability, it's recommended to include both the URL to the repository with the line number and a code block.", "If two different issues can be resolved by fixing the same thing, they would be considered as one issue.", "There is a question about whether a mapping's size could impact EVM execution, and the response indicates that there is no performance overhead regardless of the size due to its constant complexity.", "There is a known issue where numbered lists in markdown do not show numbers in the preview tab, but the numbers are visible when submitted.", "The severity of an issue can be categorized as high, low, or QA.", "There is a question about the concrete threshold for \"marginal\" gas savings.", "Constraints on admin 'setter' functions for state variables can be considered a low or medium finding.", "A user can become a certified contributor by going through a specific process which details can be found at: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints", "It is possible to ask questions about findings of past projects and take part in private competitive audits.", "There is no specific type of laptop needed for auditing a smart contract.", "The process of certifying a warden after the provenance verification process is completed is mentioned to be in queue and the applicant will hear soon.", "Certified wardens are eligible to attend private audits, but there might be other conditions to meet.", "There is a process 
to follow in order to become a certified warden.", "There is a question about the categorization of severity related to state variable changes in smart contracts.", "The process of certifying a warden after the provenance verification process is completed is discussed, with mention of an application queue.", "The certification of wardens has conditions that may need to be met to attend a private audit.", "The process of becoming a certified warden involves an application, more details of which can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.", "Certification allows wardens to participate in private contests to a certain extent.", "Versus contests are invitational and opportunities go to wardens by their rank in either specific contests or during a recent window.", "Certified contests, like the upcoming 225, do impact the c4 leaderboard rank.", "Rewards from previous private contests are also added to the leaderboard.", "Staffing hours are discussed, with mention of U.S. 
hours and the need to hire for additional time zone coverage.", "The requirement for versus audits is that wardens must be certified and opportunities are posted for RSVP.", "Leaderboard role in discord is discussed, with requirements for getting a finding re-evaluated.", "New backstage applications are paused for now.", "Ethos Reserve is mentioned, presumably as an event or achievement to congratulate.", "There is a query about applying for a lookout role using findings that don't have reports out yet.", "New backstage applications are currently paused.", "A user can apply for a lookout role using findings that don't have reports out yet.", "Wardens who had backstage access could see the submissions and provide factual comments at the pre-judging stage, but this is not a continued practice anymore.", "Users can access all the issues, including theirs, once the repo is made public.", "The results of submission can be seen once the report is published, which can take from 2 to 6 weeks or even longer.", "If submitting an issue involves various lines changed, users can send a git patch or a PR to the repo.", "For submitting an issue, the vulnerability and its impact on the protocol/code should be explained in the impact section. The proof of concept section should contain the lines from code/github or add test which is written as an exploit.", "There's a VS code extension called \"Copy With Line Numbers\" used to get code snippet with line numbers.", "There are cases when a centralization risk may be considered valid. 
These cases include if the centralization does not match the protocol's claims/guarantees in their documentation or marketing material, if the centralization poses a threat to all types of users of the protocol and the protocol itself, or if it is not listed as an issue.", "If a user feels a centralization risk should be flagged, they can report it, stating all their reasons, and let the judge make the final call.", "Users can share their reasons in the report itself. Without the backstage access, there is no way of providing additional context on reported issues.", "A user can speak with the judge to re-evaluate a finding only if they had the backstage access during post-judging with factual comments.", "For more insights on \"Centralization Risks\", users can check at https://github.com/code-423n4/org/issues/54.", "Users can provide their reasons for flagging an issue directly in the report itself.", "Besides backstage access, there's no other way of providing additional context on reported issues.", "Backstage access allows users to speak with the judge to re-evaluate a finding and comment on it.", "There is a useful issue related to \"Centralization Risks\" at https://github.com/code-423n4/org/issues/54.", "Feedback on submissions, including those that were denied, may not be provided directly to the user but can be checked on the public GitHub repository later.", "Contest participants can upgrade the risk level of their submitted findings if the contest is still open.", "Specific findings should not be discussed until the report has been posted for the contest in question.", "Users can edit their submitted findings by navigating to the contest page and clicking on the 'your finding' button.", "An issue related to a potential reentrancy risk without any actual vulnerability was marked as low at https://code4rena.com/reports/2022-12-caviar#l-01-missing-reentrancy-guard-to-withdraw-function.", "The linkage of user's C4 handle and Twitter handle can be done by 
completing a help desk request.", "The registration mode on the site is limited by original architecture choices made during the initial site and tool setup.", "There were issues reported with logging in and connecting the wallet on the site.", "Some users have experienced a mismatch between their site username and Discord nickname.", "Critique and feedback are allowed and appreciated for improving the platform.", "There were reports of issues with user registration and login on the site.", "It was possible for a user to create two accounts with one email and discord.", "Users were asked to DM for assistance with account issues.", "It can take approximately 2-3 weeks to become certified after filling up forms.", "The certification process can move more quickly if the necessary documents are supplied promptly to the KYC provider.", "Provenance, the KYC provider, may have more detailed requirements for documentation than what is outlined in C4's guidelines.", "There have been instances of phishing scams involving fake Cod4rena accounts.", "Phishing scams involved links to purchase ARENA tokens from untrustworthy URLs like invst.icu.", "C4 doesn't typically operate on weekends.", "There was a question about how winners are decided, pointing out that about 50 people received a reward, but questioning if there were really 50 vulnerabilities.", "A link to an upcoming contest was shared: https://code4rena.com/contests/2023-04-party-protocol-versus-contest.", "A user asked for resources to study the Geth node and Web2 security in the context of Web3.", "C4 is not typically staffed on weekends.", "The process of deciding winners was questioned, indicating that sometimes multiple people are rewarded.", "There was a request for more resources to study Geth node and Web2 security in the context of Web3.", "It was mentioned that automated reports are sometimes uploaded after starting contests reporting gas optimizations.", "Not every bug reported by a warden within an hour of a 
contest's start is considered.", "Certified wardens may be able to join private auditing contests.", "There was a question about how C4 uses gas reports.", "There was a discussion on how to embed images using markdown.", "The payout for vulnerability issues can be verified by checking the wallet address with which one registered, using polygonscan.com or wallet trackers like debank.com.", "The discussions indicate that there isn't a specific bug-payout list for each contest.", "Past contest awards can be viewed at https://code4rena.com/contests/2023-01-numoen-contest.", "A detailed list of rewards for each warden for each bug per contest is available at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.", "The procedure to become a certified warden is explained at https://docs.code4rena.com/roles/certified-contributors.", "There was a question about the existence of a decent cross-chain dex between polygon and ethereum.", "A user mentioned that they were unable to log in to code4rena.", "Third-party bridges such as wormhold or celer were suggested as potential cross-chain dex between polygon and ethereum.", "There was a question about how to change one's wallet address.", "Some users are having trouble logging into Code4rena.", "Payment wallet addresses can be changed within user profiles on Code4rena.", "Users can switch to using a username and password for login.", "Users are seeking help on participating in private audits.", "To participate in private audits, one needs to become certified.", "Information on becoming a certified contributor can be found at https://docs.code4rena.com/roles/certified-contributors.", "A discussion can be opened if a user disagrees with a judge's decision on an issue.", "Newly joined wardens can join private content and verification can be done through discord link: https://discord.com/channels/810916927919620096/810931711609143326/1092556195337863309.", "Users are having trouble joining 
private contests even after passing the KYC.", "The certification status from Provenance is generally updated within 5 business days by the C4 team.", "Certified contributors are not obligated to apply to every contest.", "Being certified grants access to more contests.", "Certified status grants access to more contests.", "The process of getting a 'certified' status confirmed and added takes roughly 2 days to 5 business days.", "Once certified, users can join any contest including certified contests.", "Instructions on how to get the 'certified' role can be found at: https://discord.com/channels/810916927919620096/810931711609143326/1092758105646960711", "The winner bot code will not be made public after Bot Races, only their report will be.", "The Consensus event by Coindesk is mentioned, with the link provided: https://consensus.coindesk.com/", "To access private contests such as Party Protocol", "Versus contest, one needs to be certified.", "Versus contests are competitive access for a limited number of the highest performing wardens who RSVP.", "To change a logo on the leaderboard, a helpdesk request with a link to the new logo needs to be submitted.", "To change a C4 id, one needs to re-register, but leaderboard status would not follow.", "Bot-generated reports should theoretically include all kinds of findings, including high, medium, low, non-critical, and gas-related issues.", "A report is run after every contest launch, which allows others to vet their analyzers.", "Findings listed in the best bot-generated report will be out of that contest's scope.", "Findings in non-best, unpublished bot-generated reports are still eligible for submission.", "Findings listed in the best bot-generated report are out of the contest\u2019s scope, similar to the current \u201cAutomated Findings\u201d.", "The current analyzer will be replaced with an open competition, with the current analyzer team expected to compete.", "Findings in non-winning bot-generated reports that 
remain unpublished are still eligible for submission.", "Submissions for gas reports are best accompanied by how much gas would be saved via the refactored code in a snapshot.", "It's possible to check for opcode usage on-chain.", "Code can be highlighted on Github by clicking on the starting line of code, then holding down ctrl + shift and clicking on the last line to highlight.", "Foundry is a framework to write tests with, and it offers other tools to assist in checking things like storage.", "Tests in solidity are needed to check certain things in the Contracts being audited.", "Two YouTube links were shared to help with understanding the Foundry framework: https://www.youtube.com/watch?v=Rp_V7bYiTCM and https://www.youtube.com/watch?v=EHrvD5c93JU", "The severity classification of vulnerabilities in staking pools when the client doesn't receive a promised amount of rewards, or doesn't receive any rewards at all, depends on the maximum value that is lost due to the precision-loss or other issues and how likely it is to happen.", "The severity of a precision-loss issue can be submitted as medium, so long as the damage done by it justifies it, but a Proof of Concept (PoC) that proves the case is always needed.", "For the Caviar contest post, the highest-ranking wardens from the open contest will be assigned to the Mitigation Review, which has a prize pool of $8,100 USDC.", "More information on Mitigation Reviews can be found here: https://code4rena.com/how-it-works", "Precision-loss issues can be submitted as medium issues in contests, as long as the damage justifies it.", "A Proof of Concept (PoC) should be provided to support submissions about precision-loss issues.", "The Caviar contest conducted a Mitigation Review that involved a prize of $8,100 USDC and the top 3 wardens from the open contest.", "More information on Mitigation Reviews can be found at https://code4rena.com/how-it-works", "There is a process to submit a PoC to report a finding, which includes 
uploading results of the git diff command.", "It's possible to edit submitted security findings for a contest.", "The Frankencoin contest is public.", "Users can request a logo change via a helpdesk request.", "The H/M reward pool for the Caviar contest has been reduced.", "A user can update their QA report by selecting the \"My findings\" option on the contest page.", "QA/gas report issues should be combined into a single report.", "More information about QA/Gas reports can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards", "It's possible to encounter an error message when trying to submit a Gas Optimization report for a contest if one has already been submitted.", "All QA/gas reports issues should be combined into a single report.", "Only the best or most comprehensive QA/gas reports are accepted.", "There was a question regarding how to use screenshots in a report.", "There was a question about how to calculate the gas cost of a contract.", "Hardhat & Foundry were suggested as tools for generating a gas report.", "There was a question about when findings for an already paid contest are made public. The answer was when the report is posted.", "There was a question about markdown preview not properly displaying lists when submitting issues. This issue was confirmed to only affect the preview and not the final submission.", "There was a discussion about if it's worth mentioning if there are more functions in an interface than are used in the code during a protocol interaction with a contract on-chain.", "There was a question about when the decision about the backstage role will be taken. 
A response was given that a plan is in place.", "A question was raised on how to find a transaction hash when a user has given allowance to a contract, given only the user's address and the contract's address.", "A decision regarding the backstage role will be taken as per a plan that's been made.", "To find a transaction hash when a user gives allowance to a contract, one must filter the contract's logs and check topics for the specific address.", "It is acceptable to pass a link to a website for QA reports or POCs.", "The exact criteria for low, medium, and high severity issues can be found at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization", "SafeTransferLib is used for safely transferring funds to a user; it checks whether the operation of sending funds is successful by checking the return status of the call.", "It is not necessary to confirm findings with the project's developers before submitting them; however, it's up to the warden to submit a point thought to be a valid finding.", "QA reports can be updated after submission by going to the contest page, clicking on the findings, and editing them.", "Providing proof of how much gas the refactoring saves may affect the grade of the submission.", "Reports or POCs (Proof of Concepts) may be linked for QA reports.", "It is beneficial to include gas savings from refactored code in submissions.", "Not including the amount of gas saved from refactoring might affect the grade of the submission.", "There is a report of a possible scam in direct messages.", "Points for the 60-day leaderboard are counted from the day of the contest announcement, and may expire 60 days after the contest has ended.", "For gas-related submissions, participants are advised to make a single consolidated report.", "Participants have the ability to edit their findings.", "Any findings that are not submitted before the end of the contest will not be eligible.", "Participants can ask judges for feedback about issues 
to understand the reasoning behind the ruling and to see what could be improved.", "There is a request for a YouTube video on how to audit smart contracts.", "The #\ud83c\udfebeducation channel is suggested as a source of information.", "Users can participate as a warden in upcoming contests by logging into their account.", "Judges for a contest are not known ahead of time.", "Users are unsure if they can contact judges directly to ask if they should submit something.", "There is a #\ud83c\udfebeducation channel where users can learn more about auditing smart contracts.", "Users who wish to become a warden for a contest after having been absent from C4 for a while can log into their account to compete in the audit.", "It's not possible to contact the judge of a contest ahead of time as the identity of the judge is not disclosed by design.", "Sponsor teams have designated contacts that participants can direct message during a contest to ask questions.", "Backstage roles applications are not being accepted at the moment, but there might be a change in the following weeks.", "When submitting through the Code4rena interface, a markdown template is proposed.", "To determine if a finding is of high or medium severity, users rely on experience and a balance of consequence and likelihood. High consequences generally involve sizeable fund loss or other severe consequences and don't require pre-conditions. Medium consequences usually have lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness.", "Users cannot receive a reward for findings made with ChatGPT. 
If they wish to use AI in auditing, they're advised to enter the bot races instead.", "There is an award formula for gas and QA, but it's not clear if the formula is documented.", "There are competitions known as bot races, where users are rewarded for findings made with AI.", "AI is becoming an increasingly important part of auditing.", "There are discussions about the use of a curve formula for the award system.", "The formula used for awarding gas and QA is planned to be updated.", "There are concerns that the leaderboard might not accurately reflect a user's accomplishments, with contest results potentially not being counted for the full duration.", "The company's website does not currently track the dates awards went out, but rather builds the leaderboard off the dates of the audits themselves.", "There are discussions about possibly integrating the website with Github to track specific timestamps.", "Migrations of data from CSV and JSON files to a database and API are planned.", "The top wardens in the 90-day leaderboard are prioritized for contests.", "The ENS contest will be public, and public contests are displayed in the Discord channel.", "Judges review the findings to decide their severity, validity, and quality. These judges also receive a share of the prize pool as an incentive.", "Contestants are given shares for bugs discovered based on severity. These shares give the owner a pro rata piece of the pot.", "The timing of a bug discovery does not affect the reward. 
The system is not a first-come, first-served basis.", "Findings are reviewed at the end of the audit period, and users are able to edit their findings until the contest closes.", "The Caviar contest had an issue when checking findings.", "Findings from audits are reviewed upon submission at the end of the audit period.", "Contestants can edit their submissions until contest close.", "Some users faced issues when submitting their findings for the Caviar contest.", "The issues with submission were resolved after communicating with the team.", "Email confirmations are sent out upon successful submission of entries in the contest.", "Some participants were unable to submit their entries because of a technical issue, which was then resolved.", "Participants were discussing the minimum rank required on the leaderboards to get the role leaderboards.", "Participants were querying about the announcement of the top 20 bots.", "Participants were seeking information about what 'grade-c' means.", "Participants are discussing how to format a specific type of code into a readable format.", "The code in question was a string representation of a JSON, and it can be made more readable through a custom print logic for each element.", "Once a PR (Pull Request) is merged for the warden, a user should be able to log in.", "If a user faces issues with login, the team can update the database to resolve the issue.", "One participant mentioned their company's interest in running an audit contest and was directed to another individual for follow-up.", "The company maintains a database that users can log into.", "The company has a functionality to update this database to fix login issues.", "There are queries regarding running an audit contest for contracts, with queries about pricing and operational details.", "There is a process in place for submitting a help desk ticket for issues.", "The company has a KYC process, and there may be delays in this process.", "Users can raise a help request 
through the form on the company's website if they don't get any reply to their KYC application within five business days.", "Hardhat and Foundry can be used to print local variables that are declared inside a function by using console.log.", "The console.sol can be imported inside the original Contract itself and not necessarily be in the x.t.sol file.", "There are issues reported about the \"Source from artifact has no AST.\" error when running forge debug on a hardhat project with foundry integration.", "Questions about constant product amm (xy = k) calculations are discussed, with particular reference to the following link: https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L699", "New users are trying to log gas remaining after the state variable update using foundry but encountering difficulties.", "The company provides a way to format the solidity code in the submissions to make it look better.", "There are questions regarding the calculation of constant product automated market makers (AMM), specifically, how do you get option 1 and why option 2 is used in some implementations.", "A specific code implementation using option 2 for AMM calculation is found in https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L699.", "There are inquiries on how to log gas remaining after the state variable update within Foundry, a smart contract testing framework.", "There are discussions on how to properly format Solidity code in the submissions.", "The Markdown Renderer on the site is not accurate and it is suggested to view the code on Gist for better formatting.", "There are questions about importing screenshots in submissions and it is suggested not to do so but to paste gas report directly.", "There are discussions on how to update submissions and it's mentioned that there should be a \"Your findings\" button to do so.", "There are inquiries about viewing all submissions after a contest.", "Backstage wardens have access to 
findings soon after an audit, but this role requires Know Your Customer (KYC) and Non-Disclosure Agreement (NDA) procedures for security reasons.", "There are questions about how gas findings are judged and whether it's worth showing significant improvements in important functions.", "Some users have not received an invitation link to Github despite being certified.", "KYC process gives access to backstage, however, there are some changes in the process coming soon.", "Gas findings are judged based on the inefficiency of the current implementation.", "If a significant improvement is found in an important function, it should be showcased.", "Syntax highlighting in a code block in a finding report can be achieved using three backticks and specifying the language (e.g., ```solidity).", "Results for Rubicon are anticipated.", "If a report is accepted, USDC will start flowing into the contributor's wallet.", "The final report for a contest doesn't include wardens whose submissions/findings are not accepted.", "There is a consideration to indicate the number of participants in a given contest.", "The focus of contests is on providing value from a security perspective, delivered by the results.", "Link for accessing findings.csv: [https://code4rena.com/community-resources/findings.csv](https://code4rena.com/community-resources/findings.csv)", "Project owners cannot see the findings as they are reported. If funds are at risk on mainnet, staff should be reached out via a help request.", "The tool that is run for automated findings is not specified if it is available to run locally.", "Beginners in smart contract auditing may seek help in the platform.", "Project owners may take action when funds are at risk on mainnet. 
For this, it is recommended to reach out to staff via a help request.", "There is a tool that is run for automated findings.", "The platform is working on procedures for sensitive disclosures and updates will be announced soon.", "Backstage+ access has been reopened and previous application requests are being reviewed. More information about Backstage access can be found at https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490.", "There is a Know Your Customer (KYC) process and some users have experienced delays in the process.", "Information about how to be a judge can be found at https://docs.code4rena.com/roles/judges.", "The platform has several types of contest rewards, such as Scout, Lookout, and Judge awards.", "Information about the lookout role and reward can be found at https://docs.code4rena.com/roles/certified-contributors/lookouts.", "The purpose of the #\ud83d\udd06hm channel doesn't have to do with findings in a contest.", "The awards pool includes several categories: HM awards ($56,250 USDC), QA report awards ($7,500 USDC), Bot race awards ($7,500 USDC), Gas report awards ($3,750 USDC), Judge awards ($9,000 USDC), Lookout awards ($6,000 USDC), and Scout awards ($500 USDC).", "Information about the roles of judges can be found at https://docs.code4rena.com/roles/judges.", "The \"Lookout\" and \"Scout\" awards refer to specific roles within the contest.", "Information about the role of Lookouts can be found at https://docs.code4rena.com/roles/certified-contributors/lookouts#lookouts.", "Scouts are responsible for preparing the contest repo making sure that the provided files by the sponsor are in order, and that the test files don't create any security vulnerabilities.", "The #\ud83d\udd06hm channel does not have to do with findings in a contest.", "Only one gas report should be published for a contest. 
If additional findings need to be added, the existing report should be updated.", "There is not currently an email notification sent for updated issues.", "Backstage applications have been paused.", "Updates can be found at the following Discord link: https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490 as well as in #\ud83d\udce2announcements and the C4 newsletter.", "Help desk requests can be created to check on status updates.", "There is no mail notification for updates on issues.", "Backstage applications are currently paused.", "CodeArena has an announcements channel on Discord and a newsletter for updates.", "Users can create a help desk request for issues with their status.", "The Eigenlayer contest has associated HM rewards.", "The Ethereum Beige Paper is mentioned as a more digestible version of the Ethereum Yellow Paper.", "Regarding the bot races, the bots are considered a warden's intellectual property and are unlikely to be open sourced by CodeArena.", "Gas optimisation should be looked for in the contracts only.", "Users can create a Quality Assurance (QA) report and are allowed to edit it for more details.", "After judging is complete and the results have been posted, the release of the report can sometimes take a lot of time because the CodeArena team needs to get the green light from the projects involved.", "It can take about a week to get a response from Provenance.", "For gas optimization, it's recommended not to initialize default variables to 0.", "For loops in Solidity, the initialization of the loop variable to 0 is not necessary, which may lead to gas savings.", "For gas optimization in smart contracts, it is recommended not to initialize default variables to 0.", "There is a discussion about whether this principle applies to variables defined in a for loop.", "A user reported that excluding the increment (++i) in a for loop can reduce gas costs significantly.", "Using the 'unchecked' command in loops is 
recommended as a way to further optimize for gas.", "There is a significant gas saving difference between using 'for (uint256 i = 0; i < 1000; i++)' and 'for (uint256 i = 0; i < 1000; ++i)'.", "Provenance typically takes about a week to respond to submissions.", "There's a new feature called 'bot race' introduced.", "More information about this feature can be found at https://code4rena.com/register/bot/.", "A user encountered an error and sought for help.", "Users can see when their findings are edited.", "There was a scammer in the chat who was subsequently removed.", "The suggestion was made to use Hashbot to detect scammers, and the link to Hashbot is https://Hashbot.io.", "A user had an issue with submitting findings from the \"Risk rating *\" menu.", "The chat has a feature called '+backstage'.", "Users who believe they meet the criteria for '+backstage' can submit a help desk request at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Users can contact the Admin through a help desk request at https://code4rena.com/help.", "Certified contributors who believe they meet the criteria for backstage access can confirm their eligibility by submitting a help desk request. The related document can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Users can submit help desk requests to address any issues they have. The help desk can be accessed at https://code4rena.com/help.", "Users can submit the Binance address for payout, but the addresses can change, and it's reminded that if the keys are not possessed, the coins are not owned.", "Questions about Caviar/Rubicon results were raised, indicating that there are pending results for these audits.", "There are questions about the grading system, specifically how submissions are categorized into grades A, B, C, the difference between \"primary issue\" and \"selected for report\", and what bonuses each category receives. 
The referenced document for this can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards and https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic.", "There is a discussion about changes in Discord usernames and how it will affect C4 authentication.", "Information about what types of findings are no longer valid can be found in the conversations here https://github.com/code-423n4/org/issues?q=is%3Aissue+is%3Aopen+label%3Arules.", "Team members can make submissions on behalf of their teams, and they can select either their solo handle or team handle for submitting a finding.", "There are questions about how to submit additional findings after an initial low-risk finding was submitted.", "Discussions are ongoing about how to manage teams where not all members participate in the same contest and how to distribute rewards among team members who contributed. The relevant discussion can be found here https://github.com/code-423n4/org/discussions/43.", "There are challenges reported by team members in managing the same team name but with different team members working on different contests at the same time or different times.", "Concerns are raised about how to manage team members who want to participate solo in a contest that their team is also auditing.", "The idea of implementing squads to address team management issues is discussed and linked at https://github.com/code-423n4/org/discussions/43.", "Participants can submit low-risk findings and have the ability to report additional findings.", "If participants believe they are eligible for a backstage role or would like to check their eligibility, they can open a help desk request at https://code4rena.com/help.", "Helpdesk requests are typically resolved within 24-48 hours on business days.", "Users can submit a help request to add a Twitter handle to their profile page.", "Inquiries about auditing projects can be made online.", "If the application for certification is 
approved, certified status is received shortly after the team processes the application.", "The entity to be invoiced for received rewards is Code4rena UNA.", "Tax reporting for wardens is in progress.", "C4, being a DAO, has made changes to allow for invoicing.", "The changes have been discussed at https://github.com/code-423n4/org/discussions/91. This is aimed at helping people comply with tax regulations.", "Inquiries about the Code4rena UNA address details for invoicing purposes can be made.", "There is a possibility to invoice, but it needed to be confirmed by a specific individual.", "The invoicing feature is beneficial for people in the EU for compliance with tax laws such as MiCA.", "Compliance with tax laws was a major reason the DAO wanted to make changes.", "The entity referred to is the Code4rena UNA.", "There is ongoing work on tax reporting for wardens.", "Contest results are posted in the contest channel once judging is complete.", "The findings repo is made public once the report is published.", "If a report is accepted, the reward payment is usually made within 1-2 business days of the announcement.", "The judging process can take anywhere from 2-4 weeks depending on the number of submissions and the complexity of the code.", "There was a user experiencing an error while trying to submit a report, which got resolved after multiple attempts.", "The channel for those who want to be a sponsor is labeled as #\ud83d\udcbci-want-c4-to-audit-our-code.", "There was a KYC inquiry, indicating that KYC is a part of the process.", "The bot race prize pot was initially taken from the HM pot, but this is expected to change soon.", "Information about gsset, gscoldsload and others can be found at https://github.com/wolflo/evm-opcodes/blob/main/gas.md", "Participation in test-coverage, as outlined at https://medium.com/code4rena/new-to-code4rena-test-coverage-c548645404f9, is currently open only to certified wardens.", "Information about gsset, gscoldsload etc. 
can be found at https://github.com/wolflo/evm-opcodes/blob/main/gas.md.", "Participation in test-coverage is currently open only to certified wardens. More information can be found at https://medium.com/code4rena/new-to-code4rena-test-coverage-c548645404f9.", "After confirmation from provenance, it is possible to participate in a private audit.", "Provenance directly sends the confirmation to process a private audit application.", "The Vine Labs contest got postponed.", "Only one low-severity report among all the low-severity reports submitted is chosen to be included in the final report.", "The occurrence of an \"EvmError: OverflowPayment\" error is due to balance overflow.", "The confirmation of whether issues submitted got accepted or not for the closed contests is known when the report is generated or when one qualifies to be Backstage.", "Qualifying to be Backstage happens through the process detailed at https://docs.code4rena.com/roles/certified-contributors.", "If a team submits 3+ Med and they are accepted, all members become eligible for the backstage role.", "By submitting as a team, all members receive the bug stats.", "The compound cToken exchange rate resets if 100% is repaid.", "The csv which contains all rewards based on each finding can be found at _data/findings/findings.csv before deletion.", "The process of approving a team for contest participation can take up to a few business days.", "Merging a team's PR allows them to submit findings as a team.", "The compound cToken exchange rate resets if 100% is repaid.", "CodeArena conducts audits similar to Venus protocol (lending, borrowing, etc.).", "CodeArena used to have a CSV file which contains all rewards based on each finding, which can now be accessed at https://code4rena.com/community-resources/findings.csv.", "The process of approving a team for CodeArena contests takes up to a few business days.", "Once a team is approved, participants can log in and submit findings as a team.", "Participants 
are interested in Bot Races and query about their qualifications and upcoming qualifiers.", "Bot Races related questions can be answered in the #bot-race-help.", "After contests close, it is not possible to edit findings. Any required changes need a help desk request.", "The leaderboard gets updated every time awards are announced, however, not all contest types are currently supported.", "Calculation of lines of code can be done using the tool named 'cloc'.", "Usernames on CodeArena are currently immutable and cannot be changed.", "To change the username, one needs to re-register on CodeArena.", "Participants have queries about tools to test code coverage.", "The 4nalyzer requires a specific scope.txt to analyze, rather than being able to analyze a whole folder.", "Participants experience some issues with logging in on the CodeArena platform.", "Users may need to re-register if they want to change their names.", "There exists a report that only shows unique findings.", "In scope.txt, users can execute the 4nalyzer and analyze everything inside a folder.", "Users can encounter login issues where the system shows them as logged in, but the interface does not change.", "Some users have trouble executing foundry fork testing in the polygon POS network.", "There is a feedback channel available for suggestions and other comments.", "Users can receive awards on Polygon that can be connected to MetaMask for conversion and withdrawal. The conversion process from Polygon Token to EUR can be done through MetaMask bridge and Coinbase.", "The BASE contest requires KYC (Know Your Customer) protocol, making it difficult for some participants to form teams. 
However, KYC is not necessary for the Maia DAO Ecosystem contest.", "Users can edit their submissions after submitting an issue.", "Markdown formatting is allowed in submissions.", "Users can find feedback for their submitted findings.", "The requirements for the backstage role can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "If a user has received a confirmation email from provenance regarding their KYC, they may have to wait for a certain period for the role.", "Users are able to edit their findings in the contest.", "Direct messaging between users is possible.", "The requirements for a backstage role at CodeArena are detailed at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Users can submit a help desk request to track the status of their KYC confirmation.", "Help desk requests are replied to during business hours, not on weekends.", "There was a question raised about the possibility of precision loss in a specific code snippet (Profit = allProfit", "((allProfit / 100) * fee);).", "Concerns were raised about the limited duration (20 days) for the audit of a project named Maia, which has 12K Source Lines of Code (SLOC).", "The longest duration for an audit at CodeArena has been three weeks.", "A user suggests that for larger codebases, more time might be necessary for a more thorough review, otherwise bugs may be missed.", "Two years ago, an audit with 12 participants was considered big.", "1000 auditors were added to the platform in the past month.", "More audits run simultaneously tend to increase the activity of registered auditors on the platform.", "The project team was open to extending the duration of the audit for Maia to 5 weeks.", "There is an option to extend the project timeline to 4 weeks or more if the sponsor agrees.", "The project timeline was extended to 5 weeks.", "To get the backstage role, one must be certified and meet certain qualifications, then create a help desk 
request to have their status evaluated.", "The evaluation for the backstage role is usually done within a week if all qualifications are met and nothing is pending.", "For most audits, it's not necessary to be a certified contributor.", "It's possible to apply for a backstage role through a help desk request.", "If competing with a team, all members need to be certified to receive the payout.", "To gain permission to audit private contests, one usually needs to be certified and also rank on the leaderboard.", "The gas cost in the foundry is measured in units of gas.", "There are gatherings such as ETH CC Paris and ETH Belgrad where members are planning to meet.", "The status of a help desk request can be followed up and should get a response within a week.", "There is a process for applying to be a Certified Warden, and subsequent communication regarding the KYC.", "There is a method to participate in the Ambire Contest for those registered as a Warden.", "There may be a delay in receiving responses to certain requests or applications.", "Permission to audit private contests typically requires certification and ranking on the leaderboard.", "Foundry gas cost is measured in units of gas.", "No update has been provided regarding the subject referred to as \"Masons\".", "Judges' comments on contest submissions may be visible, as per the question asked about the Asymmetry contest which can be found at https://code4rena.com/contests/2023-03-asymmetry-contest.", "There might be a ranking cutoff for auditing private contests, with top 3 or 5 usually taken for mit review or invitational.", "For private audits, certification is usually sufficient.", "Identification verification for KYC may not necessarily require a passport; other forms of ID may also be acceptable.", "There are three types of audits: public, private (where certification is usually sufficient), and invitational (only specific wardens are invited).", "For the base and chain link contest, all team members 
should undergo KYC verification.", "The Code4rena website experienced a \"page not found\" error, which was identified as a DNS issue.", "The term \"Audit summary awards\" was mentioned but not explained, with the promise of more information to be shared prior to the contest start.", "Changing a Twitter username on Code4rena may require creating a help desk request at https://code4rena.com/help.", "In case of errors on the main help page, an alternative link for help is https://old.code4rena.com/help/.", "The meaning of \"I\" in the report judging decisions was questioned but not clarified in the chat.", "Users can change their Twitter username on C4 by creating a help desk request.", "The link to create a help desk request is https://code4rena.com/help.", "An alternative link for help desk requests is https://old.code4rena.com/help/.", "In report judging decisions, the \"I\" may mean \"informational\" which is non-critical, or for bot racing, it may mean \"ignored\".", "An issue might be ignored if it is either extremely small impact or if there isn't enough detail or proof.", "The decision to ignore an issue is up to the judge.", "The discussion about bot race related issues occurs in #bot-race-help.", "No gas optimizations rewards are given on Base.", "Wardens may get paid for sponsor confirmed issues or sometimes even disputed ones.", "To participate in restricted audits, individuals can apply at https://docs.code4rena.com/roles/certified-contributors.", "For becoming a certified contributor, Provenance typically sends the KYC mail within one business day after the application is submitted.", "The Reserve audit is private.", "If a team wins a prize but is unable to claim it due to KYC issues, it's unclear whether the prize will be on hold until they complete the KYC or if it's gone forever.", "Users are considering changing their nickname through registering another account with the same email/Github address.", "Some users have a National Identification Card 
but don't have a passport and are participating in contests.", "Provenance sends the KYC mail from the email address kobus@provenance.company.", "Applications for certain processes within CodeArena are typically processed within one business day.", "If a team wins an audit but cannot claim the prize due to KYC issues, there's a concern whether the reward will be on hold or lost forever.", "Users can change their nicknames and question the possibility of registering another account with the same email or GitHub address.", "Some participants have national identification cards but no passports, and they inquire if they can verify their identity for KYC purposes.", "CodeArena, at the time of the conversation, does not have a bug bounty award for reporting issues in its DAO governance or web application.", "There are instances where users don't receive emails from Provenance.", "Changes to contest rules can be found in the documentation provided at https://docs.code4rena.com/.", "An analysis reward is mentioned, and it appears to be a new feature. More information can be found at https://discord.com/channels/810916927919620096/810936719003090974/1111666431050919996.", "A user can verify for base but is not receiving emails from Provenance.", "A delegate call from a receive function is possible.", "All members of a team should be KYC'ed in order for the team to get paid after participating in the Base audit.", "More information about joining an invitational can be found at https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef.", "Updates to the bot race reward structure will be announced before the Maia contest. 
The update can be found at https://discord.com/channels/810916927919620096/958800160870240286/1109067971915153508.", "The role of a mason can be found at https://discord.com/channels/810916927919620096/810956862609424414/964680554509377577.", "Updates to the bot race reward structure for the Maia contest have been announced in a link: https://discord.com/channels/810916927919620096/958800160870240286/1109067971915153508", "For verification for base, users are advised to check their spam mail.", "Explanation on the \"mason\" role can be found at: https://discord.com/channels/810916927919620096/810956862609424414/964680554509377577", "Information about a certain update can be found at: https://discord.com/channels/810916927919620096/1111666431050919996", "Typing \"#channel\" in the chat tags the intended channel.", "Users can access a blog post at https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan to understand how to approach auditing of big projects.", "Users can re-register to change their username.", "It takes a few days to get the certified role after finishing the KYC process.", "Information about certified wardens is in the documents (docs).", "Information about office hours for audits is shared in the C4 rollup in #announcements.", "The video of the last office hours meeting will be posted on YouTube in the early part of the next week.", "Not all audits at CodeArena have office hours.", "Upcoming office hours are shared in the C4 rollup in their announcements.", "A suggestion for handling flashloans in the context of smart contracts is to use a flag to allow or disallow the flashloan, similar to a reentrancy guard, though this would have a gas overhead.", "An office hours session will be posted on YouTube early the following week.", "In the case of flashloans, it's the responsibility of the recipient contract to perform any necessary validations, such as ensuring they don't lose any funds by the end of the operation.", "The default foundry comes 
with console.log in the library.", "If a user does not receive an email after registration with CodeArena, they can open a help desk request.", "An issue regarding differences in judging was submitted at https://github.com/code-423n4/org/issues/105.", "Grading of basic analysis is clarified at https://discord.com/channels/810916927919620096/1111666431050919996/1111674611646611567.", "There is a 48-hour deadline for response after providing all documents for KYC to provenance for getting certified.", "An instance of a low severity bot race finding is described, where external calls in an unbounded for-loop may result in a Denial of Service.", "A scenario where a user can push to the array arbitrarily and cause a Denial of Service for everyone else, breaking system functionality, should be submitted as a High/Medium severity issue.", "The submission policy related to automated findings is provided at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Auditing security is possible without focusing on the frontend of the blockchain.", "A question was raised about how a scenario where a user can push to the array arbitrarily and cause a DOS for everyone else, breaking system functionality, would be categorized in terms of severity.", "This scenario should be submitted as a High/Medium severity issue according to the submission guidelines.", "The submission guidelines can be found at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "There was a query about being a security auditor without focusing on the front end of the blockchain.", "There is an inquiry about mismatch between documentation and the code as QA or medium. The response was, it's mostly QA if no impact.", "A question was raised about obtaining ETH in Goerli testnet for ethernaut. 
The suggested solution was to use polygon/sepolia.", "A query about the backstage role resulted in a link to the description for certified contributors: https://docs.code4rena.com/roles/certified-contributors.", "An issue was reported about adding a member to a team.", "A question was raised about the ability of a foreigner to become a certified warden.", "An inquiry was made about the necessary documentation to submit for becoming a certified warden.", "A question was raised about the rewarding formula for findings of different severity and how the finding count value changes in the case of partial credit.", "An inquiry was made about the necessity of POCs for submissions. The response was that POCs are recommended.", "One user reported difficulties accessing the site.", "A Proof of Concept (PoC) is recommended for smart contract audits.", "Users experience intermittent difficulties accessing the site.", "A vulnerability without a PoC can potentially be rewarded as a high if the process is clearly described in bullet points.", "It's not necessary for a PoC to be exact code.", "Instructions on how to include a PoC are available at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.", "If a user changes their wallet address, rewards are sent to the wallet address on file at the time awards are calculated for an audit.", "A user can change their wallet address where they receive awards, more information about this can be found at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards.", "For help, users are recommended to submit a help request at https://code4rena.com/help.", "There are questions regarding the rewarding formula in terms of findings count and partial credits.", "The loss of rewards can potentially be considered a \"loss of assets\", the categorization as high or medium risk depends on external conditions or attack difficulty.", "Help desk requests can be 
made at https://code4rena.com/help.", "There are queries about whether judge payment and lookout/scout payment are included in leaderboard ranking calculations.", "Loss of rewards is considered \"loss of assets\" and it can be designated as high or medium depending on whether there are external conditions, or attack difficulty.", "A help desk request can be made through the following link: https://code4rena.com/help", "Judge payment and lookout/scout payment are not included in leaderboard ranking calculations.", "The submission preview supports mermaid syntax.", "Guidelines for rewards and duplicity of findings are available at: https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit", "Abstract contracts are meant to be extended and are not supposed to be used on their own. They are like a template contract that needs completion before usage.", "The verification process can be initiated as per the instructions provided at: https://docs.code4rena.com/roles/certified-contributors", "The score for a report may be lowered if it contains a few invalid issues, however, if it's very similar to a bot report it may be further penalized.", "The same issues reported by a bot should not be included in the report unless they build a more complex exploit.", "Post an audit, the review process by the judges can take about 8 weeks and wardens can generally see findings immediately upon audit close. 
The link to the full process is: https://docs.code4rena.com/roles/certified-contributors", "Generally, it's not worth including instances of the same issue reported by a bot in the reports.", "Known issues can be used to build a more complex exploit.", "It generally takes about 8 weeks for the judges to review the findings and create the leaderboard after an audit ends.", "Judges can see findings immediately upon audit close [link: https://docs.code4rena.com/roles/certified-contributors].", "The team is aware when a site issue arises and they work towards a resolution.", "Findings for completed audits can be checked via the C4 GitHub repo.", "Users can see their submissions by checking their Analysis Report.", "The ability to edit the Analysis report type is not available.", "The xETH", "Mitigation Review is open to those who participated in the original Invitational audit.", "Discord usernames can be updated on the C4 account, but it is advised to submit such questions via the Help Desk for developer team review.", "Issues can be reported with worded descriptions only, and there is no penalty for wrong reasoning as long as it's not spam.", "Having a coded Proof of Concept (PoC) along with the report can increase the chances of the report being selected, which comes with a 30% bonus.", "User queries and issues can be reported via the Help Desk [link: https://code4rena.com/help].", "If a participant needs assistance, they are advised to create a help desk request on https://code4rena.com/help outlining the issue they are experiencing.", "In order to participate in invitational audits, one needs to be certified, and more information on certification can be found at https://docs.code4rena.com/roles/certified-contributors.", "RSVP is a way for participants to signal their interest in audit opportunities.", "The number of issues reported in a Gas and QA report doesn't necessarily determine the grade; it could have one good issue to be a grade B, or it could have 
multiple low-impact issues and still be a grade C.", "To view issues reported for a contest on the website, one needs a +backstage role.", "Information on how to get the backstage role can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Additional guidance on how to prepare a Gas and QA report can be found at https://www.youtube.com/watch?v=nady250cNo4.", "For each contest, the Readme Page has a section titled \"Known Findings\" where automated findings not accepted in the contests are listed.", "Bridging from Polygon to Ethereum and withdrawing USDC on Coinbase requires both Matic and Eth if using the Polygon bridge. However, if using the Hop Bridge, only Matic is needed, although less USDC will be received on the Ethereum Mainnet.", "Deposits into Coinbase can be made directly from Polygon.", "To bridge from Polygon to Ethereum and later withdraw USDCs on Coinbase, both Matic and Eth are needed if using the Polygon bridge. If using the Hop Bridge, only Matic is needed but less USDC will be received on the Ethereum Mainnet.", "USDC can be deposited into Coinbase from Polygon.", "Discord's update asks users to use their name without the discriminator and this might affect the warden role. 
To address this, users need to update their new Discord handle in their profile on the site.", "Changing a username could affect the account registration as a warden.", "If a finding is classified as low risk in QA but is judged and confirmed as medium risk by other wardens, the judge will usually upgrade it automatically.", "Questions were asked about what post-judging QA is and when it happens, how to see the bounties for different exploit types based on a contest, how to apply for private contests and if audit of canto will be in Go.", "Information was shared on how to deal with a changed Discord ID, which can be found here: https://discord.com/channels/810916927919620096/810931711609143326/1119321495987032144", "It's possible to edit a submitted QA report until the audit deadline.", "There was an inquiry about how to get the \"leaderboard\" tag for the profile. If a user is in the top 5 of a contest and has received the reward, the \"leaderboard\" tag should be updated in the roles.", "If an issue was reported, it doesn't need to be sent to the judge/lookout because the judge can see it.", "Users can get the \"leaderboard\" tag in their profile if they get in the Top 5 in the contests.", "Reported issues can be viewed by a judge without needing a direct link sent to them.", "There may be issues with visibility of reported issues on the Issues page, potentially due to GitHub issues.", "Certified warden applications are submitted and feedback is received via email, including from the email address @provenance.company.", "To link to specific lines of code on GitHub, users can click on the code line on the left tab which will change the URL. 
Holding SHIFT can capture a range of lines.", "Changes in display username do not affect the user's account.", "Payments for contests are made in the cryptocurrency USDC on the Polygon network.", "User's Code4rena profile can be linked to their Twitter account by submitting a help desk request with their warden name and Twitter URL at https://code4rena.com/help.", "Users can get certified by following the guidelines at https://docs.code4rena.com/roles/certified-contributors.", "Backstage access is based on the certified contributor role, the number of findings (at least three medium findings and four total findings) and participation in contests. Access can be applied for once the results are published to the leaderboard.", "The results of contests are dependent on how long judging takes.", "Certified contributors to C4 can join backstage once they meet certain criteria, such as the number of findings and contest participations.", "Participants can apply for backstage access as soon as the contest results are published on the leaderboard, which usually happens shortly after the awards are announced.", "The timeline for publishing contest results depends on the time taken for judging.", "Users can update their Discord name on the Account Management page of their warden profile, however, their Discord nickname should remain as their registered C4 username.", "Contestants of C4 contests can inquire about the progress and schedule of final reports.", "CodeArena can run audits with a Rust focus and can connect participants with the booking team for a conversation.", "Withdrawing a finding in C4 is the same as canceling it.", "If a bot finds a high or medium finding, it only gets the bot pool reward based on the bot race rank. 
Bots can only gain more rewards by having more points and shifting the rank cutoffs, thus bumping others to lower ranks.", "There were considerations by the UNA to send USD (fiat) to participants instead of USDC to help participants in countries having issues converting crypto to fiat.", "Audit concerns, marked as 'Lookout' category of findings, can be included in the QA report in a detailed Medium finding format (impact/POC/mitigation etc).", "If a function call in a smart contract always reverts but assets are not at risk it can be considered as a Medium or High finding depending on the context.", "Participants can upload images to their report submissions by uploading it to their Gist, submitting the report with the gist link, and later deleting their gist.", "Participants can direct message the C4 staff members.", "CodeArena has performed audits with a Rust focus.", "CodeArena has a booking team that can assist with setting up audits.", "Participants can direct message (DM) CodeArena staff members.", "Reports for CodeArena can be submitted with a Gist link.", "Participants are encouraged to explore other options for exchanging to fiat currency.", "Participant feedback can influence CodeArena's priority operations projects.", "Analysis awards are distributed at CodeArena, but no specific process is mentioned.", "CodeArena runs contests for analyzing smart contracts.", "Participants can ask about the largest contest in terms of Source Lines of Code (SLOC) at CodeArena.", "Images can be included in submissions by following the guidelines at https://www.markdownguide.org/basic-syntax/#images-1", "Issues with image submission guidelines can be resolved by rendering the image correctly in another place like GitHub.", "CodeArena announces awards for specific contests, such as the Stader Labs contest.", "Findings submitted for CodeArena contests can be edited while the audit is open.", "The possibility of editing findings may not be available after the audit has 
closed.", "Emojis are used in CodeArena for identifying contracts out of scope.", "Incorrect severity settings for issues at CodeArena is a concern for some participants.", "Quality assurance (QA) reports at CodeArena are graded based on the number of low findings. Two reports graded \"A\", one with 2-3 low findings and another with 5-6 low findings, would receive the same award.", "There may be a bonus for each low finding selected for the report.", "There is a penalty for setting incorrect severity of the issue in smart contract auditing.", "The evaluation of QA reports is based on both the quantity and quality of findings.", "All A graded QA reports receive the same award, regardless of the number of Low findings.", "There is a structure of incentives for each Low/N finding selected for report, as explained in the documentation: [https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process](https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process)", "The uniqueness of Low issues was once a ranking factor, but is no longer relevant.", "Judges consider both quantity and quality of submissions when grading QA reports, and a single item in a QA submission is unlikely to receive a high grade. This information is further explained in the following links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)", "Judges have the ability to downgrade medium issues to QA and consider them alongside your QA report when grading. 
They also have the ability to upgrade items from your QA report if they feel severity should be higher.", "Incorrect findings in a QA report can affect the QA grade.", "The #\u270brsvp channel is used to see upcoming public audits and raise a hand if planning to participate.", "A new profile feature was introduced, but to change the profile image, a help desk request needs to be created: [https://code4rena.com/help](https://code4rena.com/help)", "Bugs related to the new profile UI can be reported in the #profile-help channel.", "Information about protocols audited on other bug bounty platforms can be used to fill the new auditors profile.", "To change a profile image, users should create a help desk request on the Code4Arena website (https://code4rena.com/help).", "The #profile-help channel is used to get assistance with profile-related issues.", "Bugs in the new profile UI can be reported in the #profile-help channel.", "Auditors can use information about protocols they have audited on other bug bounty platforms to fill their profiles.", "There are certain features and contests that users would like to see included in the leaderboard ranking.", "The Nouns DAO contest runs from July 3-13.", "Users can check if they are certified by clicking their name to see assigned roles and also via email communication.", "Private contests are only open for certified members and qualifications are described in the #\ud83d\udd96rsvp-certified channel. Some contests are open only to those who participated in the original audit.", "The Analysis awards are $4,250 USDC and the QA awards are $2,000 USDC. Guidelines for analysis can be found at: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118", "There have been instances of users receiving emails about the updation of payment addresses without their knowledge. 
Such issues can be reported and will be checked by the team.", "Analysis awards of $4,250 USDC and QA awards of $2,000 USDC were mentioned.", "There are separate guidelines on what should be submitted for analysis awards and it can be found at https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118", "An issue was mentioned about an unexpected email regarding the updating of payment address.", "A question was raised on how to get the OG Warden status on a profile.", "The question form used for analysis submissions supports markdown.", "Information about judges or lookouts is not disclosed before or during the contest to maintain bias-free competitions.", "An issue can be non-critical and also be included in gas optimizations.", "Inquiry was made regarding the timeline for a contest involving over 12k sloc, which was extended to 4 weeks.", "The results for the Stader labs contest were yet to be announced at the time of the conversation.", "An estimated timeline for the process is provided in the organization's docs at https://docs.code4rena.com/structure/our-process", "A question was raised on whether it is worth creating a report for 1-2 Low and 1-2 Gas issues.", "The upcoming contest for the Bean Money protocol was clarified to be the Basin audit, with information found at https://code4rena.com/contests/2023-07-basin", "An issue was reported regarding submitting an analysis as a team due to an error about a saved polygon address, to which assistance was offered through the help desk.", "It is possible to submit more than one high-risk finding in the same audit, but if the root causes are the same, they would be counted as one.", "There are instances of users encountering an error when submitting an analysis as a team regarding a saved polygon address.", "There is a procedure to submit a help desk request when issues arise during the analysis submission process.", "High-risk findings during an audit are counted as one if their 
root causes are the same.", "On the leaderboard, there is an \"Available for Hire\" filtering option.", "To be marked as \"Available for Hire\", one must be a Certified warden. Profile editing to reflect this status is done via the profile editing screen.", "The option to add \"Available for Hire\" status on a profile may not immediately appear, even after certification, due to manual steps on the backend.", "Help requests can be submitted via https://code4rena.com/help.", "If too much information is accidentally pasted in an issue that should not be publicly available, editing is the suggested course of action.", "Even after editing an issue, the initial (pre-edited) issue may still be publicly available in the edit history.", "Issues that are withdrawn are marked as such and are then closed.", "If a user feels it's a security risk to have issue contents made public, a Help Desk request can be submitted.", "All low/NC issues are to be submitted in one QA report.", "Findings can be withdrawn under \"your findings\" on the contest page.", "Sponsor's decisions are independent and one's decision does not affect the other's decision.", "It's possible to cancel a submission and create another one, by withdrawing the findings under the \"your findings\" on the contest page.", "A user was inquiring about Bot Race, however, no further information was provided in this excerpt.", "To submit findings, there is a form on the website for each contest.", "Post mortems can be found on the YouTube channel: https://www.youtube.com/@code4rena", "Currently, it's not possible to edit or resubmit an analysis report, but this functionality is planned for the future.", "Help desk requests can be used to add changes to the analysis report.", "To participate in judging and gain backstage access, information can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "For issues with large text that don't fit in the textbox on the help desk site, users can 
link a gist.", "Multiple ideas about gas optimizations can be written separately and merged into one report.", "For a bot in bot-racing, the presence of unique vulnerabilities or their number was discussed, as well as whether accuracy (no false positives) would be an advantage. However, no definitive answer was provided within this chat excerpt.", "Users are discussing how to compile multiple ideas about gas optimizations into a single report.", "The importance of unique vulnerabilities in bot-racing was discussed.", "There was a query about creating an analysis report for the Maia contest.", "A user reported an error related to not having a polygon address saved while trying to create an analysis report.", "There was a query about whether it's okay to post a Notion link for the analysis report during the submission process.", "Concerns were raised about the ability to edit a Notion document after the analysis report is closed.", "The mechanism review part of an analysis report was discussed, with the advice given that if a user doesn't have expertise in mechanism and incentive design, they don't need to force it.", "A user asked where to categorize findings that could fit into two categories (mechanism and architecture) in an analysis report.", "The public visibility of analysis reports was confirmed.", "A user reported they were unable to submit their findings for the MaiaDAO contest before the contest deadline due to a power cut.", "Late submissions for contests are not accepted as per the submission policy, available at: https://docs.code4rena.com/roles/wardens/submission-policy#late-submissions.", "A query about the results of the BASE contest was raised.", "Late submissions cannot be accepted according to Code4rena's document on submission policy found at https://docs.code4rena.com/roles/wardens/submission-policy#late-submissions.", "All findings need to be submitted before the audit closes.", "In case of any crisis related to stablecoins, swaps can be 
made.", "Any issues with logging in to a C4 account can be addressed in the #auth-help channel.", "The tool used to calculate LOC (Lines of Code) is 'cloc'.", "Bot registration is opened every couple of weeks and updates on this are provided in the #\u270brsvp channel.", "Twitter URL in the portal can be changed by creating a help desk request at https://code4rena.com/help.", "Editing the analysis report is expected, but if there's an issue, a help desk request can be created.", "To find reported vulnerabilities in the GitHub repo, one can search for their username or handle.", "Users cannot edit the analysis report directly, but can create a help desk request including a secret gist to have edits added to the comments of their analysis report before the audit closes.", "Users can find their findings in a GitHub repository by searching for their handle.", "Report submissions can be updated as long as the contest has not ended.", "Connection issues with the code arena website using wallet connect can be reported to the #auth-help channel.", "There is a process to edit findings while an audit is still open by going to the contest page and clicking on the \"Your Findings\" button.", "The duration of contests (like Basin and PoolTogether) is not directly proportional to the size of the source code (sloc).", "Information about where low findings go towards can be found at [https://docs.code4rena.com/roles/wardens](https://docs.code4rena.com/roles/wardens).", "The severity of issues can be updated post-submission by judges.", "The editing of a warden profile on the platform is not directly accessible to users.", "Access to the source code of certain protocol files, like the Nouns DAO protocol, may be restricted.", "If the severity of a report is incorrectly categorized as medium, it can be updated to high by C4 judges.", "The users have the ability to edit their warden profiles, however, this feature is currently only available to those who were certified when warden 
profiles were introduced.", "The certification process is approved by provenance, and after approval, it generally takes a few days for the role to reflect on the profile. The status of the certification process is updated via email.", "The certification process can be initiated by applying through this link: https://code4rena.com/certified-contributor-application", "Users can view their QA reports for contests that have already closed.", "Users have the ability to submit an analysis for contests.", "There is no mechanism to edit the text of a submission after a contest has ended.", "The term \"OG Warden\" refers to a badge on the website for wardens who started a while ago.", "To gain access to 'backstage', a valid high submission is required. More information on backstage qualifications can be found at this link: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "Bot qualifiers are held every few weeks and updates for these qualifiers are posted in the #\u270brsvp channel.", "The Canto Jun 20 results have been published.", "To join the backstage, one needs one valid high rating.", "Information on backstage qualifications can be found at: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "To gain access to backstage, one can submit a help desk request if they meet the qualifications based on published contest results.", "Information on the next bot qualifier can be found on the #\u270brsvp channel, which usually runs every few weeks.", "Information about submitting an Analysis Report can be found at: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118", "It is not currently possible to edit analysis submissions, with the possibility of this feature being included in the future.", "Tips for improving skills in auditing include; reading reports, auditing codebases, and persistence.", "Incorrect submissions are usually labelled as \"unsatisfactory\".", "Analysis findings from 
contests can be located in the findings repo.", "Analysis examples will be available from Maia onwards.", "Top three auditors are selected in the mitigation review, for example in the jul05 Chainlink contest.", "It is questioned whether wardens are paid if no issues are found in mitigation review.", "Questions about understanding audit reports without an overall understanding of the codebase were raised.", "There was a question about the awarding calculations, specifically if submitting two similar reports, and one marked as duplicate, would affect the payout.", "Bot races are an event, with more information available at: https://code4rena.com/register/bot", "In auditing, the types of bugs that are generally considered high are unique.", "Participation in contests is recommended for improving skills.", "There is a concept of \"bot races\" which can be accessed at https://code4rena.com/register/bot.", "Many successful auditors emphasize on reading past audit reports to understand them better.", "Participating in contests is suggested as a way to gain a better understanding of audit reports.", "Submitted reports can be found in the user's email.", "A post judging QA period exists where comments can be made on the judges decisions.", "There is a certain level of restriction on commenting on issues outside of the Q/A.", "Some projects may be live on chain and at the same time being audited on C4.", "There is no strict requirement to write an exploit for medium severity bugs, but it is common to do so.", "If a finding is submitted as a low in QA report, but the judges determine that its a medium, it will be eligible for medium rewards as per https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.", "The ranking of the severity of issues can be found at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization.", "There is a 
possibility of revising the payment amount (increase, decrease) after payout.", "The current bot is advanced enough to capture the issue such as division before multiplication and loss of precision because of the division.", "The Code4 Severity ranking can be found at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization", "There is a question on whether C4 has ever revised payment amount after payout.", "The bot is advanced enough to capture issues such as division before multiplication and loss of precision due to division.", "A valid issue can include the loss of precision described in the context of the code with better impact.", "If a bot race report has a low vulnerability with more than two instances, it should be added to the QA report.", "There was a delay in Base results but they will be available soon.", "A user was having trouble accessing their Findings for Tapioca DAO on the website https://code4rena.com/contests/2023-07-tapioca-dao#top but the issue was resolved.", "People are working on zk.", "There is no website link provided for the amphora protocol in the rsvp channel.", "Information about the next bot qualifier race can be found in the #\u270brsvp channel on Discord.", "Information about Amphora Protocol can be found at https://code4rena.com/contests/2023-07-amphora-protocol#top.", "Updates about bot qualifier races are available in the #\u270brsvp channel.", "On Code4Arena, if a finding is valid but the severity is not correct, there is a discussion about it being automatically re-affected.", "The HM page in the context of the chat likely refers to a high medium level.", "There was a report of api.code4rena.com returning a 500 error.", "At the time of the chat, the API was for internal use only, though some features were exposed to judges.", "Vulnerabilities impacting the Code4Arena webapp should be reported to security@code4rena.com.", "The process for reporting vulnerabilities to Code4Arena was in the process of being 
established and documented.", "The process to create a bot team involves registering the bot during the qualifier.", "The process to report vulnerabilities impacting the Code4rena's webapp currently involves sending a direct message to a specific individual or emailing the issue to security@code4rena.com.", "There is a 30% bonus for the best advanced analysis report in the competition.", "Bot crews are different from teams and require registration during the qualifier.", "Bot crews need to be KYC'ed to receive payments for some audits, but not all.", "A single report with all occurrences of the same issue is acceptable when submitting findings.", "A user can include both high severity and medium/low severity issues in the same report, but the highest effort should be put into the high severity issues.", "Users have faced issues logging in on the C4 website.", "There were questions regarding the discrepancy in the lines of code mentioned for the #arcade-jul21 contest on different platforms.", "Users can change their username.", "There have been issues with team registration visibility on user profiles.", "Bots sometimes identify issues and propose fixes in the Code4rena context. However, there is a concern that the fixes proposed by bots might introduce more damaging exploits.", "Vulnerabilities identified by bots can potentially be rated lower than their actual severity, and then the vulnerability can be reported again during the contest by a warden and awarded with the higher severity.", "When users submit a \"Proof of Concept\" with Github, they do not have to make the repository public due to the risk of exposing vulnerabilities to the public. 
Instead, a private gist can be used.", "There are instances where a bot identifies an issue and proposes a fix, but the fix may introduce a more damaging exploit.", "Users are advised to submit such cases for a judge to weigh in.", "Bots are suggested not to propose mitigations.", "If an issue identified in an automated finding can lead to a high severity finding, it has been suggested that it could be reported again during the contest by a warden and could be awarded with higher severity.", "It is questioned whether a \"Proof of Concept\" with Github should be made public due to vulnerability exposure risk. The recommended solution is to use a private gist.", "There is a discussion about issues in logging into CodeArena with Metamask wallet.", "The link to apply for the Bot Race is shared: https://discord.com/channels/810916927919620096/1093914558776758403/1132679460437639248", "Users can check all the reports they submitted during the competition, and will receive confirmation via email.", "Users can change their Code4rena profile picture by submitting a help desk request with a picture link: https://code4rena.com/help", "RSVPs for invitation contests are filled based on sponsor request and the 90 day leaderboard ranking of those who RSVP'ed.", "There is an inquiry about the process of submitting issues found in out of scope contracts.", "There are reports of issues in accessing the C4 website.", "A question is raised on why people still get their smart contracts audited even if automated tools reported vulnerabilities.", "A reported error in viewing findings on Code4rena is being looked into by the developers.", "A question is raised about the use of a graphical interface for understanding smart contract interaction. The deprecated Surya tool: https://github.com/ConsenSys/surya is mentioned.", "There is a discussion on whether bug reports should assume that automated findings will be fixed, particularly if the proposed mitigation introduces a new bug. 
The response suggests not treating bot mitigations differently from wrong fixes proposed in the chat.", "Some users are interested in graphical interfaces for observing smart contract interactions, with Surya (https://github.com/ConsenSys/surya) noted as a potential, though possibly outdated, tool.", "Questions exist about the impact of automated findings on the contest and whether bugs introduced through mitigation efforts should be reported.", "Users are allowed to present their proofs of concept (PoC) in either code or plain English.", "Access to certain resources, such as the findings page, seems to be restricted based on certain user privileges, like being a part of the \"backstage\" group.", "Users can include replaced lines in their submissions using diff tools, such as those available on Linux.", "The audited reports validated by judges will be received in approximately 4 to 6 weeks.", "Some users have experienced issues with API rate limits when attempting to submit reports.", "There seems to be an error when some users try to access the link: https://github.com/code-423n4/2023-07-axelar-findings.", "The elliptical curve cryptography formula uses a prime number for the modulo operation due to number theory, as it outputs a more normal distribution than modulo of a composite number.", "The issue of signature malleability was discussed and in elliptical curve cryptography, a prime number is taken for the modulo operation to contain the x and y coordinates of the curve up to a finite plain.", "A user's application to be a warden was \"closed due to inactive for 2 days\".", "Users have reported trouble submitting reports due to an error saying \"API rate limit exceeded for user ID 81770958.\"", "Users have reported that they do not have access to the findings repo and requested to be added to the backstage group on Github.", "An audit contest known as the \"Arcade contest\" was mentioned where users encountered the \"API rate limit\" error.", "It was clarified 
that the projects in audit contests are yet to be deployed.", "A link was shared to show how to change the number of cases generated by foundry fuzz: https://book.getfoundry.sh/reference/config/testing#fuzz", "A user asked about the impact of updating their Discord username on their Code4rena account.", "A query was made about the difference between advice and a valid issue when auditing code and workflows of a project in a contest.", "Users have asked how to check for qualifier results for the bot race.", "An application to be a warden was closed due to being inactive for 2 days.", "It was mentioned that if a user changes their username, their statuses wouldn't carry over to the new account.", "It was clarified that a user could reapply for certified status after changing their username.", "An upcoming contest was mentioned, but it was unclear whether it was a private or public contest. The contest was later posted.", "Results for bot qualifiers are announced in a span of a week.", "There are upcoming contests that might not have been updated on the specific channels yet.", "A separate submission can be linked during the submission of an issue by referring to its number on the \"your findings\" page.", "An issue is valid to submit even if it is found by the bot race but another instance of that issue is not picked up by the bots.", "Reports are graded based on a relative score compared to other reports.", "Judging becomes final after rewards are announced.", "Backstage access to discuss the grading before the rewards are announced can be obtained by following the instructions on https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "To get the leaderboard role, it's required to place on the leaderboard.", "There are discussions about alternative payment channels to crypto due to restrictions from certain countries.", "Revolut and ZEN are suggested as alternatives that are crypto-friendly.", "Binance p2p is suggested as a last resort for 
exchanging crypto.", "ZEN is mentioned as being crypto-friendly.", "Revolut is used widely, with some users reporting no issues.", "There's a report of instances where Revolut freezes accounts and does not return the money.", "As a last resort, Binance P2P is suggested for crypto transactions.", "Concerns are raised about official entities flagging sellers and buyers accounts on Binance P2P, leading to immediate bank account freezes.", "If an issue found is in the same category as a bot report but not included in the bot report, it can be considered a valid finding.", "Users are advised to include such findings in their report and make it clear to the judge that the finding is related to a bot finding.\t", "Queries about how to report issues found in multiple places in the codebase are answered with a link: https://discord.com/channels/810916927919620096/810936719003090974/1134472653437145149", "Queries about risk rating for findings are advised to be resolved by reviewing guidelines, looking at how similar issues were judged in the past and making the best and clearest case possible.", "A query about whether a POC (Proof of Concept) should fully show every step in code is raised but not answered in the excerpt.", "Several users experience the same error when trying to submit to the arcade", "\"API rate limit exceeded\". 
This is flagged for the developers.", "There's a suggestion to host more web2 whitebox audits.", "A question about what web2 security topics apply to web3 security is answered with the instance of exploiting a Linux kernel 0day and RCE on the node to compromise an Ethereum node.", "There is interest in hosting more web2 whitebox audits.", "If an error in the audit persists until the deadline, it is flagged for the development team to handle.", "Some topics of web2 security also apply to web3 security.", "Ethereum nodes can be compromised using Linux kernel 0days and RCE on the node.", "Reentrancy is a common issue in both web2 and web3 sectors.", "A link to a Blackhat briefing on hunting and exploiting recursive MMIO flaws in QEMU/KVM was shared: https://www.blackhat.com/asia-22/briefings/schedule/index.html#hunting-and-exploiting-recursive-mmio-flaws-in-qemukvm-25484", "There is a debate about the importance of web2 security knowledge for web3 security. Some believe a practical understanding of web2 security, including DDOS attacks, is helpful while others think they only share a common mindset.", "Submission issues that occur on the Code4rena platform are handled by the developers.", "Doubts about how DDOS attacks can affect smart contracts were expressed.", "In the event of submission errors or multiple submissions on Code4rena, participants can seek assistance from the team handling the platform.", "Participants can view their submissions and the reasons for their rejection once the report is published and the findings repo is made public.", "There is a post-judging QA period where wardens can comment on the judges decisions, this is only available for backstage wardens. 
More on backstage wardens can be found here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "The chainlink staking v 0.2 was delayed and will be reposted once dates are confirmed.", "All bug reports have to be submitted before the closing of the audit.", "A participant expressed difficulty in catching vulnerabilities during CTFs and inquired if more solidity fundamentals or developer experience might help.", "The Chainlink staking v 0.2 contest on the C4 site is delayed and will be re-posted once dates are confirmed.", "Bug reports cannot be submitted after the contest has ended, all findings have to be submitted prior to the audit closing.", "Users are encouraged to practice and improve their skills if they are struggling with catching vulnerabilities during Capture the Flag exercises.", "There's a process for users to change their profile pictures, and these requests are typically addressed within a week.", "The C4 site was temporarily down for a user, the site's status can be checked at https://downforeveryoneorjustme.com/code4rena.com.", "Users are not allowed to change their account names and wallet logins, and it is unclear if they can create another account with the same Github username, email address, and Discord username.", "Users are having difficulty with specific courses due to lack of development background.", "There are issues related to submitting findings and loading submitted findings.", "Once findings are submitted, they are not disclosed to other competing wardens.", "The findings are sealed to other wardens but in order for judging to occur, they have to be visible to C4 staff, sponsors and the judging team.", "There is no reward for submitting findings first, the important thing is to submit before the audit closes.", "It is unclear when most findings are posted.", "Once findings are submitted in the competition, they are not disclosed to other competing wardens.", "The findings are accessible for the sponsor and C4 
staff.", "The findings are sealed until the competition is over.", "There is no reward for submitting findings first in the competition.", "Many wardens hold their submissions until the end of the competition.", "There is a link for information related to penalties for invalid issues: https://discord.com/channels/810916927919620096/810931711609143326/1134522735507292230", "The findings are not shared with anyone, including the project team and judge, until after the deadline passes.", "Staff occasionally need to access submissions during an audit to help wardens with any submission errors.", "A question was asked about how grades are assigned for QA and gas reports.", "There was a query about rewards for the #llama-jun06 contest.", "Some participants are looking for ways to participate in bot races.", "An email from provenancecompliance.com, in relation to certification, was verified as legitimate.", "There was a question about whether projects can be written in Foundry if the project uses Brownie for testing.", "A question was raised about a possible typo in the SLOC count for a contest on https://code4rena.com/contests/2023-08-arbitrum-foundation#top", "A concern was raised about the create-issue button not working sometimes.", "A query was raised about becoming a certified warden and eligibility for payout.", "Teams can only receive payments on one address, and then the team needs to distribute funds among themselves.", "There was a question about a mitigation review for Chainlink CCIP as mentioned in the original RSVP message: https://discord.com/channels/810916927919620096/958800160870240286/1111007546183012382", "Participants have 30 days to complete the process after finishing the audit.", "CodeArena only supports payments to one address, and the team can distribute funds as needed.", "There is a possibility of a mitigation review for Chainlink CCIP, as mentioned in the original RSVP message: 
https://discord.com/channels/810916927919620096/958800160870240286/1111007546183012382", "Participants can open issue tickets regarding problems with their rewards and they are reviewed by the CodeArena team.", "Rewards are sent on the polygon network, not on the ethereum network.", "There is a certification process with backstage access, that allow participants to discuss their findings: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "Information about the various rewards can be found at this document: https://docs.code4rena.com/awarding/incentive-model-and-awards", "Certified wardens can apply via this link: https://code4rena.com/certified-contributor-application", "Participants need to complete certification within 30 days of the end of the audit in order to receive their payout.", "Each individual team member needs to be certified in order to be eligible for payout.", "Questions about severity evaluation and specific bugs can be asked and answered in the chat.", "Team stats are considered in relation to individual stats.", "There seems to be a discrepancy between the start date of Chainlink Staking v0.2 in RSVP and the date on the Code4Arena website, necessitating a clarification.", "Applications for becoming a certified contributor at CodeArena can be submitted via this link: https://code4rena.com/certified-contributor-application", "The severity evaluation of a rug-pull vector for smart contracts can be classified as Medium or High but it is uncertain whether it should be reported at all.", "Team statistics may also count towards individual's statistics.", "The start date of Chainlink Staking v0.2 is different on the rsvp and the Code4rena website, the website's date is the correct one.", "Both valid and invalid issues are released when reports are out at Code4rena.", "The entire findings repo is made public, and there are links to the findings repo in each report on the C4 website: https://github.com/code-423n4.", "If a correct 
bug issue is submitted with an incorrect proposed solution, the submission can be updated if the Contest hasn't ended.", "When a help desk ticket is submitted, it usually gets reviewed within a week.", "A query about vault rebalancing and its working mechanism was raised in the chat.", "The prize winners are announced in the #\ud83d\udce2announcements section.", "To receive a payment for the upcoming arbitrum audit, one must become a Certified Contributor by successfully completing KYC.", "The KYC application process can be started at https://docs.code4rena.com/roles/certified-contributors.", "After applying for KYC, an email is received from Provenance and C4.", "Becoming an eligible contributor means completing the application listed on the above page and getting approval.", "The question about how many audits one needs to participate in to have Activity Stream available on their profile, was raised.", "The issue of multiple broken file path errors in the pool together competition was mentioned.", "A hypothetical situation was noted wherein if a hacker compromises C4's mail server, they could potentially read all findings and submit them as their own.", "The bot crew role involves being in a bot team or having their own bot. Bot races are held for the first hour of an audit. 
More information can be found at https://code4rena.com/register/bot", "If an analysis is accidentally submitted from a personal account instead of a team account, it is suggested to re-submit it from the team's account and submit a help desk request to withdraw the other one: https://code4rena.com/help", "A bot crew role means the individual is in a bot team or has their own bot.", "Bot races are held for the first hour of an audit.", "Information about bot races can be found at https://code4rena.com/register/bot", "Users can resubmit an analysis from the team's account if it was accidentally submitted from a personal account.", "Users can submit a help desk request to withdraw a wrongly submitted analysis at https://code4rena.com/help", "Help desk requests can be submitted for unresolved issues.", "There are guidelines on how to group different reasons why a function won't work in a report.", "Questions about issue types relating to the platform can be asked.", "There was a typing error in the total amounts for a new GMX contest, which was later corrected.", "Reports from a contest are published and can be read by the participants.", "The amounts for a contest include a judging pot.", "The bugs during a contest will be judged by a c4 judge and the rules will be judged by Certora.", "There is a participation reward for a formal verification contest.", "Issues with the Analysis Report preview to display the embedded images were reported.", "Emails from Provenance are related to the platform activities and are valid, as confirmed at https://discord.com/channels/810916927919620096/810931711609143326/1135988921906495620", "Findings during a contest remain private until the report is published.", "Backstage wardens are added after an audit closes if it is an open audit.", "It's possible to change the registered wallet (login address) on the platform.", "Payment addresses can be updated in the Manage Account section.", "C4 delegates KYC to Provenance for becoming a 
Certified warden.", "Users can update their payment address in Manage Account.", "The findings repository remains private until the report is published.", "The documentation that refers to email communications from Provenance should have been updated across all instances, but some users identified inconsistencies in the Certified Warden application and response email.", "To become a Certified Warden, applicants must go through a KYC process delegated to Provenance.", "The severity of trapped or inaccessible funds is evaluated based on the impact", "if it affects an end-user in a rare situation it's a medium severity issue but if it locks all the protocol assets it's a high severity.", "Automated findings for a contest can be found in the pinned messages of the contest's channel.", "Change requests for profile avatars can be made through a help request.", "The estimated number of judges at C4 is around 10, with around 5 lookouts.", "Users are allowed to update the format of their findings.", "The initial email from Provenance in the Certified Warden verification process doesn't have a specified timeframe for delivery. However, the process after working with Provenance takes around 1-2 business days.", "Issues encountered while submitting can be addressed by submitting a help ticket at https://code4rena.com/help", "The submission of analysis along with findings is not mandatory.", "Certified Wardens need to have a backstage role to access reports like the Chainlink Staking v0.1 on C4. 
This is detailed in the link: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "Reports are published only on the C4 site; having access to the GitHub repository is an additional feature obtained through the backstage role.", "Reports are published on the Code4rena site.", "To read reports on Code4rena, access to the GitHub repo is required, which can be achieved via having a backstage role.", "Linking to other contests in a report to demonstrate findings is acceptable, but citing examples from Code4rena is more convincing due to a more rigorous judging and QA process.", "User profile changes, like a Github username update, in the Code4rena profile necessitates a manual update to backstage access by Code4rena Github admin", "for which, help can be requested at https://code4rena.com/help.", "For a user to directly call internal functions in the context of foundry, a child contract needs to be written and used like wrappers.", "The markdown code to include GitHub code in report can be found at https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.", "A user's submitted bug report that has been rejected can be found in Github's closed issues.", "A submission is considered a duplicate not necessarily because it was not the first, but because another similar report was chosen to be published in the report.", "The decimals() function, while not being a part of the ERC-20 standard, is typically implemented in practice as per https://eips.ethereum.org/EIPS/eip-20.", "Only one report of gas optimization can be submitted per contest, but more findings can be added to the report by going to the contest page and clicking the 'Your Findings' button.", "It is unclear if more than one high/medium bug report can be submitted per contest.", "The decimals() function is technically valid in ERC-20 standard but it's optional, and other contracts must not expect these values to be 
present, according to the EIP-20 documentation at https://eips.ethereum.org/EIPS/eip-20.", "Users can find direct links to rejected (and accepted) issues in multiple .json files located in the /data/ directory of the published repo.", "There are restrictions on submitting more than one report of gas optimization in a contest; users should compile all findings into one report.", "Users can add more findings to their gas report by navigating to the contest page and clicking the 'Your Findings' button.", "The same rule applies for high/medium bug reports, more details can be found at https://docs.code4rena.com/roles/wardens/submission-policy.", "The escalation of issues in the automated findings report is questioned but no clear answer is provided.", "If a user's wallet is hacked and they change their payment address, they can create a help desk request if they logged in via the same wallet.", "QA reports that include QA bot findings from bot races but develop their explanation more and are more detailed are not eligible for QA report rewards.", "Users can send an analysis report about the system even if they have no significant findings or findings at all, to provide advice on things to take into account in the future of the project.", "The findings report page does not support HTML tags, users are advised to use Markdown instead.", "If the bot race reports a problem but does not report all the actual parts of the codebase where that problem is present, adding them is eligible.", "There is currently no penalty for incorrect medium/high submissions.", "If a submission is downgraded from medium to QA, it will be rewarded unless it's downgraded to grade-c.", "Discussing potential findings with a sponsor over discord or other private messages does not invalidate the finding.", "Currently, the platform does not support editing analyses but it's being worked on.", "Users cannot currently send in updates to their analyses, as highlighted in the Guidelines and FAQ at 
https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Discussing potential findings with a sponsor over Discord or other private messages does not invalidate the finding.", "The submission UI on the site does not currently support upgrading an analysis report.", "Editing analyses is currently not supported on the site, but there is work in progress to enable it.", "There was a user who experienced problems while trying to submit their report update.", "A link to the guidelines and FAQ is provided to users for reference: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118", "Users can change their C4 profile photo by creating a help desk request: https://code4rena.com/help", "A user asked about the difference between flash minting and flash loans.", "A user explained that flash loans are when you buy an asset at one price in one market and sell it higher in another market in a single transaction.", "A user asked whether findings submitted before the deadline are publicly available and if they can check their submission without modifying it.", "To apply for backstage access, one must become a certified contributor as detailed here: https://docs.code4rena.com/roles/certified-contributors", "Not participating in certified events does not affect a user's role, only signing up but not showing up does.", "There is typically one lookout per contest.", "A user submitted a report and experienced a rendering issue with inline math in the preview.", "A question was raised regarding the new functionality of Warden profiles and how private invites work.", "A user asked how to obtain a backstage role and was directed to this link: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "A user asked whether they can sign up as a certified contributor with multiple accounts, as long as they only participate with one.", "Once a contest has ended, users cannot fix typos in their 
submissions.", "The process to get a backstage role can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "Participants can sign up as certified contributors with multiple accounts, as long as they only participate with one account.", "Once a contest has ended, submissions for it cannot be amended.", "An analysis of the new try-catch functionality in solidity 0.6 can be found at https://forum.openzeppelin.com/t/a-brief-analysis-of-the-new-try-catch-functionality-in-solidity-0-6/2564", "The next Chainlink contest will be open to all participants, but they will need to become certified, which includes successful completion of KYC, to receive awards.", "For news on contests for non-KYC participants, one should monitor the #\u270brsvp channel.", "Participants can view and participate in contests listed in the #\u270brsvp channel, which can be accessed via the provided discord link.", "The scheduling of contests by CodeArena is based on the timing and needs of the customer.", "A question about a past project, Ajna finding, which is classified as solo high risk can be found at https://github.com/code-423n4/2023-05-ajna-findings/issues/329", "In the Chainlink contest, participants can participate and verify their identity after the contest ends to receive the payout.", "To view reports of past contests, one needs the backstage role. 
More information about it can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "If a participant changes their discord username, they may need to update it in the CodeArena.", "Participants of the chainlink contest can verify their identity after the contest ends to receive the payout.", "Reports for the chainlink's past contest can be viewed by those with the backstage role, more information about it can be found here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "Having an updated discord username tied to a CodeArena account helps ensure participants can be tagged in for any award announcements, but it does not affect receiving awards.", "Fixes to username changes on CodeArena can be reported via https://code4rena.com/help", "Issues can be submitted in a specific format using a tool available at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers", "Know Your Customer (KYC) requests through Provenance may take more than a week to get a response.", "Teams that are completely certified and meet the qualifications of an audit can participate in #\ud83d\udd96rsvp-certified.", "High-ranked teams are eligible to compete in invitation audits that prioritize highest ranked wardens.", "Participants need to be certified if they want to participate in an audit that requires KYC.", "High-ranked teams are eligible to participate in competition.", "If one wishes to participate in an audit, KYC certification may be required. 
This information will be specified in the applicable channels.", "Participants can signal their team's involvement by responding in created threads or the RSVP.", "Participants can apply for KYC certification.", "Two different exploits from the same root cause are considered as duplicates.", "Change of Github user requests can be made and are processed by the team.", "There is an interest in understanding the grading system used in QA reports.", "For backstage+ access, a high finding or 3 med findings are needed. However, the findings should be public for the role to be received.", "Participants can ask for support from the C4 website.", "The requirement for backstage+ could also be met by participating in a minimum of 3 contests.", "Payouts are made on Polygon and in USDC.", "If a participant submitted issues for a contest but did not make the award list, it is likely that their issues were rejected. Confirmation can be done by reviewing the available report.", "There was an error in the prize amount for the Dopex contest on the website. This error was corrected.", "The SLOCs for Dopex were reported incorrectly, including spaces etc. The correct SLOCs are 2200.", "The rank A in a report indicates good performance. Documentation of the grading system can be reviewed at https://docs.code4rena.com/awarding/incentive-model-and-awards.", "There may have been discrepancies in the reported source lines of code for dopex, as the original count might have included spaces.", "Queries related to profile help should be directed to the #profile-help channel.", "An 'A' grade report is considered good and further information on the ranking system can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards.", "If a team meets certain requirements based on audits with published results, they can submit a helpdesk request.", "Being certified does not automatically grant access to the previously participated contest in progress judging repository. 
Backstage access is needed for that.", "A helpdesk request can be raised for backstage access once all criteria are met.", "Notification will be provided once a request for backstage access has been reviewed.", "Information on how to request backstage access can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens#to-request-+backstage-access.", "Within an active context, when a second issue is submitted, it is possible to reference the first one submitted.", "After the first issue is submitted, it needs to be edited to see an ID at the end of the URL, which is the same as the GitHub issue ID.", "To reference the first issue, on the second one, write # followed by the previous issue ID.", "A solo finding in a contest means that only one warden found the issue.", "The list of a participant's reported findings that were rewarded can be viewed at https://discord.com/channels/810916927919620096/1095308824354758696/1130212982094299246.", "If a contract is in the scope of the audit but it inherits another contract, both contracts should be audited.", "Arcade rewards and pool together rewards will be given in the next week.", "Certified Warden comes with some privileges, although the specifics have not been detailed.", "There is a process for checking reported findings via a link on the Discord channel.", "Reports are submitted by teams in CodeArena.", "If a contract is within the scope of an audit, it is subject to audit even if it inherits from another contract.", "Rewards for certain activities, such as the \"arcade reward\" and \"pool together reward,\" are expected to be distributed the following week.", "Certified Wardens can receive benefits, including backstage access and payments from KYC-required sponsors like Chainlink.", "Being certified does not prohibit one from being employed elsewhere; it is possible to participate in CodeArena as a side project.", "It is possible to participate and receive payouts without being certified, 
but some activities require certification or KYC (Know Your Customer) verification.", "Being certified does not require full-time commitment; it indicates that a participant's identity has been verified.", "Participants are expected to conduct all CodeArena-related activities in a timely and professional manner.", "Adding new team members to an existing team is possible.", "The link to understand how the Analysis report works and what needs to be filled is https://docs.code4rena.com/awarding/judging-criteria#analysis.", "If a contest's bot report ranks an issue as low but a participant escalates it to high, the issue is not automatically invalid. However, submissions based on automated tools must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory. The policy is explained at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Information on how the Analysis report works and what needs to be filled in it can be found at https://docs.code4rena.com/awarding/judging-criteria#analysis.", "If a low severity finding in a contest's bot report is escalated to a high severity, it is not automatically invalid. The criteria for judging such cases is explained at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "The decision on how to reward severity escalations in a contest report is up to the judge.", "If a team is having trouble adding new members, they should submit a help desk request.", "Private audit contests are not strictly open to only top-ranking wardens. 
The eligibility criteria for each opportunity is listed in #\ud83d\udd96rsvp-certified.", "If an issue is labeled as \"sponsor-disputed\" but there is no explanation provided, users can check for duplicates and ask the judge after judging.", "An example of a disputed issue can be found at https://github.com/code-423n4/2023-06-lybra-findings/issues/549.", "Once the contest payouts have been sent, the outcome cannot be changed. However, any overlooked issues can be flagged to the judge and sponsor.", "Disagreements with a judge's decision can be discussed according to the policy at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision.", "To add new members to a team, some issues might be resolved by trying again on a different day.", "The KYC process for users may involve rejections, and the reasons for rejection are not always communicated.", "Not everyone desires to go through the KYC process to become a backstage warden.", "There is an appeal process in place for valid findings that have been classified as invalid. 
This appeal process is further detailed in a section of their documentation at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision.", "Some users face issues with adding members to their teams.", "There are certain restrictions in place for the KYC process, primarily OFAC sanctions and background checks.", "If a KYC application is rejected, it's suggested to directly work again with the originator of the application.", "An individual's C4 profile findings can be updated for visibility even if the finding was deemed invalid.", "The process for becoming certified requires the fulfillment of some prerequisites, detailed at https://docs.code4rena.com/roles/certified-contributors.", "The Arbitrum Security Council Election System results are still in the post-judging QA phase, and will be published on the website once ready.", "Ability to edit a user profile on Code4Arena requires certification.", "The judges are expected to provide reasons for classifying an issue as invalid or disputed.", "In-depth discussions on specific issues can be found on the GitHub page of CodeArena, such as https://github.com/code-423n4/2023-06-lybra-findings/issues/364#issuecomment-1689165295.", "It is suggested that auditors can create coded Proof-of-Concepts (POCs) to further explain their reported issues, but it will not have an effect on awards or the contest per C4 guidelines.", "There is a concern about judges labeling issues as invalid without providing an explanation.", "There's a request for tools that can read on-chain storage slot value including private states.", "A link was provided for a reported issue for review and possible creation of a coded POC: https://github.com/code-423n4/2023-06-lybra-findings/issues/364#issuecomment-1689165295", "There is a process for querying an issue marked as invalid by monitoring the backstage channel for the post-judging stage of the concerned contest.", "EVM.storage and Metadock chrome extension from 
BlockSec are suggested tools that can read on-chain storage slot value even private state.", "There's a query about the time it takes for a Github organization invite to be sent to a certified warden.", "If a submitted high-risk finding is judged as low risk, the submitter will still be rewarded and vice versa.", "Help desk requests are usually reviewed within 1-2 business days.", "A question was asked about how to test block re-orgs and its effect on block confirmation time in Chainlink VRF v2 requestRandomness.", "A link to the Analysis Guidelines and FAQ was provided: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118", "An issue was reported about not being able to edit an analysis after submissions.", "To edit findings or analysis reports, one needs to go to the audit page and click the \"Your Findings\" button.", "Users with certification can edit their profile.", "To test block re-orgs effects on the block confirmation time in the Chainlink VRF v2 requestRandomness, users need specific knowledge.", "Analysis can be edited after submission as stated on this post https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "To edit Analysis report or findings, users need to go to the audit page and click the 'Your Findings' button.", "Participation in Bot Race is described in more detail on this page https://code4rena.com/register/bot.", "Bot Race registration is not always open and there are qualifiers every few weeks.", "Information about future qualifiers is available on the #\u270brsvp channel. The link to the channel was provided: https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784.", "Users are concerned about system isolation when reviewing downloaded packages from a sponsor. 
VirtualBox was suggested as a possible solution.", "If a user is certified and has applied for KYC, they will receive an invitation link via email from Provenance.", "Users are seeking clarification on what is considered a valid issue regarding assumptions made in the code that are not explicitly mentioned in the README/code comments.", "Users are auditing the Dopex project which involves buying and selling options, specifically put options.", "Users can learn about put options from this Twitter post: https://twitter.com/DegenShaker/status/1693630283499651386.", "Users may not submit different issues with different impacts or different attack scenarios if they all originate from the same root cause.", "Users can participate as a team in auditing contests. A single wallet is used during registration for a contest.", "Money distribution in team participation can be managed using multisig or PaymentSplitter feature from OpenZeppelin contracts: https://docs.openzeppelin.com/contracts/4.x/api/finance#PaymentSplitter.", "Bot registration opening will be announced on the #\u270brsvp channel.", "Teams can participate in auditing contests.", "Auditing contests require a single wallet for registration.", "Distribution of prize money amongst team members can be managed through multisig wallets or using a contract like OpenZeppelin's PaymentSplitter: https://docs.openzeppelin.com/contracts/4.x/api/finance#PaymentSplitter", "Bot registrations for contests will be announced in the #\u270brsvp channel.", "Bots not registered in the chainlink protocol cannot be used for certain contests.", "Contest participants need to make a strong case to escalate a known low from the automated findings to a high.", "The KYC process is needed to become a certified warden.", "Analysis reports can be revised and resubmitted.", "Sending or transferring coins from a wallet requires Matic to pay the fee. 
Wallet users can swap Matic without a gas fee at this link: https://wallet.polygon.technology/polygon/gas-swap", "Issues with VSCode and solidity annotation syntax highlight were discussed.", "Findings in the QA report can be downgraded from H/M to L/QA and these are added to the warden's QA report.", "The verification process to become a certified warden may require a passport.", "Reward distribution for contests does not occur immediately upon reward announcement. The precise time range for reward distribution was not specified.", "An audit on Basin was cancelled without any notice, leaving some users in the dark about the situation.", "Becoming a certified warden, a part of the verification process, might need a passport or a certified copy of an individual's identity.", "Certification process details can be found at https://docs.code4rena.com/roles/certified-contributors.", "To gain backstage access one may need to qualify and then request backstage access via a help desk request. More details about backstage access can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens and the help desk request page is https://code4rena.com/help.", "To participate in Chainlink contests and be eligible for rewards, one must go through a KYC process before submitting.", "Users can submit report without being certified, however certification is needed to receive rewards.", "There are questions about how to embed code on reports.", "Pancakeswap V2 and Uniswap V2 have different formulas for protocol fees, with PancakeSwap V2 utilizing 8/25 of the growth in the square root of K as its protocol fee, while Uniswap V2 employs a 5 basis point (0.05%) protocol fee. 
The code for PancakeSwap V2 can be found at https://bscscan.com/address/0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73#code.", "There are concerns about the lack of feedback on bug submissions.", "Participation in some contests can be done without being certified, but some contests require certification for payouts if any submissions are awarded."]
\ No newline at end of file
diff --git a/codeArena/codearena/codearena-qs_09_23.json b/codeArena/codearena/codearena-qs_09_23.json
new file mode 100644
index 0000000..716a015
--- /dev/null
+++ b/codeArena/codearena/codearena-qs_09_23.json
@@ -0,0 +1 @@
+["Where's the name come from?\nA: It's a play on numbers and words.", "Is this more of a bug-bounty but time-limited and with a guaranteed pot that pays out?\nA: Yes, it is an interesting variation of a bug-bounty, where it is time-limited and there is a guaranteed pot that pays out.", "What about creating a page for the contest and listing / linking to wardens / judges / sponsors? Maybe we should have a little github form for people to fill out when joining as warden, get links to their socials/bio/avi etc?\nA: These are all good ideas.", "Should we start a channel specific to the website, for sharing thoughts and ideas?\nA: We can add a channel here, but also, feel free to submit PRs with any ideas to the Github.", "When will we have access to the codebase?\nA: Access to the codebase will be available from February 17 @ 1400 UTC (9AM EST).", "Are the smart contracts from the 'real world' (i.e. will they be used in practice) or are they only made for the purpose of the competition?\nA: Yes, they are real smart contracts that will be deployed after being audited.", "When will we have access to the codebase? \nA: February 17 @ 1400 UTC (9AM EST)", "Are those smart contracts from the 'real world' (i.e. will be used in practice) or only made for the purpose of this competition? \nA: They are real smart contracts that will be deployed after being audited.", "So theoretically there should be no issues hidden by the team on purpose?\nA: No, there shouldn't be.", "How to disclose issues?\nA: You can read More at https://medium.com/@scott_lew_is/slingshot-finance-sponsors-20-000-usdc-guaranteed-distribution-bounty-pool-for-code-432n4s-first-789514a8dc99 or https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md", "Is the inability to deliver a message to submissions@code432n4.com because the domain code432n4.com couldn't be found a bug?
\nA: Reports should be submitted at the end of the contest period.", "What happens then if 2 participants submit the same bug at the end of the contest? \nA: Judging criterion for duplicate submissions can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions.", "What happens if 2 participants submit the same bug at the end of the contest?\nA: https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions", "Are there any well recommended resources on Solidity? Background is in vulnerability analysis but have not touched smart contracts etc so would probably need to do some deep diving before I can be of use. \nA: https://solidity-by-example.org/0.6\nhttps://docs.soliditylang.org/en/v0.7.5/", "How are you guys choosing \"judges\" and how do they show what their decision on a bounty is? \nA: Judges are chosen based on experience and reputation. They think the chosen ones will do a good job. The results are published after the contest concludes. Because all of the pool is paid out, regardless of how many bugs are found, there is not an incentive for the judge to \"downgrade\" bugs or deny people bounty shares they have earned.\nhttps://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md", "Is there a \"Getting Started\" or something similar that shows how we run the slingshot code as it executes in the overall system? \nA: https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#how-it-works", "Do we need to slingshot backend running locally, and that\u2019s it? 
\nA: The contracts can be compiled and function independently of the back end.", "Do we need to have slingshot backend running locally for the contracts to work?\nA: The contracts can be compiled and function independently of the backend.", "Would it be helpful to make a Loom video on how to get the environment setup?\nA: Yes, that would be great!", "Can we get a countdown timer so we do not miss the submission deadline?\nA: Yes, we are considering implementing something like that.", "What is the stop time for the contest?\nA: The stop time is Feb 21, 2359 UTC.", "What do you think about requesting links and preferred avatars from competing wardens and adding them to the home page along with the countdown?\nA: That might not be extremely efficient as updating the website for each new contest could be time-consuming. However, creating a leaderboard after the results of the contest would be beneficial. It could serve as an online curriculum for the contestants. Until a system is created to track leaderboard, it can be done manually.", "Are we sure that all participants reviewing are in the warden section?\nA: There might be participants who haven't publicly announced their participation.", "Will everyones submissions be made available after the contest ends?\nA: Yes, submissions will be made available after the contest ends and possible exploits have been patched.", "Might not be extremely efficient as you will have to update the website for each and every new contest. That being said a leaderboard of the best contestants after the results of the contest would be tight. It would serve the contestants as well, being an online curriculum. Are we sure that all participants reviewing are in the warden section? Per the rules you can review and send it on the last day and still be rewarded if you find a good exploit. Some people might not have expressed publicly their participation. 
That\u2019s the only possible issue I see.\nA: I don\u2019t mind doing that manually until we build something that tracks a leaderboard for us.", "Will everyones submissions be made available after the contest ends? I'd be cool to see what others methodology was.\nA: Once the possible exploits have been patched. Yes I assume.", "Should we stay focused on the smart contracts, or is going after the UI and back-end trade-route discovery service also in scope?\nA: Yeah, just smart contracts, but open to any suggestions if you find something else that may be relevant.", "The Submission Policy says we can't submit more than 3 hours prior to the contest stop time. But I didn't see anything saying the latest time we can send our submissions. Can we get some guidance on that? I'm just a little worried that I'll be asleep during the \"submissions allowed\" window because my sleep schedule is just wrecked these days.\nA: Oh yeah, of course.", "Okay, so there is a 3 hour window in which we can submit our findings?\nA: Yes, but again, open to suggestions if you have an idea for a better model.", "Suggestion: I'd like to be able to submit any time prior to the contest end time. That way I know I'll be able to submit. To prevent multiple entries from the same person/team, you could have a policy of accepting only the first (or maybe last?) entry that a person/team sent.\nA: Yeah, that makes sense. Ok.", "For submissions, if we have code that runs poc for each bug, how should we submit it? I'm thinking just adding a zip file to the submission is probably easiest but I could also share my private github repo with someone.\nA: How large is the poc?", "Each one is 50 or so lines but I have a whole hardhat project so that they can be run.\nA: Gotcha.", "For submissions, if we have code that runs poc for each bug, how should we submit it?\nA: You can add a zip file to the submission or share a private GitHub repo. 
The exact submission size depends on the size of the poc.", "Will you add their GitHub usernames as well?\nA: Yes.", "When reviewing the contracts, should we consider the potential impact of misbehavior of owner?\nA: The project should add a trust model description for involved roles to clarify this. You could consider potential malicious behavior of the owner or social engineering attacks, but some people consider a malicious or compromised owner out-of-scope for this game.", "Is there an updated email we should be sending our submissions to?\nA: The correct email for submissions is submissions@code423n4.com.", "Is there an updated email we should be sending our submissions to? I got failed to send to submission@code423n4.com\nA: It's submissionS@code423n4.com which worked for me. But I misspelled the domain name at first. Could be that you're on an old repo version as well where the email is wrong. it's been fixed on main.", "A question about the trust model for ElasticDAO again. I guess we assume the controller (this is the multi-sig account you speak of?) behaves honestly? What about the summoners? Are they trusted as well as hand-picked genesis custodians? Or do we treat them as potentially malicious?\nA: The controller / minter / burner can be trusted. It is a multisig that enacts the snapshot votes on chain. Also, it's a stop gap due to gas costs on layer 1 and replacing that with snapshot voting at the moment to offset the gas costs.", "Hi, how can I contribute to this project? Im a longtime dev/architect in c#/pyhton/js, and now am learning solidity.\nA: This is mostly targeted at auditors, so one way is to become one. That isn't easy, and many ways to get there. 
My way often is through reverse engineering, in this case reading old audit reports (ours are available here https://chainsecurity.com/audits/, and there are more from other auditors who publish their reports available), and making sure I understand each issue raised (which often, especially initially, requires quite some deep background research). You can also hop in code contest as a warden.", "What's the lead time currently if we were looking to sponsor a contest?\nA: Hard to say, but it\u2019s not long. We\u2019re amidst discussing a handful of contests and working on scaling our processes.", "Where can I find the source code for maple finance?\nA: (No answer provided)", "Just a quick note about the maple-core repo if anyone is running HEVM tests - we have our test script set to use 100 fuzz runs currently. However if you are running the tests for the first time this will take hours since the dapp-cache is not populated. We recommend updating the test.sh file to use 1 fuzz run, and then using 10-100 fuzz runs to run the tests locally after running through that first time. \nA: (No answer provided)", "What's the lead time currently if we were looking to sponsor a contest?\nA: Hard to say, but it\u2019s not long. We\u2019re amidst discussing a handful of contests and working on scaling our processes.", "Where can I find the source code for maple finance?\nA: No direct answer provided.", "If anyone is running HEVM tests - we have our test script set to use 100 fuzz runs currently. However if you are running the tests for the first time this will take hours since the dapp-cache is not populated. We recommend updating the test.sh file to use 1 fuzz run, and then using 10-100 fuzz runs to run the tests locally after running through that first time, is this okay?\nA: No direct answer provided.", "Where can we find the results of the previous competitions?\nA: Findings or awards?", "Both actually, where can we find the results and awards of previous competitions? 
Is there a blog or website for review?\nA: All the findings will be public and each contest will have a report generated for it. Right now the only one that's public is the ElasticDAO report, which is here: https://ipfs.io/ipfs/QmU7JQUCuciGJ9EVApWnPvBCy32eYQnREDFGsxoyDR6w3j. Cumulative results from the first two contests can be found on the leaderboard on the website https://code423n4.com/leaderboard/.", "Will you be announcing in this channel when the results of a project become public? How will we know when the results are released?\nA: Yes, we'll post results and public findings in #announcements.", "Where can I find the current contest repo?\nA: Make sure to register by joining the #\ud83d\udc3ai-want-to-be-a-warden and saying you're in. Then you'll get an invite to the warden channel.", "How do I register my team as a team?\nA: You can create a team handle by adding it like pocotiempo's here: https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json.", "How do I register to be a warden?\nA: Register by joining the #\ud83d\udc3ai-want-to-be-a-warden and saying you're in. Then you'll get an invite to the warden channel.", "How do I register my team as a team?\nA: Create a team handle by adding it to the directory. You can view an example at this link: https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json", "What's the process after my team is created?\nA: Drop a Pull Request (PR) and your team will be added in the next round. Use your team handle when submitting issues. You can add other members' handles as well.", "Is MPL listed in BSC? 
Is this your contract add: 0xe17b001ce782ad7ba40acbf27feb9ad1eea2f09e?\nA: Blank", "For the maple-core repository, the submodules don't update via public git, I get a 'Permission denied (publickey)'?\nA: Blank", "For Maple submissions, are we supposed to use https://c4-maple.netlify.app/ (not email) correct?\nA: Correct.", "For adding handles to the code423n4.com repository, can we use a GitHub handle? Or a Gab handle?\nA: You can use any handle you'd like. It's solely your warden handle for use on code423n4.com/leaderboard and for handling award processing.", "I submitted my team request, I'm assuming that's all I need to do to add the team?\nA: Blank", "For adding handles to the code423n4.com repository, can we use a github handle? Or a Gab handle?\nA: You can use any handle you'd like. It's solely your warden handle for use on code423n4.com/leaderboard and handling award processing.", "I submitted my team request, I'm assuming that's all I need to do to add the team? https://github.com/code-423n4/code423n4.com/pull/28\nA: Yes, it looks good.", "Just wanted to confirm, is this the repo https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol we have look for vader protocol?\nA: Yes. https://github.com/code-423n4/2021-04-vader", "Has anyone else registered for Vader protocol bounty?\nA: We have a good number of wardens competing for it.", "Any updates yet on the past projects results?\nA: Should be up soon. We are working on them as we speak.", "Any estimate on how soon the past projects results will be available?\nA: Apologies, I'll let you know when I have an estimate, but I don't have that right now.", "When will the Marginswap awards and results be announced?\nA: We should be sending Marginswap awards and announcing results tomorrow. Maple is just getting started with sponsor review today, then on to judging.", "Are there any questions around the Vader protocol and updates?\nA: Please dm if you have any questions around the protocol. 
Latest updates have been posted here with mathematical formulas of synths https://github.com/code-423n4/2021-04-vader", "Any estimate on how soon the updates will be available?\nA: No specific estimate time is available right now.", "When will the Marginswap awards be sent and results announced?\nA: The Marginswap awards will be sent and results announced tomorrow.", "Where to find updates on the Vader protocol?\nA: The latest updates on Vader protocol have been posted on Github with mathematical formulas of synths: https://github.com/code-423n4/2021-04-vader", "Is the older, incorrect, copy of Vether.sol was put into the repo?\nA: Yes, an older, incorrect, copy of Vether.sol was put into the repo. The correct code deployed on Mainent is available here: https://etherscan.io/address/0x4Ba6dDd7b89ed838FEd25d208D4f644106E34279#code. The incorrect, and not applicable, testing contract that was uploaded is here: https://github.com/code-423n4/2021-04-vader/blob/main/vader-protocol/contracts/Vether.sol", "Can someone from the organization confirm the above information about Vader-Review?\nA: Yes, the information about Vader-Review is confirmed by the main vader developer.", "Are the other contracts applicable for testing?\nA: Yes, everything in https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol/contracts is applicable for testing.", "For the purposes of the contest, do we evaluate the submitted repo assuming it is complete and that any findings highlighting security impact of missing functionality will be considered?\nA: Yes, the fairness of the contests is essential so the judging process will absolutely keep this in mind. the default will be based on the provided contest code, and the assumption that wardens have not received further updates beyond what was available at contest start in the repo. 
however, if there are additional findings in the mainnet contract, those can qualify as well.", "Is it possible to reason about the correctness of missing logic and how it may interact later with existing logic?\nA: Yes, all input will be considered.", "The link to Github is giving a 404 error. Can this be fixed?\nA: Yes, the link should be public now.", "Is the missing functionality, as outlined in the README, within the scope of the review?\nA: The missing logic, which is outlined in the README, is outside the scope of the review. An attack path that relies on the missing logic executing correctly as intended would be valid. However, an attack path that expects the liquidation logic to be non-existent, or executing incorrectly, would be invalid.", "Is it not possible to reason about the correctness of missing logic and how it may interact later with existing logic? \nA: All input will be considered.", "Why do I get a 404 from GitHub trying to reach https://github.com/code-423n4/2021-04-redacted? \nA: The link should be public now.", "Can someone explain VETH?\nA: VETH is a fair launch distribution mechanism for VADER, a liquidity protocol that combines slip based fees of rune, IL protection of Bancor, burn to mint stablecoin of Luna, pool collateralized synthetics with 1:1 purchasing power that are interest yielding, and synths that can also be used to borrow directly from the AMM for capital efficiency. Vether attempts to drive value accrual from Vader to Ether via a daily auction process that requires participants to burn their ETH to obtain VETH. More details can be found at https://linktr.ee/VaderProtocol.", "When will new pulls from individuals and teams be updated in handles? \nA: It is on the to-do list, there's just a bit of a backlog of dependencies in front of that action. 
At this time, the handles are only for the leaderboard, which will be updated once several of the process pieces have been reworked.", "For Visor finance, should we review only these contracts, all the others are out of scope?\nA: The only contract listed there that should be reviewed is Visor.sol.", "Can we ask questions about FairSide? \nA: Yes, you can reach out to FairSide with any questions.", "Is there a gas optimization side-pot like we've seen with other contests or how are these scored?\nA: The information was not provided in the chat.", "Which contract should be reviewed?\nA: The contract that should be reviewed is Visor.sol.", "Is there a gas optimization side-pot like we've seen with other contests or how are these scored?\nA: While gas optimizations would be appreciated, there is no dedicated pot to them. For the formula optimizations however, depending on what type of optimizations are found (accuracy, gas costs, Taylor Series for reversing it etc.) they will thoroughly consider it and upon coordination with C4 assign a medium to high \"share\" allocation.", "Where can we find catastrophic bugs and earn big prizes?\nA: It was not specified where the bugs can be found.", "Where are the main contracts in the Vault?\nA: The main contracts in the Vault are introduced in this video: https://youtu.be/D-hSiGeNpuY", "Do you want to execute the deployment script?\nA: It was not clarified whether the user wants to execute the deployment script.", "The video is private. How can I access it?\nA: The video should now be public.", "Want to know about this?\nA:", "Do you mean that you want to execute the deployment script?\nA:", "Video is private, why?\nA: It's public now, thank you!", "So, I decided to explain how the users interact with Yield v2 here, instead of a video which would pose some problems. 
Why is this?\nA:", "Just to be clear: we\u2019ve got ~36 more hours, correct?\nA: Ooooh, I got it wrong, apologies!", "Wardens are advised to consider severity based on the guidelines outlined here: https://code423n4.com/judging-criteria/. Does this make sense?\nA: That's a bit complex for me to calculate for each issue. I think I'll check past reports for examples of comparable issues where the risk rating was agreed between wardens and sponsors.", "Guys, don't bother raising the issue that approvals can be front-run, that's a silly exploit. Why is this?\nA:", "I'm concerned that no one seems to have explored any exploits that involve a batch with several actions, and that no issues at all have been found in the vault caching system in the Ladle. Why is this?\nA:", "Is the handle registration mandatory in order to submit something?\nA: Yes, it is.", "Only found this project an hour ago, so cutting it short. Is this an issue?\nA: You\u2019re fine. We have a grace period on submissions.", "Does the self-assessment of risk make any difference (apart from showing how realistic the person is)?\nA:", "Is the handle registration mandatory in order to submit something?\nA: Yes, handle registration is mandatory for submission.", "Does the self-assessment of risk make any difference (apart from showing how realistic the person is)?\nA: Yes. The best case is made for the severity of the risk, the contest sponsor (project devs) will weigh in, and ultimately a judge will review and make the final determination as to what the severity is. There is a significant difference between award levels for severity. 
It's advised not to rate everything as high risk to be seen as credible.", "Could you check this link https://github.com/code-423n4/code423n4.com/pull/62?\nA: The link is checked and the content is merged.", "Do the contests run every week?\nA: The contests generally run week-long each week, but there can be exceptions due to events like conferences.", "Is there a list of the upcoming audit?\nA: The list of upcoming audit contests is available on the website code423n4.com.", "Should a post be drafted for #\ud83d\udce2announcements or maybe even #\ud83d\udc49start-here, to make it easier for newcomers to know where to find key info to start participating?\nA: No answer provided.", "Is there contact information for the Twitter user @a_delamo (Alex Del Amo)?\nA: No answer provided.", "Does anyone know the Discord handle for Twitter user @a_delamo (Alex Del Amo)?\nA: [No answer provided]", "Is there a list of the upcoming audit?\nA: The upcoming audit contests are listed on the CodeArena website: code423n4.com. Reality Cards is starting soon, and Pool Together will start next week.", "Why don't we draft up a post for #\ud83d\udce2announcements (or maybe even #\ud83d\udc49start-here, since that one is low volume?) that we can pin to the channel to make it easier for newcomers to know where to find key info to start participating?\nA: [No answer provided]", "Is it possible to ask some questions about the RealityCards code? Is Splidge the right contact point?\nA: Yes, you can ask your questions here and Splidge is the correct contact.", "I've got a quick question but your DMs are not available!\nA: The issue has been resolved and DMs are now open.", "Where\u2019s the contest preview channel?\nA: Click on this guy: #\ud83d\udd0dcontest-previews. 
However, you\u2019ll have to register as a warden in #\ud83d\udc3ai-want-to-be-a-warden first to see it.", "I'm new to this, I wanted to clarify where you can find out to read in more detail about exploit Smart contracts and about flash loans?\nA: [No answer provided]", "Where can I find out to read in more detail about exploit Smart contracts and about flash loans?\nA: [No Answer]", "Can you explain InvariantTransactionData.transactionId that is used in prepare? Is it just a counter to identify the specific cross-chain transfer for the user? or does it refer to an actual chain transaction hash?\nA: It's not a counter but a unique identifier for the crosschain transfer to be used. The router uses a subgraph so the \u2018transactionId-user-router\u2019 combo should always be unique.", "The C4 PT repo doesn't have the code. I suppose we just use the two .sol files linked in the README?\nA: Yes, those are the two contracts in scope, and a goal with this approach of providing links to the contracts in the context of the rest of the code was to make it easier to find the tests and see them in context since they are from different repos.", "What happens if multiple people report the same vulnerability?\nA: [No Answer]", "Does the C4 PT repo not have the code? Should we just use the two .sol files linked in the README?\nA: Yes, the two .sol files linked in the README are the contracts in scope. This approach was taken to make it easier to find the tests and see them in context since they are from different repos.", "What happens if multiple people report the same vulnerability?\nA: [No answer provided.]", "Do some wardens act as teams?\nA: [No answer provided.]", "Is there a channel for new wardens to team up and collaborate?\nA: Yes, there is a channel called #\u26bdteam-formation.", "What is the difference between low/med/high risk finds?\nA: An independent judge with deep solidity knowledge makes the final determination of severity. 
More details can be found at this link: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr", "Is it a good idea for beginner solidity devs to participate in the competition?\nA: Absolutely! Participating in this competition will sharpen your solidity skills, be fun, and possibly result in earning some rewards. The community is supportive and will be there throughout the competition.", "How can I start with smart contract bug bounty hunting? Are there any resources for beginners?\nA: [No answer provided.]", "Is it a good idea for beginner solidity devs to participate in this competition?\nA: Yes, beginners are definitely welcome to participate in the competition.", "What is this competition about and how can I learn to participate?\nA: The competition involves auditing smart contracts. Beginners can start learning Solidity through resources such as https://cryptozombies.io/.", "What resources are there for beginners who want to start smart contract bug bounty hunting?\nA: Beginners can start learning Solidity through resources such as https://cryptozombies.io/. Also, doing some Capture the Flag (CTF) can be very useful. An example of this is https://capturetheether.com/.", "How much time does it take to learn the basics and start finding bugs in smart contracts?\nA: It's hard to give a specific time frame as it greatly depends on prior experience in development, security and Solidity. Everyone learns at their own pace.", "Are FloatCapital_v0.sol, Treasury_v0.sol and oracles/ in scope for bounties?\nA: No, these are not in the scope of the audit.", "What does target side and origin side mean? Is it related to shifting between long and short positions?\nA: Yes, it relates to shifting between long and short positions within a market. Origin side is the initial side of the market (e.g., long) and target side is the desired move to side (e.g., short).", "Are FloatCapital_v0.sol, Treasury_v0.sol and orcales/ not in scope for bounties? 
\nA: Correct, they are not in the scope of the audit.", "What does target side and origin side mean? Is it related to shifting between long and short positions?\nA: Correct, it relates to shifting between long and short positions within a market. Origin side being the initial side of the market (eg long) and target side being the desired move to side (eg short).", "How to start in block chain bug bounty hunting or smart contract bug bounty hunting? What programming language, resources, skills are needed and how much time it might take to learn and start hunting? \nA: It's a relatively new & niche area. The first thing needed is understanding the code base and how the system works. Diving into learning Solidity is recommended.", "Is there a list of bugs that have been found so far? \nA: The nature of our competitions is that the findings are kept under wraps until the contest is over and the judging process has been completed. Duplicate submissions are not really a problem; while it does mean the award would be shared between the people who submitted it, it's not a \"first past the post\" system where we give preference to the first person who reports it. The incentive structure explanation can be found here: [https://docs.code4rena.com/](https://docs.code4rena.com/)", "Are there still bugs that have not been picked up by any wardens yet, even after an internal audit?\nA: Yes, there are at least 2 big bugs that have not been picked up by any wardens yet. These will be shared after the competition closes.", "What's the remaining time for the audit contest?\nA: There are ~16hrs remaining in the audit contest.", "Is there any good person at PGP/GPG stuff here?\nA: [No answer provided]", "Have there been any changes to the Discord server?\nA: Yes, some tweaks have been made to the Discord server. Each contest will now have its own channel for questions, code walkthroughs, etc. 
For instance, this week's RealityCards contest discussion is in #deleted-channel, and next week's will be in #deleted-channel.", "Is CodeArena a bug bounty platform similar to how HackerOne works where prize pools are defined upfront and projects pay an upfront fee to the platform, then define a prize purse for bugs and their categories? \nA: Not exactly. CodeArena has a comparison article about \"bug bounties vs C4 audit contests\" that helps clarify their function. The article can be found here: https://docs.code4rena.com/", "In the gro protocol report, should it underflow to uint256_MAX and not uint256_MAX - 1?\nA: [No answer provided]", "Is this reentrant? https://etherscan.io/address/0xc49a9ab342b6ea66792d4110e9ca0ab36e3a5674#code\nA: [No answer provided]", "Has the gravity bridge payout happened? When does judging end for that competition?\nA: The gravity bridge payout has not happened yet. The judging for that competition is expected to end in about two weeks.", "I wanted to make a submission on one of the programs but my handle is not added yet. I have raised a new pull request in Github but it is pending review. Can you help?\nA: The pull request has been merged and you have been welcomed to the platform.", "I have a question regarding code provided by Wild Credit. Who should I contact?\nA: You should head over to #deleted-channel and tag @0xdev0. Alternatively, you can DM them.", "I am unable to compile Wild Credit's contracts and it seems like a stack too deep issue that I need to check with them. Who should I contact?\nA: You should head over to #deleted-channel and tag @0xdev0. Alternatively, you can DM them.", "I wanted to make a submission on one of the program but my handle is not added yet. I have raised a new pull request in Github but it is pending review. Can you please help?\nA: Got it merged! Welcome!", "I had a question regarding code provided by Wild Credit. Whom should I contact?\nA: Just head over to #deleted-channel and tag @0xdev0. 
Or you can DM them.", "This channel is not visible to me, what can I do?\nA: Try now, the issue should be fixed.", "Could you approve https://github.com/code-423n4/code423n4.com/pull/299 and https://github.com/code-423n4/code423n4.com/pull/295? You already approved https://github.com/code-423n4/code423n4.com/pull/297.\nA: Your individual warden registrations are complete, so you should be good to go as far as accessing the repo, etc. I'm just double-checking something about team registrations and will get back to you ASAP on that part.", "I\u2019ve noticed that in some contest repos there is limited documentation, no test cases, and no deployment scripts. Given the repo contains many interrelated/dependent contracts I\u2019m finding it time-consuming to get the environment set up correctly. Can experienced folks just look at 10 complicated contracts and see how to deploy them easily? Should I only be deploying a single contract at a time? Given all that is it reasonable to ask the sponsor for deployment scripts/test cases?\nA: When I want to run code to confirm something I write a test for it in their test environment. (I just add a new test case at the end and use their existing test setup that already deployed the contracts.) I agree test environments are helpful but I never look for any deployment scripts.", "What if there is no test environment? How can I test the code in that case?\nA: If there is no test setup in the C4 repo, I check if there is a repo on the sponsor's github that maybe has a test setup. If not, I do what you said, just pull out the code or sometimes even rewrite some parts of the contract such that I can easily test the snippet that I wanted to test.", "Any outlook on when the Yaxis audit report will be on the website?\nA: [No answer provided.]", "What do you do if there is no test environment in the repository? 
\nA: You can set up fixtures for certain contract deployments and test them in isolation or test them as an entire unit using eth-brownie.", "Any outlook on when the Yaxis audit report will be on the website? \nA: It's probably going to take a little longer than usual due to a high participation rate. It's likely going to be at least a couple of weeks before it's ready to be awarded.", "How do I get tokens onto rinkeby testnet, in order to use swivel? Is there a faucet or something like that? \nA: Yes, you can use the Rinkeby faucet: https://faucet.rinkeby.io.", "When will the liquidity incentive program go live? \nA: [No answer provided]", "How can I withdraw a contest report? \nA: Yes, the process is the same as described in the docs. But, you can also reach out to @Jay | C4 for assistance.", "Is there an example document for submitting bug findings?\nA: You can look at past submissions on https://code423n4.com/reports. Each of the findings links to a GitHub issue. You can also check out the issues in any repo ending with -findings on the C4 GitHub https://github.com/code-423n4.", "After I submit a finding, do I need to do anything else or just wait until the contest ends and come back and check the results on the website? \nA: After submitting a finding, all you need to do is wait. An announcement will be made on Discord when the contest awarding has been finalized, usually a couple of weeks after the contest ends.", "How many more completions are expected in the next month? Right now there are only two. \nA: [No answer provided]", "After I submit a finding do I need to do anything else - or just wait until the contest ends and come back and check the results on the website?\nA: That's all you need to do. We'll make an announcement when the contest awarding has been finalized, which usually takes a couple of weeks after the contest closes.", "How many more completions are expected in the next month? 
Right now there are only 2.\nA: There are conversations ongoing on a lot of them.", "How do I alter the severity of my reported bugs after the closing time of the contest? Do I just do that through the PR itself or do I contact one of the judges?\nA: You can DM the staff and they will pass those changes on to the judge.", "Any update on the report for the Yaxis audit?\nA: It's being worked on but the sponsors will get final say on the publication timing - we want to give them sufficient time to mitigate issues.", "After how much time is the report published?\nA: The average turn around time is about a month, and efforts are being made to decrease that.", "Could someone please add me to the boot finance rooms. I'm on the team and keen to see progress.\nA: Done", "Is the Overlay Protocol contest delayed by 5 days?\nA: Yes, their start date changed to 11/16 at midnight UTC.", "How long do I need to wait to join the boot finance rooms?\nA: You have been added to the boot finance rooms.", "Is the Overlay Protocol contest delayed by 5 days?\nA: Yes, the start date for the Overlay Protocol contest has been changed to 11/16 at midnight UTC.", "If the same vulnerability is found in multiple different components of a codebase, does that count as a duplicate or two separate findings?\nA: In cases like these, it's best to submit two separate findings. It ultimately falls to the judge to decide whether to mark them as duplicates. However, it's important to note that awards are distributed based on individual issues. Multiple items in one submission are just going to count for one submission.", "Are there some best practices regarding formatting code in contest findings? I'm using tags but the code always seems to end up mangled in the repository.\nA: Try using markdown. 
A code block in markdown is surrounded by ``` on either side.", "What's a good way to submit issues with correct formatting?\nA: Create the issues in a tool like Notion, format it there, and then copy and paste the entire thing when submitting. It will be pasted with all the necessary formatting syntax for markdown.", "Does a 0-Non Critical Finding have any share in the Award Pot? If Yes, how many shares if it's a unique finding?\nA: No, non-critical findings do not have a share in the Award Pot.", "What\u2019s the incentive to report non-critical findings?\nA: Currently, there intentionally isn't an incentive for QA type of submissions. Sponsors are interested in high/medium/low severity vulnerabilities and gas optimizations. However, there have been discussions on possibly having a small QA pot if sponsors want this sort of submission, but there isn't a mechanism for it at this time.", "Where can I leave my improvement suggestions for a project?\nA: You can leave improvement suggestions in the project's designated area, and you may also receive karma for your input.", "Does 0-Non Critical Finding have any Share in Award Pot? If Yes, how many Share if it is Unique finding?\nA: No, there isn\u2019t a share for non-critical findings.", "What\u2019s the incentive to report non-critical finding?\nA: Currently, there intentionally isn't an incentive for QA type of submissions. 
Sponsors are interested in high/med/low severity vulnerabilities and gas optimizations.", "Is it possible to get the severity of the bug added to the C4 emails that are sent out after we submit an issue?\nA: Yes, it is possible to get the severity of the bug added to the C4 emails that are sent out after we submit an issue.", "Is the winner announcement of BadgerDAO 28 oct already done?\nA: No answer provided", "Can we add position numbers to the leaderboard?\nA: No answer provided", "Is it possible to add a Low column to the leaderboard as well?\nA: No answer provided", "What plans do you have for the leaderboard?\nA: We have lots of plans for the leaderboard actually! They're all in the idea phase right now.", "Can we put roles in discord that reflect the leaderboard as well?\nA: No answer provided", "How can we make it possible to compile projects as we clone them?\nA: No answer provided", "Could we move the actual project into a project directory, and keep the README in the top-level one?\nA: No answer provided", "Are there plans to have at least a couple of different timelines we apply to the leaderboard?\nA: Yes, one thing we're quite keen to do is to have at least a couple of different timelines we apply to the leaderboard -- so in addition to \"all time\" there would be e.g. a \"last 3 months\" view or something.", "What other stats would be fun to surface on the leaderboard?\nA: No answer provided", "Can wardens collect badges for various achievements?\nA: Yes, wardens can collect badges too, for various achievements -- whether that's being a hero at gas optimizations or repeat appearances as MVP.", "Why doesn't Brownie compile the projects with the default naming convention of C4 when the project names start with a year?\nA: The brownie requires that project name starts with an alphabetical character, and so when the project names start with a year, Brownie doesn't compile the projects with the default naming convention of C4. 
This is more of a cosmetic issue, and it can be bypassed by renaming the project to start with an alphabetical character.", "What updates are planned for the leaderboard?\nA: One update being considered is the introduction of different timeline views in addition to the current \"all time\" view. This could include a \"last 3 months\" view. However, measuring time for these different views is less straightforward due to the varying speed at which contests move through judging/reporting/announcing stages.", "What are some other ideas for fun stats to surface on the leaderboard?\nA: Some ideas include allowing wardens to collect badges for various achievements, such as being a hero at gas optimizations or repeat appearances as MVP. There could also be seasons for the leaderboard, where each season lasts a set period of time and at the end, everyone on the leaderboard receives an NFT with metadata of their rank, money made, and a cool design.", "How could the duration of a leaderboard season be determined?\nA: One suggestion is to have each season last 4 or 6 months. Another idea is to end the season when someone hits a certain dollar target, making each season a race.", "What is a potentially useful metric to introduce to the leaderboard?\nA: One suggested metric is the average percentage of pool awarded. This would be useful as not all participants engage in every contest, for various reasons like lack of time or contest preference.", "How is the contest awarding process understood, and how is the pot divided among those who submitted valid vulnerabilities?\nA: The process is not explicitly detailed in the chat, however, there is mention of a website doc detailing how risk is estimated, which could play a role in the awarding process. The risk levels range from 0 (Non-critical) to 3 (High risk where assets can be stolen/lost/compromised). 
More definitive information might be found in the award script repo mentioned.", "What other metrics could be used to measure achievements in contests?\nA: A suggested metric was the average percentage of pool awarded, given that not all participants engage in every contest due to various reasons.", "Can the awarding process and the splitting of the pot among those who submitted valid vulnerabilities be explained in more detail?\nA: The process is detailed in the website's documentation. The levels of risk are defined as follows:\n - Non-critical: Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas-optimisations.\n - Low: Assets are not at risk. State handling, function incorrect as to spec, issues with comments.\n - Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.\n - High: Assets can be stolen/lost/compromised directly (or indirectly if there is a valid attack path that does not have hand-wavy hypotheticals).", "Where can one find information about the monetary aspects of the awards?\nA: Details about the incentive model and awards can be found at https://docs.code4rena.com/#incentive-model-and-awards", "Has the streaming protocol contest been postponed? \nA: Yes, the contest will be starting on 11/30 as per the website.", "How can one update a submission?\nA: Submissions can be updated by sending a direct message to one of the administrators.", "When can the awards for the fairside contest be expected to be announced?\nA: The timeline is currently unknown. It is still in the sponsor review phase and will need to go through judging afterwards.", "How can I update a submission? 
\nA: You can update a submission by sending a direct message.", "When can we expect awards for fairside to be announced?\nA: The Fairside awards are expected to be announced next week, but it's still under review and needs to go through judging.", "When will the audit reports for the more recent competitions be published?\nA: Once sponsor review and judging are done, the C4 team tends to get awards and reports out in less than a week. However, the speed of sponsor review and judging varies widely\u2014as fast as a 2 week turnaround, but 6+ weeks in some cases.", "Can you please delete my first issue?\nA: (No answer provided)", "Is it okay if I used a handle of someone else because I couldn't find the handle I submitted?\nA: Using someone else's handle is not recommended as the finding might be credited to them on the leaderboard. You should complete the Warden registration and then contact someone from the team to change the finding to your own handle.", "If I don't change the handle, will I still get the money?\nA: It is suggested to note down your findings, complete Warden registration and then contact someone from the team to change the finding to your own handle.", "I'm no longer receiving email receipts for contest findings I am submitting. What should I do?\nA: It was noted and the user was asked when was the last time they received one, but no solution was provided.", "What should I do if I submitted issues under a different handle?\nA: You should note down your findings, complete Warden registration and then contact someone from the team to change the finding to your own handle once they get back.", "I'm no longer receiving email receipts for contest findings I am submitting. What could be the issue?\nA: It could be related to issues with Github, as indicated by this [link](https://www.githubstatus.com/incidents/r5qrpp2f5fc0). You could wait for Github to fix the issue or switch to a different email if the problem persists.", "I'm new to this world. 
I've been doing CTF's and learning solidity for the last couple months. Where can I learn more about becoming a smart contract auditor?\nA: You can check out this [guide](https://cmichel.io/how-to-become-a-smart-contract-auditor/) on how to become a smart contract auditor. Additionally, you can browse [Code4rena](https://code4rena.com/reports) reports for more learning materials.", "Where exactly in your Github can I find the repos for the contests and the findings?\nA: You can browse [Code4rena](https://code4rena.com/reports) and all the issues there link to the Github issues as well.", "What is gov-wg?\nA: Gov-wg is the Working Group set up to establish a DAO structure.", "What is gov-wg?\nA: Working Group to setup a DAO structure.", "Can you clarify why my submission here was marked as disputed: https://github.com/code-423n4/2021-10-slingshot-findings/issues/21 whereas this submission, showing the same issue, was accepted: https://github.com/code-423n4/2021-10-slingshot-findings/issues/82?\nA: Both 21 and 82 are out of scope. If an issue is described in the documentation, it is not valid.", "In the contest https://code4rena.com/contests/2021-11-streaming-protocol-contest, the contract are StreamFactory, Stream and LockeERC20. But in the repository only appear Locke and LockeERC20 https://github.com/code-423n4/2021-11-streaming/tree/main/Streaming/src. Is it right?\nA: All contracts are inside locke.sol.", "How can we add screenshots to the report of vulnerability? \nA: You can use Markdown and embed a remotely-hosted image that way. Alternatively, create an issue on a private repo, drag and drop images there, then grab the markdown snippet with the cdn url.", "How are gas optimizations judged? Do they get equal importance?\nA: Gas optimizations are awarded from a separate award pool that is specified on the C4 website (on each contest's page) and in the contest repo. They're awarded the same way as low risk shares of the main pool. 
For instance, the #deleted-channel contest that just launched has a $67,500 USDC main award pot and a $7,500 USDC gas optimization award pot. More details can be found here: https://docs.code4rena.com/#incentive-model-and-awards.", "Inside the gas pool, how are different findings weighted? \nA: (No answer was provided.)", "Was there some information about the schedule over Christmas and some expected downtime?\nA: Yes, the details about the schedule over Christmas and the expected downtime can be found here: https://discord.com/channels/810916927919620096/810929015509483554/908791439771725854.", "What will the schedule look like over Christmas and does it include downtime?\nA: https://discord.com/channels/810916927919620096/810929015509483554/908791439771725854", "How are gas optimizations judged? Do they get equal importance?\nA: Gas optimizations are awarded from a separate award pool that is specified on the C4 website (on each contest's page) and in the contest repo. For example, the #deleted-channel contest that just launched has a $67,500 USDC main award pot and a $7,500 USDC gas optimization award pot. Because they are distributed from a single pot, they are awarded using a simplified version of our award calculation as outlined in the docs: https://docs.code4rena.com/#incentive-model-and-awards. Basically, they're awarded the same way as low-risk shares of the main pool.", "Inside the gas pool, how are different findings weighted?\nA: There's no additional weighting among gas optimizations. They may still be judged as valid or invalid, but all valid findings are weighted the same.", "Is there a way to contact someone on the streams' protocol team for clarification?\nA: The best option should be to reach out in the contest channel #deleted-channel. \nA: https://discord.com/channels/810916927919620096/914939064027861032/914939487052791828\nA: To see the contest channels, one needs the warden role. 
To get it, fill out the form on the website and let them know in #\ud83d\udc3ai-want-to-be-a-warden", "How do you deal with a source code leak?\nA: [No answer provided in the chat.]", "Why am I not seeing any channel with the name provided in the link? \nA: The link goes directly to announcements. You need the warden role to see the contest channels. To acquire the role, fill out a form on the website and let it be known in #\ud83d\udc3ai-want-to-be-a-warden.", "How do you deal with a source code leak? \nA: Anyone could fork a project and deploy the same code. But users are unlikely to interact with it unless the team endorses it.", "What tool generates this output?\nA: It's unclear what specific tool generates the output, but most people use Slither.", "Is there an incentive for wardens to submit non-critical vulnerabilities? For example: https://github.com/code-423n4/2021-10-tracer-findings/issues/5\nA: Non-critical vulnerabilities are not considered when calculating awards. However, many wardens submit them because they still benefit the sponsor.", "I found 2 critical vulnerabilities, which are separate mistakes, but a really strong proof of concept when combined. Does it make them a single vulnerability or 2?\nA: If the two findings can be combined to create a third, more powerful one, then you may wish to submit a third finding explaining the proof of concept. The extra detail for high severity findings is valuable.", "What happens once a finding is submitted for a contest? Should I expect any confirmation?\nA: You should not expect any confirmation other than the email copy of the form.", "I've just joined and I'm looking for Cosmos related learning resources for potential wardens. Are there any available?\nA: This question wasn't answered in the chat.", "Should we add the Polygon network to our wallet otherwise we won't receive our amount?\nA: The funds will be sent to your wallet regardless of your settings. 
You control the key to that address, so when you want to move the funds, you'll send a transaction on Polygon, for example, by adding the Polygon network to MetaMask.", "What happens once a finding is submitted for a contest? Should I expect any confirmation (other than the mail copy of the form)?\nA: No, only the mail copy.", "Is there anywhere with Cosmos related learning resources for potential wardens?\nA: No answer provided.", "Should we add the polygon network to our wallet otherwise we will not get our amount, right?\nA: Regardless of your wallet settings, the funds will be sent to that address. Once you want to move the funds, you'll send a transaction on polygon (eg. by adding polygon network to MM) that will move the funds.", "Can Metamask show the tokens in your address when you swap networks to Polygon?\nA: Yes, Metamask should be able to show you the tokens in your address when you swap networks to Polygon. If not, you can just manually add them in. You can also monitor your address using this link https://polygonscan.com/address/. To move the funds back to mainnet, you can use the polygon bridge https://wallet.polygon.technology/. Alternatively, you can also deposit directly into a CEX that supports native polygon deposits e.g. 
Binance.", "Has the payment of badgerdao ibBTC been released?\nA: No, it has not yet.", "In a findings report, does adding a link that points to the sponsor's github repo code (with relevant lines highlighted) automatically pull in that code snippet to the report?\nA: No, it doesn't automatically add the code.", "Is there any other option to submit findings, other than the form on the website, as I'm still waiting for the warden verification?\nA: Yes, after the site finishes deploying, you'll find your warden name in the list.", "Are the funds for the 2nd place in the nested finance audit contest still waiting to be sent out?\nA: Yes, they will be sent Monday or Tuesday.", "Is there a way to edit a finding after it has been submitted?\nA: Yes, the organizer team can help get the issue updated.", "I haven't got my award from fairside. Can I get some information about that?\nA: No answer provided.", "Is there a way to edit a finding after it has been submitted? I would like to expand on it, as I've noticed it affects more things than I'd mentioned.\nA: Yes. The organizer team will be back Monday and someone can help get the issue updated.", "I placed 2nd in the nested finance audit contest. Just wanted to clarify if the funds are still waiting to be sent out as I haven\u2019t received the award in my MetaMask wallet yet. Just making sure. Thanks.\nA: The funds will be sent Monday or Tuesday.", "I haven't got my award from fairside. Just need some information about that.\nA: If the contest was on the polygon, that's where awards are distributed. On the other hand, if it was the recent fairside contest, the awards haven't been distributed yet.", "I am thinking about becoming a warden. I am currently hunting bugs on a different platform. I found C4 model quite interesting. I have a small question. How does reward distribution work? According to the recent questions, currently it takes longer than expected. 
With the current situation, should I expect rewards after 2 months after the end of the competition?\nA: 2 months is a bit of a worse case scenario. The company got a lot faster and then got a lot more wardens and contests so they\u2019re currently scaling processes and personnel to be able to keep up with demand but reducing turnaround times is a very high priority.", "Has anyone managed to successfully call hh deploy-pie-from-factory for the Amun project?\nA: [No answer provided]", "Are any of the Amun project members in the discord to consult with?\nA: The best place to find the project team is #deleted-channel. There's an opening message in there with the three folks from the project listed there for you to DM.", "It looks like I'm missing a permission, I had a feeling it was too quiet here.\nA: You'll need to register as a warden and drop a wave in #\ud83d\udc3ai-want-to-be-a-warden when you've done that.", "Are any of the project members in the discord to consult with?\nA: The best place to find project team members is in the #deleted-channel. 
There's an opening message in there with the three folks from the project listed for direct messaging.", "Why can't I access a certain channel?\nA: You'll need to register as a warden and announce it in #\ud83d\udc3ai-want-to-be-a-warden.", "What happens when I click the dropdown in the submission form?\nA: The page is replaced with a purple screen, but this issue is currently being investigated.", "Is a separate address from the eth mainnet address used?\nA: It should be the same unless you're using a smart contract wallet (gnosis or argent or something).", "Is anyone else having trouble using the submission form?\nA: The submission forms should be working now, just reload the site.", "Are findings confirmed and discussed once they're submitted, or upon the contest end?\nA: Findings are confirmed and discussed after the contest ends.", "Is \"missing 0 address check\" a valid finding as seen in other reports?\nA: No answer provided.", "Are the issues of fei public?\nA: No answer provided.", "Are findings confirmed and discussed once they're submitted, or upon the contest end?\nA: Findings are confirmed and discussed after the contest ends.", "Is \"missing 0 address check\" a valid finding?\nA: An opinion was given that zero address checks are a valid finding as they can lead to loss of funds if tokens are transferred to the zero address.", "Are the issues of fei public?\nA: Not just yet. 
The report will be compiled next, then shared out and the findings repo will be opened up.", "What is considered to be a privilege escalation?\nA: No answer provided.", "Why did NFTX contracts use a \"snapshot\" of OZ contracts instead of using contracts directly from the OZ npm repository?\nA: This is usually done to allow the project to make any necessary changes to these external contracts to suit their project requirements better.", "Is there a tool that allows you to see \"diffs\" in contract audits?\nA: You might be able to run a diff command on the two contracts.", "Is it standard to copy/paste OZ source code into the repo without using the npm library?\nA: Yes, it's common to do so.", "Why is it standard to copy/paste OZ source code into the repo without using the npm library?\nA: OpenZeppelin documentation was shared as a potential answer: https://docs.openzeppelin.com/contracts/4.x/wizard.", "Is there a tool that allows you to see \"diffs\" otherwise as an auditor?\nA: You might be able to run a diff command on the two contracts.", "Is it standard to copy/paste OZ (OpenZeppelin) source code into the repo without using the npm library?\nA: Yes, it's common.", "Is there a reason why it's standard to copy/paste OZ source code into the repo without using the npm library?\nA: https://docs.openzeppelin.com/contracts/4.x/wizard", "In the OZ wizard, you get the OZ code as import to the NPM package and not as source code. Is that correct?\nA: Yes, you are correct.", "Does a judge/C4 have the capability to \"multiply\" an issue? For example, I submit one issue pointing to 2 separate files where it happens in the code. Somebody else submits these 2 locations as 2 separate issues. Judge decides to reward these 2 issues separately. Can he create another \"virtual issue\" for me (as I submitted both locations in 1 real issue)?\nA: No. 
For better or worse, each issue is currently evaluated strictly on what was submitted.", "I've seen this test script syntax in a few Solidity examples before, does anyone know what this library is?\nA: That's likely a script to test an exploit with the run function calling several other functions in order on the smart contract. Hardhat is great for running these types of tests on a forked network.", "I would like to better understand how I should do submission. I see that there's a GitHub template saying that you submit a single document with all the findings but I also see that every contest has \"submit form\". Which one should I use?\nA: That repository is old and not updated anymore. You should submit findings using the \"Submit finding\" button of the specific contest on the main page, each finding separately.", "It would be good to also update the docs because it points out to those info and someone from the chat a couple of days ago suggested me to use the template as a reference. Can you share where you found it in the docs?\nA: It's in the Warden section of the Code4rena docs. It refers to the submission policy and judging criteria subsections in the docs, not to that specific file.", "The submission policy points to that template and says that I need to send the report to an email. Is that correct?\nA: The submission policy does not point to that specific file.", "Should I submit findings using the \"Submit finding\" button of the specific contest on the main page, each finding separately?\nA: Yes, you should submit findings using the \"Submit finding\" button of the specific contest on the main page, each finding separately.", "Where can I find the information in the docs?\nA: The information can be found at https://docs.code4rena.com/roles/wardens", "Does the submission point to that template and that I need to send report to an email?\nA: Yes, the submission points to that template and you need to send the report to an email. 
However, the link has been updated following your feedback.", "Should one put all gas optimizations into one issue or what is the general rule of thumb here?\nA: You should create different issues for different optimizations. If you only put in a single issue it will be judged as a single one.", "What happens if two people are a team and use the same warden (not a team, single warden), and they find the same issue and they both submit it with different wallets?\nA: Each would get less than half of the reward. It's better to submit as a team. See: https://docs.code4rena.com/#incentive-model-and-awards", "If a third warden reported the same issue, won't it be better for the team to submit separately?\nA: The answer was not provided.", "Have the funds for the second place in the nested finance audit contest been sent out?\nA: The awards for the Nested Finance audit contest were sent out recently.", "Is NFT a scam?\nA: The answer was not provided.", "Who is the point of contact for starting a contest for auditing a code that is updated yet for an AMM project on Algorand Blockchain?\nA: The answer was not provided.", "Is NFT a scam?\nA:", "We have an AMM project on Algorand Blockchain, and we want to create a contest for auditing code that is updated yet. The official auditing process with two companies is already started, but we want to start an additional initiative here. So, who is the point of contact for that?\nA: You can contact our team directly for this matter.", "Should I get an email if an issue is valid or not?\nA: You should get an email of your submission - whether it is valid or not.", "I meant during the judging period. Because I sent a submission for streaming protocol and it says contest completed(sponsor review). \nA: Yes so the contest is completed and now it is in Sponsor Review where the sponsors are reviewing the submissions and weighing in on the results. 
From there it will go to Judging, then Awarding, and then Reporting where you will be able to see the results of your submissions in the final published report. The findings repo will also be made public at that time.", "Is there an email notifying the warden of the validity of each submitted issue, that is, if it is counted or not. \nA: No, there isn't an email that notifies the warden of the validity of each submitted issue.", "Is there a link to the Livepeer contest?\nA: The contest page on the website is here: https://code4rena.com/contests/2022-01-livepeer-contest. Contest opens in 2 days + ~8 hours.", "Can I create a proposal?\nA:", "What is the address of the C4 token?\nA:", "Is there a link to the Livepeer contest?\nA: The contest page on the website is here: https://code4rena.com/contests/2022-01-livepeer-contest. Contest opens in 2 days + ~8 hours.", "Can I create a proposal?\nA: Technically you will need to have (or be delegated) 50k tokens in order to make an on-chain proposal. Of course, not everything needs an on-chain proposal and very few things should start there. If you have something you're interested in proposing, one approach is to start by sharing it in #\ud83d\udce5suggestion-box and see how it might intersect with others' thinking and perspectives.", "What is the address of the C4 token?\nA: 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222", "How do I get my twitter handle and profile pic attached to my codearena profile?\nA: Check out https://github.com/code-423n4/code423n4.com/tree/main/_data/handles and make a pull request for your handle.", "Is changing the handle itself ok? Or will it cause issues with past/ongoing contests?\nA: Please don\u2019t change handles at this time. We\u2019ll be able to do that in the future but right now there\u2019s so much data keyed off that.", "What do we do to verify these changes are intended at the moment? Seems like a chance for someone to shill a different persons twitter etc... 
\nA: Go to mycrypto.com and create a signed message and add the json to the PR using a wallet address you have used in a contest. https://app.mycrypto.com/sign-message", "Do I just add that as a comment in the PR itself?\nA:", "Best platform to buy matic?\nA: This might be of use to you: https://discord.com/channels/810916927919620096/824698635815223316/915880736664461322", "I have some problem with getting the award from Mellow Protocol. I use Metamsk with Poligon mainnet to recieve USDC. Can you send me TxID of the transaction?\nA:", "What is the best platform to buy matic?\nA: This link might be of use: https://discord.com/channels/810916927919620096/824698635815223316/915880736664461322", "Can you send me TxID of the transaction? I have some problem with getting the award from Mellow Protocol and I use Metamsk with Poligon mainnet to receive USDC. \nA: Mellow Finance rewards have not been sent yet. You will need to wait a bit more.", "Is this the right channel to ask some solidity question?\nA: No answer provided.", "What is the best way to count the number of lines of code in a Solidity contract? I know about Solidity Coverage (https://www.npmjs.com/package/solidity-coverage) and Solidity Metrics nSLOC (https://github.com/ConsenSys/solidity-metrics) but they give different estimates. \nA: You could consider whichever is closer to the one when the file is viewed with an IDE / on Github.", "Are the PAST CONTEST STATUS UPDATES listed as a timeline?\nA: Yes, that section shows where contests are currently in our process. The order represents the order of the contest progression.", "How can I update/confirm my reward wallet address?\nA: No answer provided.", "Are awards always paid in the same week they are announced?\nA: Generally, the goal is to pay the awards in the same week they are announced. 
The team is trying to process a bunch of them by the end of this week, they include: MapleOverlaydefiprotocol 1defiprotocol 2yAxis mini 1MellowBootUnlockStreamingProtocolPerennial.", "I followed the steps to participate in the contests but status shows \"Review required\". Does this mean I cannot participate in the contests until this is approved?\nA: Someone will take a look at this for you.", "I followed the steps but status shows \"Review required\". Does this mean I cannot participate in the contests until this is approved?\nA: You're all set now. So you should see your handle in the list when you go to submit findings for a contest.", "Hi there, could it be possible to DM someone from the Code4Arena question?\nA: Yes, you can direct message someone.", "Is it possible to change my wallet address to which I receive tokens to?\nA: Yes, it's possible, but it is a significant effort on our part to manage this. As you know, we collect the wallet addresses separately for each contest, and we don't store them centrally. So if a warden requests an address change, we need to collect a list of every contest they used that wallet form, and then manually update the wallet address for each one. So if it's extremely important to change the wallet (i.e. your old one was hacked), then please DM us. But if it's not critical (more of a preference), we ask that you not request any changes.", "Do teams generally get a few contracts reviewed or entire protocols?\nA:", "Have rewards for Yeti Finance been distributed?\nA: The awards will be distributed likely next week.", "In the docs it says \"It is also recommended to ensure you receive email confirmation of each submission.\" Does this mean we are supposed to get an (automated) email whenever a submission is sent?\nA: Yes, it is expected to receive a confirmation email for each submission but sometimes it takes a few minutes. 
If it does not arrive at all, you should ask again.", "Should we send a submission for each single gas saving, too? Or group them? Or group just \"similar\" ones?\nA: Judges and sponsors will appreciate grouping similar ones.", "In the docs it says \"It is also recommended to ensure you receive email confirmation of each submission.\" Does this mean we are supposed to get an (automated) email whenever a submission is sent?\nA: Yes, but sometimes it takes a few minutes. The email does not contain the eth address provided.", "Should we send a submission for each single gas saving, too? Or group them? Or group just \"similar\" ones?\nA: Judges and sponsors will appreciate grouping similar ones.", "I still didn't receive any answer email. It was just a low severity issue but I'm curious why I did not get an email.\nA: The code might not trim whitespaces. There was a spam issue with yahoo or hotmail a while back.", "The rewards could be paid partially or always are full paid?\nA:", "In the Sherlock contest, I noticed that the loc in their README doesn't match the # of lines in the contract files. In instances like these, how should we know where these LOCs should correspond to?\nA: The best approach would be to use the line numbers in the files as displayed when viewing them in GitHub. 179 LOC is the number of actual lines calculated by solidity-coverage. Presumably counting 179 SLOC (source lines).", "As a suggestion for future contests, perhaps we can standardize LOCs so that there won't be any confusion across different contests re. how LOC is determined.\nA: That's an interesting suggestion. We thought we were using sloc in the readme counts. 
Yes, it should be standardized.", "Is there a way to look at all the findings of a contest after it finished but before the results are published?\nA:", "What does LOC refer to in relation to the contests?\nA: LOC refers to the number of actual lines calculated by solidity-coverage, in this context, it doesn't include comments and blank spaces.", "Is there a suggestion to standardize LOCs across different contests to avoid confusion?\nA: Yes, it's suggested that the method of calculating LOCs should be standardized across contests.", "Is there a way to look at all the findings of a contest after it finished but before the results are published?\nA: Currently, it isn't possible to look at all the findings of a contest after it finishes but before the results are published.", "What is the standard method used for calculating SLOC/LOC number during the scoping/sales/intake process?\nA: There isn't a specific validation method used to determine the SLOC/LOC number provided by the sponsor during the scoping/sales/intake process. However, there's a suggestion that SLOC in the readme would be ideal as LOC can be misleading due to considerable comments etc.", "Has the leaderboard got Sublime contest?\nA: Yes, the leaderboard for the Sublime contest is currently being worked on.", "If wardens report the same vulnerability but with different severities, are they given the same severity for award calculation?\nA: Yes, the intent behind deduplication and then judging is to determine severity after that. 
Therefore, if wardens report the same vulnerability but with different severities, they are given the same severity for award calculation.", "When a submission to a contest was made but not rewarded, is there any way to review why the submission was not accepted?\nA: Yes, when the report is out, the repo will be fully opened and you'll be able to see the discussion among sponsors and judges on the specific issue.", "If wardens report the same vulnerability but with different severities, are they given the same severity for award calculation?\nA: Yes. That is the intent behind deduplication and then judging / determining severity after that.", "When a submission to a contest was made but not rewarded, is there any way we can review why the submission was not accepted?\nA: Yes\u2014when the report is out, the repo will be fully opened and you\u2019ll be able to see the discussion among sponsors and judges on the specific issue.", "Why the issue 14 can be duplicated with the 50? Is not in order?\nA: The order does not matter in terms of which is the original and the duplicates. They all get paid the same, and the most succinct and well written submission is usually chosen as the primary issue.", "Should the \"best write-up\" be incentivized to encourage high quality submissions?\nA: Yes, this is something that has been considered. Currently, the primary issue gets to represent the bucket in the published report and the warden gets first attribution, which seems like a sufficient incentive. However, the idea of awarding a unique badge for the most eloquent warden has been suggested.", "Is it common for judges to mark an issue to have a higher risk than the proposed risk by wardens? I'm not sure whether I should propose it as high or medium.\nA: Yes, it is common. 
Judges will adjust the risk level of an issue if they deem it necessary.", "Is it common for judges to mark an issue to have a higher risk than the proposed risk by wardens?\nA: Yes, if judges deem it necessary, they do adjust the risk level of issues.", "As the judges should themselves be quite competent, don't they sometimes get \"inspired\" by some reports and then, after the contest/during the judging phase, find new undiscovered high impact bugs? Shouldn't this be rewarded in some fair way?\nA: [No answer]", "If there are multiple instances of the same time of gas optimization, is the warden awarded 1 point for each instance? If not, what is the logic behind this and what de-incentivizes the warden from submitting a different report?\nA: There is some sybil resistance for duplicate submissions of the same vulnerability. Each instance is awarded a share of 1 point depending on the number of duplicates.", "What will be shown in the scoreboard if I got rewards both by myself and as a part of a team?\nA: Your team and yourself will be separate on the leaderboard.", "Does it mean I won't be under the team name? or will my handle appear twice?\nA: Your name will appear twice.", "What happens to the other funds in no Med/High vulns are found? In regards to new low submissions.\nA: The full pool would then be divided based on the QA Report curve. However, it seems unlikely that there will be no mediums or high vulnerabilities found as it has only happened a few times in the past.", "Will NC hold some weight? Just to know if it's worth it spending a considerable amount of time writing this part of the report.\nA: The full report will be graded on a curve against the other reports. The effectiveness of NC will be a community experiment to see what best practices emerge.", "For the new submission process, what if a low-impact QA report turns out to be a high-impact report? How does that work with the 10% prize pool? 
Would the report be upgraded?\nA: [No answer]", "If I find 3 low-impact bugs am I creating 3 separate QA reports or one single QA report?\nA: All of your non-critical and low severity findings would go into a single report.", "Will Non-Critical (NC) hold some weight? Is it worth it spending a considerable amount of time writing this part of the report?\nA: The full report will be graded on a curve against the other reports. We'll be experimenting together as a community with this but it's anticipated that we'll learn a lot and it will be interesting to see the best practices emerge.", "For the new submission process, what if a low-impact QA report turns out to be a high-impact report? How does that work with the 10% prize pool? Would the report be upgraded?\nA: It's conceivable it could be upgraded. However, it's important to consider that part of auditing is demonstrating proper theory of how an issue could be exploited. If a warden notices something is 'off' but is unable to articulate why it could lead to loss of funds, the job is only half-done. Without understanding the implications, a developer could very well overlook or deprioritize the issue.", "Should proposed changes in the company go through voting on snapshot? What's the point of establishing DAO if not?\nA: The DAO constitution prioritizes actions without a vote; the DAO voted to delegate responsibility for running contests. 
The benefit of doing this is that votes don't turn into one faction vs another.", "Is there any document that provides definitions of which actions need to be delegated to the corporation and the ones that require voting?\nA: This [forum post](https://forum.code4rena.com/t/c4ip-1-2-3-4-5-constitution-dao-bootstrapping-reimbursements-token-sale/93) works through all the moving pieces in the opening constitution and delegation.", "Is it possible to make the findings repository public when the awards are published?\nA: Typically not because the sponsor generally hasn't finished their mitigation work by that time.", "Why does it matter if the findings repository is made public? The projects aren't deployed yet, are they?\nA: Many of the projects are, in some form at least.", "Why was the malt prize pool changed?\nA: The malt prize pool was changed to account for the increase in the judging fee.", "Why does it matter if the projects are deployed yet?\nA: Some of the projects are already deployed, at least in some form.", "Why was the malt prize pool changed?\nA: The malt prize pool was adjusted to account for the increase in the judging fee.", "Did I miss an announcement about the change in the malt prize pool?\nA: The change was discussed in the wardens channel due to the overwhelming issues on some contests. Increased offers for judging were made for a limited period to clear the backlog of contests.", "When will the new submissions mechanism be implemented?\nA: New contests that were starting would implement the new submissions mechanism.", "What happens to submissions when GitHub is down?\nA: When GitHub fails to take in issues, it usually rejects submissions via the API for a certain period of time which is indicated as a failed submission. 
However, during the recent GitHub outage, several submissions were successfully received.", "Where should a beginner start to learn in this space, especially about different roles available?\nA: A good place to start learning about different roles, especially relating to smart contract auditing, is this article by cmichel: [https://cmichel.io/how-to-become-a-smart-contract-auditor/](https://cmichel.io/how-to-become-a-smart-contract-auditor/)", "What happens when GitHub has server errors? Does it impact the submission of issues?\nA: GitHub has been known to reject submissions via the API during server errors, which would be seen as a failed submission. However, there have been cases where submissions were received successfully even during an outage.", "Where should a beginner start to learn in this space? What are the different roles available?\nA: Two resources to start learning are [cmichel's guide](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and the resources compiled by CodeArena [here](https://docs.code4rena.com/roles/wardens/tools-and-resources).", "Are constants cheaper than immutable variables?\nA: Both constants and immutable variables are calculated and filled in at compile time and both are embedded into the bytecode at deployment. The difference comes in how they are used. Constants are calculated and filled in at compile time whereas immutable variables are read-only state variables. Reading state variables costs gas. However, there is some debate on whether the cost is the same or not.", "I want to withdraw a submission but would rather not mention the title in this chat. Who should I contact?\nA: You can contact the staff directly, such as CodeArena staff, to request a withdrawal.", "Are there cases in which immutable costs less gas than constants?\nA: This used to be true, but is no longer the case as of July 2020. For more information, you can refer to this discussion: https://twitter.com/GalloDaSballo/status/1476925462010122245. 
As for immutable vs constant, they both get inlined at deploy time: https://ethereum.stackexchange.com/questions/118547/is-the-gas-cost-for-constant-and-immutable-about-equal. There's no difference in cost nor in bytecode, but small demos show some small differences which I can't explain.", "How do I withdraw a submission without mentioning the title in the chatroom?\nA: You can direct message me to withdraw a submission.", "Have XDEFI sent their rewards?\nA: [No answer provided]", "What does it mean that the rewards are allocated on a curve?\nA: One classic method of grading homework/exams is for a professor to score individual papers as they read them. The grades are then ordered and plotted on a bell curve. The highest score gets an \u201cA\u201d, the next highest a \u201cB\u201d, the next a \u201cC\u201d, etc. This method is used to distribute rewards.", "How would rewards distribution work if there are multiple wardens of different qualities?\nA: [No answer provided]", "Would 1 low quality warden be better than 10 high quality wardens? How to distribute a cash prize over a bell curve with 2 & 3 people of different or same tiers? And how to handle Sybil attacks?\nA: The process is still being worked out by the team. 
Scott, one of the top mechanism designers, is trusted to figure out the best way to distribute the awards on the bell curve.", "Besides eth transfer, what activates a callback in solidity?\nA: Callbacks can be activated in several ways:\n - safeTransferFrom onERC721Received\n - onERC1155Received of ERC1155\n - tokensReceived tokensToSend of ERC777\n - any call to an untrusted external contract\n - Callbacks are also used in protocols like flashloans, oracles, balancer", "If we send one as a low, could it be increased to medium by judges?\nA: Yes, judges have the authority to increase a submission from low to medium.", "Have the nftx findings been completed?\nA: [No answer provided]", "Besides eth transfer, what activates a callback in solidity?\nA: SafeTransferFrom onERC721Received, onERC1155Received of ERC1155, tokensReceived tokensToSend of ERC777, any call to an untrusted external contract. Also, callbacks are used in protocols like flashloans, oracles, balancer.", "If we send one as a low, could it be increased to medium by judges?\nA: Yes, the severity level of an issue could be increased by judges.", "Have the nftx findings been completed yet?\nA: The chat doesn't provide a direct answer to this question.", "When are rewards for sublime coming in?\nA: If a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week.", "If the user can lose his funds, but the admin is involved in the procedure, is it considered High severity?\nA: The chat doesn't provide a direct answer to this question.", "When there are separate pools for different reports, will there be an announcement distinguishing the reward for each pool?\nA: Yes, there will be an announcement distinguishing the reward for each pool.", "Is there a size limit on submissions? I've tried to submit a gas report three times and it has errored every time.\nA: There might be an API limitation. 
For the QA & gas reports, you can send one email for each of the two reports to report@code4rena.com.", "Am I the only one getting flagged as a spammer?\nA: No, the issue doesn't seem to be common to all users.", "Where should we submit the low and non-critical report (and gas optimizations) for badger citadel?\nA: The chat doesn't provide a direct answer to this question.", "Is there a size limit on submissions? I've tried to submit a gas report three times and it has errored every time.\nA: There may be an API limitation. For the QA & gas reports, you can fall back to sending one email for each of the two reports to report@code4rena.com.", "Am I the only one getting a user flagged as a spammer? Maybe the handle?\nA: It seems the issue is not widespread, as others seem to be able to see the user's messages without issue.", "Where should we submit the low and non critical report (and gas optimizations) for badger citadel?\nA: You can submit it using the same form, unless you experience issues.", "I thought the reports should be like a file or something?\nA: Plain text markdown is acceptable.", "I didn't receive a email for submissions. Should I try it again?\nA: The emails sometimes end up in spam.", "It looks like I messed up here, any help is greatly appreciated!\nA: The issue is being worked on, it's not a user-specific issue.", "I tried doing some cursory research on Cosmos, but don't have the time to go too deep. Are those competitions on an EVM compatible chain? Will contracts be in Solidity?\nA: Cosmos uses Rust, not Solidity.", "Are the competitions on Cosmos an EVM compatible chain? Will contracts be in Solidity?\nA: Cosmos uses Rust.", "I am looking to get our smart contracts audited along with our product that we are building on polygon. 
How do I proceed?\nA: A representative from CodeArena will reach out to you directly to discuss further.", "Is a minter or burner role an issue?\nA: The answer is subjective and depends on the specific context.", "Can risk categories change for non defi protocols?\nA: Yes, judges have definitely made this assessment on non-defi protocols before.", "What is the severity of an attack made by the governance?\nA: The severity of an attack made by the governance seems to vary and is highly dependent on the judge's assessment.", "There seems to be inconsistencies in the judgment of the severity of governance attacks. Where can I report these inconsistencies?\nA: When you see inconsistencies, please file an (objective, neutral, blameless) issue with details and example links at https://GitHub.com/code-423n4/rulebook/issues", "What's the difference between M06 and M08 in these assessment reports?\nA: These reports appear to be duplicates of each other. This was an error.", "Is it common to see inconsistencies in the assessment of smart contract vulnerabilities?\nA: Yes, it is dependent on the judge and there's currently no consensus on it. However, it's encouraged to file an objective, neutral, and blameless issue with details and examples in such cases at https://GitHub.com/code-423n4/rulebook/issues.", "What's the difference between M06 and M08 in the Livepeer findings?\nA: These two issues appear to be duplicates of each other, they should have been marked as such.", "Has the Amun reward been sent?\nA: Yes, the Amun reward has been sent.", "I haven't received my Amun reward, what should I do?\nA: You should let the responsible party know, they can help you troubleshoot.", "What tools do wardens use to find vulnerabilities and bugs in smart contracts?\nA: Tools commonly used include Slither and MythX. 
For more information, you can refer to the post from the top 1 at leaderboard.", "How do you navigate through a smart contract with multiple .sol files, where should I start?\nA: You could start with the libraries and interfaces that have the least dependency, and then see which contracts are using them and check those.", "Is there any way to find reports on past competitions?\nA: Yes, reports from past competitions can be found at https://code4rena.com/reports.", "Do past contests reveal the vulnerabilities? I want to learn from the past.\nA: Yes, reports from past contests which reveal the vulnerabilities can be found at https://code4rena.com/reports. The leaderboard at https://code4rena.com/leaderboard/ can also give you a sense of what wardens are earning.", "I can't find a way to register my ETH address, where should I do this?\nA: It's not clear from the chat where to register an ETH address.", "Is the past contest reveal the vulnerability so I can learn from the past?\nA: Yes, the reports from past contests are available at this link: https://code4rena.com/reports. The leaderboard should give you a sense of what wardens are earning: https://code4rena.com/leaderboard/", "How can I register my ETH address?\nA: The submission form for each contest includes a field for your wallet address.", "Does Code4Arena do bug bounty programs?\nA: Code4Arena audit contests compare to bug bounties. You can get more information from this link: https://docs.code4rena.com/", "Is there a fee to Code4Arena on top of the bounty paid to wardens?\nA: Yes, there is a fee beyond the bounty paid to wardens.", "How much is the fee?\nA: The fee depends on various factors. 
You can request a direct message for more detailed information.", "Are optimizations worth it if they save less than 100 gas?\nA: This is something that is under discussion.", "How should we treat upgradeable contracts findings in case of Medium-risk vulnerabilities, for example DoSing or bricking the contract?\nA: If the protocol can be bricked until the upgrade takes place, it's the text book definition of a Medium risk bug.", "Where can I submit requests like change or update a contest submission, update your Polygon address or report an issue with our documentation?\nA: To submit such requests, you can use the C4 Help Desk: https://code4rena.com/help. You can enter either an email address or a Discord handle.", "Are we reaching a consensus little by little here for transactions on Ethereum and their gas optimization?\nA: It is suggested that this is definitely something that should be considered.", "How to treat upgradeable contracts findings in case of Medium-risk vulnerabilities such as DoSing or bricking the contract when there are no direct funds at risk?\nA: If the protocol can be bricked until the upgrade takes place, it's classified as a Medium bug.", "If a team submits a vulnerability, do we have the option of adding multiple Ethereum addresses and have the payment split between each address evenly?\nA: No, the best option there is to use a multisig. An Ethereum Gnosis safe will use a different address from a Polygon safe.", "Would splitting the payment between multiple Ethereum addresses be a convenient feature for teams?\nA: This seems like a great idea.", "Where are contest results posted? How can I check if my submissions were accepted?\nA: Results are posted and can be checked at https://code4rena.com/reports/.", "What are the biggest protocols that Code4rena has worked with? And what's the appeal here vs. 
other companies like Omniscia or Trail of Bits?\nA: Past contests and protocols Code4rena has worked with can be seen at https://code4rena.com/contests. Code4rena provides a process that consistently finds more bugs faster than any other method. Code4rena can get more auditors\u2019 eyes on code faster than any other available option. This has been demonstrated in a talk by Quantstamp's Sebastian Banescu at https://www.youtube.com/watch?v=O1rKwDv5kLQ", "How many members can be part of a team? Is there any limit?\nA: There is technically no limit on team size.", "What are the biggest protocols that code4rena has worked with? And what's the big sell here vs. Omniscia or Trail of Bits?\nA: You can take a look at the protocols from our past contests at https://code4rena.com/contests", "Has it been demonstrated against those other auditors I mentioned above? If so, would be curious to know how that is measured? And if you are able to get on their schedule is it more worth it to go with the big names or does this community offer things they can\u2019t?\nA: \"more auditors, more findings\" as Quantstamp's Sebastian Banescu put it in this talk https://www.youtube.com/watch?v=O1rKwDv5kLQ C4 will get more auditors\u2019 eyes on code faster than any other available option and has repeatedly demonstrated outstanding value that has brought established protocols back again and again", "How many members can be part of a team? Is there any limit?\nA: Technically no", "Is there a way to check how much each group member earned in a competition? 
Or the only way is to wait for the rewards to be distributed?\nA:", "Will there be any prerequisites to be a certified warden besides providing an ID and signing the agreement?\nA: Probably need to participate in x contests and have y valid findings or reports, but the bar should be relatively low, I think, since part of the benefit is allowing people faster access so they can learn sooner from others\u2019 findings and level up their skills", "is the buttons repo private? I get a 404 when following the link mentioned in this issue: https://github.com/code-423n4/code423n4.com/issues/765\nA: Yes, the buttons repo is private.", "The previous implementation was public. Can wardens be given access?\nA: To that repo, probably not. But there's a good transparency question there.", "Is the purpose of ID solely to punish exploits applied to deployed code? Couldn't there be two tiers - ID gets everything but the lower non-ID tier only gets access to non-deployed code?\nA: I don\u2019t think that is at all the purpose, no.", "Hi, what's the estimated time for sending awards after they are announced?\nA: Our goal is to get them out within 1-2 weeks after they are announced.", "Hi, if the same vuln are reported multiple wardens, do they each get the same share? Or just the first to report?\nA:", "Is the purpose of ID solely to punish exploits applied to deployed code? Couldn't there be two tiers - ID gets everything but the lower non-ID tier only gets access to non-deployed code?\nA: It's not the purpose as such.", "What's the estimated time for sending awards after they are announced?\nA: The goal is to get them out within 1-2 weeks after they are announced.", "If the same vuln are reported multiple wardens, do they each get the same share? 
Or just the first to report?\nA: They get the same share.", "Are LPT tokens and NFTX still pending?\nA: Yes, those awards are pending.", "If a platform uses Code4Arena to audit their code and it comes back with no critical or minor vulnerabilities, what is the cost?\nA: Unknown, it would need to be handled on a case-by-case basis as it would be an anomaly.", "Is the usual process that the bounty is split amongst those who find bugs?\nA: Yes, the bounty is usually split amongst those who find the bugs.", "What happens if we run a contest and there are zero valid submissions?\nA: This scenario hasn't been encountered yet but the plan is to handle it on a case-by-case basis as it would be an anomaly.", "Was there anything wrong with the backend? I received an error occurred when I tried to submit.\nA: Unknown, the user did not provide any specific details about the error.", "What happens if we run a contest and there are zero valid submissions?\nA: The plan would be to handle those on a case by case basis. It would certainly be an anomaly so there is likely other context that would arise that can't prescribe ahead of time.", "Anything wrong with the backend? I received error occurred when submit\nA: Sometimes with the Gas & QA reports, if they're larger than about ~65k characters, they can't be submitted through the form (because Github has a max character limit on the body/description field for issues). In this case, you can email the submission to submissions@code423n4.com and we'll add it to the repo manually.", "There are a lot of contests still pending - any info on when the first one with a QA report/single gas submission will be released? \nA: There's a handful of these that have been fully judged and simply need to have awards calculated. We are currently implementing the changes to award calculation process based on the mechanism change. 
This is high priority and under way but we don't have an ETA.", "Getting the same error as well when I'm trying to submit a request to remove an issue from a QA report that I submitted.\nA: Can you send the request to submissions@code4rena.com (including your handle and the contest in the email) and someone will make sure to look at it.", "From the sponsor side which chains are accepted for payment? Just ETH L1? Or other alt L1s/L2s too?\nA: [No answer provided in the chat]", "Can you see if there's anything in the console?\nA: Attempting it via mobile, not PC.", "What should I do if the web console isn't working?\nA: You can send the request to submissions@code4rena.com (including your handle and the contest in the email).", "From the sponsor side which chains are accepted for payment?\nA: Eth or Polygon presently for EVM league contests. Cosmos for Cosmos contests.", "I got the same error when submitting a help request, can you assist?\nA: It's possible the error is happening because of the captcha being blocked by your browser. Cross domain iframes might be needed on this page.", "Is the captcha error due to my network problem after I have completed it?\nA:", "I'm getting the following error when trying to submit findings, what should I do?\nA: There are some issues with GitHub, which is affecting the contest submission form. The Rolla contest is being extended 24 hours because of this issue. [Link](https://discordapp.com/channels/810916927919620096/953009382021533696/956244354496856174)", "What should I do since I won't be able to submit findings tomorrow?\nA: Submissions are working again now, you can proceed to submit your findings.", "When will Biconomy Hyphen 2.0 contest announce audit result?\nA: The findings for that one is currently being reviewed by the sponsor and then we'll hand it off to judge for their review and findings. Our goal is to get the final report published in the next couple of weeks.", "Are there any mail issues? 
I didn't receive submission confirmation email.\nA: It's possible. You can DM to check if your submission came through.", "I was early to send my submission, should I resend it?\nA:", "When will Biconomy Hyphen 2.0 contest announce audit result?\nA: The findings for that one is currently being reviewed by the sponsor and then we'll hand it off to judge for their review and findings. The goal is to get the final report published in the next couple of weeks.", "Are there any mail issues? I didn't receive submission confirmation email.\nA: It's possible there are mail issues. You can direct message to check if your submission came through.", "Can I see the result of past contests?\nA: You can see reports on past contests here: https://code4rena.com/reports", "How do QA and gas reports work when it comes to duplicates (and formulas)?\nA: QA and Gas awards should disregard duplicates; however, it has turned out to be quite tricky to handle downgraded issues (which need to be paired up with wardens\u2019 QA reports), and it\u2019s possible we missed something there. QA and Gas reports are awarded on a curve according to judges\u2019 scores, and that makes a big difference to the compensation.", "Where are you seeing the information about the duplicates in the QA and gas reports?\nA: The information can be found in the source code: findings.csv and also here: https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434", "Is the new way of handling QA/gas reports encouraging better quality in reports?\nA: The goal was to discourage farming lows and incentivize the best wardens. The rewards will be worth the effort in finding a unique high for the work required.", "What is the difference between static and symbolic security testing?\nA: Static testing refers to looking at the code without interacting with it. This includes using solidity linter and looking at the compilation warnings in your contract code in Remix. 
Symbolic testing is about interacting (transacting) with your code. The word symbolic is used because you don't actually do the transactions on-chain. Rather you use software to simulate a transaction and see what 'would happen'.", "Does symbolic testing install testnet and deploy the contract and observe the transaction details?\nA: No answer.", "What is the difference between the static and symbolic security testing?\nA: Static testing refers to looking at the code without interacting with it. This ranges from using solidity linter and looking at the squiggly lines that pop up to checking your contract code in Remix for compilation warnings. Symbolic testing is all about interacting (transacting) with your code. The word symbolic is used because you don't actually do the transactions on-chain. Rather you use software to simulate a transaction and see what would happen.", "Does symbolic testing involve installing testnet and deploying the contract and observing the transaction details?\nA: Yes, deploying contracts on testnet is part of symbolic testing, not static testing.", "Are all gas findings supposed to go in one submission?\nA: Yes, all gas findings are supposed to go in one submission.", "Is there a rule regarding contest price pool related to lines of code?\nA: No, contests are scoped. The 30k ones should be smaller.", "Should the Sublime contest be more than 30k since it's almost 2000 sloc?\nA: For scoping purposes, lines of code do not include comments and blank lines. 
The Sublime project without comments and blank lines is about 600 LOC which fits well in a 3-day contest.", "Can changing the scope mid-contest disadvantage people who have already dedicated time to it since they plan how much time to spend on a contest based on numerous factors including contest length and prize pot?\nA: (No answer provided)", "Are all the lines including comments and blank lines considered in assessing the potential level of effort a scope will require?\nA: For the purposes of scoping, the lines of code considered do not include comments and blank lines.", "Should the size of the Sublime contest, including all those interfaces, be considered in the scope even if they are not directly in it?\nA: (No answer provided)", "Is the scope of the project being audited in line with a 3-day contest? \nA: The scope of the project being audited is about 600 lines of code without comments and blank lines, which fits well in a 3-day contest.", "Can the scope of a contest change midway? \nA: Changing the scope midway could disadvantage people who have already dedicated time to it, so it is not a preferred option.", "What could be the potential impact of comments and blank lines on the scope of a project being audited? \nA: The number of lines of code, including comments and blank lines, can affect the perceived complexity of a project. However, for the purposes of scoping, comments and blank lines are not typically included.", "Is there an issue with having a space in the discord handle while filling out the help form?\nA: Yes, and the issue has been reported to the development team. 
In the meantime, you can include your email address on the help form or include your discord handle without spaces in the Discord Handle field, and let us know your actual handle (with spaces) in the Description field.", "Why isn't the real code to audit in the C4 repository for Sublime?\nA: The question was raised but no answer was given.", "How long does it usually take for the payment to be released after the announcement?\nA: Any announced awards usually should get processed Monday or Tuesday after the standing Monday meeting where signatures on the award distribution multisig are rounded up.", "Where can I share my Ethereum address to receive my share of the contest's prize?\nA: When you submit findings, there is a field for your polygon address.", "What if we submit a different polygon address per finding. Will each finding get rewarded on the provided address?\nA: Only one address for one handle for a contest is used for sending rewards.", "Where can we share our ETH address?\nA: It seems the documentation needs to be updated, the company is working on it.", "What if we submit 1 different polygon address per finding. Will each finding get rewarded on the provided address?\nA: The rewards are only sent to one address for one handle for a contest.", "Why isn't the polygon address saved with the username? Is it for a privacy issue or to avoid making the address a target?\nA: This is not primarily for privacy, as the awards are named by handle and distributed from the same awards address in broad daylight on chain. The original tools for finding submissions and contest processing were very simple and they've been gradually replacing those, with an effort currently underway to move to authenticated warden accounts.", "Is it possible for a smart contract to create a signature of data so that another smart contract can verify that signature?\nA: Yes, it's possible by using a specific method explained in this link https://eips.ethereum.org/EIPS/eip-1271. 
However, both the contract \"signing\" and verifying the \"signature\" need to support this EIP as the smart contract doesn't have its own private key.", "How do we know a finding was submitted successfully if we don't receive an email immediately?\nA: The form is accessing GitHub and Mailgun APIs. If the APIs accept the post, it should go through. If they don\u2019t, the form should error.", "Are there Solana developers in the community?\nA: The company has not hosted any Solana contests yet but intends to expand beyond EVM and Cosmos chains.", "Why hasn't the homepage of Code4rena updated content reports after February?\nA: The reports and rewards calculation changed and it takes time to put all of this together. However, a batch of reports should be published soon.", "Why is the reward not made when the reward compute is done? \nA: It's due to the process of multisig. The company intends to have transactions queue up for signature during a standing meeting each Monday, but it's not perfect and there's room for improvement. Eventually, the company plans to distribute awards via smart contracts once more pieces are in place.", "Do you have Solana developers in your community?\nA: We might! We haven't hosted any Solana contests yet but would like to expand beyond EVM and Cosmos chains.", "Why the reward is not made when the reward compute is done? \nA: We have busy people on the multisig and we have a standing meeting each Monday where the intent is to have txns queue up for signature prior to. Eventually we will distribute awards via smart contract, but we need more pieces in place before that can be done.", "Should 'Awarding:' in the announcements be split into 'Awarding:' and 'Paid:'?\nA: (No direct answer provided)", "LPT is still pending right?\nA: Yes, but should be moving soon.", "Would it make sense to tag wardens in all #\ud83d\udce2announcements posts? 
\nA: (No direct answer provided)", "JPYC Contest really don't have any high/med risk findings?\nA: The codebase is a relatively simple fork of a mature project, so I think it has already been very well reviewed.", "What is gas free node meaning? What backdoor was used in the ronin network hack? Are there any published technical reports?\nA: Most likely insider got access to server private key allow them to become validator of centralize network. [Link](https://rekt.news/ronin-rekt/)", "What\u2019s the criteria for archiving contest. I noticed some contest that just recently closed (2022) were archived in 2021. Was this intentional?\nA: We ran up against a Discord limit (there's a max number of channels you can put in a single category) so had to improvise a bit.", "Before the chat logs are exported might I suggest maybe archiving the contest in quarters (Q1-Q4 2022). It seems a category can only take in about 20 channels or so, and we\u2019re still expecting more contest for the year. So maybe we can just file it in quarters temporarily till the chats are exported. Another solution might be to create a second category for 2022 (2022-B)?\nA: (No direct answer provided)", "What\u2019s the criteria for archiving contest? I noticed some contest that just recently closed (2022) were archived in 2021. Was this intentional?\nA: Yes, this was due to a Discord limit (there's a max number of channels you can put in a single category), so improvisation was necessary.", "Before the chat logs are exported might I suggest maybe archiving the contest in quarters (Q1-Q4 2022). It seems a category can only take in about 20 channels or so, and we\u2019re still expecting more contest for the year. So maybe we can just file it in quarters temporarily till the chats are exported. Another solution might be to create a second category for 2022 (2022-B). 
Will these suggestions work?\nA: These are great ideas and have been implemented to make it easier to find the contest channels needed.", "Is there any reason not to release all the unverified submissions a few days after contest ends, before judging? One of the best things about this process is learning from what others found, and it\u2019d be great to do that while the protocol is still fresh on my mind.\nA: This is in the works. Several moving pieces are involved here. [Link to Forum](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123)", "Just to make it clear: are high risk findings still game if they are out of scope? Does it depend on the contest?\nA: Definitely depends on the contest and the judge. It is advised to make a case to the judge in your submission if you think the finding should be considered.", "Any useful resources/tips for a beginner? I would appreciate some direction if anyone is willing to give.\nA: Check out this post [Link to Post](https://cmichel.io/how-to-become-a-smart-contract-auditor/)", "Can't send a text on chat - any clue what's up?\nA: The main chat is locked to just contributors at the moment to reduce spam and off-topic stuff. To join as a warden, one can do that in a certain channel.", "I was curious to see if you and your team would like to have a quick chat about how Governor DAO Proof of Existence Token can solve your Sybil resistance issues you might have?\nA: [No Answer]", "Can't send a text on #\ud83d\ude03chat - any clue what's up?\nA: The main chat is locked to just contributors at the moment to reduce spam and offtopic stuff. If you\u2019d like to join as a warden, you can do that in #\ud83d\udc3ai-want-to-be-a-warden", "Any useful resources/tips for a beginner? 
I would appreciate some direction if anyone is willing to give.\nA: Check out this post on how to become a smart contract auditor: https://cmichel.io/how-to-become-a-smart-contract-auditor/", "I was curious to see if you and your team would like to have a quick chat about how Governor DAO Proof of Existence Token can solve your Sybil resistance issues you might have?\nA:", "Mmmhhh I can't prove that this is true anymore for keccak expressions on recent solidity versions: https://github.com/ethereum/solidity/issues/9232 . It's a gas optimization that's been existing for a while (and we can even see it on recently audited projects, like Axelar on solidity 0.8.9: // AUDIT: constants should be literal and their derivation should be in comments). When did this optimization become obsolete?\nA: This was fixed in 0.6.12. You can see the changelog here: https://github.com/ethereum/solidity/blob/develop/Changelog.md#0612-2020-07-22", "Hi everyone! I\u2019m Kathleen from IdleDAO (Idle.finance). Could someone please point me to a treasury manager?\nA: @\ud83e\udd96 eric (ninek) | C4 is probably the closest thing to that.", "Is the Total column on the Leaderboard the number of audits done by that particular person?\nA: Total number of valid findings of all severity levels.", "I see that High, Med, and Gas are titles. Is there any particular reason why Low is not there (seeing as you've got a Total column)?\nA: Low and non-critical issues are now grouped together as a single report by each warden.", "Would a typo be considered a valid qa report?\nA:", "Do y\u2019all wardens usually keep in mind the current state of the project when auditing? For example, I know there are a few rare contests with already deployed code. Does this make vulnerabilities pertaining to deployment or early actions like initializers out of scope?\nA:", "In the Scoping form, the question regarding an Oracle (does it use an oracle?) 
- could you please clarify what you mean here by an oracle as the answer impacts our answer, just want to be sure we're on the same page?\nA: The question originated from the need to understand whether and how external pricing data was entering the project, and whether or not that was by way of an existing, widely-used oracle or whether the project created their own custom oracle.", "Where can I find more details about how rewards are split for teams?\nA:", "Would a typo be considered a valid QA report?\nA: [No answer provided in the chat]", "Do auditors usually keep in mind the current state of the project when auditing? For example, are vulnerabilities pertaining to deployment or early actions like initializers out of scope for already deployed code?\nA: [No answer provided in the chat]", "In the Scoping form, what does the query about \"does it use an oracle?\" mean?\nA: The question is to understand whether and how external pricing data was entering the project, and whether or not that was by way of an existing, widely-used oracle or whether the project created their own custom oracle.", "Where can I find more details about how rewards are split for teams?\nA: An individual team determines how to split their portion of a pot amongst themselves. More information on awards in general can be found at https://docs.code4rena.com/incentive-model-and-awards.", "How much is allocated to the team? Is it 1 unit or each person is 1 unit? \nA: [No answer provided in the chat]", "For the case where there is a team, let's say of 2, and another individual that submit one finding. Is the reward broken up into 50/50 between the team and the individual or 33 33 33 for everyone?\nA: It is broken up into 50/50 between the team and the individual.", "Could it be possible to get an invite for the C4 dinner?\nA: The invite criteria was folks with high severity findings on the leaderboard in the past year who said they\u2019d be at devconnect. 
The space was limited.", "After a contest has been judged, where can we find the submissions? Or do we need to wait for the report?\nA: [No answer provided in the chat]", "Could it be possible to get an invite for the C4 dinner?\nA: There was limited space and the invite criteria was folks with high severity findings on the leaderboard in the past year who said they\u2019d be at devconnect. If you met that criteria and I didn\u2019t reach out, I\u2019m very sorry!", "After a contest has been judged, where can we find the submissions? Or do we have to wait for the report?\nA: Once the report is published, the findings repo is also made public so you can review submissions. In the near future, wardens will be able to apply for the certified warden role which will give access to findings shortly after contests end.", "For a report submission, in the Vulnerability details section, do I have to paste my report in .md format there?\nA: Yes, that's correct. Make sure you click the preview tab to make sure it looks how you want it.", "What does \"Contracts in scope\" mean? Does it mean we have to review only these files listed and ignore anything else?\nA: (No answer provided)", "How do I register as an auditor and start auditing?\nA: You can register as an auditor by following the instructions provided at https://docs.code4rena.com/roles/wardens. 
Alternatively, you can jump into the #\ud83d\udc3ai-want-to-be-a-warden channel where you can complete a registration form and then let us know so we can process it.", "After contest awards are announced, what\u2019s the estimated time before payouts are made?\nA: The goal is to get the payouts out between 1-2 weeks after the announcement.", "How many audit projects are there normally in a month?\nA: There are presently 2-5 audit projects per week, but with the addition of many great wardens, we are working hard on processes and tools to be able to add more contest bandwidth.", "After contest awards are announced, what\u2019s the estimated time before payouts are made?\nA: Our goal is to get them out between 1-2 weeks after the announcement.", "How many audit projects are there normally in one month?\nA: 2-5 per week is what we are presently running but we have added so many great wardens that we have been working hard on processes and tools to be able to add more contest bandwidth.", "Are LPT tokens still pending?\nA: No answer provided.", "How can I change my warden avatar and add a link in the C4 website after I have already registered?\nA: Look in the _data folder on the site repo and you can find the json file and make a PR.", "I would like to provide a listing proposal for ARENA project on one of the top ranking 40 exchanges, could you please direct me?\nA: No answer provided.", "Is there any link(s) for starting learning the smart contract auditing?\nA: Here is something to get you started: https://docs.code4rena.com/roles/wardens/tools-and-resources", "What should I do if my QA / Gas reports don't fit in the submit request? Should I split report by separate sends?\nA: No direct answer provided.", "I am afraid it will be missed because that email is getting huge amount of submissions.\nA: When submissions come in to that email address, our team gets a special alert. 
We'll also reach out to you to confirm we have received it and submitted it on your behalf.", "When I send it as an email, should I also submit a placeholder mentioning that I sent it as an email?\nA: Yes, mention that you have sent it as an email.", "Will my submission be missed if I send it through email due to the volume of submissions you receive?\nA: When submissions come in to our email address, our team gets a special alert. We'll also reach out to you to confirm we have received it and submitted it on your behalf.", "How can I ensure my submission sent via email doesn't get lost?\nA: When sending your submission as an email, you can also submit a placeholder in the system mentioning that you sent it via email.", "Is there a way to find the rewards address used to register as a warden if forgotten?\nA: If you look in the data folder of a recent contest\u2019s findings repo on GitHub, you\u2019ll see it there in the json file associated with your handle\u2019s submissions.", "Why are the checks for my PR failing?\nA: Checks don't run (fully) for external PRs. An internal branch will be set up for it. [Link](https://github.com/code-423n4/code423n4.com/pull/1584)", "Are there really two contests that go for 13 days (May 5 - May 18)?\nA: Yes, it's been a while since we\u2019ve had a two-week contest and we have two queued up for next week.", "The PR to create a team is not passing the checks, is there something wrong?\nA: No, it's fine -- we'll get the PR sorted out. [Link](https://github.com/code-423n4/code423n4.com/pull/1620)", "If the code is not yet complete but an audit needs to be secured, should the process to become a sponsor be started now or wait until the contracts are done?\nA: You could definitely start the process now to get it on the schedule and let us promote it a bit. 
The artists and contest admins especially appreciate it when we have a bit of time to prep.", "How often are the Code Arena repos ending in suffix -findings released to the public?\nA: No specific answer provided.", "Our code is not yet complete but we wanted to get our audit secured, should we wait until the contracts are done or should we start engaging in the process to become a sponsor now?\nA: You could definitely start the process now to get it on the schedule and let us promote it a bit. The artists and contest admins especially appreciate it when we have a bit of time to prep.", "I've been getting a lot of value reading through the Code Arena repos ending in suffix -findings. However, most of the repos are for contests that happened quite a while ago. I'm assuming most of these repos are private up until the point they are made public. How often are these repos released to the public?\nA: After judging is done and after sponsors have mitigated issues / cleared the reports for publication.", "Where could I look for teammates? Wasn't there a \"team building\" channel at some point? What happened to it?\nA: You can look for teammates at #\u26bdteam-formation.", "Do I need to register as a warden first?\nA: Yes, you might need to register as a warden first.", "When creating a new instance of something that is presumed to want to remain in the storage throughout the life of the program, should 'storage' be used or can 'memory' still be used? My understanding is that memory is temporary, but 'storage' is lasting.\nA: Storage can be read as a link to storage. You can assign a storage variable and change it to update storage value. Usually, it's used when you need to read a struct from storage, then calculate something with it and update to a new value. 
In this case, the storage directive saves a lot of gas.", "So if we wanted to create something new (lets say a new 'object' in oop) and store its details for the duration of the program (duration of the sc on the blockchain?), we should use 'storage', not 'memory'?\nA: Yes, if you need a temp variable which will not be saved to state - use memory.", "If you have a storage variable, can you access that variable within a function by using the memory command if you wanted to perform operations with the data, but not explicitly alter the data on a protocol level? (i.e., the data would not be stored because it is 'memory')\nA: If you just need to read a struct from storage and do some manipulations with it, using storage is preferable. But it is recommended to do tests to see which is better.", "Is it a possibility to change handles on the C4 website and here?\nA: Presently, it's still tricky to do so because the handle is the uuid for all findings etc. However, some changes are coming that will help make that a little more doable.", "If you have a storage variable, can you access that variable within a function using the memory command to perform operations with the data, but not alter the data on a protocol level? \nA: If you just need to read a struct from storage and do some manipulations with it, using storage is preferable. However, it's recommended to do tests to determine which option is better.", "Is it possible to change handles on the CodeArena website?\nA: Presently, it is tricky to do so because the handle is the unique identifier (UUID) for all findings etc. 
However, there are some changes coming that will make this more doable.", "If I have written a Proof of Concept (POC) script for a vulnerability, is there any preferred procedure to linking that script?\nA: Nothing fancy, you can just drop the link into the submission wherever it's relevant.", "Does this mean we can't report anything related to input checks from governance variables?\nA: You can't submit any assumptions like owner may be compromised/centralized etc. All the methods with the only owner / only governance modifiers are strictly coming through the trustworthy bodies.", "What is the prize pool for bunker.finance? According to the website it's $50k, but on the RSVP it's $30k.\nA: The scope ended up being slightly larger than originally anticipated, so it got increased to 5 days and $50k.", "Can I dm somebody about a potential vulnerability that I think I found in one of the contracts from the ongoing audit? I'm not sure if it is exploitable so I would like to verify.\nA: [No answer provided]", "In case there are lending pools anyone can create and be the owner, should this be reported?\nA: The vaults are meant to be used by individual users, but allows others to deposit for flexibility. Link: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/docs. If you see something and disagree with the sponsor on whether something should be in scope it\u2019s still worth saying something. It's up to the judge to decide.", "What is the prize pool for bunker.finance? According to the website it's $50k, but on #\u270brsvp it's $30k.\nA: The scope ended up being slightly larger than originally anticipated, so it got increased to 5 days and $50k. Apologies for any confusion!", "Can I dm somebody about a potential vulnerability that I think I found in one of the contracts from ongoing audit? 
I'm not sure if it is exploitable so I would like to verify.\nA: If you hop into the specific contest channel you should be able to see the handles of the folks from the project and be able to DM them.", "What will happen after I click \"CREATE ISSUE\" in \"SUBMIT FINDING\"? I don't see any places where I could attach my POC files, just handle, email address, polygon address, and risk rating.\nA: There aren't exactly attachments. Once you select a risk, you'll be able to enter text and in some cases line references about the issue. After you click \"CREATE ISSUE\", the form data gets turned into a submission that goes into the findings repo for the given contest, to be evaluated by judges after the contest ends.", "How can I create the the special font like the big title and so on when submitting a finding?\nA: The form accepts Markdown.", "If I'm not familiar with markdown, what resources can I use to learn?\nA: This site may be helpful: https://markdown-it.github.io/", "I submitted QA reports (low/non-critical) but I miss up one item, I submitted again with this item. Is that okay? Will you see the full report?\nA: To resolve this issue, please fill out our help form and provide a bit more info there, including the contest name. Then our team can look into it further for you. \nLink: https://code4rena.com/help", "Are web apps in the scope in the contests?\nA: Sponsors decide the scope for their contests and list it in their contest info on our website as well as in their contest repo. If you have specific questions about scope for a contest, it's best to connect with that sponsor via their contest channel or dm.", "Are web app in the scope in the contests?\nA: Sponsors decide the scope for their contests and list it in their contest info. 
If you have specific questions about the scope for a contest, you need to connect with that sponsor via their contest channel or dm.", "Is anyone aware of any creative ways a smart contract can refuse to receive future ER20 transfers?\nA: A smart contract does not know if someone sent ERC20 tokens to it. It may know, however, if ERC721 or ERC1155 was sent there because it has recipient contract call onReceive. The only thing you could do is to add emergency withdraw to get rid of tokens.", "How can I create a team?\nA: You can find some info about registering a team at https://docs.code4rena.com/roles/wardens#registering-a-team", "Who should I message if I want to ask code4rena a question about a just closed contest?\nA: You can ask your question at code4rena.com/help", "On 60-day leaderboard, some rewards seem not to be displayed. Shouldn't rewards take 60 days to disappear after adding them to the leaderboard?\nA: The leaderboard reflects the last 60 days of finalized rewards instead of when the work for the reward was actually done. There would be some weirdness from the different amount of time it takes for a finished contest to be judged and rewarded.", "What's the criterion that c4 follows in case of the same vulnerability reported by two or more wardens?\nA: The reward is split between them no matter who found the vulnerability first. See this link for the details: https://docs.code4rena.com/incentive-model-and-awards", "If there is an issue that repeats in multiple files, should I send each occurrence separately for med/high? Or list all occurrences by linking each place in one submission?\nA: [Answer not provided]", "What's the criterion that c4 follows in case of the same vulnerability reported by two or more wardens? 
For example, if wardenA and wardenB both report the same vulnerability, would both of them be considered or whoever was the first to submit gets the recognition + reward for that particular vulnerability?\nA: It's split between them no matter who found it first. See this link for the details: https://docs.code4rena.com/incentive-model-and-awards", "If there is an issue that repeats in multiple files, should I send each occurrence separately for med/high? Or list all occurrences by linking each place in one submission?\nA: If you're the only one that finds them, you'll get more money if you split. If you group, you're more likely to be marked as the primary finding, but get less money because pool is shared with people that only found some of the issues in your grouping. Refer to this link for more information: https://github.com/code-423n4/org/issues/8", "Do I have to combine similar issues?\nA: You don't have to, but most do. The issue thread is worth a read through. There is a lot of nuance involved.", "Can I send a short survey here regarding auditing research?\nA: No answer provided.", "How can I sign up for Code4rena?\nA: Please check in #\ud83d\udc3ai-want-to-be-a-warden.", "Where is the report for JPEG'd?\nA: It's not announced yet.", "When will the report for JPEG'd be announced?\nA: No answer provided.", "Could someone from the team accept my team pull request?\nA: Merged.", "When will the announcement be made?\nA: Not announced yet.", "Could someone from the team accept my team pull request?\nA: Merged.", "In #\u270brsvp channel, Cally bounty is 75k, in C4 it's 50k. Is this correct?\nA: Thanks! We've updated this, but I also added a note to the #rsvp channel description indicating that those details are subject to change. 
Probably better to rely on the info on the website, since those rsvp notices are posted when the contest is initially booked, and all of that info is subject to change.", "I am struggling to test the contract which is downloaded from GitHub with static and dynamic tools like mythril, slither etc. Please let me know any resources available for tools walkthrough especially for tool execution.\nA: No answer provided.", "On the 60-day leaderboard some rewards seem not to be displayed. Shouldn't rewards take 60 days to disappear after adding them to the leaderboard?\nA: Really great points in this discussion. The dev team has talked about changing from last n days to last n contests which will be more accurate. I'll make an issue for this so it isn't forgotten.", "I found that something I added as a remark in my QA report was regarded as a Medium Risk bug. Who should I talk to about this?\nA: Identifying inconsistencies for the purpose of improving process is part of what we use the 'issues' on the org repo for: https://github.com/code-423n4/org/issues", "I see that being a certified warden makes you eligible for a judge role. I assume this means not being certified makes you ineligible for being a judge which wasn\u2019t the case previously. Is that correct?\nA: Judges have generally been soft doxed or known to at least one party at c4, so they kind of were our old (non-scalable) version of being \u2018certified\u2019.", "So just for clarity, certification would be required?\nA: I expect it will be required at some point, but we are starting with just implementing the certified warden process.", "Does the rule that we should treat the contents of all findings as private and confidential until the contest report is made public mean that, if there's a very cool finding/new technique/new recommendation that can be relevant on other contests, we shouldn't use it as long as the report isn't public yet?\nA: No, I think new methods and learnings etc are totally game. 
This is really about respecting the fact that the sponsors\u2019 issues should remain under NDA until they choose to make them public.", "Are enums stored in storage or are they stored in the contract bytecode?\nA: No answer provided.", "Is certification required?\nA: Certification will likely be required at some point, but the current focus is on implementing the certified warden process.", "Does the confidentiality rule mean that if there's a new finding/technique/recommendation that can be relevant to other contests, we shouldn't use it until the report is made public?\nA: No, new methods and learnings are allowed. The rule is mainly to respect the fact that the sponsors\u2019 issues should remain under NDA until they choose to make them public.", "Are enums stored in storage or are they stored in the contract bytecode?\nA: Enums are a user-defined type in Solidity. They take up a byte and extra bytecode is added to ensure the size is right for casts. If you're storing an enum it'll take up part of a slot. If you're using it as a literal, it'll be the same as a uint8. Casts will add some overhead.", "Any news about the LPT reward?\nA: No answer provided.", "How do I register a group?\nA: There's information on registering a team in the documentation. Also, the #\u26bdteam-formation channel can be checked out. [Link to docs](https://docs.code4rena.com/roles/wardens#registering-a-team)", "Who should I contact for collaboration and investment issues?\nA: No answer provided.", "How can I check if I submitted my address for rewards?\nA: You can fill out the help form. [Link to help form](https://code4rena.com/help)", "I encountered a solidity issue where uint256 answer = uint8(195) * 86400; reverts with overflow. Does anyone know why?\nA: No answer provided.", "I submitted some issues on one of the audits and I am not sure if I submitted my address for rewards. How can I check it? \nA: If you fill out our help form, we're happy to take a look! 
https://code4rena.com/help", "Why does this solidity issue occur: \"uint256 answer = uint8(195) * 86400; it revert with overflow.\"? \nA: You have to cast all variables you multiply to uint256 to avoid overflow.", "How does solidity calculate when two different types interact with each other?\nA: Solidity calculates from left to right. However, the theory that swapping the order of variables resolves the overflow issue was proved wrong.", "Is uint8 * uint32 = uint24 in solidity?\nA: Unclear, there was a suggestion to try the latest version to see if the issue was fixed there.", "How to get more details on how functions like delegatecall work in solidity?\nA: The geth source code (https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302) can be helpful. A video (https://www.youtube.com/watch?v=bEUtGLnCCYM) walks you through eth_call.", "What is slowing down the judging of Sublime March 2022?\nA: Usually it isn\u2019t judging that\u2019s slow, but sponsor review. In March, a deposit was added to incentivize sponsors to complete their review in a timely manner. If the sponsors don\u2019t do their part, it makes the judging task much harder.", "How far in advance do contests get announced? Is the first one to find the vulnerabilities the only one to get the payout for that one? Is there any way to know which bugs have been found already?\nA: There is no difference in payout between the 1st to find and the 12th other than the overall value of the bug is reduced and split based on how many people find it. There is no way to know which bugs have been found already until the end.", "What's slowing down the judging of Sublime March 2022?\nA: The slow judging process is usually caused by sponsor review. Sponsors are incentivized to complete their review in a timely manner. 
If sponsors don't do their part, it makes the judging task much harder because the judge has to identify duplicates and kind of has to be a voice for the sponsors.", "How far in advance do contests get announced? Is it basically the first one to find the vulnerabilities gets the payout for that one? So if two people come across the same thing, the first person will be compensated? Is there any way to know which bugs have been found already (or gas optimizations in some cases), or does no one know until the end?\nA: There's no difference in payout between the 1st to find and the 12th other than the overall value of the bug is reduced and split based on how many people find it.", "If a warden is certified, will the Github or email appear in any public place?\nA: No, emails and GitHub usernames will not be listed anywhere by C4. However, certified wardens will be part of a permissions group/team on GitHub in order to give them access to private repos. Individual users can decide to make their membership on private teams public or not.", "I would like to know what severity to report for a certain issue. It is as far as I can see, not security impact, but protocol can work not as intended, which means users may pay more or less than what they are supposed to.\nA: You can refer to the estimating risk tldr in the Code4Rena documentation: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr", "Was there a vote for that? I'm not sure how the all-time legends will react: https://github.com/code-423n4/code423n4.com/pull/1850\nA: There wasn't a vote. The option to see all-time stats should still always be there.", "Can we use this channel as an everything security discussion channel? Or is it only Code4Rena related questions? \nA: (No answer given)", "Why does the function run to completion even after a selfdestruct call?\nA: After calling selfdestruct, the remaining lines aren't executed because they no longer exist. 
However, if the execution happens within delegatecall it does not stop execution and seems to run to completion.", "Can we use this channel as an everything security discussion channel? Or is it only Code4rena related questions?\nA:", "The function what below runs to completion. This is weird to me as I would expect checking the code size after a selfdestruct should return 0. Why does it run to completion?\nA: After calling selfdestruct, the remaining lines aren't executed because they no longer exist.", "Why does require(size>0) evaluates to true after selfdestruct?\nA: The description on evm.codes for the selfdestruct opcode says that \"The current account is registered to be destroyed, and will be at the end of the current transaction\". It can be verified that the return value will be 132. [evm.codes](https://www.evm.codes/#ff)", "When looking into the details of how functions like delegatecall work behind the scenes with storage (and other functions, just using this one as an example), are the solidity docs the best source? or would they ethereum yellow and the other papers do a better job at going into the details?\nA: For in-depth information on EVM, you can visit [noxx.substack](https://noxx.substack.com/p/evm-deep-dives-the-path-to-shadowy-a5f).", "You wrote: If you are partway through Provenance's certified warden process and have been lagging on completing it, do you recommend completing it?\nA: Yes, it is highly recommended to complete the process.", "What is the criteria to be accepted as a certified warden? 
\nA: The eligibility requirements can be found at [code4rena.com](https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor).", "Is there any way to find out if my past submission became a top-3 finish in either the QA or gas report for Code4rena's certified warden criteria?\nA:", "Can I reach out to learn more about the C4 project and discuss a potential partnership?\nA: Yes, you can direct message for further interactions.", "Is there any way to find out if my past submission became a top-3 finish in either the QA or gas report?\nA:", "I wanted to reach out to learn more about the project and discuss a potential partnership. Can I DM one of you?\nA: Yes, please reach out when you're ready.", "When I at some point expect to have at least 3 top3 reports, should I then ask one of you to check before applying, or will you just check as part of the application process?\nA: We'll check as part of the application process. And what we've been doing when people are close, but not quite eligible, is just pausing those applications and checking back a few weeks later.", "What channel can I post a doubt about topics that I'm studying?\nA: If it is related to evm security, you can post it in #\ud83c\udf33everything-evm.", "Does kyc equal to background check?\nA: Good question. 
In order to receive payment for specifically the OpenSea contest, you'll need to complete this form https://code4rena.com/certified-contributor-application and then go through the ID verification process run on C4's behalf by Provenance.", "How can we apply to become a certified warden?\nA: You can apply to become a certified warden by filling this form: https://code4rena.com/certified-contributor-application.", "How can we apply to become a certified warden?\nA: You can apply to become a certified warden through this link: https://code4rena.com/certified-contributor-application", "Who came up with the Opensea competition's terms, such as the scaling up of the pot based on the level of severity found?\nA: [No Answer]", "I have not received my rewards from the Sherlock contest, have they been paid out yet?\nA: We can direct message you to track down the issue.", "Why did the organization choose Provenance as a KYC provider?\nA: Provenance was recommended by our other cayman-based vendors.", "How long does the open sea contest last? \nA: It lasts through June 3.", "Which contest will be the first to include the certified warden perks? \nA: We are planning to phase in the certified+ post-contest \"triage swarm\" with progressively larger groups to figure out the process and create norms around it. The Opensea project has caused us to revisit some processes around this since we did not anticipate a public contest that was also KYC'd.", "If a submission we made was rejected, do we have any way to argue our case or find out why before the report is finalized and made public?\nA: [No Answer]", "What is this link about? 
https://www.certik.com/resources/blog/w6AxRmf6l2ow4zL884gr8-feg-token-flashloan-exploit-analysis\nA: [No Answer]", "If a submission we made was rejected do we have any way to argue our case or find out why before the report is finalized and made public?\nA:", "Is there a good tool to debug hardhat tests / introspect contract execution at the EVM opcode level?\nA:", "About this bounty, what are the detailed prizes for severities?\nA: Standard model. The full pool will be paid out. See mechanism in the docs.", "If my team has encountered 1 high severity bug, does that automatically make me eligible for the certification?\nA: If you've also competed in at least 3 contests, yes.", "Do current certified wardens get immediate access to findings repo or is that for certified + ?\nA: That is for Certified+, and in fact has not yet been rolled out to anyone. It's going to be a process so that we can beta-test it.", "What's an example of a highly used token that doesn't revert on failure and just returns false ? Is this a real thing?\nA: ZRX.", "If my team has encountered 1 high severity bug, does that automatically make me eligible for the certification?\nA: If you've also competed in at least 3 contests, yes.", "Do current certified wardens get immediate access to findings repo or is that for certified + ?\nA: That is for Certified+, and in fact has not yet been rolled out to anyone. It's going to be a process so that we can beta-test it.", "What's an example of a highly used token that doesn't revert on failure and just returns false?\nA: ZRX. This repo might be helpful: https://github.com/d-xo/weird-erc20#no-revert-on-failure", "Is there a good tool to debug hardhat tests / introspect contract execution at the EVM opcode level?\nA: Foundry debug kind of does that.", "What tool do you use to do gas estimation in Truffle with VScode?\nA:", "I am doing Ethernaut CTF. I need your help to understand how it worked. 
I am playing fallout level and here, I was called the fal1out function from the hacker account to change the contract owner. How to identify the default function argument ( from argument ) even though the contract does not have an argument.\nA: There's a difference between the calling convention you use in a web3 console and what is actually called on the contract in the EVM. Whatever you put in from: causes msg.sender (inside the Solidity contract) to be .", "Do the arguments value automatically get assigned if it's a special variable like msg.sender, msg.value, etc.?\nA: There are default values for a lot of things, yes.", "The gas optimizations doesn't appear in the final report now?\nA:", "Do the gas optimizations appear in the final report now?\nA: No, there wasn't a gas pool for that particular contest.", "How do you edit your warden profile to add a profile picture and a Twitter handle for example?\nA: You can make a help desk request on https://code4rena.com/help and we will reach out when we're back online.", "Are there any updates regarding the Enso contest? When can we expect results?\nA:", "Is there any link to information on teams on Code4rena? 
What is the advantage of forming teams, how the dollars are split, do the reports get submitted by the team instead of team members etc.?\nA:", "Are there news about the LPT Livepeer reward?\nA:", "Are we going to have more contests like the $1M opensea contest (high prize contests)?\nA:", "Do we have to submit Proof of Concept (PoC) while submitting an issue for any contest or we can just explain it while submitting?\nA: Without a proof of concept and a case made for how an item can be exploited, there is a higher likelihood of the issue being marked invalid.", "Has the ChainSafe contest starting date been moved for 6 days?\nA: Yes, the date did move back.", "Is there any news about the LPT Livepeer reward?\nA: An update on the LPT and INS awards will be provided within the week.", "Has the ChainSafe contest been delayed?\nA: This question was not directly answered in the chat.", "Where is the awesome-nonsense channel?\nA: The awesome-nonsense channel is now referred to as #\ud83c\udf00awesome-nonsense.", "Other than the obvious security reasons, what is the purpose of being a certified warden? \nA: Further information about the certified process can be found at https://docs.code4rena.com/roles/wardens/certified-wardens#certified+-contributors.", "Has the name of the 'awesome-nonsense' channel been changed to 'random'?\nA: No, the channel name was reverted back to 'awesome-nonsense'.", "Can someone please tell me other than the obvious security reasons what is the purpose of being a certified warden? 
\nA: Here is some more information about the certified process [https://docs.code4rena.com/roles/wardens/certified-wardens#certified+-contributors]", "Is there any plans to enable same handle using different wallets in a single contest?\nA: We're amidst taking the first steps in that direction in rolling out wallet auth, but it'll be a bit longer before we'll be there all the way around.", "Is my handle okay?\nA: Yes, your handle is great.", "Is it possible to update Wallet address used in a finding after submitting the finding and before reward payout?\nA: Yes, just submit a request through our Help Desk: [https://code4rena.com/help]", "What does \"QA/gas issue optimizations are finalized\" mean?\nA: The phrase is considered vague without context.", "What should I do if I'm part of a team but not all the members are certified? Can I submit my Seaport findings with the team handle?\nA: All members need to be certified in order to receive funds from OpenSea. This is us following anti-money laundering laws OpenSea is bound by, and it isn\u2019t something we can flex on, as much as we would want to do things differently.", "What does \"QA/gas issue optimizations are finalized\" mean?\nA: [No answer provided]", "Is it possible to update Wallet address used in a finding after submitting the finding and before reward payout?\nA: Yes, just submit a request through our Help Desk: https://code4rena.com/help", "What should I do if I'm part of a team but not all the members are certified? Can I submit my Seaport findings with the team handle?\nA: All members need to be certified in order to receive funds from OpenSea. 
This is us following anti-money laundering laws OpenSea is bound by, and it isn\u2019t something we can flex on, as much as we would want to do things differently.", "Can we talk about bugs & exploits after submissions for a contest is closed?\nA: You have to wait until reports are out.", "Does the restriction on discussing bugs and exploits after a contest includes private discussions as well?\nA: Private conversations solely among wardens who have agreed to the certified contributor agreement would be under that agreement\u2019s NDA so that would be ok.", "Are Certified Contributors and Wardens able to view submitted issues right after contest close and/or comment/give input on the submitted issues during judging?\nA: We are phasing that in, working on developing process around it and adding more people as we feel like the process makes sense and can support a broader number of people. A set of top contributors are getting first crack at that right now and it will soon be opening to more.", "What is the new qualifications section in the warden registration page?\nA: This is due to the amount of new warden registrations after the OpenSea contest announcement. As far as I know it will go back to normal after the contest ends.", "I got my KYC approved. Anything else I should do?\nA: [No answer provided]", "I have seen the KYC thing about wardens. I am a warden since before that form was required (only by asking for the warden role). Do I need to do something else? \nA: [No answer provided]", "What is the new qualifications section in the warden registration page?\nA: As the user understands it, this is due to the amount of new warden registrations after the OpenSea contest announcement. It should go back to normal after the contest ends.", "I got my KYC approved. Anything else I should do?\nA: [No answer provided in chat]", "I am a warden since before that form was required (only by asking for the warden role). 
Do I need to do something else?\nA: Your warden registration / handle is still valid, but if you want to become a Certified warden, you'll need to apply and be KYC'd. Certified Warden application can be done here: https://code4rena.com/certified-contributor-application/.", "So... No contests for 3 days?\nA: [No direct answer provided in chat]", "What to do now? Can sponsors do something?\nA: [No direct answer provided in chat]", "Can anyone from the C4 staff confirm if the qualifications section in the warden registration page will go back to normal after the contest ends?\nA: There will likely remain an application process of some kind.", "Does anyone have links to exploits or post mortems where an external call is made to a token with too many or too few decimals?\nA: [No answer provided in chat]", "What if told you that if you do physical exercise then you're able do more auditing?\nA:", "So... No contests for 3 days?\nA: Opensea and many parallel contests stun wardens. Need sometime to rest.", "Does anyone have links to exploits or post mortems where an external call is made to a token with too many or too few decimals?\nA: I may be misremembering, but I think once someone implemented a curve-like pool using usdc + something else, only that their decimals were different and the pool was coded to trade 1:1, so yeah xD kind of similar.", "Anyone has a link to that repo where the guy implements pocs for hacks or would-be hacks?\nA: There are a few here https://github.com/Crypto-Virus?tab=repositories.", "Is there any automated tool which could tell if the contract is initialized ( initialize function has been called) on ethereum mainnet (by looking into transactions, including internal transactions). Mainly given a contract, it can get its proxy contract using internal transactions and then check initialize has been called on proxy or not?\nA:", "I went through certification for OpenSea. 
What should I do (if anything) to request Certified+?\nA: This works.", "Thanks! Wanted to ask here in case there's an official answer.\nA: Yeah, we should probably have a process for this eventually!", "What benefits a warden got after get the + certification?\nA: You get to see other submissions immediately after contests end. Should speed up the rate at which wardens can learn.", "What about the Canto audit mentioned in #\u270brsvp which is supposed to start today? Is it delayed?\nA: Canto is starting on Friday - yes it got pushed back a couple days.", "I don't actually know much about the $ARENA token. Can someone tell me a bit more about it?\nA: https://discord.com/channels/810916927919620096/810916927919620099/965928519144194059.", "What about the Canto audit mentioned in #\u270brsvp which is supposed to start today? Is it delayed?\nA: Canto is starting on Friday - yes it got pushed back a couple days.", "Can someone tell me a bit more about the $ARENA token?\nA: The $ARENA token is a minimum-viable-governance token with sovereignty over the DAO treasury, etc. You can read the DAO constitution here: https://github.com/code-423n4/org/blob/main/CONSTITUTION.md", "I am looking to join a team, how do I get started?\nA:", "Is it possible to review the issues before the report? I would like to review the abra nft one.\nA:", "I have recently submitted a finding and haven't received the confirmation email. Is this common?\nA: You should get the confirmation each time but if you want, we can dm so I can confirm that the finding shows for you.", "Can the community call be recorded for those not able to join live?\nA: Yes, it's possible, though guidance on how to do it would be helpful. A suggested guide is available here: https://www.howtogeek.com/677198/how-to-record-discord-audio/.", "What's the submission procedure for a report exceeding the number of characters allowed in the submission form?\nA: You can use a placeholder and email. 
More details are available here: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form", "I filed a bug report in c4 before, but I forgot the wallet address to receive the bounty, can anyone provide me with it?\nA:", "Did you receive an email when you submitted your report?\nA:", "What's the submission procedure for a report exceeding the number of characters allowed in the submission form?\nA: Use a placeholder and email. More information can be found here: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form", "I filed a bug report in c4 before, but I forgot the wallet address to receive the bounty, can anyone provide me with it?\nA:", "Did you receive an email when you submitted your report?\nA: No, I did not receive this email, when did it start please?", "When did you submit your finding?\nA: I remember correctly the 8th of April.", "Aren't you a C4 employee?\nA: Nah, just another warden.", "I need the wallet address to get the corresponding private key, how do I get that?\nA:", "How do you get a private key from a public key?\nA: It's just basic cryptography. If you could get a private key from a public key then all of asymmetric cryptography would be broken.", "What was your method of quickly locating these two transactions?\nA:", "What was your method of quickly locating these transactions?\nA: It's all public information. I just worked backwards from past payments that had been made to me.", "Is the payment address of C4 fixed?\nA: Looks like they've been using the same one for a while. It's a multisig. 
It would remain the same unless there are troubles in accounting.", "On which channel can this message be seen?\nA: #\ud83d\udce2announcements is where all contest results are made.", "Will the issues I found conflict with the issue found by others?\nA: Order of submitting issues doesn't matter. However, the more wardens find the same issue, the less money each warden receives for this issue. Details are here: https://docs.code4rena.com/incentive-model-and-awards", "Is it possible to see the biconomy issues now?\nA: You'll be able to see them once the report goes live. We will be starting on that soon.", "Does the order of submitting issues matter?\nA: No, the order of submitting issues doesn't matter. However, the more wardens find the same issue, the less money each warden receives for this issue. Details can be found at: https://docs.code4rena.com/incentive-model-and-awards", "Is it possible to see the biconomy issues now?\nA: You'll be able to see them once the report goes live. The report creation will be starting soon.", "Are the Biconomy rewards already been sent or do we need to wait?\nA: The Biconomy rewards usually take 1-2 weeks to be sent after announcement.", "After submitting, do we also need to wait for the report to go live to read the issues found?\nA: Yes, you need to wait for the report to go live to read the issues found.", "How can I get help with risk estimation for a hypothetical case?\nA: You can direct message a team member for help with risk estimation.", "Is there a template README for projects to follow? \nA: This question was asked but not answered in the chat.", "How do I submit a Proof of Concept (POC)? Do I create a public github repo for that?\nA: You can provide a diff of an existing sponsor-supplied test/contract or create a private gist and link to it.", "Won't the exploit be made public if I submit a POC?\nA: A diff is a line-by-line difference between two text files. 
Only the lines that are different are shown, therefore it should be small enough to include in your report submission. Alternatively you could create a private gist and link to it.", "I've got a typo on a report. How can it be corrected?\nA: Unless the typo drastically changes the meaning of your finding, it's advisable to leave it. Otherwise, you can file a help ticket.", "My concern is that the exploit will be made public. How can I share it in the report?\nA: A diff is a line-by-line difference between two text files. Only the lines that are different are shown, therefore it should be small enough to include in your report submission. Alternatively you could create a private gist https://gist.github.com/ and link to it.", "I've got a typo on a report. How can it be corrected?\nA: Unless it drastically changes the meaning of your finding, it's recommended to leave it. Otherwise you can file a help ticket.", "Is there a template README for projects to follow?\nA: Yes, we provide sponsors with a set of example READMEs to work from, as well as a checklist of items to include.", "If a contract imports a library, say ERC20.sol from \"@openzeppelin\", would the library version always match with the current contract or is the most up to date one always used?\nA: It depends on the version specified in the packages.json file.", "What's the sense of announcing the awards and not sending the funds at the same time?\nA: Rewards must be manually sent out. It makes sense to batch these by sending out rewards for a few contests at a time.", "How can I apply to certified+ after a high finding?\nA: Just drop us a line via the help desk form. 
We'll respond as soon as possible.", "Can I change my Twitter username?\nA: You can do a help desk request and we can update when we're back in the office.", "I need a detailed documentation of the Infinity NFT Marketplace system parameters.\nA: Please read through the README file in the contest repo: https://github.com/code-423n4/2022-06-infinity#readme. If you have further questions, the place to ask is in #deleted-channel .", "Are the rewards sent to Polygon address or ETH?\nA: Rewards are sent to the Polygon address.", "Can I change my twitter username?\nA: You can do a help desk request and we can update when we're back in the office.", "How can I apply to certified+ after a high finding? (Already kyc'd)\nA: Just drop us a line via the help desk form (in channel description). We'll respond ASAP, likely Tuesday after the US holiday weekend.", "I need a detailed documentation of the Infinity NFT Marketplace system parameters.\nA: Please read through the README file in the contest repo: https://github.com/code-423n4/2022-06-infinity#readme. And if you have further questions, the place to ask is in #deleted-channel.", "Are the rewards sent to polygon address or eth?\nA: Polygon.", "I have multiple QA findings for varying issues. Do I submit one large QA report or do I submit separate QA reports for each category?\nA: Submit one QA Report per Contest, ideally group all issues and make sure formatting is easy as sponsor and judges see 50+ of those for each contest. Do separate the Gas from the QA report. 1 Report for Gas, 1 Report for QA.", "When would the cally findings repo be made public?\nA: No answer provided in the chat.", "How can I format code in a submit issue form?\nA: It's called Markdown. 
Specifically for code, surround it with ` to have a code section midline, or surround it with 3 times that character to have a proper dedicated code block.", "How long does it typically take for reports to be compiled after an audit gets paid out?\nA: Usually a few weeks.", "Are the rewards paid out in matic?\nA: No, rewards are paid out in USDC but over Polygon.", "How long does it typically take for reports to be compiled after an audit gets paid out?\nA: It usually takes a few weeks.", "Are the rewards paid out in matic?\nA: No, rewards are paid out in USDC but over Polygon.", "Is there a place where I can see scoring breakdowns for past contests?\nA: You can see scoring breakdowns for past contests in the #\ud83d\udce2announcements, or each contest page in the CodeArena website, or https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv", "Do you plan to make a bug bounty about web?\nA:", "If you get an award for a submission report, do you need to withdraw it somewhere? I'm not sure if I'm supposed to have received mine already.\nA: You need to wait for the payout.", "Will it be cheaper to copy an array to memory before to spend less gas like this?\nA: No, it will not be cheaper. Imagine the array being of size 10... you're reading 10 times from storage to copy 10 times into memory, then reading your 3 times from memory. The first code just requires 3 storage readings.", "I'm trying to register a team but no one has looked at the PR yet. We want to submit our findings as a team so if anyone can help?\nA:", "What does'? ' and : on third line means?\nA: That's a ternary-operator for if-then-else.", "I'm trying to register a team but no one has looked at the PR yet. We want to submit our findings as a team so if anyone can help, we'd appreciate it.\nA:", "What does'? ' and : on third line means?\nA: That's a ternary-operator for if-then-else.", "Can you please explain the following function?\nA: For statement uint256 x = a > b ? 
a : b; you would find that x was always the maximum of a and b.", "What are the advantages of forming teams? I read in the docs that it's incentivized but how exactly? Doing some basic calculations with the scoring formula, being solo seems to make more sense if it's expected that 2+ other people will also find your vulnerabilities.\nA: When separate people find an issue, the reward is reduced semi-geometrically based on the number of people. With a team, the reward is split evenly between the members.", "Even with the reduction it looks like it's only worth being in a team if your team members find the issue and you only split the reward across team members who actually also found the reward. As soon as you have an outsider finding the same issue you receive more shares being on your own, right?\nA: Some people play different roles on teams. Sometimes something that appears to be a low severity issue is actually a medium or high but some are better at identifying and theorizing attack paths than others\u2014and that does matter; it\u2019s not enough to say \u201cthis is wrong\u201d since the risk of the bug is heavily influenced by what one can do with it.", "Suppose 10 people found a gas optimization. out of these 10, 3(including you) are from the same team. so how does reward get split then?\nA: Teams are treated on C4\u2019s end as just another warden. 
If your question had been about a medium/high finding, you'd just plug in your numbers in the formula here, considering a team as a single finding of the findingCount https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs", "What are the options for regular website and other infrastructure pentesting audit in the crypto space?\nA: We could probably add that to C4.", "It looks like the leaderboard doesn't reflect FactoryDAO, although findings.csv has already been updated, is this normal?\nA:", "What are the options for regular website and other infrastructure pentesting audit in the crypto space?\nA: We could probably add that to C4.", "Can I give you an example and may be you can clarify for me. Suppose 10 people found a gas optimization. Out of these 10, 3(including you) are from the same team. So how does reward get split then?\nA: If your question had been about a medium/high finding, you'd just plug in your numbers in the formula here, considering a team as a single finding of the findingCount. [Link to the document](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs)", "It looks like the leaderboard doesn't reflect FactoryDAO, although findings.csv has already been updated, is this normal?\nA: [No answer provided]", "How do you write your QA/gas reports, what tool do you use for formatting or do you write straight into the submission form?\nA: I wrote straight in the submission form.", "But do you use some formatting like \\nHeadline\\nProof of concept\\nImpact\\nHow to fix\\netc?\nA: I just wrote what could get improved in general and then the GitHub link.", "Do you usually use something like Markdown or hackmd or whatever to make your report look better for the judges/project?\nA: There's a similar question in the wardens channel. 
Have a look through recent reports and you'll see some emergent best practices.", "As a warden when will I be able to see other findings submitted by other wardens after the end of a contest?\nA: Findings reports are made public when the final contest report has been published. But you can apply to be a Certified+ warden. All certified+ wardens get to see the findings repo as soon as the contest is finished", "Is it just me or submitting findings through firefox doesn't work? I get an error about my permalink not having a line number at the end.\nA: I did few submissions last days through Firefox, no problems.", "Should I double-check if they were properly submitted after seeing an error flashing on my Firefox after submitting, but the submission worked nonetheless?\nA: [No answer provided]", "Is there an issue with the regex they're using to validate these, as I'm getting a similar error on Chrome as well, but the submission goes through anyway?\nA: Yes, it happens to me too sometimes. I think it usually happens after I've clicked the \"submit another\" button.", "Is there a known issue with submitting findings through Firefox?\nA: Some users reported issues, but others did not experience any problems.", "Should I double check if my submissions were properly submitted if I saw an error message flash after submitting on Firefox?\nA: Leaving the answer blank, as there is no direct response to this question.", "Do you also experience an error message flash after submitting findings on Chrome but the submission goes through anyway?\nA: Yes, some users also experience this. 
It is suspected that this issue is more noticeable on slow internet connections.", "What could be the cause of this error message on submission?\nA: It is suspected that there is an issue with the regex used to validate the submissions.", "I have made an edit to the source code to potentially fix this issue, can someone review and approve this?\nA: The CodeArena staff is out, but it can be merged if other users review and approve it. [https://github.com/code-423n4/code423n4.com/pull/2338]", "When is a griefing/DoS attack considered for a High risk vulnerability?\nA: Leaving the answer blank, as there is no direct response to this question.", "What is the timeline for judging and payout announcement after the contest ends?\nA: The process is documented at [https://docs.code4rena.com/structure/our-process]. However, the timeline may vary due to system load.", "Are gas optimizations that are only valid when the optimizer is disabled considered valid findings?\nA: Some users have stopped reporting these due to inconsistent decisions by judges, while others continue to report them.", "How should I handle any gas improvements I flagged that are no longer valid?\nA: If any flagged gas improvements are found to be no longer valid, users are recommended to either stop flagging them or better qualify them in future reports.", "What should I do if some of my valid gas improvements are marked as invalid?\nA: It is suggested to include a Proof of Concept (POC) in the next contest that includes the finding.", "Do you mind if I DM you for a quick question? If DMs are closed for you, no worries!\nA: Added you as a friend", "Are the applicants for the mentorship initiative going to receive a reply even if they don't get accepted or only accepted parties will be contacted?\nA: This isn\u2019t a mentorship opportunity, it\u2019s merely a working group to provide input on how we might create such an initiative. 
I have not reached out to folks yet on this and it will likely be a bit longer before the group forms.", "However, I am still not sure if you answered the initial question if all applicants will be contacted or only the ones that are accepted as part of the working group (when the time comes)\nA: Oh yeah, will do", "How can we check for account existence before calling .call() on it?\nA: If you mean to not address(0).call{value: msg.value}() if (account == address(0)) revert AccountInvalid(account); account.call{value: msg.value}(); If you have another idea of existence, use the same methodology with any account verification check. Alternatively, you could use this: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/e8c60f92e3307036fd266a3272d7131e096aff0b/contracts/utils/Address.sol#L41. Or you'd have something like this: require(0 != address(myAddr).code.length)", "I think I qualified for Certified+. But where is the google form submission go? Only see the kyc form on main docs\nA: Can you submit a help desk request and we can look into it for you? https://code4rena.com/help/", "I almost never see this check, this can be a medium issue? \nA: If the address is user-supplied, and funds are being transferred, then it's possible, yes", "Are there any other websites like code4arena to get rewarded for auditing smart contracts?\nA: Not answered.", "I think I qualified for Certified+. But where is the google form submission go? Only see the kyc form on main docs.\nA: Can you submit a help desk request and we can look into it for you? 
https://code4rena.com/help/", "In coding, is the requirement check \"require(0 != address(myAddr).code.length)\" potentially a medium issue if overlooked?\nA: If the address is user-supplied, and funds are being transferred, then it's possible, yes.", "Are there any other websites like code4arena to get rewarded for auditing smart contracts?\nA: The most similar that I'm aware of are https://immunefi.com/ (bug bounties), https://spearbit.com/ (freelancing), https://hats.finance/ (bug bounties but decentralized), and Sherlock is also an option.", "Is Sherlock mostly for people who are very very good at auditing? I see only few names under Watsons.\nA: You'd need to be fairly competent to use Sherlock.", "Is it better to clean the findings csv file from empty lines (not rewarded)?\nA: [No answer provided]", "With the wallet auth, does that mean I have to connect my ledger every time I want to submit findings? Can I change my address?\nA: No, you just need to connect your wallet when you sign in - not every time you submit findings.", "How will the wallet work with teams?\nA: Once an individual has connected their wallet, they can submit findings as themselves or as their team.", "I added my wallet from Payeer wallet, are there any issues with it?\nA: [No answer provided]", "With the new registration process, when I try to re-register with existing warden handle, I cannot find it in the username list.\nA: Try connecting your wallet from the dropdown on the top right of the page (it won't be visible on the registration page). 
If you've submitted findings before, you should be redirected to a confirmation page instead of the registration page when you connect your wallet.", "With the wallet auth, does that mean I have to connect my ledger every time I want to submit findings?\nA: Nope, you just need to connect your wallet when you sign in - not every time you submit findings.", "How will the wallet with work with teams?\nA: Once an individual has connected their wallet, they can submit findings as themselves or as their team.", "With the new registration process, when I try to re-register with existing warden handle, I cannot find it in the username list.\nA: Try connecting your wallet from the dropdown on the top right of the page; it won't be visible on the registration page. If you've submitted findings before, you should be redirected to a confirmation page instead of the registration page when you connect your wallet.", "I've connected my wallet but I can't find my username.\nA: This issue will be investigated.", "I have added my wallet from Payeer wallet, are there any issues with it?\nA: If it's supported by WalletConnect, then it should be fine.", "I don\u2019t know if my wallet is supported by WalletConnect.\nA: You can check if your wallet is supported by visiting https://walletconnect.com/registry?type=wallet.", "How long does it take to validate the account?\nA: The account validation process has been completed.", "I was able to connect but now when I submit it says your wallet is under review, does that mean I cannot submit findings?\nA: Not answered.", "What does Sloc mean? Example from https://code4rena.com/contests/2022-06-new-blockchain-v2-contest where this is mentioned GovernorBravoDelegate.sol (148 sloc).\nA: Sloc stands for Source Lines of Code. It is the count of lines of code minus the number of lines that are comments.", "What does it take to become certified+? 
And generally speaking - why are the findings repos held private until the final report is available?\nA: Not answered.", "I was able to connect but now when I submit it says your wallet is under review. Does that mean I cannot submit findings?\nA:", "What does Sloc mean? See example in : https://code4rena.com/contests/2022-06-new-blockchain-v2-contest Where this is mentioned GovernorBravoDelegate.sol (148 sloc):\nA: Sloc stands for Source Lines of Code. It is the number of Lines of Code minus the number of lines that are comments.", "What does it take to become certified+? And generally speaking - why are the findings repos held private till the final report is available? Learning from others findings can help a lot, and it's better to see those findings as close to the contest as possible, after a month I'd probably forget what the project is even about.\nA: The reason the findings are kept secret is that sponsors need time to act on the feedback they've been given and they don't want the findings made public in the meantime. Information about Certified+ can be found here: https://docs.code4rena.com/roles/wardens/certified-wardens#certified+-contributors", "If I find a gas optimization finding, that can be applied in more than one line of code, should I submit one finding and mention all lines where this can be applied? Or submit a gas finding for each?\nA: For each contest, you should submit one Report with all the gas findings. Top reports will list each instance of the findings, while avoiding making the report needlessly long.", "Is there any chance to make it a bit earlier? 
according to the docs the sponsor's feedback takes 14 days on average, is there any chance to open the repo after that instead of waiting for the full report?\nA: They're working on stream-lining the process but ultimately it's up to the sponsor as far as I can tell.", "Does Slither really work?\nA: I haven't had much luck with Slither as a bug finding tool yet, but something most people don't know is that you can write your own custom checks for it. I might give that a go at some point.", "Any smart contract auditors? I need some career advice.\nA: Ask your questions and I'm sure you'll get some responses. My story: I had a lot of programming experience but I'd never audited before. I've been doing this 3 months and I'm learning a lot. I have made some money so far but not as much as I would have in my old job. Still, it's pretty close, so I'm happy about that.", "Do you have a team?\nA: No, I work solo.", "Any smart contract auditors? I need some career advice.\nA: Ask your questions and I'm sure you'll get some responses. My story: I had a lot of programming experience but I'd never audited before. I've been doing this 3 months and I'm learning a lot. I have made some money so far but not as much as I would have in my old job. Still, it's pretty close, so I'm happy about that.", "Do you have a team?\nA: Nah, just solo.", "Do you like to work solo or looking for a team?\nA: I've considered looking for a team but I'm looking for someone in my time zone (Australia) and someone a lot more experienced than I am.", "Can C4 team find a way to edit the submitted findings?\nA: Yes.", "What is difference between certified warden and certified plus?\nA: Certified Plus has some entry requirements but also gets access to private repos after contest is finished. You can see what everyone else submitted and learn more quickly.", "How? 
Can the original author do this?\nA: In the past someone raised the idea of having the ability to respond to the submission confirmation mail, and the reply would get added as a comment to the github issue.", "I think edit feature will be really helpful and unburden the C4 team from handling tickets.\nA: We'll get there, but we have a few more pressing priorities to tend to first.", "The email is not connected to github.\nA: Doesn't seem very complicated to me to create a program that will do it.", "Is there any news regarding LPT or Insure rewards?\nA: [No answer provided]", "How does indexing impact Event fields in Smart Contracts?\nA: Indexing makes parsing easier for off-chain tools, at the expense of gas during emission. More information can be found at: https://docs.soliditylang.org/en/v0.8.14/abi-spec.html?highlight=indexed#events", "Is it easier or better to leave direct links to the code (via GitHub) or to reference specific lines in a file like Delegate.sol (line52)?\nA: [No definitive answer provided, depends on reader preference]", "Why do I need to sign in with Metamask to submit a report, when I didn't need to before?\nA: This is now required. More information can be found at: https://discord.com/channels/810916927919620096/810929015509483554/991410741678719278", "Why is there a discrepancy in the announced sum for the Forgotten Runes PR lines and my computed sum?\nA: For the Forgotten Runes, the judge participated in the contest. While they will forfeit their winnings, they'll still get credit for their findings on the leaderboard. This can cause a difference in amounts between what is awarded versus what is on the leaderboard. 
For more information, check Ellie's Math Geekery thread: https://discord.com/channels/810916927919620096/957048606962106408/957049602291413022", "Where should I make my comments regarding warden auth?\nA: Comments regarding warden auth should be made in the #auth-help channel.", "Can anyone explain how tokens received by the contract can be less than the amount in a specific report?\nA: [No answer provided]", "Why is there a difference in the announced award amount and the sum of my findings in the Forgotten Runes PR?\nA: The judge participated in the Forgotten Runes contest. While they will forfeit their winnings, they'll still get credit for their findings on the leaderboard. This will cause a difference in amounts between what is awarded versus what is on the leaderboard. [Link](https://discord.com/channels/810916927919620096/957048606962106408/957049602291413022)", "Can anyone please explain how does tokens received by the contract will be less than the amount in the report?\nA: Fee-on-transfer tokens remove a small fee from every transfer. So if you transfer, say, 200 tokens, perhaps 2% (or 4 tokens) will be sent to the token contract owners and only 196 will reach their destination. [Link](https://github.com/code-423n4/2022-04-axelar-findings/issues/5)", "Is fee-on-transfer applicable on all types of tokens?\nA: No, only some tokens are fee-on-transfer.", "How is the access to the state variable of a different contract made?\nA: If contractB is a different contract, you need to call the specific instance of contractB you want to query, like contractB(contractBaddress).stateA().", "Why does assert() not refund gas for the transaction?\nA: As of 0.8.0, assert no longer consumes all gas. The remaining gas should be refunded if the assert fails.", "If I submit incorrect finding, and judge reads my submission and thinks, that this is false. Will I get any feedback? 
or it will be silently discarded.\nA: (No answer provided in the chat)", "Why does assert() not refund gas for the transaction?\nA: As of 0.8.0, assert no longer consumes all gas so yes, the remaining gas should be refunded if the assert fails.", "If I submit incorrect finding, and judge reads my submission and thinks, that this is false. Will I get any feedback? or it will be silently discarded.\nA: Speaking as a judge, I'll typically write an explanation as to why I marked the finding invalid, so you can go back in the contest repo when it's made public and should have feedback.", "Can anyone please say where can I see all the cool stuff what is visible only for Certified+? Can I see it also for contests before I was approved?\nA: Hi, I see you got your first High, congrats! I'll get you set up. I also sent you a friend request so I can DM you a quick note.", "What happens if someone submits a vulnerability, but it turns out to be a mistake by the warden's part? Is there a downgrade?\nA: I haven't ever seen a penalty applied. However, it's important to submit findings in good faith and I wouldn't be surprised if rules came in if the false submission rate went up (and clearly indicated people were trying to game the system).", "I accidentally submitted all my findings to the wrong contest . What should I do?\nA: 1. Submit them again to the correct contest\n2. Fill out this form to let the C4 staff know about the incorrect submissions. https://code4rena.com/help/", "Obsolete code is QA issue, right? So you include it to qa AND gas optimizations. Because each action costs gas.\nA:", "Any update with LPT and Insure payments? several months have passed\nA: Thanks for the ping, going to try to get those out this week", "Is there any way to track our past reports, with the status of this report ? Or should we keep track of it personally for reference and will find everything at the end ?\nA:", "Is there a way to double-check the receival of an issue? 
My adblocker and Brave sometimes cause sites to break so I wanted to double-check just in case.\nA:", "My certification process completed with ProvenanceDAO, and I\u2019ve participated with more than 3 contests. When I\u2019ll be certified+?\nA:", "Any update with LPT and Insure payments? several months have passed\nA: Thanks for the ping, going to try to get those out this week.", "Is there any way to track our past reports, with the status of this report ? Or should we keep track of it personally for reference and will find everything at the end ?\nA:", "Is there a way to double-check the receival of an issue? \nA: Received a confirmation email, perfect.", "My certification process completed with ProvenanceDAO, and I\u2019ve participated with more than 3 contests. When I\u2019ll be certified+?\nA: The criteria is a bit more stringent than that. Top 3 in 3 contests or a High finding.", "I do have 2 questions: 1. Which part takes more time to be completed? 2. What is reporting part? (publishing the overall report?)\nA: 1. The review and judging phases can both take a while, especially when there is a very high participation rate -- and/or when the codebase is particularly complex. 2. Yes, \"reporting\" means that either: C4 staff are drafting / editing the report for the contest, or the sponsor is reviewing the report prior to publication. (We don't publish the report until sponsors tell us they've finished mitigating the findings, so sometimes this phase can also take some time, especially if there are critical or complex findings.)", "Who should I contact in regards to the team payout address being a smart contract?\nA:", "Hi, is it possible to change nickname ? \nA: Hello! 
You'd need to create a new registration / discord handle but if you were on the leaderboard, you'd be starting over with the new name.", "Wen contest of code4 contracts ?\nA:", "Hi have some question about certified warden I'm am certified and when I was I was told I'd be added to a channel of some kind and early access to reports etc etc but as of yet to see this private channel or how to get access to these early reports...\nA: That's certified+ you're thinking about: [certified+ info link](https://docs.code4rena.com/roles/wardens/certified-wardens#certified+-contributors)", "Yep...that's a bit like you can have the job when you have experience in doing the job lol OK thanks anyway\nA:", "its a tough one, because as a new warden your still learning how to interact with everything...\nA: That's why I like to take notes when doing my auditing.", "Oh goodness you too yes same thing i have a copy of linus in infinite log in i have had to start note taking AGAIN but this time i was clever and have a back up of my VM hahaha\nA:", "I'm a certified warden and I was told I'd be added to a private channel and get early access to reports, but I haven't seen this channel or know how to get these early reports. Can you help me with this?\nA: Certified+ wardens don't get early access to reports. They get earlier access to the findings repos, so they can assist with post-contest processes. [https://docs.code4rena.com/roles/wardens/certified-wardens#certified+-contributors]", "How can we create a team?\nA: You can create a team at code4rena.com/register-team.", "I reported an issue but not sure about the severity between low / medium, is there a chatting process anytime?\nA: In any case where you think something is a medium or a high, recommend reviewing the tldr criteria and making your best case for the severity you choose using evidence. 
[https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk]", "Where can I find the tldr criteria?\nA: You can access the tldr criteria here [https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk]", "How to proceed if I reported an issue but not sure about the severity between low / medium, is there a chatting process anytime?\nA: In any case where you think something is a medium or a high, recommend reviewing the tldr criteria and making your best case for the severity you choose using evidence.", "Where is this tldr criteria?\nA: The TLDR criteria can be found at this link: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk", "What if I already submitted the bug and would like to up the severity?\nA: During a contest, you can submit a help request to remove the original submission and then just submit again. For more assistance, visit code4rena.com/help.", "Will every contest finally release a report about the bugs found for us to learn?\nA: Yes, every contest will release a report about the bugs found, although it may take some time.", "How to ask in private something to a member of the code4rena team?\nA: Submit a Help Desk request, and whoever is available will answer ASAP.", "Are solana audits hosted on your platform?\nA: Plans are being made to open up to Solana.", "I got two (instead of one) identical confirmation emails after I submitted a finding. Should I worry or take any actions?\nA: No, there's no need to worry or take any actions.", "I got two (instead of one) identical confirmation emails after I submitted a finding. Should I worry or take any actions?\nA: Just smile.", "Should I worry about this issue with USDC?\nA: I'm sufficiently hedged in curve 2pool with USDT.", "Does anyone know the extent to which machine learning is used for smart contract auditing? 
Are there any popular tools / companies that use ML for auditing?\nA: One idea is to convert a non-image task into an image task by converting a smart contract into their respective shapes, train a model based on a dataset of vulnerable and non-vulnerable shapes, and then use that model to predict if a future contract is vulnerable or not. Here is a link to a smart contract visualizer: https://github.com/DanielVF/evm-contract-draw", "Can somebody help me out regarding the submission of reports?\nA: Sure. What do you want to know?", "I submitted two Gas optimizations in juice box contest so will it be cancelled?\nA: You should immediately create a Help request for this https://code4rena.com/help. If you submit a help request then maybe they'll merge the two for you. You should submit one gas optimization report containing all your optimizations.", "Where should I create a help request? \nA: You should create a help request at https://code4rena.com/help.", "What should I include in my gas optimization report? \nA: You should include all your gas optimizations in your gas optimization report.", "What if I submit a help request after the contest is over? \nA: If you submit a help request, they may merge the two for you.", "Is it possible to convert a non-image task into an image task by converting a smart contract into their respective shapes? \nA: The approach to convert a non-image task into an image task by converting a smart contract into their respective shapes is feasible. Another approach would be with graph neural networks, as outlined in https://www.ijcai.org/proceedings/2020/0454.pdf.", "If I find a medium severity issue but it appears to be a high severity and others also mark it as high severity, will my medium severity be lifted to high severity? \nA: Yes, your medium severity might be lifted to high severity. 
However, it is at the judges' discretion to determine the severity and lift or lower the level.", "Are there instances where a judge might choose not to increase the level of severity, if it is technically a duplicate of other highs but has not been well explained or proven? \nA: Yes, a judge might choose not to increase the level of severity if the issue is technically a duplicate of other highs but has not been well explained or proven. Part of the value of a bug is correctly assessing its severity and presenting evidence. Someone who identifies a low and shows no evidence for how it could be exploited cannot expect that a judge will upgrade their submission to a medium or high based on others\u2019 work identifying, presenting, and documenting evidence of how the same bug could be exploited.", "Can I DM you, I have a question? \nA: Yes, you can DM if you have a question.", "I have a team and I need to make a change (remove 2 members that left and add a new one that joined), what should I do? \nA: [No answer provided in the chat log.]", "Are there instances where a judge might choose not to increase the level of severity, if it is technically a duplicate of other highs but has not been well explained or proven?\nA: Yes, the value of a bug is assessed based on its severity and the level of evidence provided. If a person identifies a low bug but does not provide evidence of how it can be exploited, a judge cannot upgrade it based on the efforts of other people.", "I have a team and I need to make a change (remove 2 members that left and add a new one that joined), how can I do this?\nA: Open a help desk request with the information at https://code4rena.com/help and they can get it sorted for you.", "How to report a problem with a projects license, e.g. dependencies used inside the project require a specific license that the project does not use?\nA:", "Is this low severity? 
It's not directly a security issue but could lead (theoretically) to serious juristical problems, no? Or can you submit this a high?\nA: Most likely, it will be considered informational.", "What do I have to do now to get certified role after my Provenance application has been approved?\nA: You will be contacted via email.", "How would you go about writing the equivalent of `(Bool success,) = address(someAddy).call{value: msg.value}(someFuncSignature);` in JavaScript hardhat or EthersJs? Like low level calls in JavaScript.\nA: Closest approach would be something like this: `tx = await acct.sendTransaction({to: addressTo, value: 0, data: myContract.interface.encodeFunctionData(\"withdraw\", [etherBalance])});.", "Is the C4 ethcc event full?\nA: Yes, the event is full.", "I believe I have made a mistake connecting my discord with my code4rena account. Is there any way to detect my participation in the audit outside of the leaderboard showings?\nA:", "Is the C4 ethcc event full?\nA: Yes, the C4 ethcc event is full.", "I believe I have made a mistake connecting my discord with my code4rena account. Is there any way to detect my participation in the audit outside of the leaderboard showings?\nA: You can create a help desk request explaining the issue.", "I submitted an audit report for a few audits, but I don\u2019t see my user name in the leaderboards. I think I might have registered anonymous on accident. 
How can I check my participation for the audit?\nA: You can check if the contest awards have already been announced.", "Are you listed on the awards but not on the leaderboard?\nA: No, not listed on the awards or the leaderboard.", "Where can I check the awards list?\nA: You can check the awards list in the #\ud83d\udce2announcements channel.", "Hypothetically, if one line of code has multiple ways of exploitation, should it reported as a one bug or multiple: if the exploitation looks differently, and has different impacts?\nA: In scenarios like that you would report all the bugs but give priority to the biggest impacting one, or just report the entire line as problematic.", "When is the next audit event/contest dropping?\nA: No specific date or schedule has been mentioned for the next audit event/contest.", "If one line of code has multiple ways of exploitation, should it reported as a one bug or multiple: if the exploitation looks quite differently, and has different impacts?\nA: You would report all the bugs but give priority to the biggest impacting one, or just report the entire line as goofy.", "Do you know when is the next audit event/contest dropping?\nA: Sorry, I don't know. I don't thinks there's anything in the rsvp either.", "So there won't be one for a while?\nA: We have a few potential contests coming up, just waiting for sponsors to confirm details & dates.", "Isn't everyone in Paris, including sponsors? I guessed there would be a week off.\nA: A contest lull does tend to happen right around big conferences for sure.", "When can we expect the results of putty contest?\nA:", "What is this tool? 
https://user-images.githubusercontent.com/13383782/179862144-097cd187-abf6-48bc-b73d-503e9d1e51a3.png\nA: Looks like a Miro board, it's a tool for collaborative planning, brainstorming via the creation of illustrative diagrams.", "How to become certified member?\nA: You can become a certified member by following the instructions on this link: https://docs.code4rena.com/roles/wardens/certified-wardens", "The certified warden form is saying status is expected to be multi_select after clicking agree and submitting, I don't understand.\nA:", "Is there a way to see your submitted reports (issues) on GitHub to ride shotgun and observe the triage process? Or is that only made public when the report is released?\nA:", "How to Become a certified member?\nA: https://docs.code4rena.com/roles/wardens/certified-wardens", "What is this tool? https://user-images.githubusercontent.com/13383782/179862144-097cd187-abf6-48bc-b73d-503e9d1e51a3.png\nA: It's a Miro board, a tool for collaborative planning, brainstorming via the creation of illustrative diagrams.", "The certified warden form is saying status is expected to be multi-select after clicking agree and submitting, I don't understand?\nA: (No answer provided)", "Is there a way to see your submitted reports (issues) on GitHub to ride shotgun and observe the triage process? Or is that only made public when the report is released?\nA: That\u2019s backstage access, which is open to certified wardens with a certain level of established contribution", "Any info about the community call?\nA: The team is busy at ethcc this week but will regroup and announce a date for it, expect it will be next week.", "Are we able to submit questions for the next recorded community call?\nA: Yes absolutely.", "\"Status is expected to be multi_select.\" , what is the meaning of the message?\nA: The team is looking into that issue.", "When can we expect the results of putty contest?\nA: They are currently being judged. 
Maybe in a week or so.", "Say we have an abstract contract that imports safeMath and also has the directive using SafeMath for uint256; , If another contract, say contract B inherits from it, Would I need to declare the using for directive again in the inheriting contract if I wanted to utilize safeMath on B?\nA: It looks like the 'using for' is not visible in the child contract. So, you would need to declare it again in the inheriting contract if you wanted to utilize safeMath on B.", "Is there a need to declare the using for directive again in the inheriting contract if I wanted to utilize safeMath on B?\nA: It appears that 'using for' is not visible in child contract.", "Could the following piece of code cause some problems if the input is too large due to the massive amount of gas consumption? How to handle such cases?\nA: The function will run out of gas if input is big enough. A common solution is to have a start offset and a maximum length to process it in batches.", "Are we allowed to discuss our findings publicly after a contest is over but before the final report may come out?\nA: No, It is very much discouraged/prohibited to discuss findings publicly until the report is published.", "Where can I read audit reports written before they were submitted to CodeArena (C4)?\nA: In the reports, each title is a link which points to one of the warden's reports on github. You can then also see reports from other wardens who found the same issue.", "Where can I read audit reports(written before they were submitted to c4)?\nA: In the reports, each title is a link which points to one of the warden's reports on GitHub. You can then also see reports from other wardens who found the same issue.", "In uniswap you have various methods like tokenToEthSwapInput, tokenToEthSwapOutput, ethToTokenSwapOutput and ethToTokenSwapInput. What exactly is meant by input and output?\nA: Input tokens you transfer in contract, output tokens you get from contract. 
In tokenToEthSwapInput you provide EXACT amount of ERC20 tokens you give and minimum ETH you agree to get for tokens you give. In tokenToEthSwapOutput you provide maximum amount of ERC20 tokens you agree to give for EXACT amount of ETH you want. In ethToTokenSwapOutput you provide maximum ETH you agree to spend for EXACT amount of ERC20 token. In ethToTokenSwapInput you provide EXACT amount of ETH and minimum amount of ERC20 tokens you agree to get. We have it all because of slippage, front-running, sandwich attacks issues.", "So it\u2019s mainly about the precision in terms of specifying exact amounts in the Uniswap methods?\nA: Yes, it is about getting a good enough deal, because the price you see may not be the price at block creation. There can be transactions before yours which change the price, and if you don't get a good enough deal, the transaction reverts.", "How does getting rewarded for bugs work? Suppose I submit some false positives and some real vulnerabilities into my report, will I get rewarded for the real bugs, or does everything in my report have to be correct?\nA: False positives don't get rewarded. Real bugs do. There is no penalty for submitting false positives per se but it is highly discouraged to game the system by spamming with things you're not sure about. One way you can be sure that your bugs are real, and one I would recommend while you're just starting out, is to write an executable test that exhibits the bug. This is quite a bit of work but proves that it's real. You'll learn a lot about how to write unit tests too.", "I'm trying to get certified but I keep receiving this error?\nA: We're looking into it - thanks for letting us know!", "Is it possible to have a judge explain what their reasoning would be when reviewing the severity for this issue?\nA: For Alchemix, this was seen as a medium severity issue because the contracts cannot be upgraded without breaking storage compatibility. 
Because upgradeability is vital to quickly adapting to issues and improvements in the codebase, it seems likely that an upgrade may unintentionally break other parts of the contract.", "I'm trying to get certified but I keep receiving this error?\nA: We're looking into it - thanks for letting us know!", "Is it possible to have a judge explain what their reasoning would be when reviewing the severity for this issue?\nA: For me, as the judge of Alchemix, I saw this as a medium severity issue because the contracts cannot be upgraded without breaking storage compatibility. Because upgradeability is vital to quickly adapting to issues and improvements in the codebase, it seems likely that an upgrade may unintentionally break other parts of the contract. For these reasons, I think medium severity is justified.", "M-05 and L-11 seem equivalent, except M-05 is better explained?\nA: I agree, the \"fence\" raised this to me and it seems I missed it. [https://code4rena.com/reports/2022-05-alchemix/#m-05-no-storage-gap-for-upgradeable-contract-might-lead-to-storage-slot-collision](https://code4rena.com/reports/2022-05-alchemix/#m-05-no-storage-gap-for-upgradeable-contract-might-lead-to-storage-slot-collision) [https://code4rena.com/reports/2022-05-alchemix/#l-11-upgradeable-contract-is-missing-a-__gap50-storage-variable-to-allow-for-new-storage-variables-in-later-versions](https://code4rena.com/reports/2022-05-alchemix/#l-11-upgradeable-contract-is-missing-a-__gap50-storage-variable-to-allow-for-new-storage-variables-in-later-versions)", "If I find multiple bugs ranging from QA to higher severity and also some gas optimizations, do I have to make 3 different submissions to report them all? Because it says my report has to be specialized?\nA: 1 Report with all QA findings, 1 Report with all Gas findings. A separate submission for each Medium or High severity findings.", "Could someone tell me? 
The following issue must be avoided with EIP1967 right?\nA: [No answer provided] [https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22)", "Could someone tell me? The following issue must be avoided with EIP1967 right? https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22\nA:", "Would join the upcoming contest - any tips for newbies?\nA: Just do it!", "Who's clicking around?\nA: Who isn't?", "What are the most stable solidity versions/most secure(other than the latest ofc)?\nA:", "Can we submit multiple findings or do we have to make only one file in which we have to put all the findings?\nA: https://docs.code4rena.com/", "I was not able to find the answer of my question in the docs. If Anyone experienced warden replies with even a yes or no, that will be more helpful.\nA: https://discord.com/channels/810916927919620096/810931711609143326/1001239781063270430", "What is the github link of all the approved findings and gas optimizations?\nA:", "What is the GitHub link of all the approved findings and gas optimizations?\nA:", "Do we audit only the contracts or also the script folders in the GitHub repo contract folders?\nA:", "What does \"in scope\" mean?\nA: \"In scope\" means the part that is to be audited.", "What does \"out of scope\" mean?\nA: \"Out of scope\" means the part that is not to be audited.", "Why can't I see my warden name in submit finding?\nA:", "What does 1e36 mean in Solidity?\nA: 1e36 is a number equivalent to 10**36. It's scientific notation and more gas efficient.", "What is 1e36 used for in calculations in Solidity code?\nA: It's just a short version of a big number.", "Can anyone tell me what 1e36 means in Solidity?\nA: It is a number. 1e36 == 10**36. It's used a lot in calculations in Solidity code and is just a short version of a big number. 
It's scientific notation and is more gas efficient as well.", "Don't we have to provide the solution as well when pointing out the vulnerabilities (especially in QA reports & Gas Reports)? Or do we just have to point out the mistakes?\nA: Basically we do have to supply the mitigation. But maybe for QA/gas reports (and in general life) the solution lies within the problem, it is implicit, so they don't write it explicitly. For example if the issue is \"it can be helpful for users if revert messages have error strings\" then the solution is quite obvious. For med/high reports it's rare that the solution is not provided.", "In \"eth_call\" what is the \"value\" param? \nA: It's the amount of ether sent with the message call, just like eth_sendTransaction. eth_call is often used to call read-only view functions, but you can also use it to simulate state-changing transactions. If you want to simulate calling a payable function, you might need to set value to simulate sending ether.", "Are we able to create a chat to post questions in the lead up to the monthly call next week?\nA: Sure! Seems like a good idea.", "Is there a template or guide on how gas / qa reports are supposed to look? I'm asking mainly just in terms of formatting...\nA: You can refer to https://github.com/code-423n4. Every repo with 'findings' in the name. Also each report at https://code4rena.com/reports has the top winning example included. Apart from that, just markdown is used and there haven't really been standardized otherwise.", "Is there a template or guide on how gas / qa reports are supposed to look? I'm asking mainly just in terms of formatting.\nA: Every repo with 'findings' in the name on our GitHub page (https://github.com/code-423n4) can serve as a guide. Also, each report at https://code4rena.com/reports has the top winning example included. 
There are no set guidelines or rules on the formatting except for Markdown.", "What is the fastest way to train for the Paradigm CTF with resources which provide real-life experience too? Where can I learn advanced solidity and defi industry standards?\nA: The Ethernaut challenges (https://ethernaut.openzeppelin.com/) and Damn Vulnerable DeFi (https://www.damnvulnerabledefi.xyz/) are good resources to start with.", "I have found a medium risk in the golem event and want to report this now. I need to provide a link on finding form, I know there is a link, but I don\u2019t get it. Could someone please help me how to do this?\nA: Here is a guide on how to create a permanent link to a code snippet: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-a-permanent-link-to-a-code-snippet#linking-to-code", "Any reason why QAs are not listed on leaderboards?\nA: [No answer provided]", "The FINDINGS options is not showing for me to edit. Can you please help? Note: my submission was on July 29th and I already received mail confirmation.\nA: If you're concerned about the golem contest, try resubmitting the issue. Assuming that's successful, then you can create a help desk request asking us to withdraw the invalid submission.", "Where can you see your submissions? I got email confirmation too.\nA: You should be able to see your submissions if you follow the steps outlined in the announcement from Friday: https://discord.com/channels/810916927919620096/810929015509483554/1002648649135824906", "Where can you see your submissions? I got email confirmation too.\nA:", "Hello. Are you asking about being able to see to edit your submissions?\nA: Yes, I mean that and thanks for the help.", "Had you been able to follow the steps outlined in the announcement from Friday? \nA: No, thanks now I know how to do it.", "How many take the Certifications process?\nA: Currently about 150 contributors have been certified.", "Hi guys, I'm new. 
How can I see how many wardens has submitted a specific issue and the corresponding bounty?\nA:", "If there's a bug in a contract that's in scope, but it impacts another contract that's out of scope, does this impact count? Why there are contracts that are out of scope? If there's a bug in the system, what difference does it make in which contract is it?\nA: The contest pot size is based, in part, on the number of lines, so it's in a warden's best interest to have as little in scope while having as large a pot as possible. Generally it's up to the judge to decide whether an out-of-scope med/high will be awarded.", "Is there any list where you can see how much a finding was worth in a contest before?\nA: This file contains all findings and payouts, which can be cross-referenced with the contest report: https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv", "Can anyone recommend good blockchain security Telegram groups?\nA: Rekt, LobsterDAO. Rekt invite link: https://t.me/Rekt_HQ.", "Can anyone recommend good blockchain security Telegram groups?\nA: Rekt, LobsterDAO", "I can't find Rekt, could you send an invite link?\nA: https://t.me/Rekt_HQ", "Would it be possible to change avatar and add a twitter link to my profile?\nA: Yes, you can submit a help desk request at https://code4rena.com/help/", "Will a finding get rewarded if deputed by sponsor as won't fix, but a valid one?\nA: Yes.", "How does seaport generate its optimized-out files? More generally, did seaport do anything to bypass eip170 spurious dragon error?\nA:", "If the raw findings.csv file has x entries for warden Y and Y submitted x+1 findings, does that mean one entry was eliminated as invalid? If yes, is that the judge's call or the sponsor's, and is there a way to appeal?\nA: Yes, that's what it means. It's also possible that the missing entry was judged as a duplicate of one of the other findings. The judge has the final say on findings. 
Wardens which are +backstage [see certified+ section in docs] get to see the judging results before they are published, and if they see issues, they can raise them to the judge for reconsideration.", "Do we report gas optimization inside view/pure functions?\nA: While it doesn't cost gas to directly call a view or pure function, it does cost gas to call them from another smart contract or another non-view/non-pure function. So, you should still optimize those unless it's explicitly mentioned somewhere that their use-case are only linked to direct calls.", "What certification is he/she talking about in the linked Discord message?\nA:", "Are teams considered when comparing leaderboard ranks to choose people for the RSVP certified jobs?\nA:", "Makes sense, thanks. Is it also possible that finding was downgraded to QA?\nA: Yes, it is also possible that finding was downgraded to QA.", "So basically, unless it's only for the protocol contracts, we can optimize them to reduce other contracts' gas cost?\nA:", "Are teams considered when comparing leaderboard ranks to choose people for the RSVP certified jobs?\nA: [Answer not provided in chat]", "Is it possible that a missing entry was judged as a duplicate of one of the other findings?\nA: Yes, it's also possible that the missing entry was judged as a duplicate of one of the other findings. The judge has the final say on findings. Wardens which are backstage (see certified+ section in docs) get to see the judging results before they are published, and if they see issues, they can raise them to the judge for reconsideration.", "Do we report gas optimization inside view/pure functions?\nA: While it doesn't cost gas to directly call a view or pure function, it does cost gas to call them from another smart contract (or another non-view/non-pure function). 
So, you should still optimize those unless it's explicitly mentioned somewhere that their use-case are only linked to direct calls.", "Can we optimize view/pure functions to reduce other contracts' gas cost?\nA: Yes, calling a view/pure function from a non-view/non-pure function in the same contract does cost more gas. So, it's not only about other contracts, it's also if your contract isn't a pure helper/util one.", "My wallet is not whitelisted, can someone help me?\nA: If you have registered as a warden and your wallet is not whitelisted, you can submit a help desk request at https://code4rena.com/help.", "When do findings get reviewed? How can I tell if a finding was invalid or not?\nA: Sponsors review findings soon after a contest ends and then it goes to judging. There should only be one consolidated gas and/or qa report per warden.", "How do I check my registration?\nA: [Answer not provided in chat]", "I accidentally submitted 2 q/a reports, is there a way to delete one while the contest is still running?\nA: You can edit one of the reports and replace the content with \"withdrawn\" to have it invalidated.", "How do I check my registration?\nA: Please direct message me to discuss.", "I accidentally submitted 2 q/a reports, is there a way to delete one, the contest is still up and running. \nA: For now, you can edit one of them and just replace the report with \"withdrawn\" and we'll invalidate it. Maybe submit a helpdesk ticket explaining what you did as well, in case there is any more clean up needed.", "Are teams considered when comparing leaderboard ranks to choose people for the RSVP certified jobs?\nA: Yes", "Where can I get some ARENA tokens? Can't even find the contract address in docs.\nA: The contract address is 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222.", "Where can I submit a help desk ticket?\nA: You can submit a helpdesk ticket at this link: https://code4rena.com/help.", "There is an arbitrage opportunity. 
If I buy low amount of tokens, opportunity will still exist, and I will have to do more transactions until it becomes not profitable. If I buy high amount of tokens there maybe high price impact, which can remove/reduce profit. How to buy right amount of tokens to get max profit? Maybe some formula?\nA: It depends on the AMM. But if you want to do it without doing the math, you can do this: \n1 - Check how much y amount of B you would get by inputting x amount of A when doing swap A -> \u2026 -> B.\n2- Check how much z amount of A you would get by inputting y amount of B when doing swap B -> \u2026 -> A.\nYou can get these values through the getAmountsOut function of UNI-v2 router. Then to find the optimal value of x you can use a simple algorithm.", "I'll add more details, at place A I buy asset A at static price, i.e. it is always 1$ at that place, on uniswap price is jumping from 1$ to more. if I get something like 10k I get high price impact which reduces profit. So I try to understand how to get optimal amount of asset A to get max profit.\nA: Ignoring protocol fees, the core UniswapV2 swap formula is (x + dx) * (y - dy) = x * y, where: \nx is the initial amount (reserve) of tokenA, \ny is the initial amount (reserve) of tokenB, \ndx is the tokenA amount you input, and dy is the tokenB amount you receive.\nYou want to input just enough dx such that (y - dy) / (x + dx) is lowered to the fair market value. We can use a to represent that ratio. Now we have all we need to solve the problem. Here's the formula you can use:\ndx = (-2x + sqrt(x * y / a)) / 2\n= -x + sqrt(x * y / a)\nThis ignores the protocol fee. But you can probably get away with just using 1% less dx to not bother with that math. Also, if you get a negative result, then it means that the initial x / y ratio is already below a.", "How to buy the right amount of tokens to get maximum profit? Maybe some formula?\nA: It depends on the Automated Market Maker (AMM). 
In general, you can derive it from the AMM's price formula. If you don't want to do the math, you can check how much of token B you would get by inputting a certain amount of token A when doing a swap, and then check how much of token A you would get by inputting that amount of token B when doing the reverse swap. To find the optimal value you can use a simple algorithm.", "What is the simple algorithm for finding the optimal value of tokens to swap?\nA: The algorithm is explained through a series of mathematical formulae. It relies on the core UniswapV2 swap formula and involves solving for the amount of token A you input and the amount of token B you receive. The goal is to input just enough of token A such that the ratio of token B to token A is lowered to the fair market value. The final result is a quadratic formula that can be solved for the input amount of token A.", "What about multiple token swap arbitrage, like A -> B1 -> B2 -> A? How to find the optimal amount through all swaps and then use it to update all swaps input?\nA: This is more complicated and does not involve fair market value. The optimum is the first input amount that returns the maximum value for the last output amount minus the first input amount. A formula that generalizes this to n pairs needs to be derived.", "Why does it take so much time to send money after a contest report?\nA: Payments get batched and done once a week, with the 2 week window generally meaning that an award missed the window for the one week. 
There is double checking and process at each step to ensure it\u2019s done correctly and securely.", "Regarding the backstage role - if I've participated in 5 contests so far, but only 1 of them reached the awarding stage, does that count or do I need to wait for more contests to reach that stage?\nA: You can qualify for the backstage role with 1 high severity finding, or 3 medium severity findings, or 1 QA report with a score of >85, or 1 Gas report with a score of >85.", "Regarding the backstage role - I've participated in 5 contests so far, but only 1 of them reached the awarding stage, does that count or I need to wait for more contests to reach that stage? In that 1 contest I have a gas report with a score > 85, is that enough or I need 3 of those? The wording of section 3 isn't clear enough.\nA: 1 high severity finding, or 3 medium severity findings, or 1 QA report with score of >85, or 1 Gas report with score of >85", "A lot of awards are on the way but can we get a rough idea that how soon can we see some of them?\nA:", "Are judges penalized if they have a delay of X months? Is the judge allowed to do contests while they have an active contest judging?\nA: If a judge cannot complete their work in a timely fashion, the contest is reassigned to another judge. Judges typically do have full-time jobs and other commitments on top of C4 judging. Many of them don't compete on top of all that.", "If a responsibility is assumed and in more than 5 months you have not fulfilled it, are you still considered responsible?\nA:", "How is the responsibility shared for delays in judgment, is it solely on the judge or does the sponsor also play a part?\nA: Sponsors also play a part in delays. There are also factors that one may not be aware of that impact how soon a contest is completed.", "I understood \"a score of 85+ on either a QA or Gas Report\", not participating in 85+ contests (QA and Gas issues count as 1 in a report now). And, only 1 report yes, not 3. 
Can you elaborate?\nA: Reports are graded between 0 and 100. Maybe none of them got 85+, or both of them. That's an arbitrary score (best report can have 40).", "Are judges penalized if they have a delay of X months? Is the judge allowed to do contests while they have an active contest judging?\nA: If a judge cannot complete their work in a timely fashion, the contest is reassigned to another judge.", "How can I participate in 85+ contests (QA and Gas issues count as 1 in a report now)?\nA: This refers to the amount of findings, not contests. It can be like 30 qa findings per report.", "Can you elaborate on report with score >85? Like Alice submitted 10 qa findings in a report, Bob submitted 20. Who will get score >85? Can both get high score?\nA: Reports are graded between 0 and 100. Maybe none of them got 85+, or both of them.", "Where can I see grades on published reports?\nA: Only +backstage role can see it at the moment.", "So how can I apply for backstage role, If I don't know score of my reports?\nA: The published reports have gas and QA reports sorted by grade, so if you see your report high up the list maybe pm a staff member to check the score.", "Why was the information about the issues with the Anchor contest not shared with the community until now?\nA: C4 is providing a service and it\u2019s not appropriate to throw sponsors (or anyone else) under the bus. This is not a blame-focused community. They focused on improving things for the future rather than focusing on a bandaid for one-off issues.", "Shouldn't the community be informed of such delays as soon as possible, not after several months, when wardens start poking?\nA: C4 wishes they could have shared more news earlier, but the information would have been \"still working on figuring this out\" and they would not have wanted to say more than that.", "I have some questions about distributed rewards from mid April, I received only a small part of it. 
Can you help?\nA: It's best to submit a Help Desk request, and whoever is available can take a look! [https://code4rena.com/help/](https://code4rena.com/help/)", "Did you compete in either of the contests?\nA: No, I just care about places where I spend my time, like you. I appreciate your work and hope this place to be even more transparent and effective.", "Could you please DM me?\nA: (No answer provided)", "I have some questions about distributed rewards from mid April, I received only a small part of it. Can you help me in DM?\nA: It's best to submit a Help Desk request, and whoever is available can take a look! [Help Desk Link](https://code4rena.com/help/)", "What's the recommended way of making submissions: separate or one big submission? Also, are there any best practices I should know of?\nA: Only one big report for gas and one big for QA.", "Is there any way to change wallet address connected to C4?\nA: There is info here on changing wallets: [Wallet Info Link](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address)", "Who has access to submissions submitted before contest end?\nA: Only the team. After the contests end, those with the +backstage role get access to the findings to help with triaging and stuff.", "Can I submit a medium/high report without recommended mitigation steps if I believe there are no mitigation steps?\nA: Yes, but you should still explain why you think this cannot really be feasibly mitigated.", "I've tried creating a team a few days ago but it doesn't seem to have gone through, should I be getting some \"pending\" notification via email or something?\nA: Can you DM me the team name or PR link, and we can take a look today?", "Can you accept my friend request? Seems like I can't DM you.\nA: Accepted!", "I think I've found 2 Medium vulnerabilities. 
They are the same vulnerability just on 2 separate functions, do I need to create 2 reports or can I put them in the same report?\nA: If they are the same vulnerability, put them in one report.", "Can you accept my friend request? Seems that I can't DM you.\nA: Accepted!", "I think I've found the same vulnerability on 2 separate functions, do I need to create 2 reports or can I put them in the same report?\nA: You can put them in the same report. However, for more clarification, you may refer to the discussion here: https://github.com/code-423n4/org/issues/8", "One QA and one gas report per contest is now enforced, can you explain this change?\nA: Per contest a warden should submit at most one QA report, and at most one Gas report. The ability to submit more than one was possible before, but now it's not. This change helps wardens stay compliant and reduces noise for judges/sponsors/CAs.", "Isn't it better that the dapp only allows wardens to make one QA or gas report by default?\nA: Yes, that's the change we announced today.", "Can this FAQ be updated: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form?\nA: Yes, it's a good catch. You can propose an edit here: github.com/code-423n4/docs", "I noticed that two of my findings got accepted but it wasn't merged it got closed and today the list again got updated and I saw that one of my report was just removed, can you explain why?\nA: [No answer provided in the chat.]", "Could the FAQ be updated? \nA: Yes, anyone can propose an edit on github.com/code-423n4/docs.", "How to submit changes to the FAQ?\nA: Submit your change as a pull request.", "Why were two of my findings accepted but not merged and one of my reports was removed?\nA: This issue needs to be looked into by contest admins and can be reported through a help ticket at code4rena.com/help. 
The grading system is currently not in place.", "Is there a grading system already in place for QA and Gas submissions?\nA: No, the grading system isn\u2019t in place yet and won\u2019t be for a few weeks while the judging extension is being finished.", "What does it mean if my submissions are only QA and Gas?\nA: There's already a grading system on QA and Gas, where 0 is possible on a QA report if the judge decides so.", "Why were my 2 findings, which were valid, not rewarded?\nA: The 2 findings were not low risk bugs, they were just non-critical. These types of findings weren't rewarded before the grading system and still aren't.", "Can there be an error in the first report where invalids were taken as valid reports?\nA: It is possible that an error was made in the first report which was later corrected.", "What is the average award pot for Low/Non-critical vulnerabilities in contests?\nA: The average award pot for Low/Non-critical vulnerabilities in contests is 10% of the prize pool.", "Is the percentage for the award pot for Low/Non-critical vulnerabilities fixed like for Gas optimization reports?\nA: It's usually 5%, but sometimes sponsors choose to increase or decrease the Gas optimization pool, depending on how important gas savings are to the project.", "How can I update my team information and solve the issue of failing checks on my PR?\nA: You need to link the PR or send it via DM. Someone from the C4 team has to approve it before it can be merged.", "What is the default percentage of the prize pool for low/non-critical severity? \nA: For QA, which is Low/Non-critical severity, it is 10% of the prize pool.", "I'd like to update my team information. I have created a PR for that, but all the checks are failing, could someone point me the docs for updating it correctly?\nA: Can you link the PR here or send via DM? 
Someone from the C4 team has to approve it before it can be merged.", "Is the default 5% award pool for low/non-critical severity?\nA: QA is for low/non-critical severity which is 10% of the prize pool.", "What is the average award pool for low/non-critical severity?\nA: The average award pool for low/non-critical severity is 10%.", "My c4 wallet is hacked. Can I change it? \nA: Please submit a help desk request and we can look into it for you. https://code4rena.com/help/", "How to edit the submitted finding?\nA: Go to contest.", "How to find a finding?\nA: Keep practicing. The correct expression is \"How do I edit a submitted finding?\"", "Is \"online English\" just modern English, being understood is way more important than being correct?\nA: It's kind of funny that the thing you quoted is written in correct native English.", "How do I edit a submitted finding?\nA: No clear answer provided.", "How long should a string be to go above size byte32?\nA: A string should be 33 bytes to go above size byte32, with 1 byte per character. [Reference](https://ethereum.stackexchange.com/questions/11556/use-string-type-or-bytes32)", "Is it truly 1 byte per character? For example in a require statement: require(some_test, \"hello world wrong input\");\nA: Yes, it is 1 byte per character. Once it goes past 32 and becomes a string, another word is added for the length. However, it may vary if you add emojis or any non-ascii characters.", "Is there any problem to send a finding that you're not 100% sure of?\nA: No clear answer provided.", "Is it truly 1bytes per character? For example in a require statement: require(some_test, \"hello world wrong input\"); \nA: Yes, and once it goes past 32 and becomes a string, another word is added for the length. 
Unless you add emojis or any non-ascii character.", "Is there any problem to send a finding that you're not 100% sure of?\nA: It isn't a problem to send a finding that you're not 100% sure of.", "Is there any specific day to do payments?\nA: Payments get batched and done once a week, with the 2 week window generally meaning that an award missed the window for the one week. There is double checking and process at each step to ensure it\u2019s done correctly and securely.", "Is there a service that converts contract address (like https://etherscan.io/address/0x27f461c698844ff51b33ecffa5dc2bd9721060b1/advanced#code) to a separate solidity file?\nA: On Etherscan, change .io to .deth.net to convert a contract address to a separate solidity file.", "Should a finding that is relevant to both QA and gas savings be included in both reports?\nA: You should submit it to any one of the two categories. If the judges think that it should have been in QA and you have inputted it in GAS, they will upgrade it and vice versa.", "Does anyone know what makes a GitHub link open in app vs in browser on iOS?\nA:", "Are there more audit contests coming out in code4rena?\nA: You can check #\u270brsvp for upcoming audit contests in code4rena.", "How much mathematics is important for auditing? I saw some auditors even auditing math formulas, is there any resources to get good on required math topics?\nA: The importance of math in auditing depends on what you're auditing and what math it makes use of. For the most part, basic calculus would suffice. Some projects may require knowledge in financial mathematics, for example.", "Do we have more audit contest coming out in code4arena?\nA: Check #\u270brsvp for updates on upcoming audit contests.", "How much mathematics is important for auditing? I saw some auditors even auditing math formulas, is there any resources to get good on required math topics?\nA: Depends on what you're auditing and what math it makes use of. 
For the most part, basic calc would suffice.", "I saw some projects doing financial mathematics, for example elastic dao, in their audit process they even had to ask couple of pro mathematicians to audit a formula. I wondered if there is some special math(maybe financial math) topics that auditors should know.\nA: It depends on the project. A lot of them use only simple math (like loan to value = loan / collateral value, and that's mostly the only formula you have to understand). But there are some very math heavy projects, which are very hard to audit without understanding all the details and formulas. And then there are in-between projects, where there might be some hard to understand math, but it's often not really required to audit.", "Is here someone who could help me out with a little amount of matic so I can transfer my awards to another wallet?\nA: i can do that if you send me your address", "What is the cheapest way of swap ERC Tokens? \nA: Uniswap has minimum 0.05% fee and a lot of liquidity. However, Metamask takes 0.743% + min 1.01% slippage.", "Hi I'm back to contests after 2 months off. Any changes to the rules / contest submission guidelines / prices splits I should know about ?\nA: I think no major changes.", "Is it possible to dm you regarding to the last reward distribution?\nA: Yes!", "Is there a way in foundry tests to change transaction priority? In hardhat I can set block mining time and increase transaction fee and change transactions order. How can I simulate front-running in foundry tests is the crux of my question.\nA: No answer provided.", "Any changes to the rules / contest submission guidelines / prices splits I should know about?\nA: I think no major changes.", "Is it possible to send a direct message regarding the last reward distribution?\nA: Yes.", "Is there a way in foundry tests to change transaction priority? 
How can I simulate front-running in foundry tests?\nA: In forge each test is one tx, so when you run 2 txs in the same test you're actually just calling 2 functions in the same tx. So you can simply call the function of the tx you want to front run before the other, for most cases that would be enough.", "Would connecting a metamask wallet suffice when submitting findings for the payments in C4?\nA: Metamask wallet is great.", "What is https://code4arena.com/cosmos?\nA: Supposed to be an ever-expanding ecosystem of interconnected apps and services, built for a decentralized future. [https://cosmos.network]", "Are there any special math (maybe financial math) topics that auditors should know?\nA: It's not something that can just be learned by finding a resource, and doing some quick reading. It's usually the result of years of high school and university education.", "But can auditors make memes?\nA: Yes, some of them can.", "Does a specific meme (\"In former Soviet Union bloc chains you!\") exist?\nA: No, it doesn't.", "How can I check the amount of prize money paid to each Medium/High risk?\nA: https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv", "Do you know each contest's one? e.g) The amount of Medium-1 in OpenSea contest is XXX The amount of Medium-2 in OpenSea contest is XXX ....\nA: Oh, I just realised you could also use my tool: https://github.com/sseefried/c4-stats", "More contest coming out\uff1f\nA: [No answer provided]", "Where can someone get a flash loan on BSC network? With low fee and several millions in liquidity.\nA: PCS most likely", "More contest coming out?\nA: [No answer provided]", "Where can someone get a flash loan on BSC network? With low fee and several millions in liquidity.\nA: PCS most likely", "Is there a repository, where I can see rejected reports?\nA: Yes, you can find them at https://github.com/search?q=org%3Acode-423n4+is%3Aissue+label%3Ainvalid", "Have any of you tried to mock SafeERC20? 
Because it is a library, it doesn\u2019t have an ABI like the ERC20, which as you know is a needed file in the abis folder (erc20.abi.json) in order to mock. I need my mocked token to have safeTransfer and safeTransferFrom function in order to test these functions from my smart contract.\nA: [No answer provided]", "I wanted to make my first audit. Since it's my first time I thought of starting with gas optimization. Is there any resource that I should start with before diving into auditing the contracts?\nA: [No answer provided]", "I used to have my account under the name aez121 and now I changed my wallet and username on discord. Can we replace the new name on the old one? Like aez121 be ali_shehab and change the wallet.\nA: [No answer provided]", "I was reading some reports on gas optimization and I read about public functions not called by the contract should be declared external. So my question is if it is not called by that contract but is called from another contract that is imported on the first one is the optimization valid or is it considered the same contract because they are connected?\nA: If it's derived, then it's under same contract scope.", "Do you guys do any smart contract gigs (coding contracts) or only focused on auditing?\nA: [No answer provided]", "Do you consider to being anonymous/pseudonymous especially in cybersecurity spaces and \"with your name\" on sometimes on bounty leaderboard? why and why NOT?\nA: [No answer provided]", "What would happen to the sponsor reward pot if no issues are found? Would C4 issue a \"well done\" card and return the rewards?\nA: [No answer provided]", "Do you know any polygon bridge for ethereum that's allow you to send to a different address? 
The official ones only send to the same address.\nA: Connext for sure does, but I think all paid bridges do tbh.", "How can I apply to be certified plus?\nA: You can apply to be certified plus at https://docs.code4rena.com/roles/certified-contributors", "Where can I view my submission replies regarding a contest?\nA: [No answer provided]", "Do you know any polygon bridge for ethereum that's allow you to send to a different address? The official ones only send to the same address.\nA: Connext for sure does, but I think all paid bridges do tbh.", "How can I apply to be certified plus?\nA: You can apply to be certified plus at https://docs.code4rena.com/roles/certified-contributors", "Where can I view my submission replies regarding a contest?\nA:", "Is Connext bridge faster that the one from polygon?\nA: You can use https://www.bungee.exchange/ to compare the different bridges, their time and fee. It can change according to liquidity and amount transferred.", "Trezor or Ledger? What's your pick?\nA:", "Is code4rena going to be open to new wardens forever? The more developers that join the more the prize funds are diluted.\nA:", "Wouldn't more contests in parallel solve the problem of the prize funds being diluted due to more developers joining code4rena?\nA: That's true.", "What is the meaning of \"low quality\" in audit contest guidelines? Does it mean low risk/non critical? \"Do not submit a high volume of low-quality reports.\"\nA: Low quality means there is no explanation or no path to the finding. Wardens are entitled to determine the findings to the sponsor and to the judge for the sake of clearance. Else, the judge may and will reject your submission.", "What about if you have findings but the judge and sponsor, disagree with your mitigation?\nA: The mitigation part is the Sponsor's weapon of choice. 
If you point out a judge-approved bug/a logic flaw, it's an achievement.", "If I got a new wallet address, can I just use the new address in reports going forward? Will the rewards for the report then be distributed to the new address? Or is there some other step for that?\nA:", "Is there more clarification on the meaning of \"low quality\" in audit contest guidelines?\nA: This might be helpful as well: https://github.com/code-423n4/org/discussions/34", "What happens if you have findings but the judge and sponsor disagree with your mitigation?\nA: The mitigation part is the Sponsor's weapon of choice. If you point out a judge-approved bug or a logic flaw, it's an achievement.", "If I got a new wallet address, can I just use the new address in reports going forward? Will the rewards for the report then be distributed to the new address? Or is there some other step for that?\nA: (No answer provided in the chat)", "What is the meaning of \"low quality\" in the audit contest guidelines, does it mean low risk/non critical?\nA: Here is a link that might help clarify the meaning: https://github.com/code-423n4/org/discussions/34", "What is the average salary for a smart contract auditor? Do you have any resources to help us find out?\nA: (No answer provided in the chat)", "How can I understand that my bug is valid?\nA: You can write a test for it.", "I\u2019ve sent a bug, and still no response to my email. So, how can I understand that my bug is valid?\nA: When you submit a finding you get a confirmation by email, and you can see and edit your findings in the \"findings\" tab next to the contest description. If you mean valid as correct then you have to wait when the contest is done judging.", "During judgment, for the reported issues, whether they are valid or invalid, are they attributed the cause of rejection or acceptance?\nA: (No answer provided in the chat)", "Can I be fully open on discussing issues with the sponsors before the contest is finished? 
Does this include severity and in-scope/out of scope questions?\nA: Yes, you definitely can be open with sponsors.", "Is there something wrong or bad if I edit a submission? I noticed that it adds a tag called wardener edited.\nA: Nothing at all wrong with editing your submission. It's just a tag to track that it\u2019s been edited.", "If I want to provide code for a test, is it better to add it directly to the report under 'Proof of concept' or should I link it on some private repo on GitHub?\nA: (No answer provided in the chat)", "Can I be fully open on discussing issues with the sponsors before the contest is finished? Does this include severity and in-scope/out of scope questions?\nA: Yes, you definitely can be open with sponsors.", "Is there something wrong or bad if I edit a submission? I noticed that it adds a tag called wardener edited, not sure if that's bad.\nA: Nothing at all wrong with editing your submission. It just adds a tag to track that it\u2019s been edited.", "If I want to provide code for a test is it better to add it directly to the report under 'Proof of concept' or should I link it on some private repo on GitHub?\nA: This depends on the length of the code. If you require further guidance, refer to the submission policy in the Code4Arena documents [https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept].", "Is there any penalty for submitting a vulnerability as high and then it turns out it's medium, or the other way around? If I'm unsure if a vulnerability is QA or Medium, is it better to add it to QA or submit as a medium vulnerability?\nA: This issue is complex and subjective. You can refer to this forum thread and subsequent discussion for more detailed considerations [https://github.com/code-423n4/org/discussions/34].", "If in my Gas Optimization report I accidentally report an invalid one, will all the other ones get invalidated? How are bounties for Gas Op's calculated? 
If someone reports 10 valid gas optimizations, will they get double the bounty of someone that reported 5?\nA:", "If someone steals something, justice will be served right?\nA:", "Has anyone received feedback on reports for the $20,000 Canto Dex Oracle contest?\nA:", "Is it a big problem if a warden provides a report on a medium severity bug, but cannot provide a Proof of Concept for it, even though the bug is explained in-depth?\nA: Unless it's extremely obvious, not writing a PoC will typically cause your finding to be disregarded whenever there's criticism or doubts towards it. If it's obvious you can skip the PoC for Medium severity bugs, but you'll always be better off writing a PoC to be sure.", "Is Art Gobblers associated with the creator of Rick and Morty?\nA: Yes, Art Gobblers is a collaboration between Paradigm and Justin Roiland, the creator of Rick and Morty.", "Can anyone provide some resources for blockchain forensics analysis like hacks and incidents in smart contracts?\nA:", "Is Art Gobblers associated with the creator of Rick and Morty?\nA: Yes, Art Gobblers is a collaboration between Paradigm and Justin Roiland.", "Can anyone provide some resources for blockchain forensics analysis like hacks and incidents in smart contracts?\nA: [No answer provided]", "I can't find my name in the drop-down username list when I went to submit a new bug. What should I do?\nA: You can direct message for further help in understanding the problem.", "I did not receive a confirmation email for my last submission. Can someone from the team help me make sure the submission was received?\nA: You can now view / edit your own submissions on the site for open contests if you're ever unsure in the future.", "I'm having difficulty updating my bug findings, what's the problem?\nA: If you are having difficulty updating your finding, you can direct message with a screenshot.", "I think the submit button has a problem, currently I can't submit. 
What should I do?\nA: You can direct message with a screenshot.", "How do I create a team? I'm not able to push a new branch in the repo.\nA: Someone on the C4 team will need to review and approve for you. You can open a help desk request with a link to the team PR at https://code4rena.com/help.", "I'm not able to create a PR because I cannot push a new branch, what should I do?\nA: [No answer provided]", "Is there a problem with the submit button? \nA: You can dm and send a screenshot.", "How can I create a team? I'm not able to push a new branch in the repo.\nA: Someone on the C4 team will need to review and approve for you. Open a help desk request with a link to the team PR at https://code4rena.com/help", "I'm not able to create a PR because I can't push a new branch. Did I try creating the team through the site?\nA: (No answer provided)", "How much time does it take for the project findings to get reviewed? \nA: It depends on the contest. Some contests get judged very quickly because the sponsors are very enthusiastic.", "Is there an average time in mind for a project findings review?\nA: (No answer provided)", "Who should I talk to about getting my warden profile update PR approved?\nA: (No answer provided)", "Do projects have access to submitted findings before the contest is complete?\nA: Yes, they have access to a private github repo where the findings are posted as github issues as soon as wardens submits them on the UI.", "If a dishonest project clones white-hat reports and cuts down on his payouts at our expense, are there safeguards in place?\nA: The project has paid the second the contest starts, they have no financial incentive in hiding reports. They already pre-paid the full amount.", "Can a project submit reports and recycle the payout this way?\nA: Yes, that's an issue in theory. same with judges, they still see all issues as they come in and could repost them. 
Always submit everything right before the deadline.", "How do you deal with an insider that extorts you?\nA: (No answer provided)", "Is there a risk of a dishonest project cloning white-hat reports and cutting down on payouts at the expense of CodeArena?\nA: While it is possible in theory, projects typically have no financial incentive to hide reports as they pre-pay the full amount once the contest starts.", "How do you deal with an insider that extorts you? \nA: Currently, the issue of insider extortion is challenging to solve without verifying everyone's identity and even then, it might not completely fix the problem.", "Is it possible to only reveal the findings to the project when the contest is over as a measure to prevent dishonest actions?\nA: Yes, it is a possible solution, but it's effectiveness may depend on the size of the contest.", "How does the process work with platforms like Immunefi?\nA: With Immunefi, reports are timestamped and would require proof that the project submitted the report before the white-hat hacker. Only the first valid submission gets a reward.", "Is it a good idea to add some new rules to the rulebook for further discussion?\nA: Yes, adding suggestions to the rulebook for further discussion can be beneficial.", "Are there scenarios where sponsors could hide bugs in the code base, report them, and hope that no one else finds them?\nA: While this is theoretically possible, it's unlikely for decent projects to risk their reputation to save a small amount of money. 
Plus, obvious bugs would be found by multiple people, negating the advantage, and complex bugs would take too much time to be financially worthwhile.", "Do the sponsors still have access to the findings repo before the contest ends?\nA: Sponsors do not have access to the findings repo before the contest ends.", "Do the sponsors still have access to the findings repo before the contest ends?\nA: No, sponsors do not have access until the contest is over.", "Aren't the Judges reviewing the findings for duplicate first?\nA: As of the last two weeks only if the sponsor agrees.", "How long does it take to change my wallet address that I requested to update under the help section?\nA: The response time was not provided in the chat.", "How can I change members of a registered team?\nA: The answer was not provided in the chat.", "When entering a contest, do I have to submit all reports for high, medium, QA, and gas optimization?\nA: No, you submit what you find.", "How much details should be written for every issue in the QA and Gas Optimization reports. Does the details need to have PoC, tools used and mitigation sections similar to high severity issues? Any example available for the same?\nA: No, the reports don't need to be as detailed as high severity issues. You can see past examples of the top QA/Gas report for each of these contests [here](https://code4rena.com/reports).", "How much details should be written for every issue in the QA and Gas Optimization reports. Does the details need to have PoC, tools used and mitigation sections similar to high severity issues? Is there any example available for the same?\nA: No, you can see past examples of the top QA/Gas report for each of these contests at https://code4rena.com/reports", "Do one-liners work in the report?\nA: One-liners sometimes work, but most judges prefer a little bit more than that. 
For more details, visit https://github.com/code-423n4/org/issues/21", "How can I change members of a registered team?\nA: If you're unable to manage your team on the site, then you can submit a help desk request.", "If there's an in-scope contract inheriting an out of scope contract, and I were to find a vulnerability that could affect the main contract, am I allowed to submit it?\nA: Yes, it makes a sense but it depends on the sponsors and judges. If it makes a high severity problem then they accept the issue.", "What is \"LOC reference\" in the context of this field?\nA:", "I won my first contest prize, can anyone tell me how I'm going to receive the payout? Will I receive MATICs on Polygon's Mainnet?\nA: You will receive Usdc on polygon\u2019s mainnet. MATIC is only used to pay the gas for a certain transfer.", "Are sponsors flexible about what tooling is used to provide PoCs? For example, if I prefer Foundry but the project uses hardhat, do I need to use hardhat instead?\nA: A POC in the context of C4 is not even required to be executable, so if you use Foundry instead that should be totally fine.", "Are sponsors flexible about what tooling is used to provide PoCs? For example, if I prefer Foundry but the project uses hardhat, do I need to use hardhat instead?\nA: A POC in the context of C4 is not even required to be executable, so if you use Foundry instead that should be totally fine.", "Is there a way to know how many wardens participate at a contest?\nA: Only after a contest ends, that still doesn't tell you how many actually participated without submitting anything.", "Can a digital nomad become a certified warden? If he can share his id or a bank account to Provenance but proof of residence seems complicated...\nA: You can submit either your mobile phone bill, or credit card bill, or bank account proof of ownership - even if it's not in English - and that should be accepted.", "Can someone take a look at my Backstage application? 
I requested help from the website but didn't get a confirmation mail.\nA: We received your help desk request and we'll get back to you in the next 1-2 days.", "If I submit a bug, claiming it is a high vulnerability bug, but downgrade to medium level, it will still count, right? My submission will not be invalidated.\nA: Yes, those are correct.", "I'm having some installation problems while studying audit report. What should I do?\nA: Most old repos don't compile, you'd be better off forking from their repo on their github and taking it from there. You should also consider checking the latest contests, especially with Foundry, probably easiest to catch up with those. Stick with it, installation is always difficult for most people.", "Can someone take a look at my Backstage application? I requested help from the website but didn't get a confirmation mail.\nA: We received your help desk request and we'll get back to you in the next 1-2 days.", "If I submit a bug, claiming it is a high vulnerability bug, but downgrade to medium level, will my submission still count and not be invalidated?\nA: Yes, your submission still counts and is not invalidated.", "Can a digital nomad become a certified warden? If he can share his id or a bank account to Provenance but proof of residence seems complicated.\nA: Yes, you can provide proof of ownership using either your mobile phone bill, credit card bill, or bank account, even if it's not in English.", "I'm having a lot of problems with installations, is there a suggested way to solve this?\nA: It's suggested to use Ubuntu 20.04 which runs on windows via WSL2, especially if you're working with Windows.", "Is it possible to change a link with my username in the leaderboard/contest results? I can only change email, discord and github username in the account settings, but not the link or photo.\nA: You can create a help desk request with the link to be updated. 
Here is the link: https://code4rena.com/help", "What is the name of the lowest level of reported vulnerability that isn't a gas optimization, is it \"Low\" or \"QA\"?\nA: QA includes both Low and Non-critical.", "Is there any difference between Low and Non-critical vulnerabilities? \nA: Mostly, Low has some quantifiable impact, whereas non-critical is best-practices stuff. More details can be found here: https://docs.code4rena.com/awarding/judging-criteria#estimating-risk", "I have submitted a QA report yesterday but realised that I missed to add some findings there. I know that all QA findings should be submitted at once, what should I do?\nA: You can edit your report.", "If I started doing contest since June, am I still eligible to get any token airdrop?\nA: No, you would have needed to start in 2021 to be eligible for the token airdrop.", "I have submitted QA report yesterday for the new contest but realised that I have missed to add some findings there and I know that all QA findings should be submitted at once, what is the best thing here to do?\nA: You can edit your report.", "I started doing contest since June, am I still eligible to get any token airdrop?\nA: No, the token airdrop would have needed to be done in 2021.", "Is there some kind of process for the attribution of the findings ids in the findings.csv file? Based on the docs it seems to be at the discretion of the judges to attribute a number to each finding and I'm having trouble matching those findings to the actual reported issues. \nA: When the final report is released, the issue numbers will match findings.csv.", "If something is mentioned in known issues section in the contest, is it disqualified as a finding? \nA: If explicitly out of scope it will be contested most of the time.", "If a bug relies on user making a mistake in interaction with contract, is it considered invalid?\nA: If a mistake is conditional it will probably not have the same severity as if it doesn't require a mistake. 
It may still be valid.", "Was there a token airdrop for Code4Arena?\nA: Yes, there was but it was a long time ago.", "Are all the findings disqualified or just the invalid ones?\nA: Just the invalid ones are disqualified.", "Should I leave markdown formatting out of the Issue titles themselves or is it okay to include them?\nA: It's usually okay to include them.", "Are there any advantages to being selected for a primary issue? Will it just be listed in the report?\nA: [No answer provided]", "Should I leave markdown formatting (like `` ) out of the Issue titles themselves? Or is it okay to include them?\nA: It is usually okay to include them.", "Are there any advantages to being selected for a primary issue?\nA: (No answer)", "This kind of issue is quite unlikely isn't it? That would mean that an attacker would init the contract first and nobody would care?\nA: No, it could also mean that it remains uninitialized for a long time and someone malicious happens to stumble upon it and decides he wants to see the world burn. The implementation contract is uninitialized, not the vault instance. If a web3 form utilises the wrong contract or especially if the user tries to front run \"less contract literate\" people by interacting with the contract outside of web ui, someone will find the new contract has been deployed and want to get into the lp (or whatever) first to reap the best rewards. https://code4rena.com/reports/2022-07-fractional#h-01-vault-implementation-can-be-destroyed-leading-to-loss-of-all-assets", "I have a question about the Nouns DAO contest, there is a M-3 finding that I also found, but sent it to \"QA report\" and it wasn't accepted. Is it correct? Or can I appeal it?\nA: (No answer) https://github.com/code-423n4/2022-08-nounsdao-findings/issues/315", "On what basis does the reward of gas optimization gets distributed to wardens? 
I couldn't wrap my head around 'curve logic' written in docs.\nA: There's an example spreadsheet in the docs that might help understanding it. https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0", "What is the criteria that a report gets selected in contest (is it related to the reward you get afterwards)? A person submit gas finding as soon as a contest starts vs a person who submit after sometime but with a good quality report, which one will be rewarded more?\nA: Time of submission has no meaning. Currently all dupes are getting paid the same, regardless of report quality, but C4 is intending to change that by grading the submission and paying each submission accordingly. https://github.com/code-423n4/org/discussions/34", "What does the \"Verified Contest\" in the #rsvp channel mean?\nA: It seems like it was posted to the wrong channel. It should've gone to the certified warden rsvp channel.", "I see the Olympus reward PR is pending, will the result be announced soon?\nA: (No answer)", "What is the criteria that a report gets selected in contest ( is it related to the reward you get afterwards ? ) . A person submit gas finding as soon as a contest starts vs a person who submit after sometime but with a good quality report, which one will be rewarded more?\nA: Time of submission has no meaning. Currently all duplicates are getting paid the same, regardless of report quality, but CodeArena is intending to change that by grading the submission and paying each submission accordingly. [Link](https://github.com/code-423n4/org/discussions/34)", "What does the \"Verified Contest\" in the #rsvp channel mean?\nA: Looks like it was posted to the wrong channel by mistake. 
It should've gone to the certified warden rsvp channel.", "I see Olympus reward PR is pending, will the result be announced soon?\nA: No specific answer provided.", "Are there gonna be any party hosted by CodeArena on devcon?\nA: Yes, there will be a party hosted by CodeArena at devcon. [Link](https://twitter.com/code4rena/status/1577405876952272896?s=21&t=YjWD5aNJCZKKN9jXrRDh7A)", "What does score, pie, split and slice mean in the findings file?\nA: It's how the funds are split between ranked finding, and all well documented in the CodeArena docs. [Link](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic)", "I having some problems with Yarn. How can I fix it?\nA: Seems like Yarn doesn't have permissions, 99% wrong install of Yarn. Try deleting and reinstalling Yarn and try again.", "Does someone know how to fix it?\nA: Opening a terminal with admin rights would probably do the trick.", "How are the funds split between ranked finding, and all well documented in the c4 docs?\nA: For information on how funds are split between ranked findings, refer to the C4 documentation. Link: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic", "I am having some problems with Yarn. What can I do?\nA: It seems like Yarn doesn't have permissions. This usually happens due to a wrong installation of Yarn. You can delete it and reinstall Yarn and try again.", "How can I fix my issue when the terminal isn't opening properly?\nA: Opening a terminal with admin rights would probably do the trick.", "What command does CodeArena use for environment variables?\nA: They use the Bash command for Env Variables.", "What can I do to solve the problem of my PC randomly shutting off and only lighting up for a second when trying to power back up?\nA: This could be potentially due to a faulty PSU or motherboard power module, as a ram or CPU issue would give error beeps or a code on the numerical display, depending on the motherboard manufacturer. 
Unplugging from mains power for a while (like 30-60 mins) and then trying again may help.", "I saw a few very good gas reports in a recent contest. Can I use that template for my reports with a few changes or is it not allowed?\nA: You are allowed to use that. But make sure to add the correct content from the current contest and think about the value for the sponsor, not just fillers.", "Is the gas optimization pool shared among the reporters or is it awarded only to the top gas opt reporter?\nA: Each gas report is scored, and rewards are distributed accordingly. Link: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic", "How can I reset my password if the reset link doesn't appear on my email?\nA: [No Answer]", "My PC was running fine and then shut off randomly. When I try to power it back up, it lights up for half a second then shuts back off. Could this be due to my PSU?\nA: It could potentially be your PSU or motherboard power module. Consider unplugging your PC from mains power for about 30-60 minutes and then try again.", "I noticed that the \"test\" command contains \"REPORT_GAS=true\" in package.json. Can I just delete the \"REPORT_GAS=true\" part?\nA: [No Answer]", "Is the gas optimization pool shared among the reporters or is awarded only to the top gas opt reporter?\nA: Each gas report is scored, and rewards are distributed accordingly. See https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic", "For the \"Links to Affected Code\" section in the high/medium findings, do I only add the github permalink for the respective code block? Or am I allowed to add the permalink in Markdown style? For example, can I add the link in Markdown format like this: ERC20.sol L35-40 ?\nA: Put markdown in the finding body, put only link in the small box (there's a + if you need to put more links)", "Can somebody explain this gas optimization in detail?\nA: 99% of people that send it don't know either, so you're not alone. 
1 level is that Solidity applies a bitmask to ensure that all data beside the meaningful byte is zero. The other level (more nuanced) is to save gas to avoid triggering gas refunds (e.g. nonReentrant modifier). It is recommend you benchmark the code and come to your own conclusions, this will help you write findings you can prove which will yield better results over time.", "I got the \"verify your email\" email and the link in it is not working. Who can I talk to?\nA: (No specific response was provided in the chat)", "I'm getting this error even though I installed them?\nA: (No specific response was provided in the chat)", "I am an undergrad IT student currently in my 3rd year. My current goal is to make my career in cybersecurity (penetration tester). I am learning web application security and aiming to get some bounties on bugcrowd and hackerone until I came across code4rena. I'm totally invested in learning about smart contracts now, but I fear that by doing so, my web2 security skills would be on a halt. My only motivation learning about smart contracts is 'money' than bugcrowd/hackerone. Should I: 1. Complete focus on smart contract and make money 2. Focus on web2 security and do this as a sidekick?\nA: (No specific response was provided in the chat)", "I got the \"verify your email\" email and the link in it is not working. Who can I talk to?\nA:", "I am an undergrad IT student currently in my 3rd year. My current goal is to make my career in cybersecurity. I am totally invested in learning about smart contracts, but I fear that by doing so, my web2 security skills would be on a halt which I don't want. My only motivation learning about smart contracts is 'money' than bugcrowd/hackerone. What should I do? Should I complete focus on smart contract and make money or focus on web2 security and do this as a sidekick?\nA1: The focus shouldn\u2019t be on money, but on growing your skillset and knowledge. 
If that\u2019s the sole reason for learning about Web3, then you should focus on building a strong foundation in Web2 security. You\u2019re still young, make full use of your time to discover what you\u2019re competent at and what interests you more. \nA2: Only you can answer that question. You know what matters more for you personally. Good money can be made both in Web2 and Web3 if you are good. It seems you still have a very on the surface understanding of both types of security practices. Perhaps you should deepen your knowledge in both until one side \"grabs\" you more than the other. \nA3: The focus should be on what you enjoy the most. If you like the crypto/finance world, you should focus on that.\nA4: The choice is all yours. Cybersecurity is a broad career path with many domains. If you want to focus as a Penetration Tester and juggle smart contract auditing, your first step is to learn about the technology then apply the cybersecurity concepts to it with an attacker mindset.", "Could someone tell me how I can do the KYC process?\nA:", "Is the option to submit findings without authenticating gone?\nA:", "According to the docs, there are 4 minimum criteria to be backstage+ [https://docs.code4rena.com/roles/certified-contributors/backstage-wardens]. For criteria 2 and 3, when are they considered to be satisfied (e.g. contest ends, leaderboard released, report released)?\nA: They are considered to be satisfied when the awards are announced and they are added to the leaderboard.", "Could someone tell me how I can do the KYC process?\nA:", "What do you guys think I should do? 1. Complete focus on smart contract and make money 2. Focus on web2 security and do this as a sidekick?\nA: The choice is all yours. Cybersecurity is a broad career path with many domains, but still focuses on the 3 ethos. 
If you want to focus as a Penetration Tester and juggle smart contract auditing, your first step is to learn about the technology then apply the cybersecurity concepts to it with an attacker mindset. As a Penetration Tester, you have a methodology, it would be useful in web3 security (Enumerate, Enumerate, Enumerate). There's no wrong path, each path creates learning opportunities for you, learn and grow in your career path.", "Is the option to submit findings without authenticating gone?\nA:", "For criteria 2 and 3, when are they considered to be satisfied (e.g. contest ends, leaderboard released, report released)?\nA: They are considered to be satisfied when the awards are announced and they are added to the leaderboard.", "How to send ether with constructor while deploying contract in foundry?\nA: You can refer to this: https://ethereum.stackexchange.com/questions/68519/creating-a-new-contract-specifying-a-sender-and-value-with-factory-pattern", "When I send anything for example gas optimization I create an issue and send all or I must create one for each one?\nA: Gas and low/qa, one issue and send all. Medium and high, one issue for each finding. Read: https://docs.code4rena.com/roles/wardens/submission-policy", "Has anyone already done this work? 
Do you think it would be useful to do this and use this database as a \" To Do List/ Things to Check \" in my potential future audits?\nA: These resources may help: https://github.com/transmissions11/solcurity and https://github.com/Tomosuke0930/C4-report-categolized.", "What is the story behind AVL trees and 50M$?\nA: Here is the explanation: https://sanebow.me/bnb-hack-iavl-explained", "How long does the certification process take usually?\nA:", "What happens between the announcement of the awards and their distribution?\nA:", "Have you received for Olympus?\nA: Yes.", "What is the story behind AVL trees and 50M$?\nA: [This link explains the story](https://sanebow.me/bnb-hack-iavl-explained)", "How long does the certification process take usually?\nA:", "What happens between the announcement of the awards and their distribution? I used to think that C4 is waiting for sponsors to transfer the \"Pool\", but it looks like they've already been transferred (I assume because Olympus and Nouns DAO are already accounted for in [this link](https://github.com/code-423n4/org/discussions/49)). So, is this time used to validate the results, or something else?\nA:", "Have you received for Olympus?\nA: Yes", "Have all the prizes been sent for Olympus?\nA: They aren\u2019t sent yet", "Are you checking DAI?\nA: Was checking USDC", "I filled out the wrong form, how do I do it editing?\nA:", "If there is a code snippet IERC20(USDT_TOKEN).transferFrom(msg.sender, address(this), _amount); is it safe to say we should use safeTransferFrom? I ask this because the USDT_TOKEN is already wrapped inside IERC20 so is it feasible to use safetransfer?\nA: You should draw the conclusion based on the token used and the expectation of the code. If the interface expects a return value, the code doesn't work. 
If the interface doesn't expect a return value, the code is fine and could be considered a gas optimization as USDT reverts on failed transfer.", "So if it was a token which doesn't revert on failed transfer, then it's a good practice to use safe version right?\nA: If the token doesn't revert, (returns false on failure) and you don't check, it's a vulnerability that can be exploited.", "What is the impact if a token doesn't revert on failed transfer and you don't check?\nA: Impact will determine severity, if you send this finding (forgot to check), it's probably Medium. If you can steal all the money, then it's high.", "Is it a good practice to use the safe version if a token doesn't revert on failed transfer?\nA: Yes, if the token doesn't revert (returns false on failure) and you don't check the return value, it's a vulnerability that can be exploited.", "What determines the severity of a bug in a smart contract?\nA: The impact of the bug will determine its severity. If you forgot to check the return value of a function, it's probably a medium risk. If the bug allows you to steal all the money (e.g. like what happened with Temple Dao), then it's high risk.", "Is it a vulnerability if the token is USDT and the smart contract updates account mapping after the transfer?\nA: The answer is not provided in this chat.", "Are there any Capture The Flag (CTF) competitions with concepts related to smart contract vulnerabilities?\nA: Yes, you can reverse engineer this example from TempleDao post mortem: https://rekt.news/templedao-rekt/", "Is it possible to make the smart contract audits run in a continuous way?\nA: Running multiple audits at the same time can also have its advantages.", "How can I find which finding of a contest were rejected and why? 
Also, how can I be able to see the others' findings after the contest finishes?\nA: You can wait for the report and check the Github of the findings.", "What are bins in trader joe contracts?\nA: The answer is not provided in this chat.", "How can I find which finding of a contest were rejected and why? Also, how can I be able to see the others findings after the contest finishes?\nA: Wait for report and check Github of the findings, there may be a better way coming soon.", "Do anyone know what are bins in trader joe contracts?\nA: You can find information about this at https://docs.traderjoexyz.com/concepts/concentrated-liquidity. However, understanding it may still be challenging.", "Is x != 0 cheaper than x > 0 only in require statements or everywhere?\nA: It is only cheaper in require statements, and only prior to 0.8.13.", "Who should we send invoices to regarding the contest payouts? Do we send the invoice to the SilverSide Management or the Code4rena Foundation (both on the Cayman Islands)?\nA: Invoices should be sent to the Code4rena Foundation. 
More information is available at https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions.", "What is the company identification number for the Code4rena Foundation?\nA: This information was not provided in the chat.", "Is the $5 minimum for eligibility for payout referring to total awards or awards for individual bugs?\nA: This is referring to total awards, not awards for individual bugs.", "Is it possible to get payment/source of funds confirmation letters?\nA: Currently, the only available information on this subject is the same docs cited above.", "Can anyone from C4 sign anything as a confirmation?\nA: This question was left unanswered in the chat.", "Is the payout less than 5 dollars referring to total awards or individual bugs?\nA: It's referring to total awards not awards for individual bugs.", "Can we get payment/source of funds confirmation letters?\nA: All documents related to payments or source of funds can be found in the cited docs.", "Can anyone from C4 sign anything as a confirmation?\nA: C4 staff are employees of a corp hired by the DAO, so they can\u2019t sign on behalf of the DAO.", "Can C4 staff confirm public information such as a user's earnings, their ethereum address, or payment transaction hash?\nA: If you prepare the statement as you like it and send a help request, C4 staff can verify the accuracy and attest to that accuracy.", "If I find a medium/high vulnerability that I have no idea how to mitigate/fix should I report it as QA?\nA: Your work is to find the issue and explain it very well, a recommended fix it's a gift for the sponsor, sometimes the fix is just a \"delete all and start from the beginning....\", but the recommendation doesn't affect the criticity.", "Do I need to include a fix in the report of an issue?\nA: A recommended fix is not the most important part of the report, but it is appreciated.", "What are good resources for learning the solidity compiler?\nA: There is no 
answer provided.", "What platforms do you use to write reports?\nA: Some platforms used are: Github, Joplin, VSCode, Notion, etc. Just make sure the tool supports markdown.", "Is it fine to submit a (very long) POC using external platforms (ex. gist)?\nA: Yes.", "How is c4udit output handled?\nA: For each contest, C4 staff ask a +backstage warden to run c4udit (or a variation on it) and post the output in the contest channel so it's visible to everyone. If the issue is posted in the channel, it is a known issue, and known issues are out of scope.", "What sort of platforms do you guys use to write reports?\nA: We mainly use Github, Joplin or Visual Studio Code, Notion, etc. The important thing is that the platform supports markdown.", "Is it fine to submit a (very long) POC using external platforms (ex. gist)?\nA: Yes, it is fine to submit a very long POC using external platforms.", "How is the c4udit output handled in contest channels?\nA: For each contest, C4 staff ask a backstage warden to run c4udit and post the output in the contest channel so it's visible to everyone. If an issue is posted in the channel, it is considered a known issue and is out of scope.", "Isn't the tool in question a different one, not a variation on c4udit? \nA: The tool in question is indeed a different tool in a different language that imports and expands on the same checks.", "Isn't it absurd that one tool's output can be posted and contribute to checks invalidating specific findings, but posting another tool's output doing the same checks is banned?\nA: It may seem absurd, but the aim is to prevent judges and sponsors from having to wade through multiple reports consisting of the same findings from the same tool output.", "Isn't the issue here the findings themselves but the pasting of tool output without context or triage? 
Would that be a fair conclusion?\nA: Yes, the issue is the pasting of tool output without context or triage.", "Is it okay to use the automated output if we triage and add context?\nA: Yes, it is okay to use automated output if it is used to build a case for high/medium severity issues, and adds real value to the sponsor, audit report, etc.", "Wouldn't it be better to give such a tool to a sponsor so they can fix these small issues in advance, have a list of non valid issues like i++, and have a general policy about the usage of tool?\nA: There needs to be a balance. While giving the tool to a sponsor can be beneficial, it wouldn't be ideal to require sponsors to fix every minor issue before running their contests.", "Wouldn't it be better to give the sponsor a clear report once and for all for all issues that the tool is parsing prior to the contest, to reduce spam?\nA: The goal wouldn't be to ask the sponsor to fix the issues, but to give them a clear report of all issues the tool finds prior to the contest, to reduce report spam.", "What is the reasoning behind assigning a Low level to not using 2-step transfer pattern for access control?\nA: This question was not answered in the chat.", "What is the reasoning behind assigning a Low level to not using 2-step transfer pattern for access control?\nA: Check the link provided for further information, https://github.com/code-423n4/org/issues/52, and feel free to add detailed argumentation.", "How long does it take to complete the KYC process?\nA: It's not unusual for the KYC process to take up to a week or more. However, make sure to check your email, including your junk mail, for any updates. 
Some people have reported waiting up to 10 days, depending on various factors.", "Can I be wardens & Mansons at the same time?\nA: Yes, you can.", "Is it possible to create an #\ud83d\udce2announcements like channel named #audit-reports or something in which a new message is posted whenever a new report gets published on C4 website?\nA: [Answer is not provided in the chat.]", "What happens if I accidentally report something that turns out to not be an issue? Are there any negative consequences if it's clear that I'm not doing it on purpose?\nA: There are no negative consequences for accidentally reporting an issue that turns out to not be one, but it's recommended to withdraw them to save judges' time. However, with the new changes, submitting more than 3 invalid issues per contest will be punished. Therefore, it is important to be careful and respect others' time.", "What if I submit a medium bug for a contest with a complex application and I didn't understand the logic correctly? So it might be determined that the application is working as intended.\nA: In such a case, the sponsor won't confirm the issue. However, it's always recommended to fully understand the application to respect others' time and write good reports.", "What happens if I submit a bug for a contest with a complex application and I didn't understand the logic correctly? So it might be determined that the application is working as intended.\nA: The sponsor won't confirm the issue. It's important to respect others' time.", "What are the consequences of not withdrawing submitted issues?\nA: Invalid issues can be punished if at least more than 3 of them are submitted per contest.", "Are all rewards sent in polygon(Matic)?\nA: Yes, all rewards are sent in USDC on Polygon.", "Are there guidelines on determining the severity of rug vectors?\nA:", "What should be the answer?\nA:", "Do I need to do KYC to be able to receive prizes? 
If so where is your KYC form/link?\nA: KYC is needed only for some contests. Details and the form can be found at https://docs.code4rena.com/roles/certified-contributors.", "If I submit what I think is a high severity issue, and provide working code that proves my claim, but a judge disagrees with it being high severity (e.g. they think its medium severity), is there a chance I get 0 rewards for it?\nA: If it's downgraded to Medium, you'll be awarded for finding a Medium issue. Judges can invalidate if they think you're over inflating severity. However, if the issue is well thought out, it is unlikely to be closed even though the Severity was changed during Judging.", "Do I need to do KYC to be able to receive prizes? If so where is your KYC form/link?\nA: Only for some contests. Details (and link to form) here: https://docs.code4rena.com/roles/certified-contributors (edited)", "If I submit what I think is a high severity issue, and provide working code that proves my claim, but a judge disagrees with it being high severity (e.g. they think its medium severity), is there a chance I get 0 rewards for it?\nA: If it's downgraded to Med you'll be awarded for finding a Med. Judges can invalidate if they think you're overinflating severity. But I've never seen a judge close an issue when it was well thought out even though the Severity was changed during Judging.", "Are the issues that are in the published reports the same as were reported? If I report with the same level of detail as in the published reports, is this considered to be a good report? Or are the published reports just a kind of summary of what was submitted originally by the wardens?\nA:", "Does anyone have any books about smart contract security? Or certifications?\nA:", "Is there a way to change my username on code4rena?\nA:", "Can anyone explain what this picture tells?\nA:", "I couldn't see the $ in my Polygon wallet and I didn't send any Matic to anyone. 
If that wasn't me, then what has happened?\nA: If that wasn't you, then it seems like your key is compromised.", "How can they get my signature from discord hacking?\nA:", "What should I do to prevent this attacks!?\nA: Use a new wallet.", "What does this function mean: transferWithAuthorization(address from, address to, uint256 value, uint256 validAfter, uint256 validBefore, bytes32 nonce, uint8 v, bytes32 r, bytes32 s)\nA: It means either your PK is leaked (they can re-do it), or you recently signed some gibberish which was an approval with the goal of scamming you.", "So opening a new metamask from scratch fixes this problem? Or they completely hacked my laptop and everything is in their hands?!\nA: I wouldn't know, you need to verify how the malicious tx was created (e.g. did you sign some random crap, do you have unlimited approvals to sketchy stuff). The only certainty is that if you roll a new MM on a new device that is not connected to the internet, then it should be fine. You should look into HW wallets as well.", "What should I do to prevent attacks on my wallet?\nA: Use a new wallet.", "Does opening a new metamask from scratch fix the problem of a potential hack? Or has my entire laptop been compromised?\nA: It's not certain, you need to verify how the malicious transaction was created. For example, did you sign some random approval, do you have unlimited approvals to sketchy stuff etc. The only certainty is that if you roll a new MetaMask on a new device that is not connected to the internet, then it should be fine. 
You should also consider using hardware wallets.", "How can I deploy a contract on Foundry which takes a struct as an argument in the constructor?\nA: This can be achieved as follows:\ncontract A {\n struct Config {\n address someConfig;\n address anotherConfig;\n }\n Config config;\n constructor(Config memory param) {\n config = param;\n }\n}\n\ncontract Test {\n A a;\n function setup() {\n a = new A(\n A.Config({\n someConfig: address(0x001),\n anotherConfig: address(0x002)\n })\n );\n }\n}", "How can I change my wallet address?\nA: Generate a new private key. You won't be able to change your current address while keeping the same private key.", "My metamask wallet has been hacked and my reward from CodeArena was stolen. I have changed the payment address to a new wallet address. Is this sufficient or is there something else I should do?\nA: You should also remove the compromised address from the login. This step may require support from CodeArena.", "How does the DAO voting work?\nA: No answer provided.", "Is there any guidance document about malicious tokens and level of findings? Where do you draw the line?\nA: No answer provided.", "I accidentally leaked my private key on GitHub, was that the problem?\nA: It could be, especially if the repository was public. Bots may be monitoring all new GitHub repos and could have picked up the private key.", "My metamask wallet is hacked. The reward I got from code4rena , was stolen. Now what can I do? There are few upcoming contests, whose reward I will get in that metamask wallet address. So how to prevent that also from being stolen. Steps I have taken: Logged into code4rena and changed the payment address to a new wallet address. 
Is it sufficient, or I am I missing something else?\nA:", "Was your compromised Github repository public or private?\nA: Public.", "How do you guys benchmark your code for gas savings etc?\nA: The hardhat gas report plugin is something useful for this.", "It's been 10 days since I applied for Kyc and it's still pending, is this normal?\nA: Can you submit a help request on this?", "Is there a way to get notified when new report is published?\nA:", "I can't see transaction with award from NounsBuilder, can someone help me?\nA:", "When I first sign up, I was asked for a 16-digit password. But, there is no such condition when I reset the password?\nA:", "I am trying to decode topics/data from event logs without using web3 library and only with information from etherscan and I am having troubles... I am only using etherscan and I have the abi as well as the data/topics in hex but I dont know how to compute the human readable value. Any clue or resources? (I am using python)\nA:", "Tried to submit my QA at the last minute and failed (yeah, I'm aware about the notice in the docs but I got carried away), is there anything that can be done? I've created a secret gist on GH as a proof if it's helpful.\nA:", "For gas opt, are only those in the generated report invalid? what about others in https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md\nA:", "When I first sign up, I was asked for a 16-digit password. But, there is no such condition when I reset the password? \nA:", "It's been 10 days since I applied for Kyc and it's still pending, is this normal?\nA:", "I am trying to decode topics/data from event logs without using web3 library and only with information from etherscan and I am having troubles. I am only using etherscan and I have the abi as well as the data/topics in hex but I dont know how to compute the human readable value. 
Any clue or resources?\nA:", "Tried to submit my QA at the last minute and failed, is there anything that can be done? I've created a secret gist on GH as a proof if it's helpful.\nA: Unfortunately we have to maintain the firm deadline and cannot accept late submissions.", "For gas opt, are only those in the generated report invalid? What about others in https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md?\nA:", "Is it possible to demonstrate the actual re-entrancy attack in public testnet? All accounts involved though are created by me.\nA: Why does it need to be on the testnet? Can't you just write, say, a Foundry test that forks its state from the testnet (or even the mainnet)? Which would be a much preferred option given the somewhat confidentiality of potential exploits in C4 audits until the findings are made public. Well yeh as @100proof suggested utilise foundry to fork I guess. No need to grab testnet tokens for transactions or wait time on blocks. Yeh pretty much, think a local ganache instance with data forked from a live network be it a main or test net, then once forked it runs locally. Yeah, local forking is just so convenient and you don't pollute the testnet with stuff that doesn't need to be there. Testnet is probably a good place to test a smart contract with 100s of users and complex state. 
But if you just want to write a toy contract and exploit it just use a private testnet.", "How do i Withdraw the rewards I got on my Findings?\nA: Send it to your binance account or whatsoever cryptotrading platform you prefer.", "How do I send my rewards to my binance account or any other cryptotrading platform?\nA:", "How do I withdraw the rewards I got on my Findings?\nA: Send it to your binance account or whatever crypto trading platform you prefer.", "How do I withdraw the rewards to my binance account?\nA: Use Metamask.", "Is it possible to withdraw the rewards if you don't have binance?\nA: Yes.", "What is another method to convert rewards to fiat?\nA: Converting to some fiat could be done via p2p or various centralized exchange services.", "If in a function a state is changed first and then there's a require statement which fails, will the state change persist?\nA: The state will remain the same.", "So the state would be reverted back to what it was right?\nA: Correct, the state would be reverted back to its previous state before calling the function.", "If in a function a state is changed first and then there's a require statement which fails, will the state change persist?\nA: The state will remain the same. If the require statement fails, the state would be reverted back to what it was prior to calling the function.", "How can we exploit on mainnet other than mainnet forking?\nA: This question wasn't directly answered in the chat.", "What does \"totalDueTokensAccrued\" represent?\nA: It represents total DBR accrued.", "What is the \"Judge presort awards\"? Please tell me its detail. https://github.com/code-423n4/org/discussions/50 \nA: Pre-sort is a service for the sponsor where we sort out all duplicates so they have less findings to look at when doing Sponsor Review. A document with Top QA and Gas is also sent to the sponsor.", "Who do you think makes a great report? 
\nA: The best reports are focused on one specific attack or issue, feature the project's code, have an easy-to-understand POC or specific example, and include a coded test that demonstrates the vulnerability.", "Submission rules say I shouldn't make findings \"public\" until a contest is finalised, but I've included a link to a repo which includes the tests for my POC, and obviously this repo is public so the judge can see it. Is this okay? \nA: It's suggested to use Github Gist to provide the POC.", "What's going on with the 200+ new wardens in the last 24 hours? Sybil attack or some next-level marketing move?\nA: This question wasn't directly answered in the chat.", "Who do you think makes a great report in your opinion?\nA: The best reports are focused on one specific attack or issue, feature the projects code, have a simple to understand POC or specific example, and have a coded test that demonstrates the vulnerability. Some reports don't have code and are still good, but in general you can't go wrong if a Judge / Sponsor can copy paste your code and it works.", "Submission rules say I shouldn't make findings \"public\" until a contest is finalised, but I've included a link to a repo which includes the tests for my POC, and obviously this repo is public so the judge can see it. Is this okay?\nA: You should use github gist to provide the POC.", "What's going on with the 200+ new wardens in the last 24 hours? Sybil attack or some next-level marketing move?\nA: They are volunteers who will be helping us to test our anti-sybil protection systems recently introduced. Some may misunderstand this as an airdrop opportunity.", "Will the math expressions display correctly in the GitHub findings repo if I use math expressions (Latex/Mathematics) in the submitted issue?\nA: You should create a private repo in github. create an issue there and make your report there. 
How it looks there will be like how it look in the findings repo.", "Why was I not able to receive the password reset email when I tried to login and reset my password via the website?\nA: No answer provided in the chat.", "I believe zkSync should mention that C4 audit is not a consideration of airdrop. Since the tweet includes the total prize 165k, it might be easily interpreted to some airdrop happening. How should we address this?\nA: Any mention of 'no airdrop' will probably only bring more attention to airdrop hunters. It's best to get through this, mark it as a learning experience, and then consider ways we can prevent flooding in the future without having to worry about wording from the marketing side of things.", "In the report, I see many finding list the first warden who reported it and then a list of wardens that also found the finding. Do the guys in the list \"also found by\", do they receive shares or reward? What is the rule of code4arena for it?\nA: The best report will get a bit more money than the other reports. And if the duplicate is not beyond a threshold, you might not get any money. So make sure to write the reports well and include a poc if you can.", "In the report, do the people in the list \"also found by\", receive shares or rewards? What is Code4Arena's rule for it?\nA: [Link to Code4Arena's Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards)", "Is the reward system different from bug bounty where the second person gets no reward as it is a duplicate? \nA: The best report will get slightly more money than the other reports. And if the duplicate is not beyond a certain threshold, you might not get any money. So make sure to write the reports well and include a poc if you can.", "Can contest findings be posted and shared by the warden after contests are finished?\nA: No, findings are not allowed to be discussed until the contest report has been published. 
[Link to Code4Arena's Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines)", "During the contest, if I submit a finding, do I receive comments or reviews from the judge or sponsor? When will the review be done? When can discussions between the wardens and the sponsors and judge happen?\nA: Review starts immediately after the contest. The process is as follows: Contest ends > Sponsor Review > Judge review > Sponsor confirmation > judge's final report and announcement of the results. You can only see your submission and the comments in your submission after the announcement once the repo is set to public unless you're certified for backstage.", "Regarding invoicing, who can I ask?\nA: [No answer provided.]", "Are they HMs or QAs?\nA: [No answer]", "I have a question regarding invoicing. Who can I ask?\nA: You can refer to this documentation for related queries: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions", "On one side it says there is no entity to issue an invoice. On the other, there is a foundation. Can we issue them?\nA: You could create an internal invoice and add as much proof to it as you can as to the source of the income (screenshot of the awards). The approach may depend on your jurisdiction.", "Is this static analyser up-to-date and the one being used today by Code4rena for QA and gas optimization?\nA: [No answer]", "How do you compute the number \"SOLC\" for each contest?\nA: You would have to load the file into a buffer, then loop for each line. If the line is empty or starts with \"//\", it may or may not count as a SLOC, depending on additional conditions. When you encounter a \"/*\" then don't count until the next \"*/\".", "What is so bad about the penalty system? Why are you afraid of it?\nA: The bar for satisfactory performance is high, which means more items triggering the penalty. 
Also, the high number of strikes for reports warrants a deeper look and possible adjustments.", "I'm a bit curious about private contests. Do you guys cherry pick who gets in or is it based on some kind of metric (reports, $)?\nA: Private contests require KYC and becoming a certified warden. You can refer to the official documentation for details.", "How to become a certified warden?\nA: You can become a certified warden by following the process outlined in this link: https://docs.code4rena.com/roles/certified-contributors", "I send a Support ticket and I think that it hasn't been responded yet.\nA: [No answer]", "How to become a certified warden, any link?\nA: Here you go https://docs.code4rena.com/roles/certified-contributors", "I send a Support ticket and I think that it hasn't been response yet, can you check?\nA: Hi! I sent you a dm a few hours ago... Just fyi, in case it is about your mason help request.", "This type of contest (like threat contest), can the threat be in Spanish?\nA: Spanish is ok", "How to generate the block-style format for argument, function name in the audit report?\nA: Use ``", "I submitted application to be certified C4 wardens 1 week ago but I can't accept the KYC mail. How long will it take to receive this email?\nA:", "Are Pending transaction on mempool not hashed? Like how can one front run if it is hashed?\nA: No, it's not hashed. You have access to the data of the transaction.", "Once you join a team, should you always participate as a team? It's a good opportunity to divide the load when there are many contests, but when there is only one contest, I can afford to dedicate myself to it completely.\nA:", "I submitted application to be certified C4 wardens 1 week ago but I can't accept the KYC mail. How long will it take to receive this email?\nA: It may take 2-3 weeks. You should check your spam folder for an email from \"compliance@provenance.company\".", "Are pending transactions on the blockchain's mempool not hashed? 
How can one front run if it is hashed?\nA: No, the transactions are not hashed. You have access to the data of the transaction.", "Once you join a team, should you always participate as a team? \nA: No, you don't necessarily have to participate as a team.", "What if 2 people submit the same or similar bug? Is the bounty price divided or the first one to post is considered?\nA:", "Do you know of a site where you can get free matic?\nA: Yes, you can try https://wallet.polygon.technology/gas-swap/.", "My metamask wallet is showing zero balance even though there is a hash on polygon scan with my address. Why is this?\nA: Make sure you are checking the right token balance. You may need to add the specific token, like USDC on polygon, to your wallet before the balance shows up.", "Is using storage instead memory in the view function fits into the category of gas report or QA report?\nA:", "The function sets up a vesting with a cliff and a linear vesting, any (but not both) of which may be zero. If the linear vesting is zero, should I use _endTimestamp or _startTimestamp or _releaseIntervalSecs, there's nothing to linear release?\nA: If _linearVestAmount is zero, remove both the highlighted requires or do the highlighted requires only if _linearVestAmount is non-zero.", "My Metamask wallet is showing zero balance even though there is a hash on polygon scan with my address. Am I checking the right token balance?\nA: You might need to add USDC on polygon to your wallet before the balance will show up there.", "Does using storage instead of memory in the view function fit into the category of gas report or QA report?\nA:", "I sent a request to become a certified warden 2 days ago. How long should I wait before my request will be processed?\nA: Usually the folks at Provenance reply within 2 business days. Be sure to check your spam folder. 
Here's a related post: https://discord.com/channels/810916927919620096/810936719003090974/1039222703091105802", "Are there any Capture The Flag (CTF) for rust smart contracts?\nA: There might not be a need for them anymore, as it seems like Terra is dead and Solana might be following suit, but NEAR is still an option.", "Can anyone please help link the C4audit repo?\nA:", "I sent a request to be a certified warden 12 days ago but I haven't received an email from Provenance. I've checked the spam folder but I can't find it. How can I help?\nA: If you haven't already, please submit a help request so that our team can look into this further with Provenance. Here's the link: https://code4rena.com/help", "Is the order of issues in a report (for example, M-20) significant or random?\nA: It's mostly random, but sometimes Judges might put the most interesting issue first.", "Is the order of issues addressed by Judges at CodeArena random or following some pattern?\nA: The order is mostly random, although sometimes Judges may prioritize the most interesting issue first.", "What kind of experiences have people had with team hunting?\nA: The experiences vary, but one user mentions not having a good experience with it due to lack of confidence in their anonymous online partner.", "What could be the reason for a negative team hunting experience? Could it be different levels of experience/knowledge or some other reasons?\nA: It could be due to a lack of confidence in an anonymous partner over the internet, making trust a significant factor in the experience.", "How can I withdraw my rewards?\nA: The rewards are distributed by the CodeArena (C4) team. 
There is no smart contract to pull the bounties.", "How do I attach screenshots on vulnerability details section when submitting a report for the first time?\nA: You can copy the Github permalink and the lines of code for the affected code.", "What should I do if it is a mitigation?\nA: You can use a markdown to write the code.", "When submitting a report, is it ok if I do not create .orig files and do git diff --no-index a.sol a.orig.sol, but rather just do git diff of the project folder?\nA: (No answer provided)", "Any news on the trader joe contest bounties? How long does it usually take for these to be announced?\nA: It varies depending on the contest, but progress is being made towards judging and Quality Assurance (QA) for the trader joe contest.", "When submitting a report, is it ok if I do not create .orig files and do git diff --no-index a.sol a.orig.sol , but rather just do git diff of the project folder?\nA:", "Any news on the trader joe contest bounties? Happened almost a month ago; how long does it usually take for these to be announced?\nA:", "Is it allowed to make a \"secret gist\" to show a code example or will it then be counted as \"opened the problem and disqualified\"?\nA: It's fine.", "To start auditing, may I fork the codebase and create a private repo on Github? Is pushing code to GitHub some kind of information disclosure?\nA: If the repo is private it should be fine. After all your submitted findings will be created as a github issue behind the scenes anyway.", "Can calldata arguments ONLY be used for external/public functions?\nA: Don't think so, calldata is sent as an entry point to external and public functions but they can send calldata data pointers to internal and private functions.", "So when we see calldata argument in an internal function, is it just a pointer only?\nA: Yes.", "When can delegatecall return false? What happens if the revert happens in the target function?\nA:", "Is the public report page updated mid contest? 
Because when I started the LooksRare contest, my finding was not on the list, but now it is. What can I do now?\nA:", "When the clone function creates a new contract instance, will the constructor be called as well? I wonder how the initialization be called twice (one at constructor, and the other at L38).\nA: No, a clone is a minimal proxy with a fixed implementation address: https://eips.ethereum.org/EIPS/eip-1167. Think of it like an upgradeable proxy that can't be upgraded. So the same rules that apply to other kinds of proxy contracts apply to clones: the constructor won't be called, you should use a special non-constructor initializer function to set necessary parameters, and you need to be careful about ensuring the initializer can't be frontrun or called multiple times.", "When can delegatecall return false? What happens if the revert happens in the target function?\nA:", "When the clone function creates a new contract instance, will the constructor be called as well? How does the initialization be called twice (one at contructor, and the other at L38)?\nA: No, a clone is a minimal proxy with a fixed implementation address. Think of it like an upgradeable proxy that can't be upgraded. So the same rules that apply to other kinds of proxy contracts apply to clones: the constructor won't be called, you should use a special non-constructor initializer function to set any necessary parameters, and you need to be careful about ensuring the initializer can't be frontrun or called multiple times. [Link](https://eips.ethereum.org/EIPS/eip-1167)", "Are there any vulnerabilities case studies for front-running the init() function?\nA: There's an example finding in this ToB Hermez audit under point no. 12, \"Initialization functions can be frontrun\". [Link](https://github.com/trailofbits/publications/blob/master/reviews/hermez.pdf)", "If I want to upload an image as part of the POC, where can I upload it to? 
\nA: You can link it externally.", "How long does it take to become a certified auditor from code4rena after getting approval from Provenance?\nA:", "How do I use the RSVP feature?\nA: Just react to the message in the #\u270brsvp channel.", "Is there any template or best practice for submitting bugs and gas optimizations?\nA: We recommend reading through our docs, especially the submission policy. Also, reviewing warden submissions within our past audit contest reports, as the best submissions are chosen for inclusion in the final reports. [Link](https://docs.code4rena.com/roles/wardens/submission-policy) [Link](https://code4rena.com/reports)", "What is the purpose of #\ud83d\udd06hm ?\nA: It's like a \"go get 'em\" battle cry.", "Do I just react to the message in the #\u270brsvp channel?\nA: Yes!", "What about #\ud83d\udd06hm ? When I Find a high/medium? or just for fun?\nA: It's like a \"go get 'em\" battle cry.", "Why are some of the rewards pending after the contest has finished, for example, Art gobbler?\nA: [No answer given]", "Is there a time where require statements with a string are more gas efficient than reverting with a custom error? Or should a revert always be used?\nA: Instead of require(x < y), we can do if(x >= y) revert customError().", "Are custom errors only cheaper once the require error string was > 32 bytes?\nA: [No direct answer given]", "Does the steak house report recommend changing every instance of require, even those that are not > 32 characters?\nA: The current C4udit is relatively simple and only finds the require with an error string attached, but doesn't count the size of the error string.", "When can I expect a response from Code4rena to become a certified auditor?\nA: We'll get back to you soon.", "Is it necessary to fill the \"## Recommended Mitigation Steps\" section in the bug template? 
Does it provide any bonus for doing so?\nA: [No answer given]", "How much gas do custom errors save each time they're hit by avoiding having to allocate and store the revert string?\nA: Custom errors save ~50 gas each time they're hit by avoiding having to allocate and store the revert string.", "Can I discuss findings on a public channel?\nA: No, since the report is not yet public, you should not be discussing findings on a public channel.", "What's the name of the website to view onchain contract of etherscan in IDE like remix?\nA: The website is https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484.", "Is there a time where require statements with a string are more gas efficient than reverting with a custom error? Or should a revert always be used?\nA:", "Was there a website to view onchain contract of etherscan in IDE like remix. Can you name that website?\nA: Yes, you can use this link: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484", "Is it needed to fill the \"Recommended Mitigation Steps\" information in the bug template? Is it required or is there a bonus for doing so?\nA: It is not necessarily \"required\", but the best reports tend to provide more value to the sponsor by sharing useful recommendations. The better your submission, the more likely it is to get chosen for inclusion in the final audit report.", "How does the distribution of reward work in an audit contest? Can the team modify the reward percentage share for each individual member or is it defaulted for equal distribution?\nA: A team works like a normal person: there is a single address to send rewards to. It is the responsibility of the team to distribute rewards amongst themselves. It's recommended that teams use a multisig wallet.", "Is there a list of optimizations/L1 issues that gets looked at for the usual \"known issues\" link? 
\nA: The things it looks for can be found here: https://github.com/Picodes/4naly3er/tree/main/src/issues", "I need some security expert to sign a letter for me, which confirms that Code4Rena is a high-esteem organization. Can somebody sign such a letter for me?\nA:", "Is there a reward for submitting a new detector?\nA: Karma Points", "Is there a list of optimizations/L1 issues that gets looked at for the usual \"known issues\" link?\nA: The things it looks for can be found here: https://github.com/Picodes/4naly3er/tree/main/src/issues", "I need some security expert to sign a letter for me, which confirms that Code4Rena is a high-esteem organization. I need it for my US talents visa as I've had 3rd and 4th place in code4arena contests, but now need to also prove that these contests are really important and highly-valued in the industry. Can somebody sign such a letter for me?\nA:", "Is there a reward for submitting a new detector?\nA: Karma Points", "How can I use the dollar sign in markdown without creating a mathematical expression?\nA: It's $", "Why is the length to encode the address value 32?\nA: abi.encode makes the data compliant with the abi specs for the evm, so it left pads the address.", "I know the address is 20 bytes but I can't understand the gap between 32(data.length) and 20(bytes of address). What is this 12 bytes? 
And how are they used?\nA: Each slot in the evm is 32 bytes, so these 12 bytes is this left padding filled with 0.", "What does \"24 days\" refer to?\nA: Most likely 24 days without announcements of rewards.", "Any chance of early feedback on a trader joe submission?\nA: Check the judge's post here: https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440 (edited)", "What does the 24 days mean?\nA: Most likely it means 24 days without announcements of rewards.", "Will there be any awards shipped soon?\nA: There will be awards shipped this week, one way or another.", "Is there any way to get notified as soon as a new Audit Report is added on the site?\nA: [No answer provided]", "What about hosting Rust contests on CodeArena?\nA: Yes, we'd like to do that. We've definitely had some discussions with projects in that direction.", "Are there CodeArena grants for building tools?\nA: [No answer provided]", "What is the cheapest way to swap ERC tokens?\nA: By using a DEX aggregator like https://app.1inch.io", "Did Curve Finance change UI?\nA: Yes, Curve Finance has a new UI, but you can still use the classic version.", "Why are Code4rena contests generally shorter than Sherlock contests?\nA: We\u2019ve been using the same lengths vs complexity window since auditor participation was 10x smaller and results have been high quality, so no reason to change as it primarily means more competition on each contest.", "Did Curve Finance change UI? \nA: Yes, Curve Finance has a new UI but the classic version can still be used.", "Why are Code4rena contests generally shorter than Sherlock contests? \nA: Code4rena contests are shorter because the same lengths vs complexity window has been used since auditor participation was 10x smaller. The results have been high quality, so there's no need to change. It primarily means more competition on each contest.", "Can we change the Warden handle? 
\nA: [No answer provided]", "Is it expected that I can submit findings for 'USDC ENS - Versus contest' while I can't access the contest details (error saying that it is restricted to certain participants only)? \nA: You can submit findings for the 'USDC ENS - Versus contest', but you won't get paid for findings because it's an invite only contest.", "How to become a certified warden to participate in private contest? \nA: Information on becoming a certified warden can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.", "What is the eligibility criteria for private contest? \nA: The eligibility criteria for a private contest can be found at https://discord.com/channels/810916927919620096/810931711609143326/1044766051327557642.", "How can we know whether an upcoming contest will be a public contest or a private one? \nA: Private contests have their RSVPs available in a channel only visible to certified wardens. If it\u2019s in the public RSVP channel, it\u2019s a public contest.", "Should the listing section on the website indicate whether an upcoming contest is public or private? \nA: Yes, if the website listing doesn't already have that information, it should be added.", "How can I get the backstage role after identifying my first high vulnerability?\nA: The process to gain a backstage role after identifying a high vulnerability can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "How can we know whether an upcoming contest will be a public contest or a private one?\nA: Private contests have their RSVPs available in a channel only visible to certified wardens. 
If it\u2019s in the public rsvp channel, it\u2019s a public contest.", "Is there an additional field on the listing section that mentions information about public and private contests?\nA: This information should be visible on the website's listing section.", "How can I get the backstage role after identifying my first high vulnerability?\nA: You can get information on how to become a backstage warden here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "What is untyped data signing?\nA: It is a method that allows you to sign data with just your private key and some parameters. For a complete understanding, you need to know about hashing and private keys.", "Why is one contest not shown in the live contest section which was there yesterday in the upcoming contest section?\nA: If you're referring to paraspace, it got delayed.", "For gas optimizations report, am I required to mention how much gas was saved for every finding?\nA: The chat log does not provide an answer for this question.", "Can anyone suggest some good resources to learn math regarding solidity projects and how the accountings are done?\nA: YouTube is a good resource. Specifically, this channel: https://www.youtube.com/@smartcontractprogrammer", "Can anyone suggest a good platform to send tokens from polygon to BNB network?\nA: Binance might be a good platform for this purpose.", "Can anyone suggest some good resource to learn math regarding solidity projects how the accountings are done?\nA: YouTube. 
https://www.youtube.com/@smartcontractprogrammer", "Can anyone suggest a good platform to send tokens from polygon to BNB network?\nA: Binance itself?", "Is it possible to impersonate an account in foundry as we can do in hardhat?\nA: Yes, use vm.prank(address).", "I think prank requires the private key, is that correct?\nA: No need for a private key.", "Does anybody have a bad experience with Provenance or is it just my unlucky case?\nA: You are completing an opt-in ID and address verification process. You don\u2019t have to do it at all.", "I sent all the documentation last week, and today they approved me. Did I have a good experience with Provenance?\nA: This looks not appropriate.", "What do I have to do to run the foundry image with docker after I install foundry with docker but it gives me /bin/sh: -c requires an argument as an answer when I try to run it?\nA:", "Is there any VPN recommendation?\nA: NordVPN allows you to change your IP address, making you harder to track, securing your privacy. Check out the link in the description to get 20% off for the first two months.", "Does anybody have a bad experience with Provenance or it's just my unlucky case?\nA: I had 0 problems personally.", "Is it appropriate to complete an opt-in ID and address verification process?\nA: You are completing an opt-in ID and address verification process. You don\u2019t have to do it at all.", "How do I run the foundry image with docker?\nA:", "What are some ways to stay safe online?\nA: Staying safe online is an ever growing difficulty and you could be exploited by hackers. NordVPN allows you to change your IP address, making you harder to track, securing your privacy.", "Is there any vpn recommendation?\nA: Proton is a good choice, and Hoxx VPN is another option, which is possible to pay in crypto.", "I signed up to be a warden using github a while back. Now to submit a finding you have to sign in with a username and password. 
Can I delete my account so I can recreate the account with a password?\nA: You\u2019re going to need to submit a help request. Code4rena.com/help", "When submitting gas optimization reports do we need to specify how much gas is being saved for each optimization?\nA: You don't have to, but it gives some info about how much was saved thus potentially increases your points.", "How does specifying how much gas is being saved for each optimization increase points? I thought duplicates got split equally?\nA: I'm talking about the whole report which contains your gas optimization recommendations.", "I submitted a help request 3 days ago, can you check it?\nA: The team was out for 4 days due to Thanksgiving, please be patient. Another response is, \"I'm taking care of this now.\"", "I submitted a help request from 3 days ago, can you check it?\nA: Team was out for 4 days due to Thanksgiving, please be patient.", "After submitting an issue from the form provided inside the website, I can't see the issue inside Issues in the repo created for the audit, is this normal?\nA: If you received an email, you're good, if not, try submitting the issue again.", "Which c4udit is used for finding the Publicly Known Issues? I tried to run this https://github.com/byterocket/c4udit but is this outdated? It doesn't get the same result as the Publicly Known Issues report. Is the report using a modified/updated version of the c4udit?\nA: The newest fork is by @Picodes | Angle called Analyzer https://github.com/Picodes/4naly3er", "When submitting gas optimization reports do we need to specify how much gas is being saved for each optimization?\nA: It depends on the judge.", "Is proof of residence necessary for the certified warden certification process? As I'm just a student, and I don't have anything like utility bills/bank statement/etc, can I finish the certification with an identity document instead?\nA: ID and driving license or passport maybe. 
Another user mentioned they didn't need that step with theirs, just a photo id and a selfie was enough.", "If we discover the same type of issue more than once for i.e: Reentrancy attack or some gas optimization of the same type, do we report all of them together and submitting just one finding containing all code lines OR we log separate findings for each occurrence?\nA: Report all of them together.", "Can anyone explain why the txn got reverted? Is there any specific reason? https://snowtrace.io/tx/0x0806bc0a28e4d808ac4dba25997e4b68b40595e003adbaa758ce4894ee20e15a\nA: From decompiled bytecode.", "Can you please explain what does if uint8(stor2.field_160) checks? I mean not so comfortable reading Decompiled solidity code.\nA: Seems like some sort of setting, most likely a struct with setting values, you'll have to spend hours to figure out more tbh, it's just an exercise in patience.", "If we discover the same type of issue more than once for i.e: Reentrancy attack or some gas optimization of the same type -> do we report all of them together and submitting just one finding containing all code lines OR we log separate findings for each occurrence?\nA: All together.", "Can anyone explain why the txn got reverted. I mean if there is any specific reason?\nA: The answer wasn't provided in the chat.", "Can you please explain what does if uint8(stor2.field_160) checks? \nA: It seems like some sort of setting, most likely a struct with setting values. You'll have to spend hours to figure out more tbh, it's just an exercise in patience.", "Why I can't see latest reports?? I am seeing till September month not Oct or Nov report?\nA: The answer wasn't provided in the chat.", "Can someone explain the SAVE GAS BY NOT REQURING NON-ZERO INTERVAL IF NO LINEAR AMOUNT issue?\nA: https://discord.com/channels/810916927919620096/810931711609143326/1039353447977324604", "What does Gsset and Gsreset mean in this?\nA: Gsset = set storage from 0 to non-0. 
Gsreset = set storage from non-0 to non-0, or anything to 0. See https://ethereum.github.io/yellowpaper/paper.pdf page 27.", "Should I register as a warden again if I accidentally lost seed phrase from my wallet?\nA: You should follow the steps here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked", "It's not possible to change login address, right?\nA: You can update your payment addresses from your C4 account screen: https://code4rena.com/account", "I did it, but it's not possible to update login address, right?\nA: The answer wasn't provided in the chat.", "Should I register as a warden again if I accidentally lost seed phrase from my wallet?\nA: You should follow the steps here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked", "Is it possible to change the login address?\nA: You can update your payment addresses from your C4 account screen: https://code4rena.com/account", "Is it possible to update the login address, even after updating the payment address?\nA: You can change the wallet address you log in with if you use MetaMask. https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with", "Does being a warden mean that KYC has passed?\nA: To clear KYC, there's another step, which is to become a Certified contributor. This process is explained here: https://docs.code4rena.com/roles/certified-contributors", "What does SLOC mean and why are the numbers added for every contract?\nA: No specific answer provided.", "Are all the bugs/gas optimizations stated in publicly known issues valid for other files within the same repo, even if not specified there? Or are the bugs/gas savings valid for the entire repo, even if not declared there specifically?\nA: No specific answer provided.", "Does anyone use fuzzing tools? It seems that after 0.8.0 it doesn't make much sense.\nA: No specific answer provided.", "Should I take Web3 as full time? 
And can I get a job as a junior auditor role on the auditing firm at Bear Market situation, considering I have 24 hours of free time every day?\nA: No specific answer provided.", "How many wardens report bugs on average per project? Are we talking in the order of 10, 100, or 1000?\nA: 150-300 submissions per contest is the estimate, this includes QA, gas, dupes, and invalid ones as well.", "Does anyone use fuzzing tools? It seems that after 0.8.0 it doesn't make a lot of sense. Maybe, useful to write down different invariants to check against, but overflow/underflow was the main reason of utilizing echidna prior to 0.8.0 I guess.\nA:", "I need some career advice. Do you recommend that I take Web3 as full time? And can I get a job as a junior auditor role in the auditing firm at a bear market situation? I have 24 hours of free time every day.\nA:", "How many wardens report bugs on average per project? Are we talking on the order of 10 or 100 or 1000?\nA: 150-300 submissions per contest is the estimate. That includes QA, gas, dupes, and invalid ones as well.", "If we mark an issue as High for example and the judge decides that it's not of a high order, do they change it to a Medium issue or they discard it?\nA: They downgrade it to medium. However, to prevent everyone from just sending in every issue as a high, intentionally overly inflating severity can result in it being graded unsatisfactory.", "Any jurors online at the moment to help me?\nA:", "When you have a PoC on a testnet fork that doesn't work anymore because of state changes that happened (pool usage changed the dynamics), is it ok to show the PoC against a blocknr known to work?\nA:", "I found out that abi.encode is preferable over abi.encodePacked, however I don't understand exactly why and when this can lead to a critical vulnerability (or even if it can). 
Can you provide an example?\nA: Here's an example from wild credit contests (2021): [https://www.youtube.com/watch?v=wCD3fOlsGc4](https://www.youtube.com/watch?v=wCD3fOlsGc4)", "Is it best practice to prepend all internal functions with an underline? Does the same apply for function parameters?\nA:", "A few rewards have been announced but the leaderboard has not updated yet?\nA: Caught a minor issue with a couple items being double counted; there will be an update to the numbers later today. Normally there\u2019s some double checks that would happen before awards get announced but we\u2019ve been pushing to get awards out and get caught up to date with the backlog and so some of the double-check steps got decoupled and occurred after posting the numbers.", "Is it best practice to prepend all internal functions with underline? Does the same apply for function parameters?\nA:", "A few reward is announced but the leaderboard does not update yet, why is this the case?\nA: The awards have not yet been merged, it is very strange that they were announced before the merge.", "Why does it take so much time for reporting?\nA: Reports were blocked by the same refactor as awards and awards were higher priority. It should be fast going forward.", "Where can I find out why my bug was not accepted so I can improve?\nA:", "How can I receive awards?\nA:", "I am not sure whether my finding is correct or not because of the lack of specification in docs. What would c4 team suggest? Should I send them anyways?\nA: Yes, suggest submitting if you're short on time. You can also DM the sponsor team and request additional context - should be a pinned post at the top of the contest channel that tags the available team members.", "Is there any penalty if my findings are not correct?\nA: Not as yet - but would advise you read through this discussion to understand how grading and awarding works, as well as what we're exploring re: applying penalties in future. 
[Link](https://github.com/code-423n4/org/discussions/50)", "What do I have to do to get the backstage role? I got over 3 mediums confirmed, which was suppose to be the condition to get it.\nA: We need you to submit a Help Desk request (link in channel description) and then be a little patient with us. We'll do our best to respond within 1-2 business days!", "Question regarding the \"Unsatisfactory\" definition. It does not have anything to do with \"validity\" right? If a sponsor thinks a report is not adding any value (for example if they trust an address because they own it) it will not be classified as \"Unsatisfactory\" and not be calculated for penalties. Making sure I understand correctly.\nA:", "How to get certified warden role?\nA:", "What do I have to do to get the backstage role? I got over 3 mediums confirmed, which was supposed to be the condition to get it.\nA: You need to submit a Help Desk request (link in channel description) and then be a little patient with us. We'll do our best to respond within 1-2 business days!", "Does the \"Unsatisfactory\" definition have anything to do with \"validity\"? If a sponsor thinks a report is not adding any value (for example if they trust an address because they own it) will it not be classified as \"Unsatisfactory\" and not be calculated for penalties?\nA: [No answer provided]", "How to get certified warden role?\nA: You can find the certification process and constraints here: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints", "Why can I see gas optimizations issues of project Escher, when it still going.not ended contest?\nA: Please refer to the post in the contest channel: https://discord.com/channels/810916927919620096/1049333479105630258/1049811704818716693", "Is the custom script developed by a C4 judge and warden public or private?\nA: The script is public. Here is the link: https://github.com/Picodes/4naly3er", "If I Join a team and we are 2 guys. 
We submit 1 finding. In the payout, do we receive as a single individual or as 2 since the team has 2 persons?\nA: One payment will be issued and the team will have discretion over how that money is paid to its members. More details here: https://docs.code4rena.com/roles/wardens", "Is there any upside on having a team? Money wise, is it more worth it to work as an individual?\nA: If you submit the same item separately you decrease the overall value of the submission.", "I have submitted my findings to Escher contest and in findings section the message is 'No findings submitted for this contest'. Can anyone please give me an explanation on this?\nA: [No answer provided]", "What's the best way to exchange USDC on Polygon into BTC?\nA: [No answer provided]", "When submitting findings is it 'ok' to provide a link to what basically is a competitor of the project as a mitigation for an issue?\nA: [No answer provided]", "Are there any plans to refactor the CSV design? The leaderboard began to be extremely slow.\nA: [No answer provided]", "I have submitted my findings to the Escher contest but in the findings section the message states 'No findings submitted for this contest'. Can anyone please explain this? \nA: Did you receive a mail regarding your submission?", "What's the best way to exchange USDC on Polygon into BTC?\nA:", "When submitting findings is it okay to provide a link to what basically is a competitor of the project as a mitigation for an issue?\nA:", "Are there any plans to refactor the csv design? The leaderboard began to be extremely slow.\nA:", "When submitting a finding with a proof of concept, can I have the proof of concept in a gist file? 
I tried just adding an image of it but I can\u2019t get it to work.\nA:", "I got mail regarding my submissions, does that mean I successfully submitted my findings?\nA: Yes, you successfully submitted your findings.", "The findings section for a particular contest is empty, does it show our submissions?\nA: Check the mail to see which contest it is mentioned over there.", "Is there anything to worry about if the findings section for a particular contest is empty?\nA: There's nothing to worry about. But if you are not able to view the submissions, it's better to raise a help request.", "If a judge or sponsor were to comment on one of my submissions, how would I know?\nA: You can check the issue for the finding you sent on Github, from the report click around and you'll find the Github repository then search for your submissions.", "For line 27 Sale public sale, what is the meaning of this? Does it change the visibility of struct Sale to public and change its name to \"sale\"?\nA: Sale (captain S) is made public and is named \"sale\".", "I often see in past reports conversations between the sponsor and the judge / participant. If a judge or sponsor were to comment on one of my submissions how would I know?\nA: You can check the issue for the finding you sent on Github, from the report click around and you'll find the GH repo then search for your submissions.", "For line 27 Sale public sale, what is the meaning of this? it seems like it change the visibility of struct Sale to public and change its name to \"sale\"?\nA: It's similar to the function: uint256 public some_variable_name_here; in Solidity.", "Just out of curiosity, does anyone use fuzzing tools like Echidna for auditing in contest? If so how useful are those?\nA: Until solidity 8.0, fuzzing tools were used a lot, but after 8.0, I think the usage has decreased. Since Solidity 0.8, the overflow/underflow check is implemented on the language level - it adds the validation to the bytecode during compilation. 
It's also quite useful if you are able to establish some invariants that should not be broken.", "Is it possible to see communication between judge, sponsor and warden before the report is published?\nA: No answer provided.", "What is the difference between certified role and backstage role?\nA: Both certified and backstage roles are KYC'd. Certified can participate in private contests while backstage requires certified and minimum requirements of submissions to then be able to access the contest repo post closure and pre-public report release. More information is provided at https://docs.code4rena.com/roles/certified-contributors.", "Regarding automatic findings for each contest, if we find an attack path that can cause a Medium or High impact in a contract, can we submit the finding? It's not the same a zero address check as a best practice recommendation than a zero address check that can cause a loss of user funds with certain attack path.\nA: It's almost certainly yes. A simple example is a function that accepts a signature to transfer funds, if the return value of the ecrecover function is not checked to not be address(0) then it could potentially allow to transfer funds from the 0 address; which is a H issue and should be fixed.", "What is the difference between certified role and backstage role?\nA: Both are KYC'd roles. Certified contributors have completed KYC and can participate in private contests. Backstage role requires certified status and minimum requirements of submissions to then be able to access the contest repository post closure and pre-public report release. More information can be found [here](https://docs.code4rena.com/roles/certified-contributors).", "Regarding automatic findings for each contest, if we find an attack path that can cause a Medium or High impact in a contract, can we submit the finding? \nA: Yes, as long as it provides value and can be clearly articulated. 
Wardens may choose to use automated tools as a first pass, and are welcome to build on these findings by identifying high and medium severity issues. However, submissions based on these will have a higher burden of proof for demonstrating to sponsors a relevant hm exploit path in order to be considered satisfactory. More information can be found [here](https://github.com/code-423n4/org/discussions/50).", "Is there a best practice for immutable state variables? Should I declare them upper-case or with an underline prefixed?\nA: Typically best practice is \"address public immutable i_owner;\" although most either use \"address public immutable _owner;\" or \"address public immutable owner;\". The underscore is more of a best practice for private variables. However, it's really about consistency over convention, do whatever works for you.", "If after submission we realize something is a false positive, is there any way to unsubmit or notify the judges to disregard?\nA: Yes, you can retract the submission if you go to the contest page, then click the findings tab.", "How do the judges determine what reports get featured in the client report?\nA: Not answered.", "\"INTERNAL FUNCTIONS ONLY CALLED ONCE CAN BE INLINED TO SAVE GAS\" can someone explain this with a little detail?\nA: Not answered.", "How we know the reasons for findings rejection?\nA: Not answered.", "If after submission we realize something is a false positive, is there any way to unsubmit or notify the judges to disregard?\nA: You can retract the submission if you go to the contest page, then click the findings tab.", "How do the judges determine what reports get featured in the client report?\nA:", "Can someone explain the statement \"INTERNAL FUNCTIONS ONLY CALLED ONCE CAN BE INLINED TO SAVE GAS\" with a little detail?\nA: Let's say function A calls internal function B. Function A uses 100 gas + 10 gas for the function call to B (hypothetical numbers), while function B uses 20 gas. 
If function B is only ever used in function A, the total gas for every call to function A will be 100 + 10 + 20 = 130 gas. However, if instead of making a function call from A to B, you take B's code and put it directly into A, now there is no function call between A and B, so the 10 gas function call is removed, resulting in 120 gas being used per call to function A.", "How do we know the reasons for findings rejection?\nA:", "Have the top auditors automated these kinds of findings because looking for this manually and then concluding if this should be applied would be time consuming?\nA: They probably just flag it as /// @audit as they do a read through of the codebase, then come back and write it up in their findings.", "Could someone please explain to me how is All and Total calculated? What's All comparing to Solo? Is Solo the unique findings?\nA: Solo means that the findings were found only by that warden, with no duplicates.", "The total is confusing. if you see the first example, the total is 4 but high+med+gas = 3\nA: You have to look at 'all time' for the total to make sense. Another possibility is that the total was submitted as 4, but only three were considered valid. It could also be that the remaining are all of the lows, NC, and QA reports.", "Is this just for one contest actually?\nA: (No direct response)", "What does \"Solo\" mean in terms of findings in a contest?\nA: Solo means the finding was found only by that warden, with no duplicates.", "I want to change my handle, is it supported? I am currently logged into C4 with my wallet, but want to change my handle to something else.\nA: You would have to register again.", "If I register again to change my handle, will my leaderboard and current submissions still be updated?\nA: Leaderboard standing would not be transferrable. 
Any findings submitted under your current handle / username would not moved to another account.", "How long does it usually take to create a team after sending a request?\nA: (No direct response)", "Is it allowed to discuss potential issues with the sponsor while the contest is going on?\nA: Yes. Each contest has a channel where you can ask general questions, and we pin a post to the top of the channel tagging in members of the sponsor team who are available for questions via DM.", "How does an understanding of EVM help in auditing and writing solidity code?\nA: (No direct response)", "When do we get to know if a finding has been accepted? At the end of the contest?\nA: Once the report is made public you'll see the Judge and Sponsor feedback on your submissions, in the meantime you can check /reports on the site to see what a high quality submission looks like.", "When I click on forget password I am not getting link to reset password as mail. What should I do?\nA: (No direct response)", "Can I link any my github repo as proof of concept in submit finding?\nA: (No direct response)", "How does an understanding of EVM help in auditing and writing solidity code?\nA:", "When do we get to know if a finding has been accepted? At the end of the contest?\nA: Once the report is made public you'll see the Judge and Sponsor feedback on your submissions, in the meantime you can check /reports on the site to see what a high quality submission looks like.", "When I click on forget password I am not getting link to reset password as mail?\nA:", "I am not sure I am unable to login with my handle. Asking for password but when I click on forget password I am not getting any link to reset password.\nA: Can you open a help desk request? 
https://code4rena.com/help", "When I submitted the QA report for the first time, it prompted that something was wrong, so I clicked try again to submit again, it prompted \"It looks like you've already submitted a QA (Quality Assurance) report for this contest\". So now I don't know if it has been successfully submitted, can you check it for me in the background?\nA: Check if you received the confirmation on your email and you can also see if there is a QA by clicking on View Context > Findings", "Which contest reward can we expect to get before December 23th?\nA: From my experience rewards are transferred once per month, in the beginning of the month.", "How are vulnerabilities that involve social engineering judged? Should I pay attention to anything particular in writing a PoC with SE?\nA:", "How long does it take to get the roles updated after the approval from provenance?\nA: Normally a few days. You should get the role by Friday at the latest.", "Why I don't have any rewards on contests despite the fact that there are even vaults for QA(low) bugs and gas optimizations?\nA: It's not guaranteed that you'll get a reward, your report could be invalid or valid but not satisfactory.", "What does it mean, if I find something I found it, its basically a yes or no question. Does the description matter or explaining the impact or what?\nA:", "How long does it take to get the roles updated after the approval from provenance?\nA: Normally a few days. You should get the role by Friday at the latest.", "Why don't I have any rewards on contests despite the fact that there are even vaults for QA(low) bugs and gas optimizations?\nA: It's not guaranteed that you'll get a reward, your report could be invalid or valid but not satisfactory.", "Does the description matter or explaining the impact or what, when I find something?\nA: Reports are graded. 
Aim for: Issue, Description, PoC (where necessary), Mitigation (where necessary) all on a nice looking semi-professional report layout.", "Should the QA and gas report be written in divided reports?\nA: Yes.", "How much space does a \"bytes\" consume, as in there is a struct with some \"bytes var1\" (ex - 20 for address)?\nA: 32 for bytes (1 slot).", "Should 'on the fence' vulnerabilities rather be tilted towards High or Medium risk rating?\nA: (No answer provided)", "What are some good staking contracts to look at if you wanna learn the different ways staking functionality can be implemented?\nA: (No answer provided)", "If I find a vulnerability, but don't know how to fix it without making drastic changes to the entire protocol, what should I do? Are reports without recommendations, or open questions as recommendations accepted?\nA: You don't have to do anything. If it's a valid finding, it's the protocol's choice how to mitigate an implementation. A recommendation is appreciated anyway but not a must in many cases.", "If we find a vulnerability of an out-of-scope contract, should we submit it regardless of whether we get a reward or not?\nA: Recommend submitting it. Judge has the ability to bring things in scope (though it\u2019s not guaranteed). There are no penalties in effect currently.", "Would writing an attack contract and then in plain writing explain the effects of said contract count as a POC?\nA: (No answer provided)", "If I find a vulnerability, but don't know how to fix it without making drastic changes to the entire protocol, what should I do? Are reports without recommendations, or open questions as recommendations accepted?\nA: You don't have to do anything. If it's a valid finding, it's the protocol's choice how to mitigate an implementation. 
A recommendation is appreciated anyway but not a must in many cases.", "If we find a vulnerability of an out-of-scope contract should we submit it regardless of whether we get a reward or not?\nA: Recommend submitting it. Judge has the ability to bring things in scope (though it\u2019s not guaranteed). There are no penalties in effect currently.", "How much space does a \"bytes\" consume , as in there is a struct with some \"bytes var1\" (ex - 20 for address)?\nA: 32 for bytes (1 slot)", "Would writing an attack contract and then in plain writing explain the effects of said contract count as a POC?\nA:", "How long does it usually take after a contest is closed for the findings repo to become publicly available for discussion?\nA:", "To qualify for the backstage role we need a certain number or findings in different areas or of different scores. For example 3+ gas reports scoring above 80, how would one know what their report scored number wise?\nA:", "Could you tell me the way to submit issue as a team? Do we need to log in with our team's wallet address in order to submit an issue? Or can we switch accounts within the address we used when we submitted the application?\nA:", "If findings are in the grey area of being submitted as two separate issues or as one. Which way should a warden lean?\nA:", "One byte is 8 bits. For example, a \"byte1\" will be 8 bits, \"address\" which can directly be casted to \"bytes20\" is 160 bits, and \"uint256\" is 32 bytes. But what about \"bytes some_var\" (not byte) will that be 32?\nA: bytes or bytes32 both are the same like uint & uint256. But, No, bytes is an array of bytes32. 
(Refer to link: https://docs.soliditylang.org/en/v0.5.12/types.html#dynamically-sized-byte-array)", "Does bytes take 1 slot in storage?\nA: No, check how arrays are stored in storage.", "Does it take 1 slot in storage?\nA: Yes", "How are arrays stored in storage?\nA: Arrays are not stored in one slot, it's recommended to check how arrays are stored in storage.", "Where are contests findings public repos posted?\nA: Go to the section where Contests are posted.", "I can't find any github public repos in the contest chats, where can I find these?\nA: You can locate all github repo on Code4rena website. All repo on all live contests should be there.", "I want to check why my findings is not accepted, where can I find the findings report repo?\nA: No answer provided.", "I'm on search of function totalSupply() on solmate erc20's contract, but I can't found it. How is this possible? \nA: In the openzeppelin contract, _totalSupply is a private storage variable so it needs a view function to see it, which is why they wrote one. In the contract you linked, totalSupply is public, and a view function with the same name is automatically generated for public storage variables. You can view it by just calling contract.totalSupply() in the same way. [Link](https://github.com/transmissions11/solmate/blob/main/src/tokens/ERC20.sol)", "Can a keyword with \"()\" call a variable?\nA: Yes, it is calling a function, but the function is automatically generated for public storage variables, constants, and immutables which aren't stored in storage.", "Is there an invisible function or auto generated function in solidity?\nA: Yes, the function is automatically generated for public storage variables, constants, and immutables which aren't stored in storage. More about state-variable-visibility can be read from here: [Link](https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility)", "Is the Goerli faucet hosted by Mudit not working anymore? 
\nA: No answer provided.", "Can every keyword with \"()\" call a function or sometimes it can call a variable?\nA: It is calling a function, but the function is automatically generated for public storage variables, constants and immutables which aren't stored in storage.", "Is the Goerli faucet hosted by Mudit not working anymore?\nA: No answer provided.", "When a Medium Finding is marked as invalid (and there are many duplicates), then does this get marked as Low or NC? Or gets discredited completely?\nA: Invalid means it's scrapped.", "How to submit issue as a team in C4? Do we need to log in with our team's wallet address in order to submit an issue? Or can we switch accounts within the address we used when we submitted the application?\nA: You should log in to your C4 account as usual (individual warden accounts) and then switch back and forth between your individual account and your team account before submitting.", "Does the screen show that I can't submit as a team?\nA: If you made changes to your team and still have issues, please open a help desk ticket: https://code4rena.com/help.", "How to change my login wallet address?\nA: Currently, change of login wallet address is not possible. But if you have Metamask, you can link multiple addresses. More information here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with", "Is c4 pronounced as \"code arena\" or \"code for arena\"?\nA: It's pronounced as \"Code Arena\".", "Is the \"Mitigation review contest\" only in GoGoPool contest only or will it be on any future contest? 
The share is quite big, more than half of HM shares.\nA: Yes, there will be more contests with this structure going forward which includes an initial audit prize pool and a mitigation review pool.", "Is mitigation review limited to the top wardens of the corresponding initial contest?\nA: Yes, mitigation review will be limited to the top wardens of the corresponding initial contest.", "Can we add pictures in the report?\nA: No answer provided.", "Is the \"Mitigation review contest\" only in GoGoPool contest or will it be on any future contest?\nA: Yes, there will be more contests with this structure going forward: an initial audit prize pool + a mitigation review pool.", "Will the mitigation review be limited to the top wardens of the corresponding initial contest?\nA: Yes, correct.", "Can we add pictures in the report?\nA: If it helps your point of contention or explanation, you can add images. The report is done in markdown, so add the image(s) that way. The final report will be compiled with your image(s) if accepted.", "Will the image show on the C4 report? Or is it text only?\nA: Your report is done in markdown, so add the image(s) that way. The final report will be compiled with your image(s) if accepted.", "Is it alright to submit findings we aren't sure if they will help? 
Or does it hurt our \"score\" in some way?\nA: +3 rejected reports in a competition will prevent you from getting any payout for that competition.", "How does one become a certified warden?\nA: Read the documentation, you need to complete a KYC (Know Your Customer) process.", "Is there a general way to get certifications and become a \"professional certified\" auditor?\nA: There are no certifications currently available.", "If one has more than three rejected reports in a competition, will that prevent them from getting any payout?\nA: Yes, if you have a list any of the C4udit gas findings that will void your report and count as 3.", "Is there a general way to get certifications and become a \"professional certified\" auditor?\nA: There are no certifications as far as the user knows.", "Will having more than 3 rejected reports in a competition prevent me from getting any payout for that competition?\nA: If you list any of the C4udit gas findings, that will void your report and count as 3.", "Will I get penalized for too many unsatisfactory submissions within these 2 months as I do not have backstage access and I won't have any chance to get any feedback loop until 2 months later?\nA: Penalties are not in effect yet.", "Are there any recommended resources to study for regex and analysis of abstract syntax tree?\nA: The answer was not provided in the chat.", "Will there be more rewards coming before the Christmas break?\nA: The user is working on it.", "When making submissions, do I find all bugs before making the final report to submit findings, or do I create one issue/report per bug?\nA: The gas report and low/quality assurance report are all in one, while medium and high each have their own report.", "So when I am submitting an issue like a gas report, do I have to find all the gas optimizations I possibly can before making a report?\nA: You can do it that way, but you can also edit your submitted gas report findings on the C4 page while the contest is open.", 
"When making submissions, do you find all bugs before making final report to submit findings or you create one issue/report per bug?\nA: Gas report + low/qa report are all in one, medium and high each have their own report.", "When submitting an issue such as a gas report, do I have to find all the gas optimizations I possibly can before making a report?\nA: It's possible to do it that way, or you can also edit your submitted gas report findings on the C4 page while the contest is open.", "After submitting an issue on the C4 website, what\u2019s the next step? Do I have to create an issue on GitHub too?\nA: The C4 systems create an issue on your behalf, but unfortunately, they are not linked to your GitHub.", "How can I get access to a private contest on the platform?\nA: No answer was provided.", "I've signed up as Certified Contributor and my application was approved. Is there anything else I need to do?\nA: You can do a help desk request so the team can take a look. https://code4rena.com/help", "Are there any good resources to learn and master proxies and upgradeable contracts?\nA: You can use this resource: https://proxies.yacademy.dev/", "I sent a help request to be a backstage warden and I didn't receive a confirmation email. Did you receive my request?\nA: The help desk request was received. The team may not have an opportunity to respond to it until about the first week in January.", "Why was a specific finding in The ArtGobblers competition considered unsatisfactory?\nA: No answer was provided.", "Any good resources to learn and master proxies and upgradeable contracts?\nA: https://proxies.yacademy.dev/", "I sent a help request to be a backstage warden and haven't received an email confirmation. Did you receive my request?\nA: Yes, the help desk request was received. 
Our team may not have an opportunity to respond to it until about the first week in January.", "Why was this finding unsatisfactory: https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137. Is it because it doesn't have a test script? Or because it got demoted to QA and as QA it's considered not substantial enough?\nA: The finding is valid and Non-critical. In judging QAs, all findings are grouped and scored. Your report didn't score high enough. A C score is unsatisfactory.", "What could I have done to improve the score? Or was the sum of all QA findings not substantial enough?\nA: It's a mix of High Quantity and High Quality. Winning reports tend to be either extremely full of detail or high quality and fully custom to the specific contest.", "Are sandwich/front-running attacks that can be addressed considered as valid vulnerabilities and in-scope?\nA: Yes, they are.", "What does a general Mitigation Review process consist of and who are eligible to participate?\nA: N/A", "Does it help to name our findings with a number? E.g: [HIGH-1], [HIGH-2], [GAS-1]. Is that a bad idea, or neutral?\nA: It definitely helps for QA where you could have both a #1 for low and #1 for non-critical.", "Is it hard to understand the purpose of the code base in details without reading the docs?\nA: If you see code that serves a similar purpose to what you've seen before you usually understand the purpose. But you definitely need to read docs / read code multiple times to understand the code well enough to spot bugs.", "I'm yet to receive my payout dating back to early October. Is this something expected? As far as I'm aware my wallet address is linked to my discord username. Please advice.\nA: N/A", "Does it help judge frens to name our findings with a number, like [HIGH-1], [HIGH-2], [GAS-1] etc.? Is that a good or neutral idea? 
\nA: It definitely helps for QA where you could have both a #1 for low and #1 for non-critical.", "Is it hard to understand the purpose of the code base in details without reading the docs?\nA: If I see code that serves a similar purpose to what I've seen before I usually understand the purpose. But I definitely need to read docs / read code multiple times to understand the code well enough to spot bugs.", "I'm yet to receive my payout dating back to early October. Is this something expected? As far as I'm aware my wallet address is linked to my discord username.\nA: If it's for a contest that's been awarded, you can create a help desk and we can take a look in the new year.", "How can I check my profile was accepted for warden? I am new to this platform.\nA: You have the wardens role which means it was successful", "Are there certificates in this space, or anything that Germans can forward to show we are good for the money?\nA: Github profiles go a long way", "Does anyone know how to run the current GoGoPool contest on windows? Trying to run the tests.\nA: Same running instruction on the doc", "How do I handle the running instructions if Brew doesn't exist for me, and the curl command not going through properly because I have no Linux distribution. Did you do exactly the commands they name?\nA: Just install Foundry", "What do I do after successfully installing Foundry with \"npm install foundry\"?\nA: No answer", "Once cloned the GoGoPool contest repo, how do we run the tests in vscode? I tried to install forge but not successful. I don't know what is the problem. Please share the steps for better understanding.\nA: No answer", "Is it now working after installing Foundry? If yes please share the steps.\nA: No, it's a horrible experience for me right now", "What if Foundry still doesn't work?\nA: Try with a virtual box and Linux.", "After installing \"npm install foundry\", what are the next steps? 
\nA: [No answer provided.]", "How can I run the tests in vscode after cloning the GoGoPool contest repo? I tried to install forge but was not successful.\nA: [No answer provided.]", "Have you found a solution for running the tests?\nA: [No answer provided.]", "I see my first bounty in my c4arena account but it has not yet appeared in my wallet. When will I receive it?\nA: If it's not there yet, then it will be transferred when the dao employees return from holidays.", "If I submit only one quality assurance finding that is both valid and decent quality, could it still be unsatisfactory and receive no payout?\nA: [No answer provided.]", "Are gas optimisation and gas report the same thing?\nA: Yes, they are the same thing.", "I am new to auditing. Where can I find a recent code4rena report?\nA: You can find a recent report at this link: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations", "I got my first bounty as I can see in my c4arena account. Haven't got yet in my wallet. When will I get this?\nA: If not there yet, then when the dao employees return from holidays.", "So hypothetically if I submit only one qa finding that is both valid and decent quality it could still be unsatisfactory and receive no payout?\nA: [No Answer]", "Is that gas optimisation and gas report both are same?\nA: Yup", "Can someone explain me 1. [G-02] STATE VARIABLES CAN BE PACKED INTO FEWER STORAGE SLOTS . \"f variables occupying the same slot are both written the same function or by the constructor, avoids a separate Gsset (20000 gas). Reads of the variables are also cheaper.\" and 2. [L-05] CRITICAL ADDRESS CHANGES SHOULD USE TWO-STEP PROCEDURE?\nA: 1. - Solidity stores state variables in 32 bytes storage slots. E.g.: one uint256 = one slot, but you can also pack 4 uint64s into one slot if they are declared next to each other. The bool here is one byte, but takes up a whole storage slot because the next uint256 can't fit in. 
If the bool were next to an address (address is only 20 bytes) it would fit in one slot. The GSSET opcode is used to set the value of a storage slot (when the storage value is set to non-zero from zero). If a function were to modify the bool and the address it only has to call the opcode GSSET once, reducing gas costs. 2. - One-step change with critical addresses could leave an error where you pass in the wrong address. Two-step changes are safer and better practice.", "Did you import the usdc token in your wallet?\nA: Hey, thanks this was it.", "I was told that I should report any gas optimisations separately but it doesn't allow me to?\nA: Put all your gas findings under one report.", "Is the usdc reserve contest going to be open to all or just a private one?\nA: [No Answer]", "Hypothetically speaking, what should we do if we find a high or medium severity vulnerability a few days after the contest ends? And would those vulnerabilities be rewarded?\nA: I would think responsible disclosure to the dev team, not awarded by c4 outside the contest timeframe, perhaps something from the dev team if they choose.", "Does 1inch get the aggregated price in the native coin that its being called on for the getRateToEth() method or does it just get the rate to ETH for all chains?\nA: [No Answer]", "When I create a support ticket on the homepage, do I get a notification via email? Received no feedback and now wondering if ticket was created successfully?\nA: Yes your ticket came through.", "Hypothetically speaking, what should we do if we find a high or medium severity vulnerability a few days after the contest ends? 
And would those vulnerabilities be rewarded?\nA: I would think responsible disclosure to the dev team, not awarded by c4 outside the contest timeframe, perhaps something from the dev team if they choose.", "Does 1inch get the aggregated price in the native coin that its being called on for the getRateToEth() method or does it just get the rate to ETH for all chains? \nA: [No answer provided]", "When I create a support ticket on the homepage, do I get a notification via email? \nA: Yes, your ticket came through.", "If you submit a finding as medium, but judges believe it is high will they reassign or does it stay at medium and vice versa?\nA: It gets upgraded, unless there's a reason to penalize it (not as good as other submissions).", "So hypothetically if I submit only one qa finding that is both valid and decent quality it could still be unsatisfactory and receive no payout?\nA: Yes, you either submit the best Group of QA / Gas Findings or you're very likely to not receive awards.", "If someone were to submit a medium and say it gets downgraded to a low. Would they get any rewards for that valid finding if that was their only low?\nA: Very likely they won't, a lot more likely for top wardens to get a good QA score by getting a bunch of Meds downgraded, but it's a side-effect not a reliable strategy.", "Can issues get upgraded to a higher severity as well? Let's say I am 50/50 between high/med or even med/low, does it matter if I categorize issues on the higher side or lower?\nA: It depends on the work you put in, if you write a one-liner and mark it as High, the fact you put a higher severity will be used against you. 
Most of the time, the specific severity doesn't matter as long as you did a good job in explaining the finding.", "Calling a contract own functionA() like this: InterfaceA(address(this)).functionA(); would be considered as external contract call and would change the msg.sender value inside the functionA()?\nA: It should have itself as the msg.sender as you're doing an actual call vs a jump.", "I passed the KYC but I do not understand what's pass screening for OFAC sanctions in the opensea contest. Also, I got the confirmation that the KYC was successful but have not seen any role or anything attached to it, is there something?\nA: We will be processing those over the next couple of days.", "So will you open a registration to pass the OFAC sanctions screening?\nA: [No answer provided]", "How do you know a warden as done the KYC? Because you can't see it from the front-end, it would be nice to know that you acknowledge that we have done the KYC.\nA: [No answer provided]", "What's pass screening for OFAC sanctions in the opensea contest?\nA: The specifics regarding OFAC sanctions screening aren't clarified.", "I got the confirmation that the KYC was successful but have not seen any role or anything attached to it, is there something?\nA: KYC status is processed and updated over a few days.", "Will you open a registration to pass the OFAC sanctions screening?\nA: The specifics regarding OFAC sanctions screening aren't clarified.", "How do you know a warden has done the KYC? Because you can't see it from the front-end, it would be nice to know that you acknowledge that we have done the KYC.\nA: Provenance informs once the KYC is done, which is then processed by C4.", "Is there any good resource to learn about opcode?\nA: https://www.evm.codes/", "Does anyone know about spearbit dao? Are they accepting newbies in smart contract security?\nA: Newbies are suggested to apply to yAcademy instead of Spearbit.", "I was KYC'd a few weeks ago and it was successful. 
Apart from this, do you need something more? Do I have to check in the readme whether am I certified or not?\nA: You will receive an email from C4 once your certification is finalized.", "Is there any consideration from C4 in future for rust-based programs auditing?\nA: They've done rust in the past and would be happy to do it in the future.", "What happened to the steakhouse contest! Will it be rejudged?\nA: No answer provided.", "For QA and gas reports, is it only one user that gets the rewards -unlike med/high findings the rewards is shared?\nA: No answer provided.", "Do you know if there is any consideration (from C4) in future for rust-based programs auditing?\nA: We've done rust in the past, would be happy to in the future!", "What happened to the steakhouse contest! Will it be rejudged?\nA: For information on the steakhouse contest, refer to these relevant posts: https://discord.com/channels/810916927919620096/810936719003090974/908760695712149515 and https://discord.com/channels/810916927919620096/1040268281040359556/1055712214016868352", "For QA and gas reports, is it only one user that gets the rewards -unlike med/high findings the rewards is shared?\nA: QA/gas reports are divided into grade A, B, C based on quality and gas savings. Grade A and B gets rewards.", "How it goes possible that msg.sender == address (this)?\nA: From your contract, you would do something like MyContract(address(this)).myFunction()", "Is there any way I can use foundry in a project that uses hardhat?\nA: You can use foundry in a hardhat project. You can find a base template here: https://github.com/foundry-rs/hardhat-foundry-template. Or try running the tool here: https://github.com/HardlyCodeMan/audit_helper/", "Can I see reports from other wardens, if contests has been ended, but there is no table with results?\nA: No answer available.", "If multiple auditors report the same bug, do they all get paid a portion or only the first one to report gets a bounty? 
Also, are gas optimization issues in previous reports eligible for a bounty?\nA: All auditors who report the same bug get a portion of the bounty. Common findings are out of scope as they are picked up by the C4udit tool and those findings are linked in each contest readme. If they're not picked up by the tool, they can be submitted.", "Do medium and low risk findings get a bounty?\nA: No answer available.", "Can I see reports from other wardens, if contests has been ended, but there is no table with results?\nA:", "Is there any way I can use foundry in a project that uses hardhat?\nA: You could try running the tool provided here: https://github.com/HardlyCodeMan/audit_helper/", "If multiple auditors report the same bug, do they all get paid a portion or only the first one to report gets a bounty? Also, are gas optimization issues in previous reports also eligible for a bounty?\nA: All auditors reporting the same bug get a portion of the bounty. Many common findings are out of scope as they are picked up by the C4udit tool and those findings are linked in each contest readme. If these issues are not picked up by the tool, they can be submitted.", "Do medium and low risk reports get a bounty?\nA: All accepted reports, from high level down to gas optimizations, will get payouts provided the report is of high enough quality, the findings are accurate and there is a working proof of concept where needed.", "Have the payouts for Stakehouse been distributed yet?\nA: Awards for that contest should be going out soon.", "Is it possible for people to join as warden in the contest as a group of members (e.g. as a company)? If it is possible how should we do it in the right way? If it is not possible, should we join as a warden as individual instead or not?\nA: Yes, it's possible to register as group/team. 
More details can be found here: https://docs.code4rena.com/roles/wardens#registering-a-team", "Does the page automatically reload when a contest has started?\nA: You can reload and the page details will show.", "What is Mitigation review contest?\nA:", "Do duplicate issues get a reward or only the first reporter?\nA:", "How much time does it usually take for a contest? \nA: The time usually takes 1-2 months.", "I wanted to know about the rewards, does duplicate issues get a reward or only the first reporter?\nA:", "What is the time usually for?\nA: 1-2 months", "What is Mitigation review contest?\nA: Sometimes projects want to invite the top wardens back after the contests to review bug mitigations.", "How do I fix missing imports on sol files?\nA: Install dependencies. If the issue is \"not found: File import callback not supported\", you might need to run forge i to install forge-std. For other dependencies like openzeppelin/openzeppelin-contracts, you will need to install using the command forge install creator/repo. If the repository was made with hardhat, you can install the requirements and add node_modules to foundry.toml. An audit_helper tool can assist with this process when initialising a freshly cloned audit repo.", "Where is the error?\nA: The error is always at the top of every .sol file.", "What should I do if I get an error at the top of every .sol file?\nA: You should install the dependencies. If you're working on the astaia comp and you've followed the setup instructions, you should have grabbed those submodules as part of the git clone.", "What does running \"forge i\" do?\nA: Running \"forge i\" will only install forge-std, you'll need to run forge install creator/repo to install other dependencies. If the repository was made with hardhat, you can install the requirements and add node_modules to foundry.toml. 
A tool called audit_helper does all this for you when initialising a freshly cloned audit repo.", "Does forge installation rely on git submodules, and are the libraries not lost?\nA: Yes, forge installation does rely on git submodules, so the libraries are not lost. This seems to work primarily for foundry based repositories.", "Can you elucidate what judge + presort and scout mean regarding bounties?\nA: Judge + presort is the portion of awards set aside for the work performed by judges. Presort indicates they are also being compensated for consolidating duplicates for the sponsor. Scouts are essentially an independent scope judge who are responsible for providing staff with candid feedback on an audit's scope and whether the actual scope aligns with the purported scope initially described when scheduling the contest.", "After registering as a team, every single audit the team member do will be regarded belongs to the team or is there some way to distinguish between the personal audits and the team audits?\nA: Once you're in a team, all findings go to the team and all funds go to a single wallet for dispersal to the team. If you want to separate it, you need to be in a team who you will trust to disperse the funds appropriately. Or just audit solo like many others.", "What are the perks of joining a team? Are there any advantages?\nA: Joining a team allows members to work together, bounce ideas off each other, and more importantly, learn faster together.", "What are the perks of joining a team? Are there any advantages?\nA: You can work together, bounce ideas off each other and more importantly learn faster together.", "After registering as a team, will every single audit the team member do be regarded belongs to the team or is there some way to distinguish between the personal audits and the team audits?\nA: If you are part of a team, you can still choose to submit solo findings whenever you'd like. 
When submitting, you should see an option to choose whether you are submitting solo or for your team. The submission form allows you to select whether you're submitting as an individual warden or as a team member.", "Are the rewards for the contest stakehouse-nov11 distributed?\nA: Yes, they have been distributed.", "Am I allowed to share the findings in public when the contest is closed, if the client accepts?\nA: We ask for no public discussion until reports are published.", "Is a finding considered High if it causes a direct loss of assets like a loss a large portion of the yields?\nA: This question is not answered.", "Is there a tool/plugin to check a solidity code for syntax mistakes and checks like remix IDE does online?\nA: This question is not answered.", "How is it possible that the same finding was submitted by 10 Wardens for example, and one or two of them get 2-3K USDC award unlike the others who get just 100-200 USDC?\nA: This question is not answered.", "How many days does it take to complete KYC after submitting?\nA: This question is not answered.", "Is a finding considered High if it causes a direct loss of assets like a large portion of the yields?\nA:", "Is there a tool/plugin to check a solidity code for syntax mistakes and checks like remix IDE does online? I would like to check contracts automated for mistakes.\nA:", "How is it possible that the same finding was submitted by 10 Wardens for example, and one or two of them get 2-3K USDC award unlike the others who get just 100-200 USDC ? I'm trying to understand what other factor that has this high impact.\nA: The judges check whether the other same issue submissions have a coded Proof of Concept (PoC). Are they written in a comprehensive language and the issue is covered in as many aspects as possible. For example, there are 2 submissions about signature malleability. 
One warden provides PoC for a forged signature passed as valid and the other warden only states that the code has this malleability.", "How many days does it take to complete KYC after submitting?\nA:", "If I was the sponsor, I would always prefer with PoC for sure. So, Is this what's called Score?\nA:", "So the chosen submission is still not having a higher bounty ser?\nA: It's like 1.3 times the award so it cannot be order of magnitudes bigger.", "I was checking https://github.com/code-423n4/code423n4.com/pull/6700/files and just found for H-02 , two wardens have 4127 and 5365 USDC and the rest 0.84 or something like this. Why is there such a big difference?\nA:", "H-02 in which contest?\nA:", "Are only certified wardens allowed to participate in mitigation-review contests?\nA:", "Are only certified wardens allowed to participate in mitigation-review contests?\nA: Yes.", "While reporting an issue, if my PoC is getting too big then is it okay to provide a link to gist instead of embedding the entire PoC in the issue itself? Do judges prefer one over the other?\nA: This method is accepted and has been implemented by many wardens. However, it is best if you can send in the issue, but if you cannot, gist is okay.", "In contest number 189, I submitted a High and a medium but I see only a medium is accepted. The high was related to buying NFTs with zero amount or somehow a direct loss of funds. I was wondering if this kind of finding is high or medium? \nA: Please wait until the report is published and the findings repo is made public to check on your submissions.", "I need to create an invoice following the rewards I got from a contest and I would need the postal address and email of code4rena to create it. 
Where can I find this information?\nA: You can find the information at the bottom of this page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions", "What is formal verification contest?\nA: There is more information in the contest repo: https://github.com/code-423n4/2023-01-blockswap-fv", "Is a confirmed high and medium (2 total findings) enough to get back stage pass? If so how do I go about that?\nA: [Answer not provided]", "In contest number 189, I submitted a High and a medium but I see only a medium is accepted. The high was related to buying NFTs with zero amount or somehow a direct loss of funds. Is this kind of finding considered high or medium? \nA:", "Is there any way to validate that my submission were noticed? Who was the judge for Escher?\nA: Please wait until the report is published and the findings repo is made public to check on your submissions.", "What is a formal verification contest?\nA: There is more information in the contest repo: [link](https://github.com/code-423n4/2023-01-blockswap-fv)", "Is a confirmed high and medium (2 total findings) enough to get backstage pass? If so how do I go about that?\nA: Yes if you've participated in 3 contests. One high or 3 mediums. If you meet the qualifications, you can submit a help desk request and we'll take a look: [link](https://code4rena.com/help)", "I\u2019ve participated in three but only got results back from one does that still count?\nA:", "Do I need to be certified before getting backstage pass?\nA: Yes, if you are not certified yet, you'll have to complete that part of the process. More details here: [link](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints)", "The help page on website still shows the Out of Office message. Is this an error?\nA: Thank you for catching this! 
Will pass onto our dev team now.", "If an issue was submitted as High severity and was downgraded as Med by judge, will this come under the overinflated severity category and be considered invalid?\nA: Unlikely, I think if a QA level severity bug report is inflated to High, then the result maybe invalidated.", "The help page on the website still shows the Out of Office message. What can be done about this?\nA: Thanks for pointing this out! We'll alert our development team immediately.", "If an issue was submitted as High severity and was downgraded to Medium by a judge, would this be considered as an overinflated severity category and be considered invalid?\nA: It's unlikely. If a Quality Assurance (QA) level severity bug report is inflated to High, then the result may be invalidated.", "How many days does it take to complete Know Your Customer (KYC) after submitting?\nA: This can vary depending on the back-and-forth between you and Provenance, so it may take a bit of time. Ensure to check your spam folder for any emails from them.", "I'm doing my first audit now and if we have a low issue/non-critical (Quality Assurance - QA) but fixing it also reduced gas, slightly, should we include it only in one category, QA and mention the gas, or in both QA and Gas report?\nA: QA has a bit more impact, so it would be better to choose QA, as long as it does have the impact. If the issues are clearly related to gas savings only, it can be downgraded from QA to Gas.", "How are awards divided between grade A and grade B for Quality Assurance and Gas reports?\nA: The information can be found at this link: https://docs.code4rena.com/awarding/incentive-model-and-awards", "I am new in the auditing space and would like to do old contests and read old c4 reports to get better. 
Do you have any contests to recommend?\nA: (No answer provided)", "How can I create these types of code?\nA: You can run a git diff on your terminal, and use backticks with \"diff\" on your report.", "I tried using git diff, but it doesn't work in the report, what can I do?\nA: (No answer provided)", "Does anyone know how to use brownie?\nA: (No answer provided)", "How can I link my c4 profile to my Twitter profile? Is this feature only for certified auditors?\nA: (No answer provided)", "Is there any difference between these two codes: \"uint _last = lastUpdated[user]\" and \"uint last = lastUpdated[user]\"?\nA: (No answer provided)", "Does anyone know how to use brownie?\nA:", "How to bind my c4 profile to re-direct to my twitter profile?, is this for certified auditors?\nA:", "Is there any difference between these two? uint _last = lastUpdated[user]; uint last = lastUpdated[user];\nA:", "I have submitted a report for the first time. How can I check my submission status or report?\nA: You should have received an email verifying your submission. You can also \"view contest\" on the C4 Contest page, click on the \u201cFindings\u201d tab and you will see a list of all your submissions for that contest.", "Can I put all my non-critical findings in one QA report or should I create one QA Report for every finding?\nA: All QA in one.", "Do I want to report a spammer?\nA:", "Do potential med findings need to include POC?\nA:", "Am I not allowed to see others' findings?\nA: That is correct. You can only see the findings you (or your team) have submitted. Once the final report comes out and the findings repo is made public, you can see all the findings that came in.", "How do you actually read reports? In my case, let's say I learnt the concept of reentrancy, now when I go to code4rena and search all the reports related to reentrancy, it just goes over my head. Sometimes it's the function implementation that I don't know, sometimes there is something else. 
Are my fundamentals weak?\nA:", "Do you have a recommended tutorial to study the testing framework of Hardhat? \nA: You could try the Codecademy JS testing module or apply early access to alchemy university where there's a really good explanation on testings in the ethereum bootcamp in week 4.", "Do you have recommended tutorial to study the testing framework of Hardhat?\nA: You could try the Codecademy JS testing module or apply for early access to Alchemy University, which has a good explanation on testings in the Ethereum bootcamp in week 4.", "I am getting an error when I run the forge init command, what could be causing this?\nA: The forge init command can only run on clean directories. You should create a \"new Folder\", run forge init, and then manually copy over the files into the project directory you wished to init in.", "What does it mean when it says \"critical changes should use a two-step procedure\"?\nA: It means changing variables in a two-step process. In step 1 the change is proposed and in step 2 the change is executed. OpenZeppelin's Ownable2Step contract could be used for reference.", "How many times can we submit a report? I submitted a gas report, but now I want to make some changes and resubmit it.\nA: You can submit one combined gas report, and one combined QA report. Also, you can edit existing findings.", "After I registered with Provenance and my KYC was approved, what should I do to get the role here?\nA: Once Provenance processes it, they will inform us and we can get you processed on our side. If you don't hear anything in a few days, you can open a help desk request: https://code4rena.com/help", "I've raised a point where I think I can start to read some reports. What should I read?\nA: You could start with the smaller bounty contests due to smaller codebase sizes and less complexity. 
You can find the reports here: https://code4rena.com/reports", "I forgot which wallet address I used to register, what should I do?\nA: [No Answer Provided]", "From the email I got I am under the impression they did already process it. Will wait a few days then, is that okay?\nA: Yes, that is fine. They will let us know and then we can take it from there. Sometimes it takes a couple of days.", "I've raised a point where I think I can start to read some reports. What should I read? there's plenty of them...\nA: Start with the smaller bounty contests due to smaller codebase sizes and less complexity. You can find them here: https://code4rena.com/reports", "I forgot which wallet address I used to register, what should I do?\nA: Visit https://code4rena.com/help for assistance.", "When does the leaderboard get updated?\nA: The leaderboard gets updated when awards are announced.", "In what case, might a warden get a score of 0 (therefore no award) when reporting a medium issue?\nA: No answer provided.", "I am in the winners list of a contest but I don't have any idea how can I receive my award in my trust wallet. How can I receive my award?\nA: If you are in the list, it will be distributed to your wallet address. Check the announcement channel whether distribution is carried out or not.", "Which address should I put in my account?\nA: Put your polygon address in your account.", "It seems like \"Looksrare\" and \"lsd-network-stakehouse\" reports disappeared from the report page, they were available some days ago. Did you notice that? Should I create a ticket for that?\nA: No answer provided.", "The results are out and I am in the award list but not in the leaderboard, does it take some time to update?\nA: Yes, it takes some time to update. You'll see an announcement in the relevant announcements channel. 
Any PRs that wardens post in the contest channels are not official until they've been reviewed and merged.", "As a warden, what's the easiest way to find how my findings were judged?\nA: Each finding creates a json file, the json file is tied to an issue so it should be doable that way.", "It looks like \"Looksrare\" and \"lsd-network-stakehouse\" reports had disappeared from the report page. They were able some days ago. Did you notice that? Shall I create a ticket for that?\nA:", "Is it takes a little time? As prepo-dec06 results are out and I am in the award list but not in the leaderboard.\nA: It's not announced yet. That was a PR yet to be merged. You'll see an announcement in #\ud83d\udce2announcements . Any PRs that wardens post in the contest channels are not official until they've been reviewed and merged.", "As a warden, what's the easiest way to find how my findings were judged?\nA: Each findings repo has a data folder, and the json files are named as [warden-handle]-[issue number]. Once you find the ones with your warden handle, you can grab the issues numbers and look those up directly.", "Is there any point creating a help request to elaborate why findings were judged incorrectly? Is there anything that can be done?\nA: If you disagree with a decision, there's nothing that can be done if the contest is judged. 
However, if the concern regarding judging is focused on a matter of inconsistency or process or lack of clarity in the rules, review the issues in https://github.com/code-423n4/org/issues.", "How can I get the back stage role?\nA: You can get the backstage role by following the instructions at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "In gas reports, is it necessary to show PoC for the gas saved or writing description and mentioning gas saved is enough?\nA:", "If I meet the backstage access criteria, do I just have to request it with a help request?\nA: Correct.", "I read this report and I wonder how could we convert it to one mapping of address/id to a struct?\nA: You wouldn't as one is for Orders, the other is for Wallets", "I have a question concerning the \"C4 output\". Does it mean every issues reported will appear on the output including High and Medium? I only see gas or NC for most of them. Does it mean as long as your issue is not in the output you can report it and hope to get a reward?\nA:", "How long does it take to get an email from Provenance?\nA:", "How could we convert a report to one mapping of address/id to a struct?\nA: You wouldn't as one is for Orders, the other is for Wallets.", "Does the \"C4 output\" mean every issues reported will appear on the output including High and Medium? \nA: At the Judge's discretion, reports that look like copy pastes, or use the same underlying risk may be deemed out of scope/already known. You may still chain the vulnerability with some other aspect of the code to demonstrate a bigger attack.", "Why is a certain context in the report?\nA: [No direct answer provided]", "How long does it take to get an email from Provenance?\nA: Make sure to check your spam for an email. 
And if you don't hear back within a couple days, you can open a help desk request: https://code4rena.com/help.", "How to change the profile picture?\nA: If you mean the profile picture for your user profile, please submit a help desk request and we can get that updated for you.", "Can we somewhere set/update our Twitter handles?\nA: You can submit a help desk request and we can add your Twitter link for you.", "Can I direct message you?\nA: Sure can.", "I sent a KYC request to provenance, not sure when I can receive the confirmation.\nA: I see this having come in two months ago\u2026 is that right? I'll nudge them.", "How to change the profile picture?\nA: If you mean the profile picture for your user profile, please submit a help desk request and we can get that updated for you.", "Can I dm you?\nA: Sure can.", "When can I receive the confirmation for my KYC request to provenance?\nA: We'll nudge them about your request which came in two months ago. You should hear something today.", "As a warden, what's the easiest way to find how my findings were judged? Are there any open source tools that calculate the points & rewards taking into account duplicate findings etc? What tool do C4 judges use to do it?\nA: [No answer provided]", "I participated in opensea-seaport, can I make it?\nA: Yes - all we ask is that wardens start the process within 48h of contest close. 
We just can't distribute awards to you until you complete the process.", "Can I get the role of \"certified\" now that I am approved?\nA: [No answer provided]", "If the automated findings talks about encodedPacked as a low issue does that mean any medium/high issues stemming from encodedPacked are not eligible?\nA: Visit this link for information on submission policy for automated findings: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible", "How much can you earn by identifying gas optimizations?\nA: The earnings depend on how good you are at it.", "Is there a contest channel for the Quests Protocol?\nA: Yes, it's #rabbithole-quest-jan25.", "What kind of architectures do you see that protocols use as the most brittle?\nA: [No answer provided].", "How much can you earn by identifying gas optimizations?\nA: It depends on how good you are at it.", "Is there a contest channel for the Quests Protocol?\nA: Yes, the contest channel for the Quests Protocol is #rabbithole-quest-jan25.", "Will a grade-b in QA receive awards?\nA: Yes, a grade-b in QA will receive awards.", "If one submits a QA issue, will a judge elevate its severity to M/H if necessary?\nA: Yes, a judge will elevate the severity of a QA issue to M/H unless the QA entry lacks a detailed description.", "I submitted one QA issue but I did not know that I can submit it only once. Now I found another error but I can't add another QA submission. 
Can I edit the actual one?\nA: Yes, you can edit the actual QA submission.", "If a function has a first check from storage, and then a second if statement checks the calldata, does swapping the order optimize the gas, because if calldata check fails it won't even go to the storage check?\nA: The answer was not provided in the chat.", "If we find a bug in code which is medium severity and also affects gas, Can we submit it in both medium and gas findings?\nA: The answer was not provided in the chat.", "What are Scout awards?\nA: A Scout is a certified contributor and there is an award provided for serving in this capacity. More information can be found [here](https://docs.code4rena.com/roles/certified-contributors).", "What is \"The C4audit output\"? Is it an automated tool created by C4?\nA: The answer was not provided in the chat.", "Are there any open source tools that calculate the points & rewards taking into account duplicate findings etc? What tool do the C4 judges use to do it?\nA: If you want to create a table with all wardens and their deduplicated findings, the easiest way is to parse the findings.csv. This can be found [here](https://github.com/code-423n4/code423n4.com/tree/main/_data/findings).", "Can we submit a bug in code which is medium severity and also affects gas in both medium and gas findings?\nA: [No answer provided]", "What are Scout awards?\nA: A Scout is a certified contributor and there is an award provided for serving in this capacity. More information can be found at https://docs.code4rena.com/roles/certified-contributors", "What is \"The C4audit output\"?\nA: The C4audit output refers to a tool used by C4 to generate automated findings for each contest. The current tool being used is https://github.com/Picodes/4naly3er. Automated findings are not eligible for rewards. 
More info can be found at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible", "Are there any open source tools that calculate the points & rewards taking into account duplicate findings etc?\nA: If you want to create a table with all wardens and their deduplicated findings, the easiest way is to parse the findings.csv found at https://github.com/code-423n4/code423n4.com/tree/main/_data/findings", "When submitting a report how does one upload an image?\nA: The steps are as follows:\n1. Register a free account on https://cloudinary.com/\n2. Upload the image, e.g. sample.jpg\n3. Copy the image URL\n4. Create the image link using the following markdown compatible format: ![image title](image URL)\n5. Test with a functional link", "I've made few submissions for a content but I don't see my submissions on Findings tab and therefore can't edit them. Who can help?\nA: [No answer provided]", "I just submitted my first ever finding - what can I expect as a follow up?\nA: [No answer provided]", "I don't understand how to fill this part when submitting a finding: Proof of Concept; Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.\nA: The main goal of a POC is showing the bug and its impact. You can copy paste in the markdown file or write it in a gist and copy the link. Another accepted POC is that you can copy pasting the code with detailed comment about the bug itself and its impact. Making a simple example about the bug with little comments but also showing the impact sometimes is also accepted.", "Is writing a Proof of Concept a lot of work?\nA: Yes, writing a Proof of Concept can be a lot of work. However, issues found by fewer people tend to get more rewards. 
You can choose to write the best POC for those bugs you think have more chance of being unique, and write good enough POC for those which you think will be reported by more people.", "Do we need KYC/ to be certified to receive the rewards? Or is that only applicable to private audits?\nA: [No answer provided]", "How are rewards distributed if a finding is reported by multiple people?\nA: [No answer provided]", "Is writing PoC a lot of work? \nA: Yes, writing a PoC can be challenging. However, issues found by fewer people tend to get more rewards. The better the PoC, the higher the chance of being rewarded. [Reference: https://github.com/code-423n4/2022-10-inverse-findings/issues/215, https://github.com/code-423n4/2022-10-inverse-findings/issues/83]", "Do we need KYC or certification to receive the rewards? Is it only applicable to private audits?\nA: Most contests do not require being KYC'd. Any contests with a KYC requirement will have that stated. [Reference: https://docs.code4rena.com/roles/certified-contributors]", "How are rewards distributed if an issue is found by multiple people?\nA: The rewards are determined based on the grading of the reports. Grade A reports count as 2 shares, grade B as 1, and the best report has a 30% bonus. 
The rewards per share are then calculated based on a specific formula.", "Once a submission is confirmed and the reward amounts are announced, all I have to do is wait for it to go to my wallet?\nA: Yes, you just need to wait for the rewards to be transferred to your wallet.", "Is Code4rena okay with disclosing vulnerabilities to sponsors?\nA: [No answer provided]", "Can I do a new submission of the same issue if I feel my earlier bug submission wasn't detailed enough?\nA: Yes, you can withdraw your old issue and make a new submission.", "If I evaluate an issue as low and put it in a QA report but it is later judged as medium, will I still get the reward?\nA: [No answer provided]", "If code can be simplified, like combining two loops into one, is it a QA report or a GAS optimization?\nA: [No answer provided]", "How can I add color to the text and code snippet in my reports?\nA: You can use presets for code when doing a code block. Javascript is usually used for solidity and diff for diff.\n", "Is there any documentation available for adding color to the text and code snippet in my reports?\nA: [No answer provided]", "Any update on this? It's been a while.\nA: Checked in with them and they let us know you are approved. We'll get your status updated in the next day or two.", "If code can be simplified, like 2 for loops combined in a single one, is it a QA report or GAS optimization?\nA:", "How can I add color to the text and code snippet?\nA: You can use presets for code when doing a code block, usually JavaScript is used for solidity (and diff for diff).", "Is there any documentation for adding color to the text and code snippet?\nA: It's just standard markdown, so it should be easily Googleable. The preview doesn't show colors though.", "Is CodeArena okay with disclosing vulnerabilities to sponsors? Or is it not recommended?\nA: We encourage you to reach out to the sponsor team during the contest if you think you've found something and want to ask questions. 
The sponsors who are available to answer questions via DM are typically tagged in the welcome message in the contest channel. You're also welcome to disclose a vuln directly to them, just don't forget to submit it via the contest submission form or it won't be eligible for awards.", "If I evaluate an issue as low and put it in a QA report but it is judged as medium, will I get the reward? Can issues be upgraded from QA report into med/high?\nA: [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum)", "Could someone from admins/moderators DM me, have a small question about one of the contest. Don't want to drop it here, cause it's a security issue.\nA: Hi there! Can you please submit a help request with your question and our team can take a look? [https://code4rena.com/help](https://code4rena.com/help)", "If I evaluate an issue as low and put it in QA report but it is judged as medium, will I get the reward? Can issues be upgraded from QA report into med/high?\nA: [Answer not provided]", "Could someone from admins/moderators DM me, have a small question about one of the contest. Don't want to drop it here, cause it's a security issue?\nA: Hi there! Can you please submit a help request with your question and our team can take a look? 
[Link](https://code4rena.com/help)", "Is it possible to call the safeTransferFrom function of an ERC-777 token contract in another smart contract, causing the function in that contract to be executed?\nA: [Answer not provided]", "Shouldn't we need to approve the address first?\nA: It's just a simple example for understanding.", "Is there a way for wardens to see the information that was previously in \"_data/contests/contests.csv\"?\nA: [Answer not provided]", "Can I share the posts in #\u270brsvp and #\ud83d\udce2announcements on my private server? Can these be made into \"announcement channels\"?\nA: You can add this to the #\ud83d\udce5suggestion-box if you'd like so it doesn't get lost here.", "Do I have to handle the tax issue for C4 bounty myself? Does KYC firm report our earning so we do not have to report tax ourselves?\nA: Taxes are your \"obligation\" to the government (usually punishable for non-compliance). Neither C4 nor Provenance has anything to do with it. In some if not most countries, banks can report your income to the government.", "Can we still submit the same issue that was found with the automated finding but it is a different instance that was not posted on the automated findings?\nA: Depends on the judge, but generally you can't, because the whole finding is out of scope. The only time you can report Automated findings is when they have more of an impact than expected.", "I forgot my password but didn't get any email when I click on forget password. How do I retrieve my account?\nA: [Answer not provided]", "Can we still submit the same issue that was found with the automated finding but it is a different instance that was not posted on the automated findings?\nA: Depends on the judge, but generally you can't, because the whole finding is out of scope. The only time you can report Automated findings is when they have more of an impact than expected.", "I forgot my password but didn't get any email when I click on forget password. 
How do I retrieve my account?\nA:", "I want to share the posts in #\u270brsvp and #\ud83d\udce2announcements on my private server. Can these be made into \"announcement channels\"?\nA: You can add this to the #\ud83d\udce5suggestion-box so it doesn't get lost here.", "Where can I find feedback to my submissions? I went through the repos, but failed to find submissions, let alone feedback. I'm looking at contests which have been judged already, namely: eschercaviarprePO\nA: https://github.com/code-423n4/2022-12-prepo-findings/issues/335", "What risk label should I use if I am not sure that a finding is high or medium risk?\nA: Probably Medium and then you can argue why it may be raised. However, you should never have this doubt, the doubt itself means you may need to work on your POC to be able to either Steal Principal (High) or Yield (Med).", "If there is no principal involved, or users can't interact with the underlying principal, how can a high risk finding be defined? Supposing that a finding breaks the protocol, should I always set a medium risk if there are no stolen funds?\nA: If it's broken without conditionality, it's probably still high. Check some recent reports and you should find a similar situation. 
Also note that if it's stealing 1 wei of assets because of a rounding issue, that wouldn't count as a high.", "If I have doubts about if a finding is only QA or Medium, what should I do?\nA: Prob file as QA unless POC is coded, and really high quality.", "If any user can call functionA on the contract with address(0) as one of the parameters and it has no impact at all just the annoyance of a mapping being filled with random entries, is that even worth reporting as informational or is it accepted as known risks and is fine?\nA: Send as QA - Informational.", "If any user can call functionB on a contract and it mints an internal (user id type) token on behalf of any address as many times as they wish, once again no impact except minting random tokens, is that worth reporting?\nA: Sounds informational as well due to lack of impact. This could be the start of a bigger exploit, but as is, send in the QA.", "May I ask you something in a private message?\nA: Sure", "If any user can call functionA on the contract with address(0) as one of the parameters and it has no impact at all just the annoyance of a mapping being filled with random entries, is that even worth reporting as informational or is it accepted as known risks and is fine?\nA: Send as QA - Informational", "If any user can call functionB on a contract and it mints an internal (user id type) token on behalf of any address as many times as they wish, once again no impact except minting random tokens, is that worth reporting?\nA: Sounds informational as well due to lack of impact. 
This could be the start of a bigger exploit, but as is, send in the QA", "Should I exclude all known issues from my gas report?\nA: Yes", "Do sponsors see the submissions before the contest ends?\nA: Usually not", "Aren't sponsors trusted by c4 to be the only ones privy to the vulns?\nA: It would not be fair, since sponsors can sybil the vulns to get their money back.", "Why are wardens supposed to trust sponsors and discuss vulns with them? If I found a vuln and discussed it with the sponsors and they decided to submit it themselves, it wouldn't be fair to the duplicates. So either sponsors should be trusted with the vulns or wardens should be asked not to disclose anything they found.\nA: If a vuln is so important that sponsors have to know immediately, a DM works better in any regards. It's probably a balance of trust and what permission is actually required.", "How many active judges does c4 have currently?\nA: (No Answer)", "The table displayed here is nice to get an overview of the rewards: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic. Is a table like this one produced for each contest? I would find it really useful to have this data in a sheet/table. I could make it myself using the contest result page, but it's a bit too much work for the reward.\nA: (No Answer)", "I am a beginner and facing issue in understanding certain code instances.\nA: (No Answer)", "How many active judges does c4 have currently? \nA:", "Is a table like the one displayed here https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic produced for each contest? \nA:", "I am a beginner and facing issue in understanding certain code instances, what should I do?\nA: You would make 1 report and reference the 3 issues in 1 as it's of the same nature.", "Does anyone else has issues signing into code4rena now? 
\nA: I just signed in with user/pass with no issue.", "What does the \"edited-by-warden\" tag on my submitted issue mean?\nA: It means you used the Website to change it after you sent it.", "Can we discuss findings just after a contest ended or is it better to wait for the report to be published, if so, why? \nA: Sponsors need time to fix issues, so discussing before the report is released is not allowed.", "Does the order that wardens report a duplicate bug in impact how much they get paid? \nA: No, the order does not matter.", "What happens when there are no valid HMs? How does the pool get distributed? \nA: If no Med/High vulns are found, the full pool would be divided based on the QA Report curve.", "How long usually does it take to gain +backstage access after the submission of request? \nA:", "Is there an upcoming contests list? \nA: They usually get listed on c4 main page: https://code4rena.com. Currently its empty but will get updated regularly.", "What happens when there are no valid HMs? How does the pool get distributed?\nA: The full pool would then be divided based on the QA Report curve.", "How long usually takes to gain +backstage access after the submission of request?\nA:", "Is there an upcoming contests list?\nA: Contests are usually listed on C4 main page: https://code4rena.com. It gets updated regularly.", "Are front-running possibilities considered Medium findings or QA ?\nA: It depends on the impact.", "How is QA graded? One score for the whole QA or each item has a score?\nA:", "Does POC for HM bugs require actual code or just logic?\nA:", "Which has a higher prize margin...QA or Gas findings?\nA:", "Is there a page (like a user profile), where I can see the count of my submitted vulnerabilities, and how many of them were approved?\nA: After each contest ends, the leaderboard gets updated and you can see the number of overall issues you reported. 
https://code4rena.com/leaderboard", "Are solidity tests alone considered PoC for Medium/High findings?\nA: You can write proof of concept in anything you want (e.g. Solidity, Python, JS), as long as you show the vulnerability is working.", "Is it possible to report a variety of findings based on different combinations of issues found to create different attacks? Are those considered valid findings?\nA:", "How to add a code block in reporting section?\nA: Reporting sections supports MD format, so you can use code blocks in MD. https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks", "What will be the next contest after Popcorn? Is it possible that there is no contest for a while?\nA: You can check the #\u270brsvp channel to know what's next, currently there is none.", "Hi could anyone answer this for me https://discord.com/channels/810916927919620096/810931711609143326/1071044665731715122\nA:", "How to add a code block in the reporting section? \nA: The reporting sections supports Markdown (MD) format, so you can refer to the guidelines for code blocks in MD. Here's a helpful link: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.", "What will be the next contest after Popcorn? Is it possible that there is no contest for a while? \nA: You can check the #\u270brsvp channel to know what's next, currently there is none. This could be a great time to take some rest and review the past reports.", "Is it possible to report a variety of findings based on different combinations of issues found to create different attacks? Are those considered valid findings? \nA: If the root cause is the same, it will be accounted as duplicates of each other.", "Is anyone else having trouble submitting findings? \nA: No answer provided.", "What if I submitted something to the contest, but my name wasn't mentioned in the report? 
Since that's my first try and I think my report has relatively low quality, will that affect my future submit? \nA: No, that will not affect your future submissions. That will only affect your leaderboard ranking a bit.", "You mean the leaderboard of this contest, or the total leaderboard? \nA: Both, it will definitely gonna affect the contest leaderboard as well. Also, the total leaderboard will not be affected that much. It will just gonna show that you participated in a contest and did not find any valid findings. But don't worry that's not gonna affect that much in the long run as the leaderboard depends upon the money more.", "How long usually takes to gain +backstage access after the submission of request? \nA: The backstage processing is currently paused. However, once it restarts, if you've met all the requirements listed in the docs, your application will be processed. Typically it takes around 24 hours after the KYC got admitted.", "How do I add the solidity syntax to code blocks? I'm submitting my first issue. \nA: The reporting sections supports Markdown (MD) format, so you can refer to the guidelines for code blocks in MD. Here's a helpful link: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.", "Can you confirm if you've submitted findings for any contests recently?\nA: Yes, I meet all the requirements listed in the docs.", "How do I add the solidity syntax to code blocks when submitting an issue?\nA: Reporting sections supports MD format, so you can take a look for code blocks in MD. 
[Link](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks)", "When will be announced new contests?\nA: Keep an eye on the RSVP channel to get notified of upcoming contests.", "Are more reserved contests coming soon?\nA: [No answer provided]", "How do I add screenshots to a finding?\nA: It's recommended not to add screenshots in general as they can be a security issue.", "How long does it take for reports to get checked?\nA: Generally, reports get reviewed and triaged immediately after the contest ends by the judges but then await sponsor review and final judging and QA before they are made public.", "Do wardens get notified of new contests in any way?\nA: [No answer provided]", "Where can we see current ongoing contests?\nA: The team is currently talking to a number of projects about upcoming audits, implying that there are currently no ongoing contests.", "If there is a problem with the report, are the wardens called at the end of review or after it's published?\nA: Comments in reports are between judges and sponsors generally. Sometimes there are comments from backstage wardens, but it's rarer for these to end up in a report.", "If there is a problem with the report, do they call wardens at the end of review or after it's published?\nA: The comments in reports are usually between judges and sponsors. 
Sometimes there are comments from backstage wardens, but that is rarer to end up in a report.", "Where can we see current ongoing contests?\nA: The team just finished a number of contests and are currently in discussion with various projects about upcoming audits.", "When is the next contest?\nA: Not specified, but it's indicated that there seems to be a break in contests for the time being.", "Is money necessary for testing smart contracts in contests?\nA: No, money is not necessary for testing smart contracts in contests.", "In the 2022-06-putty-findings report, what does the label 'old-submission-method' mean?\nA: The label 'old-submission-method' was used around the time the company rolled out wallet-based auth for the C4 website and submission form, but still continued to support non-logged-in users for some time. It's likely this label was used to track which version of the submission form was used, for relevancy in data (e.g. for filtering out spam, etc.).", "Do medium risk vulnerabilities require test codes as proofs of concept when writing reports, similar to high risk vulnerabilities?\nA: Ideally, yes, medium risk vulnerabilities should also require test codes as proofs of concept.", "Why isn't my name in the leaderboard anymore?\nA: By default, the leaderboard shows the results of the last 60 days. You need to change the setting to the appropriate year to see your name if it has been more than 60 days.", "Do risk 2 (med) vulnerabilities require test codes as PoCs? Like when writing reports do Med vulnerabilities require it to be validated like High vulnerabilities?\nA: Ideally yes.", "Why isn't my name in the leaderboard anymore?\nA: By default, the leaderboard will show last 60 days results. Change it to 2022 and you should find your name.", "Can anyone explain or at least give me a reference on the first automated gas optimization detected by the automated c4udit tool that is used for the code4rena automated findings? 
The one labelled 'Use assembly to check for address(0)'.\nA: You can find a description of the issue here: https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs. Using assembly could save a few gas.", "What does the yellow icon mean?\nA: The explanation is provided down there in the chat.", "In the \"Past competition status updates,\" there is no Blockswap FV contest. Is there a reason for that?\nA:", "Do required-KYC contests have an impact on the leaderboard? If so, is it fair for non-KYCed wardens?\nA: Much is unfair to non-KYC wardens, but it is their choice or the law. Most contests don't require KYC.", "Does code4rena need any volunteers to help out?\nA:", "What does it mean Versus Mitigation contest?\nA: Versus contests are usually private - they are invite only/top wardens.", "When is the next contest?\nA:", "I sent a ticket a few days ago and didn't get a reply yet. Can anyone from C4 confirm?\nA:", "Does code4rena need any volunteers to help out?\nA: [No answer provided]", "What does it mean Versus Mitigation contest?\nA: Versus contests are usually private - they are invite only/top wardens.", "When is the next contest?\nA: [No answer provided]", "I sent a ticket a few days ago and didn't get a reply yet. Can anyone from Code4Arena confirm?\nA: [No answer provided]", "Can anybody help me understand the section [M-02] PRICE WILL NOT ALWAYS BE 18 DECIMALS, AS EXPECTED AND OUTLINED IN THE COMMENTS from caviar report?\nA: [No answer provided]", "Does Code4Arena attend events like ETH.NYC or ETH.Denver?\nA: Most of the Code4Arena growth team will be there.", "Is there a foundry equivalent of \"upgrades.deployProxy\" from the hardhat?\nA: It's probably easiest to roll your own solution, but this link may be helpful: https://github.com/chugsplash/chugsplash-foundry. Alternatively, you can upgrade your proxy to the implementation you deployed and wrap the contract type of your implementation around the proxy. 
No need for any lib.", "I just looked at the results (draft) from my first contest and it looks like out of 8 issues I submitted only one was considered valid. How can I get information about why 7 of them were invalid?\nA: [No answer provided]", "What is a vs contest?\nA: [No answer provided]", "How can I get information about why 7 of my issues were invalid from my first contest? \nA: [No answer provided]", "What is vs contest? \nA: A slightly different contest with only 3 wardens!", "What are the differences in a vs contest? \nA: The versus aspect is just to do with the number of wardens participating, but there is an RSVP process and the best performing wardens get first choice.", "Do you guys have projects/contracts that did a Fairlaunch? Or had anti-bot-measures?\nA: [No answer provided]", "How do I know when a contest is going to be open to the public?\nA: By checking the #\u270brsvp channel.", "Can you help me to change my avatar on the site?\nA: You can submit a help desk request: https://code4rena.com/help", "The repo link at https://code4rena.com/contests/2023-02-gogopool-versus-mitigation-contest doesn't work anymore, can you help?\nA: The next public contest begins on Feb 16th. For more details check out the #\u270brsvp channel.", "Do I need to participate in 3 public contests to get into the list for private contests to prove I can submit findings?\nA: [No answer provided]", "Can you help me to change my avatar on the site?\nA: You can submit a help desk request: https://code4rena.com/help", "The repo link at https://code4rena.com/contests/2023-02-gogopool-versus-mitigation-contest doesn't work anymore, what should I do?\nA: The next public contest begins on Feb 16th. For more details check out the #\u270brsvp channel.", "Do I need to participate in 3 public contests to get into the list for private contests to prove I can submit findings?\nA: You need to at least become a certified warden. 
Getting on the leaderboard will then help enhance your ability to qualify for private contests. Getting on the leaderboard also unlocks backstage access. For more information, check out: https://docs.code4rena.com/roles/certified-contributors", "Is the Judge application opening soon?\nA: You just missed the window, applications were until a week ago https://discord.com/channels/810916927919620096/810936719003090974/1070057724768960702", "How do you register for the audit coming up?\nA: You don't need to, it's a public audit.", "Does anyone know if someone posted solutions/explanations for the latest version of damn vulnerable defi CTF or where to find it?\nA:", "C4 docs mention: For each unique High or Medium finding, the submission selected for inclusion in the audit report receives a 30% share bonus. 30% of what? User's share or the finding's share?\nA: It's 1 High reward + 0.3 High reward. For every solo high, a warden gets 1.3.", "Can one explain the \"scout\" role?\nA: Scouts are technical reviewers that look at repos ahead of contest launch to ensure they are ready for the contest.", "Can anyone provide a one-liner where it appends user-provided strings at the end of a string for ex xy a,b,c and the output is xya , xyb , xyc?\nA:", "Can someone explain the \"scout\" role?\nA: Scouts are technical reviewers that look at repositories ahead of contest launch to ensure they are ready for the contest.", "Can you provide a one liner where it appends user provided strings at the end of a string for example: xy a,b,c and the output is xya, xyb, xyc?\nA: [No answer provided]", "For each unique High or Medium finding, the submission selected for inclusion in the audit report receives a 30% share bonus. 30% of what? 
User's share or the finding's share?\nA: It is 1 High reward + 0.3 High reward.", "So for every solo high, a warden gets 1.3?\nA: Yes, it's the same for mediums too.", "If there are duplicates of the finding, which report gets the 30% bonus of the finding share?\nA: The best report which describes the finding gets the 30% bonus of the finding share.", "How to know if a contest is public or private? And how do we participate?\nA: Private ones would ask you to be a certified warden (KYC completion). Mostly, they are public contests, even the private ones are listed but you need to be eligible to participate.", "Can we confirm the exact implementation from award calculation script? Is that public?\nA: The formula is public but not the script.", "Only someone from C4 team can confirm the exact implementation from award calculation script, right?\nA: [No answer provided]", "If there are no duplicates, does a user get 1 calculated high share + 30% of the same share?\nA: If it's a solo, that's better than the 30% bonus. You get all the share of that finding. However, the 30% bonus is applied to solo findings as well. So, you get 1.3 of the share for a solo finding.", "Why is there a bonus? How can the report be best if it is a solo bug?\nA: [No answer provided]", "So if there is no duplicates user don't get 1 calculated high share + 30% of the same share?\nA: If it's a solo, that's better than the 30% bonus. You get all the share of that finding.", "I think 30% bonus is applied to solo findings as well. So 1.3. Is that right?\nA: Yes, that's even better.", "But why the bonus? How can the report be best if it is a solo bug?\nA: If it's a solo bug, it means no one else found it.", "What is the bonus for?\nA: The bonus is for the Selected for report.", "How does one access the private audit contest?\nA: To access the private audit contest, you need to be certified warden. 
More info can be found [here](https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0).", "In the \"Past competition status updates\" of this and last week, there is no Blockswap FV contest. Is there a reason for that?\nA: The FV contest doesn\u2019t work the same and so is just not really in the flow where we visualize status. The assumption is Certora is still judging.", "How can I join a private audit?\nA: To join a private audit, you will need to complete the KYC process and become certified. More info can be found [here](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints).", "How long usually is the KYC process?\nA: The KYC process usually takes a few days.", "Can you help me to change my avatar on the site?\nA: This should now be completed.", "I passed the KYC and was approved but I can't access private contests. Why?\nA: No answer provided.", "My KYC process completed but I still can't participate in the private contest. Why?\nA: No answer provided.", "How long does it take to know the results of the contest?\nA: No answer provided.", "How long is the KYC process usually?\nA: The KYC process usually takes a few days.", "Can you help me to change my avatar on the site?\nA: Your request to change your avatar on the site should now be completed.", "I passed the KYC and was approved but why can't I access private contests?\nA: You can't access private contests because you don't yet have the certified status on your handle. You can create a help desk request and someone can take a look. [https://code4rena.com/help]", "How long does it take to know the results of the contest?\nA: It generally takes about 2 months to know the results of the contest.", "Do I need to go through KYC and wait days before even getting started on the majority of projects that are restricted?\nA: Yes, you can go through KYC to qualify for future, private contests but there is also a public contest scheduled to open. 
You can check this in the #\u270brsvp channel. [https://docs.code4rena.com/roles/certified-contributors]", "Can I see the result of my findings after 2 months?\nA: Yes, give or take. You can see results after the report is posted.", "What is meant by \"versus\" in a contest name?\nA: No answer provided.", "Are more RSVP contests coming?\nA: Yes, more contests may be coming. Keep an eye out on the RSVP channels.", "I would like to do a write-up of some issue/bug I found on a project. The leaderboard has been shown and rewards have been sent but the final report has not appeared on the C4 site. From social media the project also seems to have finished implementing the bugfixes and launched. Is it okay for me to do that or just wait until the full public report has been published?\nA: Please hold until the report is published.", "Are there more RSVP contests coming?\nA: Keep an eye out on the RSVP channels. One contest is likely to start tomorrow.", "Can I write-up an issue/bug I found on a project even if the final report has not appeared on the C4 site yet?\nA: Please hold until the report is published on the C4 site.", "What does the token provide within the CodeArena community?\nA: The token provides voting rights for the dao, which includes authority over the treasury.", "Can I change the Login Address to my CodeArena account later on?\nA: [No answer provided]", "How do I start a contest and get into C4 auditing?\nA: The #\ud83c\udfebeducation channel is a good place to start. 
There\u2019s a bunch of resources shared in there, and if you have specific questions about getting started, that\u2019s the best place to put them.", "How do I join an audit contest?\nA: Keep a lookout on the contest page here: https://code4rena.com/contests - an open competition is starting soon which you can join after signing up as a warden.", "Do private, versus & mitigation audits impact the leaderboard?\nA: [No answer provided]", "Once certified, what do I need to do to participate in private contests?\nA: RSVP in the rsvp-certified channel and ensure you're high on the leaderboards from the last 90 days.", "I sent my identity to certify myself, how long does it take to check it? How can I influence the certification process?\nA: [No specific answer provided]. However, you can create a help desk request and someone can take a look.", "What do you need to do to participate in private contests once you get certified?\nA: You need to RSVP in the rsvp-certified channel and ensure you're high on the leaderboards from the last 90 days.", "How long does it take to check my identity for certification, and what can I do if I'm not certified yet?\nA: There is no specific timeline mentioned. However, if you're not certified yet even after getting a response, you can create a help desk request to expedite the process.", "Do private, versus & mitigation audits impact the leaderboard?\nA: Currently, they do not impact the leaderboard, but there has been discussion about including them in the future.", "Is there any incentive to submit an issue faster, or if someone else found the same issue, do both get paid the same?\nA: No, there is no incentive to submit an issue faster, and both parties get paid the same.", "Why are there messages about private contests in the announcements channel?\nA: It might be a misunderstanding. The Reserve mitigation review contest is private, whereas the Ethos Reserve contest is open to the public. 
Each project has different audits.", "Which types of findings are considered to be performed by a robot? What is the procedure of finding some bugs via robots such as ChatGPT? And how do you recognize a finding is generated by these parties?\nA: There is no clear answer provided. However, one issue with using tools like ChatGPT is that they might not be useful without inputting the full codebase, which could be large and span different files.\n", "If my KYC application is approved, but I can't access private contests, what should I do next?\nA: No answer was provided in the chat.", "What are some good sources to study the compound codebase?\nA: It was suggested that this question might be better suited for the #\ud83c\udfebeducation channel, but no specific sources were provided in the chat.", "Which types of findings are considered to be performed by a robot?\nA:", "What is the procedure of finding some bugs via robots such as ChatGPT?\nA:", "How do you recognize a finding is generated by these parties?\nA:", "Why can't a full codebase be input into chatGPT for bug reporting?\nA: The issue with chatGPT is that, for example, a project may have 2000 lines of code spanning in different files, we cannot import all the folder into chatGPT.", "Why is the bug report generated by chatGPT not very useful without the full codebase input?\nA:", "My application for the KYC has been approved, but I can't access private contests. What should I do next?\nA:", "What are some good sources to study the compound codebase?\nA:", "Is it possible to know in advance if future contests will be restricted or not? For example, USDC Kuma?\nA: To confirm which contests are public, you can check the #\u270brsvp channel. As we get new public contests coming, they will be posted in the channel. If you become certified, you'll also be able to see the private contests that are coming in discord. 
All contests are listed on the website.", "Is there a way to change the login address?\nA: It\u2019s not supported, if your account has been compromised please submit a help desk request with details and a mycrypto.com signed message - we\u2019ll follow up on Monday AM.", "Is discussing a potential submission with the project's dev team allowed during a contest?\nA: Yes, you can speak to the sponsor either in the contest channel or request to DM.", "Is there token staking for the ARENA token?\nA: No.", "Curious if we found a high or medium issue. Should we need to submit to C4 immediately? Or submit on the last day also fine?\nA: Submitting on the last day is just fine.", "Is there a no token staking for ARENA token?\nA: No.", "Is discussing a potential submission with the project's dev team allowed during a contest?\nA: A potential submission should not be discussed in the contest channel. If it turns into a valid one, it might be revealed to others. This would be unfair overall for all participants.", "If we found a high, medium issue, should we need to submit to C4 immediately? Or submit in the last day also fine?\nA: Submitting on the last day is just fine, but not too close to the contest close time.", "Aren't there any upcoming contests? Is there a specific reason behind this contest number descend or it is normal in C4?\nA: It's normal in C4. There will not be time to audit once the top tier projects suddenly appear in the #rsvp channel.", "How can I see my findings, if the contest has ended, but now it is in the judging process? Is it possible?\nA: It takes time until the repo is made public. You should wait for the report to be published. Then, you can see the status of your submissions.", "When dealing with upgradeable contracts, is there any edge case where the implementation contract storage can be used somehow to affect the delegate caller contract?\nA: No, it should not be possible. 
When you use delegatecall, the code of the target gets used by the EVM and there is no access to the target's storage or anything.", "Is it worth going to ETH.Denver?\nA: [Answer is not provided in the chat.]", "Am I able to see my findings, even they haven't been accepted?\nA: Yes, when the repository is made public, anyone has access to all the submissions whether they're valid or not.", "When dealing with upgradeable contracts, is there any edge case where the implementation contract storage can be used somehow to affect the delegate caller contract?\nA: No, when you use delegatecall, the code of the target gets used by the EVM and there is no access to the target's storage or anything.", "Is it worth to go to ETH.Denver?\nA: Some of the C4 team will be there, so if you decide to go, you can see Sock's talk and meet them.", "I am reviewing https://github.com/code-423n4/2022-12-caviar :src/Pair.sol on Remix and try to compile it. But remix complains that it cannot find the external imports. Can someone help me or give me a hint?\nA: You can clone the whole repository and install the dependencies with forge, just run forge build and the dependencies contracts would be installed for you. Another way would be to include the contracts manually on remix from OpenZeppelin contract repo and Solmate.", "How do I integrate remix or other static analyzer together with forge build?\nA: To use slither alongside foundry's remappings you might need to identify those remappings for slither. This is doable with slither sec/Pair.sol --solc-remaps 'solmate/=path/to/solmate\\nopenzeppelin/=path/to/openzeppelin'.", "How do I change the profile icon on code4rena.com leaderboard?\nA: You can submit a help desk request: https://code4rena.com/help", "What's the difference between versus contest and reserve contest?\nA: There is more info about Versus contests here: https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef. 
Reserve might be part of a sponsor name you're looking at.", "How do I change the profile icon on code4rena.com leaderboard?\nA: You can submit a help desk request: https://code4rena.com/help", "What's the difference between versus contest and reserve contest?\nA: There is more info about Versus contests here: https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef . Reserve might be part of a sponsor name you're looking at.", "More contest please?\nA: Ethos is big enough to keep wardens busy for a while.", "Who can I speak to about on-boarding an entire ecosystem similar to what y'all are doing with Cosmos?\nA: You can DM to discuss it further.", "If there is a line like -> require(abc<123) that is used, is it considered a valid low finding as a \"magic number, consider declaring constant value to make code more readable\"?\nA:", "I remember reading something about getting access to the findings repo when the contests end instead of waiting for it to be published after the results are in. What does it take to get that access? Is it documented somewhere?\nA: It's the backstage access but the applications are suspended until further notice by the C4 team. You can find more info on Docs section of code4rena.com. Plus, being certified is a pre-req for backstage access.", "How to get certified?\nA: You can take a look at the doc which provides a link to complete the form: https://docs.code4rena.com/roles/certified-contributors", "Will this be recorded?\nA: Yes, it will be.", "What is some resource or roadmap to learn about web2 security that is relevant in the context of web3 security?\nA:", "Will this be recorded? \nA: Yes, it will be recorded.", "What is some resource or roadmap to learn about web2 security that is relevant in the context web3 security?\nA: N/A", "Would love to see the rewarding formula for mitigation contest. \nA: N/A", "Is there a tool for solidity that makes sequence diagram? (not the uml diagram one e.g. 
Sol2uml) \nA: N/A", "Are Low issues and Non critical issues considered as QA?\nA: Yes, Low issues and Non critical issues are considered as QA.", "In this issue, why use storage or calldata and not memory, is it cheaper?\nA: Caching a storage pointer avoids re-computing the position so it's cheaper for that reason. Using calldata for read only arrays is cheaper because they don't need to be iterated and copied into memory.", "Can someone help me debug this test contract... I think there is a problem in the setup it keeps showing [FAIL. Reason: Setup failed: Index out of bounds] setUp()?\nA: It sounds like you're accessing an index that you did not define for an array, try array[0] or something similar.", "If we have an issue, which we believe is a mid, but in fact it's a legitimate low. Do you, as a judge, downgrade it to a low (being that it's not a mid as initially submitted) or discard it completely? This brings the next question of, if discarded, can we, by default include all \"uncertain\" mids also as lows as a \"safe\" practice?\nA: N/A", "How do I register for a contest? \nA: N/A", "If we have an issue, which we believe is a mid, but in fact it's a legitimate low. Do you, as a judge, downgrade it to a low (being that it's not a mid as initially submitted) or discard it completely? Can we, by default include all \"uncertain\" mids also as lows as a \"safe\" practice?\nA: Depending if it's a high-quality submission or low effort, some judges may discard a low-effort submission if improperly filed. Ultimately if you don't know what the severity is, you should work on the POC until it becomes obvious.", "How do I register for a contest?\nA: [No Answer]", "How to write Gas Optimizations report?\nA: [No Answer]", "Should the contract verify all immutable addresses to zero addresses?\nA: [No Answer]", "Any update on the upcoming Aragon contest? 
An update will help wardens to better schedule their auditing efforts.\nA: Generally scheduling is not in our hands; we\u2019re always talking to sponsors about upcoming audits but they are in the driver\u2019s seat as far as when those start.", "When adding code blocks, if we use the embedded github URL, then the code will be rendered in the issue nicely? Is this preferred or the code markdown?\nA: For C4 always add the code via markdown to ensure it shows in the report.", "I have either forgotten my username or something else is wrong as I am unable to Log In to CodeArena. Is there any other option I can try to retrieve that information?\nA: [No Answer]", "When will the recording be uploaded to the C4 YouTube channel?\nA: Currently uploading! Might take a few more hours though, as the internet connection is a bit funky today.", "For C4 always add the code via markdown to ensure it shows in the report?\nA: Yes, you should always add the code via markdown to ensure it shows in the report.", "I've either forgotten my username or something else is wrong as I am unable to Log In to code4rena. Is there any other option I can try to retrieve that information?\nA: You should make sure you're using the correct wallet or email, however you may have logged in previously. 
If you need further help, please pop into the #auth-help channel.", "When will the video be uploaded to the C4 youtube channel?\nA: The video is currently uploading and might take a few more hours.", "Why can't I log into my code4rena account and when I use the same wallet it asks me to register again?\nA: You should paste this issue into the #auth-help channel so it doesn't get lost and someone can take a look.", "Is post-judging a feedback on a \"frozen\" judgment status, or still a stage at which, in case of purely fact-based evidence, a contested but serious issue can be reopened?\nA: The chat doesn't provide an answer to this question.", "How do we submit low issues, I see QA, medium and high?\nA: Low issues should be submitted in QA only.", "How can I bind my twitter account to C4?\nA: To add your Twitter account to your profile, you can create a help desk request at https://code4rena.com/help.", "How can I submit more than one Low issue? Should I combine all in QA report?\nA: All QA findings should be in one combined report.", "I thought Low is different from QA, is that correct?\nA: No, they are the same thing. Consolidated QA reports became a thing last year so if you're looking at reports prior to that time, that would be why you're seeing them marked as Low.", "How can I bind my twitter account to C4? \nA: To add your Twitter account to your profile, you can create a help desk request and C4 will take a look at it the next week. For more information, visit https://code4rena.com/help.", "How can I submit more than one Low issue? Should I combine all in a QA report? \nA: All QA findings should be in one combined report.", "Is a Low issue different from a QA issue?\nA: No, they are the same. Consolidated QA reports became a norm last year and if you're viewing reports prior to that time, that's why you might see them marked as Low.", "I've been participating in many contests last month, reporting many gas and QA reports and followed all the rules. 
However, when the results were announced, I didn't get mentioned in any of them. What might be wrong? \nA: There could be several reasons. Your reports might be listed as automated findings and are not awarded. Or maybe they were rated as grade-c in the judgment procedure. You should wait for the reports to see what happened for those findings.", "If I have a possible vulnerability for a project, and I ask the sponsor in a private DM about it and they confirm it. Will it still count when I submit it?\nA: [No Answer]", "How long does it take to get backstage+ after submitting a request?\nA: Applications to backstage are all paused right now due to an issue with backstage. There will likely be an update about this in the next two weeks.", "I found a smart contract scanning tool that looks better than others, can it detect the price manipulation vulnerability?\nA: [No Answer]", "I'm trying to figure out calldata and memory on a low level, does this makes sense and calldata is only specific for external calls right?\nA: [No Answer]", "I've been working on several contests and didn't get mentioned in any of them. What might be wrong? \nA: There are several possibilities. Your reports could be listed as automated findings, which aren't awarded, or they could be rated as grade-c in the judging procedure. Another resource for understanding the process is the C4 judging process thread at https://twitter.com/sayan_011/status/1629011044516655104?t=DJz16iE54QkwLxkc3MrQtw&s=19. There will be also an office hour for GoGopool, which will be a good place to ask if you have participated.", "How long does it take to get backstage+ after submitting a request?\nA: Applications to backstage are all paused right now due to an issue with backstage. An update about this is expected in the next two weeks.", "Is this for C4?\nA: (No answer)", "Are the tests (nearly always) out of scope? 
If tests lack coverage of significant functionality and don't fully exercise code paths, is it reasonable to list that as a NC issue in the QA report? Or should it be left out?\nA: (No answer)", "Do the judges prefer to have line numbers in code snippets for h/m issues, or are they considered too noisy?\nA: (No answer)", "Is there an option to update the wallet for the login with wallet option (Login Addresses) as a precautionary measure?\nA: (No answer)", "If contract A inherits from contract B, and contract C inherits from contract A, can C access the internal functions of B?\nA: Yes, contract C can access the internal functions of B.", "How can I prove that my submission was not invalidated by use of chat GPT tools?\nA: If people believe you used chatGPT you must've sent something of very poor quality. It would be better to focus on improving that.", "What happens if a submitted medium report is actually of high severity? Does it count as a high severity report?\nA: It will get raised unless there's a reason to penalize it such as it being incomplete, lacking detail, or not as accurate.", "What are the recommended mitigations against unbounded loops in solidity?\nA: Check out this article as it explains the topic pretty well: https://blog.b9lab.com/getting-loopy-with-solidity-1d51794622ad", "May I DM you for a quick question?\nA: (No answer)", "Is there an ETA for the resumption of backstage applications?\nA: There is no ETA at this time.", "What are the recommended mitigations against unbounded loops in solidity?\nA: Check out this article. The topic is explained pretty well.\nhttps://blog.b9lab.com/getting-loopy-with-solidity-1d51794622ad", "Do we have any ETA for this to resume?\nA: Not at this time.", "What happens if a submitted medium report is actually high? Is it counted as a high? 
\nA: (No answer provided)", "If we submitted a High severity finding but it turned out to be only a Medium, do we lose the reward?\nA: No, you still receive rewards for a medium bug.", "If there is an external function with the transfer of ERC20 tokens without reentrancy protection, is it a valid medium finding?\nA: It will not be eligible for med/high without clear explanation of the exploit path. Without that, it is very likely to be downgraded to QA.", "What does zero day exploitable bug mean?\nA: A 0-day is an exploit that was discovered after being used 'in the wild' i.e., on production software. It's more of a traditional infosec term.", "How to check if my report submission is successful?\nA: You should get an email, you can edit your submitted findings and the company can see one issue raised by you.", "Where can I edit my submitted findings?\nA: It can be edited in the contest page -> your findings.", "Why is this line of code important?\nA: (No answer provided)", "Does 2^96-1 = 7.9e28 possibilities mean to find the same address using another PK?\nA: (No answer provided, but linked to https://bitcoin.stackexchange.com/questions/25069/can-two-private-keys-generate-the-same-public-bitcoin-address)", "Where can I edit my submitted findings?\nA: You can edit your findings on the contest page under 'your findings'.", "Why is this line of code important?\nA: The initialize function may get frontran.", "Is there any indication as to when reports are posted? For example for rabbithole protocol?\nA: [No Answer]", "Do you guys prefer TrustWallet over MetaMask or the other way around?\nA: One opinion suggests to check out web3 wallets like Zerion.", "Are the emails from CodeArena from contact@code4rena.com? or another address? 
How long has this system been up?\nA: Emails come from submissions@code423n4.com.", "What\u2019s the rule on citing similar findings from other contests to justify the severity and validity within our submission?\nA: [No Answer]", "Is anyone else encountering the same issue of being unable to submit a finding?\nA: Check the console for any errors.", "How to link twitter account in Code4Arena leaderboard?\nA: You can create a help desk request with your Twitter handle listed.", "Are there any differences in scoring grade-A QA reports? Do they all have the same score?\nA: Only the Selected For Report gets a bonus.", "How to link twitter account in code4rena leaderboard?\nA: You can create a help desk request with your Twitter handle listed.", "Are there any differences in scoring grade-A QA reports? (meaning if there are more grade-A reports, do they have the same score?)\nA: Only the Selected For Report gets a bonus.", "How to create a help desk request? Is it on Discord or the website?\nA: You can create a help desk request at https://code4rena.com/help", "Can you check the console for any errors?\nA: There are no console errors, The \"Create Issue\" button just doesn't respond.", "The \"Create Issue\" button doesn't trigger a form submission. What could be the issue?\nA: It could be a form validation issue not producing an error message.", "Are there any types of validations being done on the form other than validating they aren't empty?\nA: Recommendation is to check that code references are present and formatted properly. If that doesn\u2019t work, recommend back up the finding, clear local storage, and try again with a fresh submission.", "By code references do you mean the text in code blocks or links to some code?\nA: Code references refer to links to some code.", "Are there any types of validations being done on the form other than validating they aren't empty?\nA: Check that code references are present and formatted properly. 
If that doesn\u2019t work, back up the finding, clear local storage, and try again with a fresh submission.", "By code references, do you mean the text in code blocks or links to some code?\nA: Links, I believe.", "Will Neotokyo contest start today?\nA: No, but this week.", "How to find out who will be the judge of an ongoing contest? Specifically, I want to know about the Aragon contest judge.\nA: We don't publish that information ahead of time.", "After clearing out local storage, is there still a need for assistance in the help desk request or were you able to make the updates?\nA: (No answer)", "How to copy code from Github with the contract file name and the line numbers?\nA: (No answer)", "How to copy code from GitHub with the contract file name and the line numbers?\nA:", "Is there any rule to keep for the reporting letter?\nA:", "Is there a template for submitting issues for a contest?\nA:", "I've just submit an issue, but not sure how it values. When can I get the feedback? or any other way to guess?\nA: Generally within a couple of months once the contest has closed; when the report is published.", "When I click - your findings, what should I do?\nA: Can you try clearing your local storage?", "How do you navigate the relationship of interfaces and smart contracts? Do you usually make a diagram so you can have a better picture of the relationship between?\nA:", "How do I go about editing a submission? I don't find that option in the UI.\nA: From the contest page, you should see a Your Findings button.", "Is there any word, or a short announcement as to why backstage is disabled for the foreseeable future?\nA:", "How do you navigate the relationship of interfaces and smart contracts?\nA:", "How do I go about editing a submission? 
I don't find that option in the UI\nA: From the contest page, you should see a Your Findings button.", "Is there any word, or a short announcement as to why backstage is disabled for the foreseeable future?\nA: One individual abusing the privilege has led us to need to work toward a different model.", "Why has the backstage feature been disabled?\nA: The violation was as benign as could be, but the lack of willingness for anyone to take responsibility for it was the root of the concern.", "How will you adjust the model after the backstage feature was abused?\nA: If we had a way to know the source of the violation, it would be simpler to deal with. But the goal wasn't to exact some kind of punishment but to identify the violator and talk about it.", "Is it clear who abused the backstage feature yet?\nA: No, it's not clear yet.", "Can you provide detail on why the backstage privilege was abused?\nA: The privilege was abused by sharing information about findings for judging in progress with other wardens who did not have backstage access. This was out of bounds based on the confidentiality agreement. It was less troubling that it happened, more that no one was willing to accept responsibility.", "Do backstage wardens have access to every contest findings, or only where they have submitted any issues?\nA: Backstage wardens don\u2019t have access to every contest findings but it\u2019s broader than just where they have submitted issues.", "Does the abuse of backstage feature mean everyone's backstage has been revoked?\nA: The process and what backstage looks like is being changed but it's still in progress.", "I just submitted a help desk request, didn't receive any notifications if it is actually submitted. 
How can I confirm it?\nA:", "I have submitted findings on some contests but they were not included in the final report, how can I check why they were not considered?\nA:", "Does this mean everyone's backstage has been revoked?\nA: We\u2019re just changing the process and what it looks like. Still in progress though.", "I just submitted a help desk request. Didn't receive any notifs if it is actually submitted. Can you get back to me here on discord via DMs for followups?\nA: Your helpdesk request has been received.", "I have submitted findings on some contests but were not included in the final report. How can I check why they were not considered?\nA: You have to wait until the reports are published, usually it takes at least 1 month.", "What is the Scout awards?\nA: Scouts review code before the start of the contest to ensure it is ready for wardens.", "I'm asking about published reports. I had submitted findings on a contest but they were not included. How can I find out the reason?\nA: Open any C4 report in Github. You will find a data folder from there where you can check yours.", "What is the type of findings, if the code is different from the documentation of the project? For example, different functions, or missing something?\nA:", "Is there a way to edit a finding?\nA: Please submit a helpdesk request with all the info and the update to the finding before the contest closes.", "Do you know any news about the backstage function?\nA: Backstage is closed. There are messages from Sock above explaining. [Link here](https://discord.com/channels/810916927919620096/810931711609143326/1082437741586960485)", "My findings are not considered as valid. Is there another method how can I know about my findings' validity?\nA:", "Do you know any news about backstage function?\nA: Backstage is closed. There are messages from Sock above explaining. 
https://discord.com/channels/810916927919620096/810931711609143326/1082437741586960485", "I am asking about published reports..as I had submitted findings on the contest but they were not included...so want to know the reason.\nA: Open any C4 report in Github there you will find data folder from there you can check yours.", "Its just showing what I has submitted..not why it is not considered as a valid finding..is there another method how can I know about my findings validity??\nA: Check comments. Some judges do give feedback some just close the issue (due to various reasons).", "I just tried to open the ticket but what I want to send exceed the character count. Have you tried editing your submission?\nA: Hi there. Have you tried editing your submission?", "I was told to send the whole thing via ticket, no I did not see an option to edit my submission for the QA report. Can you confirm you received my help ticket with the entire QA report for Ethos Reserve?\nA: Hi, yes. We have the request. We invite you to edit first and then if you face a challenge, we can assist. To edit, you can go to the contest page and click the Your Findings button. https://code4rena.com/contests/2023-02-ethos-reserve-contest", "What's the QA report looks like? Any template?\nA: No answer provided.", "How can I improve my skills as a warden? Is there a way to check issues from other wardens immediately after contest closed?\nA: Yes, this is something we're aware of -- and sympathetic to. Actively working on some ways we can address this.", "What kind of problems should a bug cause to be a medium? I ask this because I've seen bugs that can cause fund loss and they are high and at the same time seen another one that is medium in reports.\nA: You can find the criteria here https://code4rena.com/judging-criteria/", "Is there another method how can I know about my findings validity?\nA: Check comments. 
Some judges do give feedback and some just close the issue due to various reasons.", "What kind of problems should a bug cause to be a medium severity? \nA: This information was not provided in the chat.", "Is there any link that explains the different severity levels of bugs?\nA: You can find the criteria here [https://code4rena.com/judging-criteria/](https://code4rena.com/judging-criteria/)", "I can not create an issue, what should I do?\nA: Make sure the links to code fields are correct and if that doesn't work, back up the finding and clear localStorage then start again with a fresh submission.", "Are there any specific browser requirements for creating an issue?\nA: The browser being used might impact the functionality of the platform, trying an alternate browser could resolve the issue.", "Has the paraspace report been posted yet?\nA: This information was not provided in the chat.", "If I submit a high or medium finding that doesn't work as expected, is it better to withdraw it or modify it when I find another totally different issue?\nA: This information was not provided in the chat.", "In case of two wardens submitted the same issues, is there any difference for the one who submitted first?\nA: This information was not provided in the chat.", "I'm trying to find paraspace report. Not posted yet?\nA:", "Supposing that you submit a H/M finding that doesn't work as expected, is it better to withdraw it or modify it when/if you find another totally different issue?\nA:", "In case of two wardens submitted the same issues, is there any difference for first submit?\nA: No, only the best get's a bonus and it's not a matter of who sends it first.", "Do you mean that the detailed and clear description will get better value?\nA: Yes, highest quality (goes in the report) get's a bonus. Lower quality may receive lower % of the same cut.", "Is it possible to include an image in a report?\nA: You can run a relevant search, e.g. 
\"image\", and look for a suitable answer.", "Hello, Is there a way to remove a finding submission? I submitted something by mistake.\nA: There should be a remove finding button somewhere when you hit edit. It should still be there.", "Are there any standards about how to get the certified and leaderboard identity in this server?\nA:", "What\u2019s the rule on citing similar findings from other contest to justify the severity and validity within our submission?\nA:", "Is there a way to remove a finding submission? I submitted something by mistake.\nA: There should be a remove finding button somewhere when you hit edit.", "Are there any standards about how to get the certified and leaderboard identity in this server?\nA:", "What\u2019s the rule on citing similar findings from other contest to justify the severity and validity within our submission?\nA: It's acceptable to cite similar findings, but keep in mind judges will consider the entire context and judge accordingly.", "If you find multiple instances of a medium vulnerability, do you report it as one issue or multiple?\nA: You should report it as one issue.", "I would really like to share something but I would like to know if it abides by the community rules. Who should I ask?\nA:", "I hope to participate in PolynomialFi contest but I am not a certified warden. If I form a team with a certified warden, is it possible to participate?\nA: You would still need to be certified. You can begin the certification process within 48 hrs of the contest and upon completion, be awarded, if you are eligible for an amount.", "Where can I start the certification process?\nA: You can start the certification process by reading this doc: https://docs.code4rena.com/roles/certified-contributors", "In the Leaderboard file, there are only contest numbers. How can I find out what number corresponds to what contest?\nA:", "Is it possible to add screenshots in submissions? If yes, how?\nA: Yes, you can add screenshots in submissions. 
Here is the link to do so: https://discord.com/channels/810916927919620096/810931711609143326/1083239106223546420", "I submitted a third finding for the wenwin audit contest but I never received an email. Who do I reach out to?\nA: You can open a help desk request and they can take a look for you. Here is the link: https://code4rena.com/help/", "Is it possible to add screenshots in submissions? If yes, how?\nA: [Link provided] https://discord.com/channels/810916927919620096/810931711609143326/1083239106223546420", "I submitted a third finding for the wenwin audit contest but I never received an email. Who do I reach out to?\nA: You can open a help desk request and we can take a look for you. [Link provided] https://code4rena.com/help/", "My CPU usage hits 90%+ whenever I open the landing page on Chrome. On Firefox / Brave it works fine. Why is this happening?\nA: [No answer provided]", "How are reports sorted on the Code4Arena website?\nA: Reports are sorted by publication date. Sort/filter options are currently being developed.", "Should I jump in competition or should I complete CTFs and audit reports first?\nA: Plenty of people just jump in. There's no need to complete CTFs and audit reports first.", "What do you need to do to become a certified warden?\nA: You can find information on becoming a certified warden at this link: https://docs.code4rena.com/roles/certified-contributors", "What's the average response time after you submitted the application to become a certified warden?\nA: [No answer provided]", "How do I improve the quality/relevance of my submissions in order to be considered in future contests? Is there any way I can see what I submitted for the contest and compare?\nA: You can click the name of the Gas Optimization Report that is chosen, and you can see the github issue corresponding to this person's original version submission. You can learn from it how to write a high-quality gas optimization report. 
Also, you can search GAS tag in the issues to see your report and others.", "What do you need to do to become a certified warden?\nA: Here's info on becoming certified. [Link](https://docs.code4rena.com/roles/certified-contributors).", "What's the average response time after you submit?\nA: [No Answer]", "How do I learn from this and improve the quality/relevance in order for them to be considered in future contests? Is there any way I can see what I submitted for the contest and compare?\nA: You can click the name of the Gas Optimization Report that is chosen, and you can see the GitHub issue corresponding to the original version submission. Maybe you can learn from it how to write a high-quality gas optimization report. Also you can search GAS tag in the issues to see your report and others.", "What happens in a contest if no high risk or medium risk issues are found, does the entire rewards move down to QA?\nA: Yes, all rewards move down to QA in such a scenario.", "Has there ever been a contest with no high risk or medium risk issues found in the history of CodeArena?\nA: There is a recollection that it may have happened once.", "How to change the team name if possible?\nA: You'd have to create an entirely new team and it wouldn't retain any leaderboard positioning.", "What is the minimum requirement a PC should have so it can be used for auditing DeFi protocols?\nA: If you can run Discord on it, you're going to be just fine. However, fuzzing can benefit from a faster computer. 
But in terms of \u201cminimum\u201d you're just gonna fuzz slower on an old PC.", "What is the minimum requirement a PC should have so it can be used for auditing DeFi protocols?\nA: If you can run Discord on it, it should be just fine for auditing DeFi protocols.", "Can I buy the cheapest PC for auditing DeFi protocols?\nA: Yes, there's nothing that a 10 year old PC couldn't handle, although certain tasks like fuzzing can benefit from a faster computer and would run slower on an older PC.", "We have foundry, does that affect the PC requirements?\nA: Foundry is an app that can benefit from a faster computer by trying combinations more quickly than on a slower processor.", "Can people build zksync era contest on an old PC?\nA: It might be difficult due to the required patience considering the slower performance of older PCs.", "I have a 9 year old i3 with 2 cores, should I upgrade it?\nA: It's up to personal preference. An upgrade to ryzen 5700g or 7600x might speed up tasks.", "Do you need to begin the certification process 48h before the contest starts?\nA: The answer is not provided in the chat.", "In QA reports, what is the order of importance, and are there any other sub-categories to include?\nA: The answer is not provided in the chat.", "How much is the average payout for gas optimizations, non critical findings and low risk findings?\nA: You can get that information via findings.csv file in CodeArena's website repo.", "What happens in a contest where only one high and only one medium are found? Since the rewards are for HighMedium, is the reward split into 2 simply? 
Should there be a bigger reward for the high?\nA: The answer is not provided in the chat.", "How to modify the submitted findings?\nA: The answer is not provided in the chat.", "How much is average payout for gas optimizations, non critical findings and low risk findings?\nA: You can get that info via findings.csv file in C4's website repo.", "Can you send me the link to findings.csv file?\nA: https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv", "What happens in a contest where only one High and only one Medium are found? Since the rewards are for HighMedium, is the reward simply split into two? In theory, shouldn't there be a bigger reward for the high one?\nA: https://docs.code4rena.com/awarding/incentive-model-and-awards", "How do I modify the submitted findings?\nA: In the contest page there is a \"your findings\" button. You can modify there.", "How to get those scout rewards?\nA:", "Is there any available list for the fee on transfer/rebasing tokens?\nA:", "In case there is an issue that occurs in 2 places of the code that are not related to each other but are in the same contract, is this one issue or two? The meaning of the problem is the same.\nA: 2 issues I guess.", "Where are the rewards amount coming from, purely the sponsor?\nA:", "If you can call a function eg getSomeValue(uint256 objectId); and objectId has to be within a range eg 10-20, else the object doesn't exist. It's not checked if the input is within the allowed range in the function (getSomeValue), and you can send in eg 21 and it reverts, is that considered a bug, and if so is it informational, NC, LOW?\nA:", "I'm expecting to receive some rewards on my first contest, so wondering how do you guys get your USDC rewards over coinbase? How do you convert them to BTC if possible?\nA:", "What happens if nobody finds H/M issues in one contest?\nA: It's divided based on QA.", "How can I access the Polynomial project? 
I am certified but cannot access it.\nA:", "If you can call a function eg getSomeValue(uint256 objectId); and objectid has to be within a range eg 10-20, else the object doesn't exist. Its not checked if the the input is within the allowed range in the function (getSomeValue), and you can send in eg 21 and it reverts, is that considered a bug, and if so is it informational,NC,LOW?\nA:", "How do you guys get your USDC rewards over coinbase? How do you convert them to BTC if possible?\nA:", "What happens if nobody finds H/M issues in one contest?\nA: It gets divided based on QA.", "How can I access the Polynomial project? I am certified but cannot access it.\nA: Can you please try again now? You will still see the Contest details are not available message when you go to the contest page, but, as a certified warden, the View Repo and Submit Findings buttons should work for you.", "Submut findings is working, but view Repot still gives me a 404, what do I do?\nA: Check if your gitHub is logged in (the same account which you have given for C4). It should work.", "I want to create a team but when I want select members a black page opens, I tried with different browsers. What do I do?\nA:", "How to use this kind of button format in submit findings?\nA: Some contests (such as Polynomial) are only open to wardens who are certified, so the buttons would only show for them on those contests. More info here about how to become certified, if you're interested for future contests: https://docs.code4rena.com/roles/certified-contributors", "What does lookout do?\nA: They pre-sort the repo and provide a summary doc to the sponsor.", "Is the lookout application window open now?\nA: We'll announce that here in Discord, but you're welcome to submit an application anytime. 
It's more that we ask the reviewers to review the applications every few weeks during a specific window.", "How can I change uploaded gas report?\nA:", "How to use this kind of button format in submit findings?\nA: Some contests, such as Polynomial, are only open to wardens who are certified, so the buttons would only show for them on those contests. More info here about how to become certified, if you're interested for future contests: https://docs.code4rena.com/roles/certified-contributors", "Is the lookout application window open now?\nA: We'll announce that here in Discord, but you're welcome to submit an application anytime. It's more that we ask the reviewers to review the applications every few weeks during a specific window.", "How can I change uploaded gas report?\nA: You can change it from the contest details page under your findings.", "What is the tool used in reports that shows the code snippet with lines numbers on the left?\nA: Not answered in the chat.", "Is it allowed to use arbitrary tools for PoC? Or must I use the framework which the contest project is set up with?\nA: A coded POC of any sort is much better than none at all! The chat did not specify if a specific framework was necessary.", "How can I become a certified warden and participate in the Polynomial Protocol contest?\nA: You can find information on how to become a certified contributor here: https://docs.code4rena.com/roles/certified-contributors", "Can I participate in KUMA Protocol - Versus Mitigation contest?\nA: The MIT review is limited to those who participated in the original contest.", "Why is the \"Versus\" word used in KUMA Protocol - Versus Mitigation contest?\nA: The versus just means a small invite contest. 
Some are mitigation reviews, some are just regular contests with 5 wardens.", "Does anyone here have some good resources to share or any advice on what's the most optimal way to learn in between the contests?\nA: Not answered in the chat.", "Can I participate in KUMA Protocol - Versus Mitigation contest?\nA: The MIT review is limited to those who participated in the original contest.", "Why the \"Versus\" word in the name convention like \"KUMA Protocol - Versus Mitigation\"?\nA: The versus just means a small invite contest. Some are mitigation reviews, some are just regular contests with 5 wardens.", "Does anyone here have some good resources to share or any advice on what's the most optimal way to learn in between the contests?\nA:", "How much it takes to mark a warden as certified, I was approved yesterday, but still don't have rsvp-certified?\nA: It took about 2 weeks since the kyc firm approved via email and it was reflected in discord.", "Is there a way to download all the smart contracts being deployed at a specific address that we can see using etherscan.io?\nA:", "If I've created an alter account and submitted the same issue from both of my accounts wouldn't I get a greater amount of share?\nA: Less. It's a sybil protection.", "If the code doesn't check the 0 address that can receive funds later, is it a middle-level vulnerability?\nA: It\u2019s because it cannot be unfixed on the initializer.", "Does Arena token exist? If not, what happened to him? And is a new token planned?\nA: The token exists. It just doesn\u2019t have the kind of volume that gets it listed on CoinGecko.", "How does C4 handle duplicate submissions? Do earlier submittals take precedence?\nA: The more of a specific finding during the period submissions are open, the less that finding is worth.", "What tools do you use for audits? 
Do you prefer Hardhat/Truffle or Foundry?\nA:", "What are the \"bug\", \"grade-c\", and \"unsatisfactory\" labels on my issue about?\nA: These labels indicate issues which are not eligible for rewards.", "How does C4 handle duplicate submissions? Due earlier submittals take precedence?\nA: The more of a specific finding during the period submissions are open, the less that finding is worth.", "What tools do you use for audits? You prefer Hardhat/Truffle or Foundry? \nA: [No answer provided]", "What are the \"bug\", \"grade-c\", and \"unsatisfactory\" labels on my issue about?\nA: These labels refer to issues that are not eligible for rewards.", "Where can I find more info about the warden-application-reviewers role? What are the requirements and how can you apply?\nA: We will get some documentation together on that.", "Was the video from the latest office hour recorded and will it be uploaded to the youtube channel?\nA: Yes, it will indeed.", "How come there are no upcoming competitions? Has this happened before?\nA: Yes, it ebbs and flows. The team is talking with several folks right now about upcoming audits.", "What is the flow when the wardens missed an issue, this issue was found by the judge at the time of judging or other wardens after the contest, How will the flow proceed?\nA: [No answer provided]", "How can I connect my wallet to my account for submitting findings?\nA: There's a login wallet and there's a payment wallet. The login wallet you probably set up when you created the account. The payment wallet can be updated in your profile.", "Do I need to login with a wallet to participate in contests?\nA: No, if you're logged in, you're good on that front. 
Just make sure to add your payment wallet so all your rewards can be given to you.", "What are the best contests for seeing multiple designs and best security practices for completing contracts for a staking platform?\nA: [No answer provided]", "Is login with wallet required to participate in contests?\nA: No, if you're logged in, you're good on that front. Just make sure to add your payment wallet so all your riches can be given to you.", "What are the best contests you can introduce me in this field, so I can see multiple designs and best security practices?\nA: (No answer provided in the chat)", "Was the office hour video recorded and will it be uploaded to the youtube channel?\nA: Yes, the link was shared in the announcements.", "I was trying to run the picode 4naly3er today without much luck. Has anyone got that work globally? / be willing to help me get it setup properly?\nA: If you're getting an error about missing files, you need a remappings.txt in the project you are running it against.", "Can I use hardhat for testing instead of foundry?\nA: (No answer provided in the chat)", "I can't see any live contest. Is that a website issue?\nA: It's just a gap in the schedule. New ones will be announced soon.", "How do I see my submission on any completed challenge?\nA: You can see your submissions at the concerned GitHub repo once the contest report is published.", "How can I associate my twitter handle in my C4 profile?\nA: Send us a helpdesk request and we'll have a look.", "Has anyone encountered this with Slither? No matter the python version it keeps on failing.\nA: (No answer provided in the chat)", "Where will I get notified whenever a new contest starts? Only on discord?\nA: The website will list any new contests, the #\u270brsvp will alert you to a contest beginning soon and the discord channel for the contest will be set up ahead of the contest launch.", "I don't see Contest 225 on the website. My certification completed 3 days ago, confirmed by email. 
What should I do?\nA: Contest 225 will be up by tomorrow. It's not a 'you' issue.", "Has anyone encountered this with Slither? No matter the python version it keeps on failing. \nA:", "Where will I get notified whenever a new contest starts? Only on discord? \nA: The website will list any new contests, the #\u270brsvp will alert you to a contest beginning soon and the discord channel for the contest will be set up ahead of the contest launch.", "I don't see Contest 225 on the website. My certification completed 3 days ago, confirmed by email. What should I do?\nA: Contest 225 will be up by tomorrow. It's not a 'you' issue.", "If a contests starts for a project that also has the same code on immunefi, what is stopping someone, that finds a bug in the C4 contest to also submit it in the immunefi project and gain 2 rewards for the same issue (or vice-versa)?\nA: You can refer to the submission policy on the official CodeArena documentation https://docs.code4rena.com/roles/wardens/submission-policy#findings-in-parent-of-forked-projects", "Does anyone else encounter this issue?\nA:", "Maybe it has to do with the opcode support in foundry. Does this happen every time or just sometimes?\nA: It happens every time.", "I changed the network in the metamask to polygon mainnet and then copy and public key from my account and paste in code4rena. 
Did I do the things correctly?\nA:", "What does it mean when a submission is marked as \"marked the issue as primary issue\"?\nA: It\u2019s used to cluster duplicates around an issue.", "How does one get the \"leaderboard\" discord role?\nA: Once you earn some reward and appear on the leaderboards.", "I did earn rewards and appear on the leaderboard, do I need to make a helpdesk ticket?\nA:", "What does it mean when a submission is marked as \"marked the issue as primary issue\"?\nA: It\u2019s used to cluster duplicates around an issue.", "How does one get the \"leaderboard\" discord role?\nA: Once you earn some reward and appear on the leaderboards, you should get the \"leaderboard\" discord role. If not, you may need to make a helpdesk ticket.", "If I'm registered as a warden, do I have a wallet attached to my user? I'd like to change it.\nA: You should refer to our FAQs to answer this question. However, if you don't find what you're looking for, please submit a help request and our team can take a look. [https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting](https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting)", "Which of the ways of showing the places of vulnerability is better? 1) When we provide a URL to the repository with a line inner in text like this [https://github.com/code-423n4/...#L50-L58](https://github.com/code-423n4/...#L50-L58) 2) When we provide a solidity code block?\nA: Providing both the URL to the repository and the solidity code block is suggested. This way you don't need to think about it.", "If Two very different issues can be resolved By fixing the same one thing. Is it considered two issues or one?\nA: If the root cause is the same, they would be considered as one. However, if fixing the root cause doesn't resolve both issues, they can be considered separate.", "What if, by fixing the root cause, without considering both issues will still lead to one of them being active. 
Would this case not be acceptable for 2 issues?\nA: If both issues are known as having the same root cause, the mitigation review would include to have both resolved.", "If two very different issues can be resolved by fixing the same one thing, is it considered two issues or one?\nA: If the root cause is the same, they would be considered as one.", "What if, by fixing the root cause, without considering both issues will still lead to one of them being active?\nA: If both issues are known as having the same root cause, the mitigation review would include to have both resolved.", "Which of the ways of showing the places of vulnerability is better? Providing a URL to the repository with a line inner in text like this https://github.com/code-423n4/...#L50-L58 or providing a solidity code block contracts/Staking.sol?\nA: It would be better if you include both.", "If a mapping (example mapping(address => ) growth to a such size, could this cause some impact in the EVM execution?\nA: No, a mapping is a hashmap, it has a constant complexity of O(1) meaning whatever its size, there is no performance overhead.", "Numbered lists in valid markdown are not showing the numbers in the preview tab. is this normal?\nA: It's a known issue and the team has a commit to fix it.", "Is it just a submission UI issue, or will the judges who read the report also cannot see the numbers?\nA: It's a UI issue. The numbers are visible when submitted.", "Where can I look for guidance on how to determine the risk (high, low, QA) of the issues I'm finding?\nA:", "Is there a concrete threshold for \"marginal\" gas savings? 
I've seen gas optimizations not accepted for this reason but don't want to assume the threshold.\nA:", "Would both the issues of a price got by latestRoundData not being checked for stale values and it not being checked for the answer in the same roundid issue go as 1 issue if missing oracle validations?\nA: Getting price through an oracle requires all the necessary steps to be implemented in the same transaction. If you include both points as one issue with a detailed demonstration, you can have the primary issue. Other wardens, who did not include both points in one submission could have the rational duplicate of the issue. A judge can conclude this better.", "Could we add the question \"If two very different issues can be resolved by fixing the same one thing, is it considered two issues or one?\" in the FAQ? I saw it was asked multiple times and it is often unclear for new wardens.\nA:", "Do you know if its just a submission UI issue, or will the judges who read the report also cannot see the numbers?\nA: It's a UI issue. The numbers are visible when submitted.", "Where can I look for guidance on how to determine the risk (high,low,qa) of the issues I'm finding?\nA:", "Is there a concrete threshold for \"marginal\" gas savings?\nA:", "Could somebody please provide clarification on if a lack of constraint on admin 'setter' functions for state variables constitutes as a medium finding?\nA: Usually, it's low.", "Is it ok to ask questions here about findings of past projects (audit report is already released in public)?\nA:", "How can I take part in private competitive audits?\nA:", "What kind of laptop is needed for auditing a smart contract?\nA:", "How can I get certified role?\nA: There are more details about the process and the application here: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints", "If a state variable's change can result in reverting in other functions, but that's only accessible by owner. 
Should this then be a QA or a med?\nA:", "How long does it usually take to certify a warden after the provenance verification process is completed?\nA: Your application is in my queue - you'll hear in a bit.", "Are there other conditions certified wardens need to meet to attend private audit?\nA:", "What is the process of becoming a certified warden?\nA:", "How to categorize the severity if a state variable's change can result in reverting in other functions that's only accessible by owner?\nA:", "How long does it usually take to certify a warden after the provenance verification process is completed?\nA: Your application is in queue - you'll hear in a bit.", "Are there other conditions certified wardens need to meet to attend private audit?\nA: Responded via direct message.", "What is the process of becoming a certified warden?\nA: There are more details about the process and the application [here](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints).", "Is getting certified allows you to participate in private contests?\nA: Yes, to a point. 
Versus contests are invitational and opportunities go to wardens by their rank in either specific contests or during a recent window.", "Are the invitational or opportunities contest displayed in the code4rena website?\nA:", "Do certified contests (like the upcoming 225) impact the C4 leaderboard rank?\nA: Yes, certified contest results do indeed get added to the leaderboard.", "For the 225 contest do you need to be just a certified warden or you also need to rank on the top to participate?\nA: Only certified.", "Are there any job openings in Asian countries?\nA:", "For the 225 contest do you need to be just a certified warden or you need also to rank on the top to participate?\nA: Only certified warden is needed.", "Are the certified contest results added to the leaderboard?\nA: Yes, certified contest results do indeed get added to the leaderboard.", "Are there any job openings in Asian countries?\nA: The company definitely needs to hire for time zone coverage but no specific job openings were mentioned.", "What is the requirement for versus audits?\nA: Wardens must be certified. Opportunities are posted for RSVP, and RSVP is usually assigned based on leaderboard ranking.", "When do you get a leaderboard role in discord? What are the requirements? Also, when can one get a finding re-evaluated?\nA: It seems that leaderboard role is assigned based on some criteria, but the exact requirements are not mentioned. 
No clear answer was given for when a finding can be re-evaluated.", "Will +backstage role applications be reopened soon?\nA: New backstage applications are paused for now.", "Can someone apply for lookout role using findings that don't have reports out yet?\nA: Yes, findings that do not have reports out yet can be used to apply for the lookout role.", "Can we access our issues and comment there while they are being judged?\nA: Wardens who had backstage access had the opportunity to see the submissions and provide factual comments at the pre-judging state, but it's not a continued practice anymore. You can access all the issues, including yours, once the repo is made public.", "If submitting an issue would involve various lines changed, how do I submit it? Do I send a git patch, or a PR to the repo?\nA: (No answer provided)", "When can someone speak with the judge to re-evaluate a finding?\nA: (No answer provided)", "Can someone apply for lookout role using findings that don't have reports out yet?\nA: Yes, they can.", "In the reports, I see sometimes comments from the wardens, apparently made in the judging process. Can we access our issues and comment there while are being judged?\nA: Wardens who have backstage access had the opportunity to see the submissions and provide factual comments at the pre-judging state, but it's not a continued practice anymore. You can access all the issues, including yours, once the repo is made public.", "If submitting an issue would involve various lines changed, how do I submit it? Do I send a git patch, or a PR to the repo?\nA: (No Answer)", "So when can someone speak with the judge to re-evaluate a finding? \nA: As of now, there is no re-evaluation process.", "How long does it usually take before we can see the results of submission after the award is announced?\nA: It can take up to 2-6 weeks or more. 
The exact duration depends on when the report is published.", "Should I explain the vulnerability in the Impact section or the Proof of Concept section?\nA: In the Impact section, explain the vulnerability and how it impacts the protocol or code. In the Proof of Concept section, add the lines from the code or github, or add a test which is written as an exploit.", "What tool is used here to get a code snippet with line numbers?\nA: It's a VS Code extension called \"Copy With Line Numbers\".", "For QA report, will there only be one top winner? Or it's more like how many scores you got?\nA: (No Answer)", "Are all \u201cCentralization Risks\u201d considered invalid?\nA: (No Answer)", "Are there cases where a centralization risk is valid like when the centralization does not match the protocol's claims or guarantees in their docs or marketing material, or the centralization is not the usual \"bad admin\" issue and poses a threat to all types of users of the protocol and the protocol itself?\nA: Not all issues related to ownership are \"Centralization Risks\", especially if they come from another source. 
If you feel that the issue should be flagged then report it stating all your reasons and let the judge make the final call on it.", "Are all \u201cCentralization Risks\u201d considered invalid?\nA: Not all issues related to owner are \"Centralization Risks\".", "Are there cases where a centralization risk is valid like when the centralization does not match the protocol's claims/guarantees in their docs and/or marketing material, the centralization is not the usual \"bad admin\" issue and it poses a threat to all types of users of the protocol and the protocol itself, or when it is not listed as a known issue?\nA: If you feel that the issue should be flagged then report it stating all your reasons and let the judge make the final call on it.", "Will I still be able to give my inputs on a particular issue prior to results being finalized for a contest even without backstage role? Does sharing my view here count?\nA: You can share your reasons in the report itself. Besides the backstage access there is no way of providing additional context on your reported issues.", "When can someone speak with the judge to re-evaluate a finding?\nA: Only if you had the backstage access during post-judging with factual comments.", "Will you get feedback on your submissions? Even the ones that were denied?\nA: Directly to you? No. Maybe later on you can check Github repo for the same if that report is made public.", "What are Mitigation review and Lookout awards?\nA:", "Is there any chance that my submitted Medium could be upgraded to High risk? I accidentally passed it as a medium wherein the issue can lose funds which should be considered as high risk.\nA: If this is for a contest that is still open, you can make that edit to your finding.", "Why is my username on the leaderboard not linked with my Twitter account like other wardens? I've added my Twitter id to my account. 
What do I have to do to get this feature?\nA: You need to complete a help desk request so that your Twitter handle can be added.", "Can an issue be reviewed by the judges if it's explained in detail while submitting?\nA: It depends on the judges, but as an example, for Caviar, someone reported potential reentrancy, but without any actual vulnerability, and it was marked as low.", "Why is my username on the leaderboard not linked with my Twitter account like others, even though I've added my Twitter id to my account?\nA: The Twitter handle might not be associated with your C4 handle. It is suggested to complete a help desk request to have that added.", "Is discussing our finding publicly with other warden allowed or discouraged?\nA: Specific findings should not be discussed until the report has been posted for the contest in question.", "How can I edit my submitted findings?\nA: You should be able to navigate to the contest page and find the 'your finding' button. If that is not displayed for you, you can stay abreast of the situation in the relevant chat channels as the dev team is currently looking into it.", "I registered an account and tried to login after a few days. The system showed me logged in but my wallet does not appear as connected. Also, my discord nickname does not match the nickname on the site. Could this lead to a ban me for having two accounts for one mail and discord?\nA: The problem likely arises from the website's registration mode which is limited due to initial architecture choices. 
The issue is currently being addressed by the team.", "I made two accounts for one mail and discord, how should I handle this problem?\nA: No specific solution provided.", "How do I handle negative feedback about the system's structure?\nA: The feedback, whether good or bad, should be accepted and used as a tool for improvement.", "I registered an account, I try to log after a couple of days later, I click login, I entered successfully, but in the right corner when I open the menu shows that I did not make a login, the wallet does not appear as connected, I tried to make a new account again, now my discord nickname does not match the nickname on the site. The first time was the same. It turns out I made two accounts for one mail and discord, and now you're going to ban me, right? ahaha because you will think that I am doing an abuzz. In general, guys, you have raised money for investments, you are making a cool product, but you can't make a normal registration on your website and a normal wallet connection module?\nA: This issue arose due to some original architecture choices. It's being handled by a team of more proficient developers who are improving on the initial setup.", "What's your C4 username?\nA: AlexGaspar", "So I see two records for you, one for AlexGaspar and the other for akellabit. Are you saying that you want to now go with AlexGaspar as your C4 username?\nA: Yes.", "Are you able to DM right now so I can better understand why you are unable to login?\nA: No answer provided.", "How many days does it take to become certified after filling up forms?\nA: Approximately 2-3 weeks, however, much depends on how quickly you can supply the necessary documents to the KYC provider; it can move more quickly if your paperwork is in order.", "Can I DM you please?\nA: Friend request sent.", "I checked your site, and there are utility bills that they don't accept as proof, maybe I will just work on other bills. 
What other documents are acceptable?\nA: Start the application process and then ask Provenance directly what they need. The info in C4's docs is only meant as a guideline; Provenance is a separate entity and they have more detailed information than we do.", "This DM is a phishing scam, right? The supposed Cod4rena account that sent it was just created in Sept, 2022 and the link for buying ARENA tokens goes to a sketchy sounding url: invst.icu.\nA: Yes, that appears to be a phishing scam. There have been numerous scam accounts joining recently.", "How many days does it take to become certified after filling up forms?\nA: A lot depends on how quickly you can supply the necessary documents to the KYC provider; it can move more quickly if your paperwork is in order.", "Are there utility bills that the KYC provider doesn't accept as proof?\nA: Yes, there are certain utility bills that are not accepted. It's recommended to start the application process and ask the KYC provider directly for what they need. The information provided by C4 is only meant as a guideline.", "Is the DM regarding ARENA tokens a phishing scam?\nA: Yes, there have been scam accounts joining and sending out phishing attempts.", "Has anyone used https://captcha.bot/ or is there something similar that they recommend?\nA: It's not bad but there's also a scam where they send you the wrong link and the site looks like this one.", "Does C4 work on weekends? Do I need to keep an eye on the Discord for waiting for the result on the weekend?\nA: C4 is not typically staffed on weekends, so it's probably okay to take a break yourself.", "How are the winners decided in a contest?\nA: (No Answer)", "What are some good resources to study Geth node? What are some good resources to study Web2 security in the context of Web3?\nA: (No Answer)", "Are there automated reports uploaded after starting contests reporting gas optimizations? 
Would it be considered a bug if a warden reports it under 1 hour?\nA: Yes, there are automated reports for gas optimizations. If a warden reports it under 1 hour, it wouldn't be considered as a bug.", "Can every certified warden join a private auditing contest? Or is it just for people who are on the leaderboard?\nA: (No Answer)", "How do you guys use gas reports?\nA: (No Answer)", "Can this method for creating an image link be pinned to the channel?\nA: (No Answer)", "Are automated reports uploaded after starting contests reporting gas optimizations? If a warden reports it under 1 hour, would it not be considered as a bug? \nA: Yes, that's correct. The goal is to save everyone's time.", "Could every certified warden join private auditing contest? Or just people who are in the leaderboard?\nA: There is no clear answer given.", "How is gas reports used? \nA: There is no clear answer given.", "For lack of an official solution, can this method of uploading images be pinned to the channel? \nA: There is no clear answer given.", "How can one see the payout for vulnerability issues? \nA: You can check the wallet address with which you registered, use polygonscan.com or wallet trackers like debank.com.", "Where can one see how much they pay for each bug in a contest? Is there a list somewhere? \nA: You can see each past contest\u2019s awards at https://code4rena.com/contests/2023-01-numoen-contest. For a detailed list, you can find the reward for each warden for each bug per contest at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.", "Is the contest going to be public or private? \nA: It's a versus (participation of 3-5 wardens) and is for certified wardens.", "How does one become a certified warden? \nA: You can read more about becoming certified here: https://docs.code4rena.com/roles/certified-contributors.", "Is there a decent cross-chain dex between Polygon and Ethereum? 
\nA: There is no clear answer given.", "Is this contest going to be public or private?\nA: It's a versus (participation of 3-5 wardens) and is for certified wardens.", "How does one become a certified warden?\nA: You can read more about becoming certified here: https://docs.code4rena.com/roles/certified-contributors", "Is there a decent cross-chain dex between polygon and ethereum?\nA: Third party bridge such as wormhold or celer can be used.", "I can not log in to code4rena any more. I need help?\nA: Assistance is being provided (no further details specified).", "How can I change my wallet address?\nA: You can change your payment wallet within your profile. For login, you can switch to using a username and password.", "Any help on participating in private audits?\nA: No answer provided.", "How to become certified to participate in private audits?\nA: You can read up on it here: https://docs.code4rena.com/roles/certified-contributors", "Can I open discussion, if I don't agree with the judge about my issue, for example, it was rejected. Can I escalate it? If yes, when?\nA: No answer provided.", "I am newly joined warden and I would like to join private content. I read the post and want to verify. How can I do that?\nA: Follow this link for verification: https://discord.com/channels/810916927919620096/810931711609143326/1092556195337863309.", "Can I open a discussion, if I don't agree with the judge about my issue, for example, it was rejected. Can I escalate it? If yes, when?\nA:", "I am a newly joined warden and I would like to join private content. How can I verify?\nA: You can verify by visiting this link: https://discord.com/channels/810916927919620096/810931711609143326/1092556195337863309", "Is the function callA(Aang a) equivalent to payable(a)?\nA: Yes, it's the equivalent of payable(a).", "I have received confirmation that I successfully passed KYC yesterday. I'm still not able to join private contests though. 
Are any further steps required on my end?\nA: Just wait for the C4 team to confirm that proof and add certified role to your discord. Once we are updated on the certified status from Provenance, we generally have it updated within 5 business days.", "Will the Rubicon contest be open for everybody?\nA:", "If I noticed there are not enough decimals, should I report it?\nA: Yes, you should report this as a High in the code4arena contract.", "Is a certified contributor obliged to apply to every contest?\nA: No, you can still choose to join any content you want as before. Certified will grant your access to more contest.", "How long does it take for the C4 team to confirm the proof and add a certified role to your discord?\nA: It usually takes 2 days since Provenance approved. However, once we are updated on the certified status from Provenance, we generally have it updated within 5 business days.", "Any idea how long it takes for the C4 team to confirm that proof and add certified role to your discord?\nA: It generally takes 2 days once Provenance approves. Once updated on the certified status from Provenance, it is generally updated within 5 business days.", "After completing the kyc process, which next steps have to be done for getting a 'certified' role?\nA: Please follow this link for guidance: https://discord.com/channels/810916927919620096/810931711609143326/1092758105646960711", "How to get a leaderboard role?\nA:", "After Bot Races, will the winner bot code be public?\nA: No, just their report will be public.", "After getting the certified role, what is the next step to access private repo such as Party Protocol - Versus contest?\nA: You should now be able to access the certified contests when they come up. 
Versus contests are competitive access, for a limit of 5-8 of the highest performing wardens who RSVP- so watch for opportunities.", "How can I change my logo on the leaderboard?\nA: Send a helpdesk request with a link to your logo and we can make the change for you.", "Can I change my C4 id?\nA: You'll need to re-register. Your leaderboard status would not follow though.", "How can I change my logo on the leaderboard?\nA: Send us a helpdesk request with a link to your logo and we can make the change for you.", "Can I change my C4 id?\nA: You'll need to re-register. Your leaderboard status would not follow though.", "What kind of findings should bots include in their reports? High / medium / low / non-critical / gas?\nA: Probably everything, but it would be surprising if a bot can find high/medium issues.", "How is it going to affect the current H/M, QA, and G categories?\nA: No answer provided.", "Will the findings listed in the best bot-generated report be out of that contest\u2019s scope like it is with the current \u201cAutomated Findings\u201d?\nA: Yes.", "What about findings in other (non-best) bot-generated reports (that remain unpublished)? Let\u2019s say a warden has submitted a bot-generated report that includes a particular medium severity vulnerability, and his/her report wasn\u2019t the best one so it remained unpublished. The warden was rewarded for that report as part of the bot race, but will he/she be able to submit this vulnerability again as an individual medium severity vulnerability, and receive another reward for it?\nA: Still eligible for them to submit it!", "Do I need to submit proof of concept for gas reports? or do I need to show forge snapshot?\nA: No answer provided.", "Is there a way to check for opcode usage on-chain? (to forbid contracts using them)\nA: No answer provided.", "How to highlight code?\nA: No answer provided.", "Do I need to submit proof of concept for gas reports? 
Or do I need to show a forge snapshot?\nA:", "Is there a way to check for opcode usage on-chain? (to forbid contracts using them)\nA:", "How to highlight code in GitHub?\nA: Click on the line of code to start, then hold down ctrl + shift and click on the last line you wish to highlight.", "Do I need to send a forge snapshot for gas reports or is it just okay to send raw code?\nA: It would be best if you include how much gas saved via the refactored code in the snapshot.", "Does Remix work for this purpose?\nA: Remix can be kind of tricky even with the Foundry.", "Does a Remix report validate it?\nA:", "How do you find vulnerabilities using Foundry? I just don't see how to do it, I only find it by running solidity.\nA: Foundry is a framework to write tests with, but has some other tools to assist checking things like storage etc. You need to write tests in solidity to test certain things in the Contracts you are auditing.", "I obviously know that I can save gas, but why then do I need to write tests?\nA:", "I saw a lot of vulnerabilities in staking pools when the client doesn't receive a promised amount of rewards or doesn't receive any rewards at all (due to precision loss for example). But I noticed that this type of vulnerability is not always treated as medium-level. Are there any judge's criteria for these situations with unreceived awards? When it should be low and when medium?\nA: It probably depends on the maximum value that is lost due to the precision-loss or other issues and how likely it is to happen.", "For example: rewards = amount/1e18. If amount < 1e18 rewards = 0 and it's a loss of rewards. Is this a vulnerability?\nA:", "Why do I need to write tests in solidity to test certain things in the Contracts I am auditing?\nA: [No answer provided]", "Are there any judge's criteria for situations with unreceived awards in staking pools due to vulnerabilities? 
When should it be considered low and when medium?\nA: It probably depends on the maximum value that is lost due to precision-loss or other issues and how likely it is to happen.", "Can you describe more detail about the sentence \"Mitigation Review: $8,100 USDC (3 top wardens from open contest will be assigned to it)\" in the Caviar contest post?\nA: You can read more on Mitigation Reviews here: https://code4rena.com/how-it-works", "How to submit a PoC to report a finding? How/where to upload the results of the git diff command?\nA: [No answer provided]", "By mistake I submitted the gas report for rubicon contest although I had some more findings to submit. Is there anyway to edit the submitted security findings?\nA: Login to your account, go to the contest page. You will see your submissions on the tab. You can withdraw/edit your submissions there.", "Is the Frankencoin contest private or public?\nA: The Frankencoin contest is public.", "I've sent a helpdesk request to change my logo a few days ago. Any update?\nA: The request will be worked on shortly.", "Can anyone suggest a tutorial video for audit findings submitting procedure?\nA: [No answer provided]", "Is the Frankencoin contest private or public?\nA: Public", "I've sent helpdesk request to change my logo a few days ago, any update?\nA: I'll work on it shortly. Apologies for the delay.", "Can anyone suggest me a tutorial video for audit findings submitting procedure?\nA:", "Is the H/M reward pool reduced for the Caviar contest?\nA: i think its cuz of the mitigation review, no?", "I submitted a QA report on the Rubicon contest without including all of my findings by mistake. I can't submit another report using the interface right now. Is it possible to do something about it? 
eg: mark the last one as reverted or something similar?\nA: You can update the current one, on the contest page there is an option called \"My findings\", your QA report should be listed there and you can select and edit it.", "I uploaded my personal documents for certified warden KYC. How many days should I expect to receive a response?\nA:", "Should all QA/gas report issues be combined into a single report? Is it true that only the best/most comprehensive QA/gas report is accepted and the rest are discarded?\nA: 1st is yes", "Why is the contest showing \"It looks like you've already submitted a G (Gas Optimization) report for this contest.\"?\nA:", "Do I have to write a text report first then?\nA:", "Should all QA/gas report issues be combined into a single report? \nA: Yes", "Is it true that only the best/most comprehensive QA/gas report is accepted and the rest are discarded? \nA: The answer is not provided in the chat.", "Why is the contest showing that I've already submitted a G (Gas Optimization) report for this contest?\nA: The answer is not provided in the chat.", "Do I have to write a text report first?\nA: The answer is not provided in the chat.", "Can I see an example of a contest report anywhere?\nA: Full of examples.", "How to use screenshots etc in a report?\nA: [Link](https://discord.com/channels/810916927919620096/810931711609143326/1068609440288358500)", "In Gas Optimization finding do we need to specify the amount of gas saved and attach screenshots for proof?\nA: Yes, it would be optimal.", "Can someone suggest a tool for calculating the gas cost of any contract?\nA: Both hardhat & foundry have gas report, just read documents.", "Is there any problem with the rubicon contest chat room ... I am not able to see it anymore?\nA: The answer is not provided in the chat.", "When are findings for an already paid contest made public? 
Once they're visible on C4 under Reports or already earlier?\nA: When the report is posted.", "In the c4 website, each finding has a number. Does it reflect the gh issue number?\nA: It is believed to reflect the gh issue number but it's not 100% certain.", "The markdown preview when submitting issues doesn't seem to properly display lists - is it just a preview issue and I could still use lists or should I format my finding differently?\nA: The answer is not provided in the chat.", "When are findings for an already paid contest made public? Once they're visible on C4 under Reports or already earlier?\nA: Findings for an already paid contest are made public when the report is posted.", "The markdown preview when submitting issues doesn't seem to properly display lists - is it just a preview issue and I could still use lists or should I format my finding differently?\nA: You don't have to reformat. The submission is viewed as it should be when submitted. The issue is only with the preview.", "If a protocol interacts with a contract on-chain, it will use a local interface over the methods of interest. Is it considered something worth mentioning if there are more functions in the interface then they are used in the code? 
To reformulate, should an interface over an on-chain contract only have the methods that are actually used?\nA: It would be great feedback representing your due diligence if there are more functions in the interface than they are used in the code.", "Any idea when the decision re the backstage role will be taken?\nA: We actually have a plan now regarding the backstage role.", "Any broad estimates on when the backstage role will be implemented?\nA: We will try to get an update on it this week but there\u2019s a lot going on.", "What is some effective way to find transaction hash when user A gives allowance to contract B if I only know user A's address and contract B's address?\nA: You need to filter logs of the contract and check topics for that specific address, if the address is indexed you should be able to do it more rapidly.", "What is/was the backstage role?\nA:", "Would it be acceptable to pass a link to a website for QA reports or POCs? Something like a visualization tool. Or do you think all reports should be MD?\nA:", "Can someone explain the exact criteria for low, medium and high severity issues?\nA:", "What is some effective way to find transaction hash when user A give allowance to contract B if I only know the user A's address and contract B's address?\nA: Need to filter logs of the contract and check topics for that specific address, if the address is indexed you should be able to do it more rapidly.", "What is/was the backstage role?\nA:", "Would it be acceptable to pass a link to a website for QA reports or POCs? Something like a visualization tool Or do you think all reports should be MD?\nA:", "Can someone explain the exact criteria for low, medium and high severity issues?\nA: https://docs.code4rena.com/awarding/judging-criteria/severity-categorization", "Are you submitting vulnerability you found in contest after confirming it from protocol's developer? Reason I am asking this is because many vulnerabilities we submit but few gets accepted. 
To avoid this, are you getting confirmations from the developer before submitting?\nA: Can you say more about this? Not sure I fully understand. I wouldn\u2019t recommend sending findings directly to the project.", "Can someone tell what SafeTransferLib is used for?\nA: It's used for safely transferring funds to user, when it transfer, it checks whether the operation of sending funds is successful by checking return status of the call.", "Normally we talk with project's developer about our doubt in an ongoing contest. I am asking are you also asking for confirmation from the developer about your findings before submitting it via code4rena form.\nA: It's usual to confirm any points through the sponsors whether it's a feature or a bug. But it's always up to the warden to submit a point which is thought to be a valid finding.", "If I submit a QA report and later on find some more QA issues, can I somehow edit/update my submission?\nA: Go to the contest page. You will see your findings. Click on it and you can edit your findings.", "I strongly recommend that you do not confirm findings with the sponsor. Imagine if every warden did this - the sponsor might get 500 messages to check and validate! It is not the sponsor's job to confirm findings... It is our job. The sponsors are our clients and they are paying us a lot of money to find issues in the code. They shouldn't also spend dozens of hours in helping us. Some level of help is obviously given by them, but it shouldn't be overdone by us. They're not our auditing tutor. So this is why writing POCs, and even reading the docs or just experimenting in Remix, is important... We can test many things this way. As we get more experience, and look at previous reports, we learn what issues are considered valid and are able to verify them ourselves. We can also team up with other wardens in a similar level, thereby validating each other's findings, and even explore the issues more deeply together. 
So I think it's good to remember that the sponsors are our clients, They're paying us, And they shouldn't have to also spend dozens of hours responding to perhaps unnecessary messages from a hundred wardens.\nA: Make sense. Thank you.", "If I submit a QA report and later on find some more QA issues, can I somehow edit/update my submission?\nA: Go to the contest page. You will see your findings. Click on it and you can edit your findings.", "Are we supposed to ask for confirmation from the project developers about our findings before submitting it via Code4rena form?\nA: It is recommended not to confirm findings with the sponsor. They are our clients, paying us to find issues in the code. It is our job to confirm findings and we should not overburden them with unnecessary messages. We can write proofs-of-concept (POCs), read the docs, or experiment in Remix to verify our findings. We can also team up with other wardens to validate each other's findings and explore the issues more deeply.", "Would it be acceptable to pass a link to a website for QA reports or POCs, like a visualization tool, or should all reports be in Markdown?\nA: No specific answer provided.", "Should I include how much gas is saved via the refactored code in the snapshot?\nA: It is technically a proof of concept. However, not being able to provide how much gas the refactoring saves, might lead the submission being in low grade.", "I wanted to report a possible scam I received in direct messages, where should I put that?\nA: No specific answer provided.", "Do points that are counted for the 60-day leaderboard expire 60 days after the contest has ended, or is it 60 days after the contest results are announced?\nA: It's supposed to be 60 days after the announcements, but there seems to be some confusion about this and it will be looked into.", "Do points that are counted for the 60-day leaderboard expire 60 days after the contest has ended? 
It's not 60 days after the contest results are announced?\nA: It\u2019s 60 days of announcements.", "Do I have to make a single report for all gas related submissions?\nA: Yes, you need to make one consolidated report. The same should be done for QA findings as well.", "What If I find something after I made my report?\nA: You can edit your findings by going to the contest page -> clicking the Your Findings button.", "Should I wait till the last moment before submitting? will it impact the reward value i.e. considered as duplicate?\nA: You can wait till closer to the end, there's no advantage or disadvantage. Any findings that could not be submitted before the end of the contest will not be eligible.", "What is the proper way to ask a judge for feedback about issues? The report is out, contestants paid, just to understand the reasoning behind the ruling and see what could be improved.\nA: Asking in the relevant channel could work.", "Is there a YouTube video about how to audit smart contracts?\nA: You might want to take a look at the #\ud83c\udfebeducation channel.", "I want to be a warden for one of the upcoming contests. Is there something I have to do?\nA: If you can log into your account, you'll be able to compete in the audit.", "Is it allowable to contact the judge of a contest and ask if you should submit something and give them a basic overview, to spare extra submissions, if they think it's not worth it?\nA: You won't know the judge ahead of time (by design), so this is not possible.", "Is there a YouTube video about how to audit smart contracts?\nA: You might want to take a look at the #\ud83c\udfebeducation channel on Discord.", "I haven't been on C4 for a while. I want to be a warden for one of the upcoming contests. 
Is there something I have to do?\nA: If you can log into your account, you'll be able to compete in the audit.", "Is it allowable to contact the judge of a contest and ask if you should submit something and give them a basic overview?\nA: You won't know the judge ahead of time (by design), so this is not possible. However, sponsor teams will have designated contacts you can DM during the contest to ask these kinds of questions.", "Are backstage roles applications getting accepted now?\nA: Not at the moment, but there is discussion for change in the next few weeks.", "Has anyone seen this before when running slither in windows?\nA: [Link](https://discord.com/channels/810916927919620096/1092789958923784292/1095205359792160918)", "Is there any markdown template for submitting findings?\nA: When you submit through the Code4rena interface, there is one proposed.", "Are findings with the help of ChatGPT valid for the prize?\nA: [No answer provided]", "How do we know if our finding is of High or medium severity? Is there a resource to learn about it?\nA: [No answer provided]", "Has anyone seen this before? Running slither in windows.\nA:", "Is there any markdown template for submitting findings?\nA: When you submit through the Code4rena interface, there is one proposed.", "Do findings with the help of ChatGPT make the prize valid?\nA:", "How do we know if our finding is a High or Medium severity? Is there a resource to learn about it?\nA: Severity is determined by experience, and a balance of consequence + likelihood. High severity usually involves \"sizeable fund loss or other severe consequences\" with \"no pre-conditions needed\". Medium severity generally means lesser impact, some function breaks, or has a specific precondition such as high attack difficulty, requires a specific market condition, or user can realistically be unaware. 
Judges will generally bump issues between High/Medium without any penalties as long as your report is understandable and of decent quality.", "Can I get a reward for the findings I find with ChatGPT?\nA: No, you definitely can't and your wardenship status can also be suspended.", "What's the current award formula for gas and QA? The formula described in the docs doesn't really align with the actual share at findings.csv.\nA: The award formula uses a curve formula, but it needs to be checked if it's documented. The formula should be updated within the next day or two.", "Will the issue of contest crediting be fixed? I'm concerned because if my last contest is still credited (since its results were announced March 8), I'd probably have a higher spot in the 60-day leaderboard. It's a personal goal for me to go as high as I can on the Leaderboard.\nA: There\u2019s not an easy and fast way to just do that since the site data doesn\u2019t currently track the dates awards went out, just builds the leaderboard off the dates of the audits themselves. A change might be made, but the conversation on this is still ongoing.", "Is the site integrated with Github? Maybe it can use the PR that updates the Leaderboard with the contest results as the end date for that contest?\nA: There are definitely ways to get the timestamp and that\u2019s a good one. However, a change like that might not happen soon because there are a lot of things going on right now including migration of all data from csv and json files to a db and api and site talking to that api.", "What's the current award formula for gas and QA?\nA: The formula will be updated within the next day or two.", "Will my last contest be credited since its results were announced on March 8?\nA: The leaderboard is built off the dates of the audits themselves, not the dates awards went out. A change may be made for this.", "Is the site integrated with Github? 
Could it use the PR that updates the Leaderboard with the contest results as the end date for that contest?\nA: There are ways to get the timestamp but it might not be implemented soon due to the migration of all data from csv and json files to a database and API, and site talking to that API.", "Will the upcoming ENS contest be public?\nA: Contests displayed in the https://discord.com/channels/810916927919620096/958800160870240286/1094922278808064103 channel are public.", "What is the specific criteria that decides reward selection and distribution?\nA: The judges review the findings and decide their severity, validity, and quality. Contestants are given shares for bugs discovered based on severity, and those shares give the owner a pro rata piece of the pot. During awarding, each share is redeemed for: pot / number of shares.", "Does timing play any part? e.g. First to submit a specific vuln gets higher reward?\nA: No, it's not a first come first served basis.", "Are findings reviewed upon submission, or at end of audit period? Does updating a submission cause extra work for judges?\nA: This question was asked but no answer was provided in the chat log.", "What is the specific criteria that decides reward selection and distribution?\nA: The judges review the findings and decide their severity, validity, and quality. They receive a share of the prize pool themselves as an incentive. Contestants are given shares for bugs discovered based on severity, and those shares give the owner a pro rata piece of the pot. During awarding, each share is redeemed for: pot / number of shares.", "Does timing play any part? e.g. First to submit a specific vulnerability gets a higher reward?\nA: No, it's not like first come first served.", "Are findings reviewed upon submission, or at the end of the audit period? Does updating a submission cause extra work for judges?\nA: The findings are reviewed at the end of the audit period. 
You're able to edit through contest close.", "There appears to be an issue with one of the contests when checking findings. Is this a problem for submitting?\nA: If you're getting email confirmations of your submissions, you're good.", "Unable to submit in the contest, is there a problem?\nA: Can you try again now?", "After trying again, is the issue resolved? \nA: Yes, it's working now. Thank you!", "Can you try logging in again now?\nA: It's working now, thank you!", "Can you check the findings for one of the contests now?\nA: It's working now, thanks!", "What is the minimum rank on leaderboards required to get the role leaderboards?\nA: The minimum rank is 1.", "When will the top 20 bots be announced?\nA: [Answer not provided]", "What does grade-c mean?\nA: [Answer not provided]", "How to format this type of code into readable format? \nA: This is a string representation of a JSON. The simplest but not that human friendly would be to just load it as a string and print it. The actual way to make it nice is to have a custom print logic for each element. [Link provided as example](https://gist.github.com/CodingNameKiki/36f3bfb214907d68fdf3a43cb0cb8ae3)", "Once my PR is merged for the warden, how can I login?\nA: Are you currently unable to log in?", "When I try to login, it shows me the registration page. Can you help?\nA: I\u2019ll have a look for you in ~ 5 minutes.", "Can you check if I can login now?\nA: I updated our database. Could you try logging in again in 20 minutes and let me know if it's fixed?", "My company wants to run an audit contest for our contracts. 
How does pricing and everything work?\nA: [Answer not provided, referred to another user for follow up]", "Can you try to log in again in 20 minutes and update me if it's fixed?\nA: Sure", "How does pricing and everything work for running an audit contest for our contracts?\nA: The best person to follow up about that is not specified, but they are referred to.", "How can I modify a string representation of a json to make it more human friendly?\nA: You can load it as a string and print it for a simple but less human-friendly method, or you could use custom print logic for each element to make it nicer. This can be done in any language you're familiar with.", "Has your log in issue been resolved?\nA: Yes, it worked.", "More than 10 days passed when my KYC was confirmed by KYC-provider and I still haven't received a verified role. Could you check on your side?\nA: Best to submit a help desk ticket and someone will look into it more deeply. There was also a hold up with the KYC process which is still ongoing. Attempts have been made to move the process forward.", "I've applied for KYC but never got any reply back. Is there anything I can do?\nA: If you don't get any reply in five business days, you can raise a help request through the form on the website.", "Does Hardhat or Foundry have a method to print local variables that are declared inside a function?\nA: Use console.log.", "Does console.log only work with public variables? How can I print localVar which is declared locally?\nA: Import \"forge-std/console.sol\"; then use console.logUint(localVar) to print locally declared variables.", "Can I import the console.sol inside the original Contract itself? 
Does it have to be in the x.t.sol file?\nA: No answer provided.", "Are hardhat or Foundry methods/ways to print local variables that are declared inside a function?\nA: You can use console.log in both hardhat and Foundry to print local variables.", "Will console.log only work with public variables in a function?\nA: No, you can print local variables as well. You can use the import \"forge-std/console.sol\" in your function to do so.", "Can I import the console.sol inside the original Contract itself? Is it necessary to be in the x.t.sol file?\nA: No, it's not necessary to import console.sol in the x.t.sol file. You can import it inside the original Contract itself.", "Does hardhat have a similar method to print local variables?\nA: Yes, you can use \"import \"hardhat/console.sol\"\" to print local variables in hardhat.", "Has anyone received the \"Source from artifact has no AST.\" error when running forge debug on a hardhat project with foundry integration?\nA:", "Why do some implementations use the constant product amm (xy = k) calculation dy = (y * dx) / (x - dx) instead of dy = (y * dx) / (x + dx)?\nA:", "How do I log gas remaining after the state variable update in Foundry?\nA:", "How to format the solidity code in the submissions in order for it to be pretty?\nA: You can try viewing it on a Gist, as the Markdown Renderer on the site may not provide an accurate representation.", "I'm certified but I didn't get an invitation link to GitHub. 
How can I resolve this?\nA: An invitation has been sent.", "How to format the solidity code in the submissions in order for it to be pretty?\nA: Try viewing it on a Gist, the Markdown Renderer on the site is not accurate.", "I'm certified but I didn't get an invitation link to Github, what should I do?\nA: You can reach out to the team, and an invite will be sent.", "Can I send a direct message to a team member?\nA: Yes, you can communicate with the team for assistance.", "Which tool should I use to import screenshots in submissions?\nA: Ideally, screenshots should not be used in submissions.", "Should I just use ``` and copy paste gas report for my submissions?\nA: Yes, that method is preferred.", "Can I include lines/links in my submission?\nA: Yes, you can link to the line, that's fine.", "Will CodeArena be at consensus in Austin next week?\nA: (No answer provided)", "I applied for the Post Event administration role and didn't get an auto-response from Google Forms, did my application go through?\nA: (No answer provided)", "Does the final report for any contest contains wardens whose submissions/findings are not accepted?\nA: (No answer provided)", "Why is there no \"Your findings\" button, I want to update my submission?\nA: The \"Your Findings\" button should be visible in the middle of the screen.", "Why isn't it possible to view all submissions as soon as a contests end?\nA: Backstage wardens do get access to findings soon after an audit. However, due to security reasons and to avoid dropping 0days on sponsors, this role requires KYC/NDA.", "Why there is no \"Your findings\" button? I want to update my submission.\nA: There is one literally in the middle of the screen.", "Why isn't it possible to view all submissions as soon as a contests end like Sherlock? I love to check the findings and see what I missed and why.\nA: The learning feedback loop is one of the best things about this model. Backstage wardens do get access to findings soon after an audit. 
Because we are highly disciplined and cautious when it comes to security and do not want to risk dropping 0days on sponsors, this role requires KYC/NDA.", "So if I KYC then I get access to the backstage? And how many days after the audit is this?\nA: There\u2019s an announcement coming this week about some updates to backstage access. New access had been paused, but will be opening again with some changes to the process.", "How exactly are gas findings judged? Does it depend on the inefficiency of the current implementation? And if I find a significant improvement in an important function, should I spend time showing it or is it not worth it?\nA:", "I've been wondering for a while how to highlight the syntax in a code block in a finding report. I currently open a code block with three bacticks (`).\nA: To highlight the syntax in a code block, you can use ```solidity\\ncode\\n``` .", "When will Rubicon results be released?\nA:", "Also, a noob question. How do we know our report was accepted?\nA: USDC will start flowing into your wallet.", "Regarding the final report for any contest, does the section with wardens who participated contains wardens whose submissions/findings are not accepted?\nA: No", "Would you consider indicating how may people participated in a given contest, in the discord message at least?\nA:", "How do we know our report was accepted? 
\nA: USDC will start flowing into your wallet.", "Regarding the final report for any contest, does the section with wardens who participated contains wardens whose submissions/findings are not accepted?\nA: No", "Would you consider indicating how may people participated in a given contest, in the discord message at least?\nA: The goal of doing this would need to be further clarified.", "Would you consider indicating how many people participated in a given contest, in the discord message at least, as it would help with having an estimate on the amount of wardens actually participating in a contest and indirectly show internal growth/contest popularity?\nA: There are reasons we haven\u2019t published the number in the past, but the main one is that we are focused on what value we are providing from a security perspective, which is only delivered by the results.", "Is it still profitable to run flashbot nodes?\nA: No answer provided.", "Can project owners see the findings as they are reported? For instance if something is deployed on mainnet and funds are at risk they could take action, or would it need to be escalated some how\nA: The best approach is to reach out to staff via a help request when an issue involves funds at risk on mainnet.", "Is the tool that is run for automated findings available to run locally?\nA: No answer provided.", "I am a beginner in smart contract auditing, and need help in auditing one contract, who can help me?\nA: No answer provided.", "Why doesn't _data/findings/findings.csv work?\nA: Please use this link to access findings.csv: https://code4rena.com/community-resources/findings.csv.", "Can project owners see the findings as they are reported? For instance if something is deployed on mainnet and funds are at risk they could take action, or would it need to be escalated some how?\nA: The best approach is to reach out to staff via a help request when an issue involves funds at risk on mainnet. 
We've been working on standardizing our process for sensitive disclosures. You can expect a relevant announcement and update to CodeArena's submissions guidelines soon.", "Is the tool that is run for automated findings available to run locally?\nA: This question was not directly answered in the chat.", "I am a beginner in smart contract auditing, need help in one contract, can someone assist me?\nA: This question was not directly answered in the chat.", "Can I check if backstage+ access has been re-opened? I have applied for it in February.\nA: Access just opened again. Requests previously submitted are being reviewed.", "Does CodeArena go to consensus?\nA: This question was not directly answered in the chat.", "How to become a judge here? Are there any criteria?\nA: More information can be found in the docs here: https://docs.code4rena.com/roles/judges", "In contest rewards, what does mean Scout and Lookout awards?\nA: This question was not directly answered in the chat.", "Could I ask about my KYC process? Almost 20 days have passed.\nA: Sent you a friend request to follow up.", "What\u2019s the average time to get KYC confirmed from the provider?\nA: It usually takes about a week.", "In contest rewards, what does mean Scout and Lookout awards?\nA:", "Could I ask about my KYC process? Almost 20 days gone.\nA:", "How to be a judge here? Any criteria?\nA: More information can be found at the docs here: https://docs.code4rena.com/roles/judges", "What\u2019s the average time to get KYC confirmed from the provider?\nA: In a week.", "What is a lookout reward and what is this role?\nA: More information can be found at the docs here: https://docs.code4rena.com/roles/certified-contributors/lookouts", "What is Lookout & Scount awards?\nA:", "What's the purpose of #\ud83d\udd06hm channel? People write there if they found high/medium bug, right? 
If there happens to be a duplicate, the bounty is split, correct?\nA: No, the #\ud83d\udd06hm channel isn't related to findings in a contest.", "My KYC was approved, should I resend a +backstage ticket?\nA: No, there is no need to resend a +backstage ticket.", "Who can we ping to get an update on a contest please?\nA:", "What is Lookout & Scount awards?\nA:", "My kyc was approved, should I resend a +backstage ticket?\nA: No need, your backstage will be sorted out.", "What is Lookout & Scout awards?\nA: Lookout's role is not specified in the chat. Scouts are responsible for preparing the contest repo making sure that the provided files by the sponsor are in order, the test files don't create any security vulnerabilities etc.", "What are those 2 awards?\nA: This refers to the Lookout and Scout awards. Please check the previous messages for their definitions.", "How to use 4naly3er?\nA: There was no answer provided in the chat.", "Can we publish multiple times findings for the same contest ? (for me its about gas)\nA: No, you should publish only one gas report; if you need to add some findings, you should edit the existing one.", "Was my report correctly updated? 
\nA: You should receive an email confirming the update.", "Should there be a notification or email that says \"issue updated\"?\nA: Yes, you should receive an email if an issue is updated.", "Can we publish multiple times findings for the same contest specifically about gas?\nA: You should publish only one gas report; if you need to add some findings, you should edit the existing one.", "Should I receive a confirmation for updating my report?\nA: Yes, you should receive an email if the report is correctly updated.", "I didn't receive an update email for my report, is this normal?\nA: There is no email sent for an issue update.", "Are there any updates on paused backstage applications?\nA: There are several updates available at this [link](https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490) and in the C4 newsletter.", "How can I check my status for the paused backstage applications?\nA: You should create a help desk request to check your status.", "Which value is correct for my HM rewards in the Eigenlayer contest?\nA: The RSVP post is correct. The repo details were not updated to account for the bot race award.", "Is there an easy to digest version of the Ethereum yellow paper?\nA: The Ethereum beige paper aims to simplify the Ethereum yellow paper.", "Will bots eventually be open sourced for the bot races?\nA: Bots are a warden's intellectual property; so that would be at the warden's discretion and unlikely to be initiated by the company.", "Do we look for gas optimization only in the contracts?\nA: Yes, you should look at in-scope contracts only.", "I don't see the logs output when I run a test file that invokes the function, am I missing something?\nA: The answer to this question was not provided in the chat.", "How can I see verbose logging in the console?\nA: The answer to this question was not provided in the chat.", "Do you look for gas optimisation only in the contracts/right? 
I don't need to pay attention to any of the .sol files in test/ or scripts/ (in the example of a hardhat project), do I?\nA: You should look at in-scope contracts only.", "When I run a test file that invokes the function, I don't see the logs output. Do I miss something?\nA: You should see it, can you paste the code here?", "Can I dm?\nA: Sure.", "How to solve it?\nA: Assuming you've already created a QA report, you can edit that report to add more details.", "After the judging is complete and the results are posted/sent, why does it sometimes take a lot of time to release the report? Since the rewards were distributed, all the issues are known. From a technical point of view, I see that you just need to run a script at that point that unifies all issues that are left opened, by tag and that's it. What am I missing?\nA: The C4 team needs the green light from projects before they can release the report. Some projects may not want the public to know issues before they have fixed them.", "How long does it take to get a response from Provenance? I submitted on April 25th and four business days have passed.\nA: It took about a week.", "For gas optimization, I read about not initializing default variables to 0, so instead of doing: uint256 testTest 0; it's recommended to do uint256 testTest; How about when you define a variable such as i to create a for loop? Example: for (uint256 i = 0, i < 10, ++i) Is it true as well in this case?\nA: Yes, initializing a variable inside a loop does not consume more gas.", "For gas optimization, is it recommended to not initialize default variables to 0? Is this applicable when defining a variable such as i to create a for loop? \nA: Yes, it appears that not initializing default variables to 0 can help with gas optimization. This is also applicable when defining a variable for a for-loop.", "How long does it take to get a response from Provenance? 
\nA: It took about a week for a response.", "Is there a difference in gas cost between using ++i and i++ in a for loop?\nA: Yes, using ++i is less gas intensive than using i++ in a for loop.", "Is there a big difference in gas cost between using for (uint256 i = 0; i < 1000; i++) and for (uint256 i = 0; i < 1000; ++i) ?\nA: Yes, using for (uint256 i = 0; i < 1000; ++i) results in nearly 5 gas savings per iteration compared to for (uint256 i = 0; i < 1000; i++).", "How can I learn about the new feature bot race?\nA: You can learn about the new feature bot race at https://code4rena.com/register/bot/.", "Why am I stuck on my report that contains my gas optimization, even when trying to submit low-risk and non-critical findings from the \"Risk rating *\" menu?\nA: No answer provided.", "Has anyone encountered this error before?\nA: No answer provided.", "Why is there an issue with the attachment?\nA: The issue might be due to internet problems.", "It looks like we now see when we edited our findings! Thnks\nA:", "I have an issue, even when trying to submit low risk and non critical findings from the \"Risk rating *\" menu, I remain stuck on my report that contains my gas optimization, help please\nA:", "I want to now about this new feature bot race,\nA: https://code4rena.com/register/bot/", "Is this guy a scammer?\nA: Yes. Just booted them", "You guys should consider using Hashbot here to detect scammers like that one.\nA: https://Hashbot.io", "Is there any way to get +backstage?\nA: If after reading this doc, you believe you meet the criteria, you can submit a help desk request to confirm eligibility. https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "Can I talk to an Admin please? I have an issue\nA: Hi, you can create a help desk request to explain the concern and we can reach back out. https://code4rena.com/help", "I just put a wrong Discord username... 
which is mine but no my nickname displayed here\nA: The request (that I believe we currently have for you) is still an issue or no?", "Can I PM you?\nA: Sure", "Can we submit the binance address for payout or there is any problem with that?\nA: The binance address can change. In addition, not your keys, not your coins.", "Can I pm you?\nA: Sure", "Can we submit the Binance address for payout or is there any problem with that?\nA: The Binance address can change. In addition, not your keys, not your coins.", "When will Caviar/Rubicon results come out? These were my first submissions and I would like to see the results and feedback so I can improve.\nA: [No answer provided]", "Is there an explanation/description about the minimum baseline or how the judge/pre-sort categorize each QA&Gas submission into grade A, B, C? Also wondering what is the difference between \"primary issue\" and \"selected for report\", both will receive bonus share or only \"selected for report\"?\nA: Submission guidelines have lots of info about what constitutes a satisfactory / high quality report. You can find more information here: https://docs.code4rena.com/awarding/incentive-model-and-awardshttps://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic", "I saw older submissions for Owner Misconfiguration as Medium and they seemed to be judged valid. Turns out, they're no longer considered valid. Is there any reference we can look at to know what types of findings are no longer valid?\nA: You can usually check the conversations here: https://github.com/code-423n4/org/issues?q=is%3Aissue+is%3Aopen+label%3Arules", "Discord is changing how usernames work. 
How will C4 authentication change given that?\nA: I assume you will still be able to have per-server nicknames.", "My Gas/QA findings are included in some audits...does it mean they are graded A...and if they exceed the threshold of 3...so now can I apply for backstage role??\nA: [No answer provided]", "How do I make submissions on behalf of my team?\nA: You should be able to login and select either your solo handle or team handle for submitting a finding.", "Is there any reference we can look at to know what types of findings are no longer valid?\nA: You can check the conversations here: https://github.com/code-423n4/org/issues?q=is%3Aissue+is%3Aopen+label%3Arules", "My Gas/QA findings are included in some audits. Does it mean they are graded A and if they exceed the threshold of 3, can I now apply for backstage role?\nA: If you think you are eligible for backstage role or would like us to check, please open a help desk request: https://code4rena.com/help", "How do I make submissions on behalf of my team?\nA: You should be able to login and select either your solo handle or team handle for submitting a finding.", "I was just recently added to the team, is there a manual process I need to wait for?\nA: [No answer]", "I have submitted a low-risk finding. Now I have found another that I would like to report. How should I report it? How can I edit my previous low-risk issue to add a new one?\nA: [No answer]", "If we create one C4 team but not all members are always participating in the same contest, then that's cool. But what happens if a team member is currently solo participating in the same contest that the rest of my team members are participating in as the team? 
And what's the solution to this, besides creating a different team every time?\nA: This discussion may be relevant: https://github.com/code-423n4/org/discussions/43", "How do I properly manage same C4 team name but different team members work on different contests at same time or different times?\nA: Understood, and you're correct that we don't currently support this. But we're definitely looking at it.", "Typically how long does it take to hear back for helpdesk requests?\nA: Depending on the type of issue, we're usually able to resolve within 24 - 48 hours. (Business days)", "What does CanAuto mean in finding issue types?\nA: [No answer]", "I can't find how to add my twitter handle in my profile page, is it possible?\nA: Submit a help request.", "I sent a message a few days back and haven't heard anything since, when can I expect a response?\nA: Depending on the type of issue, we're usually able to resolve within 24 - 48 hours. (Business days)", "What does CanAuto mean in finding issue types?\nA:", "How can I add my twitter handle in my profile page?\nA: You can submit a help request.", "I would like my project to be audited, how can I get in contact with someone for this?\nA: You can submit the form online and should expect a response. If you haven't heard back, someone from the team should connect with you.", "I received a letter from a security company that my application for certification is approved. What step should I take next?\nA: If you mean KYC, you will shortly receive certified status as the team process your application.", "Is there an entity that could be invoiced the amount received as a reward for accounting purposes?\nA: The entity would be the Code4rena UNA. However, for tax reporting, there are changes being implemented.", "Is it possible to invoice C4 as it is a DAO?\nA: Yes, this has changed. It's already possible to invoice. 
More details can be found at https://github.com/code-423n4/org/discussions/91", "Is the invoicing possible now or is it something for the future?\nA: It's already possible to invoice, but further confirmation will be provided soon.", "Where can I find the Code4rena UNA address details?\nA:", "Is it possible to invoice?\nA: Yes, it should be possible but it will need to be confirmed.", "Where can I find the Code4rena UNA address details?\nA: This information was not provided in the chat.", "When I submitted a report where and how can I follow up result for that?\nA: Results will be posted in the contest channel once judging is complete. The findings repo will also be made public once the report is published.", "If the report is accepted when does the project make payment of the reward?\nA: Awards are usually sent within 1-2 business days of the announcement. The judging process can take anywhere from 2-4 weeks depending on the number of submissions and the complexity of the code.", "I'm trying to submit a report, but I received an error message, how can I fix it?\nA: After waiting a bit, you should try again. 
This seemed to solve the problem in the chat.", "Where is the i-want-to-be-a-sponsor channel?\nA: The channel is #\ud83d\udcbci-want-c4-to-audit-our-code.", "How much time usually does it take for KYC?\nA: The chat did not provide an answer to this question.", "Where is the i-want-to-be-a-sponsor channel?\nA: That is the #\ud83d\udcbci-want-c4-to-audit-our-code channel.", "How much time usually it takes for KYC?\nA: This question was not answered in the chat.", "Is the bot race prize pot taken from the HM pot or QA/Gas if compared to the size of prize pots before introducing the races?\nA: It was HM but this is changing soon.", "Where is info about gsset, gscoldsload etc, I can't find anything on Google Search?\nA: Here is the information: https://github.com/wolflo/evm-opcodes/blob/main/gas.md", "Is participating in test-coverage (https://medium.com/code4rena/new-to-code4rena-test-coverage-c548645404f9) currently open to just certified wardens?\nA: Correct", "Provenance has been approved, Is it possible to participate in a private audit\uff1f\nA: Once provenance send us a confirmation of this we will process your application and send you an email when you\u2019re certified.", "Where should we send the confirmation? Should we create a help request?\nA: Not required. We get it directly from provenance.", "Is it possible to participate in a private audit?\nA: Once provenance send us a confirmation of this we will process your application and send you an email when you\u2019re certified.", "Where should we send the confirmation? create help request?\nA: Not required. 
We get it directly from provenance.", "What happened to the Vine Labs contest?\nA: The Vine Labs contest got postponed.", "Is only one report of all the low-severity findings that were submitted chosen to be the final low-severity that is reported on the final report, or is it a compilation of the best low-severity findings submitted by all the wardens during the contest?\nA:", "What does this error mean ::fullfillRentalOffer{value: 3}(0) \u2502 \u2514\u2500 \u2190 \"EvmError: OverflowPayment\" \u2514\u2500 \u2190 \"Call reverted as expected, but without data\"?\nA:", "Is there any way to prevent foundry fuzzer to send too much value? \nA:", "Can you submit a help request?\nA:", "How do we currently know, if the issues submitted got accepted or not for the closed contests?\nA: You'll know when the report is generated or at the time you qualify to be Backstage.", "How to qualify to be Backstage?\nA: You can qualify to be a Backstage by following the guidelines provided [here](https://docs.code4rena.com/roles/certified-contributors).", "If a team submits 3+ Medium severity issues and are accepted, are all members eligible for the backstage role?\nA:", "What is the difference between submitting as a team and submitting individually? Do all members receive the bug stats, and what is the pay out split like? Also, is it acceptable to work with other wardens without setting up a team?\nA:", "Does compound cToken exchange rate decreases?\nA:", "How do you all manage taxes from income of contests? Do you have your own entity registered? Any guidance would be welcome.\nA:", "So, if a team submits 3+ Med and are accepted then are all members eligible for the backstage role?\nA:", "Just wondering what the difference is between submitting as a team and submitting individually. Do all members receive the bug stats, and what is the pay out split like? 
Also, is it acceptable to work with other wardens without setting up a team?\nA:", "Does compound cToken exchange rate decreases?\nA: If 100% is repaid it resets, see recent hacks.", "How do you all manage taxes from income of contests? Do you have your own entity registered? Any guidance would be welcome. Doesn't matter the country.\nA:", "Which previous report is similar to venus protocol (lending, borrowing etc.)? I wanted to use that as a reference point when searching for bugs.\nA:", "C4 used to have the csv which contains all rewards based on each finding, do you guys know where can I find it? It used to be _data/findings/findings.csv. It is deleted here: https://github.com/code-423n4/code423n4.com/pull/8739/files#diff-74910905ffc9d3c8f8510410dbaa9089f77209d36db0cf1368c1cb7e32e92473\nA: Please use this link to access findings.csv: https://code4rena.com/community-resources/findings.csv", "A question about registering a team: I did not realize the process of approving a team takes some time (it says up to a few business days) and stalled the team registration for Venus contest until now. Is there any action that can by taken from my side or the side of other team member, that could speed up the process and possibly make it doable to still submit findings for Venus as a team?\nA: I\u2019ve merged your team\u2019s pr. When you log in, are you able to submit as a team now?", "Is it possible to participate in Bot Races? Or is it just for qualified bots? Any upcoming Qualifier Races coming soon?\nA: Answers to these questions and more in #bot-race-help. Checked the pinned posts.", "Is it possible to edit findings after contests closed? I recently submitted a very low quality description, while I was still working on the PoC and intending to improve the description with it. 
Sadly the update didn't go through (at least I didn't get an email), so I was wondering if there is any chance to still improve the description or add the PoC?\nA: You won't have access after the contest is closed. If you need something withdrawn after the close, you can create a help desk request and we can do that. We don't just edit findings though.", "How often does the leaderboard get updated?\nA: We typically update it every time awards are announced. However, not all contest types are currently supported (e.g. Versus, bot races).", "Is it possible to edit findings after contests closed?\nA: You won't have access after the contest is closed. If you need something withdrawn after the close, you can create a help desk request and we can do that. We don't just edit findings though.", "So, if a team submits 3+ Med and are accepted then are all members eligible for the backstage role?\nA:", "How often does the leaderboard get updated?\nA: We typically update it every time awards are announced. However, not all contest types are currently supported (e.g. Versus, bot races).", "How are lines of code computed? Is there a tool that does this automatically?\nA: Yes, Google CLOC is a tool that can compute this.", "How can I change my username on Code4rena?\nA: This may be possible one day, but presently your handle is essentially a foreign key across a variety of datasets and is therefore immutable.", "Do I need to register again if I want to change my username?\nA: You\u2019ll need to re-register unfortunately. 
We don\u2019t support name changes.", "What are some of the tools to test code coverage?\nA:", "I just found out that report only show unique finding, how can I read the rest of it?\nA:", "To execute the 4nalyzer, in scope.txt, is there any way give them just the folder and force it to analyze everything in?\nA:", "I'm having trouble when logging in, tells me i'm logged in after putting in my credentials but i'm still seeing the same connect tab as if i'm not connected, any idea how to fix this?\nA:", "What are some of the tools to test code coverage?\nA: [No answer provided in the chat log.]", "I just found out that the report only shows unique findings, how can I read the rest of it?\nA: [No answer provided in the chat log.]", "To execute the 4nalyzer, in scope.txt, is there any way to give them just the folder and force it to analyze everything in?\nA: [No answer provided in the chat log.]", "I'm having trouble when logging in, it tells me I'm logged in after putting in my credentials but I'm still seeing the same connect tab as if I'm not connected. Any idea how to fix this?\nA: Should be good now.", "Does anyone have trouble executing foundry fork testing in polygon POS network?\nA: [No answer provided in the chat log.]", "Any chance we could have a feedback channel?\nA: There is a #\ud83d\udce5suggestion-box. Feel free to use that channel for feedback.", "I received my first award on Polygon. I have connected Polygon Token on Metamask. Could you suggest the best way to transform it into EUR and withdraw them? I'm thinking of moving it on the Ethereum mainnet through Metamask bridge and then sell it on Coinbase, but maybe it's wrong. Thanks in advance.\nA: That's a reasonable approach.", "I could find it on https://wallet.polygon.technology/, right?\nA: [No answer provided in the chat log.]", "I know the BASE contest requires KYC, which makes it difficult for me to form a team for this contest. 
But for the upcoming Maia DAO Ecosystem contest, is KYC going to be necessary or not?\nA: Regarding the Base contest: if you're not opposed to being KYC'd, you have time to get that done. You just can't receive payment until / unless you are KYC'd. Regarding the Maia contest: there is no KYC expectation.", "When submitting an issue, can you change/complete it after creating it?\nA: Yes, you are able to edit your findings. When you're logged in there is a \"Your Finding\" button on the contest page above the contest details.", "I know the BASE contest requires KYC, which makes it difficult for me to form a team for this contest. But for the upcoming Maia DAO Ecosystem contest, is KYC going to be necessary or not?\nA: Regarding the BASE contest, if you're not opposed to being KYC'd, you have time to get that done. You just can't receive payment until / unless you are KYC'd. Regarding the Maia DAO Ecosystem contest, there is no KYC expectation.", "When submitting an issue, can you change/complete it after creating it?\nA: Yes, you are able to edit your findings. When you're logged in there is a Your Finding button on the contest page above the contest details.", "Can you use markdown formatting?\nA: Yes.", "Does anyone have any experiences with tx pool (geth)?\nA: [No answer provided]", "Isn't time for Maia DAO less relative to SLOC, or is it optimal?\nA: [No answer provided]", "Where can I find the feedback for my submitted findings? I see that there is a general report and how many of my H,M, ... 
findings were accepted but I don't see which ones and also not why the others were rejected.\nA: [No answer provided]", "Can I DM you?\nA: Will it be quick?", "What are the requirements for backstage role?\nA: [Here are the requirements for backstage role](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens)", "I got confirmation email from provenence regarding my KYC, so how much time it will take for the role?\nA: If you haven't already, please do a help desk request and we can track it.", "Is precision loss possible here due to divide before multiply in the expression Profit = allProfit - ((allProfit / 100) * fee)?\nA: [No answer provided]", "I did a help desk request but hadn't had any reply.\nA: We weren't going to reply on the weekend. We'll be able to look into it during business hours.", "I got a confirmation email from provenence regarding my KYC, so how much time will it take for the role?\nA: If you haven't already, please do a help desk request and we can track it.", "Is precision loss possible here due to divide before multiply?\nA:", "Why only 20 days for Maia, a 12K SLOC project?\nA: 3 weeks is the longest we\u2019ve ever run an audit. More time doesn't always mean more thoroughness of review. A more constrained time can encourage people to work in a more focused way and not to split attention between audits and other opportunities.", "Shouldn't the audit time be extended for a project with 12K SLOC, as there might be a high probability that not all code is covered, meaning bugs can be lost?\nA: It\u2019s most definitely one of (if not the) biggest codebase we\u2019ve had. I can\u2019t speak to the preferences of the project. It's reasonable to suggest it would be in the interest of the project to add more time.", "How can we ensure that auditors are not splitting their attention between multiple audits?\nA: One way is by not running any other public contests during this period to not create the temptation. 
Based on past history, the more audits we run simultaneously, the more that registered auditors are active on the platform.", "How has the number of auditors on the platform changed over time?\nA: 2 years ago, an audit with 12 participants was big. However, we added 1000 auditors to the platform in the past month alone. Yes, many are new but \u201cnew\u201d actually represents a range of capabilities based on past experience.", "How many auditors have been added to the platform recently?\nA: We added 1000 auditors to the platform in the past month alone.", "What is the effect of running more audits simultaneously?\nA: The more audits we run simultaneously, the more registered auditors are active on the platform.", "Is it possible to extend the project timeline?\nA: It's reasonable to suggest that extending the timeline would be in the interest of the project due to its large codebase. This can be checked with the sponsor to see if they would be willing to extend it to 4 weeks or more.", "Can the project timeline be extended to 5 weeks?\nA: Yes, the project timeline can be extended to 5 weeks.", "How can I send some gummy bears?\nA: You can pass them in person in Paris if you're going to ETH CC.", "How much time it takes for backstage role after KYC?\nA: Once you're certified and meet the qualifications to be backstage, you can create a help desk request to have your status evaluated. 
This is usually done within a week if you meet qualifications and nothing is pending.", "How much time it take for backstage role after Know Your Customer (KYC) procedure?\nA: If you're certified and also meet the qualifications to be backstage, you'd create a help desk request to have your status evaluated.", "Once the request is seen, how quick is the evaluation for backstage role?\nA: The evaluation is usually done within a week if you already meet qualifications and nothing is pending.", "Is it necessary to be a certified contributor, or can I be simply a warden?\nA: For most audits, there is no requirement to be certified. Not having a passport doesn't disqualify you from being able to apply.", "I've opened a help ticket for backstage role, but didn't get any reply back, do I need to wait?\nA: Yes, we did receive your request and will get back to you this week.", "I submitted the Certified warden application but received no emails regarding the KYC, how long should I wait?\nA: No answer provided.", "How do I participate in the Ambire Contest as a Warden?\nA: No answer provided.", "If you\u2019re competing with a team do all members need to be certified?\nA: In order to receive the payout, yes, all members need to be certified.", "How can I gain permission to audit private contest?\nA: Usually, you need to be certified and also rank on the leaderboard.", "Is foundry gas cost in wei or gwei?\nA: It's units of gas.", "How can I gain permission to audit private contest? \nA: Usually, you need to be certified and also rank on the leaderboard.", "Is foundry gas cost in wei or gwei? \nA: It's units of gas.", "Are there any news in regards to this message?\nA: No update on Masons yet. It\u2019s something we want to bring back eventually.", "Is there a way to see the judges comments on my submissions for this contest? 
\nA: No answer provided.", "Is there a ranking cutoff for auditing a contest or just being in the leaderboard is enough?\nA: If it's a mit review or invitational, we usually take top 3 or 5. If it's simply a private audit, then certification is usually sufficient.", "Is it necessary to have passport during the identity verification of KYC ? \nA: You should be able to provide other forms of ID also.", "So there are three types of audits then: public, private (where certified is enough), and invitational (only specific wardens)?\nA: Something like that.", "For base and chain link contest, do all the members of the team need to be KYC or just 1 is enough?\nA: All members should be KYC'd.", "What does score mean?\nA: No answer provided.", "What are \u201cAudit summary awards\u201d?\nA: No answer provided.", "Code4rena is showing me page not found error, is anyone getting that as well?\nA: No answer provided.", "For base and chain link contest all the members of team needed to be kyc or just 1 is enough?\nA: All members should be kyc'd.", "What does 'score' mean?\nA:", "What are \u201cAudit summary awards\u201d?\nA:", "I am getting a 'page not found' error on Code4rena. Is anyone else experiencing this?\nA: Yes, it's a DNS issue. The developers are looking into it.", "Is there a way to change my twitter username on c4?\nA: Yes, you can change it by creating a help desk request.", "I get an error when I want to open a help request. What should I do?\nA: Try using this link: https://old.code4rena.com/help/.", "Can you explain what the \"I\" means in the report judging decisions?\nA: Every judge has their own shorthand. Often it means \"informational,\" i.e. non-critical.", "In the same judging sheets, I see the \"I\" alongside with the \"NC\". 
What does this mean?\nA: The \"I\" could mean 'ignored'.", "Do you have any idea why an issue might be ignored?\nA:", "Can anyone explain to me what does the \"I\" Means in the report judging decisions?\nA: Every judge has their own shorthand. Often it means \"informational,\" i.e. non-critical.", "Sometimes I see in the same judging sheets ... the \"I\" alongside with the \"NC\" ... ?\nA: For bot racing at least, \"I\" is for ignored.", "Do you have any idea why an issue might be ignored?\nA: That's the judges decision. Generally it's when an issue is either extremely small impact or there isn't enough detail/proof.", "Do wardens get paid for only sponsor confirmed issue or sponsor acknowledged issues too?\nA: The Judge decides, sometimes even disputed ones get paid.", "What is the proper way to apply to participate on restricted audits?\nA: The application can be made at this link: https://docs.code4rena.com/roles/certified-contributors", "How many days does it take for provenance to send the KYC mail to become a certified contributor?\nA: The chat does not provide an answer to this question.", "Is reserve audit private?\nA: Yes.", "Are there no gas optimizations rewards on Base?\nA: Correct, there are no gas optimizations rewards on Base.", "What is the proper way to apply to participate in restricted audits?\nA: You can apply to participate in restricted audits by following instructions on this page: https://docs.code4rena.com/roles/certified-contributors", "How many days does it take for Provenance to send the KYC mail to become a certified contributor?\nA: [No Answer]", "Is the reserve audit private?\nA: Yes, the reserve audit is private.", "What happens if a team wins the prize in an audit but they cannot claim it due to KYC issues?\nA: [No Answer]", "Can I change my nickname? 
Can I register another account with the same email/github address?\nA: [No Answer]", "Can I verify my identity for KYC if I only have a national Identification card and no passport?\nA: You should apply and ask Provenance (our KYC provider) this question.", "Does C4 have a bug bounty award for its own platform for reporting any issue in its DAO governance or web application?\nA: No, C4 does not have a bug bounty award for its own platform at this time.", "Are there any important changes to contest rules I should know about?\nA: You can find the latest contest rules and any changes here: https://docs.code4rena.com/", "What is the analysis reward about? Is it new?\nA: [No Answer]", "-", "I haven't gotten any mail from Provenance. What should I do?\n A: \n\n-", "I was very active here last year but stopped since November 2022. I'm here for chainlink. Any important changes to contest rules I should know about?\n A: Welcome back! This is probably the best resource for you to take a look through to see if any technicalities have changed since you were last here: https://docs.code4rena.com/\n\n-", "What's analysis reward about? Is it new?\n A: https://discord.com/channels/810916927919620096/810936719003090974/1111666431050919996\n\n-", "How do I get verified for base, I'm not receiving any mails from provenance?\n A: Hey there, when the team is back online after the US public holiday, they'll be able to help you troubleshoot.\n\n-", "Is it possible to do a delegate call from a receive function?\n A: \n\n-", "It says people need to KYC before they can participate in the Base audit. How about the team? 
If like only one of the member is KYCed and the team took part in it will the team get paid?\n A: The team should be KYC'ed including all members.\n\n-", "How do I join an invitational?\n A: There\u2019s more info here: https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef.\n\n-", "Will updates to the bot race reward structure be announced before the Maia contest tonight?\n A: Yes, done. https://discord.com/channels/810916927919620096/958800160870240286/1109067971915153508\n\n-", "What is mason role?\n A: https://discord.com/channels/810916927919620096/810956862609424414/964680554509377577.", "Will updates to the bot race reward structure be announced before the Maia contest tonight?\nA: Yes, done. [Link](https://discord.com/channels/810916927919620096/958800160870240286/1109067971915153508)", "How do I get verified for base, I'm not receiving any mails from provenance?\nA: Hi there. Please also check your spam mail. Thanks!", "What is mason role?\nA: [Link](https://discord.com/channels/810916927919620096/810956862609424414/964680554509377577)", "Any update on sharing more details prior to contest start?\nA: More info here: [Link](https://discord.com/channels/810916927919620096/1111666431050919996)", "What happens when I do #channel?\nA: You tag the channel here.", "Has the report for Frankencoin been published? Can someone please share a link?\nA:", "Do you have recommendations how to approach the auditing of big projects or maybe some resources about it?\nA: [Link](https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan)", "I want to re register to change username. Can I use same GitHub name? Can I use same discord name?\nA:", "Can I link same GitHub account as before? Can I link same discord account as before?\nA:", "How long does it take to get certified role after finishing KYC process?\nA: Within a few days after we hear from Provenance.", "How to be a private auditor and participate in the Private Competitive Audits? 
I did not find the relevant identity authentication channel.\nA:", "I want to re register to change username. Can I link same github account as before? Can I link same discord account as before?\nA:", "How long does it take to get certified role after finishing KYC process?\nA: Within a few days after we hear from Provenance.", "How to be a private auditor and participate in the Private Competitive Audits? I did not find the relevant identity authentication channel.\nA: Check out certified wardens on the docs.", "What do we do if someone set recipient address and start a flashloan?\nA:", "Do we have Office Hours for all audits?\nA: Not all, but when there is an upcoming office hours, it'll be shared in the C4 rollup in announcements.", "Why not use a flag to allow/disallow the flashloan, somewhat similar to reentrancy guard. This will obviously have gas overhead.\nA:", "When the last office hours will be posted on youtube?\nA: Early next week!", "Can I use console log in foundry? It's saying console - undeclared identifier.\nA: Sure you can, I believe default foundry comes with console.log in library.", "Is it a problem if people can start a flashloan and force the recipient to take the flashloan?\nA: The funds and fees must be returned in the same transaction, so there is no problem for Balancer vault. UserData can be a signed message by the owner EOA, so it is possible to validate the flashloan initiator. If the recipient contract behaves incorrectly under a flashloan, it is the recipient contract's fault. 
Ultimately, it is their responsibility to perform any validations.", "Why not use a flag to allow/disallow the flashloan, somewhat similar to reentrancy guard, even though it will have gas overhead?\nA: Yes, using a flag to allow/disallow the flashloan could be a good idea.", "Can I use console log in Foundry?\nA: Yes, default Foundry comes with console.log in the library.", "What should I import to use console log in Foundry?\nA:", "How do I know if I'm certified?\nA: Check your email and spam for a note from Provenance. If you haven\u2019t heard by Monday you can open a help desk request. You should normally hear back within a couple of days.", "I submitted a Certification Application last week and have not received an email yet. What should I do?\nA: Check in your spam folder.", "I submitted an issue here regarding differences in judging and am worried it will not get resolved before the contest is finalized. Can any staff look at the issue I submitted?\nA:", "If a basic analysis is not eligible for rewards anyway, what's the point of grading A or B instead of just satisfactory/unsatisfactory?\nA:", "I have provided all documents for KYC to Provenance for getting certified but have not received any response even after lapse of 48 hours deadline. How will I know if I get certified?\nA: You should wait until Monday.", "Do people prefer to practice in unaudited contracts or just audited/previously done ones?\nA:", "I have provided all documents for KYC to provenance for getting certified..but has not received any response even after lapse of 48 hours deadline..someone facing the same issue?? or any idea how I will know if I get certified?\nA: Wait until Monday.", "Do people like to practice in unaudited contracts or just audited/previously done ones?\nA: [No answer provided in chat]", "General question - say there's a low sev bot race finding like the below: \"LOW - External calls in an un-bounded for-loop may result in a DOS\". 
Hypothetically, say there's a scenario where a user can push to the array arbitrarily and cause a DOS for everyone else, breaking system functionality (i.e. elevating it to high sev). That wouldn't be considered as covered by the bot race finding, right?\nA: Correct - it should be submitted as a High/Medium. [Source: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues]", "Is it possible to be security auditor without focusing on the front end of the blockchain?\nA: Yes.", "I have open a help desk request as I have not received any response from provenance after submitting all documents. \nA: Ok thank you.", "I have been running forge test --gas-report on foundry but in the function table I do not see the public getter functions for state variables marked public. Can someone please tell me if it is possible to see them and their gas costs?\nA: [No answer provided in chat]", "Does C4 treat mismatch between documentation and the code as QA or medium?\nA: Mostly QA if no impact from experience.", "By any chance do you have any update regarding https://github.com/code-423n4/org/discussions/91#discussioncomment-5289561 ?\nA: [No answer provided in chat]", "Does anyone know how to get ETH in Goerli testnet? Its for ethernaut.\nA: Use polygon/sepolia.", "What is backstage role? and how to get it?\nA: [No answer provided in chat]", "Do you have any update regarding https://github.com/code-423n4/org/discussions/91#discussioncomment-5289561 ?\nA:", "Does anyone know how to get ETH in Goerli testnet? It's for ethernaut.\nA: Use polygon/sepolia.", "What is backstage role? And how to get it?\nA: You can get information about it here: https://docs.code4rena.com/roles/certified-contributors", "I'm receiving this error when trying to add a member to my team. (Not sure if it can be related, but I wasn't the one that created it)\nA: I just processed the pending team PR.", "Just realized that it had to go through a PR. 
Didn't notice at first. Is that the procedure?\nA:", "Is a foreigner able to become a certified warden? I haven't received an email after a week.\nA: Check your spam folder.", "Do I have to submit just one of the following documents: Utility bill clearly stating the service address and mailing address with the individual\u2019s name (note: telephone, cellular and credit card bills are not acceptable as these may be mailed to any address), Bank statement, Rental or lease agreement,Local authority document (e.g. property tax bill, council tax bill etc.)?\nA: You\u2019ll need to talk to them about it. It\u2019s actually 100% out of our hands and out of our view\u2014 we just get back a thumbs up if everything was completed successfully.", "A question regarding the rewarding formula. When a high has two dupes (1 original + 1 dup), each report gets 4.5 shares excluding the best report bonus. But what happens when the second dup is marked as partial credit (eg partial-50), how does the findingCount value change in that case?\nA:", "Are POCs mandatory now? Are non-POC submissions able to be classified as satisfactory?\nA: POC is recommended.", "I can\u2019t access the site. Is it just me?\nA:", "I can\u2019t access the site, is it just me?\nA: It's loading fine for me.", "Can a vulnerability without PoC be awarded as a high?\nA: Yes, PoC doesn't need to be exact code, if you can clearly describe the process in bullets list, it should be ok.", "How to upload private POC repo for report exactly?\nA: Instructions in the docs: https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept", "I changed my address to receive rewards but still received it on my old wallet. Any reason why?\nA: We use the wallet address on file at the time that awards are calculated for an audit. So if it was a very recent change, then it likely just was made slightly after we'd started our calculations. 
If it wasn't a recent change in the last few days, recommend submitting a help request and we can look into further. Further info here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards. Submit a help request here: https://code4rena.com/help", "When a high has two duplicates, each report gets 4.5 shares excluding the best report bonus. But what happens when the second duplicate is marked as partial credit, how does the findingCount value change in that case?\nA: No answer provided.", "I have 2 questions as only 1 winning report for QA and Gas optimization is now shown in the final report. What happens if a person only finds one QA bug and his report is not chosen? Will the rewards be split for that 1 finding? What happens if the 1 finding is not in the final report selected will it still get a reward?\nA: No answer provided.", "I changed my address to receive rewards but still received it on my old wallet. Any reason why?\nA: We use the wallet address on file at the time that awards are calculated for an audit. So if it was a very recent change, then it likely just was made slightly after we'd started our calculations. If it wasn't a recent change in the last few days, you're recommended to submit a help request and we can look into further.", "When a high has two duplicates (1 original + 1 duplicate), each report gets 4.5 shares excluding the best report bonus. But what happens when the second duplicate is marked as partial credit (eg partial-50), how does the findingCount value change in that case?\nA: [No answer given]", "What happens if a person only finds one QA bug and his report is not chosen? Will the rewards be split for that 1 finding?\nA: [No answer given]", "What happens if the 1 finding is not in the final report selected will it still get a reward?\nA: [No answer given]", "I recently placed 3rd in the EigenLayer Contest. 
My Twitter handle was not properly tagged in the Twitter post about the ranking. I want to tag windowhan001 as windowhan, who do I talk to?\nA: Please create a help desk request asking that we add your Twitter handle.", "How do I get to the backstage please?\nA: Please do a help desk request.", "Is loss of rewards considered \"loss of assets\"? Is it a High or a Medium?\nA: Yes, it is considered a loss of assets. High or medium depends on whether there are external conditions, or attack difficulty. If you find one then just submit with your best judgement, normally judges don't get picky unless an obviously QA is submitted as High.", "Please how do I do a help desk request?\nA: You can do a help desk request at https://code4rena.com/help.", "Are judge payment, lookout/scout payment included in leaderboard ranking calculation?\nA: No, those particular awards aren't eligible for leaderboard standing.", "I've sent a gas optimization report for Ethos Reserve a while ago, the optimization is properly referenced in the report but my handle is not mentioned in it (and I didn't get a reward as well). I'm not entirely sure why that happened so I'm asking here.\nA: [No answer given]", "Does the submission preview support mermaid syntax? I am asking because I want to include a flowchart in an analysis report.\nA: [No answer given]", "Are judge payment and lookout/scout payment included in leaderboard ranking calculation?\nA: No, those particular awards aren't eligible for leaderboard standing.", "Why is my handle not mentioned in the gas optimization report for Ethos Reserve and why didn't I receive a reward?\nA: No answer provided.", "Does the submission preview support mermaid syntax? \nA: No answer provided.", "How are the rewards calculated in cases where there are partial credits?\nA: In a scenario where 2 \"Highs\" are found, each with 1 duplicate, the pie size is 10*0.9 = 9. Wardens share equally of 4.5. 
If 1 partial 50 and 1 full are found, the pie size is still 10*0.9 = 9, since 2 wardens found it. Then the full credit warden gets 6, partial gets 3.", "What do abstract contracts mean in repositories?\nA: Abstract contracts are meant to be extended. They have abstract functions and are not supposed to be used on their own. If you have an abstract contract A, you can't deploy A, but you can deploy contract B is A with the required functions completed. It's like a template contract that needs completion before usage.", "How does one initiate the verification process? Are there any regions that are disallowed?\nA: For the verification process, refer to the link: https://docs.code4rena.com/roles/certified-contributors. No information is provided on disallowed regions.", "Is there an article regarding the withdrawal field validation bug that occurred at a CEX?\nA: No answer provided.", "Is there a penalty for not well written reports?\nA: No answer provided.", "Will there be any penalty for incorrect submissions? For example, if GAS/QA contains a few invalid issues, would the whole report be declined, or just the score for it will be lowered?\nA: The score for an incorrect submission would be lowered, but if it's very similar to a bot report it may be further penalized.", "I fail to find the article regarding the withdrawal field validation bug that occurred at a CEX. Any help is appreciated.\nA: [No answer provided]", "How exactly does one initiate the verification process?\nA: For full information on the process, visit https://docs.code4rena.com/roles/certified-contributors.", "Are there any regions disallowed for verification?\nA: The detailed information can be found at https://docs.code4rena.com/roles/certified-contributors.", "Is there a penalty for not well written reports?\nA: [No answer provided]", "Will there be any penalty for incorrect submissions? 
For example, if GAS/QA contains a few invalid issues (but most of them would be valid), would the whole report be declined, or just the score for it will be lowered?\nA: The score would be lowered, but if the report is very similar to a bot report it may be further penalized.", "Should the issues reported by bot be included in the report? If, however, there is the same issue which bot reported, but the bot missed some instances, is it worth to include that in the report?\nA: Generally it\u2019s not worth to include instances of the same issue. You could use some known issue to build a more complex exploit but it\u2019s not a simple yes or no.", "When an audit ends, how much time does it usually take for the judges to review the findings? Would I see the score of my findings/get any feedback about my finding in the \"Findings\" tab? How many days/weeks after the audit the leaderboard for the audit will be created?\nA: The full process can be about 8 weeks; backstage wardens can generally see findings immediately upon audit close. More details can be found at https://docs.code4rena.com/roles/certified-contributors.", "Is the Code4arena website down?\nA: The team is aware of the issue and they're on it with a resolution.", "How can I look at others' finding for an audit that has been completed?\nA: You can check the C4 GitHub repo for completed audit findings.", "How can I view other's findings from the perspective of a backstage role?\nA: [No answer provided]", "Where can I see my submission in some contest?\nA: [No answer provided]", "When I click on my submitted Analysis Report, it shows nothing but a Risk rating * selection. Is this by design?\nA: Currently, the ability to edit the Analysis report type is not allowed.", "Where can I see my submission in some contest?\nA: [Answer not provided in chat]", "When I click on my submitted Analysis Report, it shows nothing but a Risk rating * selection. 
Is this by design?\nA: I will double check that but as of right now, we are not allowing the ability to edit the Analysis report type.", "Is the xETH - Mitigation Review Open for all the certificates users?\nA: Hi there. xETH Mit Rev. will be open to those who participated in the original Invitational audit.", "Recently discord allowed to change usernames and not have the #number part either. My original discord username, which is on my C4 account, and the handle I use on twitter and for C4 as my warden handle, are different. This was updated on your side correctly when I joined C4 as a warden, hence why my twitter handle appears in contest results, and not my original/old discord username. This is correct. But my discord username has been updated to reflect my twitter handle too. Referring to the main discord username, not my server specific username which is same as my twitter handle. Should I now update my new discord username on my C4 account as well? Or leave it as is? Dont want to cause issues with our github records and contest report submissions.\nA: Would you be so kind as to submit this question via the Help Desk? We need to put it in front of the right people on the developer team and it would be really helpful to have it in our Help system!", "I think I found a logic flaw in the smart contract, but I'm not skilled enough to write PoC for it. Would describing extensive description and the reasoning (why I think there's a flaw in code), without providing working PoC for actually exploiting it (it requires some edge cases for the exploit) be still evaluated as a valid issue? What would happen if my reasoning was, however, wrong and this is not a flaw? Would be any penalty for my other reports? I'm taking about medium-severe issue.\nA: Yes, you can submit with worded descriptions only.There is no penalty. As long as you're not outright submitting spams then you're ok.PoC is for proof, as its name implies. 
If you have a coded PoC that everyone can easily copy paste, then you've formally proven your claim. Having a PoC will also likely getting your report selected (which comes with a 30% bonus).", "How do I participate in invitational audits?\nA: [Answer not provided in chat]", "Did you need assistance?\nA: Would you mind creating a help desk request and outline the issue that you are seeing? https://code4rena.com/help", "How do I participate in invitational audits?\nA: You will need to be certified to see those opportunities. More info on certification here: https://docs.code4rena.com/roles/certified-contributors", "What does RSVP mean? \nA: We post about audit opportunities, RSVP is a way for you to signal your interest.", "How does evaluating Gas and QA report work? Do I need to report most of the low/gas optimizations to not get C? E.g. If I have limited time to spare on the audit and during that time I can spot one, maybe two gas optimization issues, is it worth to report them? Or will those reports always be evaluated as C - because it will contain only 1-2 issues? \nA: It does not matter the number of issues even if there is one good issue in your report it would be a grade B, and it can also be a grade C with 20 boring issues. I recommend you either send very creative findings that are high impact, or you refrain from sending common findings as Bot Races will take care of those.", "It's not possible for me to look at issues I just reported for llama contest in the website. What should I do?\nA: You need a +backstage role.", "How to get a backstage role?\nA: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "Has anyone got the link where all automated findings not accepted in the contests are listed? I can\u2019t find it anymore for the gas and non-critical.\nA: It's always in the Readme Page for each contest. Search for \"Known Findings\".", "How does evaluating Gas and QA report work? 
Do I need to report most of the low/gas optimizations to not get C? For instance, if I have limited time to spare on the audit and during that time I can spot one, maybe two gas optimization issues, is it worth to report them? Or will those reports always be evaluated as C because they contain only 1-2 issues?\nA: It does not matter the number of issues. Even if there is one good issue in your report, it would be a grade B. It can also be a grade C with 20 boring issues.", "I applied for +backstage last week, any progress?\nA: Doing a pass of backstage requests today and you're on my list, you should have updates shortly.", "I'm having trouble finding the link where all automated findings not accepted in the contests are listed. Can anyone help?\nA: It's always in the Readme Page for each contest. Search for \"Known Findings\".", "I thought there was already a sort of global list for automated findings not accepted in the contests. Is there one?\nA: It's always custom for each contest, so it's worth checking each time.", "Regarding the findings not accepted in the contests, it\u2019s based on the Bot Race right?\nA: Not all of them, sometimes the Sponsor adds details as well.", "To bridge (from polygon to ethereum) and later withdraw my USDCs on Coinbase, do I need both Matic and Eth (to pay for gas), only matic or neither of the two?\nA: You need both Eth and Matic if you use Polygon bridge. You need only Matic if you use Hop Bridge but you'll receive less USDC on Ethereum Mainnet.", "Discord's new update asks us to use our name without the discriminator. Will that affect the Warden role if I update?\nA: Just update your new Discord handle in your profile on the site and you should be all set.", "Are reports provided by wardens published later? Are they redacted (e.g. when there some incorrect English, if a warden is not a native English speaker)? 
Does the report contain user's email too, or it's always private?\nA:", "Changing username, would that affect the account registration as a Warden?\nA:", "Does Discord's new update, which asks us to use our name without the discriminator, affect the warden role if I update?\nA: Just update your new discord handle in your profile on the site and you should be all set.", "Are reports provided by wardens published later? Are they redacted (e.g. when there some incorrect English, if warden is not native English speaker)? Does the report contain user e-mail too, or it's always private?\nA:", "Will changing username affect the account registration as warden?\nA: [Link](https://discord.com/channels/810916927919620096/810931711609143326/1119321495987032144)", "If I have a low risk finding in QA and it have been judged and confirmed as medium risk from other wardens. What should I do in my part to make it upgraded to medium risk?\nA: The judge will upgrade it to a medium finding automatically (usually).", "What is post-judging QA and when is it?\nA:", "How can I see the bounties for different exploit types based on a contest?\nA:", "Will the audit of canto be in Go?\nA: Yes.", "How can I apply for private contests?\nA:", "Having changed discord id from clash#7111 to clashxx, what should I do?\nA: [Link](https://discord.com/channels/810916927919620096/810931711609143326/1119321495987032144)", "Is it possible to edit a submitted QA report?\nA: You should be able to edit any submission up until the audit deadline.", "How can I see my submissions?\nA:", "For which audit I can't see my submissions?\nA: Maia", "Do I need to be logged in to my C4 user account to see my submissions for the Maia audit?\nA: Yes.", "Is it possible to edit a submitted QA report?\nA: You should be able to edit any submission up until the audit deadline.", "There\u2019s a tab labelled \u201cYour Findings\u201d on the contest page. 
Why can't I see a list of my submissions?\nA: You may not be logged into your C4 user account.", "How can I get the \"leaderboard\" tag in my profile? I got Top5 in the eignerlayer contest and received the reward, but the ROLES didn't update.\nA: You should have the \"leaderboard\" tag now.", "What do I do about the issue I reported? Should I just send the link to the judge/lookout?\nA: No, the judge can see it just fine.", "I reported an issue and it does not show up in the Issues page and it seemed like it was missed by the lookout. What should I do?\nA: It's very strange - seems like a github problem but it's a little tricky to troubleshoot!", "I submitted my certified warden application about 3 weeks ago and still didn\u2019t get an email from Provenance. Is this the regular process or is there anything I should do?\nA: You should have received an email from Provenance. Check your spam folder and look for emails from @provenance.company.", "When providing a link to the code, how do I alter the github link to point to the exact lines of code I want?\nA: Clicking on the code line on the left tab will change the URL. You can hold SHIFT for capturing a range of lines.", "I didn't change my username, only the display username. Will this affect anything?\nA: (No answer provided)", "I have problems logging into my account. Can someone explain what to do?\nA: (No answer provided)", "When providing a link to the code, how do I alter the github link to point to the exact lines of code I want?\nA: Clicking on the code line on the left tab will change the URL. 
You can hold SHIFT for capturing a range of lines.", "If I changed only the display username and didn't change my username, will it affect anything?\nA: It should not affect anything, but it's recommended to confirm with the C4 staff.", "How can I login to my account?\nA: [No answer provided]", "In which cryptocurrency is the payment made?\nA: Payment is made in USDC on the polygon network.", "How can I link my Code4rena profile to my Twitter account?\nA: If you submit a help desk request with your warden name and Twitter URL, Code4Arena can add it for you. Use this link: https://code4rena.com/help.", "How can I get certified?\nA: You can get certified by following the guidelines available at this link: https://docs.code4rena.com/roles/certified-contributors.", "Can I join backstage after having the certified contributor role, 3 medium findings and 4 findings total, and having participated in the Stader Labs contest even if the results have not been published yet?\nA: You can apply to join backstage as soon as the results are published to the leaderboard. This usually happens very shortly after the awards are announced.", "Is there a date for the results to be published or is it just unknown for now?\nA: It depends on how long judging takes.", "Can I join backstage now or should I wait for the results to be published? \nA: You can apply as soon as the results are published to the leaderboard \u2013 this usually happens very shortly after the awards are announced.", "Is there a date for the results or just unknown for now?\nA: It will depend on how long judging takes.", "Will C4 be fine with Discord's new username system?\nA: Yes, you can update your discord name on the Account Management page of your warden profile. 
Your discord nickname should still remain as your registered C4 username.", "As a contestant of Llama, is it possible to be informed about the progress and schedule of the final report?\nA: [No answer provided]", "Can we submit a rust code base to C4rena?\nA: Yes, we've run audits with a Rust focus. We can connect you with the booking team to have a conversation.", "Is withdrawing a finding the same as canceling it?\nA: Yes", "What is the #\ud83d\udd06hm channel for?\nA: [No answer provided]", "If a bot finds a high or medium, will that high or medium be considered unique and share the total reward pool?\nA: No, it only gets bot pool reward based on bot race rank. Bots can only get more by bumping others to lower ranks, by having more points so that the rank cutoffs shift.", "Did anybody ever consider sending USD (fiat) to participants instead of USDC? Was this ever considered by the DAO/UNA? Is this feasible?\nA: [No answer provided]", "When auditing a codebase in a C$ contest, what is the best approach for raising 'Lookout' category of findings?\nA: Include them in your QA report with a detailed Medium finding format (impact/POC/mitigation etc), the judge will do the needful. It can be upgraded if the verdict of the judge says so.", "Did anybody ever consider sending USD (fiat) to participants instead of USDC? Some countries raise problems converting crypto to fiat.\nA: Yes, this was a consideration of the UNA. It may be possible at some point.", "When auditing a codebase in a C$ contest, what is the best approach for raising 'Lookout' category of findings?\nA: Include them in your QA report with a detailed Medium finding format (impact/POC/mitigation etc), the judge will do the needful. It can be upgraded if the verdict of the judge says so.", "If a function call will always revert but Assets are not at risk, is it considered as a High or a Medium?\nA: It depends on the context. 
If it's an EIP compliance issue or the project functionality totally breaks, it would be a medium. If it's a rare condition depending on rare conditions, it's more of a QA.", "What tools do you use to upload an image to the submit form via markdown?\nA: Upload it to your Gist. Submit your report with the gist link, then delete your gist.", "Can I DM one of C4 staff member?\nA: Yes, you can DM a C4 staff member.", "How will analysis awards be distributed?\nA: No answer provided.", "Is the issue of banks giving problems to convert crypto to fiat prevalent in India and Israel?\nA: No direct answer provided, but it is implied that this is an issue in both countries.", "How will analysis awards be distributed?\nA: [No answer provided]", "What is the biggest contest in C4 in terms of SLOC?\nA: [No answer provided]", "Do you mean upload images to gist? We can only add images as markdown right? Is there any other way?\nA: [No answer provided]", "How do I submit an image in the submission policy? Are there any tricks to doing this?\nA: You can use the syntax provided in the markdown guide to submit an image. Here is the link: https://www.markdownguide.org/basic-syntax/#images-1", "I tried uploading to Google drive and giving all permissions but it didn't work. Any other ideas?\nA: You could try to ensure your picture renders correctly in another place like GitHub and then submit it. It could be an issue with the Code4Arena site.", "When will the awards of the Stader labs contest be announced?\nA: [No answer provided]", "If the biggest contest in terms of SLOC is MAIADao, which one comes after it?\nA: You can look for the first opensea audit that was run. It might have been the first but it's hard to remember.", "After submitting a finding I found new evidence I want to add. Can I change something to a finding I made, like a medium finding? 
If not, is it possible just to resend the finding with an update in the title?\nA: If the audit is still open, you can edit your finding. On the contest page, click the button that says \"Your Findings\" to edit the correct one. If the audit has already closed, you won't have an opportunity to make an update.", "Is the contest over?\nA: [No answer provided]", "What are these emojis that are used for contracts out of scope. For example, in the Lybra finance repo, there are emojis next to certain files mentioned. Do they mean anything?\nA: You can hover over the emojis with your mouse to get a description.", "Is the contest over?\nA:", "After submitting a finding I found new evidence I want to add. Can I change something to a finding I made, eg a medium finding? If not, is it possible just to resend the finding with an Update in the title?\nA: If the audit is open, you can still edit the finding. On the contest page, you'll want to click the button that says Your Findings to edit the correct one. If the audit has already closed, you won't have an opportunity to make an update.", "What are these emojis that are used for contracts out of scope. For example, in Lybra finance repo, there are emojis next to certain files mentioned. Do they mean anything?\nA: Hover over them with your mouse for a description.", "Is there any penalty by setting incorrect severity of the issue? I'm not sure if my findings should be Low or Medium.\nA:", "How are QA reports evaluated? If report X has only 2-3 Low findings, while report Y has 5-6 Low findings, and both reports are graded \"A\" - would they receive the same award?\nA: Yes.", "Is there a bonus for each Low/N finding selected for report?\nA: Refer to this document for more details: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process", "According to that .cvs file, Low issues are ranked by uniqueness too. 
Is this true?\nA: That's old, it doesn't work like that anymore.", "If all A's get the same award, no matter how many Low findings there are - why should auditors bother to put more than one Low findings in QA?\nA: Judges look at both quantity and quality when judging QA reports. If a warden's QA submission only had 1 item, it would be pretty unlikely to receive a high grade. Especially if other wardens' QA submissions within that audit contained many high quality items in comparison. Refer to these documents for more details:\nhttps://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical\nhttps://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports", "What about overestimated issues? If I found Medium issue - and judges would evaluate it as Low instead, would that Low be transferred into my QA report?\nA: Judges have the ability to downgrade medium issues to QA and consider them alongside your QA report when grading. They also have the ability to upgrade items from your QA report if they feel severity should be higher and that your details are thorough enough. Both of these would be the judge's decision to make.", "If I'm not sure if my finding should be Low or Medium, should I report it as medium or as low?\nA:", "I want to get certified, but my proof of address is not verifying because I live in my parents house and I don\u2019t have utility bills on my name. Provided my national identity card but that didn\u2019t work. Can anybody here help?\nA:", "If my QA reports contain 1-2 incorrect findings, would that affect my QA grade?\nA:", "What about overestimated issues? If I found Medium issue - and judges would evaluate it as Low instead, would that Low be transferred into my QA report?\nA: Judges have the ability to downgrade medium issues to QA and consider them alongside your QA report when grading. 
They also have the ability to upgrade items from your QA report if they feel severity should be higher and that your details are thorough enough. Both of these would be the judge's decision to make.", "If I'm not sure if my finding should be Low or Medium, should I report it as medium or as low?\nA: [No answer provided]", "I want to get certified, but my proof of address is not verifying because I live in my parents house and I don\u2019t have utility bills on my name. Provided my national identity card but that didn\u2019t work. Can anybody here help?\nA: Might you have a bank statement? Also, have you tried asking Provenance for additional types of acceptable documentation?", "I have bank statement but haven\u2019t asked them about any other acceptable documentation, what should I do next?\nA: You should say that you have a bank statement or just send it to them and ask about the other types of documents.", "What about non-valid issues? If my QA reports would contain 1-2 incorrect findings, would that affect my QA grade?\nA: Your correct findings will get paid.", "What is #\u270brsvp about?\nA: The #\u270brsvp channel lets you see the upcoming public audits and raise your hand if you plan to participate in it.", "Is there any functionality to update profile picture in the new profile feature?\nA: Yes, to change your image, you'll want to create a help desk request and they'll process the PR. 
[Link](https://code4rena.com/help)", "Should I include new profile picture link in the description when I create a help desk request?\nA: [No answer provided, but redirected to another channel]", "Where can I report a bug in the new profile UI?\nA: It's sufficient to report it in #profile-help - the developers have visibility on that channel and are logging issues.", "For the new auditors profile, is there a problem if we use info about protocols we have audited on other bug bounty platforms to fill our profile?\nA: [No answer provided]", "Should I include new profile picture link in the description?\nA: I have a better idea - follow me to #profile-help.", "Where can I report a bug in the new profile UI?\nA: It's sufficient to report it in #profile-help - our devs have visibility on that channel and are logging issues.", "For the new auditors profile, is there a problem if we use info about protocols we have audited on other bug bounty platforms to fill our profile?\nA: Not at all - feel free to show off your best work across all platforms.", "Is there a set of moderators? I would like to moderate Russian chat, I have management experience, now I work with several projects.\nA:", "I want to start learning about smart contract vulnerabilities, can you recommend me list common vulnerabilities following your experience?\nA:", "How to set your profile photo on C4? I didn't find any button to do this.\nA: See #profile-help.", "Do you plan to include the blockswap contest in the leaderboard ranking anytime soon? With the new profiles functionality my ranking would be boosted up like 200 places.\nA: Will add to the list of feature requests.", "The #\u270brsvp says nouns dao is from July 3-10 but code4rena website says July 3-13.\nA: Thanks for the question! 
Nouns will run thru the 13th.", "How do I know that I'm certified or not?\nA: Click your name to see the assigned roles and you should have received an email from us.", "Why I am unable to participate in private contests as it says only allowed for certified members?\nA:", "The RSVP says Nouns DAO is from July 3-10 but the Code4rena website says July 3-13, which is correct?\nA: Nouns will run through the 13th.", "How do I know if I'm certified or not?\nA: Click your name to see the assigned roles and you should have received an email from us.", "Why am I unable to participate in private contests even though I have received an email from you, as it says only allowed for certified members?\nA: You'll want to look at the descriptions of the private audits in the certified channel. The qualifications will be described there. If you don't see a mit review in the list, it's because it's generally open to those who participated in the original audit.", "I sumbit the bug report, and then I got an email from C4 saying that Payment addresses updated for BPZ . Requestet done by myself. I have no idea of this & how this happened. Can you please discard this request?\nA: Closed it.", "I received an email about the updation of payment address even though I didn't do it. Can you please double check it?\nA: Closed.", "Why did I receive an email about the updation of payment address even though I didn't do it?\nA: I will ask the Builders to take a look this week.", "How does one get the OG Warden status on his profile?\nA: (No response given in the chat)", "Does the question form support markdown?\nA: Yes, it does support markdown.", "What do we submit for analysis awards, has it a separate report or mix with QA? 
If any reference in C4 docs, please share?\nA: For details, refer to the link: [https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118)", "How does one get the OG Warden status on his profile?\nA:", "Does the question form support markdown?\nA: Yes, the question form does support markdown.", "Can I know who's the judge/lookout before or during the contest?\nA: No, we don't disclose that in the interest of keeping the competitions as bias-free as possible.", "Can an issue be non-critical and also be included in gas optimizations?\nA:", "Regarding the upcoming contest, is 2 weeks enough time to go over the 12k sloc?\nA: It's been extended to 4 weeks.", "When will the stader labs contest results be announced?\nA: We are still in the judging process, so stay tuned for the announcement!", "Could you please tell an estimate like how many days or in next week?\nA: There's an estimated timeline in our docs that may be helpful: https://docs.code4rena.com/structure/our-process", "If I have a limited time for audit, and I've just spotted 1-2 Low and 1-2 Gas issues, is it worth to create report for them? Or, because of just 1-2 issues, they will always be graded as C?\nA: Mostly grading is determined by other reports, ie compared to other highly ranked reports yours might not cut it, your gas report has a very high likelihood of being a C.", "Will the contest of the bean money protocol be postponed?\nA: This is actually the Basin audit: https://code4rena.com/contests/2023-07-basin", "If I have a limited time for audit, and I've just spotted 1-2 Low and 1-2 Gas issues, is it worth to create a report for them? 
Or, because of just 1-2 issues, they will always be graded as C?\nA: Mostly grading is determined by other reports, ie compared to other highly ranked reports yours might not cut it, your gas report has a very high likelihood of being a C.", "Will the contest of the bean money protocol be postponed?\nA: This is actually the Basin audit: https://code4rena.com/contests/2023-07-basin", "I wish the old grading system were in use. It gave others a chance to report even a single Low/Gas issue. Now, is it not being worthy to focus on that?\nA:", "I'm having an issue submitting an analysis as a team, I keep getting an error regarding a saved polygon address. Is anyone else having this issue?\nA: Can you submit a help desk request with the analysis details, please? With team and the audit you're submitting for.", "Can I submit more than one high risk finding in the same audit?\nA: If the root causes are the same, they would be counted as one.", "In one audit when I submit one finding and afterwards try to send another high risk finding it says you already submitted high risk finding. Why is this?\nA: That's not the usual flow. Could you please submit a help request to the team here: https://code4rena.com/help", "In the leaderboard there is a new filtering option of \"Available for Hire\". How can I set me as \"Available for Hire\"?\nA: You must be a Certified warden to have that option. If you're already certified, you can add it via the profile editing screen.", "I received an email that I am certified but the \"Available for Hire\" option doesn't appears in my profile settings. What should I do?\nA: There are some manual steps on our end. We'll look into it.", "Does Uniswap TWAP really not usable in Arbitrium?\nA:", "Can someone define me how to run picodes analyser? 
I'm facing issue in what would come at base path, scope file and git url.\nA:", "If I accidentally copy & pasted too much info in the issue and I don't want that info to be publicly available - should I just edit an issue?\nA:", "I received an email that I am certified but this option doesn't appear in my profile settings?\nA: There are some manual steps on our end. We will look into it.", "Does Uniswap TWAP really not usable in Arbitrium?\nA:", "Can someone define me how to run picodes analyzer..facing issue in what would come at base path, scope file and git url?\nA:", "If I accidentally copy & pasted too much info in the issue and I don't want that info to be publicly available, should I just edit an issue?\nA: Yes, it's suggested to edit the issue.", "Wouldn't the initial (pre-edited) issue still be publicly available for everyone?\nA: It may be in the edit history but that would also be the case for a withdrawn issue.", "Will a withdrawn issue also be in GitHub history?\nA: Yes, they just get marked as withdrawn and are closed.", "Is there a way to undo an already submitted issue so it won't be published?\nA: If you feel it's a security risk to have the contents made public, it's suggested to submit a Help Desk request and make your case.", "I just made some grammar typos which I'm ashamed of and hoped no one would have seen it - even after the edit in the submission history, should I do anything?\nA: It's OK to leave it. 
We try hard to create a learning environment for everyone, and that includes iterating on spelling and grammar.", "Does sponsor A's decision affect B's decision?\nA: No, each sponsor's decision is independent.", "I didn't understand that all the low/NC issues were to go in only one QA report, Is it possible to cancel the one I submitted to create another with all my issues?\nA: You can withdraw your findings under \"your findings\" on the contest page.", "What is Bot Race?\nA:", "Does sponsor A's decision affect B's decision?\nA: No, sponsor A's decision does not affect B's decision.", "I didn't understand that all the low/NC issues were to go in only one QA report, Is it possible to cancel the one I submitted to create another with all my issues?\nA: You can withdraw your findings under \"your findings\" on the contest page.", "What is Bot Race?\nA:", "I am competing in my first contest/audit tomorrow, and I am wondering on how to submit findings, is it by using the submit report form or by creating an issue directly on the github repo? 
What's the best and easiest option for a beginner?\nA: There is a form on the website for each contest.", "Where could I see post mortems?\nA: Post mortems can be found on our YT channel: https://www.youtube.com/@code4rena and more will be announced on #\ud83d\udce2announcements.", "If we are mistaken in a finding or if it's wrong, are we sanctionned or something like that?\nA:", "Can we edit or resubmit an analysis Report?\nA: Not at the moment, however, this functionality will be added in the future.", "Maybe we add an update to the analysis report as a medium finding?\nA: It's preferred that you submit a help desk request and staff can add the changes as a comment on the Analysis.", "How can we participate in judging and gain access to backstage (after audit closes/before final report is submitted)?\nA: You can find information on gaining backstage access here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "This is for the Maia contest which is ending in a few hours. 
Please assist?\nA:", "Can we add an update to the analysis report as a medium finding?\nA: It would be preferred if you submit a help desk request and staff can add the changes as a comment on the Analysis.", "How can we participate in judging and gain access to backstage (after audit closes / before final report is submitted)?\nA: You can gain backstage access by following the information provided in this link: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "Can you assist with the Maia contest which is ending in a few hours because the issue hasn't been resolved yet?\nA: The issue is currently being looked into.", "What can be done when the text for the help desk request is more than the textbox on the site allows?\nA: You can provide the help desk request by linking a gist.", "Should a receipt be received by email when a gist has been linked for a help desk request?\nA: Your help desk request has been received, receipt by email may not be necessary.", "If I have many ideas about gas optimizations, how do I write them all in a single report?\nA: Write each finding separately and merge them into one report.", "For a bot in bot-racing, is the main thing the presence of unique vulnerabilities or their number, and will accuracy (no false positives) be an advantage or is it not evaluated?\nA: This question was not answered in the chat.", "Can the analysis report for the Maia contest be created now?\nA: The issue is being looked into and direct messaging will be used to resolve the situation.", "Is it fine to post a Notion link for the Analysis report during the submission process?\nA: This question was not answered in the chat.", "Can you see that you if you're able to create the analysis report now?\nA: Nope. 
Still getting an error regarding not having a polygon address saved.", "Is it fine to post a Notion link for the Analysis report during the submission process?\nA: I can confirm but is that supplemental to the information you plan to add to the actual analysis report?", "Is the notion link the analysis report - will it be available to those who have the link without any issue?\nA: My concern is that your notion doc can be edited after the analysis report is closed which could create an unfair advantage.", "For the analysis report, what's Mechanism review? Any insights on that?\nA: If you have expertise in mechanism and incentive design and/or how that might be gamed/abused, it's relevant, but if that isn't an area of expertise, no need to force it.", "Can someone link resources to where I can find more info about this? It seems like a view function returning 0 is the same as a revert?\nA:", "Are the analysis reports published publicly at some point? Just to know the visibility of it. Is it only for judges and sponsor?\nA: Should be all public when issues are made public.", "Sometimes there is a point where it fits two categories for example mechanism and architecture. Where to put it under? I'm assuming it is okay to put it under any of the two?\nA: Yes, for sure. Put it where it makes sense to you. You can even feel free to add other headings if you like.", "I wasn't able to submit the rest of my findings for MaiaDAO contest before contest deadline due to power cut in my city. Where can I submit/email my findings to asap please?\nA: Very sorry to hear this. Unfortunately, we can't accept late submissions at all, per our docs here: https://docs.code4rena.com/roles/wardens/submission-policy#late-submissions.", "Can I add other headings in my work?\nA: Yes, for sure. Put it where it makes sense to you. 
You can even add other headings if you like.", "Where can I submit my findings for the MaiaDAO contest if I missed the deadline due to a power cut?\nA: Unfortunately, we can't accept late submissions at all, please refer to our submission policy here: https://docs.code4rena.com/roles/wardens/submission-policy#late-submissions.", "Do you accept submissions with a timestamp prior to contest close?\nA: It seems like an unlikely scenario but it would be a possible solution.", "Are there any results or news from the BASE contest?\nA: The chat doesn't provide an answer for this question.", "Is codeArena prepared for a potential downfall of USDC? How so?\nA: We have weathered several stablecoin crises and just made swaps as we saw things shape up. There is no present risk to USDC though. If it looks to be going south, we would make a swap.", "I'm unable to log into my c4 account. What should I do?\nA: The chat doesn't provide an answer for this question.", "If USDC goes down is CodeArena prepared for that and how so?\nA: CodeArena has weathered several stablecoin crises and just made swaps as they saw things shape up. If it looks to be going south, they would swap.", "I'm unable to log into my CodeArena account, even though I have the correct username and password. What can I do to recover my account? \nA: This issue should be moved into #auth-help to get the right people looking into it.", "What tool does the team use to calculate LOC?\nA: The team uses 'cloc' to calculate LOC.", "When can we expect bot registration to be open?\nA: Bot registration is opened every couple of weeks. Keep an eye out on the #\u270brsvp channel for the next one.", "Is there any issue with approval race protections going back to zero? 
[https://github.com/d-xo/weird-erc20#approval-race-protections]\nA: No, there is no issue if approval race protections always goes back to zero.", "How can I change my twitter url in the portal?\nA: You can create a help desk request with the handle and CodeArena will update it for you. [https://code4rena.com/help]", "I can't edit the analysis report. Is this expected behavior?\nA: Yes, you can create a help desk request including a secret gist and they will add it to the comments of your analysis report. This needs to be done before the audit closes.", "How to find my findings in the github repo. I tried by searching my username and the vulnerability title but couldn't find it. Can anyone help me?\nA: You need to search for your handle.", "I can't edit the analysis report. Is this expected behavior?\nA: Yes, you can create a help desk request including a secret gist and we'll add it to the comments of your analysis report. We'll need it before the audit closes.", "How to find my findings in github repo. I tried find my reported vulns in ajna finding. I tried by searching my username, Tried by searching vulnerability title, not found. How can I find it? It has 500+ reported vulns it will be hectic to open each report one by one. Can anyone help me?\nA: Search for your handle.", "I can't find my findings even after searching for my handle. Are you sure you submitted for Ajna?\nA: I don't see anything for you. You can dm me a screen of one of the confirmations.", "I currently can't connect to the code arena website using wallet connect. I keep getting connection failed on both rainbow wallet and family wallet. 
Any suggestions?\nA: Can you paste this into the #auth-help channel and one of us can take a look in a bit?", "Can issues be modified after submitted?\nA: Yes, if the contest is not ended, you can modify the issue as many times as you want.", "If I spot some potential (high) issue, but unfortunately, I don't have time to write a PoC for it or examine it more, is it worth to report it? Would be any penalty for wrong submissions (I'm 75% sure there's a high-risk issue, but don't have time to finish the PoC/examine it more). Should I mark it as \"potential\" in the title/description?\nA:", "It seems the issues are never submitted to GitHub at all.\nA: To edit findings while an audit is still open, please go to the contest page and click the Your Findings button.", "I wonder why Basin and PoolTogether contests are both 7 day long, one of them has 1100 sloc while other 3300?\nA: Is there concern or just curiosity?", "I'm concerned because I don't think I will be able to attend both. But yeah mainly curiosity other than that.\nA: Do what you can!", "How can I edit findings while an audit is still open?\nA: To edit findings while an audit is still open, please go to the contest page and click the Your Findings button.", "Why are Basin and PoolTogether contests both 7 days long, even though one of them has 1100 sloc while other 3300?\nA: No specific answer provided.", "Where do low findings go towards? To HM awards pool or to QA awards pool?\nA: You can find more details at https://docs.code4rena.com/roles/wardens.", "If we put our severity as medium can C4 update it to a high incase if we got the severity wrong? Since they can decrease from high to medium.\nA: Yes, judges will usually do it.", "Who can edit the C4 profile? Like, I can't see anywhere to edit my warden profile.\nA: No specific answer provided.", "I cannot access to the Nouns DAO protocol files, i.e., the source code. 
What should I do?\nA: No specific answer provided.", "How do I get certified?\nA: You can apply for certification at https://code4rena.com/certified-contributor-application.", "Can I see my committed QA reports somewhere for contests that are closed already?\nA: No specific answer provided.", "What\u2019s OG Warden?\nA: No specific answer provided.", "How do I get certified?\nA: You can apply for certification at https://code4rena.com/certified-contributor-application.", "Can I see my committed QA reports somewhere for contests that are closed already?\nA: [No answer provided]", "What\u2019s OG Warden?\nA: OG Warden is just a badge on the website for wardens that started a while ago.", "I just submitted my first finding and I'm wondering how to submit an analysis, do I select QA as the type? Do you get notified after the contest for it or something?\nA: [No answer provided]", "My application got approved from provenance, how much time will it take to complete my certification process?\nA: The status update usually takes a few days and you'll receive an email once the update is complete.", "How do you edit your profile? Like change the pic, set the hire status, or change your rank?\nA: [No answer provided]", "Is there a mechanism to edit the writing of a submission after the contest has ended?\nA: No, there is no mechanism to edit the writing of a submission after the contest has ended.", "Who can edit the C4 profile? I can't see anywhere to edit my warden profile.\nA: Currently, those wardens who were certified when warden profiles were rolled out are able to edit their profiles. More information will be provided when additional certified wardens will also gain the ability.", "When are the next bot qualifiers?\nA: [No answer provided]", "What\u2019s OG Warden?\nA: OG Warden is just a badge on the website for wardens that started a while ago, the specific start date wasn't mentioned.", "Who can edit the C4 profile? 
Specifically, I can't see anywhere to edit my warden profile.\nA: At this time, those wardens who were certified when warden profiles were rolled out are currently able to edit their profiles. It will be confirmed when additional certified wardens can also gain the ability.", "When are the next bot qualifiers?\nA: The next bot qualifiers usually run every few weeks. Updates will be posted in the #\u270brsvp channel.", "Can I join backstage now that Canto Jun 20 results have been published and I have submitted a few findings?\nA: If you meet +backstage qualifications based on contest results that have now been published, please submit a help desk request. Here is the link for more information: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "What is the intention of \"Submit Analysis Report\"?\nA: You can find more information about submitting an analysis report here: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118", "How can I talk to be whitelisted in the C4 event in Paris?\nA: You can directly message the team to inquire about getting whitelisted for the C4 event in Paris.", "Is it still not possible to edit analysis submissions?\nA: Currently, it is not possible to edit analysis submissions. This feature might be supported in the future.", "What are some tips to advance skills in auditing smart contracts and spotting high & critical issues?\nA: Keep going, don\u2019t stop. Keep reading reports, keep auditing codebases even if your findings are invalidated and don't give up. Hard work always pays off in the end. The more you understand a protocol, the easier it gets.", "What's an average ratio of incorrect submissions? By incorrect submissions I mean submissions which are wrong (does not work, assume something wrong, etc.)\nA: This question was not answered in the chat.", "Is it still not possible to edit analysis submissions?\nA: Currently, it's not possible to edit analysis submissions. 
This feature may be supported in the future.", "What tips do you have to advance your skills and get to the top in the field of auditing smart contracts?\nA: Keep going, don\u2019t stop. There\u2019s no secrets, keep reading reports, keep auditing codebases even if your findings are invalidated and just don\u2019t give up. Hard work always pays off in the end.", "What's the average ratio of incorrect submissions?\nA: This information is not provided in the chat.", "Where can I see analysis findings that are live?\nA: You can filter for analysis in the findings repo of recent contests. Also, starting from Maia, you'll begin to see analysis examples.", "How to get a backstage role?\nA: If you believe you qualify for backstage access based on audits where awards have already been announced, you can create a help desk request asking to grant access. Find more information [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens) and make a request [here](https://code4rena.com/help).", "In mitigation review, are the top three auditors still paid if no issues are found?\nA: This information is not provided in the chat.", "How to fully understand a report without having an overall understanding of its codebase? Any suggestions?\nA: There's no easy way, just participate in contests. 
You can also analyze what types of bugs are generally considered high and unique to gain a better understanding.", "If I submitted two reports that the underlying issue is quite similar and one is marked as a duplicate of the other, would this affect the payout compared to if only one of the two is awarded?\nA: This information is not provided in the chat.", "What are bot races?\nA: You can find more information about bot races [here](https://code4rena.com/register/bot).", "What are bot races?\nA: Bot races can be found at https://code4rena.com/register/bot", "Many successful auditors lay emphasis on reading past audit reports which I understand well, but I'm finding it a bit doubtful on how to fully understand a report without having an overall understanding of its codebase? Any suggestions?\nA: You can analyze what types of bugs are generally considered high, tends to unique. Also, participating in contests can help.", "Where can I find my submitted reports even invalid issues?\nA: Submitted reports can be found in your email.", "How exactly can we escalate a report? Just writing a comment and waiting for judges response?\nA: There's a post judging QA period where you can comment on the judges decisions, only available for backstage.", "What about when judges marked an issue as satisfactory but the sponsor marks it as Sponsor Disputed? Are we allowed to comment in those cases?\nA: Not Answered.", "Are there any instances of projects that are live on chain and at the same time being audited on C4?\nA: Not Answered.", "Do I need to write an exploit for medium severity bugs?\nA: You should explain the issue. 
How you are going to do this is your choice, there are no strict requirements.", "How do projects have so much money to build?\nA: Not Answered.", "When is the next bot qualifier race?\nA: Not Answered.", "If I submit a finding as a low in QA report, but the judges determine that its a medium will it be eligible for medium rewards?\nA: Refer to https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum", "When is the next bot qualifier race?\nA: [Answer not found in chat]", "If I submit a finding as a low in QA report, but the judges determine that its a medium will it be eligible for medium rewards?\nA: Yes, if the issue submitted by the warden as part of their QA report is determined to be of a higher severity by the judges, it will be eligible for the reward of that higher severity. Details can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).", "Where can I find Code4 severity ranking?\nA: You can find the Code4 severity ranking [here](https://docs.code4rena.com/awarding/judging-criteria/severity-categorization).", "Has C4 ever revised payment amount (increase, decrease) after payout?\nA: [Answer not found in chat]", "Is the current bot advanced enough to capture the issue such as division before multiplication and loss of precision because of the division?\nA: [Answer not found in chat]", "If a bot race report has a low vulnerability with 2 instances, but there are more than 2 should I add it to QA report?\nA: Yes, you should add it to the QA report if there are more instances of the vulnerability.", "How is the base contest result going?\nA: [Answer not found in chat]", "I want to check my Findings for Tapioca DAO to make some edits, but I see this error Oops! Something went wrong. 
What should I do?\nA: [Answer not found in chat]", "If a bot race report has a low vulnerability with 2 instances, but there are more than 2 should I add it to QA report?\nA: You should go for it.", "How is the base contest result going?\nA: We had a small delay in Base results. Should have it ready soon.", "When I want to check my Findings for Tapioca DAO to make some edits, I see an error. How can I fix this?\nA: This was tested but we didn't get an error in this case.", "What path did you take to edit your existing findings?\nA: The path is https://code4arena.com/contests/2023-07-tapioca-dao#top, Your Findings tab, but there is an error saying: Oops! Something went wrong.", "You're saying that you went through the contest page to the Your Findings button and got the error when you clicked the button?\nA: Yes, the error reads: \"Oops! Something went wrong.\"", "Ok, I can try to test it out but would need about an hour to circle back. Are you able to hold for now?\nA: Yes.", "Thanks so much for holding. This was tested but we didn't get an error in this case. Is it working for you now?\nA: Thanks. I just tested it now and it is ok.", "Is there a website link for amphora protocol?\nA: Yes, there is. Here is the link: https://code4rena.com/contests/2023-07-amphora-protocol#top", "I meant in the rsvp channel there\u2019s no link to their website, is this a mistake?\nA: [No Answer]", "When is the next bot qualifier race?\nA: Stay tuned to the #\u270brsvp channel.", "Backstage requirement, can 2 medium be acceptable? 3 medium and A qa/gas doesn\u2019t seem equal.\nA: [No Answer]", "What is the HM page?\nA: HM might mean high medium.", "So if one says HM it means they are in that club?\nA: [No Answer]", "On c4 if a finding is valid but severity is not correct, does it get automatically reaffected? For example, a high finding report becomes a valid low?\nA: [No Answer]", "I think they meant the discord channel. 
Which makes me wonder- do folks post there submitted or confirmed hms?\nA: [No Answer]", "Is base contest the first contest?\nA: It happened once before during last year.", "On c4 if a finding is valid but severity is not correct, does it get automatically reaffected? For example a high finding report becomes a valid low?\nA:", "Do folks post there submitted or confirmed hms in the discord channel?\nA: Hm channel is just like gm channel.", "api.code4rena.com is returning a 500, what should I do?\nA: Try to log out and log back in.", "Is there a doc about API?\nA: It\u2019s for internal use only at the moment, though we do expose some stuff for judges.", "What's the process to report vulns impacting C4's webapp?\nA: For now, direct message @EvilPacket. Also, please send the issue to security@code4rena.com that will get to the security team and into the triage queue.", "Is there a bonus for the best analysis? (e.g. akin to selected for report)\nA:", "I am not able to create bot team, what should I do?\nA: You'd register your bot during the qualifier.", "Did opensea launch new feature \u201cdeals\u201d?\nA:", "When is next bot qualifier race?\nA: The qualifier is posted.", "What's the process to report vulns impacting C4's webapp?\nA: For now, dm @EvilPacket. Or you can send the issue to security@code4rena.com that will get into the triage queue.", "Is there a bonus for the best analysis? (e.g. akin to selected for report)\nA: Yes, there is a 30% bonus for best advanced analysis report.", "I am not able to create a bot team, what do I do?\nA: You'd register your bot during the qualifier.", "So I need to exit the current team and create a new one?\nA: If you're in an already established bot crew, it's different from a team that you're in.", "Does bot crew have to be KYCed?\nA: They will need to be KYCed to receive payments for some audits, but not all.", "Let's take a simple example of transfer vs safeTransfer. 
Say an audited protocol has this issue in 5 different places in its code. Do I write 5 different reports or it is a single report with all 5 occurrences of the same issue?\nA: It should be one report with all issues and if a single issue has multiple instances you mention the number of instances and permalinks to each of them.", "What happens if you have a few meds/lows and they chain to a high? Do you skip the med/lows and only write the high in the report or do you include them all?\nA: You should write both but put the most effort into the High Severity, the rest are bonus.", "I'm unable to login on the C4 website could it be down? or perhaps too busy rn?\nA: (No answer provided)", "Why does the #arcade-jul21 contest have 2000 sloc mentioned in #\u270brsvp but below 1000 on the contest page?\nA: (No answer provided)", "Is it possible to change my username?\nA: (No answer provided)", "Why does the #arcade-jul21 contest have 2000 sloc mentioned in #\u270brsvp but below 1000 on contest page?\nA: [Answer not provided in chat log]", "If an audited protocol has the same issue in 5 different places in its code, do I write 5 different reports or is it a single report with all 5 occurrences of the same issue?\nA: It's a single report.", "What happens if you have a few medium/low severity issues and they chain to a high severity issue, do you skip the medium/low severity issues and only write the high severity issue in the report or do you include them all?\nA: Include both but put the most effort into the High Severity issue.", "Is it possible to change my username?\nA: [Answer not provided in chat log]", "Once I registered a team I still don't see it on my profile, what do I have to do?\nA: [Answer not provided in chat log]", "If something found in an automated finding can lead to a high severity finding, should I submit this as merely informational (since it's technically not in the contract) or consider it a low/medium?\nA: Submit it, and let a judge weigh in on how 
they\u2019d see it. It's probably worth submitting as an isolated issue separate from QA so it gets clocked.", "When we submit a \"Proof of Concept\" with GitHub, do we need to make the repo public? Could this be a risk to the project (if the anyone can see the repo, then the vulnerability is exposed to the public)?\nA: Just use a private gist.", "How do I describe what I see when 'it's down'?\nA: [Answer not provided in chat log]", "How to change code4arena profile picture?\nA: [Answer not provided in chat log]", "Is anybody having issues logging into Code Arena with Metamask wallet?\nA: [Answer not provided in chat log]", "Where could we apply again for the Bot Race?\nA: Apply here: https://discord.com/channels/810916927919620096/1093914558776758403/1132679460437639248", "How to change code4rena profile picture?\nA: You can submit a help desk request with a link to the picture: https://code4rena.com/help", "Is anybody having issues logging into code arena with Metamask wallet?\nA: [No answer provided]", "Where could we apply again for the Bot Race?\nA: You can apply on Discord: https://discord.com/channels/810916927919620096/1093914558776758403/1132679460437639248", "Is there a dashboard to check all the reports that I already submitted during the competition? Or is the confirmation just the confirmation page after hitting the submit button?\nA: The confirmation page after hitting the submit button is the only confirmation. However, you will also receive an email confirmation.", "What is RSVP in case of invitation contest, how to apply for those?\nA: Some spots for the invitation contest are filled based on sponsor request. 
The remaining spots are chosen based on who RSVP'ed and their 90-day leaderboard ranking.", "What is the process of submitting issues found in out of scope contracts?\nA: [No answer provided]", "Is there any problem in the C4 website?\nA: [No answer provided]", "If automated tools reported vulnerabilities, why do people still want to get their smart contract audited?\nA: [No answer provided]", "I am getting the following error when trying to look at any/all of my findings on code4rena: Oops! Something went wrong. Cannot read properties of undefined (reading 'name'). Is this across multiple audits or one in particular?\nA: The issue seems to occur across multiple audits. The developers are looking into it.", "When will the Base reward be sent?\nA: [No answer provided]", "Can you try to view findings now?\nA: [No answer provided]", "I am getting the following error when trying to look at any/all of my findings on code4rena: Oops! Something went wrong. Cannot read properties of undefined (reading 'name'). Is this across multiple audits or one in particular?\nA: This error is happening across multiple audits.", "Can you try to view findings now?\nA: Yes, all good now.", "When will you send Base reward?\nA:", "Does anyone use some sort of graphical interface to see how their smart contracts interact with each other? I installed Surya, but it seems to have been deprecated and is no longer up to date given the latest Solidity upgrades. Anyone use something similar?\nA:", "Should we assume the automated findings will be fixed? I.e if the proposed mitigation to the automated finding introduces a bug (that isn't there without the fix), should we report it or not?\nA: If someone proposes the wrong fix for an issue in the chat, you wouldn't be able to submit that as a bug. 
The situation with bot mitigations is no different.", "Does my Proof of Concept (PoC) need to be a piece of code or can I explain it in plain English?\nA: Either approach works.", "Can you explain to me why only a prime number is taken here for taking the mod of in the formula for elliptical curve cryptography (y\u00b2 mod p = (x\u00b3 + ax + b) mod p)?\nA: It is a fact from number theory that modulo of a prime number outputs a more normal distribution than modulo of a composite number.", "So are you saying that the mod taken by a prime number will resemble a bell curve?\nA: No, not a bell curve. All the return numbers will have pretty similar chances independently of the input number.", "My application to be a warden was \"closed due to inactive for 2 days\". What does this mean? I verified my account.\nA:", "How can I include replaced lines in my submission, like in the image?\nA:", "You are referring that the mod taken by prime number will resemble a bell curve?\nA: No, not a bell curve. All the return numbers will have pretty similar chances independently of the input number.", "My application to be a warden was \"closed due to inactive for 2 days\". What does this mean? I verified my account.\nA: [No answer provided]", "How can I include replaced lines in my submission, like in the image?\nA: You can do it using diff on Linux or any diff tool.", "I have been granted as backstage+ access, but when I tried to visit https://github.com/code-423n4/2023-07-axelar-findings, it said 404. My GitHub username is QiuhaoLi, could you help to check out?\nA: I've re-sent your invite. Let me know if it works!", "I just accepted the invite and became a member, but still the axelar findings page shows 404. What link are you using?\nA: https://github.com/code-423n4/2023-07-axelar-findings", "It seems to be an account issue, you're not appearing in our list of Backstage Wardens, and Axelar is accessible to Backstage wardens now. 
Can you double check you are in our Backstage group?\nA: Yes, I am in the \"backstage\" group on this Discord server.", "When will we receive the audited reports that are validated by judges? Is it in 2-3 months time?\nA: Timing is running about 4 - 6 weeks.", "I have trouble submitting report, it says \"API rate limit exceeded for user ID 81770958.\"\nA: [No specific solution provided, but later user remarks \"Worked now\"]", "I don't have access to the findings repo too! Could you please check if I am added to the backstage group in GitHub?\nA: [No answer provided]", "I have an error submitting issue for Arcade contest: API rate limit exceeded for user ID 81770958.\nA: [No answer provided]", "I have trouble submitting report, it says \"API rate limit exceeded for user ID 81770958.\" \nA:", "Can you double check you are in our Backstage group?\nA:", "I have an error submitting issue for Arcade contest: API rate limit exceeded for user ID 81770958. Can you try again? \nA: Worked, thanks", "Hi, are the projects in audit contests yet to be deployed or have they been deployed already?\nA: C4 audit contests are the projects that are yet to be deployed. And already deployed projects generally posts their bug bounty on Immunefi", "If I updated my username on Discord, will this impact my Code4Arena account since I used my old username when I registered?\nA:", "I'm looking through the findings of one of the finished contests for my education. And I see an issue where a warden showed that he discussed something with a sponsor and the sponsor said: Yes, it would be a better way for implementation. Will it be valid according to the rules or we audit the code and the workflow of a project as it is in the contest? I mean where is the difference between advice and a valid issue?\nA:", "How to check for qualifier results for bot race?\nA:", "My application to be a warden was \"closed due to inactive for 2 days\". What does this mean?\nA: I'm confused. 
Did you re-register under a new name?", "I wanted to change my username but was told I should make another account. Is this correct?\nA: Ok, we wouldn't know you as your other username since we can only see you as Oxbranded. You'll need to update your discord nickname to that other handle. Also, hopefully we explained that your status(es) wouldn't carry over to the new account.", "How to check for qualifier results for bot race?\nA:", "My application to be a warden was \"closed due to inactive for 2 days\". What does this mean?\nA:", "Did you re-register under a new name?\nA: I wanted to change my username but was told I should make another account.", "Will I be able to reapply for certified status after changing my account?\nA: Yes to certified. Please also pop in the designated channel for further assistance.", "How are the results for bot qualifiers announced?\nA: We will get these announced sometime in the next week.", "Is there an issue with the service?\nA:", "Are the upcoming contests not updated on specific channels yet?\nA: Thanks for the ping, it's posted now!", "How can I link a separate submission during submitting an issue?\nA: For example you can refer its number. On page \"your findings\" you can click on issue and see its number in url.", "If the bot race finds an issue but there's another instance of that issue not picked up by the bots, is this a valid issue to submit?\nA: It depends on the judge, but it is best that you're explicit about it being missed by the bot in your submission.", "It's the same issue just slightly harder to see, is this valid then?\nA:", "How can I link a separate submission during submitting an issue?\nA: You can refer to its number. 
On page \"your findings\", you can click on issue and see its number in the URL.", "If the bot race finds an issue but there's another instance of that issue not picked up by the bots, is this a valid issue to submit?\nA: It depends on the judge, but it is best that you're explicit about it being missed by the bot in your submission.", "It's the same issue just slightly harder to see, is this valid then?\nA: It might be.", "Who should I ask about why my report was graded as B (instead of A)?\nA: It's a relative score compared to other reports, which means that others submitted more findings.", "How can I get backstage access?\nA: You can get backstage access here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "What is the requirement to get leaderboard role?\nA: If you've placed on the leaderboard, you get the leaderboard role.", "Can I opt to different payment channel other than crypto since my country recently banned crypto once again and is blocking the bank accounts linked with crypto in any way?\nA: There are ways you can exchange it without the bank noticing its \"coming from crypto\". One of the possible ways is using Revolut.", "Can someone opt to a different payment channel than crypto since my country recently banned crypto and is blocking the bank accounts linked with crypto?\nA: You can exchange the crypto without the bank noticing it's \"coming from crypto\". Also, you may have access to Revolut and ZEN, both are crypto-friendly. Lastly, as a last resort, you can look into Binance P2P.", "I recently saw a post that Revolut can freeze accounts and never return the money. Is this true?\nA: Some people have used Revolut for various transactions without any issues. 
However, it's always essential to do your research and make the decision that is best for you.", "If the issue I found in a codebase is in the same category as the bot report, but the instance is not included in the bot report, is this a valid finding?\nA: Yes, it's a valid finding. You can include it in your report, just make it clear to the judge that the finding is related to a bot finding.", "If you see the \"same\" type of issue appearing in multiple different places in the code, should they be batched together and sent in as 1 issue or should they be sent as separate issues?\nA: Reference was given to a link, however the link's content is not provided in the chat.", "What should I do when I can't decide whether to put a finding in medium or high? Is there any consequences for wrongly marking the risk rating?\nA: You should review the guidelines again, look for how similar issues might have been judged in the past, and make the best and clearest case you can.", "Is a Proof of Concept (POC) enough that does not show every step in code - some parts in bullet points? Or do you expect a full coded POC?\nA: The answer to this question is not provided in the chat.", "What should I do when I can't decide whether to put a finding in medium or high? Is there any consequences for wrongly marking the risk rating?\nA: Review the guidelines again, look for how similar issues might have been judged in the past, make the best and clearest case you can.", "Is a POC enough that does not show every step in code - some parts in bullet points? Or do you expect a full coded POC?\nA:", "I got the same error when trying to submit to arcade. API rate limit exceeded for user ID 81770958. 
Any ideas?\nA:", "What if the error still occurs until the deadline?\nA:", "Can someone explain to me which topics of web2 security apply to web3 security also?\nA: You can pwn a eth node with Linux kernel 0days and RCE on the node.", "Can we host more web2 whitebox audits?\nA:", "Can host more web2 whitebox audit?\nA:", "What if the error still occurs until the deadline?\nA:", "Can someone explain to me which topics of web2 security apply to web3 security also?\nA: You can pwn a eth node with Linux kernel 0days and RCE on the node.", "But speaking of smart contracts?\nA: Seriously, actually the reentrancy happens in web2.", "Which topics should we learn? I know like DDOS attacks can disable a system in both web2 and web3. What other topics are important?\nA: [https://www.blackhat.com/asia-22/briefings/schedule/index.html#hunting-and-exploiting-recursive-mmio-flaws-in-qemukvm-25484](https://www.blackhat.com/asia-22/briefings/schedule/index.html#hunting-and-exploiting-recursive-mmio-flaws-in-qemukvm-25484)", "Should I learn web2 security practically (in code), or should I just know how each attack works? For example, should I know how DDOS attack works in a web2 codebase, or should I just know different type of DDOS attacks, how it happens etc and then just learn these attacks practically in web3?\nA: I am a newbie in web3, but as a cyber security B.S/M.S and security engineer in web2 now, some web2 security experience helps me.", "Can submit now?\nA: Submission issues should be resolved.", "How important is it to have web2 security background? Should I dive deep into web2 security, or should I just have general knowledge?\nA: Don't have web2 experience, but from my point of view they have only mindset in common. Most of the cases in web2 are black box, in web3 it's always white box.", "When I was submitting my analysis on code4rena, an error appeared, so I sent the document again. Now, I see two analyses in my findings. 
How can I remove the extra analysis because it doesn't appear in the user interface?\nA: For which audit? I only see 1 analysis report.", "Should I dive deep into web2 security, or should I just have a general knowledge?\nA: Most of the cases in web2 are black box, in web3 it's always white box.", "What topics should we learn? I know like DDOS attacks can disable a system in both web2 and web3. What other topics are important?\nA: Not sure that DDOS exists in smart contracts.", "When I was submitting my analysis on Code4rena, an error appeared, so I sent the document again. Now, I see two analyses in my findings. How can I remove the extra analysis as it doesn't appear in the user interface?\nA: For which audit?", "Where can I see the reason why my submissions are rejected? In Nouns dao.\nA: You will be able to view your submissions once the report is published and the findings repo is made public.", "I\u2019m sure that my gas findings are valid but I didn\u2019t get a reward I also submitted 3 hm findings they all rejected, is there any escalation in C4?\nA: There's a post-judging QA period where wardens can comment on the judges decisions. That is only available for our backstage wardens. More on backstage: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "I see that chainlink staking v 0.2 is no longer on the upcoming contest on C4 site, what happened?\nA: Just delayed a bit - will re-post once dates are confirmed!", "Can I still submit the bug report after the contest finished?\nA: No. All findings have to be submitted prior to the audit closing.", "Every time I do CTFs, I can't catch any vulnerability, is it because I'm not good at solidity fundamentals? 
How do I catch vulnerability?\nA:", "Should you be a developer first like do I have to write smart contracts on Defi Projects before starting auditing?\nA: If you can't do good now then practice and make it your muscle memory that way you can be good.", "Why do some wardens ask sponsors to accept a friend request?\nA:", "I made a request a few weeks ago to change my profile picture and I was told to attach the new picture to help, but it is still the old picture. \nA: If you did a request and we weren't able to take care of last week, we'll likely get to it this week.", "I made a request a few weeks ago to change my profile picture and was told to attach the new picture to a help, but it is still the old picture. Why hasn't it been changed?\nA: If you made a request and we weren't able to take care of it last week, we'll likely get to it this week.", "Should you be a developer first like do I have to write smart contracts on DeFi Projects before starting auditing?\nA: It's not explicitly stated, but it's suggested that practice can help you improve.", "Why do some wardens ask sponsors to accept friend requests?\nA: No answer provided.", "Is there a way for you to check if my request to change the profile picture has been made? It could be a mistake on my end.\nA: We aren't able to check the status of your request right now, but it's likely that your request is in the queue as we had some issues to work through last week.", "The site is down at my end. Is anyone else experiencing this?\nA: The site is working fine. 
You can check its status on https://downforeveryoneorjustme.com/code4rena.com.", "Since it is not possible to change the account name and wallet login, can I create another account on C4 but with the same GitHub username, email address, and discord username?\nA: No answer provided.", "I don't have any development background and so I'm finding it difficult to understand \"Patrick Collins latest foundry course.\" How can non-developers make sure to understand and learn from this course? \nA: No answer provided.", "Does anyone have experience with booting up a very simple PoS blockchain (a public one, not private)? What configurations should I make in order to create a \"public\" chain?\nA: No answer provided.", "I cannot submit findings. What should I do?\nA: No specific answer provided.", "If I submit a finding before the deadline, is it kept safe so that nobody sees it?\nA: Yes, once findings are submitted, they are not disclosed to other competing wardens.", "I cannot submit findings and cannot load submitted findings. What can I do?\nA: [Answer not provided in the chat log]", "If I submit a finding before the deadline, is it kept safe that nobody sees it? Can you share some insights on how you work?\nA: Once findings are submitted, they are not disclosed to other competing wardens.", "Are the findings accessible for the sponsor and C4? Or are these findings sealed until the competition is over?\nA: The findings are sealed to other wardens but in order for judging to occur, they have to be visible to C4 staff, sponsors and the judging team.", "As a warden, when is it best to send findings?\nA: Be sure to submit before the audit closes. There is no reward for submitting first.", "Can you share any statistics when most findings are posted?\nA: Many wardens hold their submissions till the end. This is a personal decision. 
There's no advantage to submitting early vs late.", "Is there a penalty for invalid issues, like past a certain threshold?\nA: [Answer was a link] https://discord.com/channels/810916927919620096/810931711609143326/1134522735507292230", "Are the findings shared with anyone (including the project team and judge) before the deadline passes?\nA: The findings are not shared with anyone (including the project team and judge) until after the deadline passes. Staff occasionally need to be able to access submissions during an audit to help wardens with any submission errors, etc. but access is highly restricted.", "How are grades assigned for QA and gas reports? Specifically, how can you score an \"A\"?\nA: [Answer not provided in the chat log]", "Have rewards for the llama-jun06 contest been sent out already? I saw my name on the rewards list but it's been 2 weeks since the rewards announcement and I haven't received anything yet. Is there a problem?\nA: Awards for the llama-jun06 contest were sent out on 07/14.", "How can I participate in bot races? I'm a warden already. Do I need to do anything separately to be eligible for bot races?\nA: [Answer not provided in the chat log]", "Are the findings accessible for the sponsor and C4? Or are these findings sealed until the competition is over?\nA: The findings are not shared with anyone (including the project team and judge) until after the deadline passes. Staff occasionally need to be able to access submissions during an audit to help wardens with any submission errors, etc. but access is highly restricted.", "How are grades assigned for QA and gas reports? Specifically, how can you score an \"A\"?\nA:", "Have rewards for the #llama-jun06 contest been sent out already? I saw my name on the rewards list but it's been 2 weeks since the rewards announcement and I haven't received anything yet, and I'm wondering if there's a problem.\nA: The awards were sent out on 07/14.", "How can I participate in bot races. 
I'm a warden already. Do I need to do anything separately to be eligible for bot races?\nA: See pinned messages in#bot-race-help.", "I'm trying to get certified and I received email from provenancecompliance.com, rather than provenance.company. Is that normal or phishing?\nA: Just received confirmation from the team at Provenance. Safe to proceed.", "How many judge application reviewers are there?\nA:", "If a project uses brownie for testing, can I write my PoC in foundry still?\nA:", "\"1936 SLOC in 137contracts\" 137 contracts is not a typo is it?\nA:", "The create-issue button doesn't work sometimes. Any advice?\nA:", "If I only become certified after the arbitrum (certified only) audit starts but before payout date, can I still get payout?\nA: You have 30 days to complete the process from beginning to end.", "Does C4 have support for splitting payments out to each team member? Or are teams only allowed to receive payments on one address?\nA: One address only and then the team can distribute funds as needed.", "Will there be a mitigation review for Chainlink CCIP as mentioned in the original RSVP message https://discord.com/channels/810916927919620096/958800160870240286/1111007546183012382?\nA:", "Do I have 30 days to complete the process, after I finish the audit? In the case of Arbitrum, will I have 30 days after Aug 10th this year?\nA: Yes, correct. But it's recommended that you do not wait.", "Does C4 have support for splitting payments out to each team member? Or are teams only allowed to receive payments on one address?\nA: Teams are only allowed to receive payments on one address. Then, the team can distribute funds as needed.", "Will there be a mitigation review for Chainlink CCIP as mentioned in the original RSVP message?\nA: Yes, this is still planned.", "I opened an issue ticket in your system regarding a problem that I have with my rewards. 
Can you please notify me when you review it?\nA: There is no direct response to this question.", "Was the reward for Base and Juicebox sent to my Ethereum network wallet?\nA: No, it was sent to your wallet on the Polygon network.", "Can you close my issue ticket regarding my rewards issue?\nA: There is no direct response to this question.", "Was I removed from the audit process for some reasons? \nA: No, you were not penalized for something. You just may not have ranked high for that issue.", "Do HM awards mean awards about High and Medium bug?\nA: Yes, that's correct.", "I saw the results of a finished audit and with one high and one medium, I was ranked last. Was I removed from the audit process for some reasons?\nA: No, you were not penalized. You may not have just ranked high for that issue.", "Do HM awards mean awards about High and Medium bug?\nA: Yes, that's correct.", "Will there be a mitigation review for Chainlink CCIP as mentioned in the original RSVP message?\nA: Yes this is still planned.", "What are the requirements and qualification to be certified warden?\nA: The problem with the link for certified warden application has been acknowledged and will be looked into.", "The arbitrum contest starts on the 3rd of August, I am not yet certified, will I be eligible for payout if I get certified on the 9th?\nA: You can apply for certification now. You need to complete certification within 30 days of the end of the audit in order to receive your payout. In terms of teams, each individual member would need to be certified.", "What is the submission policy around vulnerabilities that depend on fixing another definite bug?\nA: No answer provided.", "Are team stats counted towards individuals stats as well?\nA: No answer provided.", "The start date of Chainlink Staking v0.2 in RSVP differs from the code4rena website. 
Which date is correct?\nA: The website date is correct - the RSVP will be updated.", "When reports are out does C4 release both all valid and invalid issues?\nA: Yes, the entire findings repo is made public, and you can see all of the judge's decisions. You can browse through the reports section on the C4 website, each report links many times to the findings repo, and from there you can browse around. Or just go directly to https://github.com/code-423n4 and start browsing from there.", "What happens if we submit a correct bug issue but our proposed solution is incorrect?\nA: You can update the submission if the contest isn't ended.", "The start date of Chainlink Staking v0.2 in rspv differs from the code4rena website. Which date is correct?\nA: The website is correct - the rsvp will be updated.", "When reports are out, does C4 release both all valid and invalid issues?\nA: Yes, the entire findings repo is made public, and you can see all of the judge's decisions. Each report links many times to the findings repo, which you can browse around. Or, you can go directly to https://github.com/code-423n4 and start browsing from there.", "What happens if we submit a correct bug issue but our proposed solution is incorrect?\nA: You can update the submission if the contest isn't ended.", "I submitted a help desk ticket yesterday but I didn't receive a ticket number or email confirmation of the ticket. How can I follow up and check?\nA: The request has been received and will usually be reviewed within a week.", "Am I allowed to share my testing environment with the other auditors, if they don't include specific tests?\nA: [No answer provided]", "Can anybody guide me on what is vault rebalancing and how does it work? \nA: [No answer provided]", "Where are the prizes winners announced?\nA: The winners are announced in the #\ud83d\udce2announcements channel.", "How can I know I completed the KYC? 
Is it just the registration process?\nA: To apply you can go through this https://docs.code4rena.com/roles/certified-contributors. In case you already applied, you should receive an email from provenance and C4.", "What is an eligible contributor? Is it just someone with an account or do you need some quantity of findings?\nA: When you complete the application listed on the page and are approved, you become an eligible contributor.", "How many audits do I need to take part in to have Activity Stream available on my profile?\nA: [No answer provided]", "There are so many broken file path errors which are unusually high in the pool together competition. Am I missing something?\nA: You should post this in the #pooltogether-aug02 channel. Your fellow wardens working on the audit may be able to assist you.", "Hypothetically, if a hacker compromise C4's mail server, they can read all findings and submit them as their own, making it a centralized point of failure?\nA: There are multiple places in our infrastructure and tooling that require additional diligence for this reason, and we are very focused on it. We have a CSO responsible for overseeing our process, procedural, and application security. We also have a team member who has a deep background in securing infrastructure from an architectural perspective.", "How many audits do I need to take part in to have Activity Stream available on my profile?\nA: [No Answer]", "For the pool together competition, there are so many broken file path errors which are unusually high. Am I missing something?\nA: Are you able to post this in the #pooltogether-aug02 channel? Your fellow wardens working on the audit may be able to assist you.", "Hypothetically, if a hacker compromises C4's mail server, can they read all findings and submit them as their own?\nA: The same would be the case for GitHub access too. 
There are a handful of places in our infrastructure and tooling that require additional diligence for exactly this reason, and we are very focused on it.", "What is bot crew role?\nA: It means they are in a bot team or have their own bot. Bot races are held for the first hour of an audit. [Bot Registration Link](https://code4rena.com/register/bot)", "I accidentally submitted an analysis from a personal account instead of a team account for Tapioca. Can anyone help?\nA: You should re-submit it from your team's account if possible, and then submit a help desk request to withdraw the other one. [Help Desk Link](https://code4rena.com/help)", "I opened a help desk request a week ago but I didn't receive any reply yet; can I contact someone?\nA: You can direct message me.", "I have different reasons why one function won't work, should I group that into a single finding or report separately?\nA: [No Answer]", "Where can I find information about the issue types?\nA: [No Answer]", "The amounts for the new GMX contest posted in #\u270brsvp don't add up to 40,000$, which number is wrong?\nA: [No Answer]", "In past contests, I was able to read how my reports have been judged. I would like to read how my Lybra report was judged. How can I do?\nA: The report isn't published yet.", "I know the report isn't published yet, but in the report, there are finds of other wardens. I remember that I could see inside Github what a judge wrote about my report. How can I do that?\nA: [No Answer]", "In past contest, I was able to read how my reports have been judged. How can I read how my Lybra report was judged?\nA: The report isn't published yet.", "The amounts for the new GMX contest posted in #\u270brsvp don't add up to 40,000$, which number is wrong?\nA: The discrepancy was due to a typo. 
It has been fixed.", "Does the presence of a judging pot mean it will be judged by c4 and not by Certora this time?\nA: The bugs will be judged by a C4 judge and the rules will be judged by Certora.", "What is meant by participation reward for the formal verification contest?\nA:", "Is there an issue with the Analysis Report preview to display the embedded images? I'm even trying with the exact same syntax I used in the last Analysis Report I submitted, but today it's not rendering.\nA:", "Is this email related to Provenance? In the docs, it's mentioned that the email will send from provenance.company.\nA: Yes, it is Provenance. [Link](https://discord.com/channels/810916927919620096/810931711609143326/1135988921906495620)", "Can anybody see findings during the contest, before ending?\nA: The findings repo remains private until the report is published. If it is an open audit, generally backstage wardens are added after the audit closes.", "Is it possible to change the wallet I am registered with (login address)?\nA: For the payment address, you can update it in Manage Account.", "What should we provide for becoming a Certified warden? What does Code4Arena ask or do in the process?\nA: C4 delegates KYC to Provenance.", "For payment address, where can you update it?\nA: You can update it in Manage Account.", "[In the context of audit findings,] who can see the private repository until the report is published?\nA: Only bots carrying findings from mail to the repository can see, bots are given priority over humans.", "Is this email (kobus@provenancecompliance.com) related to Provenance as mentioned in the docs?\nA: It is not mentioned in the chat whether this email is related to Provenance or not.", "What should one provide for becoming a Certified Warden? What does Code4rena ask in the process?\nA: Code4rena delegates KYC to Provenance.", "Would trapped/inaccesible funds (but not stolen) correspond to a high [risk]?\nA: If for a rare situation for an end-user: Medium. 
If the situation locks all the protocol assets: High.", "Are the documents updated correctly as they appear in the application form and response email?\nA: It is correct in the documents now but it's wrong in the application form and response email.", "Where is the channel for automated findings?\nA: Check the pinned messages of the concerned contest's channel. There you will find the message for the automated findings.", "Is this the correct way to request a change of profile avatar?\nA: Yes, the profile avatar will probably get swapped out on Monday when staff returns from the weekend.", "How many judges does C4 have?\nA: The estimated guess is around 10 judges and 5 lookouts.", "Am I allowed to update the format of the findings?\nA: It is not mentioned in the chat whether one is allowed to update the format of the findings.", "When doing the certified warden verification, when should I expect the email from Provenance?\nA: It is not specified in the chat when one should expect the initial email from Provenance.", "How to resolve the issue faced while submitting in my chrome browser?\nA: If you are facing an issue while submitting, you can submit a help ticket here: https://code4rena.com/help.", "What happens when users don't submit analysis? Will their findings be invalidated and skipped?\nA: It is not mentioned in the chat what happens when users don't submit analysis.", "I'm facing this issue while submitting in my Chrome browser. How can I resolve it?\nA: Sorry to hear; best to submit a help ticket here: https://code4rena.com/help", "Is this how I am supposed to request a change of my profile avatar?\nA: Yes, that's correct; it'll probably get swapped out on Monday when folks are back from the weekend.", "What happens when users don't submit analysis? 
Will their findings be invalidated and skipped?\nA: No, it's not mandatory to submit an analysis as of now.", "Where can I see my submitted bug report that has been rejected?\nA: [No Answer]", "When you receive the certified role, will you receive access to reports like the Chainlink Staking v0.1 or do you need to have backstage as well?\nA: You're going to need backstage as well.", "I am talking about reading the report on C4 not on Discord. Or it's still the same?\nA: Access to reports are available only on the C4 website. Having access to GitHub repo is another feature which can be achieved via having backstage role.", "Is it okay to link to other contest's (not from Code4rena) in my report, to demonstrate, that similar findings are evaluated as Medium?\nA: It\u2019s okay to do so. However, it\u2019s not going to be as convincing as citing examples from Code4rena. We tend toward a more rigorous judging and QA process here than other platforms.", "I changed my Github username in my C4rena profile but for backstage access Code4rena Github admin should give access to my new Github profile. How can I get help with this?\nA: You can open a help desk request here: https://code4rena.com/help and someone will reach out.", "I opened a help desk request yesterday but still I have not received a message about it. What should I do?\nA: [No Answer]", "Can I DM (Direct Message) you regarding the application for certified wardens?\nA: [No Answer]", "Is it \u201cokay\u201d to do? \nA: Of course. However, it\u2019s not going to be as convincing as citing examples from Code4rena. We tend toward a more rigorous judging and QA process here than other platforms.", "I changed my github username in my c4rena profile but for backstage access Code4rena github admin should give access to my new github profile. Is there anybody to help me? \nA: You can open a help desk request and someone will reach out. https://code4rena.com/help", "Can you use foundry to call an internal function? 
\nA: You can write a child contract and use it like wrappers. There is no way to directly call for internal functions.", "What is the markdown code that I should use to get github code in this manner? Also I have seen reports that include the file name too in the block. \nA: Visit https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks", "Where can I see my submitted bug report that has been rejected? \nA: When the report is already published, you can visit github's issues. If your submission was rejected, it will be in closed issues.", "What is duplicate? Does duplicate occur if my submission was not the first? Or when some other report was chosen to be published in the report? E.g. If users A, B, C reported the same issue, and B's is chosen to be in the report, then A's and C's are duplicates?\nA: Your example is correct. But, it's not about being first though.", "I know that by using `` we can write code in a block but I was particularly talking about how to get that line number and the file name. \nA: You can open a new search tab in vscode and search the target line/s, or learn vim it\u2019s easier and faster.", "Can somebody please show me a widely used token that is not using decimals()? \nA: There is not a single token without the function decimals, some return 0 though. It's a QA finding for points.", "What is duplicate? Duplicate occurs if my submission was not the first? Or when some other report was chosen to be published in the report? E.g. If users A, B, C reported the same issue, and B's is chosen to be in the report, then A's and C's are duplicates, right? 
\nA: It's not about being first.", "I knew that by using we can write code in a block but I was particularly talking about how to get that line number and the file name.\nA: Open a new search tab in vscode and search the target line/s, or learn vim it\u2019s easier and faster.", "Can somebody please show me a widely used token that is not using decimals()?\nA: There is not a single token without the function decimals some return 0 though. It's a QA finding for points. It's technically valid, but in practice it's always implemented. EIP states that it's optional, and other contracts must not expect these values to be present: https://eips.ethereum.org/EIPS/eip-20. There is a non-zero possibility that a token might not implement it.", "Why I can't submit more than 1 report of gas optimization in a contest?\nA: Both gas and QA reports should be compiled reports. So if you want to add more to your gas report, please go to the contest page and click the Your Findings button.", "Is it same for high/med bug report or can I submit that one more than one?\nA: https://docs.code4rena.com/roles/wardens/submission-policy", "Are escalations of issues in the automated findings report invalid? For example, if there's an issue in the automated findings report like \"function X needs nonReentrant modifier\", and I find a bug involving reentrancy in function X.\nA:", "My wallet got hacked and I have changed my payment address. \nA: Do you log in via password or wallet? 
If wallet and its the same wallet, you can create a help desk request.", "QA reports that include QA bot findings from bot races but develop their explanation more and are more detailed are eligible for QA report rewards?\nA: No, they're not eligible due to the root cause being the same.", "If you have no significant findings or findings at all, can you still send an analysis report about the system itself to provide for example advice on things to take into account in the future of the project?\nA: Yes, you can.", "Are QA reports that include QA bot findings from bot races but develop their explanation more and are more detailed eligible for QA report rewards?\nA: No, they're not eligible due to the root cause being the same.", "If you have no significant findings or findings at all, can you still send an analysis report about the system itself to provide for example advice on things to take into account in the future of the project?\nA: Yes, you can.", "The findings report page seems not to support HTML tags like
or
, is there any way around it or that's how it is supposed to work?\nA: You can try using Markdown.", "What if the bot race reports a problem but doesn't report all the actual parts of the codebase where that problem is present? Adding them is eligible?\nA:", "Is there any penalty for incorrect M/H submissions? If one posts 2 valid submissions and 8 invalid, will there be any penalty for that?\nA: As of now there's no penalty.", "If one is unsure if a finding is valid, is it better to send it, so more experienced people will look through it?\nA:", "If a submission was downgraded from medium to QA will it receive rewards as a QA report or it's zero?\nA: It will be rewarded unless it's downgraded to grade-c.", "If you discuss what you think is a finding to confirm it with a sponsor over discord or other private messages, this doesn't invalidate the finding or anything, right?\nA: Talking to the sponsor is fine.", "I'm trying to upgrade an analysis report on the site, but for some reason the submission UI is not working. Any thoughts or help?\nA: Editing Analyses is not yet supported - they're working on it.", "So as of right now, is there no way to send in my update?\nA: Correct - if you look at the Guidelines and FAQ, this is highlighted at the top of the doc: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "If you discuss what you think is a finding to confirm it with a sponsor over discord or other private messages, this doesn't invalidate the finding or anything, right?\nA: Talking to the sponsor is fine.", "I'm trying to upgrade an analysis report on the site, but for some reason the submission UI is not working. Something went wrong editing submission. 
Any thoughts or help?\nA: Editing Analyses is not yet supported - we're working on it.", "So as of right now, there is no way to send in my update?\nA: Correct - if you look at the Guidelines and FAQ, this is highlighted at the top of the doc: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118", "Can I change my c4 profile photo?\nA: Please create a help desk request: https://code4rena.com/help", "Can anybody explain me the difference between flash minting and flash loans, to me both appears the same?\nA: Flash loans are when in 1 single tx you manage to buy an asset at one price in one market and sell it higher in another market.", "If you send a finding before the deadline is it publicly available somewhere for anyone? Or can I check what I sent without modifying it?\nA: (No answer provided)", "How do you apply for backstage guys?\nA: Please find information about becoming certified and qualifying for backstage access. https://docs.code4rena.com/roles/certified-contributors", "Since I am busy around my job and will be for some time, not participating in certified events does not affect my possession of the role right. It does only if I sign up but do not show up from what I've understood. Right?\nA: Correct.", "How many lookouts are there per contest?\nA: There is 1 lookout per contest.", "How many lookouts are there per contest?\nA: There should be 1 lookout per contest.", "Since I am busy around my job and will be for some time, not participating in certified events does not affect my possession of the role right? It does only if I sign up but do not show up from what I've understood.\nA: Correct.", "Can the judge be the lookout in a contest?\nA: Yes, the judge could be the lookout.", "I submitted a report and for some reason the inline math double-rendered in the preview. Would that cause any issues? 
I'm hoping it won't if the judge looks at the submissions on GitHub or elsewhere and it renders differently there.\nA: No answer provided.", "Regarding the new functionality of Warden profiles and setting on the profile to get private invites, Let's say protocol A selects a warden for a private invite, what happens (and what is the Warden's obligations) if they then ask the warden for a private solo audit after that?\nA: No answer provided.", "How to get a backstage role?\nA: You can learn how to get a backstage role at this link: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "Can you sign up as a certified contributor with multiple accounts? (as long as you only participate with one).\nA: No answer provided.", "I just realized there's a typo in one of my submissions for the veRWA contest. Any way to fix it?\nA: No, because the contest has already ended.", "I am willing to pay 300 USD for anyone who can explain this.\nA: If the callback reverts with a small enough error, you'll get the error. if the callback reverts due to out of gas, you'll get the out of gas error. If the error message is too large to pass back given the gas limit, you'll get out of gas. For more details, visit this link: https://blog.theredguild.org/catch-me-if-you-can/", "What is the reasonBytes?\nA: You get 0x but the EVM reverted with OOG.", "Can someone explain the try-catch functionality in solidity 0.6?\nA: If the callback reverts with a small enough error, you'll get the error. If the callback reverts due to out of gas, you'll get the out of gas error. If the error message is too large to pass back given the gas limit, you'll get out of gas. 
More detail can be found here: https://blog.theredguild.org/catch-me-if-you-can/", "What is the reasonBytes?\nA: You get 0x but the EVM reverted with OOG (Out of Gas).", "Will the next Chainlink contest be open for all?\nA: Open for all to participate, but will need to become certified (successfully complete KYC) to receive awards.", "Any news when a contest for non-KYC will appear?\nA: Monitor the #\u270brsvp channel for updates.", "Is anyone participating in the 'CERTORA'?\nA: If it's in the #\u270brsvp channel, it's open. https://discord.com/channels/810916927919620096/958800160870240286/1136950192625692772", "Why hasn't C4 scheduled contests in a balanced way so two or three are just running all the time?\nA: Contests are scheduled based on the timing and needs of the customer.", "How long is an address type length?\nA: Address type length is 20 bytes", "About a past project Ajna finding, it was classified as solo high risk but the sponsor disputed too late after distribution of rewards. Is this subject for refund or maybe deducted in future earnings or no return at all and treat the result as final?\nA: It is fair to treat the result as final.", "Can a submitted issue that got demoted to QA be QA grade-a? Has anybody landed QA-a with a single QA?\nA: Yes, it is possible to land QA-a with a single QA.", "I have a question about past project Ajna finding, this is classified as solo high risk https://github.com/code-423n4/2023-05-ajna-findings/issues/329 , but the sponsor disputed too late after distribution of rewards. Is this subject for refund or maybe deducted in future earnings or no return at all and treat the result as final?\nA: It's fair to treat the result as final.", "One submitted issue got demoted to QA, can it be QA grade-a? 
Has anybody landed QA-a with a single qa?\nA: Yes, it is possible to land QA-a with a single qa.", "For the Chainlink contest, can I participate and verify my identity after the contest ends in order to receive the payout?\nA: Yes, you can participate and verify your identity after the contest ends to receive the payout.", "How do we view the repo and its report for Chainlink's past contest? https://code4rena.com/contests/2022-11-chainlink-staking-contest\nA: To view reports you need the backstage role, more about it here https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "If I've changed my discord username, should I update it somewhere in the CodeArena?\nA: Yes, it's recommended to update your discord username in CodeArena. If you encounter any issues updating it, submit a help request.", "Does changing my Discord username affect receiving rewards?\nA: Your discord username wouldn't affect whether you receive your awards, just might affect whether we're able to tag you in the award announcement.", "How do you paste codes in a specific format when submitting issues?\nA: You can use this tool: https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers", "I've submitted a request for KYC with Provenance with all the necessary paperwork, it's been a week now, but haven't got a response. How long does it usually take?\nA: It's recommended to check your spam mail for an email from Provenance compliance.", "How to do pasting of codes like this format when submitting issues?\nA: Use this: https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers", "I've submitted a request for KYC with provenance with all the necessary paperwork, it's been a week now, but haven't got a response. How long does it usually take?\nA: Have you checked your spam mail for an email for provenance compliance?", "I have checked my spam mail, but there is nothing. 
I have already provided documentation and now I am just waiting on a decision. What to do next?\nA: I will inquire about your request. Feel free to nudge me in a couple of days, if I haven't circled back to you by then.", "Can teams participate in #\ud83d\udd96rsvp-certified, or is it exclusive for solo wardens?\nA: If your team is completely certified, and meets the qualifications of that audit, sure you can raise your hand for it.", "Let's say an invitation audit has 5 slots and will prioritize highest ranked wardens - will high-ranked teams be able to participate in it?\nA: High ranked teams are eligible to compete as well.", "Do I need KYC to be verified here to receive bounty?\nA: If you'd like to participate in an audit that requires KYC, you will need to be certified. This will be specified in the #\u270brsvp and / or the audit channel.", "What would I need to do to let the C4 team know that I am raising a hand for my team and not for myself?\nA: (This question was not answered in the chat.)", "Should I need KYC to verified here for receive bounty?\nA: If you'd like to participate in an audit that requires KYC, you will need to be certified. This will be specified in the #\u270brsvp and / or the audit channel.", "What would I need to do to let C4 team know that I am raising a hand for my team and not for myself?\nA: If we create a thread, you can respond in there or maybe reply to rsvp itself.", "Two different exploits from the same root cause are considered duplicates right?\nA: Correct", "Could you please check if I am added to the backstage group in github?\nA: Hi - we received your request to change your GH user and have made the change. Please check your GH invites.", "Is there anywhere that references the grades on QA reports, e.g. A is because... B is because.. etc? \nA:", "I remember for backstage+ you need a high finding or 3 meds, I got 1 high on the pooltogether but the findings are not public yet. 
I have to wait for them to be released and then receive the role right?\nA: Just ask the support, I did like this from c4 website", "Then I probably have to wait for more results, I participated in more than 3 audits but their results are not announced yet, but thanks\nA: Yup the other rule is just to participate in min 3 contests good luck", "Payouts are on Polygon but with usdc right?\nA: Yes", "If I've participated in the contest (submitted two issues) and I'm not on the award list - it's more likely that those issues were rejected?\nA:", "Do I have to wait for more results from the audits I participated in or is it enough to just participate in a minimum of 3 contests?\nA: Yes, you have to participate in a minimum of 3 contests and wait for the results to be announced.", "Are the payouts on Polygon with USDC?\nA: Yes, the payouts are on Polygon with USDC.", "If I've participated in a contest and submitted two issues, and I'm not on the award list, is it likely that those issues were rejected?\nA: That's a good possibility but it's recommended to review the report when it's available to confirm.", "The Dopex contest has a wrong amount of prize on the website, what should be done?\nA: The issue should be flagged and it will be fixed.", "Are the SLOCs mentioned for Dopex wrong too?\nA: Yes, the original count included spaces etc. The SLOCs count mentioned in the RSVP is nearly always pre-scouting.", "What does an A grade report mean? \nA: An A grade report is generally good. 
More details about the ranking and incentive model can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards.", "If a team gets 2 highs, do the team members get the backstage role?\nA: If the requirements are met for team and/or individual based on audits with published results, a help desk request can be submitted.", "I've just been certified, does this give access to the previously participated contest in progress judging repo?\nA: This information is not provided in the chat.", "Have you been able to review the docs yet?\nA: No, I was just looking for this. Thanks.", "If a team gets 2 highs, do the team members get the backstage role?\nA: If the requirements are met for team and/or individual based on audits with published results, you can submit a help desk request.", "I've just been certified! Doesn't this give access to the previously participated contest in progress judging repo?\nA: You need backstage for that.", "May I check if I raise a helpdesk request for backstage access, I think I have fulfilled all criteria, if not would I get an email or message to say it was declined?\nA: You'll be notified once your request has been reviewed.", "I found 2 high vulnerabilities. Can I get backstage access?\nA: You can check the requirements and request for backstage access here: [https://docs.code4rena.com/roles/certified-contributors/backstage-wardens#to-request-+backstage-access](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens#to-request-+backstage-access)", "I found 1H and 1M in two audits and participated in another audit, but didn't find any bugs. 
Can I apply for backstage access?\nA: You can check the requirements and request for backstage access here: [https://docs.code4rena.com/roles/certified-contributors/backstage-wardens#to-request-+backstage-access](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens#to-request-+backstage-access)", "Within a single active context, when you submit the second issue, is it possible to reference the first you submitted?\nA: Yes; after you submit the first issue, you have to edit it: you will see an id at the end of the url, which is the same as the GH issue Id. After that, on the second one, when you want to reference it, you simply write # followed by the previous issue id.", "I submitted a help desk request, do I look at my email if something goes wrong?\nA: (No answer provided)", "Can I request backstage if one of my first 3 contests was with a team?\nA: (No answer provided)", "What does (solo) mean?\nA: Solo means only one warden found the finding in a contest.", "I submitted a help desk request, how do I know if something goes wrong?\nA:", "Within a single active context, is it possible to reference the first issue I submitted when I submit a second one?\nA: Yes, after you submit the first issue, you can edit it to see an ID at the end of the URL, which is the same as the GH issue ID. When submitting the second one, if you want to reference the first, you simply write # followed by the previous issue ID (e.g. 
#13).", "Can I request backstage if one of my first 3 contests was with a team?\nA:", "What does (solo) mean?\nA: Solo means only one warden found the finding in a contest.", "Is there a way to check your reported findings on which was rewarded?\nA: You can check it [here](https://discord.com/channels/810916927919620096/1095308824354758696/1130212982094299246)", "How does the team work in here when submitting a report?\nA:", "If A.sol is the scope of the contract but it inherits B.sol, should we still audit B and will there be a payout if there is a vulnerability?\nA:", "Will the arcade reward and pool together reward be distributed next week?\nA:", "Is there any benefit to being a Certified Warden? Is there a working requirement or deadline etc.?\nA: Being certified, you can become backstage. And also can receive payment from KYC-required sponsors like Chainlink.", "Can someone explain the rule a. Conduct of Activities: Certified Contributor agrees that they will conduct any and all participation in C4-related activities in a timely and professional manner?\nA:", "Can I be employed and do this audit as a side project?\nA:", "Does being employed and doing this audit as a side project violate the terms?\nA:", "Why can't we receive payment from some projects if we're uncertified?\nA: Some gigs require you to be KYC'd (verified) to get rewards.", "Why don't you become certified if you can participate as both certified or non-certified?\nA:", "Is it possible to be employed and do this audit as a side hustle?\nA:", "Why can't we receive payment from some projects as uncertified auditors?\nA: Some gigs require you to be KYC'd (verified) to get rewards. You can participate as certified or non-certified.", "Why don't you become certified?\nA:", "Are you certified?\nA: Yes, certification involves KYC verification.", "Does being certified require to work full time?\nA: No, being certified means you got KYC verification. 
It just means you have verified your identity, no further commitment required.", "What is this and how to resolve this \"Validation blockedError: Couldn't find forge binary. Performed lookup\"?\nA:", "Is it possible to add someone to an existing team?\nA:", "If the report is published, and some of the issues were rejected and labelled as \"sponsor disputed\" - without any explanation - is there any log/discussion accessible to check why exactly issues were labelled as \"sponsor disputed\"?\nA:", "Can I get a link to explain how the Analysis report is working, what I need to fill etc...?\nA: https://docs.code4rena.com/awarding/judging-criteria#analysis", "If there's a low in a contest's bot report and I escalate it to a high, is my issue invalid?\nA: Wardens may use automated tools as a first pass, and build on these findings to identify High and Medium severity issues (\"HM issues\"). However, submissions based on automated tools will have a higher burden of proof for demonstrating to sponsors a relevant HM exploit path in order to be considered satisfactory. [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues]", "Can I get a link to explain how the Analysis report is working, what I need to fill etc...?\nA: [Link to Analysis Report Explanation](https://docs.code4rena.com/awarding/judging-criteria#analysis)", "If there's a low in a contest's bot report and I escalate it to a high, is my issue invalid?\nA: Wardens may use automated tools as a first pass, and build on these findings to identify High and Medium severity issues (\"HM issues\"). 
However, submissions based on automated tools will have a higher burden of proof for demonstrating to sponsors a relevant HM exploit path in order to be considered satisfactory.", "If some people submit a low and others escalate that low to a high, is the low rewarded less since it is a dupe?\nA: That's up to the judge.", "Is it possible to add someone to an existing team, I'm having trouble saving new team members in the manage-team tab?\nA: Would suggest you submit a help desk request.", "Are private audit contests open only for top ranking wardens?\nA: Those opportunities get listed in #\ud83d\udd96rsvp-certified and will include the eligibility criteria for the specific opportunity. So would recommend keeping an eye out there.", "If an issue were labelled as sponsor-disputed, but there's no explanation provided - why - where/how can I get the explanation why the issue had been rejected?\nA: Would check duplicates if it's very common and can ask the Judge after Judging.", "Yeah, but claiming rewards on behalf of other users means, that the calculation of the future rewards will be different, so when I claim their rewards (on their behalf) now, they will get lower amount of rewards after claiming it later. This is the initial issue I'm referring to - or am I missing something?\nA: Seems like you have a point and this was missed.", "If an issue were labelled as sponsor-disputed, but there's no explanation provided - why - where/how can I get the explanation why the issue had been rejected?\nA: Check duplicates if it's very common and you can ask the Judge after Judging.", "What does it mean when claiming rewards on behalf of other users and how it affects future rewards?\nA: Claiming rewards on behalf of other users means that the calculation of the future rewards will be different. 
If you claim their rewards now, they will get a lower amount of rewards after claiming it later.", "Is there any way to appeal if a valid finding had been classified as invalid?\nA: The outcome cannot be changed after the payouts are sent, but you can at least be vindicated in your finding. The issue can also be flagged for the judge and sponsor to make sure everyone is aware of it.", "Should there be compensation awarded from the \"judge awards\" pool if the judge incorrectly evaluated an issue?\nA: This question was not answered in the chat.", "Is it possible to add someone to an existing team, I'm having trouble saving new team members in the manage-team tab?\nA: You can try again to add members to your team.", "Why was my application for KYC rejected without any explanation, and are there any nationality restrictions?\nA: OFAC sanctions and background checks are the primary restrictions. The process happens at arm's length to preserve the privacy of individuals. Specifics are not known, but the decision is based on whether provenance greenlighted someone based on their process.", "Can I request for KYC again if I don't have any of the restrictions?\nA: The only option is to directly work with provenance on the original application.", "Will the result be the same if I apply for KYC again after being rejected the first time?\nA: The result will likely be the same if you apply for KYC again after being rejected the first time.", "What are the primary restrictions for KYC (know your customer)?\nA: The primary restrictions for KYC include OFAC sanctions and background checks. The specifics are not known as the process occurs at arm's length to preserve privacy. 
The decision is based on whether Provenance greenlights an individual after complying with certain regulations.", "If I don't have any of the primary restrictions, can I request for KYC again?\nA: There might not be other options beyond working directly with Provenance on the original application.", "What if my documents were wrong or someone uploaded another file by mistake, why shouldn't I be able to apply for KYC again?\nA: It is suggested to reply to the email asking for clarity.", "If I disagree with a judge's decision and want to have my findings updated in the profile section, what should I do?\nA: Staff need to bring the matter to the judge and sponsor for discussion. In the meantime, it is suggested to file a help desk request so that staff have an open ticket to track this.", "When will the \"Arbitrum Security Council Election System\" result be published on website to see the submitted bug reports details and Activity?\nA: It's hard to give a definite timeline as the system is still in the post-judging QA phase. But results could possibly be awarded in the next week and Warden Activity Streams on the website will update once the report and findings are made public.", "How can I add a whole profile to Code4Arena and link to my Twitter and so on?\nA: In order to edit your profile, you need to be certified.", "What are the prerequisites to become certified and be able to edit my profile?\nA: Here is a link to the certification prerequisites: https://docs.code4rena.com/roles/certified-contributors.", "When will the \"Arbitrum Security Council Election System\" result be published on the website to see the submitted bug reports details and Activity?\nA: We are still in the post-judging QA phase, so it's hard to give a definite timeline of when this would be available. I anticipate we could be awarding next week though! 
Warden Activity Streams on the website will update once we publish the report and make the findings public, if the sponsor approves.", "How can I add a full profile to Code4Arena and link it to Twitter and other platforms?\nA: To edit your profile, you'd need to be certified.", "What do I need to do to get certified?\nA: [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors)", "Is there any tool that can read on-chain storage slot value, even including the private state?\nA: Yes. You can use tools like evm.storage or the Metadock chrome extension from BlockSec.", "How can I dispute an issue if it was marked as invalid?\nA: Just monitor the backstage channel for the post-judging stage of the concerned contest. You can provide your feedback accordingly.", "How long does it usually take for a desk request to be reviewed?\nA:", "Usually how much time does it take for a github organization invite to be sent to a certified warden?\nA:", "If a High-risk finding was submitted and it was marked as low risk, will there still be a reward? Vice versa?\nA: Correct, there will be a reward in both directions.", "Is there any tool that can read on-chain storage slot value even including the private state?\nA: Metadock chrome extension from BlockSec reveals these in etherscan for you too. 
Just be careful with the chrome extensions as I think there are scam ones trying to imitate this too.", "How much time does it usually take for a github organization invite to be sent to a certified warden?\nA: It looks like you have a pending invite for the certified team in github that was sent on 8/16.", "If we submitted a High risk finding and it was low risk, will we still be rewarded?\nA: Correct for both directions, whether it's a high risk reported as low or vice versa.", "Is there a way for the judges to prove their decisions in a transparent manner?\nA: It may be closed as Overly Inflated, meaning the judges have deemed the risk as being overstated.", "How long does it usually take for a desk request to be reviewed?\nA: We try to get to help desk requests within 1-2 business days.", "I sent a help desk request on Friday but have received no response, should I send another?\nA: Your request has been assigned to staff and they will work through it today.", "How to get leaderboard role at CodeArena?\nA: Just like that, just ask and you shall receive!", "I am certified but I can't edit my profile, why not?\nA: (No answer provided)", "Anyone knows how to test a block re-orgs? To be more detailed, I want to see the effect of block re-orgs on the block confirmation time in the Chainlink VRF v2 requestRandomness?\nA: (No answer provided)", "I thought I'd be able to \"edit\" analysis after submissions as stated on the post [link], it doesn't seem to be the case?\nA: To edit findings, etc., you'll want to go to the audit page and click the Your Findings button.", "I am certified but I can't edit my profile?\nA: [No Answer]", "Anyone knows how to test a block re-orgs? 
To be more detailed, I want to see the effect of block re-orgs on the block confirmation time in the Chainlink VRF v2 requestRandomness?\nA: [No Answer]", "I thought I'd be able to \"edit\" analysis after submissions as stated on this post https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118, it doesn't seem to be the case. So how can I edit my analysis report?\nA: To edit findings, etc., you'll want to go to the audit page and click the Your Findings button.", "How to participate in Bot Race?\nA: There's more information on this page for you https://code4rena.com/register/bot", "The registration for Bot Race is closed, so now what?\nA: We currently run a qualifier every few weeks, so would recommend keeping an eye on the #\u270brsvp channel for future qualifier dates. Will look something like this: https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784", "What is your recommended way to isolate your system on reviewing downloaded packages from sponsor? I'm seeing virtualbox can be a sample, any others?\nA: [No Answer]", "3 days have passed since I applied for KYC again, but provenance has not sent me an email (invitation link) yet. What should I do?\nA: [No Answer]", "What is considered valid and not? For example, imagine that we have a function and there are assumptions made about the code that is not explicitly mentioned in the README / code comments. 
Would like to confirm with the C4 team if the issues pertaining to this assumption is considered valid.\nA: [No Answer]", "Can someone point some resources for me to learn from about buying and selling options, more specifically put options, in regard to the Dopex audit?\nA: Here's a resource you can use: https://twitter.com/DegenShaker/status/1693630283499651386", "Could we submit different issues with different impacts or different attack scenarios with the same root problem?\nA: [No Answer]", "Can someone point some resources for me to learn about put options, which are being used in the Dopex audit?\nA: Here is a resource: https://twitter.com/DegenShaker/status/1693630283499651386", "Could we submit different issues with different impacts or different attack scenarios with the same root problem?\nA: No, all originates from the same root cause.", "Can someone please explain impact of this issue, what actually it can cause (price cumulative reverts due to additions)?\nA: [No Answer]", "If I have already submitted a medium report, if I am writing a QA should I include the medium report as well?\nA: No, you shouldn't.", "How to participate as a team(4) in auditing contests? There is only one wallet when we are registering for a contest. How to distribute the money?\nA: You can distribute the money using a multisig wallet or a Payment Splitter: https://docs.openzeppelin.com/contracts/4.x/api/finance#PaymentSplitter", "When will the bot registrations be opened?\nA: Keep an eye out in the #\u270brsvp channel - we'll announce the next bot qualifier there.", "Is there a way to use my bot that is not registered in chainlink protocol now?\nA: Not for this one - you'll need to wait for the qualifier.", "What happens if we can escalate a known low (general, poorly explained) from the automated findings to a high (contract logic specific)? 
Is that still ineligible?\nA: Just make a strong case for it.", "I was in the middle of the KYC process to become a certified warden, however, I made a new C4 account to change my username. Is it possible to transfer it over to my new C4 account (the KYC process hasn't been completed yet, it's still ongoing)?\nA: [No Answer]", "Is there a way to use my bot that is not registered in chainlink protocol now?\nA: Not for this one - you'll need to wait for the qualifier.", "What happens if we can escalate a known low (general, poorly explained) from the automated findings to a high (contract logic specific)? Is that still ineligible?\nA: Just make a strong case for it.", "I was in the middle of the KYC process to become a certified warden. However, I made a new C4 account to change my username. Is it possible to transfer it over to my new C4 account? \nA:", "Can I add members to my team? \nA: It still does not work.", "It appears that analysis report can be revised now. Is it ok if I revise it and submit it again?\nA: Should be all good.", "I am trying to send/transfer coins from my wallet but I lack Matic to pay the fee. Can anyone here with Matic on the polygon blockchain help?\nA: Send wallet address, I can send you some. You can also have a Matic swap here without gas fee https://wallet.polygon.technology/polygon/gas-swap.", "Why isn't the Object type highlighted, and why isn't the annotation @notice , @param being highlighted in the bottom when reading chainlink's contest using VSCode + Solidity by Nomic Foundation?\nA:", "Do wardens receive any payout when a high or medium finding is down-ranked to low or QA? \nA: The Judges add the downgraded findings to the warden's QA report. 
However, the finding should not be of C grade.", "Why isn't Object type highlighted, and why annotation @notice , @param isn't being highlighted in the bottom when reading chainlink's contest on VSCode + Solidity by Nomic Foundation, even after a successful forge build?\nA:", "In standard judging, is the QA report judged to be satisfactory/unsatisfactory based on the whole of the report, including factors like the number of findings, quality of writing, etc?\nA:", "What happens when findings submitted as H or M are accepted but their impact re-evaluated to either L or QA?\nA:", "Are the new L/QA findings that result from the re-evaluation of H/M findings part of a QA report?\nA:", "Are these findings manually added to the warden's QA?\nA:", "Can a warden receive any payout when a H/M finding is down-ranked to L/QA?\nA: Yes, if your H/M is downgraded to L, they're being added in your QA report. However, it should not be of a C grade.", "What's going on with the Basin audit? The result was cancelled without any notice and without any info when the correct results should become available.\nA:", "In the verification process to become a certified warden, is a passport needed? \nA: Not absolutely certain, but you can try with your proof of identity and confirm.", "Does reward distribution occur immediately upon reward announcement? Is there a set time before rewards get distributed or a range of time they typically happen after the reward announcement?\nA:", "Is there a problem with the website or is it an individual issue if someone is having trouble registering?\nA:", "What does it mean to be a certified warden?\nA: Certified wardens are verified contributors who have gone through a certification process. More information can be found in the following document: https://docs.code4rena.com/roles/certified-contributors", "What are the requirements to gain backstage access as a working team? 
\nA: The backstage requirements are available at: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. If you think you qualify, you can request backstage access via a help desk request at: https://code4rena.com/help", "Can one start with Damn Vulnerable DeFi as the first CTF?\nA: Yes, one can start with Damn Vulnerable DeFi as the first CTF, though completing Ethernaut first is often recommended.", "In order to be eligible for rewards in Chainlink contests, does one only need to go through KYC before submitting?\nA:", "What is left to gain backstage access? Could we get some kind of hard metric?\nA: Our backstage requirements are here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens If you think you qualify, you can request backstage access via help desk request: https://code4rena.com/help.", "Can I start with damn vunrable defi as my first ctf?\nA: It is advised to start with Ethernaut then proceed to damn vulnerable defi, but the choice is ultimately yours.", "In order to be eligible for rewards in Chainlink contests, do I only need to go through KYC before submitting?\nA: You can submit a report without being certified, but to receive Rewards you need to be certified.", "How can I embed code on a report?\nA: [No answer provided]", "Are the numerator and denominator in the _mintFee function of PancakeSwap V2, which is a fork of Uniswap v2, correct? The code can be reviewed here: https://bscscan.com/address/0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73#code\nA: [No answer provided]", "I've submitted 7 bug reports but haven't received any feedback, what could be the issue?\nA: [No answer provided]", "Can I receive rewards from any country if I'm a certified contributor?\nA: [No answer provided]", "Can I participate in contests without being a certified contributor?\nA: You may participate without being certified. 
However, some contests will require certification for payouts if any of your submissions are awarded."]
\ No newline at end of file
diff --git a/codeArena/codearena/codearena.json b/codeArena/codearena/codearena.json
new file mode 100644
index 0000000..1764d73
--- /dev/null
+++ b/codeArena/codearena/codearena.json
@@ -0,0 +1 @@ +["The name of the entity or project being discussed is derived from numbers that make words.", "The project is described as an interesting experiment and a variation of a bug-bounty, where it is time-limited and there is a guaranteed pot that pays out.", "There is interest in involving other security researchers in the project.", "There is a suggestion to create a page for the contest and list or link to wardens, judges, and sponsors.", "There is a suggestion to have a form for people to fill out when joining as a warden, including links to their socials, bio, avi, etc.", "There is a channel that can be added for ideas, and people are encouraged to submit PRs with any ideas to the GitHub.", "There is a document with notes about proposed website enhancements and additions.", "Access to the codebase will be available on February 17 @ 1400 UTC (9AM EST).", "The smart contracts being discussed are from the \"real world\" and will be used in practice, not just made for the purpose of the competition.", "These smart contracts will be deployed after being audited.", "There is an expectation that the team should not hide issues in the smart contracts on purpose.", "There are guidelines on how to report issues related to these smart contracts at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md", "There is a medium article on a competition for slingshot finance at https://medium.com/@scott_lew_is/slingshot-finance-sponsors-20-000-usdc-guaranteed-distribution-bounty-pool-for-code-432n4s-first-789514a8dc99", "There was an issue with delivering a message to submissions@code432n4.com because the domain code432n4.com couldn't be found.", "There was an issue with the domain code432n4.com not being found when trying to send a message to submissions@code432n4.com.", "Reports for the contest should be submitted at the end of the contest period.", "If two participants submit the same bug at the end of the contest, the judging criteria for 
duplicate submissions can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions", "There are resources available for learning about Solidity at https://solidity-by-example.org/0.6 and https://docs.soliditylang.org/en/v0.7.5/", "The #\u26bdteam-formation channel is recommended for joining a team.", "Judges for the contest are chosen based on experience and reputation.", "The results of the contest will be published after the contest concludes.", "The judging criteria for the contest can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md", "Information on how to run the slingshot code as it executes in the overall system can be found at https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#how-it-works", "The contracts can be compiled and function independently of the back end.", "A Loom video will be made to show how to set up the environment.", "There was a request for a countdown timer to ensure the submission deadline is not missed.", "A Loom video is planned to be created to show how to set up the environment.", "There is a request for a countdown timer to track the submission deadline.", "There is a suggestion to add links and preferred avatars from competing wardens to the home page along with the countdown.", "The stop time for the contest is February 21, 2359 UTC.", "There is a suggestion to create a leaderboard of the best contestants after the results of the contest.", "The leaderboard could be manually updated until a system is built to track it.", "There is a question about whether all participants reviewing are in the warden section.", "Submissions will be made available after the contest ends once possible exploits have been patched.", "The focus of the contest is on smart contracts, but suggestions are open if something else relevant is found.", "The Submission Policy states that submissions can't be made more than 3 hours prior to the 
contest stop time.", "There is a 3-hour window in which findings can be submitted.", "A suggestion was made to allow submissions any time prior to the contest end time, with a policy of accepting only the first or last entry from each person or team.", "If participants have code that runs proof of concept for each bug, they can submit it by adding a zip file to the submission or sharing a private GitHub repo.", "The documents will be updated to reflect the suggestion of allowing submissions any time prior to the contest end time.", "Each proof of concept is about 50 lines long and is part of a whole hardhat project so that they can be run.", "There is a discussion about how to submit proof of concept (POC) code for each bug found in the smart contracts.", "The POC code can be submitted as a zip file or through a private GitHub repository.", "The POC code is part of a hardhat project and each POC is about 50 lines of code.", "There is a suggestion to add GitHub usernames to the submissions.", "There is a link provided for sharing vulnerability/discovery POC at https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc", "There is a discussion about whether to consider the potential impact of misbehavior of the owner of the smart contracts.", "The project should add a proper trust model description for involved roles to answer these kind of questions.", "There is a consideration of social engineering attacks on the owner of the smart contracts.", "Some participants considered a malicious or compromised owner out-of-scope for this game.", "There is a question about the correct email for sending submissions, which is clarified as submissionS@code423n4.com.", "There is a question about the trust model for ElasticDAO, specifically about the controller and the summoners.", "The controller/minter/burner can be trusted as it is a multisig that enacts the snapshot votes on chain.", "There is a discussion about how to 
contribute to the project, with suggestions to become an auditor or to participate in a code contest as a warden.", "There is a link provided to old audit reports at https://chainsecurity.com/audits/ for those interested in becoming auditors.", "There is a question about the lead time if someone were looking to sponsor a contest.", "The project is mostly targeted at auditors.", "One way to contribute to the project is by becoming an auditor.", "Learning about the project can be done through reverse engineering, reading old audit reports, and understanding each issue raised.", "Audit reports are available at https://chainsecurity.com/audits/.", "There are opportunities to contribute to the project as a warden in code contests.", "The lead time for sponsoring a contest is not long, but specific timeframes are not provided.", "The source code for Maple Finance is discussed, but no specific link or location is provided.", "The maple-core repo has a test script set to use 100 fuzz runs, but for first time users, it is recommended to use 1 fuzz run and then increase to 10-100 fuzz runs after the first run.", "The results of previous competitions will eventually be made public and each contest will have a report generated for it.", "The only public report at the time of the chat is the ElasticDAO report, which can be found at https://ipfs.io/ipfs/QmU7JQUCuciGJ9EVApWnPvBCy32eYQnREDFGsxoyDR6w3j.", "Results and public findings are posted in the #announcements channel.", "To become a warden, one must register by joining the #\ud83d\udc3ai-want-to-be-a-warden channel and stating their interest.", "Teams can be registered by creating a team handle and adding it to the project's GitHub page at https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json.", "Teams should use their team handle when submitting issues and can add other members' handles as well.", "Team members can be added by dropping a PR and using the team handle when submitting issues.", 
"For the maple-core repository, there are issues with updating submodules via public git due to 'Permission denied (publickey)'.", "Maple submissions are supposed to be made through https://c4-maple.netlify.app/ and not via email.", "Handles can be added to the code423n4.com repository, and any handle can be used, including a GitHub or Gab handle.", "The handle is used for the leaderboard on code423n4.com and for handling award processing.", "A team request was submitted via a pull request on https://github.com/code-423n4/code423n4.com/pull/28.", "The repository for the Vader protocol is https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol.", "A mathematical formula for syntheticAssets was added to the Vader protocol repository at https://github.com/code-423n4/2021-04-vader/commit/3041f20c920821b89d01f652867d5207d18c8703.", "There are a number of wardens competing for the Vader protocol bounty.", "Results for past projects are being worked on and should be up soon.", "Marginswap awards and results are expected to be announced the next day.", "Maple is just starting with sponsor review and then will move on to judging.", "Questions about the Vader protocol can be directed to a specific individual, and the latest updates have been posted at https://github.com/code-423n4/2021-04-vader.", "Marginswap awards and results are expected to be announced the day after the chat.", "Maple is starting with sponsor review, then proceeding to judging.", "For Vader, questions around the protocol can be directed to the main developer.", "Updates for Vader, including mathematical formulas of synths, have been posted at https://github.com/code-423n4/2021-04-vader", "An incorrect copy of Vether.sol was put into the Vader-Review repo, the correct code deployed on Mainnet is available at https://etherscan.io/address/0x4Ba6dDd7b89ed838FEd25d208D4f644106E34279#code", "The incorrect testing contract that was uploaded can be found at 
https://github.com/code-423n4/2021-04-vader/blob/main/vader-protocol/contracts/Vether.sol", "The main Vader developer is considered legitimate by the organization.", "All contracts for testing are in https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol/contracts", "There is missing functionality in the Vader protocol that is yet-to-be/being added, as indicated at https://github.com/code-423n4/2021-04-vader#known-deviations-from-spec", "The fairness of the contests is essential so the judging process will keep this in mind.", "The default will be based on the provided contest code, and the assumption that wardens have not received further updates beyond what was available at contest start in the repo.", "If there are additional findings in the mainnet contract, those can qualify as well.", "The missing logic, which is outlined in the README, is outside the scope of the review.", "VETH is a fair launch distribution mechanism for VADER, a liquidity protocol that combines slip based fees of rune, IL protection of Bancor, burn to mint stablecoin of Luna, pool collateralized synthetics with 1:1 purchasing power that are interest yielding like anchor, and synths can also be used to borrow directly from the AMM for capital efficiency.", "Vether attempts to drive value accrual from Vader to Ether via a daily auction process that requires participants to burn their ETH to obtain VETH.", "More information about VADER can be found at https://linktr.ee/VaderProtocol", "The handles for the leaderboard will be updated once several of the process pieces have been reworked.", "A PR was definitely merged from https://github.com/heiho1/code423n4.com/pulls", "For Visor finance, there was a question about which contracts should be reviewed.", "There is a process for updating handles for individuals and teams, but it is currently delayed due to a backlog.", "The handles are used for the leaderboard.", "A pull request was merged from 
https://github.com/heiho1/code423n4.com/pulls", "For Visor finance, only the Visor.sol contract should be reviewed.", "Questions related to FairSide can be directed to a specific individual via direct message.", "Gas optimizations and better defining the formula are eligible for the contest and would be appreciated.", "There is no dedicated pot for gas optimizations.", "Formula optimizations will be considered for a medium to high \"share\" allocation.", "A whitepaper was pushed to the C4 GitHub repository under /docs.", "A video was recorded walking through the main contracts in the Vault: https://youtu.be/D-hSiGeNpuY", "A sample of a script to deploy and set up Yield v2 was shared.", "Questions can be asked in private for detailed answers and guidance.", "An explanation of how users interact with Yield v2 was provided.", "The contest had approximately 36 hours remaining at the time of the chat.", "Users are encouraged to ask questions privately for detailed answers and guidance.", "The interaction with Yield v2 is explained in the chat instead of a video.", "There is a time limit of approximately 36 hours for a certain task.", "The severity of issues is to be considered based on guidelines outlined at https://code423n4.com/judging-criteria/", "The complexity of calculating the severity for each issue is acknowledged.", "There is a concern about the lack of exploration of exploits involving a batch with several actions.", "Handle registration is mandatory for submitting something.", "There is a grace period on submissions.", "The self-assessment of risk is considered important and can make a difference.", "The severity of an issue is ultimately determined by a judge.", "There is a significant difference between award levels for severity.", "A user is added as a warden.", "There is a request to check https://github.com/code-423n4/code423n4.com/pull/62", "Week-long contests are run each week.", "Upcoming audit contests are listed on the website: code423n4.com", 
"Reality Cards is starting in about ~11 hours and Pool Together will start next week.", "There is a suggestion to draft a post for announcements to make it easier for newcomers to know where to find key information to start participating.", "The co-founder of Reality Cards and their solidity engineer are present in the chat.", "The Reality Cards bug bounty is starting in 6 hours.", "There is an outreach effort to connect with users and ask them about their experiences with C4.", "Upcoming audit contests are listed on the CodeArena website at code423n4.com.", "Reality Cards and Pool Together are two upcoming audit contests.", "There is a suggestion to create a post in the announcements or start-here channel to make it easier for newcomers to find key information.", "Reality Cards is starting a bug bounty.", "Users can ask questions about the RealityCards code.", "PoolTogether is available for questions and direct messages.", "Lion's Mane is working with the Tracer DAO on a Tracer bug bounty.", "There is a contest preview channel.", "Users need to register as a warden to see the contest preview channel.", "Gro protocol is running a competition and is available for questions.", "Wild Credit has a protocol developer available for questions.", "Connext is running a flash context and has a video walkthrough available at https://youtu.be/ABEOIKzEshA.", "InvariantTransactionData.transactionId is a unique identifier for the crosschain transfer to be used in Connext's protocol.", "Spartan Protocol contest has started and users can ask questions.", "Sherlock contest has started and users can ask questions.", "Sherlock V1 has been designed this year and is participating in the arena.", "Sherlock protocol is technically unaudited as the results of the Quantstamp audit have not been received yet.", "A unique identifier is used for the crosschain transfer in the context of the router and subgraph.", "There is a Spartan Protocol contest ongoing and participants are encouraged to 
ask questions either privately or in open discussion.", "The Sherlock contest is also ongoing, and participants can ask questions privately to the host.", "Sherlock V1 has been designed this year and is participating in the arena.", "An advisor to the Sherlock protocol will not be participating in the contest.", "The Sherlock protocol is technically unaudited as the results of the Quantstamp audit have not been received yet.", "There is a micro-audit for PoolTogether starting soon and participants can ask questions to the point of contact.", "The PoolTogether code for the audit can be found at https://github.com/code-423n4/2021-07-pooltogether.", "The two contracts in scope for the PoolTogether audit are linked in the README.", "There was confusion around tests and peripheral code such as interfaces in the last audit.", "There is a question about what happens if multiple people report the same vulnerability.", "Some wardens act as teams in the contests, as seen on the leaderboard at https://code423n4.com/leaderboard/.", "Forming a team can increase chances of winning and prevent splitting awards at a decaying level.", "There is a question about the difference between low/medium/high risk finds.", "The final determination of severity is made by an independent judge with deep solidity knowledge, as explained at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr.", "Beginner solidity developers are encouraged to participate in the competition to sharpen their skills.", "The float capital $50k audit contest is starting soon and the code for it is at https://github.com/code-423n4/2021-08-floatcapital.", "Beginners looking to start smart contract bug bounty hunting are recommended to start with https://cryptozombies.io/ and https://capturetheether.com/.", "OpenZeppelin webinars on governance mechanisms and best practice are recommended for security auditors, with the first video in the series at https://youtu.be/6GaCt_lM_ak.", "A beginner in 
blockchain bug bounty hunting is advised to start with https://cryptozombies.io/ to get a feel for solidity.", "Capture the Ether (https://capturetheether.com/) is suggested as a useful resource for beginners in blockchain bug bounty hunting.", "There is a Github repository for the project at https://github.com/code-423n4/2021-08-floatcapital.", "More videos are planned to be added to a walkthrough playlist, particularly walking through the Staker.sol and some of the incentive curves in the system.", "The OpenZeppelin webinar on governance mechanisms and best practice is recommended for security auditors, with a link to the first video in the series https://youtu.be/6GaCt_lM_ak.", "A new video has been added to a YouTube playlist, walking through some subtleties in the SyntheticToken contract https://www.youtube.com/playlist?list=PL7RT-0ybd7joiqKeGklvFxcc8dNWpPBCk.", "FloatCapital_v0.sol, Treasury_v0.sol, and orcales/ are not in the scope for bounties.", "The term \"target side\" and \"origin side\" relate to shifting between long and short positions within a market.", "Learning Solidity is recommended for understanding the code base and how the system works.", "Another video is planned to give more details on the Staker.sol contract.", "A new video about Staker.sol has been added to the playlist https://www.youtube.com/playlist?list=PL7RT-0ybd7joiqKeGklvFxcc8dNWpPBCk.", "The nature of the competitions is that the findings are kept under wraps until the contest is over and the judging process has been completed. 
Duplicate submissions are not a problem.", "The incentive structure and judging criteria for the competitions are explained at https://docs.code4rena.com/.", "Two big bugs have been found in the internal audit that have not been picked up by any wardens yet.", "There is a Discord community for the project at https://discord.gg/5WHvfHeSwr.", "The team is aiming for a quick turnaround time in going through the submitted issues.", "There was an ongoing audit contest with a prize of $50k.", "Two significant bugs were yet to be found in the audit contest.", "The contest had a time limit, with reminders given when there was 16 hours and 1 hour 18 minutes remaining.", "The contest was a learning process for beginners.", "Once the findings repo becomes public, it can be used to learn from other wardens' findings.", "The Discord server has been updated to have each contest have its own channel for questions, code walkthroughs, etc.", "CodeArena is not exactly a bug bounty platform like HackerOne. 
A comparison between bug bounties and C4 audit contests can be found at https://docs.code4rena.com/.", "There was a question about the payout for the gravity bridge competition, with the response indicating it would happen within two weeks.", "There was a question about making a submission on a program, with the response indicating that the user's handle had been added.", "There was a question about contacting Wild Credit regarding their provided code, with the response directing the user to a specific channel or to direct message a specific user.", "There was a question about the visibility of a channel, with the response indicating that the issue had been resolved.", "There was a question about the completion of individual warden registrations, with the response indicating that they were complete and the user should be able to access the repo.", "There was a discussion about the challenges of setting up the environment for auditing contracts, especially when there is limited documentation, no test cases, and no deployment scripts.", "One suggestion was to write a test for the code in the existing test environment, rather than trying to deploy all contracts.", "If there is no test setup in the C4 repo, one suggestion was to check if there is a repo on the sponsor's GitHub that has a test setup, or to pull out the code or rewrite parts of the contract to easily test the snippet.", "Some contest repositories have limited documentation, no test cases, and no deployment scripts, which can make setting up the environment time-consuming.", "Some users write tests in the existing test environment of the repository to confirm code functionality.", "If there is no test setup in the repository, some users check if there is a repository on the sponsor's GitHub that may have a test setup.", "If no test setup is available, some users pull out the code or rewrite parts of the contract to test the snippet they want to test.", "Eth-brownie is mentioned as a helpful tool for 
mocking contract deployments and setting up fixtures for certain contract deployments.", "The Yaxis audit report will take longer than usual to be posted on the website due to a high participation rate and a large number of submissions to review.", "Rinkeby testnet tokens can be obtained from https://faucet.rinkeby.io.", "The process to withdraw a contest report is described in the documentation, but users can also direct message the staff for assistance.", "Bug finding submissions can be viewed at https://code423n4.com/reports and https://github.com/code-423n4.", "After submitting a finding, users do not need to do anything else but wait until the contest ends and check the results on the website.", "The contest awarding usually takes a couple of weeks to be finalized after the contest closes.", "There are ongoing conversations about many more competitions.", "Users can alter the severity of their reported bugs after the closing time of the contest by contacting the staff.", "Participants can alter the severity of their reported bugs after the closing time of the contest through direct messages or by contacting the judges.", "There is a vault that is reported to be bugged, with the link to it being https://etherscan.io/address/0x9705e8807aae04c7dc0967da9cab8af65d2f2135.", "The report for the Yaxis audit is being worked on, with the sponsors having the final say on the publication timing to give them sufficient time to mitigate issues.", "The average turnaround time from audit competition to release of reports is about a month, with efforts being made to decrease this time.", "Team members can be added to the boot finance rooms to monitor progress.", "The Overlay Protocol contest was delayed by 5 days, with the start date changed to 11/16 at midnight UTC.", "If the same vulnerability is found in multiple different components of the codebase, it may count as two separate findings rather than a duplicate, but this is ultimately up to the judge's discretion.", "Awards 
are distributed based on individual issues, with multiple items in one submission counting for one submission.", "Markdown is suggested for formatting code in contest findings, with a code block in markdown being surrounded by ``` on either side.", "Non-critical findings do not have a share in the award pot.", "There is currently no incentive for QA type of submissions, as sponsors are interested in high/medium/low severity vulnerabilities and gas optimizations. There has been discussion of possibly having a small QA pot if sponsors want this sort of submission, but there is no mechanism for it at this time.", "There is no share for non-critical findings in the auditing process.", "Currently, there isn't an incentive for QA type of submissions, sponsors are interested in high/med/low severity vulnerabilities and gas optimizations.", "There is a suggestion to add the severity of the bug to the C4 emails that are sent out after an issue is submitted.", "There is a suggestion to add position numbers to the leaderboard.", "There is a suggestion to add a Low column to the leaderboard.", "There are plans for the leaderboard, which are currently in the idea phase.", "There is a suggestion to put roles in discord that reflect the leaderboard.", "There is a suggestion to sort the projects by date directly and to move the actual project into a project directory, keeping the README in the top-level one.", "There is an idea to apply different timelines to the leaderboard, in addition to \"all time\", such as a \"last 3 months\" view.", "There is a suggestion to collect badges for various achievements, which could potentially be tokenized as NFTs.", "There is a suggestion to have seasons for the leaderboard, each season lasting a year, and at the end of the season everyone on the leaderboard gets an NFT for that season which includes metadata of the rank and money made.", "There is a suggestion to end the season when somebody hits a certain $ target, making each season a 
race.", "There is a reference to a behavior of Brownie, a Python framework for Ethereum smart contract testing, deployment, and interaction. The behavior is that the project name must start with an alphabetical character, which can cause issues with the default naming convention of C4. The link to the relevant code in the Brownie project is https://github.com/eth-brownie/brownie/blob/0fa4477a178bd55b6683f60d077b7060df02b2c5/brownie/project/main.py#L740.", "There is a suggestion for a season to last 4 or 6 months to allow people to work consistently and then take a break.", "The idea of ending a season when someone hits a certain $ target was proposed.", "There is a suggestion to use the average percentage of pool awarded as a metric, as not everyone participates in every contest due to various reasons such as lack of time or preference.", "The awarding process for bug bounty is considered difficult to understand by some participants.", "The risk estimation for the contest is categorized into four levels: Non-critical, Low, Med, and High, each with specific criteria.", "Information about the incentive model and awards can be found at https://docs.code4rena.com/#incentive-model-and-awards", "There is a suggestion box channel for sharing ideas for improving the website, leaderboard systems, contest processes, and Discord setup.", "The streaming protocol contest was postponed and will be starting on 11/30.", "To update a submission, one can direct message the organizers.", "The awards for the Fairside contest are expected to be announced the following week.", "The audit reports for the competitions are published after the contest finishes, sponsor reviews issues, judging, awarding, and reporting. 
The speed of this process varies widely, but efforts are being made to speed up these steps.", "Fairside awards are being worked on and are expected to be announced the following week.", "The process for the competition involves contest finish, sponsor reviews issues, judging, awarding, and reporting.", "The C4 team usually gets awards and reports out in less than a week after sponsor review and judging are done.", "The speed of sponsor review and judging can vary widely, from as fast as a 2 week turnaround to 6+ weeks in some cases.", "The C4 team is constantly working on improving their tools and tightening processes to speed up these steps.", "There is a process for submitting issues, and it's possible to submit the same issue twice for clarification.", "There is a registration process to become a Warden at https://docs.code4rena.com/roles/wardens", "The C4 team was out for Thanksgiving and would be back the following Monday.", "There was an issue with email receipts for contest findings not being received.", "The issue with email receipts might be related to a problem with Github at https://www.githubstatus.com/incidents/r5qrpp2f5fc0", "The contest findings can be found at https://code4rena.com/reports", "There was an issue with a user's email flagging C4 emails as spam.", "The term \"gov-wg\" refers to a Working Group set up for a DAO structure.", "Some users have experienced issues with receiving emails from CodeArena, with emails being flagged as spam.", "Users are advised to switch to a different email address if they are experiencing issues with receiving emails.", "\"gov-wg\" refers to a Working Group set up to establish a DAO structure.", "There was a dispute regarding a submission on CodeArena, which was marked as disputed due to the issue being described in the documentation. 
The link to the disputed submission is https://github.com/code-423n4/2021-10-slingshot-findings/issues/21 and the accepted submission is https://github.com/code-423n4/2021-10-slingshot-findings/issues/82.", "In the contest at https://code4rena.com/contests/2021-11-streaming-protocol-contest, the contracts mentioned are StreamFactory, Stream, and LockeERC20. However, in the repository at https://github.com/code-423n4/2021-11-streaming/tree/main/Streaming/src, only Locke and LockeERC20 appear.", "All the mentioned contracts are inside locke.sol.", "Users can add screenshots to the report of vulnerability by using Markdown and embedding a remotely-hosted image.", "Gas optimizations are awarded from a separate award pool that is specified on the CodeArena website and in the contest repo. The link to the award calculation is https://docs.code4rena.com/#incentive-model-and-awards.", "There is no additional weighting among gas optimizations. All valid findings are weighted the same.", "Users can contact the protocol team for clarification by reaching out in the contest channel.", "There was a schedule for Christmas that included some downtime. The link to the schedule is https://discord.com/channels/810916927919620096/810929015509483554/908791439771725854.", "There is a way to contact the streams' protocol team for clarification.", "The best option to reach out is in the contest channel.", "There is a need for the warden role to see the contest channels, which can be obtained by filling a form on the website.", "In case of a source code leak, anyone could fork a project and deploy the same code, but users are unlikely to interact with it unless the team endorses it.", "The tool that generates a specific output is not known, but most people use Slither.", "There is an incentive for wardens to submit non-critical vulnerabilities as it benefits the sponsor, even though they are not taken into consideration when calculating awards. 
The link to an example of a non-critical vulnerability is https://github.com/code-423n4/2021-10-tracer-findings/issues/5", "If two critical vulnerabilities can be combined to create a third, much more powerful one, it may be worth dropping a third finding explaining the proof of concept.", "Once a finding is submitted for a contest, the only confirmation received is the mail copy of the form.", "The warden resources seem to be geared towards solidity tutorials, and a user is looking for Cosmos related learning resources.", "The funds will be sent to a specific address regardless of wallet settings, and to move the funds, a transaction on polygon needs to be sent.", "Metamask should be able to show the tokens in an address when swapping networks to Polygon. If not, the tokens can be manually added in. The address can be monitored at https://polygonscan.com/address/", "To move the funds back to the mainnet, the polygon bridge can be used at https://wallet.polygon.technology/. Alternatively, funds can be deposited directly into a CEX that supports native polygon deposits.", "In a findings report, adding a link that points to the sponsor's github repo code does not automatically pull in that code snippet to the report.", "There was a prize of USDC announced on 6th December related to badgerdao ibBTC.", "The payment of the prize will be made on the Polygon network.", "Metamask can show tokens in an address when networks are swapped to Polygon.", "Tokens can be manually added in Metamask if they do not appear automatically.", "An address can be monitored on Polygon at https://polygonscan.com/address/.", "Funds can be moved back to the mainnet using the polygon bridge at https://wallet.polygon.technology/.", "A findings report does not automatically pull in a code snippet from a link pointing to a sponsor's GitHub repo code.", "The actual code needs to be added to the findings report along with the link.", "There is a form on the website to submit findings.", "There is a 
process to verify wardens.", "The funds for the 2nd place winner of the nested finance audit contest were not yet sent out at the time of the chat.", "There is a way to edit a finding after it has been submitted.", "The organizer team can help update an issue.", "The funds for the contest will be sent on Monday or Tuesday.", "Awards from the recent fairside contest have not been distributed yet.", "Awards are distributed on the Polygon network.", "The process of becoming a warden was discussed.", "The reward distribution process takes longer than expected due to an increase in wardens and contests.", "Reducing turnaround times for reward distribution is a high priority.", "There is a way to register as a warden.", "The project team for a specific project can be found in a specific channel.", "The project team members can be directly messaged for consultation.", "The project team members can be found and consulted in a specific channel on the Discord.", "Users need to register as a warden to access certain channels.", "There was an issue with the submission form that was causing a purple screen to appear, which was later fixed.", "The submission forms should work unless a user is using a smart contract wallet like gnosis or argent.", "Findings from the contest are confirmed and discussed after the contest ends.", "The issues of a project named \"fei\" are not public yet, but will be compiled into a report and shared later.", "Zero address checks are considered a valid finding as they can lead to loss of funds if tokens are transferred to a zero address.", "There was a discussion about what is considered to be a privilege escalation.", "Some contracts are like a \"snapshot\" of OpenZeppelin (OZ) contracts, and this is usually done to allow the project to make necessary changes to these external contracts to suit their project requirements better.", "There was a question about whether there is a tool that allows auditors to see \"diffs\" in contracts.", "A link to a 
GitHub issue was shared: https://github.com/code-423n4/2021-10-badgerdao-findings/issues/5", "There is a suggestion to start a list of common issues that should be flagged as non-critical or informational.", "Some contracts are like a \"snapshot\" of OpenZeppelin (OZ) contracts, which is a common practice to allow the project to make necessary changes to these external contracts to suit their project requirements better.", "Auditors may need to manually check the differences between contracts, or they might be able to run a diff command on the two contracts.", "It's common to copy/paste OpenZeppelin source code into the repo without using the npm library.", "OpenZeppelin provides a wizard for contract creation at https://docs.openzeppelin.com/contracts/4.x/wizard", "Each issue in the auditing process is evaluated strictly on what was submitted, and judges do not have the capability to \"multiply\" an issue.", "Hardhat is a tool used for running tests on a forked network.", "Submissions for audits should be done using the \"Submit finding\" button of the specific contest on the main page, each finding should be submitted separately.", "The old submission template at https://github.com/code-423n4/code-contests/blob/4db2720312f0958f2e89f6207a6774c9e5360655/SUBMISSION_TEMPLATE.md is outdated and not in use anymore.", "Gas optimizations should be submitted as separate issues for different optimizations.", "If two people are a team and use the same warden, and they find the same issue and they both submit it with different wallets, it is not clear what happens in this scenario.", "There was a broken link that was reported and fixed through a pull request.", "Gas optimizations should be reported as separate issues for different optimizations.", "If two people find the same issue and submit it with different wallets, each will get less than half of the reward. 
More information can be found at https://docs.code4rena.com/#incentive-model-and-awards.", "There was a delay in the distribution of awards for a certain event, but they were eventually received.", "Nested Finance awards were distributed.", "There is an interest in creating a contest for auditing code for an AMM project on the Algorand Blockchain.", "Users should receive an email of their submission, whether it is valid or not.", "The contest process includes completion, Sponsor Review, Judging, Awarding, and Reporting stages.", "The results of submissions will be visible in the final published report and the findings repo will also be made public.", "There is no email notification for the validity of each submitted issue.", "There is a suggestion for an email summary of an individual warden\u2019s performance as a future feature.", "The Livepeer contest page is at https://code4rena.com/contests/2022-01-livepeer-contest.", "There is a query about creating a proposal.", "There is a query about the address of the C4 token.", "There is a Livepeer contest on CodeArena, which can be found at https://code4rena.com/contests/2022-01-livepeer-contest.", "Users can create a proposal, but they need to have (or be delegated) 50k tokens to make an on-chain proposal.", "The address of the C4 token is 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222.", "Users can attach their Twitter handle and profile picture to their CodeArena profile by making a pull request at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles.", "Users are currently advised not to change their handles due to the amount of data keyed off that.", "To verify changes to handles, users can create a signed message at mycrypto.com and add the json to the PR using a wallet address they have used in a contest.", "The link to create a signed message is https://app.mycrypto.com/sign-message.", "There is a discussion about the best platform to buy Matic, with a link provided for further information: 
https://discord.com/channels/810916927919620096/824698635815223316/915880736664461322.", "There is a query about receiving an award from Mellow Protocol, with the response indicating that the rewards have not been sent yet.", "There is a question about counting the number of lines of code in a Solidity contract, with two tools mentioned: Solidity Coverage (https://www.npmjs.com/package/solidity-coverage) and Solidity Metrics nSLOC (https://github.com/ConsenSys/solidity-metrics).", "The PAST CONTEST STATUS UPDATES are listed as a timeline, showing where contests are currently in the process.", "The order in the PAST CONTEST STATUS UPDATES section represents the order of the contest progression.", "There is a question about updating/confirming a reward wallet address.", "The goal is to pay awards in the same week they are announced.", "The team is working on processing several rewards by the end of the week, including MapleOverlaydefiprotocol 1defiprotocol 2yAxis mini 1MellowBootUnlockStreamingProtocolPerennial.", "The PAST CONTEST STATUS UPDATES section shows where contests are currently in the process.", "The order in the PAST CONTEST STATUS UPDATES section represents the order of the contest progression.", "Users can update or confirm their reward wallet address.", "Awards are generally paid in the same week they are announced.", "The team is working to process a number of awards by the end of the week, including MapleOverlaydefiprotocol 1, defiprotocol 2, yAxis mini 1, MellowBoot, UnlockStreamingProtocol, and Perennial.", "Users can participate in the contests once their status is approved.", "It is possible to direct message someone from the code4arena.", "It is possible to change the wallet address to which users receive tokens, but it requires significant effort on the part of the team to manage this.", "The team collects the wallet addresses separately for each contest and does not store them centrally.", "If a user requests an address change, the team needs 
to collect a list of every contest they used that wallet form, and then manually update the wallet address for each one.", "The team is working on a better process for changing wallet addresses in the future.", "Teams generally get a few contracts reviewed or entire protocols.", "Rewards for Yeti Finance are likely to be distributed the following week.", "Users are recommended to ensure they receive email confirmation of each submission.", "The email confirmation does not contain the Ethereum address provided by the user.", "Judges and sponsors appreciate when similar issues are grouped together in submissions.", "There was a spam issue with Yahoo and Hotmail email addresses in the past.", "There was a concern raised about a potential scam.", "A user reported not receiving an email regarding a low severity issue.", "There was a discussion about whether the code trims whitespaces on the Polygon address or the email.", "A question was raised about whether rewards could be paid partially or are always fully paid.", "A user found an email in the spam folder that they had been looking for.", "There was a question about a discrepancy in the number of lines of code (LOC) in the Sherlock contest README and the actual contract files. 
The Sherlock finance's repo is https://github.com/code-423n4/2022-01-sherlock.", "The LOC discrepancy was clarified as being due to the difference between actual lines and source lines of code (SLOC), with the 179 LOC being the number of actual lines calculated by solidity-coverage.", "A suggestion was made to standardize the way LOCs are counted in future contests to avoid confusion.", "There was a question about whether it is possible to look at all the findings of a contest after it finished but before the results are published.", "A user asked if there is a way to review why a submission to a contest was not rewarded.", "It was clarified that when the report is out, the repo will be fully opened and participants will be able to see the discussion among sponsors and judges on the specific issue.", "A question was raised about whether wardens who report the same vulnerability but with different severities are given the same severity for award calculation.", "It was clarified that the intent behind deduplication is to judge and determine severity after that.", "There was a question about the leaderboard not having the Sublime contest.", "It was mentioned that the Sublime contest leaderboard was being worked on.", "If wardens report the same vulnerability but with different severities, they are given the same severity for award calculation.", "When a submission to a contest is made but not rewarded, it is possible to review why the submission was not accepted once the report is out.", "The order of issue submission does not necessarily determine which issue is considered the original and which are duplicates.", "Judges pick the primary issue based on the quality of the write-up.", "There is a suggestion to incentivize the \"best write-up\" to encourage high quality submissions.", "The primary issue gets to represent the bucket in the published report and the warden gets first attribution.", "Judges can mark an issue to have a higher risk than the proposed risk by 
wardens if deemed necessary.", "There is some sybil resistance for duplicate submissions of the same vulnerability. Each instance is awarded a share of 1 point depending on the number of duplicates.", "If a participant gets rewards both individually and as a part of a team, their name will appear twice on the leaderboard.", "If no Medium/High vulnerabilities are found, the full pool would then be divided based on the QA Report curve.", "The FEI contest had only low vulnerabilities. The report can be found at https://code4rena.com/reports/2021-11-fei.", "Participants can have their names appear twice in the team.", "If no medium or high vulnerabilities are found in the smart contracts, the full pool would then be divided based on the QA Report curve.", "There have been a few contests with no high vulnerabilities and no contests without a medium vulnerability.", "The FEI contest only had low vulnerabilities, as shown in the report at https://code4rena.com/reports/2021-11-fei.", "The full report of a contest will be graded on a curve against the other reports.", "Non-critical and low severity findings would go into a single report.", "It is possible for a low-impact QA report to be upgraded to a high-impact report.", "Part of auditing is demonstrating proper theory of how an issue could be exploited.", "The DAO constitution prioritizes actions without a vote and has delegated responsibility for running contests.", "A forum post that works through all the moving pieces in the opening constitution and delegation can be found at https://forum.code4rena.com/t/c4ip-1-2-3-4-5-constitution-dao-bootstrapping-reimbursements-token-sale/93.", "The findings repository is typically not made public when the awards are published because the sponsor generally hasn't finished their mitigation work by that time.", "Some of the projects are deployed at the time of the contest.", "The Malt prize pool was changed to account for the increase in judging fee.", "The increase in the judging 
fee was discussed in the wardens channel due to overwhelming levels of issues on some contests and limited judge availability.", "There was a backlog of issues on some contests due to overwhelming levels and limited judge availability.", "The team had to increase offers for judging compensation for a period of time to clear out the seriously lagging contests in the backlog.", "New contests that are starting will be implementing a new submissions mechanism.", "There were several successful submissions received in the beholder repo during a GitHub outage.", "Beginners interested in learning about different roles in the space can start with resources such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources.", "Constants are cheaper than immutable variables as constants are calculated and filled in at compile time, while immutable variables are read-only state variables.", "Both constants and immutable variables are embedded into the bytecode at deployment, but it costs gas to read state from the contract.", "There are cases where immutable costs less gas than constants, as shown in https://github.com/code-423n4/2021-11-overlay-findings/issues/111.", "As of July 2020, the gas cost for constant and immutable is about equal, as discussed in https://twitter.com/GalloDaSballo/status/1476925462010122245 and https://ethereum.stackexchange.com/questions/118547/is-the-gas-cost-for-constant-and-immutable-about-equal.", "Submissions can be withdrawn by direct messaging a team member.", "A certain finding was true but is no longer the case as of July 2020, as discussed on https://twitter.com/GalloDaSballo/status/1476925462010122245", "Immutable and constant in the context of smart contracts both get inlined at deploy time, as discussed on https://ethereum.stackexchange.com/questions/118547/is-the-gas-cost-for-constant-and-immutable-about-equal", "There is a procedure to withdraw a submission by direct 
messaging a specific individual.", "There is a question about whether XDEFI has sent their rewards.", "Rewards are allocated on a curve, explained with an analogy of grading homework/exams.", "There is a question about how the rewards would be distributed if there are different quality tiers among the wardens.", "There is a question about what activates a callback in solidity besides Ethereum transfer.", "Callbacks in solidity can be activated by safeTransferFrom onERC721Received, onERC1155Received of ERC1155, tokensReceived tokensToSend of ERC777, and any call to an untrusted external contract. Callbacks are also used in protocols like flashloans, oracles, balancer.", "Judges can potentially increase the severity of a finding from low to medium.", "There is a question about the completion of nftx findings.", "If a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week.", "There is a discussion about whether a situation where a user can lose funds but the admin is involved in the procedure is considered High.", "There is a question about whether there will be an announcement distinguishing the reward for each pool when there are separate pools for different reports.", "There is a question about a size limit on submissions due to errors encountered during submission of a gas report.", "The admin of a smart contract can be incentivized to lock a large amount of tokens in cyberspace to reduce the number of tokens available for trade in the market, which could cause the price to rise.", "The admin of a smart contract is typically a governance framework.", "There are separate pools for different reports and there will be announcements distinguishing the reward for each pool.", "There may be a size limit on submissions, as a user reported an error when trying to submit a gas report.", "For QA & gas reports, users can send one email for each of the two reports to report@code4rena.com.", "Low and 
non-critical reports (and gas optimizations) for badger citadel should be submitted through the same form.", "Submissions should be in plain text markdown format.", "Emails for submissions may sometimes end up in the spam folder.", "The Cosmos blockchain uses the Rust programming language.", "A link to a Twitter post about smart contracts was shared: https://twitter.com/timurguvenkaya/status/1475843655567089676?s=20", "A link to a course on CosmWasm smart contracts was shared: https://academy.terra.money/courses/cosmwasm-smart-contracts-i", "A link to the GitHub repository for the Anchor Protocol was shared: https://github.com/Anchor-Protocol", "There was an inquiry about getting smart contracts audited for a product being built on the Polygon blockchain.", "The question of whether a minter or burner role is an issue was raised.", "There is a course on CosmWasm smart contracts available at https://academy.terra.money/courses/cosmwasm-smart-contracts-i", "The Anchor Protocol's GitHub repository is available at https://github.com/Anchor-Protocol", "There is a discussion about getting smart contracts audited for a product being built on Polygon.", "There is a question about whether a minter or burner role is an issue.", "There is a discussion about the potential change in risk categories for non-defi protocols.", "There is a discussion about the severity of an attack made by the governance.", "There is a discussion about inconsistencies in judging, with a suggestion to file an issue at https://GitHub.com/code-423n4/rulebook/issues", "There is a link to a specific issue on GitHub at https://github.com/code-423n4/2022-01-livepeer-findings/issues/193", "There is a question about whether the Amun reward has been sent.", "There is a discussion about the tools used to find vulnerabilities and bugs in smart contracts.", "There is a question about how to navigate through multiple .sol files when auditing smart contracts.", "There is a question about finding reports on past 
competitions, with a link provided to https://code4rena.com/reports", "There is a discussion about learning from past contests and vulnerabilities, with a link provided to the leaderboard at https://code4rena.com/leaderboard/", "There is a discussion about registering an ETH address to receive shares.", "Reports from past contests can be found at https://code4rena.com/reports", "The leaderboard for the contests is available at https://code4rena.com/leaderboard/", "Participants need to register their handle and ETH address to receive their share.", "The submission form for each contest includes a field for the participant's wallet address.", "Code4rena conducts audit contests which are compared to bug bounties. More information can be found at https://docs.code4rena.com/", "There is a fee charged by Code4rena in addition to the bounty paid to wardens.", "The fee amount depends on the specific case and is discussed privately.", "There is a discussion about gas and contract-size optimization award pot, with a suggestion that optimizations must be >= 100 gas saved to be eligible for a reward.", "There is a question about how to treat upgradeable contracts findings in case of Medium-risk vulnerabilities, such as DoSing or bricking the contract.", "Code4rena has set up a Help Desk system to support the community. Requests can be submitted at https://code4rena.com/help", "If a team submits a vulnerability, the payment cannot be split between multiple ETH addresses. 
The best option is to use a multisig.", "The results of the contests are posted at https://code4rena.com/reports/", "Code4rena has worked with big protocols, but the specifics are not mentioned in the chat.", "Results of the auditing process are posted on https://code4rena.com/reports/", "Once the entire auditing process is complete, a report is published on the aforementioned page.", "Code4Arena has worked with several protocols, which can be viewed at https://code4rena.com/contests", "Code4Arena aims to get more auditors\u2019 eyes on code faster than any other available option and has demonstrated value that has brought established protocols back repeatedly.", "There is no technical limit on the number of members that can be part of a team in Code4Arena.", "The benefits of participating in the contests include learning from others\u2019 findings and leveling up skills.", "There is a question about the transparency of access to certain repositories, as indicated by a 404 error when trying to access https://github.com/code-423n4/code423n4.com/issues/765", "The purpose of ID is not solely to punish exploits applied to deployed code.", "Questions are ideally asked on the forum post itself for context and permanence.", "The estimated time for sending awards after they are announced is within 1-2 weeks.", "If the same vulnerability is reported by multiple wardens, they each get the same share.", "There are pending awards for LPT tokens and NFTX.", "A question was raised about the cost of auditing a platform's code through Code4Arena if no critical or minor vulnerabilities are found.", "LPT tokens and NFTX awards are pending.", "If a platform uses Code4Arena to audit their code and it comes back with no critical or minor vulnerabilities, the cost is not clearly defined and would be handled on a case by case basis.", "The usual process is that the bounty is split amongst those who find bugs.", "If a contest is run and there are zero valid submissions, this is a scenario 
that has not been encountered so far.", "There have been 100 contests launched by Code4Arena.", "If a user encounters an error when submitting, they can email the submission to submissions@code423n4.com.", "If Gas & QA reports are larger than about ~65k characters, they can't be submitted through the form due to Github's max character limit on the body/description field for issues.", "There are several contests still pending.", "Changes to the award calculation process based on the mechanism change are currently being implemented.", "If a user is having trouble with the support request form, they can send the request to submissions@code4rena.com.", "It is not specified which chains are accepted for payment from the sponsor side.", "Users are attempting to submit information via mobile devices.", "If users encounter issues with submissions, they can send their request to submissions@code4rena.com.", "The platform accepts Eth or Polygon for EVM league contests and Cosmos for Cosmos contests as payment.", "There were issues with the captcha being blocked by some users' browsers.", "There were some issues with GitHub that affected the contest submission form.", "The Rolla contest was extended by 24 hours due to these submission issues. The announcement was made on https://discordapp.com/channels/810916927919620096/953009382021533696/956244354496856174.", "The Biconomy Hyphen 2.0 contest results are being reviewed by the sponsor and will be handed off to a judge for final review. 
The final report is expected to be published in a couple of weeks.", "Users can view reports on past contests at https://code4rena.com/reports.", "There were questions about how QA and gas reports handle duplicates and formulas, with specific reference to the Redacted Cartel contest.", "The source code for the findings can be found at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434.", "There is a concern that the new way of handling reports may not encourage better quality in reports.", "In the Redacted Cartel contest, gas reports G-04, G-05, G-06, G-07, G-08 were rewarded as duplicates, lowering their value for each warden.", "There was a set of nine duplicates in the QA reports: Q-15, Q-13, Q-14, Q-24, Q-11, Q-12, Q-05, Q-10, Q-22.", "This information can be found in the source code: findings.csv at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434", "There is a concern that the new way of rewarding may not encourage better quality in reports.", "QA and Gas awards should disregard duplicates, but handling downgraded issues has been tricky.", "QA and Gas reports are awarded on a curve according to judges\u2019 scores.", "There is a difference between static and symbolic security testing. Static testing refers to looking at the code without interacting with it, while symbolic testing is about interacting with the code using software to simulate a transaction.", "Deploying contracts on a testnet is part of symbolic testing.", "All gas findings are supposed to go in one submission.", "There is no rule regarding contest price pool related to lines of code. 
The contests are scoped, and the 30k ones should be smaller.", "The Sublime contest, which is almost 2000 SLOC, was raised as an example that seems like it should be more than 30k.", "The scope of a project for the purposes of a contest does not include comments and blank lines in the line of code count.", "An update to the documentation was posted to answer some questions about the new awarding model for QA and Gas reports at https://discord.com/channels/810916927919620096/810936719003090974/958455244759650344", "There was an issue with the help form erroring out due to a space in a discord handle.", "The real code to audit for the Sublime contest was not in the C4 repo, leading to some confusion and mistakes.", "There was an issue with the help form erroring out when a space was included in a Discord handle.", "The development team was notified about the issue with the help form.", "Users were advised to include their email address on the help form or include their Discord handle without spaces in the Discord Handle field and let the team know their actual handle in the Description field.", "Some users made a mistake of analyzing and submitting about the master branch instead of checking out the right hash.", "The payment release after the announcement usually takes place on Monday or Tuesday after the signatures on the award distribution multisig are rounded up in a standing Monday meeting.", "Users need to register their handle and ETH address to receive their share.", "When users submit findings, there is a field for their polygon address.", "Only one address is sent for one handle for a contest.", "The original tools for finding submissions and contest processing were simple and have been gradually replaced.", "There has been an effort to move to authenticated warden accounts.", "C4 awards are named by handle and distributed from the same awards address in broad daylight on chain.", "A user asked if a smart contract can create a signature of data so that 
another smart contract can verify that signature. The response included a link to EIP-1271: https://eips.ethereum.org/EIPS/eip-1271", "If a submission of a finding fails, the form should error. The form accesses GitHub and Mailgun APIs.", "Code4rena has not hosted any Solana contests yet but plans to expand beyond EVM and Cosmos chains.", "Code4rena's homepage did not update contents report after February because the reports and rewards calculation changed.", "A batch of reports is expected to be published soon.", "The reward is not made immediately when the reward compute is done due to the multisig process.", "The intent is to have transactions queue up for signature prior to a standing meeting each Monday.", "Eventually, awards will be distributed via smart contract, but more pieces need to be in place before that can be done.", "A batch of reports is expected to be published soon.", "There is a possibility of hosting Solana contests in the future.", "There are concerns about the timing and tracking of rewards, with some discrepancies in amounts.", "The rewards are currently distributed via multisig, with plans to eventually distribute awards via smart contract.", "There is a suggestion to split 'Awarding:' into 'Awarding:' and 'Paid:' in the announcements.", "There is a question about the JPYC Contest not having any high/medium risk findings, with the response that the codebase is a relatively simple fork of a mature project.", "There is a discussion about the Ronin Bridge hack, with a link to an article about the hack: https://cryptopotato.com/the-biggest-ever-crypto-hack-what-happened-in-the-ronin-bridge-attack/", "There is a link to a technical report about the Ronin Bridge hack: https://rekt.news/ronin-rekt/", "There is a question about the criteria for archiving contests, with the response that it is due to a Discord limit on the number of channels in a single category.", "A suggestion is made to archive contests in quarters (Q1-Q4 2022) or create a second 
category for 2022 (2022-B) to make it easier to find specific contests.", "This suggestion is implemented, with contests now being archived based on quarters.", "There is a question about releasing all the unverified submissions a few days after a contest ends, with the response that this is in the works: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123", "There is a question about whether high risk findings are still valid if they are out of scope, with the response that it depends on the contest and the judge.", "A user is seeking resources/tips for beginners.", "There is a report of a user being unable to send a text on a specific chat channel."]
\ No newline at end of file
diff --git a/codeArena/codearena/new_qa_pairs_09_24.json b/codeArena/codearena/new_qa_pairs_09_24.json
new file mode 100644
index 0000000..639b61d
--- /dev/null
+++ b/codeArena/codearena/new_qa_pairs_09_24.json
@@ -0,0 +1 @@ +["Question: Can you explain the naming conventions in Code4rena and how I can change my username or team name?\n\nAnswer: Code4rena, pronounced as \"Code Arena\", is a company that assists with smart contract audits. The name is a clever play on words and numbers. In terms of usernames, users have the ability to change their own names in the platform. However, if you want to change your team name in CodeArena, you may need to re-register. It's important to note that in Code4rena, your profile name should be consistent with your name in chat. An individual's name can appear twice on the leaderboard, once individually and once as part of their team. If you're having trouble finding your username on the list during the new registration process, the issue is under investigation. Here is the source of this information: https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434.", "Question: How does CodeArena operate its time-limited, bug-bounty contests and how are the rewards distributed?\n\nAnswer: CodeArena operates in a fashion similar to a bug-bounty program but with distinct variations. It hosts time-limited contests announced in advance with a guaranteed reward pot. Each contestant is given shares for bugs discovered based on their severity. The shares provide the owners a pro rata piece of the pot. It's important to note that the timing of a bug discovery does not affect the reward, meaning it is not a first-come, first-served basis. Whether you are the first or the last to find a bug, the compensation is the same. The overall value of the bug is reduced and split based on how many people find it. \n\nIn terms of reward distribution, if no issues are found in a contest, there are no details provided as to what happens to the sponsor reward pot. However, the typical process involves the bounty being split among those who make valid discoveries. 
In the case where multiple people identify a similar issue, the reward can be calculated using a formula provided in the official Code4Arena documentation: [https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). \n\nThere are also specific competitions where the pot scales up based on the severity of the findings. However, there isn't a specific bug-payout list for each contest and the average award pot for low or non-critical vulnerabilities in contests typically makes up about 10% of the total reward pool. \n\nRegarding future expansion, it is possible that CodeArena may conduct bug bounty programs for web applications, but no specific plans have been mentioned as of yet. While there's interest in staying open to new wardens indefinitely, concerns about prize fund dilution were raised, though no concrete decisions have been made.", "Question: How can I participate in CodeArena's contests as a warden, and what are the steps for registering as a certified warden, including submitting my socials, bio, and avatar?\n\nAnswer: Participating in CodeArena's contests as a warden involves a few important steps. Firstly, you need to sign up to be a warden using Github. During the registration process, you'll be asked to provide details such as your socials, bio, and avatar.\n\nOnce registered, you can participate in the contest by logging into your account. If you are interested in joining as a group or team, you can do so by following the guidelines given here: https://docs.code4rena.com/roles/wardens#registering-a-team. You can also participate in judging and gain backstage access, with information found here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. \n\nHowever, to access the contest channels, you need to have the warden role, which can be obtained by filling out the form on the website. 
For access to private contests, you need to become a certified warden, which involves completing a Know Your Customer (KYC) process whose details are outlined here: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nThe application to become a certified warden can be made here: https://code4rena.com/certified-contributor-application. Certified wardens will have access to findings shortly after contests end. \n\nPlease note that while registering as a warden, your email and Github username will not be listed publicly by CodeArena. However, certified wardens will form part of a permissions group on GitHub to access private repos, and you can decide if you want to make your membership on private teams public or not. \n\nBefore participating, make sure to familiarize yourself with CodeArena's submission policy and judging criteria, found here: https://docs.code4rena.com/roles/wardens/submission-policy.", "Question: What are the options for us to discuss website-related matters and share our thoughts and ideas regarding CodeArena?\n\nAnswer: We have multiple channels in our Discord server where you can discuss website-related matters and share your thoughts. We value the contributions of our community members, so feel free to use these channels to express any ideas or concerns. \n\nHere are some of the channels you can use:\n\n1. A specific channel dedicated to website discussion: Here, you can share your ideas, thoughts, and ask for any clarifications regarding our website.\n\n2. The feedback channel: This channel is designed for you to submit suggestions, ideas, or any other comments that can help us improve our services. \n\n3. The suggestion box: A platform where users can share their ideas on how to improve not just the website but also the leaderboard systems, contest processes, and Discord setup.\n\n4. 
The #\ud83c\udfebeducation channel: This is a great source of information where you can learn more about our services and operations.\n\nIn addition to these channels, we also have an open invitation for you to submit Pull Requests (PRs) with any ideas to our [GitHub](https://github.com/codearena). Your suggestions and ideas are always appreciated and can significantly contribute to our continual improvement. \n\nPlease note, each contest has a dedicated channel where general questions can be asked. If you have specific queries related to a contest, it is suggested to use the contest-specific channel for clearer communication.\n\nRemember, our Discord server is not just for discussing CodeArena related topics. It can also be used for general security discussions. We look forward to hearing your valuable inputs!", "Question: When and how can users gain access to the CodeArena codebase and related repositories?\n\nAnswer: The CodeArena codebase will be accessible from February 17 @ 1400 UTC (9AM EST). Details of access to specific repositories may vary. For instance, the findings repository becomes public after a certain period, with the exact timing not specified. Immediate access to this repo is granted for Certified+ users, but this feature has not been fully rolled out.\n\nAccess to the source code of certain protocol files, like the Nouns DAO protocol, may be restricted. However, the compound codebase can be studied from the compound repo and user submissions for completed challenges can be accessed on the respective GitHub repo once the contest report is published.\n\nNotably, backstage access can be granted for users to access the findings repo when a contest ends. This allows for viewing of submitted reports on Github during the triage process. However, the applications for backstage access are currently suspended until further notice. 
\n\nThere are ongoing discussions about possibly integrating the website with Github to track specific timestamps and exploring different procedures for sensitive disclosures. Also, certified users can access specific projects, like the Polynomial project, by viewing the repo and submitting findings. \n\nWhen accessing any report on Code4rena, you will require access to the GitHub repo. This can be achieved if you have a backstage role. Importantly, the entire findings repo is made public, and there are links to the findings repo in each report on the C4 website at [https://github.com/code-423n4](https://github.com/code-423n4). \n\nFor further information on the process, please refer to the organization's docs at [https://docs.code4rena.com/structure/our-process](https://docs.code4rena.com/structure/our-process).", "Question: Are the smart contracts used in CodeArena's competition real-world applications and what is their relation to the auditing process and deployment?\n\nAnswer: The smart contracts in CodeArena's competitions are indeed real-world applications. These contracts will be audited, and once approved, they will be deployed for practical use. CodeArena runs contests to analyze these smart contracts, providing an excellent opportunity for beginner Solidity developers to participate and hone their skills. The users should note that although our primary focus is on auditing smart contracts, we also consider other relevant areas. \n\nThese smart contracts can be compiled and function independently, and some may already be deployed while others may not be. Our platform supports EVM compatible chains, and contracts will be typically written in Solidity. 
The acceptance of reported issues in these smart contracts depends on their severity as evaluated by our sponsors and judges.\n\nWe encourage open discussions on challenges in understanding the concepts related to smart contracts, including the relationship between interfaces and smart contracts in the overall system. We also assist in understanding the tools used to find vulnerabilities and bugs in smart contracts. For hands-on testing of smart contracts, users can utilize local/testnets, eliminating the need for real money transactions. \n\nThere are ongoing discussions about whether to focus on smart contract security or web2 security for a career path. It's always advisable to focus on what you are interested in and enjoy. \n\nIn the future, we plan to distribute awards via smart contracts, although more pieces need to be put in place before this can be implemented. Please be aware that certain contests may include web applications in their scope, and we encourage questions about all aspects of smart contracts, including potential vulnerabilities to DDOS attacks, the role of a minter or burner, and the application of machine learning for auditing purposes.", "Question: How does CodeArena handle potential issues hidden intentionally by the team or sponsors in the codebase, and what is the process of reporting and verifying such issues?\n\nAnswer: CodeArena is a platform that values transparency and trust. Theoretically, there should be no issues hidden by the team or sponsors on purpose. However, debates have taken place in our community about scenarios such as a sponsor hiding bugs in the code base, reporting them, and hoping that no one else finds them. \n\nCodeArena operates under the principle that no code is perfect, and it's generally considered unlikely that no high or medium issues would be found in a contest. While we do trust our sponsors, potential conflicts of interest, such as sponsors hiding bugs, have been raised. 
\n\nTo address these concerns, CodeArena has established a process wherein findings are kept private until the final report. This gives sponsors time to act on the feedback and helps prevent potential exploitations of early information.\n\nWe encourage participants to report any issues they find, even if they are not 100% sure of them. There is no negative consequence for reporting something that turns out not to be an issue. However, if you realize that your report is incorrect or unnecessary, we recommend withdrawing it to save the judges' time.\n\nWe understand that fairness is a significant concern for our users. To ensure this, projects have already paid in full at the time the contest starts, giving them no financial incentive to hide reports. Plus, our team is constantly working towards resolving any site or contest-related issues promptly.\n\nIn the event an issue is found, which is believed to be intentionally hidden, it should be reported. If the issue turns out to be a mistake on the warden's part, no penalty has been applied in past instances.\n\nIn addition, it's important to note that participants can submit issues as a team, but the exact process of doing so has not been fully clarified. We are always looking for ways to be more effective and transparent in our operations and appreciate any suggestions for improvement. \n\nThe information shared here represents the current practices and beliefs within the CodeArena community and may not necessarily reflect the actual policies of CodeArena or associated entities.", "Question: What is the process for disclosing, submitting, and discussing issues related to smart contracts at CodeArena?\n\nAnswer: When you discover an issue with a smart contract, you can disclose and submit it using the procedures outlined on our submission policy at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md. 
Your report should ideally contain the issue, a description, Proof of Concept if necessary, and a potential mitigation if you can provide one. \n\nIf you are unsure about the severity of an issue or have questions about high severity issues, we encourage you to reach out to the sponsor team during the contest. Remember to provide a good explanation of the finding, as the specific severity may not matter as much as a comprehensive understanding of the issue. \n\nYou can discuss issues with the sponsors before the contest is over, including any uncertainties about whether they are in scope or out of scope. If you have found multiple issues and are unsure about whether to submit them separately or as a single issue, it's okay to ask for clarification. You can report vulnerabilities directly to the sponsor team, but to be eligible for awards, it's important to also submit them via the contest submission form. \n\nIf your findings relate to the platform itself, you can ask about these issue types as well. For vulnerabilities impacting Code4rena's webapp, you can send a direct message or email the issue to security@code4rena.com. If the Proof of Concept for an issue is too large to be embedded directly in the issue, providing a link is an acceptable alternative. \n\nIn the event of a disagreement with the sponsor about the scope of a particular issue, you are still encouraged to report it. Trust between wardens and sponsors is crucial, and concerns about potential misuse of disclosed vulnerabilities are taken seriously. \n\nIf you have additional findings after submitting an initial low-risk finding, you can submit these too. You can check your issue for the finding you sent on Github from the report. If you encounter any problems during the analysis submission process, you can submit a help desk request. \n\nFor sensitive disclosures, we are in the process of developing procedures, and updates on this will be announced soon. 
If you feel it's a security risk to have issue contents made public, you can submit a Help Desk request. \n\nFor beginners who might have trouble understanding certain code instances, it's advised to make one report and reference the related issues in it. \n\nRemember, a recommended fix is a gift for the sponsor, and the recommendation doesn't affect the severity of the issue. Always aim to make your reports in a semi-professional format and review them before submission.", "Question: I am having difficulty with submitting a report to submissions@code432n4.com. It says the domain code432n4.com couldn't be found. Is this a bug, and if so, what should I do?\n\nAnswer: The correct email for submitting your reports is submissions@code423n4.com, not submissions@code432n4.com. However, if you encounter issues with the submission form, you can alternatively send your submissions to submissions@code4rena.com. It's important to note that it may take some time for a submission of a finding to be confirmed via email. If the submission fails, the form should return an error. \n\nIn case of persisting issues, or if you're performing tasks via mobile and encountering difficulties, feel free to forward your requests to submissions@code4rena.com. If you do not receive a confirmation email after submitting a finding, you can open a help desk request at https://code4rena.com/help/. \n\nMoreover, if your submission includes a gas report larger than ~65k characters, which exceeds Github's maximum character limit for issue descriptions, you may receive an error message. In such cases, email your submission instead of using the form. \n\nFinally, if you've submitted to the wrong contest or not received feedback on your submissions, you can fill out a form available at https://code4rena.com/help/ to let the C4 staff know about your concerns. Remember, the results of submitted bugs to the contests are revealed once the report is made public. 
In the meantime, you can check previous reports at https://code423n4.com/reports to see what a high-quality submission looks like.", "Question: What is the process and impact if two or more participants submit the same bug at the end of a CodeArena contest?\n\nAnswer: If two or more participants submit the same bug during a CodeArena contest, the value of the bug is reduced and the reduced bounty is split among the finders. This means there is no advantage in terms of payout for the participant who discovers the bug first. If the reported bugs have different severity levels, for the sake of award calculation, they are all given the same severity. \nIf a bug is submitted with an incorrect solution, the submission can be updated as long as the contest isn't over. Participants can also modify the severity of their bug report after the contest has ended either through the PR or by reaching out to one of the judges.\nIf duplicate submissions come from a team, using different wallets, the rewards are increased compared to individual submissions. However, all participants' submissions are likely to be made public after the contest is over once any potential exploits have been patched. For more details on the judging criteria for duplicate submissions, refer to https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions.", "Question:\nWhat resources would you recommend to someone with a background in vulnerability analysis who wants to dive into smart contract auditing and Solidity?\n\nAnswer:\nThere is a myriad of resources available online for learning about smart contract auditing and Solidity. 
If you are a beginner, we highly recommend starting with Solidity tutorials such as on https://solidity-by-example.org/0.6 and the official documentation https://docs.soliditylang.org/en/v0.7.5/.\n\nFor practicing and getting hands-on experience, you might want to try out https://cryptozombies.io/ for learning Solidity and https://capturetheether.com/ for Capture The Flag challenges. Other platforms, like Sherlock, also provide tools for auditing smart contracts, but they might require a higher level of competence.\n\nTo get more in-depth knowledge about smart contract security, you can refer to resources such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources. For advanced Solidity and DeFi industry standards, consider challenges by The Ethernaut https://ethernaut.openzeppelin.com/ and Damn Vulnerable DeFi https://www.damnvulnerabledefi.xyz/.\n\nFurthermore, if you're interested in blockchain forensic analysis, there are several resources available online. There are also resources to learn about the Geth node and Web2 security in the context of Web3. If you are interested in the mathematical aspects of Solidity projects, consider the YouTube channel @smartcontractprogrammer https://www.youtube.com/@smartcontractprogrammer.\n\nLastly, there are interesting discussions about the use of machine learning in smart contract auditing, such as the idea of converting a smart contract into respective shapes, training a model based on these shapes to predict the vulnerability of future contracts. You can check out related work on GitHub: https://github.com/DanielVF/evm-contract-draw.\n\nRemember, the amount of time it takes to learn the basics and start finding bugs in smart contracts depends greatly on your prior experience and learning capabilities. 
Good luck on your journey into smart contract auditing!", "Question: How are judges selected for the contests in CodeArena, what is their role in determining bounties, and how can I learn about their decisions?\n\nAnswer: Judges for CodeArena contests are carefully chosen based on their experience and reputation. Their primary role is to review the findings of the contests, deciding on their severity, validity, and quality. This includes deciding which contest reports get featured in the client report and the severity escalations in a contest report. \n\nThe identity of the judges for an ongoing contest is kept confidential to ensure a bias-free competition. Therefore, it's not possible to contact the judge directly during the contest. \n\nAfter the contest concludes, the judges' decisions are shared. Wardens can view the judging results before they are made public and if they find issues, they can raise them for reconsideration as per the fairness and validity policy: https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision.\n\nA post-judging QA period also exists for comments to be made on the judges' decisions. As part of the judging process, judges receive a share of the prize pool as an incentive. This portion of the award is referred to as \"judge + presort\", which includes consolidating duplicates and occurs before the final rewards are announced.\n\nFor more details on how the users' findings were judged, you can refer to the judging and payout timelines documented at https://docs.code4rena.com/structure/our-process. More information about the roles and responsibilities of judges can be found at https://docs.code4rena.com/roles/judges. \n\nPlease note that the decision-making process is designed to be fair and transparent. 
If you have any disagreements or issues with a judge's decision, you're encouraged to voice your concerns as per the aforementioned fairness and validity policy.", "Question: How can I get started with running the slingshot code and understanding how it executes in the overall system? Are there any resources or tutorials that can help me with this?\n\nAnswer: You can find detailed information about how the Slingshot code executes in the overall system on our GitHub page [here](https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#how-it-works).\n\nIf you need help with setting up a testing environment or understanding the testing framework of Hardhat, there are two YouTube tutorials, which can be found [here](https://www.youtube.com/watch?v=Rp_V7bYiTCM) and [here](https://www.youtube.com/watch?v=EHrvD5c93JU). \n\nFor submitting Proof of Concept (PoC) for vulnerability discoveries, you can follow our guidelines [here](https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc). Each PoC should ideally be about 50 lines long and can be run using a Hardhat project. Depending on the length of the code, you can provide it directly in the report under 'Proof of Concept' or link it on a private Github repo. \n\nIf you are a beginner and having trouble understanding certain code instances, it is advisable to make one report and reference the related issues in it. Understanding the purpose of a codebase generally requires reading the documentation or having previous experience with similar code. \n\nFor making reports, CodeArena provides sponsors with a set of example READMEs to work from, and a checklist of items to include. You can also find guidelines on how to include screenshots and embed code in your reports [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept). 
\n\nIf you encounter difficulties setting up certain contract environments due to limited documentation, lack of test cases, or absence of deployment scripts, you might want to consider running tests in the existing test environment or writing new test cases, instead of setting up full environments. \n\nRemember, if there's no test setup in the C4 repo, you can check the sponsor's GitHub for a potential test setup or pull out the code to test it in isolation. You can also refer to our overall process and estimated timeline [here](https://docs.code4rena.com/structure/our-process).", "Question: Do I need to run the Slingshot backend locally for auditing the smart contracts, and are there any other tools or methods to consider for testing and auditing?\n\nAnswer: While it is true that the smart contracts can be compiled and function independently of the backend, our Discord chat suggests a few more tools and methods to ease your auditing process. One of the suggested tools is Foundry, which can be used to fork data from a live network, such as a mainnet or testnet, and run it locally. This method avoids the need to grab testnet tokens for transactions or wait time on blocks and does not pollute the testnet with unnecessary data. You can install Foundry with Docker or via a simple 'npm install foundry' command. \n\nAnother tool mentioned is Slither, a static analysis tool for smart contracts, which is widely used to generate output. However, to use Slither alongside Foundry\u2019s remappings, it's necessary to identify those remappings for Slither.\n\nThere are a few other considerations as well. For instance, if there\u2019s no test setup in the C4 repo, you may want to check the sponsor's GitHub for a potential test setup or pull out the code to test it in isolation. Also, it's okay to run tests in the existing test environment or write new test cases, instead of setting up full environments. 
\n\nRemember, while the process may be complex, the rewards can be substantial. For more detailed information on how code executes in our system, you can refer to https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#how-it-works. Moreover, you can learn about Slingshot Finance's sponsorship for CodeArena's first competition at https://medium.com/@scott_lew_is/slingshot-finance-sponsors-20-000-usdc-guaranteed-distribution-bounty-pool-for-code-432n4s-first-789514a8dc99.", "Question: Do I need to have the Slingshot backend running locally for the smart contracts to function and if not, what are some ways I can test these contracts?\n\nAnswer: The smart contracts can be compiled and function independently of the Slingshot backend. They do not require it to be running locally for them to work. You can test these contracts using available resources for testing contracts downloaded from Github with tools like Mythril and Slither. These tools can help you detect vulnerabilities and bugs in smart contracts. Foundry is another valuable tool for testing as it can be used locally, providing an alternative to public testnets. It can fork its state from a public testnet or even the mainnet, making it a more convenient option for testing. Additionally, you can use Foundry for local forking to avoid grabbing testnet tokens for transactions or waiting for blocks. This also prevents polluting the testnet with unnecessary data. You can find more information on how the Slingshot code executes in the overall system at https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#how-it-works. If you prefer a graphical interface for understanding smart contract interaction, you might find Surya useful: https://github.com/ConsenSys/surya, though please note that this tool is deprecated. 
Lastly, please remember that testing does not require money as it can be done using local/testnets.", "Question: What resources and steps are available to assist with setting up the environment for auditing smart contracts with CodeArena?\n\nAnswer: CodeArena provides several resources to assist with setting up your environment for smart contract auditing. \n\nFirstly, there is a suggestion to create a Loom video to show the process of setting up the environment. Also, we have provided two YouTube links that provide valuable insight into understanding the Foundry framework: https://www.youtube.com/watch?v=Rp_V7bYiTCM and https://www.youtube.com/watch?v=EHrvD5c93JU.\n\nIn addition, our community discusses potential solutions to software issues such as 'Yarn', including using Bash commands for environmental variables, using a docker image, or running 'npm install foundry'. If you encounter permission problems or wrong installation, you can create a help desk request on https://code4rena.com/help outlining your issue.\n\nFurthermore, our community suggests running tests in the existing test environment or writing new test cases, instead of setting up full environments. If there's no test setup in the C4 repo, you might find a potential test setup in the sponsor's GitHub or you can pull out the code to test it in isolation. \n\nMoreover, we have an office hours session that will be posted on YouTube early the following week to provide additional support. You can also check out the video walkthrough for the Connext flash contest at https://youtu.be/ABEOIKzEshA for more insights.\n\nLastly, CodeArena's office hour sessions are recorded and uploaded to our YouTube channel for later reference. We also have a suggestion box for users to share ideas on how to improve the website, leaderboard systems, contest processes, and Discord setup. 
We are always open to feedback and strive to provide the best resources and supports for our users.", "Question: What are the policies and procedures around the submission deadline for a contest?\n\nAnswer: CodeArena has a firm deadline policy for all contest submissions. Late entries are not accepted under any circumstances, as stated in our Submission Policy (https://docs.code4rena.com/roles/wardens/submission-policy#late-submissions). It's important to note that submissions cannot be made more than 3 hours prior to the contest end time. To assist with meeting the deadline, we are considering implementing a countdown timer and the stop time for each contest will be clearly stated. \n\nIn order to prevent missing the submission deadline, you can submit at any time prior to the contest end time, with a policy of accepting only the first (or last) entry that a team sends. We also offer a grace period for submissions during contests. Furthermore, a new submission mechanism is expected to be implemented in the upcoming contests. \n\nParticipants are usually allowed to edit their submissions until the contest closes. After submission, participants should receive a confirmation email, although there may be occasional delays. We are also working on a feature to allow certified contributors to view and give input on submitted issues right after the contest closure during the judging period. \n\nRemember, frequent unsatisfactory submissions could lead to penalties, so it's important to submit your best work. We always recommend keeping a close eye on the remaining time during a contest, and to confirm contest length, especially for larger contests (like ones involving over 12k sloc which may be extended to 4 weeks). 
If you have any further queries or concerns, we encourage you to reach out to us.", "Question: What is the stop time for the CodeArena contests and what factors influence the contest timeline?\n\nAnswer: The stop time for each contest varies, but as an example, one contest had a stop time of February 21, at 2359 UTC. In general, the timeline of a contest, including the stop time, depends on several factors, such as the complexity of the project or audit. For instance, a contest involving over 12K sloc was extended to 4 weeks. \n\nSubmissions for contests should be made as per the Submission Policy, which states that submissions cannot be made more than 3 hours prior to the contest stop time. After the contest stops, participants can expect the judging process to begin within 48 hours. However, the results publication and payouts may take a variable amount of time, as it depends on the duration of the judging process. Contestants can inquire about the progress and schedule of final reports. \n\nIn terms of contest management, it's also important to note that there can be gaps in the schedule for live contests, with pauses sometimes happening around big conferences. A countdown timer might be implemented in future to ensure participants do not miss the submission deadline. \n\nFor more detailed information on judging and payout timelines after a contest ends, you can consult the official documentation at [this link](https://docs.code4rena.com/structure/our-process).", "Q: How can I participate as a Warden in CodeArena, and what benefits or responsibilities does it entail?\n\nA: To participate as a Warden in CodeArena, you first need to register and sign in to your account on our platform. Once you're registered, we encourage you to participate in our code contests as a Warden. \n\nAs a Warden, you'll have the chance to compete in our contests. The details of each contest are available in the #\u270brsvp channel, allowing you to decide whether you want to compete. 
We also have exclusive contests such as the \"vs contest,\" which only involves three wardens and has an RSVP process.\n\nMoreover, you have the opportunity to become a \"Certified Warden\". This role allows you access to findings shortly after contests end, potentially giving you an advantage in future contests. You can apply to become a certified warden following this link: [https://code4rena.com/certified-contributor-application](https://code4rena.com/certified-contributor-application).\n\nIn terms of your representation on the website, there was a suggestion to add links and preferred avatars from competing wardens to the home page along with the countdown. However, a more practical implementation includes creating a leaderboard after the contest results, available at [https://code423n4.com/leaderboard/](https://code423n4.com/leaderboard/). The leaderboard gives users a sense of what wardens are earning and serves as an online curriculum for the contestants.\n\nThere has also been a suggestion to create a GitHub form for wardens to fill out when joining, including links to their socials, bios, and avatars. You can change your avatar and links on the CodeArena website by looking in the _data folder on the site repo and making a PR.\n\nFinally, as a Warden, you may also have access to a dedicated contest preview channel and the possibility to participate in the Ambire Contest and other special events. It's important to note that Wardens are expected to start the findings process within 48 hours of a contest's closing.", "Question: What is the process and requirements for participating as a Warden in the CodeArena's contests and audits?\n\nAnswer: Participants referred to as \"wardens\" are the ones who participate in CodeArena's audit contests. However, there are some requirements that a participant needs to meet to become a certified warden. 
While not all of these requirements are publicly disclosed, it is known that participants need to sign up as a warden to join a competition and may need to participate in a certain number of contests and have a certain number of valid findings or reports to gain certified status.\n\nOnce certified, wardens can participate in a wider range of contests including private, mitigation-review, and test-coverage contests, which are exclusively open to certified wardens. Certified+ wardens, who have shown an established level of contribution, get earlier access to findings repositories and can assist with post-contest processes. They also gain backstage access, allowing them to observe the report submission and triage process. \n\nHowever, it's important to note that the final report for a contest doesn't always include all wardens. Only those whose submissions/findings are accepted will be included. Participants are encouraged to familiarize themselves with the submission policy and judging criteria prior to participating, as outlined in the docs at: https://docs.code4rena.com/roles/wardens.\n\nIf you're interested in becoming a warden, you can check your acceptance status on the CodeArena's platform and even sign up directly on the warden registration page. There's also a new qualifications section added on the registration page due to an increase in warden registrations. If you want to learn more, you can review other warden's submissions on GitHub to learn from marked and invalid cases. In case of any issues or concerns with a report, wardens and staff can seek clarification from each other. \n\nEven though many wardens hold their submissions until the end of the competition, all submissions have to be visible to C4 staff, sponsors and the judging team for them to carry out the judging process. This process is confidential and sealed to other wardens. New wardens are encouraged to participate and even register as a warden to access the contest preview channel. 
More information on the warden-application-reviewers role and its application process will be documented soon.\n\nRemember, staff occasionally access submissions during an audit to help wardens with any submission errors, but the final decision lies with the judging team. After the contest, the platform allows viewing reports from other wardens to aid in learning and professional growth.", "Question: What is the process for submissions during and after a CodeArena contest, and when will they be available for public viewing?\n\nAnswer: During a CodeArena contest, contestants can submit their findings at any time prior to the contest end time, and they are allowed to edit these submissions until the contest closes. It's important to note that any findings not submitted before the end of the contest will not be eligible. Only the CodeArena team has access to these submissions before a contest ends, and sponsors do not typically see the submissions before the contest concludes. Also, the findings are not publicly available until the contest is finalized.\n\nAfter a contest ends and possible exploits have been patched, all participants' submissions may be made available. This availability comes after a process that includes Sponsor Review, Judging, Awarding, and then Reporting. During this time, submissions cannot be viewed or amended, and the status of submissions will not be available until the contest report is published and the findings repository is made public. The exact time duration before the findings repo becomes publicly available for discussion is not specified.\n\nOnce the contest report is published, user submissions for completed challenges can be accessed on the respective GitHub repo. When the repo of a contest is made public, everyone has access to all the submissions, whether they are valid or not. 
An email confirmation is also sent out to participants confirming the successful submission of their entries.\n\nThere are plans to implement a new submission mechanism in upcoming contests, which might allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. This could also potentially include the release of all unverified submissions a few days after a contest ends for learning purposes. Further details are discussed in this forum post: [https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123).\n\nPlease note that this process is subject to changes and it is always recommended to check the specific rules for each contest.", "Q: How does the leaderboard on the CodeArena website work and how does it relate to the contest submissions?\n\nA: The leaderboard on the CodeArena website displays the top contestants based on their achievements in the contests. It is updated every time awards are announced. It does not only reflect the results of the current contest but also considers the total participation of a contestant. \n\nHowever, it's important to note that there might be some delays in reflecting the full duration of contest results. For example, after the leaderboard is shown and rewards are sent, the final report of the contest may not immediately appear on the C4 site. Therefore, it's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project. \n\nMoreover, when a submission to a contest is made but not rewarded, participants can review why their submission was not accepted once the report is out and the repository is fully opened. 
This allows them to see the discussion among sponsors and judges on the specific issue.\n\nFurthermore, all participants' submissions may be made available after the contest ends, once the possible exploits have been patched. This means that wardens, particularly those with Certified+ status, can learn from other submissions immediately after contests end. \n\nLastly, getting on the leaderboard can enhance your ability to qualify for private contests. But to get into the list for private contests, you need to become a certified warden. \n\nFind more details about the Certified+ status and the contest process in this forum post: [https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123).", "Q: When and how can I access the findings and submissions from a contest on CodeArena?\n\nA: All participants' submissions may be made available after the contest ends and the possible exploits have been patched. The findings from the contest are confirmed and discussed after the contest ends, and the report is published. Once this report is published and the findings repo is made public, everyone, including sponsors, certified contributors, and other participants, can access all submissions, irrespective of whether they were accepted or not. \n\nCertified contributors, also known as wardens with + certification, may have access to other submissions immediately after contests end. Additionally, those with the \"backstage\" role get access to the findings to help with triaging. \n\nHowever, please note that currently, findings of a contest cannot be viewed after it finishes but before the results are published. Only the team has access to submissions before a contest ends. Sponsors do not generally see submissions before the contest ends either. 
\n\nYou can review both your own and others' submissions and findings on the concerned GitHub repo. You can also check all the reports you submitted during the competition and will receive confirmation via email. If your submission to a contest was made but not rewarded, you can review why it was not accepted once the report is out and the repository is fully opened. This allows you to see the discussion among sponsors and judges on the specific issue.\n\nThere are plans to implement a new submission mechanism in future contests, which would allow certified contributors to view submitted issues right after contest closure and comment or give input on these issues during judging. \n\nAdditionally, there's a suggestion to release all unverified submissions a few days after a contest ends for learning purposes. The details are discussed in this forum post: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123 \n\nPlease keep in mind that the specific duration before the findings repo becomes publicly available for discussion is not mentioned. It would also be important to know that any findings that are not submitted before the end of the contest will not be eligible.", "Question: Does CodeArena focus exclusively on auditing smart contracts, and if so, how can I better understand the scope of these audits and the tools used? \n\nAnswer: CodeArena primarily focuses on auditing smart contracts. However, we welcome suggestions for areas beyond smart contracts if you find something relevant to the overall security and efficiency of the system. When auditing, the scope typically includes only the contracts themselves and does not extend to other areas like the UI or back-end trade-route discovery services unless specified otherwise. \n\nFor those new to smart contract auditing, understanding the reports and concepts might be challenging. 
A smart contract can function independently of the back-end, and it's vital to comprehend the relationship of interfaces to smart contracts in the system. Tools like Surya (https://github.com/ConsenSys/surya), although possibly outdated, could be used for observing smart contract interactions graphically. \n\nWhen auditing, an approach typically involves finding vulnerabilities and bugs in smart contracts. This could involve a two-step process for making critical changes or handling upgradeable contract findings in the case of medium-risk vulnerabilities. It's also worth mentioning if there are more functions in an interface than are used in the code during a protocol interaction with a contract on-chain. \n\nMoreover, many users are interested in optimizing smart contracts to reduce gas costs. This includes not just for protocol contracts, but also for other contracts and non-view/non-pure functions. Blockchain forensics analysis might be necessary for understanding hacks and incidents in smart contracts.\n\nFinally, if you find issues in out of scope contracts, we do have a process for submitting these. The frequency and manner of reporting issues can vary based on the reviewer's judgement. We understand the uncertainty in this area and are always open to questions and discussions to ensure the best possible outcome from our audits.", "Question: What is the timeframe for submitting smart contract audit findings to Code4Arena and what should I be aware of regarding the submission policy?\n\nAnswer: Code4Arena's Submission Policy emphasizes that submissions should not be made more than 3 hours prior to the contest stop time. However, there isn't a specified earliest time you can submit your findings. Submissions can be made at any time before the contest ends, but not too close to the contest close time. Users can edit their submissions until the contest closes. 
Once a contest has ended, submissions for it cannot be amended.\n\nNote that late submissions are explicitly not accepted as stated in the submission policy, which you can find at this link: https://docs.code4rena.com/roles/wardens/submission-policy#late-submissions. \n\nA new submission mechanism is planned for future contests and a countdown timer may be added to assist with submission deadlines. There are also discussions about allowing the release of all unverified submissions a few days post-contest for learning purposes, as mentioned here: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123. \n\nPlease also be aware that while you are allowed to submit findings you are unsure about, submitting more than three invalid issues per contest could potentially penalize you, preventing you from receiving any payout for that competition. \n\nTo avoid misunderstandings and penalties, it's essential to familiarize yourself with the submission policy and judging criteria, which are outlined in this document: https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines.", "Q: How does the submission and review process work in CodeArena's smart contract audit contests?\n\nA: The submission process for CodeArena's smart contract audit contests is designed to be simple and flexible. Submissions to audit contests are made through a form available on each contest page on our website. Once you've submitted your findings, you can edit them anytime before the end of the contest by clicking on the 'Your Findings' button on the contest page. You can also check the success of your report submission by looking out for a follow-up email from us and the ability to edit your submitted findings. \n\nOur Submission Policy states that submissions cannot be made more than 3 hours prior to the contest stop time. 
After the contest is closed, there is a certain period of time before the findings repository becomes publicly available for discussion, but the specific duration is not mentioned. It's also important to note that any findings not submitted before the end of the contest will not be eligible.\n\nAfter a contest ends, your findings will be reviewed. The review process typically takes between 3-6 weeks, depending on the contest and the number of reports under review concurrently. Once the review process is complete, the findings repository is made public and feedback for your submission can be found on the contest page. We advise participants to wait for the report to be published and the findings repository to be made public to check on their submissions. \n\nTeams are also welcome to participate. Once a team is approved, participants can log in and submit findings as a team.\n\nWe understand the importance of clarity and transparency in this process, so please don't hesitate to reach out if you have any further questions or suggestions.", "Question: What is CodeArena's policy regarding the submission and amendment of entries in contests?\n\nAnswer: CodeArena permits contestants to submit their entries at any time prior to the contest end time. However, as per the Submission Policy, entries cannot be submitted more than 3 hours prior to the contest stop time. You can find the policy here: https://docs.code4rena.com/roles/wardens/submission-policy#late-submissions. \n\nParticipants can edit their submission until the contest ends. If a correct bug issue is submitted with an incorrect proposed solution, you can update your submission as long as the contest hasn't ended. However, once a contest has ended, submissions can no longer be amended.\n\nTo manage multiple entries from the same person or team, CodeArena is considering a policy of accepting only the first (or perhaps the last) entry submitted. 
A new submission mechanism for this is slated for implementation in upcoming contests. \n\nCodeArena is also considering a grace period for submissions to address late issues. Additionally, a countdown timer may be implemented to help participants keep track of the submission deadline. \n\nUpon successful submission, an email confirmation is sent out to contestants. However, only the team and sponsors have access to the submissions before a contest ends, ensuring no data is leaked prematurely. Sponsors generally receive a triaged list after an initial sorting process for a better experience. \n\nAfter the contest ends, those with the \"backstage\" role gain access to findings to help with triaging. CodeArena is planning to allow certified contributors to view submissions right after the contest's closure and provide input during the judging process. All unverified submissions may be released a few days after the contest ends, before judging. \n\nKeep in mind that any findings not submitted before the end of the contest will not be eligible. Late submissions are not accepted as per the existing policy.", "Q: I have code that runs a proof of concept (PoC) for each bug I've found during the audit. How should I go about submitting it?\n\nA: If you have code that functions as a Proof of Concept (PoC) for each bug discovered, there are several ways to submit it. The method you choose largely depends on the length of the code. \n\nIf the PoC is concise, you can add it directly under the 'Proof of Concept' section of your report. However, if it is extensive, you can either create a private gist on Github or provide a diff of an existing sponsor-supplied test/contract. \n\nWhen submitting, remember to include direct links to all referenced code in GitHub and add any screenshots, logs, or any other relevant proof that illustrates the concept. \n\nIf the PoC for an issue is too large to be embedded directly in the report, you can provide a link to it. 
For example, if various lines were changed, you can send a git patch or a PR to the repo. \n\nPlease note that without a PoC, your finding may be disregarded unless the issue is extremely obvious. Therefore, it's always recommended to include a PoC to ensure your findings are considered valid. \n\nFor further information on how to include a PoC, please visit: https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept. You can also check previous reports for examples of high-quality submissions at: https://code423n4.com/reports. \n\nAdditionally, if you find that your submitted bug's severity needs to be increased during a contest, you can submit a help request to remove the original submission and then submit again via code4rena.com/help. \n\nIf two participants end up submitting the same bug at the end of the contest, the judging criteria for duplicate submissions can be found at: https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions.", "Question: How can I prepare and run my Proof of Concept (PoC) that is about 50 lines long using Hardhat or Foundry for a CodeArena project?\n\nAnswer: Your PoC, which is approximately 50 lines long, can be run using either Hardhat or Foundry as they serve as effective tools for smart contract testing and gas report generation. \n\nIf you choose to use Hardhat, you can utilize the Hardhat gas report plugin for benchmarking your code for gas savings. There are also resources available like tutorials recommended by the community to study its testing framework, such as the Codecademy Javascript testing module and the Alchemy University's Ethereum Bootcamp in week 4. \n\nIn case you prefer to use Foundry, it can be used in conjunction with Hardhat. A base template for using Foundry in a Hardhat project can be found at https://github.com/foundry-rs/hardhat-foundry-template. 
This provides you with the capability of forking its state from a public testnet or even the mainnet, making it a more convenient option for testing smart contracts.\n\nRemember that the contest pot size of CodeArena is partially based on the number of lines in your PoC. Also, CodeArena normally hosts 2-5 audit projects per week, and the project timeline can last up to 5 weeks. Thus, you have ample time to prepare and run your PoC for the contests.", "Q: How should I submit a Proof of Concept (PoC) for each bug that I find during my audit?\n\nA: If you have code that runs a proof of concept (PoC) for each bug you find, you can submit it either by adding a zip file to your submission or by sharing a private GitHub repository. When submitting a PoC, you should make separate submissions depending on the type and severity of the bugs found. \n\nTo provide a comprehensive report, you should include a detailed explanation of the vulnerability and its impact on the protocol or code in the impact section. The proof of concept section of your report should contain lines from code/github or add a test which is written as an exploit. It's also beneficial to include a case for how an item can be exploited to avoid your finding being marked as invalid. If you're uncertain how to present a PoC, examples can be found at [https://github.com/code-423n4/2022-12-caviar-findings/issues/343](https://github.com/code-423n4/2022-12-caviar-findings/issues/343) and [https://github.com/code-423n4/2022-12-caviar-findings/issues/376](https://github.com/code-423n4/2022-12-caviar-findings/issues/376). \n\nPlease note that if a medium severity bug is found and no PoC is provided, your finding may be disregarded unless the bug is extremely obvious. So, it's recommended to always write a PoC to be sure. If a single line of code has multiple ways of exploitation, all the bugs should be reported but the biggest impacting one should be given priority. 
\n\nIf you need to increase the severity of a submitted bug during a contest, you can submit a request for removal of the original submission at [code4rena.com/help](code4rena.com/help), and then re-submit the bug appropriately. For further instructions on how to include a PoC, you can visit [https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nRemember, the level of detail in your submission, including the inclusion of a PoC and covering the issue in as many aspects as possible, can influence the award you receive for your findings. After submitting a bug, you can view or edit your own submissions on the site for the relevant open contests, until they are made public. Once public, you can check previous reports to see what a high-quality submission looks like.", "Q: How is GitHub integrated with CodeArena and how can I utilize it effectively for my participation and submissions?\n\nA: CodeArena has a significant integration with GitHub and it's utilized in many ways. \n\n- As a participant, you can link your GitHub repositories as proof of concept in your finding submissions. To find reported vulnerabilities in the GitHub repo, all you need to do is search for your username or handle.\n- If you're interested in joining as a warden, you can sign up using your Github credentials. Additionally, there was a suggestion to create a GitHub form for wardens to fill out with links to their socials, bio, and avatar.\n- Please note that even though your Github username will be used, it will not be listed publicly by C4. Certified wardens will become part of a permissions group/team on GitHub to give them access to private repos. You can decide to make your membership on these private teams public or not.\n- If you prefer, you can set up separate GitHub accounts for your CodeArena work for privacy reasons. 
If you wish to change your Github username, requests can be made and they are processed by the team.\n- Participants are required to review and make a pull request for their handle at [this link](https://github.com/code-423n4/code423n4.com/tree/main/_data/handles) to participate in contests. Teams can similarly submit a team request at [this link](https://github.com/code-423n4/code423n4.com/pull/28).\n- Once a contest is over and the report is published, user submissions for the completed challenges can be accessed on the concerned GitHub repo. For contest submissions, you can add a zip file or share a private Github repository with the solution. You can also attach screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected code.\n- There are ongoing discussions about further integrations with GitHub, such as tracking specific timestamps and automatically pulling in code snippets from a sponsor's Github repo code in a findings report.\n\nRemember, your competency in this space can be demonstrated through your Github profiles, so it's an invaluable tool for participation in CodeArena.", "Question: What factors should be considered when auditing smart contracts, particularly in the context of owner misbehavior and potential impacts on out-of-scope contracts?\n\nAnswer: When auditing smart contracts, several factors should be considered. First, the potential impact of misbehavior or a malicious attack by the owner of the contracts should be taken into account, as should the possibility of social engineering attacks. However, some might consider a malicious or compromised owner as out-of-scope for the audit. \n\nThere should also be a trust model description for the roles involved in the project, which should clarify the potential risks and impacts. 
Another factor to consider is the scope of the review - while the review is generally focused on the in-scope contracts, impacts on out-of-scope contracts are also relevant. For instance, if a bug in an in-scope contract affects an out-of-scope contract, it might still be considered depending on the judge's decision. \n\nOn the other hand, a vulnerability found in an out-of-scope contract could be reported and might even be brought into scope by a judge. Furthermore, the severity of reported issues can influence their acceptance, with the severity evaluated by the sponsors and judges. \n\nPotential risks could include scenarios such as a ransom attack where an attacker takes ownership of the uninitialized contract and demands a ransom to release it. Such risks could affect the decision to deposit funds in an uninitialized contract. \n\nDecisions on which contracts to audit, whether individual contracts or entire protocols, and whether contracts already deployed or not yet deployed, should also be considered. \n\nThe process of submission of issues found in out-of-scope contracts should be clear, with the potential of including such issues in the C4 report as unrewarded findings or directly messaging the project. \n\nIn case of a dispute with a project, it should not be assumed that the project is always in the right. Trust in the sponsors is also crucial, and potential conflicts of interest, such as sponsors hiding bugs, should be considered as well. \n\nTo further understand the audit process, there is a helpful video explaining some aspects of contract auditing: https://www.youtube.com/watch?v=wCD3fOlsGc4.", "Question: What is the process for submitting and updating my smart contract audit reports to CodeArena?\n\nAnswer: You can submit your audit reports by emailing them to submissions@code423n4.com. Once the submission is received, you should expect a confirmation email, which usually arrives within a few minutes but can sometimes be delayed. 
If you do not receive this confirmation, please check your spam folder and if the issue persists, reach out for assistance. \n\nYou can also update your submissions as long as the contest is still ongoing. This can be done by direct messaging certain identified individuals or by using the \"Your findings\" button. If you're unable to use the submission form due to issues, you can send your submissions directly to submissions@code4rena.com.\n\nAll your submitted reports can be checked during the contest, and for each submission, an email confirmation will be sent. After the contest, all submissions can be viewed under the \"Findings\" tab on the C4 Contest page. \n\nIt's important to note that you should receive an email about your submission whether it's valid or not. Also, a new submission mechanism is being planned for future contests, and a policy suggestion has been made for accepting only the first (or last) entry a person/team sends. \n\nLastly, if you have queries about submission rules or if there are issues with performing tasks via mobile, you can send requests for assistance to submissions@code4rena.com.", "Question: What is the process and solutions for issues related to sending, receiving, and confirming submissions at CodeArena?\n \nAnswer: The process for sending submissions at CodeArena involves emailing your entries to submissions@code423n4.com, or submissions@code4rena.com if there are issues with the primary email. However, please be mindful of the correct spelling of the domain to avoid delivery errors. If the submission is successful, you should receive an email confirmation within a few minutes. This confirmation could be delayed at times, so check your spam folder as well. \n\nIn case of mobile-related issues, requests for assistance can be sent to submissions@code4rena.com. If a participant does not receive a confirmation email after their submission, they can open a help desk request at [Code4rena Help Desk](https://code4rena.com/help/). 
\n\nIf you encounter difficulties submitting a request via a support request form, or if your GitHub submission is rejected by the API, you can forward your request to submissions@code4rena.com. For larger submissions, such as a gas report exceeding ~65k characters, sending the report via email is recommended due to Github's character limit for issue descriptions. \n\nYou should receive an email about the validity of your submission, whether it is valid or not. In the case of incorrect submissions, you should resend the correct entries and inform the C4 staff through a form found on [Code4rena Help Page](https://code4rena.com/help/). \n\nFor QA and gas reports, if there are issues with online submission, these can be emailed to report@code4rena.com. \n\nRemember to constantly check and update your repository, as the old GitHub template for submissions is no longer updated. It's advisable to submit findings using the \"Submit finding\" button of the specific contest on the main page. \n\nIn the event of submission errors or multiple submissions, the Code4rena team is available to provide assistance.", "Question: How does the trust model function in ElasticDAO, specifically in relation to the roles of the controller, minter, and burner, and what is their relationship with the DAO voting system?\n\nAnswer: In ElasticDAO, the controller, also referred to as the minter or burner, is a trusted entity. It operates as a multisig account, meaning that it requires multiple signatories for transactions to be approved. This multisig enacts the snapshot votes on chain, thus acting as a bridge between the DAO voting system and the execution of decisions made through voting. \n\nThe trust model of ElasticDAO assumes that the controller behaves honestly, as its actions are derived from the consensus of snapshot votes. As such, it plays a crucial role in ensuring the integrity of the DAO's decision-making process. 
\n\nThe DAO voting system itself is an essential part of the DAO's governance structure. In this system, token holders are given voting rights, including authority over the treasury. The voting rights are typically exercised through snapshot voting to offset high gas costs on layer 1 of the Ethereum blockchain. \n\nWhile the controller is trusted, it's also worth noting that projects like ElasticDAO should have a trust model description for all involved roles, to ensure transparency and trustworthiness. In the context of an audit, trust models play a significant role in assessing the security of smart contracts. \n\nTherefore, while the controller is trusted, it is essential to remember that the governance model's design should always consider potential risks, including the possibility of malicious actions. This is why auditing, whether manual or automated via tools like Slither, is critical to uncover possible vulnerabilities and ensure the smart contracts' security. \n\nIn regards to severity of attacks made by the governance, it's important to mention that the reaction might vary based on the judgement of the reviewer or the judge, and governance is usually assumed to be a trusted party.\n\nYou may find more about smart contract auditing and tools used for it [here](https://github.com/DanielVF/evm-contract-draw).", "Question: I am a developer interested in learning solidity and contributing to CodeArena. How can I get started and what resources would you recommend?\n\nAnswer: We are thrilled that you're interested in becoming a part of CodeArena. As you're coming from a C#/Python/JavaScript background, you're off to a good start. We primarily target auditors, but we encourage beginners in solidity development to actively participate in our platform. \n\nYou can start your journey by understanding solidity syntax and programming. The best way to learn is reading old audit reports, reverse engineering, and participating in code contests as a warden. 
Our audit reports are available at https://chainsecurity.com/audits/. These reports will help you understand each issue raised and provide valuable insights into the auditing process. \n\nIf you're facing difficulties in catching vulnerabilities during CTFs or understanding some concepts, don't worry. It's part of the learning curve and you might need more solidity fundamentals or developer experience to get past it.\n\nHere are some resources that can help you learn about smart contracts and solidity:\n\n1. https://cryptozombies.io/ - an interactive code school that educates you about writing smart contracts in solidity through building your own crypto-collectibles game.\n2. https://capturetheether.com/ - for Capture the Flag challenges related to blockchain and smart contracts.\n3. https://www.youtube.com/@smartcontractprogrammer - an excellent resource for understanding math regarding solidity projects and how accountings are done.\n4. https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources - for beginners interested in smart contract auditing.\n\nRemember, the time it takes to learn the basics and start finding bugs in smart contracts varies greatly based on your prior experience and learning capabilities. But with consistency and perseverance, you'll surely make progress. \n\nOnce you feel ready to contribute, you can report issues related to smart contracts based on guidelines found at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md.\n\nAnd of course, you're always welcome to ask questions and seek help on our platform. Happy learning!", "Question: What is the timeframe for sponsoring a contest at CodeArena and what factors influence this duration?\n\nAnswer: The duration for sponsoring a contest at CodeArena varies and is not explicitly defined, due to the fact that several factors influence this timeframe. 
Based on past experiences, the process of approving a team for contest participation can take up to a few business days. The scope and size of the contest also factor into the duration, as larger contests, such as those involving over 12k sloc, can extend to 4 weeks. \n\nSponsors play a critical role in this timeline. They decide the scope for their contests and the review time can vary greatly, sometimes taking as long as six weeks. Additionally, the audit reports for contests are published after the stages of contest finish, sponsor reviews, judging, and awarding are completed. This process could take from 2 weeks to over 6 weeks.\n\nCertain contests need RSVPs to be filled based on the sponsor's request and the 90-day leaderboard ranking of those who have RSVP'ed. The results of contests are dependent on how long judging takes, and the certification process can be started within 48 hours of the contest. \n\nThe company has expressed a desire to handle multiple contests simultaneously, potentially running up to 20 contests per week. This does suggest that while there may be some wait time, it is always a priority to ensure contests run smoothly and efficiently.\n\nPlease do note that the exact timeline can vary and it's best to reach out to the designated contacts for specific timelines or any other queries.", "Question: Where can I access and participate in the review of the source code for Maple Finance?\n\nAnswer: Maple Finance's source code reviews and discussions are mainly held in the context of participation as a warden. You can find relevant information in the 'findings.csv' file located at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434. This file contains all findings and payouts, which can be cross-referenced with the contest report. 
An issue related to Maple Finance's code, regarding the length to encode the address value, has been documented at https://github.com/code-423n4/2022-03-maple-findings/issues/16. In-depth discussions on specific issues can also be found on CodeArena's GitHub page. CodeArena hosts repositories ending in the suffix -findings, where each repository corresponds to a different audit. Remember that all relevant information for the audit can also be found at https://github.com/code-423n4/2021-08-floatcapital. \n\nIt's important to note that while the entire findings repository is made public and there are links to the findings repository in each report on the C4 website (https://github.com/code-423n4), access to the source code of certain protocol files, like the Nouns DAO protocol, may be restricted. Furthermore, there have been concerns raised about the mismatch between the number of lines of code (LOC) mentioned in the README.md and the actual lines in the contract files, so it's advisable to double-check these details. \n\nTo assist with code reviews, there are resources available for testing contracts downloaded from Github with tools like Mythril and Slither. For a more visual approach, you can use the tool at https://github.com/DanielVF/evm-contract-draw for smart contract visualization.", "Question: \nI'm new to running HEVM tests on the maple-core repo and understand it's set to use 100 fuzz runs by default. Since this could take hours, is there a way to speed up the initial test run and what steps should I follow for subsequent local tests?\n\nAnswer: \nYes, for first-time users running HEVM tests on the maple-core repository, the process could be time-consuming due to its default setting of 100 fuzz runs. We recommend making changes to the test.sh file, initially setting it for just 1 fuzz run to quickly populate the dapp-cache. \n\nFor subsequent local tests, you can increase the number of fuzz runs from 10 to 100 as necessary. 
Note that increasing the number of fuzz runs can provide more complex coverage but may also increase testing time. \n\nYou can adjust the number of cases generated by the fuzz tests using the configuration settings provided in Foundry. This guide [https://book.getfoundry.sh/reference/config/testing#fuzz] provides a detailed explanation on how to do it. \n\nWhile some participants suggest utilizing the existing test environment or writing new test cases, others have recommended checking the sponsor's GitHub for a potential test setup or extracting code to test it in isolation. \n\nRemember to be aware of the testing environment and the tools you're using. If you're using fuzzing tools like Echidna for auditing, be aware that there's a higher burden of proof to demonstrate a relevant exploit path. For more information, you can check this discussion: https://github.com/code-423n4/org/discussions/50. \n\nIf you are running tests in an environment like the polygon POS network, please note that some users have reported difficulty executing fork testing with Foundry. \n\nLastly, it's important to understand that these settings can be adjusted to meet your specific needs and the needs of your project. As such, it's always a good idea to test with a variety of settings to find the optimal balance between testing time and coverage.", "Question: Where and how can I access the results of previous CodeArena competitions, including findings, awards, and reports?\n\nAnswer: The results of previous CodeArena competitions, including both findings and awards, are accessible through several online resources. Findings from contests are posted in the section where contests are announced, and you can also locate them in the findings repo. They can be viewed after a contest finishes and once they are confirmed and discussed. If you submitted a report during a competition, you will receive a confirmation via email and can view your reports for contests that have already closed. 
\n\nYou can find a comprehensive collection of contest reports at [CodeArena Reports](https://code4rena.com/reports). If you want to view past contest awards, you can visit [Past Contest Awards](https://code4rena.com/contests/2023-01-numoen-contest). The cumulative results from the first two contests are also available on the leaderboard at [CodeArena Leaderboard](https://code423n4.com/leaderboard/). \n\nScoring breakdowns for past contests can be found in the #\ud83d\udce2announcements channel, on each contest page on the CodeArena website, or at [Scoring Breakdowns](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv). For data about previously available contests you can refer to the \"_data/contests/contests.csv\" file. \n\nFinally, please note that audit reports for recent competitions are typically published after the contests finish, following sponsor reviews, judging, awarding, and reporting.", "Question: Where can I find the results, awards, and findings of previous competitions on CodeArena? Can I also view others' findings and learn about the judging process of my submissions?\n\nAnswer: The results, awards, and findings of previous competitions are always published on CodeArena's website. While reports are generally reviewed and triaged immediately after a contest ends, they await sponsor review, final judging, and Quality Assurance before being made public. \n\nYou can find cumulative results, along with the leaderboard, from the first two contests on the website at https://code423n4.com/leaderboard/. Individual contest reports, like the ElasticDAO report, are also publicly available at links like https://ipfs.io/ipfs/QmU7JQUCuciGJ9EVApWnPvBCy32eYQnREDFGsxoyDR6w3j. \n\nThe submissions for a contest can be reviewed after the report is published. For instance, past contest awards can be viewed at https://code4rena.com/contests/2023-01-numoen-contest. 
You can also check all the reports you submitted during the competition and you will receive confirmation via email once your findings have been reviewed.\n\nTo view other participants' findings, you can visit the contests section on the website where the findings from contests are posted. However, these are only made public after the contest finishes, sponsor reviews are completed, and judging, awarding, and reporting are all done. \n\nThe judging process for your findings includes a sponsor review, judge review, sponsor confirmation, judge's final report, and the announcement of the results. Every step of this process will be transparent. More details about the judging and payout timelines after a contest ends are documented at https://docs.code4rena.com/structure/our-process. \n\nScoring breakdowns for past contests can be found in the announcements channel, on each contest page on the CodeArena website, or at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv. By reviewing these findings and scoring breakdowns, you can also get insights into how to improve your submissions for future contests.", "Question: How and where will CodeArena (C4) announce the results of project audits, publication of audit reports, and details about upcoming contests?\n\nAnswer: CodeArena announcements are made across several specific channels on our Discord server:\n\n1. The #announcements and the #\ud83d\udce2announcements channels are used to post the results of projects and public findings. This also includes the announcement of contest results once the judging process is complete.\n \n2. The #\u270brsvp channel is utilized to announce new public contests once they are confirmed. Users can check this channel to know about upcoming contests and raise a hand if they are planning to participate. Information about which contests are public can also be found here.\n \n3. 
The #audit-reports channel, which was suggested to be created, would be used to post a new message whenever a new report gets published on the CodeArena website. This channel would help distinguish between general updates and specific audit reports, ensuring clarity for the users.\n \n4. After a contest is closed, there is a certain unspecific period of time before the findings repository becomes publicly available for discussion. This delay is because the CodeArena team needs to get the green light from the projects involved and it can sometimes take a while.\n \n5. It's important to note that the leaderboard and rewards are shown and sent after a contest concludes, but the final report may not immediately appear on the CodeArena site. It's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project.\n \n6. Discussions about potential submissions with the project's development team are allowed during a contest, either in the contest channel or through private messaging.\n\nIn conclusion, to stay updated with contest results, report publications, and upcoming contests, users should keep an eye on the aforementioned channels.", "Q: How can I access and participate in current contests on CodeArena, as well as view details about past contests and my submissions?\n\nA: To participate in current contests, you first need to register as a warden. Join the #\ud83d\udc3ai-want-to-be-a-warden channel on our Discord and express your interest in participating. Once you're registered, you'll receive an invite to the warden channel. \n\nCurrent ongoing contests can be found on the CodeArena website under the \"live contests\" section [https://code4rena.com/contests](https://code4rena.com/contests). You can also use the C4 Stats tool available at [https://github.com/sseefried/c4-stats](https://github.com/sseefried/c4-stats) to access contest-related information. 
\n\nTo view your submissions for a contest, you can check the respective Github repository once the contest report is published. All past submissions can be found in any repository ending with -findings on the CodeArena GitHub: [https://github.com/code-423n4](https://github.com/code-423n4). \n\nAwards from past contests can be viewed at [https://code4rena.com/contests/2023-01-numoen-contest](https://code4rena.com/contests/2023-01-numoen-contest). Reports from past contests are also available at [https://code4rena.com/reports](https://code4rena.com/reports). \n\nIf you've made a submission and want to edit it, head to the contest page and click the \"Your Findings\" button. For instance, you can look at the Ethos Reserve contest page: [https://code4rena.com/contests/2023-02-ethos-reserve-contest](https://code4rena.com/contests/2023-02-ethos-reserve-contest). \n\nRemember, don't use the outdated Github template for submissions. Instead, use the \"Submit finding\" button of the specific contest on the main page to submit each finding separately. \n\nIn case you are curious about why a submission was not rewarded, you can review the discussion among sponsors and judges on the specific issue once the report is out and the repository is fully opened. \n\nKeep in mind that when the repo of a contest is made public, everyone has access to all the submissions, irrespective of whether they are valid or not.", "Question: How can I create, register, and manage my team in CodeArena?\n\nAnswer: To form a team on CodeArena, you first need to register as a Warden. Information about registering as a Warden can be found at [this link](https://docs.code4rena.com/roles/wardens). Once you've registered as a Warden, you can go to [code4rena.com/register-team](https://code4rena.com/register-team) to create your team. 
\n\nIn the process of team registration, you'll create a team handle, much like this example: [pocotiempo's handle](https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json). This is essential for submitting findings as a team. You can log in to your Code4rena account as usual (individual warden accounts) and then switch back and forth between your individual account and your team account before submitting.\n\nAdding new team members to an existing team is possible, and changes to team memberships can be made as well. If you face any technical issues while creating a team or modifying its members, such as a blank page opening when selecting members, you can open a help desk request at [code4rena.com/help](https://code4rena.com/help). If you want to change your team's name, you'll need to submit a similar request. \n\nOnce a team is approved, participants can log in and submit findings as part of the team. Team members can choose to submit findings either as individuals or as part of the team, giving flexibility during audits. Please note that sometimes the process of creating a team might need approval from the Code4Arena (C4) team, especially when issues arise. \n\nIf you're part of a bot crew, please note that this is different from a regular team and requires registration during the qualifier.", "Question: How do I become a registered warden at CodeArena and what does the process involve?\n\nAnswer: To become a registered warden, you will first need to join the #\ud83d\udc3ai-want-to-be-a-warden on our Discord server and express your interest. Once you have done this, you will receive an invitation to the warden channel. Registration is essential to gain permissions to specific channels, join competitions, form or join teams, get your wallet whitelisted, and even to participate in private contests. To get a detailed guide on how to register as a warden, please refer to this link - https://docs.code4rena.com/roles/wardens. 
\n\nIf you're interested in becoming a certified warden, there is a separate process that involves completing an application. More details about this can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. The certification also includes a Know Your Customer (KYC) process. You can apply to become a certified warden at https://code4rena.com/certified-contributor-application. Eligibility requirements and necessary documentation for becoming a certified member are provided at https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor. Once you become a certified warden, you are allowed to participate in private contests and specific contests like the PolynomialFi contest.", "Question: What is the process for creating, modifying and operating a team on CodeArena?\n\nAnswer: You can create a team on CodeArena at code4rena.com/register-team or directly on the platform. When creating a team, you have to register a unique team handle as demonstrated here: https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json. After the team is created, if you experience any technical issues such as a blank page opening when selecting members, you are encouraged to open a help desk request at https://code4rena.com/help. \n\nOnce your team is approved, which can take up to a few business days, you and your team members can log in and submit findings as a team. Modifications to the team, such as removal or addition of members, can be made by submitting a request through the help desk. \n\nTo submit issues as a team, use your team handle when dropping a Pull Request (PR). You can also add other members' handles. However, note that the exact process of submitting issues as a team has not been clarified in detail. 
\n\nIf you wish to learn more about how teams operate on CodeArena, including how prizes are split and how reports are submitted, or if you want to know how to change a team's name, all information can be found in the organization's docs at https://docs.code4rena.com/structure/our-process and https://docs.code4rena.com/roles/wardens#registering-a-team.\n\nFinally, after a contest is completed, the process includes Sponsor Review, Judging, Awarding, and then Reporting. The final published report allows participants to see the results of their submissions. The leaderboard will also be updated once several of the process pieces have been glued together.", "Question: \nIs MPL listed on BSC, and if so, could you confirm if this is your contract address: 0xe17b001ce782ad7ba40acbf27feb9ad1eea2f09e? \n\nAnswer: \nCurrently, we are unable to confirm the listing of MPL on BSC or validate the provided contract address (0xe17b001ce782ad7ba40acbf27feb9ad1eea2f09e). However, we can confirm that the contract address for our Arena tokens is 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222. If you are looking for more information about specific contracts, links to contract details are often provided on the contest page, such as in our Streaming Protocol Contest [here](https://code4rena.com/contests/2021-11-streaming-protocol-contest). For on-chain contracts, we've found this tool useful for viewing them in an IDE like remix: [https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484](https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484). To check if a contract has been initialized on the Ethereum mainnet, you might find automated tools helpful. Be cautious of any potential vulnerabilities, including price manipulation, in the contracts you interact with, for which tools like [MetaTrust](https://app.metatrust.io/project) can be used. 
For more details on smart contracts and flash loans, consider visiting resources like [EIP-1271](https://eips.ethereum.org/EIPS/eip-1271).", "Q: I'm trying to update the submodules for the maple-core repository via public git, but I keep getting a 'Permission denied (publickey)' error. How can I resolve this issue or obtain necessary files? \n\nA: The 'Permission denied (publickey)' error you're seeing could be due to the repository being private until the issues have been mitigated and cleared for publication. You might not have access to the repository or it could be due to a technical issue with GitHub. You should verify that you're logged into the same GitHub account that you've registered with C4. \n\nYou can use the git clone command with submodules to obtain necessary files. For example, you can type `git clone https://github.com/code-423n4/2023-01-astaria.git -j8 --recurse-submodules` in your terminal. \n\nNote that while you can submit a \"Proof of Concept\" via Github, you do not have to make the repository public due to the risk of exposing vulnerabilities to the public. Instead, you can use a private gist. Keep in mind that submissions made through GitHub require approval as part of a warden's individual registration. \n\nIt's also important to remember that if you're a certified warden, you will be part of a permissions group/team on GitHub to give you access to private repos. However, being certified does not automatically grant you access to the repositories of contests you've participated in. You would need backstage access for that. \n\nIf you're still experiencing issues, you could reach out to the team. And once the repositories are made public, you can access all the issues, including yours. 
\n\nFor more information, you can check our official [Maple submission channel](https://c4-maple.netlify.app/) and not through email.", "Q: What is the recommended procedure for submitting findings to CodeArena, especially for Maple submissions?\n\nA: The recommended method for Maple submissions is through https://c4-maple.netlify.app/, not via email. However, if you encounter any issues with the submission form or if you're attempting to submit a large report, you can email your submission to submissions@code423n4.com.\n\nDuring the submission process, you can post a Notion link for the analysis report. You also need to include valid links to code fields. The submission form on Code4rena accepts Markdown for formatting the text. \n\nAfter submitting, you should receive a confirmation email from submissions@code423n4.com. If you do not receive this, or if you have submitted an entry to the wrong contest, you can fill out a form at https://code4rena.com/help/ to let the C4 staff know about the issue.\n\nYou can check whether your submissions were accepted at https://code4rena.com/reports. If you have issues with viewing the repo or submitting findings, you can resolve these by ensuring your GitHub account is logged in and is the same one associated with your C4 account.\n\nIf you are submitting findings for a contest, you need to review and make a pull request for your handle at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles.\n\nPlease note that there have been instances of receiving an error message when attempting to submit a form. If a gas report is larger than ~65k characters, it can't be submitted through the form due to Github's max character limit for issue descriptions. In such cases, the submission should be emailed. 
\n\nIt's also worth mentioning that Code4rena is considering changing its policy so that all submissions are graded and paid accordingly, regardless of the time of submission: https://github.com/code-423n4/org/discussions/34.\n", "Question: How can I add or change my handle in the code423n4.com repository, and what is it used for?\n\nAnswer: Your handle in the code423n4.com repository can be any handle you choose and is not limited to Github or Gab handles. Its main uses are for leaderboard placement at code423n4.com/leaderboard and for processing awards. To participate in contests, you need to review and submit a pull request for your handle on this page: https://github.com/code-423n4/code423n4.com/tree/main/_data/handles.\n\nYou have the option to link your Twitter handle and profile picture to your CodeArena profile by following these instructions and making a pull request for your handle. You can also link your GitHub repositories as proof of concept in your findings submissions. To find reported vulnerabilities in the GitHub repo, you can search for your username or handle. \n\nIf you are part of a team, you can register the team by creating a team handle as demonstrated here: https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json. Team handles can also be created by submitting a pull request and using the team handle when reporting issues. \n\nPlease note that changing handles on CodeArena can currently be challenging due to design choices, although changes to make this process easier are expected in the future. 
If you need assistance adding a Twitter handle to your profile or have any other related questions, you can submit a help request.", "Question: I've executed a team request submission, is there anything else I need to do to complete the team addition process?\n\nAnswer: Once you've successfully submitted your team request at https://github.com/code-423n4/code423n4.com/pull/28, you've done most of the necessary work to add your team. However, please note that the process of approving a team for CodeArena contests can take up to a few business days. \n\nOnce your team is approved, team members can log in and submit findings as a team. They can choose whether to submit findings under their solo handle or team handle. Additionally, it's feasible for teams to modify their membership by submitting a request through the help desk. If you need to add new members to an existing team or encounter issues with adding members, you should submit a help desk request at https://code4rena.com/help. \n\nIn case you need to update your team information, you will need to create a new pull request (PR). It's important to note that team PRs need to be accepted by someone from the team. Also, you can submit issues as a team through a PR and add your team handles when reporting issues. \n\nRemember, by submitting as a team, all members receive the bug statistics. If your team meets certain requirements based on audits with published results, you can submit a helpdesk request. Please keep in mind that some users have reported issues with adding members to their teams, so if you encounter difficulty, it might be resolved by trying again on a different day.", "Question: What is the process for adding a new team and updating team information on CodeArena?\n\nAnswer: To add a new team to CodeArena, a team request can be submitted on Github at https://github.com/code-423n4/code423n4.com/pull/28. This request needs to be accepted by someone from the team. 
If you encounter any issues during team creation, you can refer to specific cases like this one https://github.com/code-423n4/code423n4.com/pull/1620. \n\nFor updating team information, you need to create a new pull request (PR). For instance, if you want to add a new member to your team, consider submitting a request through the help desk at https://code4rena.com/help. \n\nTo participate in contests, team members need to review and make a pull request for their handle at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles. \n\nYou can also attach a Twitter handle and profile picture to a Codearena profile by following the instructions provided at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles and making a pull request for the user's handle.\n\nRemember, when submitting findings, team members can choose to do so on behalf of their teams or as individuals by selecting either their solo handle or team handle. You can view the leaderboard at https://github.com/code-423n4/code423n4.com/issues?q=leaderboard. \n\nIf you encounter any issues or need to discuss team management, consider joining the discussions at https://github.com/code-423n4/org/discussions/43.", "Question: Where can I find information, updates, and resources about the Vader protocol for smart contract audits?\n\nAnswer: You can find the main repository for the Vader protocol at https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol. This repository includes all the smart contracts applicable for testing. \n\nFor updates and questions regarding the Vader protocol, refer to https://github.com/code-423n4/2021-04-vader. It also includes the latest updates about the Vader protocol, such as mathematical formulas of synths. \n\nThere was an issue with an old and incorrect version of Vether.sol being added to the Vader repository. 
The correct code that was deployed on the mainnet is available at https://etherscan.io/address/0x4Ba6dDd7b89ed838FEd25d208D4f644106E34279#code and the incorrect testing contract can be found at https://github.com/code-423n4/2021-04-vader/blob/main/vader-protocol/contracts/Vether.sol. \n\nFor answers to questions around the Vader protocol, you can direct messages to @strictly-scarce. \n\nPlease note that the missing logic, as outlined in the README of https://github.com/code-423n4/2021-04-vader#known-deviations-from-spec, is outside the scope of the review. Lastly, for in-depth information about the Vader protocol, you can review the mathematical formula for syntheticAssets at https://github.com/code-423n4/2021-04-vader/commit/3041f20c920821b89d01f652867d5207d18c8703.", "Question: I'm interested in the Vader protocol bounty. Can you provide some information on how many people have registered, how to get updates, where I can find the repository, and how to submit questions or concerns?\n\nAnswer: Yes, we have a significant number of wardens competing for the Vader protocol bounty. If you are interested in staying updated about the Vader protocol, all the updates and questions related to it can be found on our GitHub page, here: https://github.com/code-423n4/2021-04-vader. \n\nThe repository for the Vader protocol, including any contracts applicable for testing, is available at https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol. \n\nIf you have any specific questions about the Vader protocol, you can send direct messages to @strictly-scarce. If you want to participate in the competition, you need to sign up as a warden. \n\nRemember, to join any competition or contest, including the Vader Protocol bounty, you need to be a registered warden. We have also recently added a new qualifications section on the warden registration page due to the increased number of warden registrations. 
\n\nKeep in mind that while we encourage competition, we also value collaboration and helpfulness within our community. Happy hunting!", "Question: What is the status and process of updates for past project results on CodeArena?\n\nAnswer: The status of past project results can be tracked in the \"Past Contest Status Updates\" section on CodeArena's website. This section provides a timeline representing the progression of each contest. However, it's important to understand that even after a contest has been judged and awards have been calculated, the final report may not always be immediately available on the site. This is because our team needs to get the green light from the projects involved to release the report. Please note that the public report page is typically updated mid-contest.\n\nAs for specific project updates, at the time of the last conversation, results for the Stader labs, Base, and Enso contests were pending, but should be available soon. The Biconomy Hyphen 2.0 contest's audit results are under review and are expected to be published in the coming weeks. Updates on the LPT and INS awards are also expected soon. \n\nThere have been inquiries about the Caviar/Rubicon and the \"Masons\" audits, but no specific updates have been provided yet. There was also a query regarding the absence of a \"Blockswap FV contest\" in the \"Past competition status updates\".\n\nPlease be aware that the time taken for project findings to get reviewed varies with each contest. Projects do have access to submitted findings before the contest completion. For instance, the leaderboards and rewards of a project may have been shown and sent, but the final report could still be pending.\n\nLastly, please note that we are in talks with several people about potential new audits, so stay tuned for more upcoming competitions. 
We are continually working to improve our report and rewards calculation system, and a batch of reports is expected to be published soon.", "Question: What is the timeline for publishing past project results and what factors can affect this?\n\nAnswer: The timeline for publishing past project results can vary depending on multiple factors such as the number of submissions, the complexity of the audit and the time taken for judging. Generally, projects have access to submitted findings before the contest completion, but the exact timing of the findings repository becoming public is not specified and can sometimes take a significant amount of time, usually between 2 to 6 weeks, but sometimes longer. The release of the final report requires the green light from the projects involved and even after the leaderboards and rewards have been shown and distributed, the final report may not always be immediately available on the C4 site. If participants are interested in tracking the status of their reports, they can check the \"Past Contest Status Updates\" section which provides a timeline of where contests are currently in the process. Feedback for submitted issues typically comes once the contest has closed and the report is published. For more details, you can refer to the organization's docs at https://docs.code4rena.com/structure/our-process. Please note that the timeline can be affected by special circumstances, such as a high participation rate, like with the Yaxis project which will take longer to be released due to numerous submissions to review.", "Question: When and how are the Marginswap contest awards distributed and results announced at CodeArena?\n\nAnswer: The Marginswap contest awards and results are typically announced the day after the chat. Once the results are announced, they can be found in the announcements channel and published on the leaderboard, which also gets updated. The awards distribution process usually begins shortly after the announcement. 
The distribution is done manually, in batches for multiple contests at a time. The payouts for the awards are generally released between 1-2 weeks after the announcement. This timeline can vary, as the signatures for the award distribution are often finalized in our standard Monday meeting, meaning that any announced awards usually get processed on Monday or Tuesday of the following week. Please note that these timelines may change depending on the judging process for each contest. For example, if there is a delay in judging or sponsor review, as we have seen with Maple, the announcement and distribution of awards could be pushed back. Also, please be aware that we are currently making changes to the award calculation process which might affect the distribution timeline.", "Q: How can I find updates and ask questions about the Vader protocol?\n\nA: You can find the latest updates about the Vader Protocol, including mathematical formulas of synths, on our GitHub repository at https://github.com/code-423n4/2021-04-vader and https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol. If you want to ask questions about the Vader protocol, you can direct message @strictly-scarce. You can also review contracts in the Vader repository for testing purposes at https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol/contracts. For context, our platform hosts a number of competitions, including the current Spartan Protocol contest and the past Blockswap FV contest. Open discussions are encouraged, especially for broad questions about these contests. Take note that if you come across any sensitive vulnerabilities or issues, we are working on procedures for sensitive disclosures. Updates on these procedures will be announced soon.", "Question: Can you provide some information about the updates and their expected timelines for CodeArena?\n\nAnswer: The timeline for updates is not fixed as it depends on a variety of factors. 
However, here's the information available:\n\n- Updates regarding past project results are being worked on and are expected to be published soon. Exact dates are not specified, but you can expect a batch of reports to be released soon.\n- An update about the paused backstage applications is likely to be posted within the next two weeks. However, the exact date for the resumption of these applications is still not available.\n- There are changes being made to the report and rewards calculation system, and due to this, the content reports after February have not been updated on the homepage. The new system is taking time to compile and a batch of these reports will be published once ready.\n- The findings repository usually takes some time to become public, the exact timing is not specified.\n- The leaderboard and handles will be updated once several process pieces have been arranged and the backlog of dependencies is cleared.\n- The reward distribution is planned to be completed by the weekend and is likely to go out the next week. The status of LPT and Insure payments is also due to be released soon.\n- The certification status from Provenance is generally updated within 5 business days by the C4 team. \n- If you are looking for ways to get notified when a new report is published, keep an eye on our Discord channel and the official website.\n \nPlease note, these updates' timing can vary, and it's always best to check the latest status on our website or Discord channel. 
You can also find more detailed information about our process in our organization's docs at https://docs.code4rena.com/structure/our-process, and for specific instructions and guidelines, you can refer to https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Question: Where can I find the most recent updates, details, and resources regarding the Vader protocol?\n\nAnswer: The most recent updates regarding Vader protocol, including mathematical formulas of synths, can be found on CodeArena's Github page: https://github.com/code-423n4/2021-04-vader. For more specific information about the Vader protocol's repository and any other contracts, visit: https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol/contracts. \n\nIf you have any individual questions around the Vader protocol, you can send direct messages to @strictly-scarce. You might also be interested in the ongoing competition for the Vader protocol bounty which is available for testing. \n\nAs a side note, VETH is a fair launch distribution mechanism for VADER, a liquidity protocol. Further explanation and information can be found at https://linktr.ee/VaderProtocol. \n\nIt is important to note that an old and incorrect version of Vether.sol was added to the Vader repository. The correct code that was deployed on the mainnet is available at https://etherscan.io/address/0x4Ba6dDd7b89ed838FEd25d208D4f644106E34279#code. The incorrect testing contract is available at https://github.com/code-423n4/2021-04-vader/blob/main/vader-protocol/contracts/Vether.sol. \n\nAdditional updates can also be found on the Discord link: https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490, as well as in the #\ud83d\udce2announcements channel and the C4 newsletter.", "Question: \nWas an outdated and incorrect version of Vether.sol mistakenly uploaded to the Vader repository? 
If so, where can I find the correct version that was deployed on the mainnet and the incorrect testing contract?\n\nAnswer:\nYes, an older and incorrect version of Vether.sol was mistakenly added to the Vader repository. You can find the correct code, which was deployed on the mainnet, at this link: https://etherscan.io/address/0x4Ba6dDd7b89ed838FEd25d208D4f644106E34279#code. \n\nThe incorrect testing contract that was uploaded can be found at this link: https://github.com/code-423n4/2021-04-vader/blob/main/vader-protocol/contracts/Vether.sol. It's worth noting that any other contracts in the Vader repository at https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol/contracts are classified as applicable for testing. \n\nThis scenario isn't unusual as it's common for projects to copy and paste OpenZeppelin source code into their repositories instead of using the npm library, but it can lead to confusion. Always ensure to verify the solidity versions used, their stability, and security, besides just the latest versions. \n\nIf you're interested in understanding smart contract interaction, you might find graphical interfaces helpful. However, be aware that some tools like Surya (https://github.com/ConsenSys/surya) are potentially outdated. \n\nLastly, if you ever spot a discrepancy between the number of lines of code (LOC) mentioned in the README.md and the actual lines in the contract files, please raise the concern. An example of this was noticed in Sherlock finance's repo: https://github.com/code-423n4/2022-01-sherlock.", "Question: \nCan someone from CodeArena confirm the provided information about Vader-Review and provide additional details about its updates, repository, and bounty competition?\n\nAnswer:\nYes, the information about Vader-Review has been confirmed by the main Vader developer. 
You can find questions, updates, and the latest developments regarding the Vader protocol at our Github repository: [https://github.com/code-423n4/2021-04-vader]. \n\nFor more specific inquiries around the Vader protocol, you can send direct messages to @strictly-scarce on Discord. \n\nPlease note that the repository for the Vader protocol is available here: [https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol]. It should be noted that any other contracts in the Vader repository at the aforementioned link are also applicable for testing. \n\nRegarding the Vader protocol bounty competition, there are quite a number of wardens participating. If you are interested in the competition or have submitted findings, be aware that wardens can see their submission and the comments in their submission after the announcement once the repo is set to public, unless they are certified for backstage access. \n\nRemember, in CodeArena, wardens who report a finding first, as well as those who subsequently found the same issue, are recognized in reports such as the Olympus report. To learn more about being a warden, you can check our warden guidelines at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues].\n\nWe hope this information helps and please feel free to reach out if you have further questions or require additional clarification.\n", "Question: Are all the contracts in the Vader repository applicable for testing? How does the process work if some contracts are already deployed or if they inherit from other contracts?\n\nAnswer: Yes, all contracts in the Vader repository at https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol/contracts are applicable for testing. It's important to note that some of the contracts under discussion might already be deployed, while others might not be. Regardless of the status, these contracts are still subject to testing and auditing. 
\n\nIn terms of inheritance, if a contract is in scope for an audit and it inherits from another contract, both contracts should be audited. This especially applies to contracts that implement internal functions of another contract. For instance, if Contract A inherits from Contract B, and Contract C inherits from Contract A and accesses the internal functions of Contract B, then all three contracts should be audited. \n\nWhen auditing, you can utilize tools like Mythril and Slither to test contracts downloaded from Github. You can also use tools to compare differences between contracts, which can be helpful when auditing contracts that have been inherited or extended. \n\nIt's also worth mentioning that if there's a bug in a contract that's in scope, but it impacts another contract that's out of scope, the impact might count towards the audit. This decision is generally up to the judge. Additionally, vulnerabilities affecting a main contract, even if found in an out-of-scope contract, should still be reported. \n\nRemember that it's crucial to conduct thorough tests in solidity to check various aspects of the contracts being audited. Depending on the complexity of the contract, you might choose to use a private testnet or a public testnet for testing. A private testnet may be a more suitable choice for simpler contracts or exploratory development, while a public testnet can be useful for scenarios involving large numbers of users and complex state. \n\nLastly, while the scope of the audit is primarily focused on contracts, there may be uncertainty about whether to include script folders. 
If you have questions or concerns regarding this, please seek clarifications in our chatroom.", "Q: How is the evaluation and submission process carried out for CodeArena contests, especially in terms of security findings, proof of concept and the impact of automated findings?\n\nA: For CodeArena contests, evaluations are conducted on the contest repository provided by the participants, with the assumption that it's complete. The role of our Scouts is crucial in this process, as they prepare the contest repository, ensuring the sponsor-provided files are in order and the test files don't pose any security vulnerabilities.\n\nSecurity findings, particularly those highlighting the impact of missing functionality, are an important part of the evaluation. Participants are encouraged to submit proof of concept alongside their findings, linking their GitHub repositories if necessary. This includes providing direct links to all referenced code in GitHub and adding screenshots, logs, or any other relevant proof that illustrates the concept. For an issue submission to be effective, the vulnerability, its impact on the protocol/code should be well-explained in the impact section, and the proof of concept section should contain the relevant code lines or add a written test that illustrates the exploit.\n\nAutomated findings are also considered, and you can refer to our submission policy for more details (https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). The same vulnerability found in multiple different components of the codebase might count as separate findings, but it's ultimately up to the judges to determine if they're duplicates.\n\nIt's important to note that if a submission to a contest is not rewarded, participants can review why their submission was not accepted once the report is out and the repository is fully opened. 
This gives them an opportunity to understand the deliberations among sponsors and judges about the specific issue.\n\nFor further guidance on the submission and evaluation process, participants can refer to our submission guidelines (https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). We also encourage participants to read https://github.com/code-423n4/org/discussions/34 for more insights into our evaluation process.", "Question: How does CodeArena handle the evaluation of missing logic in smart contracts and the potential impact it may have on existing logic?\n\nAnswer: At CodeArena, we consider all inputs when evaluating the correctness of missing logic and how it may interact later with existing logic in smart contracts. However, it's important to note that certain elements of missing logic, as outlined in the README of our GitHub (https://github.com/code-423n4/2021-04-vader#known-deviations-from-spec), could be outside the scope of the review. \n\nWe understand that some bugs might rely on users making a mistake in interaction with a contract. Such bugs may still be valid, but they are likely to have a different severity compared to those that do not require a mistake. We also take into account oracle validations, such as checking for stale values, which could be considered one issue if missing. \n\nIn the context of our audits, a valid issue can include the loss of precision described within the code to better assess the potential impact. When reporting an issue, we recommend including a proof of concept (PoC). A finding may be disregarded without a PoC unless the issue is extremely obvious, such as a wrong parameter, typo, or code that doesn't compile. If an issue is disregarded, participants are encouraged to ask judges for feedback to understand the reasoning behind the ruling and see what could be improved. 
\n\nIt's also worth noting that participants might report a variety of findings based on different combinations of issues found to create different attacks. However, it is generally considered unlikely that no high or medium severity issues would be found, as no code is considered perfect. We strive to ensure that our audits are thorough, comprehensive, and fair for all participants.", "Q: I'm having trouble accessing certain links on Github related to CodeArena (C4), such as repositories, PRs, and issue links. I also have questions about linking to Github in my reports. Can you provide some guidance?\n\nA: Absolutely. First, it's important to note that some users have experienced 404 errors when trying to access certain Github links. If this is the case for you, please let us know so we can correct the issue. For instance, there were issues with links like [this](https://github.com/code-423n4/2023-07-axelar-findings) and [this](https://github.com/code-423n4/2021-04-redacted) which have since been resolved.\n\nRegarding report submissions, you can link your Github repositories as proof of concept. However, adding a link that points to a sponsor's Github repo code does not automatically pull in that code snippet to the report. For the 'Links to Affected Code' section of high/medium findings, you can add the Github permalink for the respective code block. You can find more information about creating a permanent link to a code snippet on Github [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-a-permanent-link-to-a-code-snippet#linking-to-code).\n\nIf you're looking for all approved findings and gas optimizations, they can be found in the findings repo, linked [here](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv). Rejected reports can be found at [this link](https://github.com/search?q=org%3Acode-423n4+is%3Aissue+label%3Ainvalid). 
If you do not have access to the findings repo, please request to be added to the backstage group on Github.\n\nLastly, we are exploring the possibility of integrating our website with Github to track specific timestamps. This integration, if implemented, might improve access and navigation to specific issues and resources related to CodeArena's operations.", "Question: How does CodeArena handle the audit scope regarding missing functionality as outlined in the README, and how are these situations considered during the contest?\n\nAnswer: At CodeArena, the missing functionality, documented in the README, is perceived to be outside the scope of the review. This is based on the assumption that the submitted repository for the contest is complete. However, findings that emphasize the security implications of such missing functionality are taken into consideration. \n\nIt's important to read the README.md file for each contest, as it clearly outlines what's in the scope for auditing and what isn't. An instance of an attack path that assumes the missing logic to be functioning as intended would be viewed as valid. Conversely, an attack path that assumes the liquidation logic to be non-existent or malfunctioning would be judged as invalid.\n\nFor clarity on what is considered a valid issue concerning assumptions made in the code that aren't explicitly addressed in the README or code comments, it's recommended to refer to https://github.com/code-423n4/org/discussions/34. If the concerns are about inconsistency, process, or lack of clarity in rules, participants are urged to review issues at https://github.com/code-423n4/org/issues, where they can add fact-based comments, endorse suggestions, or open new issues.\n\nLastly, if there's a mismatch between the number of lines of code (LOC) mentioned in the README.md and the actual lines in the contract files, it's subject for clarification with the CodeArena team. 
An example of this discrepancy was noticed in Sherlock finance's repo at https://github.com/code-423n4/2022-01-sherlock.\n\nIn conclusion, while the missing functionality outlined in the README is generally seen as outside the review scope, its security implications are considered significant in the evaluation process. The README file serves as the main guide for understanding what's included in the audit scope, hence it's advised to read it carefully before initiating the audit.", "Question: Why am I experiencing a 404 error when trying to access certain repositories on CodeArena's GitHub, such as https://github.com/code-423n4/2021-04-redacted?\n\nAnswer: The 404 error usually occurs when the server can't find the page you're trying to access. In the case of CodeArena's GitHub repositories, there may be a few reasons for this. It could be that the repository's link has changed or the repository has been made private temporarily. For instance, some users experienced the same 404 error when trying to access https://github.com/code-423n4/2021-04-redacted, but the issue was later resolved as the link was made public. \n\nIf you find that a certain repository is not accessible, it might be due to similar reasons. CodeArena hosts repositories ending in the suffix -findings, such as https://github.com/code-423n4/2022-04-backed-findings. If you're unable to access a certain '-findings' repository, it might be undergoing updates or revisions.\n\nIt's also worth noting that some links to the repositories in the contests have been reported as not working, which is likely due to similar reasons. You can check the entire findings repo which is made public, at https://github.com/code-423n4. 
If the problem persists, it would be best to report the issue to CodeArena for a resolution.", "Question: Can you provide more information on VETH and its function within the VADER liquidity protocol?\n\nAnswer: VETH serves as a fair launch distribution mechanism for VADER, a liquidity protocol which combines various features such as slip-based fees of Rune, Impermanent Loss (IL) protection of Bancor, burn-to-mint stablecoin of Luna, pool collateralized synthetics with 1:1 purchasing power that are interest yielding, and synths that also facilitate borrowing directly from the Automated Market Maker (AMM) for capital efficiency. \n\nVether is specifically designed to drive value accrual from Vader to Ether using a daily auction process. This requires participants to burn their Ethereum (ETH) in order to obtain VETH. You can find more detailed information about this process on the official Vader Protocol website at https://linktr.ee/VaderProtocol.\n\nPlease note that an older and incorrect version of Vether.sol was previously added to the Vader repository. The correct code, which was deployed on the Ethereum mainnet, can actually be found at https://etherscan.io/address/0x4Ba6dDd7b89ed838FEd25d208D4f644106E34279#code, while the incorrect testing contract remains available at https://github.com/code-423n4/2021-04-vader/blob/main/vader-protocol/contracts/Vether.sol. \n\nIt's crucial for auditors and developers to have an understanding of the Ethereum Virtual Machine (EVM) and Solidity, the primary programming language for Ethereum smart contracts, when engaging with such systems. This includes understanding how interfaces interact with smart contracts, as well as the utilization of tools to verify if a contract has been initialized on the Ethereum mainnet. 
\n\nUnderstanding these aspects can aid in identifying and resolving any potential bugs or vulnerabilities, such as the one identified in a vault which was referenced in an earlier discussion: https://etherscan.io/address/0x9705e8807aae04c7dc0967da9cab8af65d2f2135. \n\nLastly, it's important to register your handle along with your Ethereum (ETH) address to receive your share of any possible rewards or benefits from interaction with the VADER protocol.", "Question: How do I update and when can I expect my individual or team pull requests to be reflected in handles on CodeArena?\n\nAnswer: Submitting new pulls for individuals or teams to update in handles is a process currently undergoing rework due to a backlog of dependencies. Your handle - individual or team - can be created or updated by making a pull request at [https://github.com/code-423n4/code423n4.com/tree/main/_data/handles](https://github.com/code-423n4/code423n4.com/tree/main/_data/handles). Team handles can be used while submitting issues. However, changing your handle is not currently recommended as it may affect your participation in past and ongoing contests due to some design decisions.\n\nPlease note that the handles are primarily used for the leaderboard at [code423n4.com/leaderboard](code423n4.com/leaderboard) and for handling award processing. The leaderboard will be updated once several of these process components have been refined.\n\nWe are also working on enabling the use of the same handle with different wallets in a single contest and updates on past project results. The public report page is updated mid-contest. All these changes are expected in the near future, but we don't have a definite timeline as of now. \n\nPlease remember that any changes to team membership or information require a new pull request. Team pull requests need to be approved by a team member. You will be able to find your findings in the GitHub repository by searching for your handle. 
\n\nIn the meantime, you can attach a Twitter handle and profile picture to your CodeArena profile by following the instructions provided at [https://github.com/code-423n4/code423n4.com/tree/main/_data/handles](https://github.com/code-423n4/code423n4.com/tree/main/_data/handles) and making a pull request for your handle. \n\nLastly, we are working towards distributing contest rewards by the end of a specified week and updating information about upcoming contests on the specific channels. We appreciate your patience and understanding while we work on these improvements.", "Question: What should be considered when auditing a contract for Visor Finance, and what exactly falls under the scope of review?\n\nAnswer: In the case of Visor Finance, the scope of review is limited to the Visor.sol contract. This means that you should focus your audit efforts mainly on this contract. However, if this contract inherits from another contract, you should also audit the inherited contract as it affects the functionality of the main contract. \n\nAny findings related to gas optimization should be reported, as these are crucial for the performance of the contract. In addition, you should also consider the impact of misbehavior by the owner of the contracts during your review. \n\nThough the focus is mainly on the smart contracts, suggestions on other relevant areas are also welcome. If you come across a bug that's in the Visor.sol contract, but it impacts another contract that's out of scope, you should note this. The impact might count towards the final assessment, and this decision is generally up to the judge. \n\nIf you find a vulnerability in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding, or the project can be messaged directly. Sometimes, a vulnerability in an out-of-scope contract may be brought into scope by a judge if it's found to be significant. 
\n\nRemember to always read the README.md for each contest as it outlines what is in scope for auditing and what is not. For reference, the Vader repository for the contracts can be found here: https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol/contracts. \n\nIn auditing, it's important to understand the context and severity of the issues discovered, considering aspects like upgradeable contracts and storage variables. Tools for comparing differences between contracts can be useful in these audits. \n\nLastly, if you're new to auditing, you might notice that some contracts seem to be \"snapshots\" of OpenZeppelin (OZ) contracts. This is common, as OZ contracts serve as robust and trustworthy base code for many projects.", "Question: Can I ask questions about FairSide, including issue types, rewards, and platform functionality on C4's platform?\n\nAnswer: Yes, you can certainly ask questions about FairSide directly on the Code4rena (C4) platform or by sending a Direct Message (DM). Questions can cover a wide range of topics, including specific issues related to the platform, the scope of a contest, or the status of awards. Solidity questions and queries about more fragile aspects of the system are also welcome.\n\nPlease be aware that the results for FairSide awards are typically announced the week following the date of the chat or contest end. If you have concerns about not receiving an award, note that FairSide distributes these on the Polygon network.\n\nFor more in-depth questions regarding specific contests, such as the scope or submission rules, or even severity and in/out of scope questions, you can reach out directly to the respective sponsor. You can also openly discuss these issues before the contest ends. \n\nIf you're unsure about the judging process, you can ask the judges directly for feedback on your submissions. 
This can help you understand the reasoning behind the rulings and see what you could improve.\n \nIf you have any confusion about specific terms or procedures, such as the DAO voting system or the Certified Wardens process, feel free to ask Code4rena directly or in the designated channels for specific topics.\n\nDo remember that each contest may have its own specific contact points for questions, like the Reality Cards code, or unique rules and processes. For instance, there were specific queries about the \"steakhouse contest\" and a suggestion was made to read the relevant posts for more information.\n\nFor any inquiries about the validity of issues submitted in a contest or to find out how your findings were judged, you can ask directly or check the contest's results to see which findings were rejected and why. \n\nIn summary, C4 encourages all users to actively ask and discuss questions related to various topics, contests, and processes. Open discussions are valued as they enrich the learning experience for everyone on the platform.", "Q: How are gas optimizations scored and rewarded in the CodeArena contests?\n\nA: Gas optimizations are an important part of CodeArena contests. Participants can make submissions for gas optimizations, which are eligible for additional rewards. These rewards are usually taken from a separate award pool, which is determined and specified on the C4 website and each contest's individual page. An example was given in the chat of a contest with a $67,500 USDC main award pot and a $7,500 USDC gas optimization award pot. However, do note that not all contests have a gas optimization pool, like the one referred to in the link [here](https://code4rena.com/reports/2022-04-dualityfocus).\n\nThe gas optimization pool is shared among the reporters and is awarded based on the score of each gas report. 
The method for distributing these awards can be found at this [link](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic). While only one report of gas optimization can be submitted per contest, participants can add more findings to the report on the contest page under the 'Your Findings' button. \n\nWhen submitting gas optimization reports, it's necessary to specify how much gas is being saved for each optimization, though this requirement is ultimately up to the judge's discretion. For gas optimization reports, the award is usually 5% of the prize pool. However, this percentage can be altered by sponsors based on the importance of gas savings to their project. \n\nThere are times when participants have raised questions or needed clarification on gas optimization, and it's important to note that judges may have different criteria for acceptance. Participants can edit their submitted gas report findings on the C4 page while the contest is open. Always remember to check the specific rules and reward distribution of each contest as they may vary.\n", "Question: What are the key factors and considerations when selecting which contracts to review in the audit process for CodeArena?\n\nAnswer: Selecting contracts for review involves multiple considerations. Primarily, for Visor Finance, the Visor.sol contract should be audited. However, it's important to note that if a contract in the scope inherits from another contract, both contracts should be audited. This is with regards to the impact of potential misbehavior by the owner of the contracts, which should be reflected upon during the review. The contract's condition, whether already deployed or not, does not influence its eligibility for the audit.\n\nIn addition, the scope of review may extend beyond contracts to script folders, a decision that could vary based on the audit. 
To clarify uncertainties, we recommend always reading the README.md for each contest as it outlines what is in scope for auditing and what is not.\n\nThe severity of issues when reviewing them is also a significant aspect to consider. It's important to note that vulnerabilities affecting main contracts should be reported, even if found in an out-of-scope contract. The impact of such vulnerabilities might count, yet this decision is generally up to the judge. To better understand these aspects, a recommended resource is a video on contract auditing: https://www.youtube.com/watch?v=wCD3fOlsGc4 \n\nIn audits, we also look for gas optimisation in the contracts only. Resources to learn more about this, and other aspects of auditing contracts, are often sought by new users of our service. It's also worth noting that some contracts may appear as \"snapshots\" of OpenZeppelin (OZ) contracts, which is a common occurrence in the smart contract space.\n\nFinally, there is a trend towards running audit contests for contracts, which provides another avenue for auditing contracts, though this comes with its own set of operational and pricing considerations. As a company, CodeArena is recommended for contract audits in the crypto space due to our approach and expertise, with some suggesting to also include website audits in our scope.", "Question: How does CodeArena's audit contests work, particularly in terms of finding bugs, contest announcements, rewards and eligibility for certification?\n\nAnswer: CodeArena conducts audit contests which are similar to time-limited bug bounty programs. The contests are announced in advance on our platform. Participants, also known as wardens, compete to find bugs in the smart contracts under scrutiny. \n\nThere is no difference in the payout between the first person to find a bug and any subsequent person who finds the same bug. The overall value of the bug is decreased and shared based on how many people find it. 
The reward for findings can be calculated using the formula provided in our documentation available at [link](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). \n\nOnce a contest is finished, a report about the bugs found is released. This report can be used for learning and keeping track of the bugs already found. Bugs found are kept confidential until the contest ends and the judging process is completed. The findings can be submitted on our website [link](https://code423n4.com/reports). \n\nTo be eligible for certification, a warden must have encountered at least one high severity bug and competed in at least three contests. After a bug is found and reported, the severity of bugs can be altered after the contest ends either through the PR or by contacting one of the judges. \n\nWe also conduct mitigation contests with a different rewarding formula. Detailed information about these contests and their rewards can be found at this [link](https://docs.code4rena.com).", "Question: \nWhere can I find the main contracts for a Vault audit and how should I proceed with it?\n\nAnswer: \nThe principal contracts for a Vault are available in this comprehensive video tutorial: https://youtu.be/D-hSiGeNpuY. In addition to this, for specific audits like PoolTogether, the contracts in scope are linked in the README of the corresponding repository. Other contracts that may be applicable for testing can be found in the Vader repository at: https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol/contracts. \n\nWhile conducting audits, keep in mind that vulnerabilities affecting a main contract should be reported, even if they are found in an out-of-scope contract. Some contracts could already be deployed, while others may not. You can use tools like Mythril and Slither to test contracts downloaded from Github, and tools for comparing differences between contracts might be helpful as well. 
\n\nIf you're new to auditing, you might notice that some contracts seem to be \"snapshots\" of OpenZeppelin (OZ) contracts. This is common, as they are used as a foundation for building secure smart contracts. \n\nIt's important to always read the README.md for each contest, as it outlines what is in scope for auditing and what isn't. This may solve uncertainties about whether to audit only the contracts or also on the script folders. \n\nFor specialized audits, like for Visor Finance, only the Visor.sol contract should be reviewed. If in doubt, it's always a good idea to ask in the chat about the scope of review for any specific contracts. \n\nFinally, remember that abstract contracts are meant to be extended and are not supposed to be used on their own. They are like a template contract that needs completion before usage.", "Question: How can I execute the deployment script for a smart contract audit in Code4rena?\n\nAnswer: The process of executing the deployment script for a smart contract audit can vary depending on the specific contract environment and the tools you are using. If a deployment script is provided, such as the sample script shared for deploying and setting up Yield v2, you can follow the instructions in the script. \n\nIf you're working with a contract that takes a complex data type like a struct as an argument in the constructor, you might need additional guidance. In such cases, tools like Foundry can be useful. To deploy a contract on Foundry, you can try using commands like 'npm install foundry' and the `forge i` command to install dependencies. \n\nFor some contracts, you might need to mock the deployment. Tools like eth-brownie can be useful for this. If you've written a Proof of Concept (POC) script for a vulnerability, you can include the link to this script in your submission. \n\nPlease note that there is uncertainty among users about whether the audits should be conducted only on the contracts or also on the script folders. 
Also, some contracts may already be deployed, while others may not be. \n\nBe aware that it's suggested not to question the deployment of a proxy contract as it will be done correctly. If you're unsure about how to proceed, you can always reach out for help or guidance in our Discord chatroom. \n\nIf you want to view the code for the contest, you can check the script available at https://github.com/Picodes/4naly3er. You can also view the contract files and submit your findings using the \"View Repo\" and \"Submit Findings\" buttons for certified wardens.\n\nFor more detailed guidance, please refer to the observations from the chat in our Discord channel.", "Question: How can I gain access to private contests and resources, such as the findings page and private audit contests, on CodeArena?\n\nAnswer: Access to private contests and certain resources on CodeArena is restricted based on user privileges. To participate in private audit contests, you need to be a certified warden. More details about this can be found at the specific link: [https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0](https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0). \n\nPrivate contests have their RSVPs available in a channel only visible to certified wardens. If the contest's RSVP is in the public channel, then it is a public contest. Things like the findings repository remain private until the final report is published. \n\nAccess to the findings repository is granted to Certified+ users, but it has not been rolled out to everyone as of the time of the chat. Immediate access to the findings repo can be granted when a contest ends. \n\nBackstage access allows you to access certain private features and resources. However, it's worth noting that the backstage access feature was disabled due to an individual abusing the privilege. Currently, applications for backstage access are suspended until further notice. 
\n\nHowever, users can privately ask questions and receive guidance on more fragile aspects of the system. We also offer video resources, such as our YouTube channel where office hour sessions are recorded and uploaded. For instance, there is a video walkthrough for the Connext flash contest at this link: [https://youtu.be/ABEOIKzEshA](https://youtu.be/ABEOIKzEshA). \n\nRemember to adhere to CodeArena's guidelines when participating in contests, to maintain an honest and respectful community environment.", "Question: How can I participate in CodeArena's contests, track my submissions, understand the grading system for findings, and stay updated about new reports and contests?\n\nAnswer: To participate in CodeArena's contests, you need to keep an eye on our announcements for upcoming events. If you're specifically interested in the \"steakhouse contest\" or private contests, we recommend reading relevant posts about these events, as private contests require special access. \n\nOnce you've submitted a finding or report, it's possible to check the submission status via your profile. For first-time submitters, you can also investigate the status of your report by visiting the specific contest page and checking the 'submissions' tab. If you wish to modify submitted findings, you can do so from the same area.\n\nThe grading system for findings in a contest is based on several factors, including the severity of the issue reported and the quality of the report. For insights into how your findings were judged, you can visit the contest page again after the contest ends and review the comments left by our team on your submission. \n\nIf your findings get rejected, the reason for rejection will also be explained in these comments. 
To understand more about our QA report grading system, we recommend reading our guidelines available on our website.\n\nTo stay updated about new reports, contests and other events, you can enable notifications in your profile settings or follow our official communication channels. Look out for announcements about our 'Bot Races', the Certified Wardens process, and other exciting events. We also have a 'Scout' role for individuals interested in staying informed about the latest in the world of smart contract auditing.\n\nIf you're interested in collaboration or investments, or if you have specific inquiries about auditing projects and our processes, feel free to contact our team directly. We provide a roadmap and resources for those looking to learn more about web2 security in the context of web3 security. \n\nLastly, always be mindful of potential scam alerts raised by our community and ensure to complete the KYC process to protect your identity and rewards. We're committed to creating a safe and transparent environment for all.", "Question: Why are some Code4Arena resources, such as videos or contests, initially set to private?\n\nAnswer: At Code4Arena, some resources, such as videos, contests, or findings repositories, are initially set as private due to a variety of reasons. For instance, findings from audits or contests are kept private until the final report is published, to facilitate learning and to respect the privacy and security of the companies involved. Similarly, user-created content such as \"Proof of Concept\" is also encouraged to be kept private initially to avoid exposure of vulnerabilities. Private gists on Github are often used for this purpose. \n\nPrivate contests are only accessible to certified wardens and their RSVPs are only posted in a channel visible to them. This is to maintain the integrity of the contest and privacy of the participants. 
Videos, such as office hour sessions, are often recorded and uploaded on our YouTube channel [Code4Arena YouTube Channel](https://www.youtube.com/@code4rena) the following week. Some videos are initially set to private to control the dissemination of information and are made public at a later date. \n\nIt's important to note that not all resources are kept private. Public contests, for example, have their RSVPs posted in the public RSVP channel. Also, after the issues found during audits or contests are mitigated and cleared for publication by the sponsors, the corresponding repositories are made public. Lastly, always remember that it's okay to set up separate accounts for your Code4Arena work for privacy reasons.", "Q: Why was an explanation of how users interact with Yield v2 shared in the chat instead of a video?\n\nA: The chat-based explanation for Yield v2 was chosen due to its interactive nature, which allows users to ask specific questions about Yield v2 and its code in real-time or in private. This provides an opportunity for users to receive guidance on more intricate aspects of the system, which can be more challenging to address in a video format. \n\nAdditionally, a sample script to deploy and set up Yield v2 has been shared in the chat, providing a hands-on approach to understanding the system. However, we understand some users may struggle with concepts such as the relationship of interfaces to smart contracts. For such users, we have a video explaining the main contracts in the Vault at https://youtu.be/D-hSiGeNpuY and we are also considering creating a Loom video to illustrate how to set up the environment. \n\nFor more in-depth understanding of smart contracts, the Ethereum Beige Paper, a more digestible version of the Ethereum Yellow Paper, is a good resource. Furthermore, we are open to discussions on different aspects of smart contracts, such as gas optimization or understanding solidity syntax and programming. 
\n\nLastly, regarding the submission of any findings or issues with the code, users are allowed to make a \"secret gist\" to show a code example without being disqualified for disclosing a problem. And if you find large text that doesn't fit in the textbox on the help desk site, you can link a gist.", "Question: What is the timeline for the submission deadline, and are there any specific rules or guidelines that participants should be aware of?\n\nAnswer: The timeline for the submission deadline can vary depending on the contest. For instance, some contests like the one involving over 12k sloc have a timeline extended up to 4 weeks. In some cases, due to unforeseen circumstances such as GitHub issues, extensions are granted. For example, the Rolla contest was extended by 24 hours [Link](https://discordapp.com/channels/810916927919620096/953009382021533696/956244354496856174). \n\nTypically, it is clarified when the stop time for submissions is, like it was noted as February 21, at 2359 UTC for one contest. There has also been a request for a countdown timer to be implemented to help participants keep track of the deadline.\n\nAfter the contest close, wardens usually start the process within 48 hours. Furthermore, participants have 30 days to complete the process after finishing the audit. \n\nPlease note, there can be a grace period provided on submissions. Also, in case of larger projects, there is an option to extend the project timeline to 4 weeks or more if the sponsor agrees. \n\nIn the process of a contest, the certification process can be started within 48 hours and upon completion, the participant might be awarded if they are eligible for an amount. \n\nThe team aims to process awards much faster and has a goal to process a list of awards by the end of the week. 
However, there can be delays as observed in a period where there were 24 days without announcements of rewards.\n\nAs for the inquiry regarding the extension, it is safe to say that the contest in question was likely delayed. You can always check in the Discord chatroom for updates, or contact support for any inquiries. \n\nFor future contests, keep an eye on our announcements, such as when the codebase will be accessible or when the next public contest is scheduled to start. Remember, our helpdesk typically resolves requests within 24-48 hours on business days. \n\nFinally, please note that points for the 60-day leaderboard are counted from the day of the contest announcement, and may expire 60 days after the contest has ended. \n\nWhile the deadlines and timelines can vary, we will do our best to communicate them clearly and provide any necessary assistance along the way.", "Question:\nHow are the severity of issues assessed and what guidelines should Wardens follow in determining the risk level of reported issues at CodeArena?\n\nAnswer:\nWardens at CodeArena are advised to follow the guidelines detailed on our website for assessing the severity of issues. The guidelines provide explicit criteria for estimating risk and defining the difference between low, medium, and high severity issues (https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk). \n\nIn case of uncertainty regarding the severity of a reported issue, Wardens are encouraged to review these guidelines and make a case for the chosen severity using evidence. They can also refer to past cases for examples of comparable issues and how they were rated (https://docs.code4rena.com/awarding/judging-criteria/severity-categorization). \n\nIf the same vulnerability is reported by multiple Wardens with different severities, during the deduplication process the issue will be given the same severity for award calculation. 
This is determined by the judges during the judging process that follows.\n\nIt's important to note that judges have the discretion to mark an issue to have a higher or lower risk than the proposed risk by Wardens if they deem it necessary. This can even include escalation of a low severity issue identified in an automated finding to a high severity one, if evidence supports this. \n\nWardens are encouraged to familiarize themselves with the submission policy and judging criteria prior to participating in any contest, as outlined in our documentation (https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). \n\nFinally, Wardens can see the judging results before they are made public. If there are any concerns or issues with a report, they can seek clarification or raise these concerns to the judge for reconsideration.", "Question: Why are front-running approvals not considered a serious exploit in CodeArena's smart contract audits?\n\nAnswer: In the context of CodeArena, front-running approvals are not usually considered as serious exploits due to the complexity and context-dependent nature of such a potential exploit. However, it doesn't mean that all such issues are outright dismissed. The seriousness of a potential exploit is evaluated based on several factors. This includes the context in which the contract operates, the potential damage that could be done, and the feasibility of the exploit. One important factor is that the issue needs to be proven with a clear exploit path or a logical explanation. 
For example, if a finding is based on automated tools, there is a higher burden of proof to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory [https://github.com/code-423n4/org/discussions/50].\n\nWhile it is true that automated bots are used in CodeArena to identify issues and propose fixes, there are concerns that the fixes proposed by bots might introduce more damaging exploits. Therefore, it's crucial to demonstrate a relevant high or medium severity exploit path for the issue to be considered valid. \n\nIn fact, known issues or findings by automated tools can be used to build a more complex exploit that can be considered a valid submission for the contest. However, if a contest's bot report ranks an issue as low but a participant escalates it to high, the issue is not automatically invalid. The participant needs to provide strong evidence through a clear exploit path [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues].\n\nIt's also important to note that an issue might be ignored or not prioritized if it is either extremely small impact or if there isn't enough detail or proof. It's therefore recommended to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid. \n\nRemember, trust in the sponsors is vital, and while potential conflict of interest scenarios, such as sponsors hiding bugs, have been mentioned, a potential solution to avoid dishonest practices is revealing the findings to the project only when the contest is over. However, there's a fairness concern that if sponsors have early access to the vulnerability submissions, they might exploit the information. \n\nLastly, it's worth noting that there are restrictions on discussing bugs and exploits after submissions for a contest are closed and before contest results are out. 
\n\nIn conclusion, while front-running approvals might not be viewed as a serious exploit in CodeArena, it doesn't mean it's completely dismissed. The issue needs to have a significant impact, be feasible, and be clearly demonstrated to be considered a serious exploit.", "Q: I'm concerned that there seems to be a lack of exploration for potential exploits involving a batch with several actions, and that no issues have been found in the vault caching system in the Ladle. What is your process for finding vulnerabilities in these areas, and what should I know about reporting them?\n\nA: At CodeArena, we use a rigorous process to identify vulnerabilities, including those involving a batch with several actions and possible issues in the vault caching system in the Ladle. Each bug, irrespective of the line of code it occurs in, is treated as a separate finding and should be reported individually. However, if a single line of code has multiple ways of exploitation, priority should be given to the biggest impacting one.\n\nWhen submitting an issue, it's beneficial to include a Proof of Concept (POC) and a case made for how the item can be exploited. This is to ensure a higher burden of proof and avoid the occurrence marked as invalid. Details can be found here: https://github.com/code-423n4/org/discussions/50.\n\nIf you find a vulnerability that's actually a mistake on the warden's part or a bug introduced through mitigation efforts, there will be no penalty. On the contrary, known issues can be used to develop more complex exploits, which we encourage for effective auditing.\n\nWe understand concerns about the lack of feedback on bug submissions or the validity of Gas Optimization reports and are continuously working to improve our processes. 
Please note that not all bugs/gas optimizations stated in publicly known issues may be valid for other files within the same repo, and each case is handled individually.\n\nFinally, if no issues are found in a contest, the sponsor reward pot will be handled according to our contest rules. Our process consistently finds more bugs faster than other methods, as highlighted by Quantstamp's Sebastian Banescu in this talk: https://www.youtube.com/watch?v=O1rKwDv5kLQ.\n\nWe appreciate your vigilance and encourage you to continue identifying and reporting potential vulnerabilities.", "Question: What is the process to register a handle and submit findings for a contest at CodeArena?\n\nAnswer: Registering a handle is mandatory to make any submissions at CodeArena. Participants have the option to make submissions either as an individual or on behalf of their team. They can select either their solo handle or team handle when submitting a finding. Submissions are done through GitHub and require approval which usually follows a warden's individual registration. You can review and make a pull request for your handle at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles to participate in contests. \n\nValid links to code fields are needed for submissions and to receive your share of the rewards, you need to register your handle and ETH address. A field for the Polygon address is also available when you submit findings. Once your submission is successful, you should receive an email confirmation. Each contest has a submission form on the CodeArena website. \n\nWhile you can make a submission without being certified, certification is required to receive any rewards. There is a new submission mechanism that is being planned for future contests. Finally, it's currently advised not to change your handle as it may cause issues with past or ongoing contests. 
If you face any problems during the submission process, you can submit a helpdesk request.", "Question: I'm keen to participate in the audit contest but I have concerns. How flexible is the submission timeline and what happens if I encounter problems during my audit process?\n\nAnswer: CodeArena's audit contests do have a set duration, often 20 days, but understand that issues can arise. For example, in the Maia project audit, which had 12K Source Lines of Code (SLOC), the project timeline was extended to 5 weeks, demonstrating the flexibility we aim to provide. We do have a grace period on submissions, so if you've only just found the project, rest assured you can still participate.\n\nIf you encounter any issues during the auditing process, such as not being able to submit your findings before the deadline due to technical problems (like the power cut issue during MaiaDAO contest), or encountering a non-responsive \"Create Issue\" button, please reach out to us immediately. We're there to help resolve any problems and ensure your findings are properly submitted. \n\nThere are also scenarios where users have audited the wrong code or wish to appeal a decision on a finding. In these situations, it's essential to communicate the issue promptly so we can address it. For example, here is a finding from our past project, Ajna, which was classified as solo high risk and was handled accordingly: https://github.com/code-423n4/2023-05-ajna-findings/issues/329\n\nFinally, please remember that the time taken for project findings to get reviewed varies with each contest. We appreciate your patience during this process. \n\nEven with uncertainties and possible issues, we encourage you to participate in the audit contest. 
Your contribution will help improve the quality of smart contracts in the blockchain ecosystem.", "Question: How does the self-assessment of risk impact the judging process and potential rewards in CodeArena contests?\n\nAnswer: The self-assessment of risk is an important aspect of the submission process in CodeArena contests. It is taken into consideration by the judges when determining the severity of findings, and this can impact the award levels. There are guidelines to help participants estimate the risk of their findings, which can be found at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk. \n\nParticipants should strive to make the best and clearest case possible for the severity of their findings, using evidence and reviewing how similar issues were judged in the past. If a finding is submitted as high-risk but is judged as low risk, the participant will still be rewarded, and vice versa. However, a strategy of rating everything as high risk is discouraged, as a user's credibility is a consideration. \n\nWhen determining the severity of a finding, participants use their experience and balance the consequences and likelihood of the issue. High consequences generally involve sizable fund loss or severe consequences without pre-conditions, while medium consequences usually have less impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness. \n\nThere can be uncertainties about the severity of a reported issue. In such cases, participants are advised to review the judging criteria and make a case for the chosen severity using evidence. This approach is also suggested when a participant is unsure whether a finding should be rated as high or medium risk. \n\nParticipants can submit low-risk findings and have the ability to report additional findings. 
If a finding is initially submitted as low-risk but a participant later realizes that the severity is higher, they can upgrade the risk level of their findings if the contest is still open. \n\nThe final decision on the inclusion and severity of findings depends on the specific contest and the judge. If a participant believes a high-risk finding should be considered, they should make a clear case in their submission. \n\nWhile no specific penalties for misjudging the severity of a vulnerability were mentioned, participants are recommended to read https://github.com/code-423n4/org/discussions/34 for further insights on this topic.", "Question: How does CodeArena handle and respond to issues raised via GitHub links shared in the Discord chatroom?\n\nAnswer: CodeArena actively engages in addressing the concerns shared via GitHub links on the Discord chatroom. When a link is shared - be it for an issue, a pull request, or a suggested fix - the team at CodeArena thoroughly reviews it before taking the necessary action. \n\nFor instance, if the shared GitHub link involves a pull request such as https://github.com/code-423n4/code423n4.com/pull/62 or https://github.com/code-423n4/code423n4.com/pull/3592, it is checked and, if approved, the content is merged. Sometimes, the pull request might be for a team information update or to propose a fix for a submission issue. \n\nIf there's a reported issue like with the link https://github.com/code-423n4/2023-06-lybra-findings/issues/364#issuecomment-1689165295, it is reviewed for a possible creation of a coded proof of concept. Issues with access to certain links like https://github.com/code-423n4/2023-07-axelar-findings are also taken into consideration and resolved promptly.\n\nMoreover, users can submit a team request at https://github.com/code-423n4/code423n4.com/pull/28 to add their team. 
Participants can also review and make a pull request for their handle at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles to participate in contests. \n\nFor further information on issues, discussions, and leaderboard, you can explore the following links: https://github.com/code-423n4/org/discussions/50, https://github.com/code-423n4/code423n4.com/issues?q=leaderboard, and https://github.com/code-423n4/org/issues/105.", "Question: How does CodeArena schedule and manage its contests?\n\nAnswer: CodeArena runs typically week-long contests each week, with the possibility of running multiple contests simultaneously. The company, however, does allow for exceptions in their scheduling due to external events like conferences or customer needs. Contests can also last longer than a week, for example, a contest involving over 12k source lines of code can be extended to 4 weeks. \n\nThe number of contests can fluctify and there are times when there can be gaps in the schedule for live contests. This is because the scheduling is based on the timing and needs of our customers. For example, there can be two contests queued up for one week, and in the future, CodeArena has expressed a desire to handle up to 20 contests a week. \n\nContests are processed and finalized in a specific order, which represents the order of their progression. The results of these contests are usually announced a couple of weeks after the contest ends, with awards payouts typically made between 1-2 weeks after the announcement. If a contest is listed as 'awarding', it means the rewards are queued at the multisig and will likely be distributed within a week. \n\nNew contests, whether they are public or private, are announced on the RSVP channel and listed on our website. Additionally, the \"Past Contest Status Updates\" section provides a timeline of where contests are currently in the process. 
Yet, please note that there can be upcoming contests that might not have been updated on the specific channels yet.\n\nAll sponsors and contestants can inquire about the contest progress and schedule. It's also important to note that sponsors decide the scope for their contests and list it in their contest info. They are given access to the findings repo either after the contest is over or one week after with triaged and deduped issues. \n\nRemember that the findings from contests are posted in the section where Contests are posted, and the public report page is updated mid-contest. Therefore, it's always a good idea to keep an eye on these sections for the latest updates.", "Q: Where can I find information on upcoming and ongoing audit contests, reports, and how can I participate?\n\nA: Information about upcoming and ongoing audit contests can be found on the CodeArena website, code423n4.com, and in the #\u270brsvp channel on our Discord server. However, it is important to note that future audit events or contests are dependent on sponsors confirming details and dates. Therefore, there might be periods when no competitions are currently scheduled. Announcements about private contests are also made, but these might be confused with open public audits as different projects have different audits. \n\nIf you're interested in participating in these contests, raise a hand in the #\u270brsvp channel if planning to participate. To assist you, upon becoming a certified auditor, we have a tool located at https://github.com/HardlyCodeMan/audit_helper/ that can be of help. \n\nAs for the audit reports, old audit reports can be accessed at https://chainsecurity.com/audits/. If you want to get notified as soon as a new Audit Report is added, there is a suggestion to create an announcements channel named #audit-reports on our Discord server. 
For example, the report for Yaxis audit and Biconomy Hyphen 2.0 contest's audit results are currently in the works and are expected to be published in the coming weeks.\n\nFor anyone seeking to understand how to approach auditing of big projects, you can access a blog post at https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan. Additionally, the list of optimizations/L1 issues that are looked for in audits can be found here: https://github.com/Picodes/4naly3er/tree/main/src/issues.", "Question: What steps has CodeArena taken to facilitate communication and access to information for newcomers in the Discord chatroom?\n\nAnswer: CodeArena has implemented several measures to ensure that newcomers can easily find key information and participate in discussions in the Discord chatroom. There are dedicated channels such as #\ud83d\udce2announcements, where updates and contest results are posted, and #\u270brsvp, where users can find out about upcoming contests. A proposal has been made to create an announcements channel named #audit-reports where a new message will be posted whenever a report gets published on the CodeArena website. This is in response to users' interest in getting notified about new reports. \n\nIn addition, there has been interest in creating a notification system, like a Telegram bot, for announcing new contests. A new channel could be added to discuss website-related matters, but for now, users can submit pull requests with any ideas to the [GitHub](https://github.com/code-423n4/org/issues). Users are also encouraged to review and contribute to issues on that page if they have concerns about inconsistency, process, or lack of clarity in rules. \n\nOther suggestions from the community include splitting the 'Awarding' announcement into 'Awarding' and 'Paid' sections for clarity and integrating the website with Github to track specific timestamps. 
There's also a suggestion box established for users to share ideas on how to improve the website, leaderboard systems, contest processes, and Discord setup. \n\nFor learning about C4 auditing or starting a contest, newcomers can visit the #\ud83c\udfebeducation channel. They can also participate in upcoming contests, with the mantra \"just do it\" widely encouraged. For those who want a more structured approach, they can signal their team's involvement by responding in created threads or the RSVP. \n\nThere are, however, questions about whether to include markdown formatting in issue titles and how to make submissions, indicating a need for more detailed guidelines. For example, beginners who may face issues in understanding certain code instances are currently advised to make one report and reference the related issues in it. \n\nOverall, while there are robust measures in place to facilitate information access, ongoing improvements and community suggestions aim to further enhance the user experience.", "Question: How can I associate my Twitter handle, like @a_delamo (Alex Del Amo), with my CodeArena profile?\n\nAnswer: At CodeArena, you are able to link your Twitter account to your profile. This process can be done by submitting a help desk request with your CodeArena username and Twitter URL. Please note that this request can also be used to change your Twitter username on CodeArena, if needed. You can do this by visiting our help desk at https://code4rena.com/help. Once the request is approved, your Twitter handle will be visible on your CodeArena profile. If you need further assistance, feel free to direct message any of our staff members.", "Question: How can I associate my Twitter handle with my Code4rena profile and ensure that my Discord handle is updated?\n\nAnswer: At CodeArena, you can link your Twitter handle to your Code4rena profile by submitting a help desk request. 
To do this, navigate to https://code4rena.com/help and provide the necessary information, including your warden name and Twitter URL. \n\nIn the event that you update your Discord username, it's recommended to reflect this in your Code4rena account. Failing to do so might affect your warden role and award announcements. However, rest assured that it won't impact your ability to receive awards.\n\nIf you've encountered an error due to spaces in your Discord handle, consider including your Discord handle without spaces in the required field and state your actual handle (with spaces) in the description field. Alternatively, you can include your email in the help form as a workaround.\n\nShould you encounter any issues such as forgotten usernames, login problems, or difficulties in linking your Discord account with your Code4Arena account, feel free to seek help in the #auth-help channel or direct message someone from Code4rena.\n\nPlease note that changing your wallet and username on Discord might also need to be reflected in your C4 account. If unsure, it's always best to consult with our team, preferably via the Help Desk to ensure the developers review your queries.\n\nRemember, you can also update your avatar and add a Twitter link to your profile through the same help desk request. 
Your updated information can be found in a GitHub repository by searching for your handle.", "Question: What are the proposed changes to improve the accessibility of information for newcomers on the CodeArena Discord chatroom?\n\nAnswer: There are several suggestions being considered for improving information accessibility for newcomers on the CodeArena Discord chatroom:\n\n- One proposal is to pin key information in specific channels, so it's easier for newcomers to find the information they need.\n- There's a suggestion to transform posts in certain channels into \"announcement channels\", such as the #\ud83d\udce2announcements channel where updates are regularly posted.\n- Another idea is to create a new \"announcement channel\", named #audit-reports, where messages will be posted each time a new report is published on the CodeArena website (https://www.codearena.com).\n- There's an interest in creating a notification system like a Telegram bot for announcing new contests.\n- The #\u270brsvp channel is commonly used to notify users about upcoming contests and audit schedules. New public contests are confirmed and posted here. Users can also find out when a contest is open to the public or when the next bot qualifier is running.\n- Information on contest participation and audit learning can be found in the #\ud83c\udfebeducation channel. Moreover, the #\ud83d\udcbci-want-c4-to-audit-our-code is the designated channel for participants who wish to have their codes audited by CodeArena.\n- Automated findings for a contest can be found in the pinned messages of a contest's channel.\n- It's also suggested to flag common issues as non-critical or informational, which indicates a need for a list of such issues.\n- A new chat has been created to post questions leading up to a monthly call. \n- Apart from these, CodeArena has a newsletter for updates and each contest has its own channel where general questions can be asked. 
Sponsor team members are available for questions via Direct Message (DM). \n\nThese proposed changes are aimed at improving the experience of newcomers and making it easier for them to find relevant information. They are still under consideration and have not been fully implemented yet.", "Question: Who can I contact to inquire about the RealityCards code and other related queries on the Code4rena platform?\n\nAnswer: Yes, you can ask your questions about the RealityCards code on the platform, and Splidge is indeed the correct contact. However, each sponsor team, including RealityCards, has designated contacts that participants can direct message during a contest to ask questions. You can also direct message someone from the Code4rena team with any additional questions. If you have a question about the scope for a contest, it can be addressed to the respective sponsor. If you don't receive a response within a couple of days, you can open a help desk request at [https://code4rena.com/help](https://code4rena.com/help). Upcoming audit contests, including RealityCards and others, are listed on the website, [code423n4.com](https://code423n4.com). It's also possible to discuss potential issues with the sponsor while the contest is ongoing, and specific channels exist to ask general questions. Remember, personal contact and direct messaging have been encouraged for specific questions.", "Question: Can I direct message (DM) CodeArena staff to get assistance with account issues or specific questions?\n \nAnswer: Yes, you can direct message CodeArena staff for account-related issues, specific questions, or information about our services. In fact, the use of direct messages has been encouraged to ensure privacy and security. If your concern is about a specific contest or the Vader protocol, you can direct message the identified individuals or @strictly-scarce, respectively. You can also contact our sponsor teams during a contest for any questions. 
\n\nHowever, please know there might be a delay in receiving responses due to volume or non-business hours, as our help desk only operates during business hours and not on weekends. We also advise caution as there have been reports of potential scams through direct messages. \n\nFor immediate updates or inquiries regarding your profile picture, Twitter links, or your status, you can send a help desk request [include link] which we aim to fulfill in a timely manner. \n\nFor general questions about each contest, you can post them directly in the designated contest channel. Also, if your question is about something you're unsure about submitting, it's advisable to ask it on the forum post itself, as the chat is ephemeral. \n\nFinally, if you encounter an error or need guidance on fragile aspects of the system, you're encouraged to send us a help request, but please note that response times might be delayed during holidays. If you're looking for collaboration or investment opportunities, please DM the designated contact.", "Question: How can I access contest previews and stay updated about upcoming contests on CodeArena?\n\nAnswer: To gain access to contest previews, you first need to register as a warden by going to the #\ud83d\udc3ai-want-to-be-a-warden channel. Once you have the warden role, you can view the contest previews by clicking on #\ud83d\udd0dcontest-previews. However, please note that there might be upcoming contests which may not have been updated on specific channels yet.\n\nFor updates and announcements regarding new contests, check the #\u270brsvp channel. This channel will provide you with information about both private and public contests. Private contests have their RSVPs available in a channel that is only visible to certified wardens. If a contest is in the public RSVP channel, it means it's a public contest.\n\nEach contest has a dedicated channel where general questions can be asked. 
Sponsor team members are also available for questions via Direct Message (DM). If there are any gaps in the live contest schedule or if you want to view your submission replies for a contest, you can check the respective contest channels.\n\nCodeArena also uploads contest-related videos on their YouTube channel, so you can subscribe to it for more insights and information.\n\nOnce judging is complete, the contest results are announced in the #\ud83d\udce2announcements channel. Additionally, you can check the \"Past Contest Status Updates\" section to understand where contests are currently in the process.\n \nPlease note that there can be variations in the schedule for live contests and specific contest channels may be created for different protocols. Being an active member in the community can help you stay updated with such changes. For any contest-related queries or issues, you can consult the backstage channel or the post-judging stage of the concerned contest.", "Question: I'm a beginner in the field and I'm looking for resources to learn more about smart contract vulnerabilities, auditing, and flash loans. Any suggestions?\n\nAnswer: Sure! There are multiple resources online that can help you learn about smart contract vulnerabilities, auditing, and flash loans. Starting with the basics, CryptoZombies.io and CaptureTheEther.com are popular platforms to learn about smart contracts and Solidity. \n\nFor a more practical approach, you can dive into smart contract bug bounty hunting. A good start for this could be the warden's tools and resources provided on our platform: https://docs.code4rena.com/roles/wardens/tools-and-resources.\n\nRegarding flash loans, you may find this analysis of the FEG token flashloan exploit interesting: https://www.certik.com/resources/blog/w6AxRmf6l2ow4zL884gr8-feg-token-flashloan-exploit-analysis. 
To understand the difference between flash minting and flash loans, we recommend joining in-depth discussions on our Discord server.\n\nTo further your knowledge, you can check out this post by cmichel on how to become a smart contract auditor: https://cmichel.io/how-to-become-a-smart-contract-auditor/. For those interested in blockchain forensics analysis, there are online resources and courses available, particularly for hacks and incidents in smart contracts.\n\nLastly, for an understanding of solidity syntax and programming, you may want to explore the #\ud83c\udfebeducation channel on our server where users can learn more about auditing smart contracts. Do note that the amount of time it takes to learn the basics and start finding bugs in smart contracts can greatly depend on your prior experience and learning capabilities.\n\nWe also continuously add videos explaining the smart contracts to our playlist and our team is always available to answer any questions you may have. Good luck with your learning journey!", "Question: Can you provide a more detailed explanation of how the InvariantTransactionData.transactionId used in the 'prepare' function works? Does it serve as a counter to identity a specific cross-chain transfer for a user or does it represent an actual chain transaction hash?\n\nAnswer: The InvariantTransactionData.transactionId used in the 'prepare' function is not a counter but rather a unique identifier specifically designed for cross-chain transfers. This identifier does not represent the actual chain transaction hash. The router uses a subgraph to make sure the combination of 'transactionId-user-router' is always unique for each transaction. \n\nIn relation to finding a transaction hash when a user has given allowance to a contract, it's important to note that the transactionId does not provide this information. However, you can find the transaction hash using the user's and contract's addresses. 
\n\nIt's also worth mentioning that not all transactions in the blockchain mempool are hashed. This allows for examination of the data within the transaction, but also opens the possibility for front-running. An important element to consider when dealing with transactions involving tokens is the type of token used, as this can affect whether you would utilise functions like \"safeTransferFrom\" or not. \n\nFor example, fee-on-transfer tokens remove a small fee from every transfer, which means the receiver might receive less than the sent amount. This can be found in the token's code, which can be viewed on a platform like Etherscan. For instance, you can review the code for USDT token at https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95. \n\nPlease remember that these considerations are specific to Ethereum-based transactions and the usage of ERC-20 or ERC-777 tokens.", "Q: I am auditing a contract for CodeArena and the C4 PT repo does not have the code. Should I use the two .sol files linked in the README and how do I handle any issues with missing imports or discrepancies in the number of lines of code (LOC)?\n\nA: Yes, you should use the two .sol files linked in the README as these are the contracts in scope. This approach was adopted to make it easier for auditors to find the tests and see them in their context, even when they originate from different repositories. \n\nConcerning missing imports on .sol files, you may need to manually include the contracts from the OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate) on Remix, or clone the entire repository and install the dependencies with forge. \n\nIf the LOC on the README.md does not match the actual lines in the contract files, note this discrepancy as it may be worth mentioning in your final report. You can also consult additional resources provided in the Discord chat for clarification. 
\n\nPlease note that certain files, like \"FloatCapital_v0.sol\", \"Treasury_v0.sol\" and \"oracles/\" are not part of the scope for the bounty program. For instance, in the PoolTogether audit, only the contracts linked in the README of the mentioned repo are in scope.\n\nFor insights on how to reference code in your report, you may either provide a URL to the repository with a line inner in the text or a solidity code block. However, adding a link to a sponsor's Github repo code in a findings report does not automatically pull in the code snippet.\n\nLastly, remember that the Proof of Concepts (PoCs) in the CodeArena context do not necessarily need to be executable. If you need to run tests, you can use an existing test environment, write new test cases, or refer to the sponsor's GitHub for a potential test setup.", "Question: What happens if the same vulnerability is reported by multiple participants in CodeArena?\n\nAnswer: If the same vulnerability is reported by multiple wardens (participants), each participant is given an equal share of the award for that vulnerability. This is because CodeArena employs a deduplication process and later determines the severity of the vulnerability. \n\nThis rule applies even if the participants report the same vulnerability but with different severities, or if two or more participants are part of a team and submit the same finding from different wallets. The award for that vulnerability is split among the participants who reported it, reducing its overall value per participant. \n\nIt's important to note that if the same vulnerability is found in different components of the codebase, it might be considered as separate findings, although it remains the judge's discretion to determine if they are duplicates. Similarly, if a single line of code has multiple ways of exploitation, it can be reported as a single bug or multiple ones, with the highest priority given to the biggest impacting one. 
\n\nIn the unique case where two separate vulnerabilities can be used together to create a stronger exploit, participants can submit a third finding with a proof of concept. This is a part of a broader possibility to report a variety of findings based on different combinations of issues to create distinct attacks.\n\nFor more information, please refer to: [https://github.com/code-423n4/org/issues/8](https://github.com/code-423n4/org/issues/8)", "Question: Can wardens participate in audits as teams at CodeArena (C4)?\n\nAnswer: Yes, wardens can participate in audits as teams at CodeArena. Teams of wardens are treated the same as individual wardens. As a warden, you can join the contest either individually or as part of a group. If you want to participate as a team, you'll need to register your team first. The process for registering a team can be found at [https://docs.code4rena.com/roles/wardens#registering-a-team](https://docs.code4rena.com/roles/wardens#registering-a-team). Once you've found your team, you can create one at [code4rena.com/register-team](code4rena.com/register-team).\n\nFor new wardens who are looking to team up and collaborate, they can visit the #\u26bdteam-formation channel. This provides a great opportunity for wardens with varying skillsets to collaborate, for instance, a technical writer beginning as an auditor can team up with a warden whose technical skills are more advanced than their ability to communicate in English.\n\nIf a warden receives rewards both individually and as part of a team, the team and the individual will appear separately on the leaderboard, which can be found at [https://code423n4.com/leaderboard/](https://code423n4.com/leaderboard/). High-ranked teams are also eligible to compete in invitation audits that prioritize the highest-ranked wardens.\n\nWhen a team submits a finding, one payment will be issued and the team will have discretion over how that money is paid to its members. 
More details about this can be found at [https://docs.code4rena.com/roles/wardens](https://docs.code4rena.com/roles/wardens).\n\nTo access the team-formation channel or participate in contests, wardens must register first. Some contests, such as the PolynomialFi and Ambire Contest, require wardens to be certified. Certified wardens also have the advantage of participating in private contests and access to a private channel for collaboration. Please remember, if the same vulnerability is reported by multiple wardens, the reward for that vulnerability will be divided among them.", "Question: How can new wardens team up, collaborate, and participate in contests at CodeArena?\n\nAnswer: New wardens who are interested in teaming up and collaborating can join the #\u26bdteam-formation channel on our Discord server. To access this channel, you must first register as a warden by joining the #\ud83d\udc3ai-want-to-be-a-warden channel. After registration, you can participate in our code contests as part of a group or team. For more details on how to register a team, please visit https://docs.code4rena.com/roles/wardens#registering-a-team.\n\nThere are also opportunities for new wardens to team up based on their individual strengths, such as technical writing or auditing skills. Once you find a team, you can register it at code4rena.com/register-team. \n\nIn addition to the team-formation channel, we have a private channel for certified+ wardens which is a workspace for various processes they assist with. Certified wardens will also have access to private repositories on GitHub. To become a certified warden, you can apply once the process is introduced.\n\nFor any contest-related information, wardens can check the #\u270brsvp channel. Remember, to access contest channels, you need the warden role. 
If you're interested in viewing the leaderboard, you can visit https://code423n4.com/leaderboard/.\n\nPlease note that your emails and GitHub usernames will not be listed anywhere publicly by CodeArena. You have the option to make your membership on private teams public or not.", "Question: How is the risk level (low, medium, high) of a finding determined in CodeArena, and what are the implications of these risk levels?\n\nAnswer: The risk level of a finding in CodeArena is determined by an independent judge with deep knowledge in solidity. The judge classifies the finding based on the severity of the potential loss caused by the issue, as well as by considering factors such as the required preconditions for an issue to pose a risk. High-risk findings typically involve a significant potential for fund loss and do not require specific preconditions. Medium risks, on the other hand, usually have a lesser impact and have specific preconditions such as high attack difficulty, specific market conditions, or user unawareness. Low-risk findings, also referred to as Quality Assurance (QA) findings, often involve minor potential losses, such as those due to rounding errors.\n\nThe risk level of a finding can impact the reward that a submitter can receive, with high and medium risk findings often yielding larger rewards. The reward can be calculated using the formula provided in this link: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. Furthermore, each unique High or Medium finding chosen for inclusion in the audit report receives a 30% share bonus.\n\nIt's important to note that findings submitted at one risk level may be reclassified by the judges. For instance, a finding submitted as a medium risk could be upgraded to a high risk if the judges deem it appropriate, unless there is a reason to penalize it, such as lack of detail or accuracy in the finding. \n\nParticipants can submit multiple findings. 
For low-risk findings, one issue and send all is sufficient; for medium and high risks, one issue for each finding is required. Submitters should make the best and clearest case possible when submitting their findings, and review the guidelines and how similar issues were judged in the past for guidance. More details can be found at this link: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr.", "Question: Is it beneficial for beginner solidity developers to participate in CodeArena's smart contract auditing competitions?\n\nAnswer: Absolutely, it is highly beneficial for beginners in solidity development to participate. CodeArena's competitions not only provide you with a platform to sharpen your solidity skills but also expose you to various smart contract design patterns and security practices. \n\nAs a participant, you can make submissions of gas optimizations, and learn to format your solidity code better. You might find some challenges in catching vulnerabilities during Capture the Flag competitions but improving your solidity fundamentals and gaining more developer experience through these contests will definitely aid in overcoming such difficulties. \n\nFor those who have just started with smart contract auditing, resources like https://cryptozombies.io/ for learning solidity and https://capturetheether.com/ for Capture the Flag challenges can be useful. Advanced resources such as The Ethernaut challenges and Damn Vulnerable DeFi (https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/) are also recommended for understanding advanced solidity and DeFi industry standards. \n\nDon't hesitate to ask questions or seek help on the platform. You can even reach out to the sponsor team during the contest if you have found something and want to clarify or discuss. Remember, participation in these contests is a learning experience that can help improve your skills and possibly earn rewards. 
\n\nIn the future, CodeArena may also expand to include contests involving other chains like Solana, and other programming languages like Rust, expanding your learning horizon. So definitely, it's a good idea to participate in these competitions. Just go for it!", "Question: I am new to smart contract bug bounty hunting. What resources can I use to get started and how can I report vulnerabilities that I find?\n\nAnswer: Starting with smart contract auditing and bug bounty hunting requires a solid understanding of the basics. It's recommended to start learning Solidity through resources like [CryptoZombies](https://cryptozombies.io/), which is designed specifically for beginners, and further your skills with Capture the Flag (CTF) challenges on [CaptureTheEther](https://capturetheether.com/). \n\nTo understand the auditing process better and learn about the tools used for smart contract auditing, you can refer to resources such as [How to become a smart contract auditor](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and [Code4rena's guide on tools and resources](https://docs.code4rena.com/roles/wardens/tools-and-resources). More advanced tutorials and content can be found at [Smart Contract Programmer's YouTube channel](https://www.youtube.com/@smartcontractprogrammer).\n\nWhen you feel ready for some hands-on experience, platforms like [Immunefi](https://immunefi.com/) and [Hats.Finance](https://hats.finance/) offer bug bounties, while [Spearbit](https://spearbit.com/) provides freelancing opportunities. \n\nOnce you've identified vulnerabilities, it's important to know how to report them. CodeArena expects specialized reports, where QA findings, gas findings, and medium to high severity findings are submitted separately. 
For more detailed guidelines on how to report bugs and optimizations, you can refer to our [Submission Policy](https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md).\n\nRemember, the time it takes to learn the basics and start finding bugs greatly depends on your prior experience and learning capabilities. It's a challenging field, but with persistence, you will see progress. Happy hunting!", "Q: How can I participate in a Code4rena competition, and what resources can help me improve my smart contract auditing skills?\n\nA: To participate in a Code4rena competition, you need to sign up as a warden on our website and then access the contest page at https://code4rena.com/contests. Here you will find open competitions and relevant details for each contest. Some contests are private and have specific prerequisites or metrics for participation, while others may allow participation without certification. For contests that require certification, having a Certified Plus status gives you added benefits, such as access to private repositories after the contest ends.\n\nIf you're a beginner in smart contract auditing, we recommend starting with learning Solidity. You can use resources like https://cryptozombies.io/ to improve your skills. Participating in our contests, such as the Bot Races or the Steakhouse contest, is also an effective way to enhance your auditing abilities.\n\nDuring a competition, you can reach out directly to the respective sponsor if you have specific queries about the scope of that contest. You can even disclose a vulnerability directly to them, though you need to submit it via the competition submission form for it to be eligible for awards.\n\nWe also encourage you to read posts related to the contests for detailed information, check out the #\u270brsvp channel for contest details, view other participants' findings after a contest, and learn from the contest reports that are published. 
For more information on judging and payout timelines after a contest ends, you can visit https://docs.code4rena.com/structure/our-process.\n\nRemember that even if you're a beginner, your participation is valuable. There are even participation rewards for some contests, such as the formal verification contest. Just remember to \"just do it\" and start participating!", "Question: What does it take to learn the basics of smart contract auditing, and how can one start finding bugs in smart contracts?\n\nAnswer: Becoming competent in smart contract auditing requires an understanding of development, security, and Solidity. The time it takes to learn the basics and start finding bugs in smart contracts can vary greatly depending on an individual's prior experience and learning capabilities. \n\nIf you're a beginner in this field, several resources can aid in your learning journey. These include online courses like CryptoZombies.io for learning Solidity and platforms such as CaptureTheEther.com for engaging in Capture the Flag challenges. You can also check out the guides on how to become a smart contract auditor on cmichel.io and the tools and resources available on docs.code4rena.com. \n\nIt's also crucial to familiarize yourself with the tools used to find vulnerabilities and bugs in smart contracts. For instance, Slither is a popular static analysis tool for smart contracts that you might find useful. \n\nUnderstanding the concepts related to smart contracts can be challenging, especially when interpreting complex reports. It's suggested that developer experiences or understanding Solidity's fundamentals can help in catching vulnerabilities during challenges like CTFs. \n\nIn terms of practical experience, Code4Arena runs contests for analyzing smart contracts. Other platforms like Immunefi.com, Spearbit.com, and Hats.finance also offer opportunities to get rewarded for auditing smart contracts. 
Just remember, some platforms like Sherlock require a high level of competence in the field. \n\nLastly, staying updated with current discussions in the smart contract auditing community could be beneficial. For instance, there are ongoing discussions about the use of fuzzing tools in auditing smart contracts, the two-step process for making critical changes in smart contracts, and the importance of understanding Solidity syntax and programming.\n\nRemember that learning is a continuous process and everyone learns at their own pace. Finding your way through can be challenging, but with patience and perseverance, you'll get there.", "Question: What contracts are in and out of scope for CodeArena's audit bounty program, and how are the bounty payouts determined?\n\nAnswer: In CodeArena's audit bounty program, the scope differs between various contests. For instance, contracts like \"FloatCapital_v0.sol\", \"Treasury_v0.sol\" and \"oracles/\" are not in scope for the bounty program. However, any other contracts in the Vader repository at https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol/contracts, Visor.sol for Visor finance, and the two contracts for the PoolTogether audit are classified as in scope for testing. \n\nTo clarify, being in scope means that if you find a bug in these contracts, you are eligible for a share of the bounty. If a bug is found in a contract that's in scope, but it impacts another contract that's out of scope, the impact might count, but this decision is generally up to the judge. \n\nBounty payouts are divided among all auditors who report the same bug. However, common findings are usually out of scope as they are picked up by the C4udit tool. If you find a vulnerability in an out-of-scope contract, it can be reported and a judge may decide to bring it in scope, but typically it will be included in the C4 report as an unrewarded finding, or you can directly message the project. 
\n\nThe severity of a bug is determined by the judges and plays a significant role in determining the bounty amount. The detailed prize amounts for different severities can be found in the contest readme linked in each contest. \n\nYou can find more information about the procedures for disclosing issues and grading reports related to smart contracts on https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md. Please remember that all relevant information for each audit can be found at the respective Github repository link, for example the FloatCapital contest information can be found at https://github.com/code-423n4/2021-08-floatcapital. \n\nPlease make sure to thoroughly understand the scope of each contest to ensure your time and effort are well spent.", "Question: What does target side and origin side mean in the context of market positions? How does this relate to the concept of input and output in Uniswap methods?\n\nAnswer: In trading terms, the origin side refers to the initial side of a market position (e.g., long), and the target side refers to the desired move-to side (e.g., short). This concept is directly related to the idea of shifting between long and short positions within a market.\n\nIn the context of Uniswap methods such as tokenToEthSwapInput, tokenToEthSwapOutput, ethToTokenSwapOutput, and ethToTokenSwapInput, the terms 'input' and 'output' come into play. Here, 'input' refers to tokens being transferred into a contract, and 'output' refers to tokens being received from a contract. This mechanism aligns with the idea of moving from an origin side to a target side in market positions.\n\nFor instance, in a method like tokenToEthSwapInput (origin to target), you are providing tokens (input on the origin side) to receive ETH (output on the target side). It's a way of shifting your position from holding a certain token to holding ETH. 
\n\nFor a more detailed understanding, you can refer to the Uniswap documentation at [https://docs.uniswap.org/protocol/V1/reference/exchange](https://docs.uniswap.org/protocol/V1/reference/exchange). It's also worth noting that the precise implementation can vary based on the specificities of the smart contracts and the tokens involved, as seen in the 'bins' concept in Trader Joe contracts ([https://docs.traderjoexyz.com/concepts/concentrated-liquidity](https://docs.traderjoexyz.com/concepts/concentrated-liquidity)) and the decision to use methods like \"safeTransferFrom\".\n\nIt's important to understand these concepts when considering potential front-running possibilities and evaluating the impact of such vulnerabilities on smart contracts. The understanding of these terms can also help in exploring arbitrage opportunities across multiple tokens and calculating the optimal amount of tokens to buy for maximum profit.", "Q: How to start in blockchain bug bounty hunting or smart contract bug bounty hunting? What programming language, skills, resources, and tools are needed and how much time it might take to learn and start hunting?\n\nA: Starting in blockchain bug bounty hunting or smart contract bug bounty hunting requires a good understanding of the underlying system and code base, with Solidity being the recommended programming language to learn. \n\nBeginners can use resources like CryptoZombies.io (https://cryptozombies.io/) for learning Solidity, and CaptureTheEther.com (https://capturetheether.com/) for Capture the Flag challenges. These resources provide a good foundational understanding of smart contracts. Other resources include https://cmichel.io/how-to-become-a-smart-contract-auditor/ and Code4Arena's own tools and resources page (https://docs.code4rena.com/roles/wardens/tools-and-resources). \n\nIn terms of tools, it depends on what you are trying to achieve. 
For instance, tools for finding vulnerabilities and bugs may differ from those used for blockchain forensics analysis in the event of hacks or incidents. \n\nThe time it takes to learn the basics and start finding bugs in smart contracts greatly depends on an individual's prior experience and learning capabilities. It may also be influenced by whether you choose to focus solely on smart contract auditing or balance it with other areas of cybersecurity. If you're an undergraduate IT student, for instance, you may want to consider whether to focus primarily on smart contract auditing or continue with traditional hacking and web2 security, while doing smart contract auditing as a side project.\n\nCodeArena operates somewhat similarly to a bug bounty platform with defined prize pools and fees upfront. However, it's important to bear in mind that there can be competition, and the bounty for a given bug may be split if multiple users submit the same or similar bug. \n\nOne unique aspect of CodeArena's operations is the conduct of audit contests, which are somewhat similar to bug bounty programs but with a guaranteed pot that pays out within a time limit. \n\nKeep in mind, while learning, you may have questions or face challenges in understanding certain reports or concepts related to smart contracts. Feel free to seek help on the platform or refer to past submissions and reports for guidance (https://code423n4.com/reports). CodeArena encourages a culture of learning and collaboration. \n\nLastly, it's worthwhile to make note of the potential for anonymity in cybersecurity spaces and on the bounty leaderboard. 
As you progress, you may also want to consider gaining further certifications in smart contract security.", "Question: How does the bug discovery and reporting process work in Code4rena contests?\n\nAnswer: In Code4rena contests, the bug discovery process is competitive, with findings being kept confidential until the contest ends and the judging process is completed. However, there are detailed reports available for each contest after its conclusion, which provide information about the bugs discovered and can be used for learning purposes. You can find examples of past submissions and reports at https://code423n4.com/reports.\n\nParticipants are encouraged to report any bugs they find, regardless of whether they think others might have found the same bugs. It's not a \"first past the post\" system, so the reward would simply be shared among those who reported the same bug. If participants have code that runs a proof of concept for each bug, they are advised to either add a zip file to the submission or share a private Github repository.\n\nThe platform does not currently have a specific bug-payout list for each contest, but a detailed list of rewards for each warden for each bug per contest is available at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.\n\nWhen submitting bugs, users should make separate submissions for bugs of different types or severities, as this will ensure their findings are appropriately evaluated. The severity of bugs is judged based on criteria detailed at https://code4rena.com/judging-criteria/, and there is a suggestion that the platform may start adding severity ratings to the confirmation emails sent after issue submission.\n\nTo ensure fairness, there are ongoing discussions about how to handle automated findings and bugs introduced through mitigation efforts. 
No definitive conclusions have been reached yet, but participants are encouraged to report all bugs they find anyway.\n\nFinally, if you have any questions about severity evaluation and specific bugs, the Code4rena Discord chatroom is a good place to ask them. The community is always ready to help out!", "Question: Could you clarify if there are still unresolved bugs after an internal audit, how these are handled by wardens, and if they are shared after the competition closes?\n\nAnswer: Yes, at times, there might be bugs that have not been identified by any of the wardens during the internal audit. As per our recent audit, there were at least two prominent bugs that were yet to be found. These bugs are typically shared once the competition closes. It's important to note that the timing of bug reporting by wardens is crucial; for instance, not every bug raised by a warden within the first hour of a contest's start is considered. Post the audit contest, projects may invite top wardens back for a \"Mitigation review contest\" to review bug mitigations. \n\nIn case of any concerns or issues with a report, wardens may be asked to provide clarification. Moreover, there is a process in place in case the same vulnerability is reported by two or more wardens. It's possible for wardens to view reports from others who found the same issue, even after the contest has ended. However, visibility may be restricted if there is no table with results. \n\nIt\u2019s important to emphasize that participating in the audit, even if no bugs are found, is considered a valuable learning experience by many users. Wardens who have encountered at least one high severity bug and have competed in at least three contests can be eligible for certification. Certified wardens are eligible to attend private audits, but certain conditions may apply. Also, all bug reports must be submitted before the closing of the audit. 
\n\nLastly, we would like to mention that we are currently working on tax reporting for wardens, which is an ongoing process. For additional details or any further queries, feel free to contact us through our Discord chatroom.", "Q: Can you provide a comprehensive understanding of the timeline and process for CodeArena's audit contests?\n\nA: CodeArena's audit contests typically follow a structured timeline and process. Initially, the audit contest is opened to teams and individuals, who then have a stipulated period (often about 30 days) to audit the smart contracts and submit their findings. The duration of the contest can vary depending on the complexity of the contract, with some audits lasting up to three weeks and others even extended to four weeks for larger projects.\n\nAfter the audit contest ends, there follows a submission review period, during which participants are allowed to revise their findings. The length of this review period can vary with each contest. The time taken for project findings to get reviewed also varies with each contest, but it generally takes about 8 weeks for judges to review the findings and create the leaderboard.\n\nOnce the judging phase is completed, the audit reports are published. This process, from contest finish to report publication, can take between 2 weeks to over 6 weeks, depending on the contest and the complexity of the findings. \n\nAdditionally, after a contest is closed, there is a specific (but usually unspecified) period of time before the findings repo becomes publicly available for discussion. \n\nIt's also worth noting that CodeArena has numerous audit contests scheduled, with details about each contest available on their website, [code423n4.com](http://code423n4.com). 
Current ongoing contests can also be found on their respective platforms, and further information can be sought from the CodeArena team.\n\nFinally, there are sometimes delays in the distribution of awards for the contests, as awards need to be calculated following the judging process and this can take time. CodeArena is also in the process of making changes to their award calculation process. \n\nFor those interested in running an audit contest, they can reach out to the CodeArena team for further details and pricing.", "Question: How can I ensure the security of my smart contracts and prevent future attacks on my wallet?\n\nAnswer: CodeArena provides a platform for auditing smart contracts to prevent security breaches. This involves identifying vulnerabilities before they can be exploited, which is crucial in preventing attacks on your wallet. We have resources and tools to help users learn about smart contract security and web2 security in the context of web3 security. We also host office hours where you can ask questions and receive guidance on more fragile aspects of the system. \n\nOne common concern is the leaking of private keys, often due to them being accidentally uploaded on public repositories like Github. It is recommended to always keep your private keys confidential and thoroughly verify any transactions made on your wallet to identify potential unauthorized activities. \n\nCertified users can also access projects like the Polynomial project, by viewing the repo and submitting findings. This allows for further learning and application of your security skills. \n\nTo participate in private audits and contests, users can sign up to be a warden using Github. Remember, proof of competency in this space can be demonstrated through your Github profile. \n\nAdditionally, some users have found the use of fuzzing tools like Echidna helpful for auditing in contests. 
\n\nLastly, a discussion on VPN recommendations also suggests the use of VPNs for added security. \n\nHowever, despite all these measures, security assurance is not absolute. It is essential to consistently keep learning about new security measures and staying vigilant about your smart contracts and wallet security.\n\nNote: Trust between wardens and sponsors is important. There has been a concern raised about the potential misuse of disclosed vulnerabilities. It is important to ensure that any disclosed vulnerabilities are responsibly used to improve the system's security, not to exploit it.", "Question: What changes have been made to the CodeArena Discord server, and how do these changes affect user accounts and contest participation?\n\nAnswer: Yes, several adjustments have been made to improve the CodeArena Discord server. Each contest now has its own channel for questions and code walkthroughs. Participants can reach out for help if they are having issues connecting their Discord account with their CodeArena account. \n\nRegarding account changes, users can update their Discord usernames on the Code4rena account. However, when making such changes, it's recommended to submit queries via the Help Desk for the development team's review. If a participant changes their Discord username, they may need to update it in the CodeArena as well. It should be noted that some users have encountered discrepancies between their site usernames and Discord nicknames. \n\nAdditionally, changes in Discord usernames can affect C4 authentication, specifically the warden role. In such cases, users are instructed to update their new Discord handle in their profile on the site. 
More information on these changes can be found on Discord [here](https://discord.com/channels/810916927919620096/1111666431050919996) and [here](https://discord.com/channels/810916927919620096/810931711609143326/1119321495987032144).\n\nWe have also set up a suggestion box for users to share ideas on improvements for the website, leaderboard systems, contest procedures, and Discord setup. These changes aim to enhance the user experience and foster a more engaging and productive community. \n\nFor updates, users can refer to the #\ud83d\udce2announcements channel on the Discord and the C4 newsletter. Specific updates can also be found at the following Discord links: [Update 1](https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490), [Update 2](https://discord.com/channels/810916927919620096/810931711609143326/1082437741586960485), and [Update 3](https://discord.com/channels/810916927919620096/810936719003090974/958455244759650344).\n\nPlease note that our team is continually working to provide the best possible experience, so more updates and improvements may be expected in the future.", "Q: How does CodeArena's process work in comparison with traditional bug bounty platforms? Can you elaborate on the nature of operations, contest announcements, reward distribution, submission of reports, and handling of discovered vulnerabilities?\n\nA: CodeArena does have some similarities with traditional bug bounty platforms, but our model differs in significant ways. We do not have an upfront defined prize pool or fees like most bug bounty platforms. Instead, we conduct audit contests where the rewards and incentives system can be found at https://docs.code4rena.com.\n\nContests are announced in advance and teams are incentivized in the process. Teams work together to audit code and submit reports. The reward for finding an issue is reduced semi-geometrically based on the number of people who find it. 
Within a team, the reward is split evenly among members.\n\nThe vulnerabilities discovered during our contests are kept confidential until the conclusion of the contest and completion of the judging process. In case two or more people submit the same or similar bug, the bounty is shared among them, reducing the overall value of the bug semi-geometrically based on how many people found it.\n\nWe also have a help ticket system at code4rena.com/help where users can report issues that need to be looked into by contest administrators. We encourage participants to reach out to the sponsor team during the contest if they have questions or think they've found something. However, they need to submit the vulnerability via the contest submission form to be eligible for awards. \n\nOur process consistently finds more bugs faster than other methods. As highlighted by Quantstamp's Sebastian Banescu, \"More auditors, more findings\" is our mantra. \n\nIf a platform uses CodeArena to audit their code and no critical or minor vulnerabilities are found, the cost is not pre-determined and is handled on a case by case basis. \n\nWe aim for transparency and effectiveness in our operations. Our operations, as well as the criteria for different bug severity levels, can be found at https://code4rena.com/judging-criteria/. If you're interested in how we've performed in past contests, you can check out our report here: https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues. \n\nIn summary, CodeArena provides a unique approach to auditing smart contracts that combines elements of bug bounty programs with our distinct processes and models.", "Question: In the gro protocol report, should it underflow to uint256_MAX or uint256_MAX - 1?\n\nAnswer: The question of underflow to uint256_MAX or uint256_MAX - 1 largely depends on the context of your code and what you're trying to achieve in your smart contract. 
However, it's important to note that as of version 0.8.0, Solidity has implemented an overflow/underflow check at the language level. Hence, underflows or overflows would throw an exception and revert the transaction. For gas optimization in smart contracts, consider not initializing default variables to 0, and using the 'unchecked' command in loops to further optimize for gas. Such techniques can result in significant gas savings, as observed in discussions about solidity loop constructs. \n\nPlease note that not all gas optimizations are valid when the optimizer is enabled. For instance, there's a significant gas saving difference between using 'for (uint256 i = 0; i < 1000; i++)' and 'for (uint256 i = 0; i < 1000; ++i)'. The latter can reduce gas costs significantly. It's also worth mentioning that known issues should be excluded from gas reports, and all findings related to gas optimization should be put under one report. For more information refer to the official documentations [here](https://docs.soliditylang.org/en/latest/080-breaking-changes.html) and [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic), and a recent CodeArena gas optimization report [here](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations).", "Question: How can I determine if a smart contract, such as this one on Etherescan (https://etherscan.io/address/0xc49a9ab342b6ea66792d4110e9ca0ab36e3a5674#code), is susceptible to a reentrancy attack?\n\nAnswer: Determining whether a smart contract is susceptible to a reentrancy attack involves a close examination of the contract's code. A reentrancy attack can occur when a function that changes the state of the contract is called recursively before the first function call is finished. This is a common issue in both web2 and web3 sectors. \n\nComprehensive audits, such as those conducted by CodeArena, can help identify potential reentrancy risks. 
An example of a potential reentrancy risk that was marked as low can be found in this CodeArena report (https://code4rena.com/reports/2022-12-caviar#l-01-missing-reentrancy-guard-to-withdraw-function). The report suggests even if a reentrancy risk is identified, it doesn't necessarily mean there is a vulnerability. \n\nIn addition to audits, there are tools and services that can help analyze a contract's code. For instance, you can convert a contract address into a separate solidity file on Etherscan by changing .io to .deth.net (https://etherscan.deth.net/address/0x27f461c698844ff51b33ecffa5dc2bd9721060b1/advanced#code). \n\nFurthermore, the possibility of demonstrating the actual re-entrancy attack in a public testnet has been discussed in various forums. This kind of practical demonstration could be a powerful way to understand how such attacks occur and how to prevent them.\n\nLastly, it's important to note that not all potential security issues, such as a \"missing 0 address check\" (https://github.com/code-423n4/2021-10-badgerdao-findings/issues/5), are universally agreed upon as valid findings. This highlights the complexity of smart contract security and the importance of thorough, expert analysis.", "Question: What is the process and timeline for rewards distribution after a CodeArena contest, and where can I find more information?\n\nAnswer: The process for rewards distribution after a CodeArena contest involves several steps. Firstly, after the contest ends, findings or reports are reviewed and triaged immediately by judges. Following this, they await sponsor review, final judging, and Quality Assurance. \n\nThe timeline for publishing contest results and distributing the rewards primarily depends on how long the judging takes. Once the judging is final and rewards are announced, the outcome cannot be changed. However, any overlooked issues can be flagged to the judge and sponsor for consideration. 
\n\nIn some instances, rewards distribution may be pending even after the contest has finished. This could be due to several reasons, including pending judge reviews or adjustments in the award calculation process. It's also important to note that judges for the contest are chosen based on experience and reputation, and they also receive a share from the prize pool as an incentive.\n\nOnce the contest rewards have been calculated and announced, participants can verify their identity to receive the payouts. The final published report allows participants to see the results of their submissions. \n\nFor more detailed information on the process and timeline, please visit our documentation at https://docs.code4rena.com/structure/our-process. Please remember that this process is subject to change based on the complexity of the contest, the number of submissions received, and judge availability.", "Question: I attempted to submit a program but my handle is not yet added. I've initiated a new pull request on Github, but it's awaiting review. Can you assist me in this process?\n\nAnswer: Yes, we can help with that. In order to participate in contests or make a submission, you should have your handle reviewed and approved in a pull request at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles. If you want to add a Twitter handle to your profile, you can submit a help request for that too. Remember that submissions are typically processed through GitHub and require approval as part of a warden's individual registration. You can also make a request to change your Github user, and our team will process it. If you're part of a team, your team request can be submitted at https://github.com/code-423n4/code423n4.com/pull/28, which is the only step needed to add the team. If you still experience issues with your submission, you can submit a help desk request at https://code4rena.com/help. 
Keep in mind that the handle you add can be any handle, not just Github or Gab, and this handle is used for code423n4.com/leaderboard and for handling award processing.", "Question: Who should I contact if I have a question about code provided by Wild Credit or any other coding or security issues related to Code4rena?\n\nAnswer: If your question is about the code provided by Wild Credit or any other code-related queries, you should direct your questions to the designated contacts on the respective sponsor teams. You can direct message them on Discord. If your question is about the Certified Wardens process, you can ask directly to Code4rena. For any other queries, such as contest security issues, whitelisting of wallets, checking if you have submitted an address for rewards, or if you believe you're eligible for a backstage role, remember that you can always submit a Help Desk request at [https://code4rena.com/help](https://code4rena.com/help). Furthermore, if you have private inquiries or specific questions, you are encouraged to direct message someone from the Code4rena team. If your query involves a security issue related to one of the contests, make sure to submit a help request at [https://code4rena.com/help](https://code4rena.com/help). Please note, the help desk is also the appropriate place to submit a request to withdraw a wrongly submitted analysis.", "Q: I am having trouble compiling Wild Credit's contracts due to a \"stack too deep\" issue. Who do I contact for assistance, and are there any resources or steps I can follow to understand and resolve these compilation issues?\n\nA: If you're specifically looking to reach out to the Wild Credit's team regarding this issue, you can head over to our Discord server and tag @0xdev0 in the #deleted-channel or send them a direct message. \n\nHowever, if you want to understand and resolve the issue, we recommend a few steps. Based on our chat discussions, a common issue users face is missing imports on .sol files. 
To compile code, especially on Remix, try cloning the whole repository and installing the dependencies with forge. You can also manually include the contracts on remix from the OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate). \n\nFor a deeper understanding of smart contract compilation and the Solidity compiler, you may want to look into resources our users have found helpful. This includes looking at different staking contracts to understand varying implementations, or testing contracts downloaded from Github with tools like Mythril and Slither. \n\nIf you're new to smart contract auditing, our platform is a good place to seek help and learn. We also recommend books or certifications about smart contract security for more structured learning. \n\nDo note that some smart contract projects, especially those that involve complex formulas, may require professional mathematicians for audit. If you need further assistance or if your concern involves potential risks to funds on the mainnet, reach out to our staff via a help request.", "Question: I'm unable to access certain channels on CodeArena's Discord, what should I do?\n\nAnswer: In case you can't access specific channels, it generally means you need to register as a 'Warden'. To do so, fill out the form provided on our website. Once registered, you'll gain access to channels such as the contest channels, the team-formation channel, and the private channel exclusively for certified+ wardens. \n\nDo keep in mind that certain channels are dedicated to specific purposes. 
For example, the #\ud83d\udce2announcements channel is where general updates are posted, the #\ud83d\udcbci-want-c4-to-audit-our-code channel is for those who want CodeArena to audit their smart contracts, and the #\u270brsvp channel is to see upcoming public audits and indicate your intention to participate.\n\nFor profile related issues, please reach out in the #profile-help channel. If you're looking for general security discussions, you can use the channel for that too. For any clarification, the best option would be to reach out in the contest channel in Discord.\n\nLastly, if you're not seeing some contests in certain channels, do note that contests are sometimes moved from the upcoming contest section to the live contest section. Also, private contests have their RSVPs only visible to certified wardens. If you see a contest in the public RSVP channel, it signifies it's a public contest. Always make sure to check the #\u270brsvp channel for updates on when a contest is going to be open to the public.", "Question: How can I make sure my pull requests are approved and merged successfully at CodeArena (C4)?\n\nAnswer: To ensure your pull requests (PRs) get approved and merged successfully on CodeArena, follow these steps:\n\n1. Complete your individual warden registration. You should then have access to the repository. If you're part of a team, submit a team request at https://github.com/code-423n4/code423n4.com/pull/28. \n\n2. Review and make a PR for your handle at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles to participate in contests. For team PRs, it's important to know that they need to be accepted by someone from the team.\n\n3. If you spot any issues or have a possible fix, you can propose these at https://github.com/code-423n4/code423n4.com/pull/2338. Alternatively, if you want to propose changes to CodeArena's documentation, you can do so at https://github.com/code-423n4/docs. \n\n4. 
Be aware that checks don't fully run for external PRs on the CodeArena platform as evidenced by this specific case https://github.com/code-423n4/code423n4.com/pull/1584. \n\n5. If you're facing any issues like a 404 error when trying to access specific GitHub links, you can bring it up for review and resolution. For example, users reported an issue when trying to access https://github.com/code-423n4/2021-04-redacted, which was later resolved.\n\n6. Lastly, always keep track of the status of your PRs. Merged PRs can be viewed at https://github.com/heiho1/code423n4.com/pulls.\n\nIn case of any uncertainties or issues, you can always refer to the discussion threads or ask questions in the chatroom. Remember, CodeArena is a collaborative platform and any constructive input is highly appreciated.", "Q: I\u2019ve noticed that in some contest repos there is limited documentation, no test cases, and no deployment scripts. Given the repo contains many interrelated/dependent contracts I\u2019m finding it hard and time-consuming to set up the environment correctly. Can experienced folks just look at 10 complicated contracts and see how to deploy them easily? Or should I only be deploying a single contract at a time? Given all that is it reasonable to ask the sponsor for deployment scripts/test cases?\n\nA: Setting up the environment for contract audits, especially for contests with many interrelated contracts and limited documentation, can indeed be challenging and time-consuming. However, there are strategies you can use to make the process easier. \n\nOne common approach is to write new test cases in the existing test environment of the contract under audit, instead of setting up a full new environment. You can add these new test cases at the end of the existing setup that already deployed the contracts. This allows you to run code to confirm specific cases without having to deal with the complexity of deploying all the contracts independently. 
\n\nIf there's no test setup in the repo provided by CodeArena, it's worth checking the sponsor's GitHub for a potential test setup or consider extracting the code to test it in isolation. There are also resources for testing contracts downloaded from Github using tools like Mythril and Slither.\n\nRemember, it's always important to read the README.md file for each contest. It typically outlines what is in scope for auditing and what is not. For instance, whether you should audit only contracts or also script folders within the GitHub repo.\n\nAsking the sponsor for deployment scripts or test cases is not unheard of, but it depends on the specific circumstances of each contest. Remember, each contest has its own rules and explanation of what's in scope, usually provided in the README.md file, so be sure to review it thoroughly. If you're still unsure, consider asking in the CodeArena Discord chatroom.\n\nFinally, learning how to navigate through multiple contract files effectively comes with experience. Some users have shared their approach of starting with libraries and interfaces that have the least dependencies. And don't forget, the time it takes to learn the basics and start finding bugs in smart contracts greatly depends on your prior experience and learning capabilities. \n\nResources:\nhttps://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md\nhttps://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept\nhttps://github.com/ConsenSys/surya\nhttps://github.com/code-423n4/2022-01-sherlock\n", "Q: How should I approach code testing and audit if there's no test environment provided in the C4 repo?\n\nA: If there isn't a test setup in the C4 repository, don't worry, there are several recommended strategies you can follow. Firstly, check if there is a test setup available in the sponsor's GitHub repository. If not, you may want to consider creating your own tests or isolating certain parts of the code for testing. 
\n\nTo validate your findings, especially when it comes to bugs, it's recommended to write an executable test. This helps prove that the bugs you've found are real, as only real bugs are rewarded. False positives, on the other hand, do not receive rewards. \n\nWhen it comes to submitting your findings, the method depends on the length of the proof of concept code. If it's brief, you can add it directly to the report under the 'Proof of Concept' section. If it's lengthy, consider linking it from a private GitHub repo. More details on this can be found in our [submission policy](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nAnother thing to consider when testing is the use of testing tools. Some auditors use tools like solidity linter, Remix for checking contract code compilation warnings, Mythril and Slither for testing contracts downloaded from Github. \n\nIf you're dealing with complex contract environments with limited documentation, you could consider using Foundry, a tool suggested for testing scenarios in a local environment. This presents a good alternative to public testnets, which could save you money as testing smart contracts in a contest can be done using local/testnets.\n\nLastly, keep in mind that setting up the testing environment for contest repositories can be time-consuming due to multiple interrelated contracts and limited documentation. Some auditors may automate the process of finding potential issues in the code, which could be a helpful strategy to consider.", "Question: When can we expect the Yaxis audit report to be published on the CodeArena website?\n\nAnswer: The publication of the Yaxis audit report is currently in progress. Due to a high participation rate and a large number of submissions to review, the process may take longer than usual. 
The average turnaround time from audit competition to the release of reports is approximately one month, but efforts are being made to expedite this process. Once the report is ready, it will be published on the CodeArena website and the findings repo will be made public. It's important to note that the sponsors have the final say on the publication timing to allow for sufficient time to mitigate any issues identified during the audit. You can access all audit reports, including the upcoming Yaxis report, on CodeArena's website at [https://code423n4.com/](https://code423n4.com/) or on GitHub where each report title is a link pointing to the respective report. Please note that the specific timing for the release of the Yaxis audit report is uncertain. Stay tuned for updates on an announcement channel named #audit-reports, which is suggested to be created to post new messages whenever a report gets published on the C4 website.", "Question: What are the recommended steps for handling code audits and testing when there isn't a test environment provided in the repository?\n\nAnswer: When there isn't a test environment provided in the repository, auditors often create their own tests or isolate parts of the code for testing. They may choose to run these tests in the existing test environment, write new test cases, or even consider checking the sponsor's GitHub for a potential test setup. Testing can be done in isolation or as an entire unit using tools such as eth-brownie. \n\nAlternatively, auditors could use tools like Foundry for local testing scenarios. This can be particularly useful when setting up certain contract environments becomes challenging due to limited documentation, lack of test cases or deployment scripts, and multiple interrelated contracts. \n\nIf auditors produce code that demonstrates a proof of concept for a bug, they can include it directly in the report under 'Proof of Concept', or link to a private Github repository. 
However, the choice between these methods often depends on the length of the code. For more information, you can refer to our submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept). \n\nPlease note, auditors can fork the codebase and create a private repository on Github for the audit process without it being considered as information disclosure, as the submitted findings will be created as a GitHub issue.\n\nDuring the contest, evaluations are performed on the submitted repository assuming it is complete. Therefore, findings that highlight the security impact of missing functionalities will be considered. To ensure that the bugs found are real and not false positives, it's recommended to write an executable test for them, as false positives are not awarded. \n\nRemember to be careful with potential software problems and consider using Bash commands for environmental variables or using a docker image, if necessary. Also, ensure your GitHub account is logged in and is the same one given for CodeArena (C4) to avoid technical issues with viewing the repo or submitting findings. \n\nFinally, please note that while users can submit a \"Proof of Concept\" with Github, they do not have to make the repository public due to the risk of exposing vulnerabilities to the public. Instead, a private gist can be used.", "Question: How do I get and manage testnet tokens for smart contract auditing, particularly on platforms like Rinkeby and Polygon?\n\nAnswer: To obtain Rinkeby testnet tokens, you can use the Rinkeby faucet at https://faucet.rinkeby.io. If you need ETH tokens for the Goerli testnet, a suggested solution is to use Polygon/Sepolia. 
However, if you're using Foundry for local forking, it eliminates the need to acquire testnet tokens for transactions or wait time on blocks.\n\nYou can monitor your tokens (including those on Polygon) using https://polygonscan.com/address/ and move funds back to the mainnet using the Polygon bridge at https://wallet.polygon.technology/. To use the Polygon network with Metamask, you can switch your network in Metamask to Polygon Mainnet and copy your public keys. \n\nYou might also need to manually add tokens to Metamask when swapping networks to Polygon. For moving funds back to the mainnet, you can use the polygon bridge: https://wallet.polygon.technology/. If you need to swap gas, you can use https://wallet.polygon.technology/gas-swap. \n\nIf you're looking to test contracts downloaded from Github, consider using tools like Mythril and Slither. To swap ERC tokens, a cheaper method could be using a DEX aggregator like https://app.1inch.io. If you're testing a public testnet, it might be particularly useful for scenarios involving large numbers of users and complex state.\n\nRemember, irrespective of wallet settings, funds will be sent to your address and you control the key to that address. To move the funds, you need to send a transaction on Polygon. Registering your handle and Ethereum (ETH) address is necessary to receive your share from audits. \n\nLastly, awards can be received on Polygon and can be connected to MetaMask for conversion and withdrawal. The conversion process from Polygon Token to EUR can be done through the MetaMask bridge and Coinbase.", "Question: Can you provide information on when the liquidity incentive program will go live and how the rewards will be distributed?\n\nAnswer: The exact date for the launch of the liquidity incentive program is currently not stated. However, there have been measures put in place to encourage the timely completion of reviews, such as the deposit introduced in March. 
The team is continuously working to distribute various contest rewards, with plans to complete these distributions by the end of the week where possible. Regarding the distribution method, there are plans to utilize smart contracts for the distribution of rewards in the future, but there are still elements that need to be implemented before this can happen. The company acknowledges the need for greater clarity on the distribution and split of rewards and is actively working to provide this information. For the latest updates on upcoming audit contests, please refer to our website [code423n4.com](http://code423n4.com). It is important to note that the calculation and distribution of rewards may involve a complex process and can sometimes lead to pending rewards even after a contest has finished. If a team wins a prize but is unable to claim it due to KYC issues, it's unclear whether the prize will be held until they complete the KYC or if it will be forfeit. We appreciate your patience and understanding as we work to improve these processes.", "Question: How can I manage, review, or withdraw my contest report on CodeArena?\n\nAnswer: As a participant in CodeArena, you can manage and review your contest report directly on the contest page. If you've submitted a report and wish to edit or withdraw it, navigate to the specific contest page and look for the \"Your Findings\" tab. You can edit your findings, update your QA report, or retract your submission entirely from here. \n\nFor withdrawing a report, you can either do it directly on the contest page or request assistance by directly messaging an administrator or submitting a help desk request at https://code4rena.com/help. \n\nRemember, you can submit your findings for a contest using the form on the contest page. After submission, you can keep track of your report status and revisit your findings under the \"Findings\" tab next to the contest description. 
\n\nIf you did not make the award list, it's possible that your issues were rejected. You can confirm this by reviewing your report. If your submission was wrongly submitted, you're advised to resubmit your report for the contest and then create a help desk request to withdraw the invalid submission. \n\nOnce a contest is completed, the final published report allows participants to see the results of their submissions. You can view your submission replies, check all the reports you submitted during the competition, and will receive confirmation via email. You can also find which findings were rejected and why, as well as view others' findings after a contest finishes. \n\nPlease note, the public report page is updated mid-contest, and submissions can be reviewed after the report is published and the findings repo is made public. So, feel free to revisit the page at any time to stay updated about the status of your report and the contest overall.", "Question: How can I effectively submit bug findings on CodeArena and what are the best practices to follow for this process?\n\nAnswer: You can submit findings from bug hunts through CodeArena's process. Examples of past submissions can be found at https://code423n4.com/reports, which link to GitHub issues. For simpler examples of a bug report, you can look at this finding: https://github.com/code-423n4/2022-12-caviar-findings/issues/141. \n\nWhen submitting bug findings, it's recommended to make separate submissions depending on the type and severity of the bugs found. For each bug, you can also submit code for Proof of Concepts (PoC). If your PoC includes a code, consider including it in a gist file. For detailed guidelines, check out https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. 
\n\nHigh-quality submissions are expected to correctly identify the highest severity impact of the bug, provide evidence for the severity and validity chosen, and provide clear and understandable writing. For an example of how to present PoC for a bug and its impact, check out https://github.com/code-423n4/2022-12-caviar-findings/issues/376. \n\nIf you have a larger report, you can submit it by email and place a placeholder in the original submission. You can also provide direct links to all referenced code in GitHub and add screenshots, logs, or any other relevant proof in the Proof of Concept section when submitting a finding. After submitting a bug, you can view or edit your own submissions on the site for open contests. Feedback on your submitted findings can also be found. \n\nUncertainties do exist about the impact of automated findings on the contest and whether bugs introduced through mitigation efforts should be reported. If you find the same issue with the automated finding but in a different instance, it's acceptable to submit it. A single report with all occurrences of the same issue is also acceptable. \n\nAudit contest reports like https://code4rena.com/reports can also be helpful to review prior to making a submission. Remember, the results of submitted bugs to the contents in Code4 are revealed once the report is made public. In the meantime, you can refer to previous reports to see what a high-quality submission looks like.", "Q: What is the process after I submit a finding for a contest and what can I do in the interim period until the results are announced?\n\nA: Once you've submitted a finding via the form on our website for a specific contest, you don't need to do anything else but wait until the results are announced. However, during this waiting period, you have the ability to edit your findings by navigating to the contest page and clicking on the 'Your Findings' button. 
You can keep editing and updating your findings until the contest officially closes.\n\nAfter the contest ends, the review process for your findings begins. This includes a sponsor review, judge review, sponsor confirmation, and the judge's final report. This process usually takes a couple of weeks and is then followed by an announcement of the results on Discord.\n\nPlease note, you will receive a confirmation email once your findings have been successfully submitted. Additionally, you can also track the status of your report under the 'Findings' tab next to the contest description.\n\nWhile you can view your own submitted findings, please be aware that findings of a contest cannot be publicly viewed after the contest ends and before the final report is published. This is to ensure fairness and integrity of the contest. The final published report, which becomes available a few weeks after the contest ends, will allow you to see the results of your submissions. \n\nIn certain instances, not all findings submitted for the contest may make it to the final report. The reason for this may not be immediately known, and you may have to wait until the full public report is published to understand why. The final report is also the opportunity for participants to discuss any issues or bugs found in a project. \n\nRemember, any findings not submitted before the contest ends will not be eligible for consideration. Also, keep in mind that after the contest rewards have been distributed, the final report may not immediately appear on our website.\n\nFor more specific details, you can follow this [link](https://www.code4rena.com/contests).", "Question: Can you provide an estimate on the number of contest completions expected in the upcoming month at CodeArena?\n\nAnswer: At CodeArena, it's typical for the number of contests to fluctuate. According to our current schedule, we have several contests planned, including two that are already queued up for next week. 
We also have the capability to handle multiple contests simultaneously, up to 20 contests a week, although this might not always be the case due to fluctuations in the schedule. Furthermore, the leaderboard at https://code423n4.com/leaderboard/ provides cumulative results from previous contests. Please note that the processing and distribution of contest rewards usually occur shortly following the conclusion of the competitions, typically within a month, although efforts are being made to decrease this time. In worst-case scenarios, rewards may be shipped two months after the competition. We are dedicated to reducing these turnaround times and aim to process and distribute rewards as quickly as possible. However, there may be delays, for example, the judging for a competition concerning gravity bridge was still ongoing at the time of the chat, with payouts expected two weeks later. Also, the timeline of a contest can be extended, for instance, a contest involving over 12k sloc was extended to 4 weeks. So, although we cannot provide a precise number of contest completions expected in the upcoming month due to these variables, we are continually working on improving our processes to handle and complete contests more efficiently.", "Q: How and when can I alter the severity of my reported bugs after a contest has ended at CodeArena?\n\nA: After a contest ends, you can alter the severity of your reported bugs by either updating the information directly through the Pull Request (PR) you initially created or by contacting one of the judges. To get in touch with a judge, you can send a Direct Message to the staff and they will pass your request to the relevant judge. Alternatively, you can also submit a help request at https://code4rena.com/help to remove the original submission and then submit again with the revised severity level. \n\nHowever, please bear in mind that bug reports cannot be submitted or updated after the contest has ended. 
All findings have to be submitted prior to the contest closure. Post-contest, you can view or edit your own submissions on our site for open contests. \n\nReports are generally reviewed and immediately triaged by our judges after a contest ends. These reports then await sponsor review, final judging, and a Quality Assurance process before they are made public. In some cases, if a bug issue is submitted with an incorrect proposed solution, the submission can be updated if the contest hasn't ended. \n\nWe're also considering plans to allow certified contributors to view submitted issues right after the contest closure, providing them an opportunity to comment or give input on these issues during the judging process. \n\nIn case you have any queries about an issue marked as invalid, you can monitor the backstage channel for the post-judging stage of the concerned contest. Feedback for submitted issues typically comes within a couple of months, once the contest has closed and the report is published.\n\nWhen it comes to any uncertainties about the reported bug severity, it\u2019s up to the judge's discretion to decide on severity escalations in the contest report. In the event of duplicate submissions towards the end of the contest, our judging criteria can be found here: https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions\n\nFinally, we're also working on adding the severity of bugs to the emails sent out post-issue submission for better clarity. We encourage learning and growth, and therefore, we release a report about the bugs found in every contest which can serve as a valuable resource.", "Question: Can you provide an update on the progress and expected release of the Yaxis audit report?\n\nAnswer: The audit report for the Yaxis project is currently being worked on. 
The sponsors have the final say in the publication timing, as we want to allow them sufficient time to address and mitigate any potential issues that might arise from the audit. Due to a high participation rate and a large number of submissions, the release of the report might take a bit longer than expected. Typically, the average turnaround time from audit competition to release of reports is approximately a month, although we are consistently working to decrease this time frame. It's also important to note that after the report is released, it will be publicly visible. We also wish to inform you that a batch of other reports, including past project results, is expected to be released soon. Old audit reports can always be accessed at https://chainsecurity.com/audits/. At this moment, we cannot provide a specific release date for the Yaxis audit report, but please keep an eye on our updates. We appreciate your understanding and patience.", "Question: When can I expect the report to be published after a smart contract audit contest and what occurs during this period?\n\nAnswer: After an audit contest concludes, the report's publication typically takes between 2 to 6 weeks on average, though this can sometimes extend. The duration depends on several factors including the specific contest and the number of reports under review. \n\nDuring this period, reports and findings are immediately reviewed and triaged by our judges. These then await sponsor review, final judging, and Quality Assurance before they are made public. The report publication process also includes compiling audit reports, sponsor reviews, judging, awarding, and reporting. \n\nIn some cases, the sponsors have the final say on the publication timing to allow them sufficient time to mitigate any issues found during the audit. 
It's worth noting that we do not discuss the findings publicly until the report is published.\n\nUpon publication, the findings repository becomes public, allowing participants to see their submissions and the reasons for their rejection if applicable. Also, the final reports of the contest will appear on the CodeArena (C4) site. \n\nPlease note that feedback for submitted issues typically comes within a couple of months, once the report is published. Understandably, participants are curious about their submissions; it's recommended that they wait for the report to be published and the findings repo to be made public to check on their submissions. \n\nWe are actively working on decreasing the turnaround time from audit competition to the release of reports to improve our process. Users looking for notifications when a new report is published should stay tuned for possible updates to this feature.", "Question: How can I request to be added to specific rooms or teams on CodeArena, and what does the process involve?\n\nAnswer: You can request to be added to specific rooms or teams on CodeArena. To do this, you need to submit a team request at [https://github.com/code-423n4/code423n4.com/pull/28](https://github.com/code-423n4/code423n4.com/pull/28). This request needs to be accepted by someone from the team. \n\nIn case you encounter issues while trying to add new members to your team, it is recommended to submit a help desk request. Sometimes, the issues might be resolved by trying again on another day. \n\nIf you are interested in participating as a warden, you can also seek help in the #\u26bdteam-formation channel on the platform. \n\nIn case you don't have access to particular resources such as the findings repo, you may request to be added to the backstage group on Github. 
If you meet the criteria for '+backstage', you can submit an application at [https://docs.code4rena.com/roles/certified-contributors/backstage-wardens](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens).\n\nIf you are interested in being a sponsor, you can express your interest in the channel labeled as #\ud83d\udcbci-want-c4-to-audit-our-code. \n\nFurthermore, CodeArena has a dedicated team that can assist with setting up audits. In fact, new wardens are encouraged to team up and collaborate on private audits. Changes such as the addition or removal of members to/from teams can be requested through the help desk. \n\nLastly, participants are encouraged to add their payment wallets to their accounts, and project owners should note that they cannot see the findings as they are reported. If funds are at risk on mainnet, CodeArena staff should be reached out via a help request.", "Question: Why are the start dates for contests, such as the Overlay Protocol contest, delayed and how does this affect the overall contest timeline?\n\nAnswer: The start dates for contests on Code4Arena, including the Overlay Protocol contest, can be delayed due to a variety of factors. For instance, the Overlay Protocol contest was delayed to start on 11/16 at midnight UTC. Delays can be due to factors related to the protocol itself, such as issues with the coding, or external factors such as the availability of the judges, the review process by the sponsors, or even a backlog caused by an increased number of issues in other contests. \n\nSponsors also play a role in contest delays, as they may have a say in the protocol involved or the judgement process. For example, there was a delay in judging the Sublime March 2022 contest due to slow sponsor review. \n\nHowever, it is important to note that while the start dates can change, the overall contest timeline is often extended to accommodate for these changes. 
For example, a contest involving over 12k sloc had its timeline extended to 4 weeks. Despite these changes, there may still be gaps in the schedule for live contests or even breaks in contests lasting a few days. \n\nThe exact contest details, including any delays or changes, can be found on the contest's specific page on the Code4Arena website. For example, details for streaming protocol contest can be found at: https://code4rena.com/contests/2021-11-streaming-protocol-contest. \n\nPlease note that the start date and other details on the website and other platforms such as RSVP should ideally match, but if there is any discrepancy, the data on the Code4Arena website should be considered as the most accurate. For instance, there was a discrepancy in the start date of Chainlink Staking v0.2 in RSVP and the Code4Arena website, necessitating a clarification. \n\nLastly, it is important to understand that while these delays may affect the start dates, the quality of the contests and the audit process are maintained to ensure the best results for the participants and the companies involved.", "Question: What is the process and timeline to become a certified auditor at CodeArena and gain access to specific rooms?\n\nAnswer: To become a certified auditor at CodeArena, you need to apply for certification and complete the Know Your Customer (KYC) process. This process involves submitting documents for verification to provenance, who will send a confirmation email once the KYC process is completed. You are typically asked to start the process within 48 hours of the contest close. \n\nThe estimated wait time to become a certified warden after sending your request is about 2 business days, but it may take a few more days to get the certified role after finishing the KYC process. After certification, you have a 30-day period to complete your audit. \n\nOnce you're a certified auditor, you can request to be added to specific rooms, such as the 'boot finance rooms'. 
Access to specific rooms like these can, however, depend on your participation in audits and your position on the leaderboards in the last 90 days. \n\nIf you participate in at least three contests with either one high or three medium fundings, you can also request a backstage pass. This request will be reviewed and you'll be notified once it's been processed. The process for reviewing requests for access can take up to a few business days. \n\nPlease note that the time taken for these processes can vary and is subject to change. If you have any further questions, don't hesitate to create a help desk request to have your status evaluated. \n\nFor more information, please visit our Discord chatroom to discuss with other auditors and our team.", "Q: How should vulnerabilities in a codebase be reported, especially if they occur in multiple components or are similar to each other?\n\nA: If the same vulnerability is found in different components of the codebase, they can be reported as separate findings. However, it's left to the judge's discretion to determine if they're duplicates. If two different exploits originate from the same root cause, they're often considered as duplicates. In contrast, if the same vulnerability appears on separate functions, these can be contained within one report. You may also submit a third finding if two separate vulnerabilities can be combined to create a more critical one. \n\nIf a single line of code offers multiple exploitation opportunities, it appears all bugs should be reported but with more attention to the one with the largest impact. Furthermore, if you discover the same vulnerability but with varying severities, the unified severity for award calculation will be determined through the deduplication process and judging severity phase afterward.\n\nRegarding the simultaneous reporting of the same vulnerability by multiple wardens, there's a criterion in place for this scenario. All wardens will receive an equal share. 
However, common findings, usually identified by the C4udit tool, are generally out of scope. If such vulnerabilities aren't picked up by the tool, they should be submitted.\n\nIf you are uncertain whether findings should be submitted as separate issues, you can refer to the source code 'findings.csv' for additional information about duplicate reports. Here is the link [Link](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434)\n\nRemember, the impact of a vulnerability will influence its severity. Medium risk vulnerabilities ideally require test codes as Proof of Concepts when writing reports, similar to high-risk vulnerabilities. You can submit reports on vulnerabilities and attach screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected code.\n\nIt's also important to note that if the root cause of a finding is the same, they will be accounted for as duplicates of each other. In case two different issues can be resolved by fixing the same thing, they would be considered as one issue. You are allowed to report a variety of findings based on various combinations of issues found to create different attacks.", "Question: What is the recommended way to format code for contest finding submissions on CodeArena, and are there any specific practices to follow?\n\nAnswer: CodeArena recommends using markdown to format code for contest finding submissions. Code blocks in markdown are wrapped with ``` on either side. Markdown formatting is accepted in the submissions. For formatting Solidity code or any specific type of code into a readable format, you can refer to the markdown code guide on GitHub's official documentation, which can be found at https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.\n\nIt's important to ensure that your code is clearly readable and well-presented. 
If you're including mathematical expressions or linking to other parts of the code, make sure it's done in a way that doesn't disrupt the overall readability of your submission.\n\nCodeArena provides a submission form on the contest page where you can submit your findings. All findings should be submitted separately using the \"Submit finding\" button. You can also link your GitHub repositories as proof of concept for your findings. There's an old GitHub template for submissions that you can refer to, but it's not updated anymore: https://github.com/code-423n4/code-contests/blob/4db2720312f0958f2e89f6207a6774c9e5360655/SUBMISSION_TEMPLATE.md\n\nIf you have lengthy code for a test, you can include it directly in the report under 'Proof of concept' or link it on a private repo on Github, depending on the length of the code. For more information on this, please consult: https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.\n\nRemember, high-quality and high-quantity findings tend to score better in CodeArena competitions. You can compare your findings with winning reports to get more insights: https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues.\n\nPlease note the discussion about whether to include line numbers in code snippets and the appropriate method for referencing code in reports. There's no hard and fast rule on this, but ensure whatever approach you take contributes to the clarity and comprehensibility of your submission. \n\nFinally, if you have any concerns or disagreements about a contest judgement or the process, you can review and discuss issues at https://github.com/code-423n4/org/issues.", "Question: What is the recommended process for submitting issues in a well-formatted manner at CodeArena?\n \nAnswer: You can submit issues to CodeArena in a specific format using Markdown. 
You can use a tool such as Notion or the extension available at [https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers](https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers) to format your code before pasting it into the submission issue form. The submissions accept Markdown for formatting the text and even issue titles can include Markdown formatting.\n\nIn case your submission involves changes in multiple lines of code, you can submit a git patch or a PR to the repo. If you are submitting findings from bug hunts, separate submissions should be made depending on the type and severity of the bugs found. It's useful to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid.\n\nYou can also submit issues as a team by submitting through a PR and adding your team handles when reporting issues. If your submission exceeds Github's max character limit for issue descriptions (~65k characters), you can email your submission to submissions@code423n4.com. You can also edit your submissions after they have been issued.\n\nThe grading criteria for quality submissions include: correct identification of the highest severity impact of the bug, making the case for the severity and validity chosen with evidence, and clear and understandable writing. If your concerns focus on inconsistency, process, or lack of clarity in rules, you can review issues at [https://github.com/code-423n4/org/issues](https://github.com/code-423n4/org/issues) and add fact-based comments, support suggestions or open new issues there.\n\nFor more detailed guidelines on the submission process, visit [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). 
And for examples of past submissions, you can check [https://code423n4.com/reports](https://code423n4.com/reports).\n", "Question: How are non-critical findings rewarded in CodeArena's auditing contests and what factors could influence these rewards?\n\nAnswer: Non-critical findings do not directly share in the main award pot. However, there are other aspects to consider here. For instance, if a team submits a unique non-critical finding, they may derive more rewards than if they had individually submitted the same finding. The level of detail in the submission, such as the inclusion of a Proof of Concept (PoC), and the comprehensiveness of the issue coverage can also influence the reward amount.\n\nThe reward for a finding is also dependent on the severity of the finding. The severity is judged based on the specific contest and the judge's discretion. It's possible to submit more than one high-risk finding in the same audit, but if the root causes are the same, they would be counted as one. If a submitted high-risk finding is judged as low risk, the submitter will still be rewarded and vice versa. \n\nIf an automated finding can lead to a high severity finding, it's possible for a warden to report it again during the contest and it could be awarded with higher severity. It's also worth mentioning here that if no Medium/High vulnerabilities are found, the full award pool would be divided based on the QA Report curve.\n\nIt's also noted that there's an incentive for wardens to submit non-critical vulnerabilities as it benefits the sponsor, despite non-critical vulnerabilities not being considered for awards. A finding will receive a reward if it's disputed by the sponsor as 'won't fix', but is still a valid one. \n\nLastly, the average award pot for low or non-critical vulnerabilities is typically around 10% of the total prize pool. 
However, this can vary based on the specific terms of the competition, which might scale up the pot based on the severity of the findings.", "Question: What incentives or rewards are in place for users who report non-critical findings in the CodeArena?\n\nAnswer: Currently, CodeArena does not provide direct incentives for quality assurance (QA) type of submissions, including non-critical findings. The primary focus is on high, medium, and low severity vulnerabilities, as well as gas optimizations. However, members of the CodeArena community have been known to report non-critical findings out of goodwill and in support of the overall project improvement. In spite of there being no official incentive, participants can submit non-critical or low-risk findings, and even suggest project improvements in the non-critical findings section. \n\nIt's worth noting that non-critical findings do not have a share in the reward pot and are not considered for awards. However, wardens can submit non-critical vulnerabilities to benefit the sponsor, and there may be a bonus for each low finding selected for inclusion in the report. \n\nWhile not all reports are guaranteed a reward, high-quality and high-quantity findings tend to score better in CodeArena competitions. Participants can gain a better understanding of this by comparing their findings against winning reports, such as [this one](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues). \n\nFurthermore, a single QA report can consolidate non-critical and low-severity findings of a given auditor, and bot-generated reports can theoretically include findings of all types. Users can also submit an analysis report about the system even if they have no significant findings, to provide advice for the future of the project.\n\nHowever, it is important to remember that incorrect findings in a QA report can affect the QA grade and reports must meet quality standards to be considered valid. 
If you are unsure about the severity of a finding, it is advised to submit these findings or direct message the sponsor team for additional context. If a high-risk finding is judged as low risk or vice versa, the submitter will still receive a reward.", "Q: How and where can I provide my suggestions or feedback for improvement to a project on CodeArena?\n\nA: You can provide your suggestions or feedback for improvement to a project on CodeArena through multiple avenues. For project-specific improvements, you can leave suggestions in the non-critical findings section and for more generic feedback on the platform, such as the website, leaderboard systems, contest processes, and Discord setup, you can use the suggestion box that we have established. \n\nIn addition, we have a feedback channel on Discord for all kinds of suggestions and comments. You may also send an analysis report about the system even if you have no significant findings, to offer advice on considerations for the project's future. During contests, you are allowed to discuss potential improvements with the project's dev team either in the contest channel or through private messaging. \n\nIf you wish to suggest changes to the rules or raise concerns about inconsistency or process clarity, you can review issues at https://github.com/code-423n4/org/issues, where you can add comments, support existing suggestions, or open new issues.\n\nMoreover, if you have feedback or improvement suggestions for participants in our ArtGobblers competition, you can provide them at https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137.\n\nRemember, your feedback can influence CodeArena's priority operations, and we appreciate your input in improving our platform. For website-related suggestions, there's an open invitation to submit pull requests with any ideas to our GitHub. 
We value your feedback and your commitment to making CodeArena a better platform for smart contract audits.", "Question: How does the process of reporting bugs including the inclusion of severity and potential alterations work within the Code4rena platform?\n\nAnswer: When you report a bug on the Code4rena platform, you're asked to assign a severity level to the bug based on its impact. Guidelines for estimating risk can be found [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr). Once you've submitted an issue, an email will be sent to you confirming your submission, which may soon include the severity level of the bug you reported. \n\nIf you're unsure about the severity of an issue after you've reported it, it's possible to change the severity post-submission. During a contest, you can submit a help request to remove the original submission and then resubmit it with the new severity evaluation via [Code4rena Help](https://code4rena.com/help/).\n\nAfter the contest has ended, you can still alter the severity of reported bugs either through the Pull Request(PR) or by reaching out to one of the judges via the designated contact points. Be aware that even if you misclassify a bug's severity in your submission, you will still be rewarded for that bug at the correct severity level. \n\nWhile waiting for your reported bug to be made public, you can view past reports to see what a high-quality submission looks like. If you have more questions about severity evaluation and specific bugs, you can ask in the chat where these will be answered. \n\nRemember, the grading criteria for quality submissions include correctly identifying the bug's highest severity impact, providing evidence to support your chosen severity and validity, and clear and understandable writing.\n\nAnd if you don't receive an email after submitting a finding, don't worry. You can open a help desk request at [Code4rena Help](https://code4rena.com/help/). 
Please note that the bug submission is not invalidated if the severity level assigned by you differs from the evaluated one. Specific severity does not matter as much as a good explanation of the finding. \n\nThe platform is actively considering ways to improve the process, such as adding the ability to respond to the submission confirmation email with a comment that gets added to the GitHub issue. For vulnerabilities impacting Code4rena's web app, these can be reported by sending a direct message to a specific individual or emailing the issue to security@code4rena.com.", "Question: When and where was the winner announcement for the BadgerDAO contest held on October 28th?\n\nAnswer: The winner announcement for the BadgerDAO contest held on October 28th was made on December 6th. The announcement was made in the #\ud83d\udce2announcements section of our Discord chatroom. The winner received a small prize of USDC, which will be distributed to their registered wallet on the Polygon network. Please note that there can occasionally be delays in the distribution of awards, but we aim to process and distribute contest rewards within 1-2 weeks after the announcement. We apologize for any inconvenience caused by such delays. You can check the announcement channel for updates on the distribution of awards. Be sure to also check out the updates on other contests like the Stakehouse, Nested Finance audit, and Fairside contests.", "Question: Can we add position numbers and additional features to the leaderboard on CodeArena? \n\nAnswer: There has been widespread interest from users on adding position numbers and a Low column to the leaderboard. However, as of now, the leaderboard only contains contest numbers and it's not immediately clear what number corresponds to the contest. \n\nWe are exploring potential improvements to the leaderboard. 
These include introducing different timelines (all-time, last 3 months, etc.), adding badges for various achievements (like being a gas optimization hero, making repeat appearances as MVP, etc.), and introducing leaderboard seasons where each season lasts a certain time period (for example, a year), with everyone on the leaderboard getting an NFT at the end of the season reflecting their rank, earnings, and design. \n\nThe leaderboard is updated after the end of each contest and displays cumulative results. If a user is in the top 5 of a contest and has received the reward, the \"leaderboard\" tag should be updated in their roles. Users can request changes to the leaderboard/contest results link through the help desk.\n\nThere is a leaderboard available at https://github.com/code-423n4/code423n4.com/issues?q=leaderboard and https://code423n4.com/leaderboard/. After each contest, the leaderboard gets updated and users can see the number of overall issues they reported at https://code4rena.com/leaderboard. Profile icons on the leaderboard can be changed through a help desk request at https://code4rena.com/help. \n\nPlease note that the leaderboard reflects both the current contest participation and total participant involvement. It's also worth mentioning that if a participant's name isn't mentioned in the report, it doesn't affect future submissions but may have minor impact on the leaderboard ranking. \n\nKeep in mind that some information could potentially not be reflected accurately on the leaderboard, such as contest results not being counted for the full duration. There have been issues in the past with certain items being double counted on the leaderboard, but these are usually resolved promptly. \n\nLastly, there is an \"Available for Hire\" filter option available on the leaderboard. You can get the \"leaderboard\" tag in your profile if you get in the Top 5 in contests. 
But it's important to note that the minimum rank required on the leaderboards to get the role leaderboards is a topic of discussion among participants. \n\nWe appreciate your feedback and will continue to consider it as we make updates to the leaderboard.", "Question: What improvements to the CodeArena leaderboard have been proposed and how might they enhance user experience?\n\nAnswer: There have been numerous suggestions to improve the CodeArena leaderboard to enhance user experience. Some users have proposed adding position numbers and a 'Low' column, while others have expressed interest in seeing certain features and contests included in the ranking system. A common suggestion has been to create a leaderboard displaying the top contestants after the results of a contest. \n\nOther potential improvements include:\n1) Having different timelines for rankings (all-time, last 3 months, etc.),\n2) Adding badges for various achievements (such as being a 'hero' at gas optimizations or making repeat appearances as MVP),\n3) Introducing leaderboard 'seasons', where each season lasts a certain period, and at the end, everyone on the leaderboard gets a unique NFT with their rank, earnings, and a design. \n4) Considering the 'Low' column to represent low severity issues found by a participant.\n\nConcerns have been raised about the leaderboard becoming slow and there are ongoing discussions about updating the leaderboard to primarily show the current year's stats while still keeping the all-time stats visible. Currently, the leaderboard's 'total' column represents the total number of valid findings of all severity levels by a specific individual or team.\n\nThe leaderboard gets updated every time awards are announced and rewards from past private contests are also added. However, not all contest types are currently supported. The leaderboard ranking is affected both by the current contest and the total participation of a contestant. 
\n\nThere is an \"Available for Hire\" filtering option on the leaderboard and users can get the \"leaderboard\" tag in their profile if they place in the Top 5 in the contests. \n\nPlease note that the development team is considering these improvements and there might be changes in the future. For more information or suggestions, you can visit the leaderboard at https://code423n4.com/leaderboard/ or post your queries to the help desk at https://code4rena.com/help.", "Question: What are the plans for improvements to the CodeArena leaderboard?\n\nAnswer: CodeArena is considering various improvements to the leaderboard based on user feedback and internal discussions. Potential enhancements include the introduction of different timelines (all-time, last 3 months, etc.), adding badges for various achievements (such as being a hero at gas optimizations, or making repeat appearances as MVP), and introducing leaderboard seasons, where each season lasts a certain period, like a year, and at the end, everyone on the leaderboard receives an NFT commemorating their rank, earnings, and a design. \n\nLeaderboard updates occur when awards are announced and reflect both the current contest and total participation of a contestant. However, not all contest types are currently reflected in the leaderboard. Users who place in the top 5 of a contest receive the \"leaderboard\" tag on their profile, which is updated when they receive their award. \n\nConcerns about leaderboard display, like adding position numbers and a Low column, and the potential impact of LPT rewards on leaderboard positioning, are also being addressed. The development team is considering shifting the leaderboard from tracking the last number of days to the last number of contests to better reflect user accomplishments.\n\nHandles on the leaderboard are only for the leaderboard, and an individual's name can appear twice - once individually and once as part of their team. 
Users can find the leaderboard at https://code423n4.com/leaderboard/ and can raise any queries or provide suggestions for improvement through the help desk at https://code4rena.com/help. \n\nPlease note that these enhancements are currently in the idea phase and the final decisions are yet to be made.", "Question: How can I acquire the \"leaderboard\" role in the CodeArena Discord, and what features are associated with it?\n\nAnswer: The \"leaderboard\" role in the CodeArena Discord is granted to users who place on the leaderboard. Notably, to receive this role, a user must appear in the top 5 of a contest and have received the corresponding reward. Once users earn this role, the \"leaderboard\" tag should reflect on their profile in Discord. \n\nThe leaderboard system and role are tied to both the current contest and cumulative participation of a contestant. The leaderboard ranking is updated when the process pieces of a contest are assembled together and awards are announced. There has been discussion of making changes to the leaderboard to show current year statistics primarily while keeping the all-time stats visible.\n\nFeatures associated with the \"leaderboard\" role include being considered for RSVP certified jobs, and being able to change your wallet and username on discord and have these changes reflected in your CodeArena account. An updated discord username tied to a CodeArena account helps ensure participants can be tagged in for any award announcements. Note, changing a nickname requires creating a new registration/discord handle and starting over with the new name if the person was on the leaderboard. \n\nThe leaderboard itself can be found at https://code423n4.com/leaderboard/ and https://github.com/code-423n4/code423n4.com/issues?q=leaderboard. There is also a leaderboard mentioned at https://code423n4.com/leaderboard/, which gives a sense of what wardens are earning. 
The leaderboard reflects an individual's ranking both individually and as part of their team, and also the awards they've received. \n\nThere are ongoing discussions and improvements being considered for the leaderboard system, such as having different timelines, adding badges for various achievements, introducing leaderboard seasons, and more. These discussions and suggestions can often be found in the suggestion box established for users to share their ideas. \n\nPlease note, if you change your discord username, you may need to update it in the CodeArena, and if you wish to change your profile icons on the leaderboard, you can do so via a help desk request at https://code4arena.com/help.", "Question: How can I compile and set up projects from CodeArena after cloning them?\n\nAnswer: Once you've cloned a project repository from CodeArena, there are several steps you could follow to compile the project. Here are some general guidelines:\n\n1. Clone the entire repository and install the dependencies with `forge`. You may need to use the `git clone` command with submodules, for example: `git clone https://github.com/code-423n4/2023-01-astaria.git -j8 --recurse-submodules`. \n\n2. If the project utilizes OpenZeppelin contracts, you may need to manually include these contracts from the OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate). Some projects copy and paste OpenZeppelin source code into their repositories instead of using the npm library, a practice known as taking a \"snapshot\". This is done to allow for necessary changes to external contracts to suit project requirements.\n\n3. To handle source code leaks or to deploy the same code, you may need to fork the project and endorse it for users.\n\n4. You can also explore the compound codebase from the compound repo if that's relevant to your project.\n\n5. 
If you're facing difficulties running the project in a specific environment like VSCode, consider running tests in the existing test environment or writing new test cases, instead of setting up full environments. If there's no test setup in the C4 repo, check the sponsor's GitHub for a potential test setup or consider testing the code in isolation.\n\n6. Some users find it helpful to create `.orig` files and use 'git diff' of the project folder when submitting a report. There's a tool available at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers to submit issues in a specific format.\n\n7. If you have code that runs as a proof of concept for each bug, consider either adding a zip file to the submission or sharing a private Github repository.\n\n8. There's an `audit_helper` tool mentioned that can help when initializing a freshly cloned audit repo. This might be useful in your project setup.\n\n9. Remember, setting up the environment for contest repositories can be time-consuming due to multiple interrelated contracts and limited documentation. CodeArena provides sponsors with a set of example READMEs to work from, as well as a checklist of items to include, which you may find helpful.\n\nPlease note that these are general suggestions and the exact process might vary depending on the specific project and its requirements. Always refer to the project's documentation and any setup instructions provided by the project's maintainers.", "Question: What is the recommended approach to organize the project directory and the README file in a project for auditing?\n\nAnswer: At CodeArena, we advise keeping your README file in the top-level directory of your project. The README.md file for each contest should clearly outline what is in scope and what is not for auditing. 
There are instances where the number of lines of code (LOC) mentioned in the README.md may not match the actual lines in the contract files, so we recommend being meticulous about this. For guidance, you can refer to our set of example READMEs and checklists. \n\nAs for the actual project, you're free to organize it in a project directory. When submitting a report, you can create .orig files and use 'git diff' of the project folder. You might debate whether to leave direct links to the code on GitHub or to refer to a specific file and line number in your reports. Either method is acceptable, but make sure it's easy for others to locate the code in question. \n\nIf your project is extensive, consider implementing a two-tier system for code access or asking for more time for a thorough review. Remember, you can link your GitHub repositories as proof of concept in your finding submissions. \n\nIf you're using external contracts, you might find it better to include the code directly by importing rather than using an npm package. This allows you to make necessary changes to the contracts to suit your project requirements. \n\nLastly, if there's no test setup in the C4 repo, check your GitHub for a potential test setup or consider pulling out the code to test it in isolation. Integration with GitHub for tracking specific timestamps and adding a zip file to your submission or sharing a private GitHub repo are also options for submission. \n\nIn case you need to suggest changes to the CodeArena documentation, you can propose at: github.com/code-423n4/docs. For any other questions or discrepancies, our Discord chatroom is always open for discussion and clarification.", "Question: What improvements are being considered for the CodeArena leaderboard, and how might these changes impact its display and the users?\n\nAnswer: CodeArena is actively working on several potential improvements to the leaderboard. 
These enhancements include introducing different timelines such as \"all-time\", \"last 3 months\", and potentially even seasonal views that could last 4 or 6 months. This would allow us to showcase more recent achievements while still maintaining visibility of overall all-time stats.\n\nIn addition to timelines, we are considering adding badges for various achievements such as prowess in gas optimizations or multiple appearances as MVP. These badges will aim to better reflect the accomplishments of our users. \n\nAnother aspect under consideration is the introduction of leaderboard seasons. Each season would last a certain period, possibly a year, and at the end of that period, everyone on the leaderboard would receive an NFT with their rank, earnings, and a unique design.\n\nThere have also been discussions surrounding the possibility of changing the leaderboard from tracking the last number of days to the last number of contests. However, this is still in the discussion stage, and no concrete decision has been made. \n\nPlease note, these potential changes are still in the discussion and development stages. The development team is keen on making the leaderboard as reflective and fair as possible for all users, ensuring it accommodates different types of contests and achievements. These changes will be implemented once several of the process pieces have been glued together. \n\nTo keep updated on these changes, please refer to our leaderboard at https://code423n4.com/leaderboard/.", "Question: What are some potential improvements and features that could be implemented for the CodeArena leaderboard?\n\nAnswer: CodeArena's leaderboard, which can be found at https://code423n4.com/leaderboard/, is continually being improved based on user feedback and discussions in our Discord chatroom. Current suggestions for enhancements include:\n\n1. 
Highlighting different timelines, such as all-time, last 3 months or last 60 days, with a focus on current year statistics while keeping all-time stats visible.\n2. Adding position numbers and a low column to the leaderboard.\n3. Developing a leaderboard showcasing the best contestants after contest results.\n4. Incorporating badges for various achievements, such as excelling at gas optimizations, repeat appearances as MVP, and more.\n5. Introducing leaderboard seasons, potentially lasting 4 to 6 months, where each season concludes with leaderboard members receiving an NFT featuring their rank, earnings, and a unique design.\n6. Considering team statistics in relation to individual stats.\n7. Including the average percentage of pool awarded as a metric.\n8. Adding rewards from previous private contests to the leaderboard.\n9. Ensuring that contest results accurately reflect a user's accomplishments over the full duration.\n10. Adding an \"Available for Hire\" filtering option.\n11. Providing a \"leaderboard\" tag for users who rank in the Top 5 in contests.\n\nPlease note that these improvements are currently under consideration and may not yet be implemented. The leaderboard is regularly updated as changes are made and more data becomes available. We value our community's feedback and are working to ensure that our leaderboard provides a comprehensive and accurate reflection of user achievements in CodeArena's contests.", "Question: What benefits and privileges are associated with being a Warden at CodeArena, and how can one become a Certified Warden?\n\nAnswer: Wardens at CodeArena have the opportunity to participate in various code contests, earn badges for their achievements, and even compete for specific bounties. They can view their standing and earnings on the leaderboard at https://code423n4.com/leaderboard/. \n\nA Warden can also apply for a Certified Warden status. 
This certification allows wardens to participate in private contests to a certain extent, attend private audits, and receive access to findings shortly after contests end. They also get access to a private channel for Certified+ wardens, which assists with various process-related tasks. \n\nTo become a Certified Warden, there seems to be a requirement to participate in a certain number of contests and have a certain number of valid findings or reports. A warden who has encountered one high severity bug and has competed in at least three contests may be eligible for certification, although other conditions may apply. \n\nIn addition to this, there's an OG Warden status for wardens who have been with the company for a significant period, which appears as a badge on their profile. It's also worth mentioning that wardens may get paid for sponsor-confirmed issues or sometimes even disputed ones, and if a warden receives rewards both individually and as part of a team, they will appear separately on the leaderboard.\n\nFor more detailed information about the Certified Wardens process, users can directly ask Code4rena or check the relevant documents in the docs section. Information about certification and eligibility can also be found in the new qualifications section on the Warden registration page.", "Question: Why doesn't Brownie compile projects that start with a year following the default naming convention of C4, and is there a workaround for this issue?\n\nAnswer: This complication arises because Brownie, a Python-based development and testing framework for smart contracts, requires project names to start with an alphabetical character. When a project name starts with a year, it doesn't comply with this requirement, hence Brownie doesn't compile these projects following the default naming convention of C4. 
You can find detailed information on this requirement in the Brownie Github repository [here](https://github.com/eth-brownie/brownie/blob/0fa4477a178bd55b6683f60d077b7060df02b2c5/brownie/project/main.py#L740). \n\nThis issue, sometimes referred to as \"C4 MEV\", is more of a cosmetic problem, and a simple solution is to rename the project so that it starts with an alphabetical character. It should be noted that this issue doesn't affect the functionality or security of the smart contract itself, but it's an important detail to be aware of when using Brownie for testing and development in the context of auditing through C4. \n\nIf you're new to using Brownie, or if you've run into issues related to this, remember it's always okay to ask for help or share your experience with the community. Code4rena (C4) is continually working on improving their tools and procedures to ensure a smooth auditing experience.", "Question: How does the leaderboard update process work and what potential improvements are being considered for the leaderboard?\n\nAnswer: The leaderboard on CodeArena is a dynamic representation of performance across various contests. It is updated each time awards are announced, which is determined by the progression and completion of each contest. This can cause some variability in the timing of updates. Some concerns have been raised about the accuracy of the leaderboard, with issues like certain contest results not being counted in full duration or items being double counted. The team is always vigilant about these issues and works to resolve them promptly. The leaderboard is accessible at https://github.com/code-423n4/code423n4.com/issues?q=leaderboard and https://code423n4.com/leaderboard/.\n\nIn terms of improvements, there is an ongoing discussion about adding different timeline views such as \"last 3 months\" or a current year statistics view, alongside the existing \"all time\" view. 
The idea is to change the leaderboard from tracking the last number of days to the last number of contests. There's also a proposition to introduce leaderboard seasons, which could last 4 months or 6 months. At the end of each season, everyone on the leaderboard might receive an NFT with their rank, earnings, and a design. \n\nIn addition, there are proposals to include badges for various achievements, position numbers, and a \"Low\" column. Adding new contests and features, including private contests, to the leaderboard ranking is also under consideration. Contestants who rank in the top 5 of a contest and receive a reward should have the \"leaderboard\" tag updated on their profiles. \n\nPlease note that while many of these improvements are being considered, the final decision and implementation may take some time. If you have any suggestions or issues, you can reach out through the help desk at https://code4rena.com/help. We also have a suggestion box for users to share their ideas on how to improve the website, leaderboard systems, contest processes, and Discord setup.", "Question: How can the duration and structure of a leaderboard season be determined, and what improvements are under consideration for the leaderboard on CodeArena?\n\nAnswer: The duration of a leaderboard season on CodeArena can be determined in a couple of ways. One suggestion from our community is to have each season last for a specific time period, potentially 4 or 6 months. Another idea is to end each season when a participant reaches a certain earning target, which introduces an element of competition, making each season a race. \n\nImprovements to the leaderboard are under active discussion. 
These include: \na) Having different timelines for the leaderboard such as all-time results, the last 3 months, the last 60 days results (which is the current default setting) or even tracking the last number of contests.\nb) The addition of badges for various achievements, like being a top performer in gas optimizations, or making repeat appearances as an MVP.\nc) Introduction of leaderboard seasons, where at the end of each season, participants on the leaderboard could earn a Non Fungible Token (NFT). This NFT would include metadata of their rank, earnings, and a special design. \n\nChanges being considered also involve showing current year statistics primarily, while still keeping all-time statistics visible. Also, there are talks of creating a leaderboard that showcases the best contestants after each contest.\n\nIt's important to note that points for the 60-day leaderboard are counted from the day of the contest announcement, and may expire 60 days after the contest has ended. The leaderboard gets updated every time awards are announced, however, not all contest types are currently supported. The leaderboard is accessible at https://code423n4.com/leaderboard/.\n\nPlease note that these improvements are currently under consideration and may be subject to changes based on the continuous feedback received from our community and the ongoing evaluation of the development team.", "Q: How are improvements to CodeArena's leaderboard system being considered to provide a more accurate and engaging reflection of user achievements?\n\nA: The CodeArena team is actively considering numerous enhancements to the leaderboard system to better reflect user achievements while keeping it engaging and competitive. A few proposed improvements include:\n\n1. Different timelines for leaderboard rankings, such as all-time and last three months. This allows users to see their progress more dynamically and over different periods.\n\n2. 
The introduction of badges for various achievements, such as gas optimization 'heroes', frequent MVPs, and more. These would provide additional recognition for specific skills and consistent performances.\n\n3. The establishment of leaderboard seasons, where each season lasts a certain period, maybe a year. At the end of each season, everyone on the leaderboard could get an NFT including their rank, earnings, and a design. This adds an extra element of competition and rewards.\n\n4. The addition of position numbers and a low column to the leaderboard for better visibility and understanding of rankings.\n\n5. The creation of a post-contest leaderboard showcasing the best performers of each contest is also being contemplated to highlight the winners.\n\n6. Consideration is being given to including the average percentage of pool awarded as a metric because not all participants engage in every contest due to factors like time constraints or contest preference.\n\n7. In an effort to keep the leaderboard reflective of real-time achievements, the development team is also evaluating changing the leaderboard tracking from the last number of days to the last number of contests.\n\n8. Users in the top 5 of a contest who have received the reward can get a \"leaderboard\" tag updated in their roles, providing additional recognition.\n\n9. Concerns about the impact of required-KYC contests on the leaderboard are being discussed, with differing opinions on its fairness for non-KYC wardens.\n\nThese changes aim to make the leaderboard system more comprehensive, fair, and representative of the user's achievements. Remember, the leaderboard also serves as a key factor in selecting people for RSVP certified jobs, so it's crucial to understand its workings and implications. 
For more details, you can visit the leaderboard at [https://code423n4.com/leaderboard/](https://code423n4.com/leaderboard/) and stay updated with the discussions at [https://github.com/code-423n4/code423n4.com/issues?q=leaderboard](https://github.com/code-423n4/code423n4.com/issues?q=leaderboard).", "Q: How does CodeArena determine and distribute the contest rewards for discovered vulnerabilities, especially in cases of multiple identical submissions, varying severities, or lack of high-risk vulnerabilities?\n\nA: CodeArena determines the contest rewards based on the severity of the discovered vulnerabilities, which are categorized as Non-critical, Low, Medium, and High. Each vulnerability's severity is defined as follows:\n- Non-critical: Pertains to code style, clarity, syntax, versioning, off-chain monitoring (e.g., events), excluding gas-optimizations.\n- Low: These vulnerabilities do not pose a risk to assets. They include issues with state handling, function incorrectness as per specification, issues with comments, etc.\n- Medium: These vulnerabilities do not directly risk assets, but the function of the protocol or its availability could be impacted, possibly leaking value via hypothetical attack paths with stated assumptions, but with external requirements.\n- High: These vulnerabilities can directly or indirectly lead to assets being stolen/lost/compromised if there's a valid non-hypothetical attack path.\n\nThe average award pot for low or non-critical vulnerabilities is usually about 10% of the total prize pool. In case of multiple participants reporting the same vulnerability, all of them receive a share of the bounty; the value of the bug is reduced and split based on the number of people who found it. This is subject to Sybil resistance, and each instance is awarded a share of one point. The level of detail in the submission, like the inclusion of a Proof of Concept (PoC), can also influence the award amount. 
\n\nIf no Medium or High vulnerabilities are discovered during a contest, the remaining funds are divided based on the Quality Assurance (QA) Report curve, which is quite rare. More details on this can be found in the contest reports on the CodeArena website. For instance, a contest with only low vulnerabilities can be found at https://code4rena.com/reports/2021-11-fei.\n\nParticipants are encouraged to reach out to the sponsor team during the contest if they have any questions or believe they've found a vulnerability. However, they must submit the vulnerability via the contest submission form to be eligible for awards. If a vulnerability is found a few days after the contest ends, it should be responsibly disclosed to the development team, but it wouldn't qualify for a reward from CodeArena.\n\nMore information on the awarding process can be found in the website's documentation or in the award script repository.", "Question: What are some potential improvements and further considerations regarding the metrics used in CodeArena contests?\n\nAnswer: There have been numerous suggestions and concerns from our community to improve the metrics used in our contests. \n\nOne such suggestion is to include the average percentage of pool awarded as a metric. This could be useful as not all participants engage in every contest due to various reasons such as time commitments or preferences for the type of contest. \n\nPrivate contests also exist and their participation depends on certain metrics or prerequisites. There's a need to display these data visibly in our leaderboard, and there are features and contests that users would like to see reflected in the leaderboard ranking.\n\nMoreover, the leaderboard should accurately reflect a user's accomplishments, and there is a consideration to indicate the number of participants in a given contest. For this, there was a suggestion to create a new leaderboard displaying the best contestants after the results of the contest. 
\n\nIn terms of achievements, being in the Top 3 in 3 contests or making a high finding could be more stringent criteria for certification+. High-quality and high-quantity findings tend to score better in CodeArena competitions. For more insight, participants can compare their findings with winning reports found at [https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues)\n\nParticipation in contests is recommended for improving skills and teams are also allowed to participate in auditing contests. The platform offers several types of contest rewards, including Scout, Lookout, and Judge awards. \n\nFinally, the process after a contest is completed includes Sponsor Review, Judging, Awarding, and then Reporting, which allows participants to see the results of their submissions. This process enhances transparency and provides participants with significant learning opportunities. \n\nThese potential improvements and suggestions show a promising future for our platform's metrics system and we are actively considering them to ensure fair and worthy recognition of contestants' efforts and skills.", "Question: Where can I find detailed information about the rewards, the incentive model, and the award distribution process on CodeArena?\n\nAnswer: Detailed information about the incentive model, rewards, and the process for their distribution can be found in multiple sections of the CodeArena documentation. The general information about the awards and the incentive model is available at https://docs.code4rena.com/#incentive-model-and-awards and https://docs.code4rena.com/awarding/incentive-model-and-awards. 
\n\nThe guidelines for reward division, including how awards are divided between grade A and grade B for QA and Gas reports, and the reward distribution in case only one High and one Medium issue are found in contests, can be found at https://docs.code4rena.com/incentive-model-and-awards.\n\nFor specific details on how to create an invoice for the rewards received from a contest, you can refer to the bottom of this page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions.\n\nFor inquiries about a specific contest, you can address your questions to the respective sponsor. More information about the judging and payout timelines after a contest ends can be found at https://docs.code4rena.com/structure/our-process.\n\nPlease note that the awards for the contests are announced separately from the disbursement of funds, which is done manually and is usually batched for several contests at once. The awards list for each contest can be found in the announcements channel. The community suggested splitting the 'Awarding' announcement into 'Awarding' and 'Paid' sections for increased clarity.\n\nIt is also noteworthy that each team determines how to split their portion of a contest's reward amongst themselves. The process for running an audit contest, and the operational details and pricing, are also essential aspects of understanding the awarding system. The rewarding formula, including aspects about the findings count and partial credits, is also part of the system.\n\nLastly, participants are advised to stay updated with the announcements, as more information about the \"Audit summary awards\" and the rewarding formula for the mitigation contest would be shared before the respective contests start.", "Question: Has the status of the streaming protocol contest changed, and where can I find more information about it?\n\nAnswer: Yes, the streaming protocol contest was postponed and is now scheduled to begin on 11/30. 
More contract details about the contest can be found on the contest page on the Code4rena website [here](https://code4rena.com/contests/2021-11-streaming-protocol-contest). Please note that delays in contests can sometimes occur due to factors related to the protocol itself, and not just from the judge. Sponsors also contribute to contest delays at times. You can contact someone from the streams' protocol team if you need more clarification. Furthermore, it's important to note that there can sometimes be gaps in the schedule for live contests, and upcoming contests might not always be updated on the specific channels. You can always check the [Code4rena website](https://code4rena.com/) for the most current information about contests.", "Question: How can I update my submission on the CodeArena platform?\n\nAnswer: You can update your submissions on the CodeArena platform by following these steps:\n\n1. Navigate to the contest page corresponding to your submission. For example, the Ethos Reserve contest page can be found here: https://code4rena.com/contests/2023-02-ethos-reserve-contest.\n2. Click on the \"Your Findings\" button on the contest page. This will allow you to view, edit, or withdraw your submission.\n3. After making necessary changes, ensure to save your updates. \n\nPlease note that you can only update your submissions as long as the contest has not yet ended. If you submit a correct bug issue with an incorrect proposed solution, you have the chance to update the submission before the contest ends. However, the severity of issues can be updated post-submission by judges. \n\nIf you wish to cancel a submission and create another one, you can do so by withdrawing the findings under the \"Your Findings\" section on the contest page. 
\n\nFor future reference, we have outlined the steps for how to edit submissions in our announcement here: https://discord.com/channels/810916927919620096/810929015509483554/1002648649135824906.\n\nRemember, you can always send a direct message to one of the identified individuals if you need further assistance.", "Question: What is the timeline and process for the announcement and distribution of awards for CodeArena contests like Fairside?\n\nAnswer: The timeline for the announcement and distribution of awards for CodeArena contests, including Fairside, involves several steps and can vary. It typically starts with the review of findings immediately after the contest ends, which includes a sponsor's review and judging process. This process could take from 2 weeks to over 6 weeks depending on the contest. Once the awards are announced, they are usually distributed within 1-2 weeks. The awards are typically processed on Mondays or Tuesdays in a weekly standing meeting. Participants can apply for backstage access as soon as the contest results are published on the leaderboard, which usually happens shortly after the awards are announced. The specific dates of these events, including the announcement of Fairside awards, can be found in our announcements channel. Please note that all awards are distributed on the Polygon network. If you have participated in a contest and have not received your award within the mentioned timeline, please inquire about the progress and schedule in our contest channel or directly contact the wardens.", "Question: When can I expect the audit reports following a competition to be released and where can I find them?\n \nAnswer: Audit reports for competitions are typically published after a series of stages: the contest's conclusion, sponsor reviews, judging, and awarding. This process can take anywhere between 2 weeks to over 6 weeks, with an average turnaround time of about a month. 
However, the precise timing can vary widely and is dependent on the speed of sponsor review and final judging. Reports are generally reviewed and triaged immediately after a contest ends by judges, and then they await sponsor review, final judging, and Quality Assurance before being made public.\n\nFindings from reports remain private until they are published. Once published, participants can review the submissions for a contest, and all contestants receive confirmation via email when the reports they submitted during the competition are published. It is important to note that findings submitted for contests may not always make it to the final report for various reasons. \n\nYou can check for audit reports and upcoming audit contests on the company's website, code423n4.com. The website does not track the dates awards are distributed, but it does build the leaderboard based on the dates of the audits themselves. Furthermore, certified+ wardens are able to view the findings repo immediately after a contest ends. \n\nFor more specific reports, the Biconomy Hyphen 2.0 contest's audit results are currently in review and expected to be published in the coming weeks. However, the audit report for the Yaxis project may take a bit longer to be released due to a high participation rate and numerous submissions to review. \n\nThe term \"Audit summary awards\" has also been referenced, promising more information to be shared prior to the contest start. This suggests there may be additional recognition or rewards for notable findings or participation.\n\nPlease note that this process and timing are subject to change as efforts are being made to decrease the turnaround time from audit competition to the release of reports.", "Question: How can I manage, edit, or delete my submitted issue in CodeArena?\n\nAnswer: If you need to make changes to a submitted issue, you have the option to edit your submission. 
This can be useful for instance, if you accidentally pasted too much information in an issue that shouldn't be publicly available. When you edit an issue, the initial (pre-edited) issue may still be publicly available in the edit history, so it's advised to be cautious with the information you initially include. \n\nIf you wish to reference a previously submitted issue, you can do so by writing # followed by the issue ID in your new submission. In order to view the ID of a submitted issue, you'll need to edit it and you'll see an ID at the end of the URL. \n\nIf you've noticed the same issue occurring multiple times in a code, it is recommended to report these as one single issue and provide context for each instance. You can find guidance on dealing with multiple occurrences of the same issue in a discussion at [this link](https://github.com/code-423n4/org/issues/8). \n\nIn case you have submitted an issue and later notice a higher severity bug or wish to make a different submission, you can withdraw your old issue. For this, you'll need to submit a help desk request at code4arena.com/help requesting the removal of the original submission, then you can make your new submission. \n\nPlease note that you can only submit one QA issue, but you can edit the existing submission if you find another error. If you have any unresolved issues, or need assistance with the status of your submission, you can create a help desk request. \n\nIn case you find the 'create-issue' button not working, it is also recommended to send a help desk request. If you are unsure about your submission or its status, you can review issues before they are reported. 
\n\nRemember, there is no incentive for being the first to submit an issue, the focus should be on the quality of your submission.", "Question: What should I do if I used someone else's handle for my submission and how can I prevent this from happening again?\n\nAnswer: Using someone else's handle while submitting findings is not advised. Findings may be credited to the wrong person if you use someone else's handle and could potentially impact leaderboard standings. If this happens, you should complete the Warden registration process and then contact someone from our team to attempt to correct the issue. \n\nIf you are part of a team, team members can make submissions on behalf of their teams and can select either their solo handle or team handle when submitting a finding. \n\nTo prevent this from happening, ensure that you have your own handle registered. Handles can be added to the code423n4.com repository at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles, and it can be any handle, not just Github or Gab. This handle is used for the leaderboard on code423n4.com and for handling award processing. Review and make a pull request for your handle to participate in contests. \n\nFurthermore, you could link your C4 handle with your Twitter handle by completing a help desk request. Handle registration is mandatory to submit something and it's only for the leaderboard. \n\nIn case you are facing issues with handle creation or submission process, you can submit a help request. Also, please note that changing the handle itself is currently not advised as it may cause issues with past or ongoing contests. However, there are plans to enable the same handle using different wallets in a single contest. Please also remember that leaderboard standings and submissions under the previous handle are not transferable to the new account. 
\n\nLastly, you can find your findings in a GitHub repository by searching for your handle to ensure they have been correctly credited to you.", "Question: Can I change my handle or wallet address on CodeArena without affecting my rewards and standings in contests?\n\nAnswer: Changing your handle or wallet address on CodeArena is possible, but it can be complex due to current design decisions and can potentially affect your leaderboard standings and contest submissions. Awards are typically linked with one handle and one wallet address per contest. Any changes to the handle or wallet might result in findings or rewards being credited to the wrong person. \n\nIf you want to change your handle, it is advised to complete Warden registration, note down your findings and then contact a team member to switch the finding to your new handle. However, at present, submissions and standings from your old handle won't be transferred to your new one. \n\nIn terms of changing your wallet address, you can certainly use a new wallet address in your reports moving forward, and the rewards for the report will then be distributed to the new address. More information about changing your wallet address can be found here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards. \n\nPlease be aware that once contest payouts have been sent, the outcome cannot be changed, although any overlooked issues can be flagged to the judge and sponsor. If your wallet is hacked and you need to change your payment address, submit a request through the Help Desk at https://code4rena.com/help, provided you log in using the same wallet.\n\nIt's important to note that ongoing improvements in the platform are being made to address these issues. For example, there are plans to allow the use of one handle with different wallets in the same contest. 
Additionally, if you need to update your wallet address after a finding has been submitted and before the reward payout, you can do so by submitting a request through the Help Desk.\n\nRemember, your handle is not just for Github or Gab, but can be added to the code423n4.com repository, and it's used for the leaderboard and processing awards.\n", "Q: I'm no longer receiving email receipts for contest findings I am submitting. What could be the issue and what steps can I take?\n\nA: There could be several reasons for this issue. Firstly, it could be related to issues with Github, as indicated by this [link](https://www.githubstatus.com/incidents/r5qrpp2f5fc0). You could wait for Github to fix the issue or switch to using a different email if the problem persists.\n\nIf you submitted findings to a contest (like the Escher contest) and see 'No findings submitted for this contest' despite having submitted your findings, it might mean that your submission has not been successful. Upon successful submission of entries in the contest, you should receive a mail copy of the form as the only confirmation. If you did not make the award list, it's likely that your issues were rejected, and you can confirm this by reviewing the available report.\n\nSometimes, it might take some time for a submission of a finding to be confirmed via email. However, if the submission fails, the form should return an error.\n\nPlease also check your spam folder as there have been instances where the confirmation emails have ended up there instead of the main inbox. If you still do not receive an email after submitting a finding, you can open a help desk request at https://code4rena.com/help/.\n\nNote that you can check the status of your report submission by looking out for a confirmation email and also by checking the ability to edit your submitted findings on the C4 Contest page under the \"Findings\" tab. You can also retract your submissions under the same tab if needed. 
If you'd like to view the submissions of others after a contest finishes, you can do so on the contest page as well.", "Question: I have submitted an issue under a different handle. What steps should I take to correct this?\n\nAnswer: If you have submitted an issue under a different handle, the following steps should be taken to correct this:\n\n1. Note down your findings in detail.\n2. Complete Warden registration if you haven't already done so. \n3. You can then create a team handle by submitting a Pull Request (PR) on GitHub. You can find guidance on how to do this here: https://github.com/code-423n4/code423n4.com/tree/main/_data/handles.\n4. If you are part of a team, you can make submissions either with your solo handle or team handle.\n5. If you have accidentally submitted an analysis from a personal account instead of a team account, resubmit it from the team's account.\n6. After resubmitting, submit a help desk request to withdraw the incorrectly submitted analysis using this link: https://code4rena.com/help.\n7. If you have submitted your findings to the wrong contest, you should re-submit them to the correct contest and fill out a form to let the C4 staff know about the incorrect submissions.\n8. Keep in mind that changing the handle itself is not advised as it may cause issues with past/ongoing contests. \n\nRemember that all submissions, regardless of the type and severity of the bugs found, should be made separately. If an issue involves many lines changed, you can send a git patch or a PR to the repo. \n\nFor any unresolved issues or concerns, always feel free to submit help desk requests through https://code4rena.com/help.", "Q: I'm a beginner interested in smart contract auditing, what learning resources and strategies would you recommend to help me get started?\n\nA: As a beginner in smart contract auditing, there are a number of resources you can explore to further your understanding in this field. 
You can start with [@cmichel's guide](https://cmichel.io/how-to-become-a-smart-contract-auditor/) on how to become a smart contract auditor, which provides comprehensive coverage of the topic. Other recommended resources include [Code4rena's education section](https://docs.code4rena.com/roles/wardens/tools-and-resources) and the [#\ud83c\udfebeducation channel](https://discord.com/channels/CodeArena/education) in our Discord chatroom. \n\nFor understanding solidity and practicing your skills, websites like [Cryptozombies.io](https://cryptozombies.io/) for solidity and [Capture the Ether](https://capturetheether.com/) for Capture the Flag challenges can be beneficial. You can also gain practical experience by analyzing old audit reports such as those available at [ChainSecurity](https://chainsecurity.com/audits/). \n\nMoreover, platforms like [CodeArena](https://code4rena.com/), [ImmuneFi](https://immunefi.com/), [SpearBit](https://spearbit.com/), and [Hats.finance](https://hats.finance/) run contests or offer rewards for auditing smart contracts, which could provide practical experience and potential earnings.\n\nYouTube is another platform where you can find helpful videos for beginners, such as this [video explaining aspects of contract auditing](https://www.youtube.com/watch?v=wCD3fOlsGc4) and another channel suggested for learning about [math and accountings in solidity projects](https://www.youtube.com/@smartcontractprogrammer).\n\nFinally, joining conversations and discussions in smart contract auditing communities such as ours can help you understand common challenges, learn from others' experiences, and get advice on career decisions related to this field, for example, the choice of focusing on smart contract auditing as a full-time career or as a side project.", "Question: How can I locate the contest findings and submissions on CodeArena's GitHub?\n\nAnswer: All the contest findings and submissions, both past and current, can be found in CodeArena's 
GitHub repositories. You can start from the [Code4rena website](https://code4rena.com/reports) where all the issues link to the corresponding GitHub issues. The findings from contests are posted in the same section where contests are posted.\n\nThe GitHub repositories that hold these findings and submissions end with the suffix '-findings'. For example, you can check out one such repository at [https://github.com/code-423n4/2022-04-backed-findings](https://github.com/code-423n4/2022-04-backed-findings). \n\nFurther detailed information like the scoring breakdowns, the judging criteria, and specific issue discussions can also be found on GitHub. For instance, the scoring breakdowns for past contests can be viewed [here](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv), and the judging criteria can be found [here](https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md).\n\nYou can also view the findings in a .csv format [here](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv), which can be cross-referenced with the contest report. If you've participated in a contest, you can find your submissions in the relevant GitHub repository once the contest report is published.\n\nPlease note that while there is a [GitHub template](https://github.com/code-423n4/code-contests/blob/4db2720312f0958f2e89f6207a6774c9e5360655/SUBMISSION_TEMPLATE.md) for submissions, it's outdated and not updated anymore. We advise you to submit findings using the \"Submit finding\" button of the specific contest on the main page, each finding separately.\n\nIn case of any inconsistencies or issues, you may discuss and report them in the 'issues' section of the organization's [Github repository](https://github.com/code-423n4/org/issues).", "Question: Can you provide more detail about the \"gov-wg\" (Governance Working Group) at CodeArena?\n\nAnswer: Certainly! 
The \"gov-wg\" is a Governance Working Group established by CodeArena to create a Decentralized Autonomous Organization (DAO) structure. This group is not intended as mentorship, rather it provides input on creating such an initiative. The working group also plays a role in various processes that Certified Wardens engage in through a private channel. You might also be interested in exploring an OpenZeppelin webinar on governance mechanisms and best practices to learn more about working groups and governance frameworks. The first video in their series can be accessed [here](https://youtu.be/6GaCt_lM_ak). Please note that the severity of any issues or attacks made by the governance can vary, typically depending on the judge's perspective and assuming the governance to be a trusted party.", "Question: Can you provide more clarity regarding the reasons why my submission was marked as disputed, while another similar issue was accepted and what steps can I take if I disagree with the decision?\n\nAnswer: Yes, we understand your concern. Both submissions, https://github.com/code-423n4/2021-10-slingshot-findings/issues/21 and https://github.com/code-423n4/2021-10-slingshot-findings/issues/82, were out of scope because the issues were already described in the documentation, and hence, not considered valid. Any issue already detailed in the documentation is not typically accepted as a new finding. \n\nThe CodeArena process includes a review period where you can dispute the decision if you disagree with it. If you believe a discrepancy occurred in the judging process, or if there's a lack of clarity in the rules, you can review and comment on existing issues, or open a new issue at https://github.com/code-423n4/org/issues. It's important to provide as much detail as possible, including any similarities or differences between the disputed and accepted issues. 
\n\nAlso, we encourage you to take a look at our judging criteria for duplicate submissions at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions, to understand how we handle such cases.\n\nRemember, reviewing the findings of previous contests and understanding why certain findings were or were not accepted could help improve your future submissions. You can review past submissions in any repository ending with -findings on the CodeArena GitHub: https://github.com/code-423n4. You may also check out our 'known issues' policy at https://github.com/code-423n4/org/discussions/50, to understand more about what constitutes a valid issue.\n\nLastly, if there are any unresolved concerns about the contest process, results, or submission guidelines, feel free to raise them in the 'issues' section of our GitHub repository at https://github.com/code-423n4/org/issues. We value your participation and are always open to feedback to improve our process.", "Question: I noticed a discrepancy in the contracts mentioned in the contest https://code4rena.com/contests/2021-11-streaming-protocol-contest and the repository https://github.com/code-423n4/2021-11-streaming/tree/main/Streaming/src. Can you clarify what contracts are involved in this contest and where to find them in the repository?\n\nAnswer: Absolutely, let's clear up that confusion. This contest involves three contracts: StreamFactory, Stream, and LockeERC20. You noticed that in the provided repository, you can only see Locke and LockeERC20. The fact is, all the contracts for this contest are housed within the locke.sol file. This includes the StreamFactory and Stream contracts in addition to LockeERC20. \n\nOur GitHub public repositories for Code4rena, including this one, are all located under the live contests section on the Code4rena website. They are a crucial resource for contest participants. 
So, for this and future contests, you should always refer to the specific contest's repository for detailed information about the contracts in question. \n\nIt's also important to note that sometimes there might be discrepancies between the number of lines of code (LOC) mentioned in the README.md and the actual lines in the contract files, as it was noticed in other repositories like the Sherlock finance's repo. If you ever spot inconsistencies like this, feel free to raise your concerns in our Discord chatroom.\n\nRemember that CodeArena runs contests for analyzing smart contracts, which involves auditing the provided code for vulnerabilities. So, understanding the scope of the audit and where to find the correct files is key to participating effectively.", "Q: How do I add screenshots and other proofs in my vulnerability report for CodeArena?\n\nA: You can include screenshots or other proofs to your vulnerability report in a number of ways. You can use Markdown to embed images that are hosted remotely. This can be done by creating an issue on a private repository, adding your images there, and then copying the markdown snippet with the CDN URL. You can find more guidance on how to do this here: https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images.\n\nIn addition to screenshots, you can also include links to the affected code on Github. If you've created a Proof of Concept (POC) script for a vulnerability, you can include the link to this script in your submission. The report should be pasted in the \"Vulnerability details\" section in .md format. \n\nAn alternative method to add images to your report is by registering a free account on https://cloudinary.com/, uploading your image there, and then copying the image URL. \n\nHowever, please note that including screenshots in your report is generally not recommended as they can pose a security issue. 
Also, if you submit a report, you have the option to edit it later for additional details or context. \n\nCreating a well-detailed report is crucial. Your report should contain the issue, a detailed description, a Proof of Concept if possible, and mitigation methods if necessary. If you find a vulnerability difficult to fix without major changes to the protocol, it's still important to report it. Recommendations on how to fix it are appreciated, but not required. \n\nRemember that the process for reporting vulnerabilities involves sending a direct message to a specific individual or emailing the issue to security@code4rena.com. If in doubt, you can directly message the project team about a potential vulnerability.", "Question: How are gas optimization findings evaluated and rewarded in CodeArena contests?\n\nAnswer: Gas optimizations in CodeArena contests are evaluated and rewarded from a separate award pool. This pool is specified on both the C4 website and each contest's individual page. All valid gas optimization findings share equal weight, meaning a significant improvement in an important function isn't necessarily valued higher than a smaller improvement in a less important function. \n\nWhen submitting a gas optimization report, it is beneficial to specify how much gas is saved with each optimization, though this depends on the judge's discretion. The report can include multiple ideas about gas optimization, and these can be written separately before being merged into one report. \n\nIt is important to note that not all gas optimization findings are valid when the optimizer is enabled, which can cause some confusion. When the optimizer is disabled, however, all gas optimization findings are valid. This has led to some users questioning the validity of certain findings. \n\nThe gas optimization pool is shared among the reporters and is awarded based on the score of each gas report. 
The typical award is around 5% of the prize pool, though this can vary depending on the importance of gas savings to the project sponsor. \n\nFor further clarification and details about how gas optimization findings are rewarded, you can refer to the C4 documentation: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic.", "Question: How is the gas optimization pool awarded and managed in CodeArena competitions?\n\nAnswer: In CodeArena competitions, all valid gas optimization findings are weighted the same within the gas pool. These reports are judged as either valid or invalid, and no further weighting is applied. However, it is suggested that the amount of gas saved for each finding may be mentioned. The gas optimization pool is shared among the participants and is awarded based on the score of each gas report as outlined in CodeArena's [curve logic documentation](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic). \n\nA participant can only submit one gas optimization report per contest. If they have additional findings, these should be added to the existing report. This can be done by navigating to the contest page and clicking the 'Your Findings' button. The existing gas report can also be changed under \"your findings\" on the contest details page.\n\nThe amount awarded for gas optimization reports is usually 5% of the prize pool. This percentage, however, can be altered by sponsors based on the importance of gas savings to their project. More details about the average payout for gas optimization findings can be found in the findings.csv file on the C4's website repository. \n\nThere's also an award formula for gas and QA reports at CodeArena: Grade A reports count as 2 shares, Grade B as 1, and the best report receiving a 30% bonus. It's worth noting that a finding that is relevant to both QA and gas savings can be included in either report, and the judges will decide where it best fits. 
The validity and calculation of awards for gas optimization reports are based on this formula and the judges' decisions. \n\nIn terms of gas measurements, the gas cost in the foundry is measured in units of gas. Finally, bot-generated reports should theoretically include all kinds of findings, including high, medium, low, non-critical, and gas-related issues.", "Question: What should I expect for CodeArena's schedule over the Christmas season, including any expected downtime, rewards distribution, contest schedules, and support availability?\n\nAnswer: Yes, the details about the schedule over Christmas and the expected downtime can be found here: https://discord.com/channels/810916927919620096/810929015509483554/908791439771725854. Please note that the system has been under heavy load recently, so there might be some delays in processing data. This includes the distribution of rewards, which has been a topic of discussion, and it was indicated that more rewards are expected before the Christmas break.\n\nLive contests may experience gaps in the schedule during this time, and the timing for the next audit event or contest could be affected. Customer support requests might also experience delays due to the holiday season. Upcoming office hours will be shared in the C4 rollup in our announcements. Please note that staffing hours may vary, and we're looking into hiring for additional timezone coverage to better serve our community.\n\nThe announcement and distribution of awards are discussed and planned accordingly, with potential delays due to the recent heavy load on the system and the holiday season. Furthermore, it's important to note that the timing of contests depends on the needs of our customers, and sometimes, sponsorship of contests. \n\nLastly, there have been some delays in bounty payments due to the holidays. We are working hard to reduce turnaround times and appreciate your patience during this busy period. 
For any status updates, you can create a help desk request.", "Question: How does CodeArena schedule contests around holidays and what can participants expect about reward distributions and staffing hours?\n\nAnswer: CodeArena follows a client-centric approach for scheduling contests, which means the timing and needs of the customer play a crucial role in determining the schedule. However, it is important to note that there may be gaps or pauses in the contest schedule around holidays like Christmas or Thanksgiving, or during big conferences. Also, it's worth mentioning that CodeArena does not typically operate on weekends.\n\nDuring busy times, such as the ethcc event, the date for the next community call or contest might be delayed until after a period of regrouping. The streaming protocol contest, for instance, was postponed to 11/30 due to heavy system load.\n\nAs for reward distributions, they are planned to be completed by the weekend and are likely to be sent out the following week. It is, however, a worst-case scenario for participants to expect rewards two months after the end of a competition. Reducing turnaround times is a high priority for CodeArena.\n\nRegarding staffing hours, they are primarily U.S.-based. To cater to different time zones, there is a mention of hiring for additional coverage. Office hours are announced in the C4 rollup and an office hours session is usually posted on YouTube early the following week.\n\nPlease note, for any specific changes or updates related to the schedule, office hours, or contests, refer to the C4 rollup in our announcements on our Discord channel: https://discord.com/channels/810916927919620096/810929015509483554/908791439771725854\n\nPlease also note, the future contests might require an RSVP, the updates about which can be checked on the respective RSVP channels. 
We anticipate a number of new contests in the coming month, so stay tuned!", "Question: How can I contact members of the streams' protocol team or CodeArena staff for clarification during a contest?\n\nAnswer: During a contest, you have various options to seek clarification or ask questions. For general inquiries, you can use the specific contest channel on our Discord. For example, if there's a question related to a streaming protocol contest, you can go to https://code4rena.com/contests/2021-11-streaming-protocol-contest for contest details and to ask questions. \n\nIf your question is specific, or you need to discuss potential issues with the sponsor while the contest is ongoing, it is encouraged to direct message (DM) the designated contacts from the sponsor teams, or a member of the CodeArena (C4) staff. \n\nKeep in mind, if your question involves a security issue related to one of the contests, you can submit a help request at https://code4rena.com/help. Any queries related to profile help should be directed to the #profile-help channel on Discord. \n\nLastly, you can privately ask questions and receive guidance on more fragile aspects of the system if necessary. The CodeArena team and the sponsors aim to provide the necessary support and guidance for all participants throughout the contest.", "Question: What is the process to handle a source code leak and how do you report potential vulnerabilities in the code?\n\nAnswer: Code4Arena follows a process to handle a source code leak which includes the option to fork a project and deploy the same code. However, user interaction is generally low unless the team endorses it. When it comes to reporting potential vulnerabilities, users typically showcase the places of vulnerability in two ways: 1) Providing a URL to the repository with a line inner in the text, and 2) Providing a solidity code block. It's recommended to include both in the report. 
\n\nIf a single line of code has multiple ways of exploitation, it is advised to report all the bugs but prioritize the one with the biggest impact. If the same vulnerability is found in multiple different components of the codebase, it might count as two separate findings, but it's ultimately the judge's call to determine if they're duplicates. \n\nParticipants can submit reports on vulnerabilities and attach screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected code. If participants have a code that runs a proof of concept for each bug, they can add a zip file to the submission or share a private Github repository. However, it's recommended to use a private gist to avoid vulnerability exposure risk. \n\nIf a vulnerability is found in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding or the project can be directly messaged. A user can also make a \"secret gist\" to show a code example without being disqualified for disclosing a problem. \n\nReporting vulnerabilities impacting the Code4rena's webapp involves sending a direct message to a specific individual or emailing the issue to security@code4rena.com. Newcomers are advised to make one report and reference related issues in it. Code4rena encourages participants to reach out to the sponsor team during the contest if they need to ask questions. Disclosing a vulnerability directly to them is possible, but it needs to be submitted via the contest submission form to be eligible for awards.\n\nMore information can be found in the instructions on sharing vulnerability discovery PoCs at https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerability-discovery-poc and the submission policy at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept. 
There's also a responsible disclosure guideline recommended for reading at https://github.com/RD-Crypto-Spec/Responsible-Disclosure#the-standard.", "Q: Why am I not seeing any specific channels or contests, even after using the link provided?\n\nA: The ability to see and access certain channels, such as contest channels or team-formation channels, requires the 'warden' role. In order to obtain this role, you will need to fill out a form on our website (link not provided in chat history). Upon completion, make your role request known in the #\ud83d\udc3ai-want-to-be-a-warden channel on Discord. \n\nPlease bear in mind that even after acquiring the warden role, there may be cases where some contests are not visible immediately. This may be due to updates for upcoming contests not being reflected on the specific channels yet. You can check the #\u270brsvp channel and #\ud83d\udce2announcements for information about upcoming contests and updates.\n\nThere have also been instances where links to the repositories in the contests or to our website have not worked due to errors or DNS issues. If you encounter a \"page not found\" error or other issues while accessing links, it might be a temporary problem on our end.\n\nLastly, it's important to note that some channels serve specific purposes. For instance, the #\ud83d\udcbci-want-c4-to-audit-our-code is for those who want to become sponsors and #\ud83c\udfebeducation channel is a good source for educational information. The #\ud83d\udd06hm channel does not concern findings in a contest. Ensure you're trying to access the right channel for your needs. 
\n\nIf these steps don't resolve your issue, or if you're having trouble registering as a warden, please let us know so we can assist you further.", "Question: What tools are commonly used to generate output for smart contract audits and how can I optimize the reporting process?\n\nAnswer: There are several tools available that our community uses to generate output for smart contract audits. The most commonly mentioned tool is Slither. Others include Hardhat, Foundry for generating a gas report, and cloc, a tool that calculates lines of code. Additionally, tools like the CodeArena Report Generator and the C4audit output tool, available at https://github.com/Picodes/4naly3er, are used for automated findings. \n\nThe platform also hosts a work-in-progress tool for running audits at https://github.com/HardlyCodeMan/audit_helper/. For contest-related information, you can use https://github.com/sseefried/c4-stats. \n\nIt's important to note that automated findings are ineligible for rewards, as detailed at: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible. Users utilizing automated tools for attack findings carry a higher burden of proof. More details on this can be found at https://github.com/code-423n4/org/discussions/50.\n\nFor improving the presentation of your reports, Markdown and hackmd are popular choices. You can also use Visual Studio's preview tool or a tool available at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers to format your report with line numbers and code snippets.\n\nHowever, it's crucial to provide context to your findings rather than directly pasting tool outputs. 
If you are looking to display mathematical expressions in your reports, you may have to use a different approach, since the GitHub findings repo might not display these correctly.\n\nLastly, if you are interested in building tools or platforms for CodeArena, C4 grants are available, particularly for projects that can improve the reporting process or display results for job hunting.", "Q: What are the guidelines and incentives for wardens to submit non-critical vulnerabilities? \n\nA: While there is no direct financial incentive for wardens to submit non-critical vulnerabilities, such submissions can still benefit the sponsor by improving the quality of the contract. In addition, wardens are advised to assess the severity of the issues based on guidelines mentioned at https://code423n4.com/judging-criteria/. If an issue initially identified as non-critical can lead to a high severity finding, it could be reported again during the contest by a warden and could be awarded with the higher severity. \n\nMoreover, the more wardens find the same issue, the less money each warden receives for this issue, as detailed in our incentive model and awards section: https://docs.code4rena.com/incentive-model-and-awards. This is regardless of the order in which the issues are submitted. Similarly, if two people submit the same issue using the same warden but different wallets, each person receives less than half of the reward.\n\nWardens are also encouraged to review other warden's submissions on GitHub to learn from marked and invalid cases, and backstage access is open to certified wardens with a certain level of established contribution. The submission guidelines for wardens are available at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. 
\n\nAll these factors contribute to a culture of trust and collaboration between wardens and sponsors, despite the potential for misuse of disclosed vulnerabilities.", "Question: If I discover two separate vulnerabilities that can be combined for a more powerful exploit, how should this be addressed in the submission?\n\nAnswer: CodeArena encourages users to provide thorough and detailed reports. If you uncover two independent vulnerabilities that create a more potent issue when combined, we recommend that you report each vulnerability separately as well as submit a third finding explaining the combined proof of concept (PoC). \nIn this third report, you should clearly describe the vulnerability and its impact on the protocol or code in the impact section. The PoC section should contain the lines from code or GitHub, or you can add a test which is written as an exploit. You can reference this example of how to present a PoC at https://github.com/code-423n4/2022-12-caviar-findings/issues/376.\nRemember, the impact of a vulnerability will determine its severity, and while it is important to report all discovered vulnerabilities, priority should be given to the one with the highest impact. If you have written a PoC script, it would be beneficial to include the link in your submission, but be aware that a vulnerability without a PoC can still potentially be rewarded if the process is clearly described.\nPlease note, if the same vulnerability is found within different components of the codebase, this may count as separate findings unless they are deemed duplicates by the judge. Multiple instances of the same vulnerability should be reported as one issue. Also, please be cautious when using automated tools for attack findings, as there is a higher burden of proof required. More information on this can be found at https://github.com/code-423n4/org/discussions/50. 
Lastly, if you have privacy concerns about public exposure of vulnerabilities during the PoC creation, consider using a private gist.", "Question: What is the process after I submit a finding for a contest and should I expect any confirmation?\n\nAnswer: Once a finding is submitted for a contest through the form on our website, you should expect a confirmation via email. This email serves as your initial confirmation. You can also view your submitted findings on the C4 Contest page under the \"Findings\" tab. After the contest ends, the review process for findings begins, including sponsor review, judging, and final reporting. The status of your report can be tracked and any edits can be made by navigating to the contest page and clicking on the 'your findings' button. The final confirmation of whether issues submitted were accepted or not is available when the final report is generated or when you qualify to be Backstage. Please note that it may take some time for the submission to be confirmed via email, and if the submission fails, the form should return an error. If you have any questions about the process or your submission, you can always ask in our Discord chatroom. Be aware that findings from the contest are made public and posted in the section where Contests are posted after the report is published and the findings' repository is made public.", "Question: Where can I find Cosmos-related learning resources and information about becoming a potential Warden at CodeArena?\n\nAnswer: As a new participant interested in becoming a Warden at CodeArena, there are several resources to help you get started. For Cosmos-related learning, we recommend checking out the Cosmos course available at [https://academy.terra.money/courses/cosmwasm-smart-contracts-i](https://academy.terra.money/courses/cosmwasm-smart-contracts-i). 
You can also explore the dedicated Cosmos section on CodeArena at [https://code4rena.com/cosmos](https://code4rena.com/cosmos).\n\nTo learn about smart contract auditing and the role of a Warden, check out the following resources: [https://cmichel.io/how-to-become-a-smart-contract-auditor/](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and [https://docs.code4rena.com/roles/wardens/tools-and-resources](https://docs.code4rena.com/roles/wardens/tools-and-resources). \n\nIf you aspire to become a certified Warden, detailed information about the process can be found at [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors). You can apply for the certified warden role at [https://code4rena.com/certified-contributor-application](https://code4rena.com/certified-contributor-application).\n\nFor additional support, join our Discord community via this link: [https://discord.com/channels/810916927919620096/810931711609143326/1092556195337863309](https://discord.com/channels/810916927919620096/810931711609143326/1092556195337863309). Here, you can engage with other Wardens, participate in discussions, and ask any questions you may have.", "Question: How and where should I add my Polygon address to receive my funds in USDC on the Polygon network?\n\nAnswer: You should add your Polygon address in your CodeArena account. Rewards for contests are paid out in USDC but they are sent through the Polygon network, not the Ethereum network. You can switch your network in MetaMask to Polygon Mainnet, copy your public keys, and paste them into CodeArena. To view your tokens, you can monitor your address on the Polygon network at https://polygonscan.com/address/. If you wish to move your funds back to the Ethereum Mainnet, you can use the Polygon bridge available at https://wallet.polygon.technology/. Remember, regardless of your wallet settings, the funds will be sent to the address you have provided. 
However, to move your funds, you'll need to send a transaction on the Polygon network. Please also bear in mind that the conversion process from Polygon Token to EUR can be done through the MetaMask bridge and Coinbase. Additionally, be aware that withdrawals from the Polygon to the Ethereum network will require both Matic and Eth if using the Polygon bridge. However, if using the Hop Bridge, only Matic is needed but you will receive less USDC on the Ethereum Mainnet.", "Question: How do I manage and monitor my tokens on the Polygon network using MetaMask and what should I do if I encounter issues?\n\nAnswer: To manage and monitor your tokens on the Polygon network, you first need to switch the network in your MetaMask to Polygon Mainnet. MetaMask should be able to display the tokens in your address when you swap networks to Polygon. However, if they don't appear automatically, you can manually add them. \n\nOnce you've switched networks, copy your public keys and paste them into your Code4rena account. You can monitor your tokens using this link: https://polygonscan.com/address/. \n\nIf you want to move your funds back to the Ethereum mainnet, you can use the Polygon Bridge: https://wallet.polygon.technology/. You can also swap gas without a fee at this location: https://wallet.polygon.technology/polygon/gas-swap. \n\nRewards from Code4rena are sent to your Polygon address, not your Ethereum address. To receive these rewards, make sure to register your handle and Ethereum address, and fill in the field for the Polygon address when you submit your findings. \n\nYou can also bridge from Polygon to Ethereum and withdraw USDC on Coinbase. 
This requires both Matic and Eth if using the Polygon bridge; however, if you use the Hop Bridge, only Matic is needed, but you will receive less USDC on the Ethereum Mainnet.\n\nIn the event where you encounter issues such as seeing a zero balance in your MetaMask wallet despite there being a hash on the polygon scan with your address, you might need to add USDC on the Polygon network to your wallet. \n\nIf you want to send tokens from the Polygon network to the BNB network, Binance can be used as a platform. Please note that sending or transferring coins from a wallet requires Matic to pay the fee. \n\nRemember, regardless of wallet settings, funds will be sent to the user's address and the user controls the key to that address. To move the funds, you need to send a transaction on the Polygon network.", "Question: Can you provide an update on the release of Badgerdao ibBTC payments?\n\nAnswer: As of the latest update, the payment for the Badgerdao ibBTC has not yet been released. A participant was announced as the winner of a small USDC prize on December 6th, and this payment will be made on the Polygon network. The delay in the payout might be attributed to the holidays, as mentioned in some chatroom discussions. C4, being a DAO, does sometimes experience delays due to the requirement of multiple signatures on multisig wallets before funds can be released. However, it's worth noting that plans are underway to automate the process and distribute awards via smart contract in the future. If you have a report that has been accepted, you can expect USDC to start flowing into your wallet once the distribution process begins. 
Please note that sometimes there are instances where rewards for a contest have not yet been paid out to participants, but rest assured that all rewards will be settled according to schedule.", "Question: How can I reference or include code snippets from a sponsor's GitHub repository in my findings report for CodeArena?\n\nAnswer: In a CodeArena findings report, you can provide references to code snippets from a sponsor's GitHub repository, but these are not automatically embedded in the report. To reference code, you can include the GitHub permalink for the respective code block in the 'Links to Affected Code' section, especially for high/medium findings. If you wish to include a code snippet in the report, you can use markdown in the finding body, following the guide available at [GitHub Docs](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks). \n\nIf the code snippet underlines a Proof of Concept (PoC), you can also provide direct links to all referenced code in GitHub in the PoC section, along with any screenshots, logs, or other relevant proof. For large PoC issues, providing a link to a gist is acceptable if embedding the code snippet directly in the report is not feasible. \n\nFinally, remember that when showcasing areas of vulnerability, it is recommended to include both the URL to the repository with the line number and a code block. 
Keep in mind that the method you choose to provide the code - either adding it directly to the report under 'Proof of concept' or linking it on a private GitHub repo - may depend on the length of the code.\n\nMore details on the submission policies can be found at [Code4rena\u2019s Documentation](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).", "Q: What are the processes and options for submitting findings on CodeArena, particularly for those still awaiting warden verification?\n\nA: Options for submitting findings on CodeArena largely depend on your status as a warden. If you are a certified warden, you can submit your findings directly through the provided form on the website for each contest. Findings submission follows a documented process available at [https://docs.code4rena.com/roles/wardens/sub](https://docs.code4rena.com/roles/wardens/sub). The website has \"View Repo\" and \"Submit Findings\" buttons for certified wardens to use. After submitting, it might take some time for your finding to be confirmed via email. If the submission fails, the form should return an error. \n\nIf you're still waiting for warden verification, it might be because the site is deploying. After this, your warden name should appear in the list. In some cases, you might need to connect your wallet to your account to submit findings. \n\nIf you have more findings to submit after an initial submission, or if you need to modify or withdraw findings, the guidelines can be found at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). \n\nIf your report exceeds the number of characters allowed in the submission form, you can submit a placeholder and send an email. 
Details can be found at [https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form). \n\nFor users who have submitted applications to become wardens and are waiting for KYC emails, the process of certification is said to be in queue after provenance verification, and the applicant will be notified soon. If you have submitted a report and need to check the submission status, you might want to communicate directly with the staff for further clarification. \n\nPlease note that it's not necessary to confirm findings with the project's developers before submitting them; however, it's up to the warden to submit a point thought to be a valid finding.", "Q: I placed 2nd in the nested finance audit contest. When can I expect the funds to be sent to my MetaMask wallet and how is the award distribution process handled by CodeArena?\n\nA: The awards for the Nested Finance audit contest were recently sent out. CodeArena usually disburses contest awards between 1-2 weeks after the announcement, typically on a specified Monday or Tuesday. This is because the signatures for the award distribution are usually rounded up in a standing Monday meeting. However, it's important to note that there can sometimes be a delay in the distribution of awards. For instance, in the case of this contest, there was a delay in the distribution of awards. Once the awards have been sent, the outcome cannot be changed, but any overlooked issues can be flagged to the judge and sponsor. In case a team wins an audit but cannot claim the prize due to KYC issues, there's a concern whether the reward will be on hold or lost forever. 
\n\nFor team rewards, the prize is sent to a single address, and it is the team's responsibility to distribute it amongst themselves. If you were part of a team, please check with your team lead to confirm the receipt of the award. For any additional questions regarding payouts, please direct your inquiries to the Code4rena Foundation. \n\nWe aim to process and distribute multiple contest rewards by the end of a specified week and will communicate any delays openly with our community. For future reference, our contest schedule, including the timing of the award distribution, is dependent on several factors including sponsor confirmations and event scheduling. Our audit reports are typically published after all stages of a contest are completed. This includes contest completion, sponsor reviews, judging, and awarding, which could take anywhere from 2 weeks to over 6 weeks.", "Question: How can I edit a finding I've submitted in a CodeArena contest?\n\nAnswer: You can edit your submitted findings directly on the contest page. Navigate to the specific contest on CodeArena and click on the \"Your Findings\" button. Here is an example link: https://code4rena.com/contests/2023-02-ethos-reserve-contest. This page allows you to modify your submitted findings while the contest is still open. You may also withdraw a finding and submit another one if necessary. Remember, you can check the success of your report submission by looking for a confirmation email and any changes will be recorded and visible. If you encounter difficulty or need further assistance, you can submit a helpdesk request with all the information and the update to the finding before the contest closes. Note that findings are reviewed at the end of the audit period, and users are able to edit their findings until the contest closes.", "Question: I haven't received my award from the Fairside contest yet. 
Can you provide some information about the award distribution process and timelines at CodeArena?\n\nAnswer: Sure, we understand that you are eager to know about your award. The process of distributing awards at CodeArena involves several steps. Typically, once a contest has concluded, the sponsor reviews and judging takes place. This process can take less than a week. Once that's done, award calculations are made. Please be aware that there have been recent changes to the award calculation process and there might be several pending contests. \n\nAwards for specific contests, like the Fairside contest you mentioned, are generally announced within a week after these processes have been completed. The specific timeline can vary and the exact date of award announcement for Fairside will be communicated to you directly or announced in the community soon. Once the awards are announced, they are aimed to be sent within 1-2 weeks. \n\nKeep in mind that the distribution of awards also depends on the network. For instance, if the contest was held on the Polygon network, that's where the awards are distributed.\n\nFurthermore, payment for the contest is usually released after the announcement. The signatures required for the award distribution are usually rounded up in a standing Monday meeting, so any announced awards should generally get processed on either Monday or Tuesday. \n\nPlease note that all these timelines are subject to change based on contest specifics and other factors. You can always inquire about the progress and schedule of final reports by reaching out to us or via direct message regarding questions specific to Fairside.", "Q: How can I edit a finding after it has been submitted, and is there a way to add additional findings to a previous submission?\n\nA: Yes, it's possible to edit and add to your submitted findings. To do so, navigate to the contest page on our website, then look for the 'Your Findings' button. 
You can find this button under the 'Findings' tab or directly on the contest page. The direct URL for a contest page will usually look something like this: https://code4rena.com/contests/2023-02-ethos-reserve-contest\n\nOnce you have clicked on the 'Your Findings' button, you can modify your submission or add new information. Please note that this feature is available as long as the contest is still open. If the contest has closed, you may need to submit a helpdesk request with the updated information. \n\nAs an additional point of reference, you can check the success of your report submission by looking out for an email confirming your submission. After submitting a finding, additional feedback and follow-ups might also be given. If you wish to cancel a submission entirely and create a new one, you can withdraw the findings under the 'Your Findings' section.\n\nPlease be aware that there has been some discussion on whether findings submitted before the contest deadline are publicly available and how to check a submission without modifying it. Participants are allowed to update the format of their findings, but the ability to edit the original author's submitted findings is still under discussion. \n\nFor further guidance, you can refer to our Analyses Guidelines and FAQ page: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118", "Q: When and how will my competition prize be distributed if I finish in a winning position in a Code4rena audit contest?\n\nA: After placing in a winning position in one of our audit contests, there are a few steps before the awards are distributed. \n\nFirst, your submission will be confirmed and the reward amounts will be announced. You can follow the progress on our announcement channel. Once that is done, the rewards are queued at our multisignature (\"multisig\") wallets. These wallets add an extra layer of security by requiring signatures from multiple parties before funds can be released. 
\n\nDue to this process, and our careful approach to ensure everything is done correctly and securely, the distribution of awards can take between 1 to 2 weeks after the announcement of winners. Occasionally, it can take a bit longer if we need time to calculate the awards or if there are multiple contests being processed simultaneously. \n\nWhen the payout is ready, the award will be sent to your registered wallet address, such as a MetaMask wallet. Be aware that in some cases, like the Fairside contest, awards are distributed on the Polygon network. \n\nIt's important to note that in the case of team rewards, the prize is sent to a single address, and it is the responsibility of the team to distribute it amongst themselves. Also, if there are any issues with claiming the prize due to KYC regulations, it's best to contact us directly to discuss the options. \n\nLastly, remember that once more functionality is implemented in the future, we plan to distribute awards via smart contracts. Currently, our projects in audit contests are yet to be deployed.\n\nMore information about upcoming contests and audits can be found on our website: https://code4rena.com/contests/2023-07-basin.", "Q: I am interested in becoming a warden with CodeArena, and I would like some clarification on how reward distribution works, specifically after the end of a competition. What should I expect?\n\nA: The reward distribution after a competition at Code4rena varies depending on several factors. While there may be instances where it takes up to 2 months to receive rewards, that's considered a worst-case scenario. Code4rena is actively seeking to reduce these turnaround times, which is a high priority for the company. \n\nIn terms of how the rewards are distributed, if the same issue is submitted by two wardens using the same warden but different wallets, each warden gets less than half of the reward. 
The more wardens that find the same issue, the less money each warden receives for that issue. It's important to note that the order of submitting issues does not affect this. If you'd like more details about this, you can refer to the incentive model and awards section of the Code4rena documentation [here](https://docs.code4rena.com/#incentive-model-and-awards).\n\nFor a detailed list of rewards for each warden for each bug per contest, you can check [this](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv) link.\n\nIf you're interested in becoming a Certified Warden, there are certain eligibility criteria. A warden who has encountered one high severity bug and has competed in at least three contests can be eligible for certification. Certified Wardens can get access to findings shortly after contests end and participate in private contests. You can find more about the certification process and its constraints [here](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints). There's also a Certified Plus Warden role, which has some additional entry requirements and gives access to private repos after a contest is finished.\n\nLastly, it's worth noting that Code4rena is currently open to new wardens, however, the company's ongoing growth and the increasing number of contests and wardens may affect future access and prize funds distribution.", "Question: How can I successfully call hh deploy-pie-from-factory for the Amun project using Foundry?\n\nAnswer: Currently, it seems that no one in the chat has shared a specific solution to successfully call `hh deploy-pie-from-factory` for the Amun project. However, there are some helpful resources and tools suggested that might help you in deploying contracts using Foundry. 
\n\nFirstly, for deploying contracts that take a struct as an argument in the constructor, you might find this thread on Ethereum StackExchange useful: [Creating a new contract specifying a sender and value with factory pattern](https://ethereum.stackexchange.com/questions/68519/creating-a-new-contract-specifying-a-sender-and-value-with-factory-pattern).\n\nOn the topic of \"upgrades.deployProxy\" from Hardhat in the context of Foundry, you can refer to this GitHub link for the Chugsplash Foundry: [Chugsplash Foundry](https://github.com/chugsplash/chugsplash-foundry).\n\nIf you encounter the \"Source from artifact has no AST.\" error when running forge debug on a Hardhat project with Foundry integration, you might find the tool called \"foundry debug\" useful for debugging Hardhat tests and introspecting contract execution at the EVM opcode level.\n\nFor handling deployment, the Hardhat Foundry can fork its state from a public testnet or even the mainnet, which makes it a convenient option for testing smart contracts. You may also use the tool `eth-brownie` to mock contract deployments.\n\nAlso, consider using community tools like Mythril and Slither for testing contracts downloaded from Github. For projects that employ Hardhat, Foundry can be used and a base template for this can be found at this link: [Hardhat-Foundry-Template](https://github.com/foundry-rs/hardhat-foundry-template).\n\nPlease note that this information is based on the discussions and resources shared within the chat and you might still need to explore and experiment further to find a specific solution for deploying `hh deploy-pie-from-factory` for the Amun project using Foundry.", "Question: How can I engage with the Amun project members and other community representatives in the Code4Arena Discord chatroom?\n\nAnswer: Project team members, including those from the Amun project, are listed and available for consultation in specific Discord channels. 
Co-founders and representatives from other projects like Lion's Mane, Tracer DAO, and Gro are also present. During a contest, you are allowed to discuss potential submissions with a project's dev team. These discussions can occur either in the contest channel or through private messaging. If you're having difficulties with code compilation or need technical help, the contest channel is also a great place to ask for assistance. \n\nYou can also reach out for help if you're having issues connecting your Discord account with your Code4Arena account. If you need to check reported findings or want to view and participate in contests, you can follow the provided links in the relevant Discord channels. For example, the #\u270brsvp channel provides information on current contests.\n\nTo join the broader Code4Arena community discussions, you can use this Discord link: https://discord.gg/5WHvfHeSwr. If you have suggestions on improving the website, leaderboard systems, contest processes, or Discord setup, feel free to share them via the suggestion box. You can direct message the C4 staff members for any inquiries or clarifications. For any updates, check the #\ud83d\udce2announcements channel or sign up for the C4 newsletter. \n\nPlease note that while there haven't been any Solana contests yet, we are actively looking to expand beyond EVM and Cosmos chains. Additionally, we are considering archiving contests in quarters due to Discord's channel limit.", "Question: I seem to be missing certain permissions on CodeArena. How can I gain access to restricted resources?\n\nAnswer: To gain additional permissions on CodeArena, you must register as a 'warden'. Once registered, it's important to be active, as several user applications have been closed due to inactivity for 2 days. Drop a notification in the #\ud83d\udc3ai-want-to-be-a-warden channel to complete the registration process. 
\n\nPlease note that access to certain resources, like the 'findings' page or the 'backstage' group on Github, is restricted to users with specific privileges. However, the 'backstage' feature has been temporarily disabled due to previous misuse. \n\nAt times, there can be delays in receiving responses to applications or requests. Please bear with us during these times. If you still encounter difficulties accessing the site or if you're experiencing errors when submitting queries or help requests, it might be due to an issue on Github (https://www.githubstatus.com/incidents/r5qrpp2f5fc0). \n\nPlease also be aware that there are certain restrictions when commenting on issues outside of Q/A and there might be possible size limitations on submissions. If you believe you qualify for Certified+ but cannot find the submission form, or if you have queries about submission rules, please let us know. \n\nLastly, while you can apply for a 'lookout' role using findings that don't have reports out yet, make sure to check the submission deadlines, as missed deadlines are commonly reported issues among users.\n", "Question: How can I interact with project members or receive technical assistance on Code4rena's Discord server?\n\nAnswer: Code4rena maintains a vibrant and interactive Discord server where you can consult with project members and representatives from various projects like Lion's Mane, Tracer DAO, Gro, Reality Cards, and Pool Together. The best way to initiate a conversation is through the contest channel on Discord or by direct messaging the project members listed in the specific discord channel. You can also discuss potential submissions with the project's dev team during a contest either in the contest channel or through private messaging. If you're having issues connecting your Discord account with your Code4Arena account, you can directly message someone from Code4rena for assistance. 
You can find the contact details of project members in the opening message of each project-specific channel.\n\nIf you're interested in discussions about improving the website, leaderboard systems, contest processes, or Discord setup, you can contribute your thoughts in the suggestion box. In case of any reported findings, there is a process for checking them via a link on the Discord channel. Should you have any questions related to collaboration and investment, you can contact someone on the streams' protocol team. \n\nRemember that you're also free to examine and engage in contests listed in the #\u270brsvp channel (accessed via the provided discord link), and directly message the project team about potential vulnerabilities. There is an ongoing discussion about how to manage teams and distribute rewards which can be found [here](https://github.com/code-423n4/org/discussions/43). \n\nIn the event of a contest, it is possible to discuss potential issues with the sponsor while the contest is ongoing. The Discord server is equipped with specific channels to ask general questions and sponsors' team members are available for questions via direct messaging. However, please note that response times may vary based on the individual availability of team members. \n\nLastly, if you are interested in joining the float community, you can do so via this [Discord link](https://discord.gg/5WHvfHeSwr). We're continually working to improve our channels and services, and your feedback is always welcome.", "Question: Why am I experiencing difficulties in accessing certain channels or resources on CodeArena's Discord and website, and how can I obtain the necessary permissions?\n\nAnswer: Access to certain channels or resources on CodeArena's Discord and C4 website is often based on the user's role or privileges. For example, to access the contest channels or the team-formation channel, you need to register as a warden. Registration can be done through the Code4rena website. 
Once completed, you must then announce your registration in #\ud83d\udc3ai-want-to-be-a-warden channel on Discord.\n\nAdditionally, some resources, such as the findings page or certain protocol files like the Nouns DAO protocol, may have restricted access, often limited to specific groups like the \"backstage\" group. Please note that the backstage access feature has been disabled due to misuse and can cause issues.\n\nAlso, it's important to be aware that you may encounter delays in responses to certain requests or applications due to the high volumes of requests we receive. To enable smoother communication, it's recommended to ask questions related to specific topics or contests in their designated channels.\n\nPlease be aware that some users have reported intermittent difficulties accessing the site, including issues logging in to Code4rena. If you encounter an error when trying to access specific links, such as the findings page (https://github.com/code-423n4/2023-07-axelar-findings), it could be due to these reported issues.\n\nLastly, to stay updated on any changes or updates, you can check the #\ud83d\udce2announcements channel, where all updates are posted. Proposals have also been made to pin key information to specific channels to help newcomers find necessary information more easily. For any further assistance, feel free to ask for help in the designated channels.", "Q: How do I navigate and manage my submissions on the CodeArena platform? \n\nA: Once you've successfully made a submission through our form, you can further manage your findings by navigating to the specific contest page. Here, you can find a button labeled \"Your Findings\". Clicking on this will allow you to edit or retract your submissions if needed. 
If you've submitted a finding and realized later that it's a false positive, you can simply retract your submission by clicking the findings tab under the same contest page.\n\nPlease note that our submission mechanism is constantly being updated for improved user experience, so you might encounter changes in upcoming contests.\n\nAfter your submission, you should receive a confirmation email. However, please be aware that there could be delays. In case your submission fails, the form should return an error. And for any issues encountered with your submission, you can try refreshing the page or switching your browser.\n\nTo view your submission replies regarding a contest, you can go to the C4 contest page and click under the \"Findings\" tab. Here you can view, edit, or retract your submissions. For instance, you can visit the Ethos Reserve contest page: https://code4rena.com/contests/2023-02-ethos-reserve-contest\n\nRemember, if you're part of a team, you have the flexibility to submit solo findings whenever you want. The submission form permits you to select whether you're contributing as an individual or as a team member.\n\nAnd finally, all the submitted findings go into the findings repository for the given contest, which are later evaluated by our judges after the contest ends.", "Question:\nCan I use a separate Ethereum address from my mainnet address for transactions with CodeArena, including rewards distribution? \n\nAnswer:\nYes, you can use a separate Ethereum address for transactions with CodeArena. However, remember that you will need an address from the Ethereum mainnet, and if you're using a smart contract wallet like Gnosis or Argent, it could be different. If you wish to change the wallet address associated with your account, this is possible but might require a significant effort to manage, as it is not centrally stored.\n\nFor rewards disbursement, they are sent to the Polygon address, not to the Ethereum address. 
You can monitor your tokens on polygonscan.com/address/ and move funds back to the mainnet using the polygon bridge at wallet.polygon.technology. \n\nRemember, you need to register your handle and Ethereum (ETH) address to receive your share of the rewards. When you submit findings, there is a field for the polygon address too. The email confirmation of submission does not include the Ethereum address provided by the participant. \n\nIf you are testing your smart contracts, you can use public testnets, but local forking is preferred to avoid polluting the testnet with unnecessary data. You can do this using Foundry, which can fork its state from a public testnet or even the mainnet. Foundry is helpful for local forking as it avoids the need to grab testnet tokens for transactions or wait time on blocks. \n\nFor simpler contracts or exploratory development, a private testnet can be a more suitable choice. A service that converts a contract address into a separate solidity file can be found on Etherscan by changing .io to .deth.net. \n\nAs always, ensure that you are diligent in managing your addresses and handle in order to properly receive your rewards and maintain the security of your transactions.", "Q: What should I do if I'm facing issues with the submission form on Code4Arena?\n\nA: We understand that some users have experienced difficulties using our submission forms. These issues could range from not being able to find the correct submission form, to receiving errors during submission, potentially due to a size limit or API limitations. Problems with GitHub could also affect our contest submission form. \n\nIf you encounter a problem with the form, first try refreshing the page or changing your browser. Some users have reported success with these methods. If you're still unable to submit, you can send your submissions directly to submissions@code4rena.com. 
\n\nIf you're using mobile and experiencing difficulties, you can also use this email address to seek assistance. Please note, it may take some time for a submission to be confirmed via email. If your submission fails, the form should return an error.\n\nIf you are trying to submit a finding and see the message 'No findings submitted for this contest' despite having made a submission, or if you experience issues loading submitted findings, please get in touch with us via the email provided above. \n\nNote that there are also concerns about users getting penalized for too many unsatisfactory submissions. We encourage users to be sure of their findings before submission. If you have concerns about the validity or invalidity of the issues you wish to submit in the contest, we recommend seeking advice from our community before submitting.\n\nLastly, remember that the deadline is crucial. Make sure to submit your QA on time to avoid disappointments. If you're having trouble running a contest with the provided instructions or have questions about submission rules, don't hesitate to reach out to us. We're here to help!", "Question: When and how are the findings from a CodeArena contest reviewed, confirmed, and made available for viewing?\n\nAnswer: Findings from a CodeArena contest are reviewed and confirmed soon after the contest ends. However, these findings remain private until the final report is published. The review process is initiated immediately after the contest ends and includes a sponsor review, judge review, sponsor confirmation, and the judge's final report. After this review process, the results are announced. \n\nThe final findings report, which includes detailed information about accepted and rejected submissions, is made available to the public once it's complete and published. The specific duration before the findings repo becomes publicly available is not stated. 
However, the entire review process, until the publishing of the findings, usually takes at least a month. \n\nDuring this review process, discussions about specific findings are discouraged until the report has been posted for the contest in question. This is to give sponsors time to address any issues. \n\nParticipants have the ability to track their report status and view and edit their findings under the 'Findings' tab next to the contest description, up until the contest ends. After the contest ends, the submission rules prohibit making these findings public until the contest is finalized. \n\nPlease note that any findings not submitted before the contest ends will not be eligible for consideration, and the specific reason why a submission did not make it to the final report might not be immediately known. You will have to wait until the reports are published to check on this.\n\nIf you have submitted findings, you can expect a confirmation via email and you can also check them under the 'Findings' tab on the C4 Contest page. If needed, findings can be withdrawn under the 'Your Findings' button on the contest page. \n\nThe final reports for contests are posted in the same section where Contests are posted on the CodeArena website. Certified+ Wardens have immediate access to the findings repo after a contest ends. \n\nHowever, it's important to note that the time taken for project findings to get reviewed can vary with each contest, and sponsors may not have access to the findings repo before the contest ends.\n\nFor more information, visit the CodeArena website or our Discord chatroom, where you can ask any follow-up questions.", "Question: Is a \"missing 0 address check\" considered a valid finding in smart contract audits, and if so, why?\n\nAnswer: Yes, a \"missing 0 address check\" is generally considered a valid finding in smart contract audits. 
This is because failing to include this check could potentially lead to loss of funds if tokens are transferred to the zero address. However, there has been some debate about the severity and significance of this issue, with some suggesting that while it is technically a vulnerability, it may not have a meaningful impact in practice. \n\nA related optimization detected by automated audit tools, titled 'Use assembly to check for address(0)', has been discussed in the Discord server. This optimization using assembly could save a few gas, but it's not necessarily interesting or valuable for sponsors. You can read more about this issue at https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs.\n\nOne instance of a \"missing 0 address check\" vulnerability can be found in the report here: https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address. \n\nIt appears that it is acceptable to submit a single report with all occurrences of the same issue when finding such vulnerabilities. Also, even if you're not 100% certain of your finding, there seems to be no issue in reporting it. However, it's recommended (though not mandatory) to also provide \"Recommended Mitigation Steps\" to increase the value of your report. \n\nOverall, while there are differences in opinion about the severity and implications of a \"missing 0 address check\" vulnerability, it is generally recognized as a valid finding in smart contract audits.", "Question: Are the issues of the Fei project made public, and how are they processed and released?\n\nAnswer: As of the time of the observed chat, the issues from the Fei project are not public. These issues are compiled in a report and shared at a later date. The findings are initially posted as GitHub issues on a private repository which is made public once the report is published. This report contains both valid and invalid issues. 
Users can access all the issues, potentially including their own submissions, once the repo is made public. However, it's important to note that the issues in the published reports might be the same as those initially reported, but this point is not entirely clear. Before the publication, these repositories are usually private until they have been mitigated and cleared for publication by the sponsors. On occasions, there are inquiries and concerns about the validity of issues submitted in contests, such as those related to gas reports. If you have concerns about inconsistency, process, or lack of clarity in rules, you are encouraged to review issues at https://github.com/code-423n4/org/issues.", "Question: What constitutes a privilege escalation in terms of smart contract audits, and how is it handled at CodeArena?\n\nAnswer: A privilege escalation occurs when a user gains elevated access to resources that are usually protected from an application or user, resulting in unauthorized actions that can break the system functionality. In the context of smart contract audits, this could involve a scenario where a user can arbitrarily manipulate an array leading to a Denial of Service for everyone else. This is usually submitted as a High/Medium severity issue. \n\nAnother instance could be when a line of code has multiple ways of exploitation. In such cases, all the bugs should be reported, but priority should be given to the exploit with the most significant impact. \n\nFurthermore, a vulnerability without a proof of concept can potentially be rewarded as a high if the process is clearly described in bullet points. However, there is a higher burden of proof for demonstrating to sponsors a relevant high or medium severity exploit path to be considered satisfactory if automated tools are used for initial findings. You can find more information on this at https://github.com/code-423n4/org/discussions/50. 
\n\nIf two different vulnerabilities can be combined to create a more powerful exploit, users can submit a third finding explaining the proof of concept. Likewise, known issues can be used to build more complex exploits. It's also worth noting that social engineering attacks on the owner should be considered as part of privilege escalation. \n\nIn terms of handling privilege escalation, CodeArena takes several measures. Issues identified by bots can potentially be rated lower than their actual severity. If a participant escalates it to a higher severity during a contest, the issue is not automatically invalid. However, strong evidence must be provided to demonstrate a relevant High or Medium severity exploit path, as per CodeArena's submission policy: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.\n\nIt's also important to note the backstage privilege, which a user can attain after identifying their first high vulnerability. This role has occasionally been abused, and there are instances of backstage privilege abuse involving sharing information about findings for judging in progress with others who did not have backstage access. More information on backstage wardens can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.\n\nLastly, trust between wardens and sponsors is crucial and there have been concerns about potential misuse of disclosed vulnerabilities. Therefore, it's advisable to exercise discretion and ethical conduct during the audits.", "Question: Why do projects such as NFTX opt to use a \"snapshot\" of OpenZeppelin (OZ) contracts rather than importing them directly from the OZ npm repository?\n\nAnswer: Projects often employ a \"snapshot\" of OpenZeppelin contracts instead of importing them directly from the npm repository to accommodate necessary modifications that suit their specific project requirements better. 
It is common to see projects copy and paste the OpenZeppelin source code into their repositories. This practice provides more flexibility in altering the contract code to align with projects' unique needs, manage dependencies, and determine the version of a library a contract uses based on the specified version in the packages.json file. \n\nIt's valuable to note that the completion of NFTX findings pertains to this context. If you wish to compile code on Remix, you could clone the entire repository and install the dependencies with forge. Alternatively, you can manually include the contracts on remix from OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate). More information can be found in OpenZeppelin's documentation: https://docs.openzeppelin.com/contracts/4.x/wizard. \n\nHowever, depending on the project's complexity and requirements, it's crucial to take note of possible differences in measures of lines of code in Solidity contracts when using tools such as Solidity Coverage (https://www.npmjs.com/package/solidity-coverage) and Solidity Metrics nSLOC (https://github.com/ConsenSys/solidity-metrics). \n\nFinally, this practice is not exclusive to NFTX but is also observed in other projects that require smart contracts auditing, including products built on Polygon. While the practice of using snapshots allows for greater customization, it is essential to understand that it can also introduce additional complexities and the need for comprehensive audits to ensure the security of the smart contracts.\n", "Question: What tools and resources can be used for auditing smart contracts on CodeArena, including the process of identifying differences in contract audits?\n\nAnswer: On CodeArena, you can use a variety of tools and resources for auditing smart contracts. 
For beginners, resources are available at [Code4Rena](https://docs.code4rena.com/roles/wardens/tools-and-resources) and [Cmichel](https://cmichel.io/how-to-become-a-smart-contract-auditor/). For identifying differences between two contracts, you can use diff commands. \n\nIn addition, CodeArena offers an audit tool that is work-in-progress, which is located at [Audit Helper](https://github.com/HardlyCodeMan/audit_helper/). This tool may assist you in your auditing process. \n\nFor deeper insights, you can learn from previous audit reports accessible at [Chainsecurity](https://chainsecurity.com/audits/) or use the smart contract scanning tool at [Metatrust](https://app.metatrust.io/project) to detect price manipulation vulnerabilities. \n\nThere are discussions about the use of fuzzing tools like Echidna for auditing. You could also consider using tools like Mythril and Slither for testing contracts downloaded from Github. If you're curious about syntax checks, the online Remix IDE offers a similar function for Solidity code. \n\nThere's also a #\ud83c\udfebeducation channel where users can learn more about auditing smart contracts. Furthermore, there is a video that explains some aspects of contract auditing available at [Youtube](https://www.youtube.com/watch?v=wCD3fOlsGc4). \n\nRegarding the scope of the audit, it's still uncertain whether the audits should only be conducted on the contracts or also on the script folders. If you have further queries, feel free to ask in the chatroom.", "Q: Why do projects commonly copy/paste OpenZeppelin (OZ) source code into their repositories instead of using the npm library and how can this impact the auditing process?\n\nA: OpenZeppelin is a library for secure smart contract development. It is common for projects to copy and paste OpenZeppelin source code into their repositories instead of using the npm library. 
This practice, often referred to as taking a \"snapshot\" of OpenZeppelin contracts, is usually done to allow for necessary changes to the external contracts to better suit project requirements. \n\nWhile this practice is standard, it can introduce variables during the auditing process. For instance, there may be questions about whether all bugs/gas optimizations stated in publicly known issues are valid for other files within the same repo. \n\nAdditionally, auditors may need to compile the code on Remix by cloning the whole repository and installing the dependencies with forge, or manually include the contracts on remix from the OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate). \n\nWhen auditing such projects, it's also important to note that a link pointing to a sponsor's GitHub repo code in a findings report does not automatically pull in that code snippet to the report. Therefore, auditors often need to provide detailed reports with specific references to the code in question. \n\nRemember, understanding the purpose of a codebase generally requires reading the documentation and having previous experience with similar code. If you encounter any issues or uncertainties during the auditing, it's recommended to raise your concerns in a community discussion or the FAQ.\n\nIt's also worth noting that when there's no test setup in the C4 repo, auditors often check the sponsor's GitHub for a potential test setup or isolate parts of the code to test it in isolation. In some cases, the use of external platforms such as Gist may be acceptable for submitting proof of concept (POC) reports.", "Question: What tools and methods can auditors use to spot differences and potential issues in the smart contracts they are auditing?\n\nAnswer: \nAuditors have a variety of tools and methods at their disposal to spot differences and potential issues in smart contracts. 
One fundamental approach is to use a 'diff' command or diff tools to spot differences between two contracts, which allows auditors to identify changes or inconsistencies.\n\nFor more advanced audits, auditors may use tools that assist with automated findings. One such tool can be found on our platform at https://github.com/HardlyCodeMan/audit_helper/. This tool is still a work-in-progress, but it is designed to aid in the auditing process. \n\nIn addition to these tools, auditors may use fuzzing tools, such as Echidna, to test the robustness of the contracts they audit. Fuzzing is a testing technique that involves providing a series of random inputs to a program in an attempt to trigger an error.\n\nOther methods involve understanding and reverse-engineering old audit reports. Reading these reports allows auditors to understand the common issues that arise in smart contracts and how they can be mitigated. A collection of example audit reports can be found at: https://chainsecurity.com/audits/.\n\nAdditionally, auditors can use C4udit or its newest fork, Analyzer [https://github.com/Picodes/4naly3er], to find Publicly Known Issues. These tools are particularly useful in identifying known vulnerabilities in the audited contracts.\n\nFinally, auditors can engage in the audit process even before the code is complete. This proactive engagement allows them to spot potential issues early and provide solutions or mitigations.\n\nFor beginners seeking to understand the auditing process, or for those looking to participate in private audits, they may find this blog post helpful: https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan. This blog post provides a three-step game plan on how to approach auditing of big projects. 
\n\nRemember, persistence is key in mastering these tools and methods, and the end goal is to find more bugs faster, as emphasized by Quantstamp's Sebastian Banescu in his talk: https://www.youtube.com/watch?v=O1rKwDv5kLQ.", "Question: Why do some smart contracts appear to have \"snapshots\" of OpenZeppelin (OZ) contracts instead of directly using the OZ code from the npm package, as seen in the OZ wizard?\n\nAnswer: While the OpenZeppelin (OZ) wizard provides the OZ code as an import to the npm package, it is common for projects to instead copy and paste OpenZeppelin source code directly into their repositories, creating what appears to be a \"snapshot\" of the OpenZeppelin contract. This practice is usually employed to allow for necessary modifications to the external contracts to better fit the specific requirements of the project, which might not be feasible when using the npm package directly. \n\nThe version of the library used by a contract depends on the version specified in the packages.json file of the project. While copying the code, developers often extract it directly from OpenZeppelin's GitHub repository, which can be found here: https://github.com/OpenZeppelin/openzeppelin-contracts. \n\nHowever, it is essential to note that while this practice allows for greater flexibility, it also carries potential risks. For instance, if the copied code contains bugs or vulnerabilities that are later fixed in the original library, these fixes won't be reflected in the project unless manually updated. 
\n\nFor more information on how to use OpenZeppelin contracts, you can refer to their documentation here: https://docs.openzeppelin.com/contracts/4.x/wizard.", "Question: How does the issue submission and evaluation process work at CodeArena, especially in cases of multiple issues in one submission or multiple submissions of the same issue?\n\nAnswer: At CodeArena, each issue submitted during a contest is evaluated strictly based on what was submitted by the participant. If you have found multiple issues, it's advisable to create separate submissions for each distinct issue for optimal judgment as multiple items in one submission count as one. Judges do not have the capability to \"multiply\" an issue, meaning they cannot separate out multiple issues from one submission. \n\nHowever, if the same vulnerability is found in multiple different components of the codebase, it might count as separate findings, but it's ultimately the judge's discretion to determine if they're duplicates. In the case of duplicate submissions, or two participants submitting the same bug, the judging criteria for such submissions can be found on CodeArena's Github page [here](https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions). \n\nAlso, it's important to note that the order of reported issues does not necessarily go according to submission time, as judges prioritize the quality of the write-up over the order of submission. If an issue is submitted considering it to be a high severity issue, and the judge disagrees, the issue might be downgraded, but the participant will still be awarded unless the judges invalidate it for overinflating severity. 
More on this can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions).\n\nIf you are a part of a team and find the same issue but submit it with different wallets, or have any disagreements with a decision about a contest judgement, you can review and raise concerns at CodeArena's Github [here](https://github.com/code-423n4/org/issues). If an issue is labeled \"sponsor-disputed\" with no explanation provided, you can check for duplicates and ask the judge after judging. For further guidelines, you can refer to the official CodeArena documentation [here](https://docs.code4rena.com/).", "Question: What tools and resources can I use for testing and understanding Solidity syntax, specifically a test script syntax, in smart contracts?\n\nAnswer: To test and understand Solidity syntax, multiple resources and tools are available. If you are seeing a test script syntax in a few Solidity examples, it's likely a script designed to test potential exploits. The run function of the script calls varying functions in a specific order on the smart contract. \n\nOne such tool commonly used for running these types of tests on a forked network is Hardhat. You can also use Slither, a static analysis tool for smart contracts, and Mythril for testing contracts downloaded from Github. \n\nFor understanding specific syntaxes like \"Sale public sale\", you can refer to resources like https://solidity-by-example.org/0.6 and https://docs.soliditylang.org/en/v0.7.5/. For decompiling Solidity code, https://library.dedaub.com/decompile can be helpful. \n\nIf you're interested in checking Solidity code for syntax mistakes and checks, similar to the functionality of the online Remix IDE, there isn't an exact equivalent tool mentioned in the discussions. However, you can use the linter in Solidity or check your contract code in Remix for compilation warnings as part of static security testing. 
\n\nRemember, the practice of testing in Solidity is crucial to verify certain aspects of the Contracts being audited. And for navigating multiple smart contracts files, a personal approach starting with libraries and interfaces that have least dependencies could be beneficial. Lastly, always ensure to format your Solidity code properly in the submissions for readability and consistency.\n\nPlease note that while several resources and tools are mentioned, it's important to select and use them based on your specific requirements and understanding of Solidity.", "Q: How do I properly submit my findings to a contest on CodeArena and what is the process to do so?\n\nA: Submissions for contest findings at CodeArena are made using the \"Submit finding\" button on the specific contest's main page. Each finding should be submitted separately. Please avoid using the GitHub template, as it's outdated and is no longer maintained. You can find the outdated template [here](https://github.com/code-423n4/code-contests/blob/4db2720312f0958f2e89f6207a6774c9e5360655/SUBMISSION_TEMPLATE.md) for reference.\n\nTo submit your findings, follow these steps:\n\n1. Navigate to the contest's main page and click on the \"Submit finding\" button.\n2. After clicking the \"Create issue\" button in the \"Submit finding\" section, your form data transforms into a submission that goes into the findings repository for the given contest. These submissions are evaluated by our judges after the contest ends.\n3. If you're part of a team, you can opt to submit individual findings, and the submission form allows you to choose whether you're submitting under your individual or team handle.\n4. The submission form supports Markdown for formatting your text and code. You can also include direct links to your GitHub repositories as proof of concept in your finding submissions.\n5. 
In case of any issues with GitHub affecting the contest submission form, or if your gas report is larger than ~65k characters (due to Github's max character limit for issue descriptions), you can email your submission to [submissions@code423n4.com](mailto:submissions@code423n4.com).\n6. If you need to update your findings, you can do so by clicking on the \"Your findings\" button on the contest page.\n7. In the event that you mistakenly submit all your findings to the incorrect contest, resubmit them to the correct contest and fill out the form [here](https://code4rena.com/help/) to inform our staff about the incorrect submissions.\n \nPlease note that there are restrictions on submitting more than one report of gas optimization in a contest; all such findings should be compiled into one report. For duplicate bug submissions, our judging criteria can be found [here](https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions). Ensure you review the submission guidelines [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues) before making any submissions. All past submissions can be found in any repository ending with -findings on the [CodeArena GitHub](https://github.com/code-423n4).", "Q: How can I submit findings and update my submissions for CodeArena smart contract audits?\n\nA: You can submit findings using the \"Submit finding\" button of the specific contest on the main Code4rena page. Each finding should be submitted separately. If you need to update your submissions, there should be a \"Your findings\" button to use for this purpose. If you need to edit a particular finding, you can make a helpdesk request with all the information and the update to the finding before the contest closes [link to the helpdesk]. \n\nThe templates for submissions can be found on our GitHub page. 
Although the old template is outdated and not updated anymore, you can still use it as a reference [link to the old template]. When submitting through the Code4rena interface, a markdown template is proposed. If you are not familiar with Markdown, you can use this resource to help you [link to Markdown resource]. \n\nIf you have findings that apply to multiple parts of the code, you can reference this link for guidance on how to report these [link to the guidance]. There has been some debate regarding how best to reference the code in reports, whether to leave direct links to the code on GitHub or to refer to a specific file and line number.\n\nIf you have large reports to submit, it has been suggested that you could submit them by email and then place a placeholder in the original submission. This suggestion may be added to the official documentation in the future.\n\nWhen filling out the bug template, it is not strictly necessary to complete the \"Recommended Mitigation Steps\" section. However, doing so can improve the value of your report.\n\nIf you are unsure about submitting a finding due to lack of specification in the documents, we recommend you submit these findings or direct message the sponsor team for additional context. \n\nFor further clarification, you can always turn to the contest channel in our Discord. You can also refer to the guidelines and FAQ provided to the users for reference [link to the guidelines and FAQ].\n\nPlease note that you can find templates or guides for gas/QA reports in terms of formatting on our GitHub page [link to the templates].", "Question: I'm unsure about the submission process. Do I need to send reports to an email, as mentioned in the template, to submit an issue?\n\nAnswer: The submission process is done primarily using the \"Submit finding\" button on the contest page of our website, not through email. Each finding must be submitted separately. 
If your report is too large for the submission form, you can submit a placeholder and then email the full report to submissions@code423n4.com. Please ensure that the placeholder references the email sent. Complete details can be found [here](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form).\n\nOnce you've submitted a finding, you should receive an email confirmation from submissions@code423n4.com. This email serves as the only confirmation of your submission. If you don't receive this confirmation, check your spam folder. If your submission is successful, you should be able to edit the submitted findings. If the submission fails, the form will return an error. \n\nYou can check the status of all your submissions during the contest via your email confirmation. If you need to update your findings, look for a \"Your findings\" button. If you have any issues, feel free to submit a help desk request. Remember to adhere to the submission guidelines, which can be found [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). The old GitHub template for submissions is outdated and is not used anymore.", "Question: How should I submit, modify, and manage my findings for a specific contest on CodeArena?\n\nAnswer: You should submit findings for a specific contest using the \"Submit finding\" button on the main page of the contest; each finding should be submitted separately. After clicking \"CREATE ISSUE\" in \"SUBMIT FINDING\", the form data will be turned into a submission that goes into the findings repository for the given contest, which is later evaluated by judges after the contest ends. \n\nTo modify a submitted finding, navigate to the contest page and click the 'Your Findings' button. This is also where you can add more findings to your gas report or QA report. 
If you have submitted a finding that you wish to withdraw, you can do so under the same \"Your Findings\" section on the contest page. \n\nWhen unsure if findings should be submitted as separate issues or as one, it's unclear which way to lean. However, when submitting bug findings, it is advised to make separate submissions depending on the type and severity of the bugs found. Also, a single report with all occurrences of the same issue is acceptable. \n\nAfter submission, you can track the status of your report and see all your findings in the \"findings\" tab next to the contest description. You will also receive a confirmation via email. If you are part of a team, you can choose whether to submit solo findings or as a team member during the submission process. \n\nPlease note that there have been issues related to submitting and loading submitted findings, so if you encounter any problems, you should reach out for support. The official documentation can provide further guidance: https://docs.code4rena.com/", "Question: Where can I find comprehensive information about the roles, rewards, and processes at CodeArena?\n\nAnswer: CodeArena provides a wealth of information about various aspects of participation on its official documentation page. \n\nFor roles such as wardens, certified contributors, and judges, you can refer to the roles section at https://docs.code4rena.com/roles/. Specific information about wardens can be found at https://docs.code4rena.com/roles/wardens, and information about becoming a certified contributor is at https://docs.code4rena.com/roles/certified-contributors. 
If you're interested in becoming a judge, you can find information at https://docs.code4rena.com/roles/judges.\n\nInformation about the incentive model, rewards, and the awarding process, including invoicing procedures, can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards and https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. For detailed information about how reward division works, you can refer to https://docs.code4rena.com/incentive-model-and-awards.\n\nGuidelines about submitting findings, analysis reports, and how the Analysis report works can be found at https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118 and https://docs.code4rena.com/awarding/judging-criteria#analysis. If you're interested in understanding how to report issues found in multiple places in the codebase, you can refer to https://discord.com/channels/810916927919620096/810936719003090974/1134472653437145149. \n\nFor an overview of the process and estimated timeline, you can refer to https://docs.code4rena.com/structure/our-process. For team registrations, visit the #\u26bdteam-formation channel at https://docs.code4rena.com/roles/wardens#registering-a-team. \n\nIf you're interested in specific technical aspects such as smart contracts and flash loans, it may be helpful to refer to OpenZeppelin's documentation at https://docs.openzeppelin.com/contracts/4.x/wizard. For more background on the technical implementation, a whitepaper was pushed to the C4 GitHub repository under /docs. 
\n\nIf you're a newcomer, key information is pinned to specific channels, and we regularly update our documentation with essential changes and updates.", "Question: How can I submit my smart contract audit report to CodeArena and verify its successful submission?\n\nAnswer: After completing your smart contract audit, you can submit your report through the specific \"Submit finding\" button for each contest on the main Code4rena page. If your report exceeds the character limit in the submission form, you can submit a placeholder and then send the complete report via email to submissions@code423n4.com. You may also send QA and gas reports to report@code4rena.com if there are issues with online submission. \n\nThe link to the outdated GitHub submission template is here, but it's advised to use the current submission method: https://github.com/code-423n4/code-contests/blob/4db2720312f0958f2e89f6207a6774c9e5360655/SUBMISSION_TEMPLATE.md\n\nIt is recommended to fill the \"Recommended Mitigation Steps\" in your bug template as it can add value to your report but it is not strictly necessary. You can also embed code in your reports and modify findings if needed.\n\nOnce your finding is submitted, you should expect an email confirmation from submissions@code423n4.com. This is your main way of confirming the successful submission of your report. However, due to various factors, there may be delays in receiving this confirmation email. 
\n\nYou can also view all your submitted reports during the competition, and can check the status of your report by looking under the \"Findings\" tab on the C4 Contest page.\n\nIf you encounter an error while submitting your report or don't receive a confirmation email, you can submit a helpdesk request and you will receive confirmation that your request has been received.\n\nThe link for help if a report is unsuccessful in submitting through the contest submission form: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.", "Question: What is the best practice for submitting gas optimization issues during a smart contract audit at CodeArena?\n\nAnswer: Gas optimization issues are a common part of smart contract audits at CodeArena. They should be reported separately when found, but all findings should ultimately be compiled into a single consolidated report. This rule is in place because only one report of gas optimization can be submitted per contest. \n\nFor each gas optimization finding, it's recommended to mention the amount of gas saved, especially if this applies to more than one line of code. However, it's important to note that not all gas optimizations are valid when the optimizer is enabled. This has led to some confusion, so you may want to ask for clarification when necessary. \n\nWhen you come across the same type of issue more than once, such as a reentrancy attack or gas optimization of the same kind, these should be reported together. You should also be aware that all valid findings for gas optimizations are weighted the same. \n\nPotential gas optimization could be a starting point for a first-time audit. 
However, remember that for gas optimizations, only those in the generated report are considered invalid, the rest are in https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md .\n\nIn summary, report each gas optimization issue separately but compile them all into one report before submitting. If you're uncertain about anything, don't hesitate to ask for clarification.", "Question: What happens if two wardens or a team find the same issue and submit it with different wallets? \n\nAnswer: When the same issue is found by two wardens and submitted using different wallets, the reward money is divided between the two wardens, with each typically receiving less than half of the reward. However, it doesn't matter who submits the issue first as there is no advantage for the one who submits first. The reward share for the same issue decreases as more wardens find the issue. The level of detail in the submission, including the inclusion of a Proof of Concept (PoC) and the thoroughness of issue coverage, may influence the award amount. \n\nIf a team of wardens submits a finding, one payment is issued, and the team has discretion over how that reward is distributed among its members. All audit findings submitted by a team belong to the team, and a single wallet receives the funds for distribution to the team. An individual warden can also submit findings as part of a team once their wallet is connected. \n\nWhen a team submits a non-duplicate finding, the team earns more rewards than if they had individually submitted the same finding. Therefore, it's generally more beneficial to submit as a team. 
You can refer to our documentation for more details on the incentive model and awards: https://docs.code4rena.com/#incentive-model-and-awards and for further details on the roles and responsibilities of wardens: https://docs.code4rena.com/roles/wardens.", "Question: What happens if a team of wardens independently discover the same issue and want to submit it separately?\n\nAnswer: If the same vulnerability is identified by multiple wardens, the reward for that issue is divided equally among them, regardless of the order of submission. This also applies to a team of wardens where each member found the same issue and chose to submit it from different wallets. While it is possible to submit findings as a team, the reward will be issued as one payment and the team has the discretion over how the money is distributed among its members. However, the exact process of team submissions isn't clearly stated. It's also important to know that the level of detail in the submission, such as the inclusion of a Proof of Concept (PoC), and covering the issue in as many aspects as possible can influence the award amount. It's recommended to consolidate similar submission issues and submit a single report with all occurrences of the same issue. More details on the incentive model and award distribution can be found at https://docs.code4rena.com/incentive-model-and-awards and https://docs.code4rena.com/roles/wardens.", "Question: Are NFTs a scam?\n\nAnswer: It's not accurate to categorize all NFTs as scams. An NFT (Non-Fungible Token) is a type of digital asset that represents real-world objects like art, music, in-game items, and videos. They are bought and sold online, frequently with cryptocurrency, and they are generally encoded with the same underlying software as many cryptos.\n\nHowever, like any market, the NFT market can be susceptible to scams and fraudulent activities. 
For example, a source of concern raised in our chatroom was about high findings related to buying NFTs with zero amount being categorized as medium. There are also alerts about potential scams and phishing attempts, like dubious links to purchase tokens from untrustworthy URLs such as invst.icu. \n\nIn CodeArena, at the end of the season, leaderboard participants could potentially receive an NFT for that season. Also, a high finding in AbraNFT was mentioned by a user who went through certification for OpenSea. However, to receive funds from OpenSea, all team members need to be certified due to anti-money laundering laws.\n\nIt's important to proceed with caution and do thorough research before buying NFTs. Make sure you purchase from reputable platforms and verify details such as smart contracts before proceeding. Tools like https://app.metatrust.io/project can potentially help identify vulnerabilities in smart contracts.\n\nIt's also worth noting that not all tokens are fee-on-transfer and that some users have expressed concerns about dishonest projects cloning white-hat reports to reduce their payouts. Therefore, vigilance and due diligence are of utmost importance.", "Question: I'm currently involved in an AMM project on the Algorand Blockchain and we're looking to create a contest for auditing our updated code. We already have an official auditing process with two other companies, but we're interested in starting an additional initiative here. Could you guide us on how to proceed?\n\nAnswer: Sure, we're happy to assist with your inquiry! If you're interested in creating an audit contest for your AMM project on the Algorand Blockchain, you can directly contact our team at CodeArena for this matter. We are regularly in contact with various projects about upcoming audits and can provide you with the necessary details. 
\n\nIn terms of operational details, you have the option to participate as a team in these auditing contests with a single wallet used during registration. To access a private audit contest, you would need to certify as a warden, you can learn more here: https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0.\n\nYou can stay updated on ongoing contests and upcoming events by checking our website: code423n4.com. It's also worth mentioning that we have a forthcoming audit contest for the Float Capital project, which you might find interesting - you can find more details on the repo: https://github.com/code-423n4/2021-08-floatcapital.\n\nIf you're a beginner in smart contract auditing, you can also seek help from the CodeArena community. We also encourage discussions about the application of machine learning for smart contract auditing and other innovative approaches.\n\nTo clarify any queries about specific contests, we provide links that indicate the scope of the audit, like this one for a specific contest: https://github.com/code-423n4/2022-07-golom#scope. \n\nWe hope this information is helpful to you, if you have any more questions please don't hesitate to ask.", "Question: How does CodeArena's email notification system work regarding issue submissions and validation, and what should I do if I have concerns about the process?\n\nAnswer: When you submit an issue to CodeArena, you should receive a confirmation email regardless of whether your issue is ultimately deemed valid or invalid. This confirmation email is meant to assure you that your submission has been received and is being processed. Currently, there is not an email notification system for updated issues.\n\nEven the severity of the bug, which might be included in future email notifications, does not impact the receipt of this initial confirmation email. 
However, please note that an issue might be disregarded if it is of extremely small impact or lacks sufficient detail or evidence.\n\nYou can also review your issues before they are reported and check the success of the report submission in these emails and by your ability to edit submitted findings. However, be aware that some users have encountered issues with receiving these emails, which may sometimes be flagged as spam. If you do not receive a confirmation email, you can check your spam folder or open a help desk request at https://code4rena.com/help/.\n\nIn terms of the validity of the issues, it is important to note that even if a bot race identifies an issue and the bots don't pick up another instance of it, it is still valid for submission. Issues can be upgraded to a higher severity, with the explanation of findings being more important than the specific severity. If an issue is submitted with a high severity and the judge disagrees, it might be downgraded, but you'll still be rewarded for the finding unless it's invalidated for overinflating severity.\n\nIf you have any concerns about the validity or severity of the issues you submitted, you can monitor the backstage channel for the post-judging stage of the concerned contest. If you encounter issues, such as receiving emails about the updating of payment addresses without your knowledge, you can report these and they will be checked by the team. Participants can also check their submitted findings on Github from the report.\n\nIn case of any discrepancies, issues with the reports, or further clarifications regarding what constitutes a valid issue, you can create a ticket. 
Keep in mind that questions and uncertainties about how to report issues, what is considered a valid issue, and the difference between advice and a valid issue when auditing code and workflows of a project in a contest are all normal and part of the process.", "Question: What happens after a contest ends at CodeArena (C4) and when can I see the results of my submissions?\n \nAnswer: After a contest concludes at CodeArena, it undergoes several stages before the final report is published and the findings repo is made public. These stages include:\n\n1. Sponsor Review: The sponsors begin reviewing the submissions immediately after the contest ends. This review process helps triage the findings from the contest.\n2. Judging: Subsequent to the sponsor review, the submissions are evaluated by judges.\n3. Sponsor Confirmation: The sponsors confirm the judge's review.\n4. Final Judging and Quality Assurance: The judgments are finalized, after which a quality assurance check is conducted.\n5. Awarding: The prizes are awarded based on the judgment.\n6. Reporting: A final report, including discussions among sponsors and judges, is published detailing the contest results and the reasons for the acceptance or rejection of submissions.\n\nYou'll be able to see the status and results of your submissions once the final report is published and the findings repo is made public. However, the exact timeline for this process can vary depending on the duration of the sponsor review and judging period, typically ranging from 2 weeks to over 6 weeks. The delay in this process could be due to slow sponsor review or extended judging times.\n\nPlease note that the submission rules prohibit making findings \"public\" until a contest is finalised. Also, sponsors generally do not see the submissions before the contest ends. 
There are plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging.\n\nOnce the judging is complete, the contest results are posted in the contest channel. If a submission to a contest is not rewarded, participants can review why their submission was not accepted once the report is out and the repository is fully opened. More information on judging and payout timelines after a contest ends can be found in our process documentation at https://docs.code4rena.com/structure/our-process.", "Question: Do wardens receive any form of notification about the validity of each issue they submit and how is this process carried out?\n\nAnswer: Yes, wardens do receive a notification regarding the validity of each submitted issue. The notification is typically sent via email confirming whether their submission is either valid or invalid. When an issue is submitted, wardens can check the success of their report submission by looking out for this email and the ability to edit their submitted findings. \n\nThe issues reported in the published reports may not necessarily be the same as those submitted. These reports may be a summary of what was submitted by the wardens. It is possible for multiple wardens to find the same issue, however, the more wardens find the same issue, the less money each warden receives for this issue, as detailed [here](https://docs.code4rena.com/incentive-model-and-awards). \n\nIf a warden submits an issue that is also identified in an automated finding, but can lead to a high severity finding, it can be reported again during the contest by the warden and could be awarded with higher severity. \n\nRemember, the order of submitting issues does not matter in the context of multiple wardens submitting the same issue and there is no advantage for the one who submits first. 
However, the level of detail in the submission, such as the inclusion of a Proof of Concept (PoC) and comprehensive coverage of the issue, can influence the award amount. \n\nAfter a contest, if an issue is marked as invalid, wardens can query this decision by monitoring the backstage channel during the post-judging stage of the contest. Additionally, wardens can preview the judging results before they are published and if they find any issues, they can raise them to the judge for reconsideration. \n\nLastly, the platform is considering adding the severity of bugs to the emails sent out after issue submission. \n\nPlease refer to [this link](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues) for more details regarding the submission policy related to automated findings.", "Question: Where can I find information about the upcoming Livepeer contest and what's the process to participate?\n\nAnswer: The Livepeer contest is upcoming and details can be found on the contest page at https://code4rena.com/contests/2022-01-livepeer-contest. The contest will open in two days and approximately eight hours. If you're curious about the LPT Livepeer reward, it's likely that it will be outlined on the contest page as well. Additionally, you may find it useful to refer to the GitHub issues related to Livepeer findings for more context: https://github.com/code-423n4/2022-01-livepeer-findings/issues/193 and https://github.com/code-423n4/2022-01-livepeer-findings/issues/195\n\nPlease note that to be eligible for contest payouts, you will need to verify your identity after the contest ends. If this is your first time participating, you might find our video walkthrough for a previous contest helpful: https://youtu.be/ABEOIKzEshA.\n\nLastly, if you're interested in other contests, you can find a list of all upcoming and past contests, along with their reports and awards, at https://code4rena.com/contests. 
As contests can be quite competitive, the leaderboard and past contest awards might be interesting to review.", "Question: How can I create and submit a proposal on CodeArena?\n\nAnswer: Yes, you can create a proposal on CodeArena. However, to make an on-chain proposal, you will need to have (or be delegated) 50,000 tokens. Not every proposal requires an on-chain proposal. If you have an idea you're interested in proposing, a good start is to share it in the #\ud83d\udce5suggestion-box on our Discord chatroom. This provides a platform to discuss the proposal and see how it aligns with the thoughts and perspectives of others. \n\nIn the context of a contest, you are allowed to discuss potential submissions (or proposals) with the project's dev team either in the contest channel or through private messaging. \n\nIf your proposal or submission is related to findings in a smart contract, it can be beneficial to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid. Proofs of concept can be submitted via a public Github repository or by providing a diff of an existing sponsor-supplied test/contract. We also accept proofs of concept presented in plain English.\n\nFor further clarification on proposal creation or other queries, it's also suggested to pin key information to specific channels or contact the judges directly. Please be aware that while you can ask questions about the findings of previous projects or participate in private competitive audits, some rules may apply to submissions. For instance, it's best to check whether it's acceptable to show a proof of concept against a block number known to work on a testnet fork with state changes.\n\nRemember that anyone can apply to become a Certified Contributor, which can enhance your credibility when making proposals. 
A proposal could also include requests for C4 grants for building tools, like a website to display results for job hunting.", "Question: How can I access and manage the C4 token, and what should I do if I encounter any problems?\n\nAnswer: The address of the C4 token is 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222. This payment address is a multisig and will likely remain the same unless there are any accounting issues. However, if you suspect that a C4 wallet has been compromised, you can submit a request for assistance via the Code4rena Help Desk at https://code4rena.com/help/. It's also possible to update your payment addresses from your C4 account screen at https://code4rena.com/account. Please note that Code4rena does not currently allow users to change their login wallet address, but if you use Metamask, you can link multiple addresses (more information on this can be found at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with). If you have forgotten your registration wallet address, you can also seek help at https://code4rena.com/help. Importantly, if you have submitted a finding and wish to update the wallet addresses used before the reward payout, you can do this by submitting a request through the Help Desk.", "Question: How can I update my Twitter handle, profile picture, or other profile information on my CodeArena profile?\n\nAnswer: You can update your Twitter handle, profile picture, or other information on your CodeArena profile by submitting a help desk request. To link your Twitter account or update your profile picture, go to the help desk page at https://code4rena.com/help and enter your request details. This can include your warden name, Twitter URL, or an image link for your profile picture. Make sure your profile name matches your name in the chat. You may also want to check out https://github.com/code-423n4/code423n4.com/tree/main/_data/handles to make a pull request for your handle. 
\n\nPlease note that it's not currently possible to change your username on CodeArena without re-registering. If you're having issues connecting your Discord account with your CodeArena account, you can also reach out via the help desk. \n\nFor updates like a Github username change in the CodeArena profile, a manual update to backstage access by a CodeArena Github admin may be required. If you're interested in becoming a certified contributor at CodeArena, you can submit an application via this link: https://code4rena.com/certified-contributor-application. \n\nRemember, the ability to edit your profile on CodeArena requires certification.", "Question: Can I change my handle on CodeArena and how will this affect my participation in contests?\n\nAnswer: Currently, changing your handle on CodeArena is not advised as it may cause issues with past or ongoing contests. This is due to a significant amount of data being keyed off the handle. Your leaderboard standings and submissions under the previous handle, for instance, are not transferable to the new account. \n\nHowever, CodeArena is actively working on making changes to enable handle changes in the future. This will also include the ability to use the same handle with different wallets in a single contest.\n\nIf you need to participate in a contest, you must review and make a pull request for your handle at this [link](https://github.com/code-423n4/code423n4.com/tree/main/_data/handles). This handle can be of your choosing and is not limited to your Github or Gab handle. It's crucial to note that this handle is used for leaderboard standings and award processing.\n\nWhile we are working on improvements, if you need to change your handle, you would need to create a new registration/discord handle and start over with the new name if you were on the leaderboard. 
The process of verifying these changes involves creating a signed message on [mycrypto.com](https://app.mycrypto.com/sign-message) and adding the JSON to the PR using a wallet address that has participated in a contest.\n\nRemember, if you use someone else's handle, the findings might be credited to the wrong person. So, it's crucial to use your correct and unique handle.", "Question: How can I verify and validate changes to my CodeArena profile, such as changing my Twitter handle or wallet address?\n\nAnswer: To verify and validate changes to your CodeArena (C4) profile, such as changing your Twitter handle or wallet address, you would need to go through a few steps. \n\n1. For changes like updating your Twitter username, you would need to submit a help desk request. This also applies if you're trying to bind or link your C4 profile to your Twitter profile.\n\n2. For wallet address changes, due to their complexity and risk of potential issues such as leaked private keys or malicious transactions, it is recommended that these changes are made only if extremely necessary, such as if your old wallet was compromised. You would need to directly message the team with your request.\n\n3. When verifying changes to user handles, you would have to create a signed message on MyCrypto.com and add the JSON to the PR using a wallet address that has been used in a contest. This process helps to ensure that the changes are intended and authentic. You can create a signed message here: https://app.mycrypto.com/sign-message.\n\n4. If you wish to change other account details, you may be able to do so by registering another account with the same email/Github address or by direct messaging identified individuals for updates to submissions.\n\nPlease note that there has been a discussion about dishonest projects cloning white-hat reports to cut down on their payouts, so it's important to be vigilant about your account security. 
And remember, when in doubt, you can always contact the streams' protocol team for clarification.", "Question: How can I submit my team's issues and updates on CodeArena (C4)?\n\nAnswer: In order to submit your team's issues or updates, you need to create a Pull Request (PR) on GitHub. If you need to update team information, create the PR and submit it to https://github.com/code-423n4/code423n4.com/pull/28. Teams can also submit their issues through a PR and include their team handles when reporting issues. If an issue involves many lines changed, you can send a git patch or a PR to the repo. \n\nFor instance, when submitting an issue with a proof of concept, you can include the proof of concept in a gist file and drop the link into the submission where it's relevant. If your proof of concept for an issue is too large to embed directly in the issue, providing a gist is acceptable. More information can be found at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.\n\nIf you're submitting a findings report, you can add the GitHub permalink for the respective code block in the 'Links to Affected Code' section. Remember that adding a link to a sponsor's Github repo code doesn't automatically pull in that code snippet to the report. You can also provide your reasons for flagging an issue directly in the report itself. \n\nOnce your team's PR is merged, you can submit findings as a team. Merged PRs can be seen at https://github.com/heiho1/code423n4.com/pulls. Be aware that team pull requests need to be accepted by someone from the team. 
\n\nIf you have ideas for the website, you can submit pull requests with these to the GitHub, or if you wish to change your warden avatar and links on the CodeArena website, you can do so by making a PR on the _data folder on the site repo.", "Question: Where can I buy Matic and what are its uses while interacting with the CodeArena platform?\n\nAnswer: Matic, also known as Polygon, is a cryptocurrency that's heavily utilized within the CodeArena ecosystem. It can be purchased through various platforms, with specific resources available in our Discord chatroom here: [Discord Link](https://discord.com/channels/810916927919620096/824698635815223316/915880736664461322). \n\nMatic serves multiple purposes in our system: \n\n1. It is used to pay gas fees for transfers within the system, including sending or transferring coins from a wallet. \n\n2. If you wish to bridge from Polygon to Ethereum and later withdraw USDCs on Coinbase, both Matic and Eth are needed if using the Polygon bridge. If you're using the Hop Bridge, only Matic is needed, but you'll receive less USDC on the Ethereum Mainnet. \n\n3. Matic can also be swapped without a gas fee at this link: [Gas Swap](https://wallet.polygon.technology/polygon/gas-swap)\n\n4. It's also worth noting that you may need small amounts of Matic to pay for transactions when bridging tokens, swapping tokens, or moving funds back to the mainnet. \n\nRemember, optimal token usage and purchasing strategies are often discussed in our chatroom, so feel free to join us there should you need further clarification or have additional questions.", "Q: I'm having trouble receiving my award from Mellow Protocol through Metamask using the Polygon mainnet. Can you help me understand the process, and how I can verify my transaction?\n\nA: Sure, I can help with that. First, you need to know that all CodeArena rewards, including those from Mellow Protocol, are sent in USDC on the Polygon network, not the Ethereum network. 
Hence, you should be checking your Polygon address, not the Ethereum address. If you have an issue of zero balance in your Metamask wallet, try adding USDC on the Polygon network to your wallet.\n\nTo verify your transaction, you can use the PolygonScan website, where you can monitor tokens by inserting your address, like so: https://polygonscan.com/address/. \n\nIn case you want to move your funds back to the mainnet, you can use the Polygon bridge: https://wallet.polygon.technology/. Bear in mind that bridging from Polygon to Ethereum and later withdrawing your USDCs on Coinbase will require both Matic and Eth if you're using the Polygon bridge. If you're using the Hop Bridge, only Matic is needed, but bear in mind that you may receive less USDC on the Ethereum Mainnet.\n\nLastly, please be aware that if you run into any issues, such as your MetaMask wallet being hacked and your reward from Code4rena being stolen, please report it immediately so we can provide further assistance.", "Question: Where can I ask questions relating to Solidity, learn more about auditing smart contracts, and get help on related issues?\n\nAnswer: You are encouraged to ask Solidity related questions directly on the CodeArena platform. For specific topics or contests, you should ask in the designated channels. If you are interested in learning more about auditing smart contracts, there is a #\ud83c\udfebeducation channel on our Discord where you can find resources. There is also a YouTube resource that can be beneficial: https://www.youtube.com/@smartcontractprogrammer.\n\nIf you are facing challenges in understanding concepts related to smart contracts or have coding issues, the best option is to reach out for clarification in the contest channel. There have also been discussions on tools such as Slither, a static analysis tool for smart contracts, and the online Remix IDE for checking Solidity code for syntax mistakes. 
A tool to view on-chain contracts of etherscan in an IDE has been shared: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484. \n\nFor inquiries about specific Solidity syntax, such as \"Sale public sale,\" or issues related to the use of specific terms like \"safeTransferFrom\" in smart contracts, you may also find assistance on the platform. Lastly, if you're a beginner in Solidity development, don't hesitate to participate in the competition as this could be a great place to learn and improve your skills.", "Q: What tools, methods, and resources can I use to reliably count or compare the number of lines of code (LOC) in a Solidity contract, and how can I understand and resolve discrepancies between different measures?\n\nA: There are several tools and methods that can be used to count the number of lines of code in a Solidity contract. Solidity Coverage (https://www.npmjs.com/package/solidity-coverage) and Solidity Metrics nSLOC (https://github.com/ConsenSys/solidity-metrics) are popular tools, but they may give different estimates. The tool named 'cloc' was also mentioned as a reliable method for calculating LOC.\n\nOne thing to keep in mind is the concept of SLOC (Source Lines of Code), which is the total number of lines of code excluding comment lines. This could be one reason for the discrepancies you see in line counts between different methods. For example, a mismatch between the number of LOC mentioned in the README.md and the actual lines in the contract files was noticed on the Sherlock finance's repo (https://github.com/code-423n4/2022-01-sherlock). It's possible that one count included comment lines while the other did not.\n\nOne way to validate or compare these counts is to view the file in an Integrated Development Environment (IDE) or directly on Github. 
This can give you a more tangible measure to consider.\n\nAs for copying code from Github with the contract file name and line numbers, although I don't see a direct answer to this query from the chat, typically, you can copy the code as plain text and the file name and line numbers would need to be noted manually.\n\nLastly, as you delve further into your Solidity project, consider using tools like Hardhat for gas optimization, Mythril and Slither for testing contracts, and resources like https://www.youtube.com/@smartcontractprogrammer for learning more about the math and accounting behind Solidity projects. Always remember to follow the guidelines on reporting issues related to smart contracts (https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md).", "Question:\nHow are the status updates for past contests organized and where can participants track their submissions and findings?\n\nAnswer: \nThe status updates for past contests are organized in a dedicated section called \"Past Contest Status Updates\" on the CodeArena website, which functions as a timeline. This order represents the progression of the contest. You can check this section to see where contests currently stand in the process.\n\nMoreover, if you participate in a contest, you can track your report status and see and edit your findings in the \"Findings\" tab next to the contest description. This allows you to stay updated with your progress as well as the progress of the contests.\n\nAs a participant, you also have the privilege to view your Quality Assurance (QA) reports for contests that have closed. If you have a query about the status or schedule of final reports, please do not hesitate to inquire. \n\nIt's important to note that some contests, such as the \"FV contest\", may not visually appear in the status updates due to their different working mechanisms. These contests are usually judged by Certora. 
\n\nPlease also be aware that the public report page is updated mid-contest and the timeline for publishing contest results depends on the time taken for judging. For larger contests, like ones involving over 12,000 lines of code, the timeline may be extended to 4 weeks.\n\nFor any upcoming contests, updates can be checked on the RSVP channels. Also, note that not all upcoming contests might be updated immediately in the specific channels, but rest assured, all contests, both public and private, are listed on the website.\n\nRemember to keep an eye on our website and updates for any changes. As a part of our continuous improvement, we are considering changes to our leaderboard tracking and other features based on user feedback.", "Question: How can I update or confirm my reward wallet address on Code4rena?\n\nAnswer: You can update your reward wallet address on your Code4rena account. You can do this by navigating to your account page at https://code4rena.com/account, and from there, you can update your payment addresses in the 'Manage Account' section. If you wish to change the wallet address you use to log in, instructions are provided at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. \n\nIf you have submitted a finding and wish to update the wallet address used for that, you can do so after the finding has been submitted and before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. \n\nIf you have already updated your wallet address in your account settings, future rewards will be sent to the new address. Please remember that rewards are sent to the wallet address on file at the time awards are calculated for an audit. \n\nIf you have forgotten your registration wallet address or have other issues, you can seek assistance at https://code4rena.com/help. 
Remember, it's essential to secure your wallet address to receive rewards for your work.", "Question: What is the timeline and process for the announcement and distribution of awards at CodeArena?\n\nAnswer: The timeline and process for the announcement and distribution of awards at CodeArena is a thorough and detailed one. The awards for each contest are generally announced separately, and the rewards are typically aimed to be paid out in the same week they are announced. However, this timeline can extend up to two weeks. This is due to the meticulous steps taken to ensure the process is completed correctly and securely. \n\nEach Monday, the signatures for the award distribution are rounded up in a standing meeting and the awards announced are processed for distribution. The awards are then sent out manually in batches for multiple contests at a time, which can further extend the timeline. It's worth noting that sometimes there can be delays in this process, as seen in instances like the Nested Finance audit contest. \n\nThe leaderboard on the company's website gets updated every time awards are announced, although it's important to note not all contest types are currently supported. The leaderboard builds off the dates of the audits themselves and does not track the specific dates the awards went out. \n\nThe community has suggested for greater clarity, splitting the 'Awarding' announcement into 'Awarding' and 'Paid' sections. If a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week. However, the reward distribution does not occur immediately after the reward computation due to the involved sponsors' time. \n\nThe team at CodeArena is continuously working to improve this process and aims to process and distribute multiple contest rewards as swiftly and efficiently as possible. 
If there are any questions or concerns about the awarding calculations, participants are encouraged to reach out for clarification.", "Question: After following the necessary steps, my status shows \"Review Required\". Does this prevent me from participating in contests and how can I check the status of my submissions?\n\nAnswer: Upon completion of the required steps, your application will be reviewed, which can take up to a few business days. During this phase, your eligibility to participate in some contests may be restricted as certain contests require certification for payouts if any submissions are awarded. However, you can participate in some contests that do not require certification.\n\nOnce you have submitted findings for a contest, you will receive a confirmation email, although there might be some delays. To track the status of your report and see/edit your findings, you can go to the \"findings\" tab next to the contest description. Please note that the time taken for project findings to get reviewed varies with each contest.\n\nUpon completion of the contest, your submissions will be reviewed and triaged by our judges. This is followed by a sponsor review, final judging, and Quality Assurance before the results are publicly announced. During this phase, you will not be able to see the status of your submissions until the final report is published and the repository becomes public.\n\nIf your submission is not rewarded, you can review the reasons by accessing the final report once it is published and the repository is fully open. This allows you to see the discussion among sponsors and judges on the specific issue. \n\nRemember to keep an eye on the \"Past Contest Status Updates\" section which provides a timeline of where contests are currently in the process, including stages of contest finish, sponsor reviews, judging, awarding, and reporting. \n\nPlease note, becoming an eligible contributor means completing the application and getting approval. 
Getting certified grants access to more contests but does not automatically grant access to private contests or previously participated contests in progress judging repository. For these, additional permissions such as backstage access or ranking on the leaderboard might be required.", "Question: How can I communicate with someone from Code4Arena, including staff members and participants?\n\nAnswer: There are several ways to communicate with someone from Code4Arena. If you have a private inquiry or need assistance with issues such as changing profile details, associating your Twitter handle with your Code4Arena profile, asking questions related to contests, or if you're facing issues connecting your Discord account with your Code4Arena account, you can submit a help desk request at https://code4rena.com/help. Each contest also has a dedicated channel where general questions can be asked, and sponsor team members are available for direct messages. You can also direct message the Code4Arena staff and participants in the Discord chatroom. If you've forgotten your username or have login issues, you can seek help in the #auth-help channel on Discord.", "Question: Can I change my wallet address on CodeArena and how does this affect receiving tokens?\n\nAnswer: Yes, it is possible to change your wallet address on CodeArena. However, because wallet addresses are not centrally stored and are collected separately for each contest, changing your wallet address requires substantial effort on our part. If you need to change your address due to critical reasons such as your previous wallet being hacked, please Direct Message (DM) us. \n\nIf you wish to change the wallet address where you receive awards, you can find more information about this at [Warden Auth](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards). 
Please note that if you change your wallet address, the rewards will be sent to the wallet address on file at the time the awards are calculated for an audit.\n\nFor future reports, you can use a new wallet address and the rewards for the report will then be distributed to the new address. The payment wallet address can also be updated within user profiles on CodeArena. If you need to change your wallet address, you can update it after submitting a finding and before the reward payout by submitting a request through the Help Desk at [CodeArena Help](https://code4rena.com/help).\n\nHowever, it's important to note that the login wallet address can't be changed at present, but if you're using Metamask, you can link multiple addresses. More information about this is available at [Warden Auth](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with). If you need to change your login wallet address, please follow the instructions provided at the same link.\n\nPlease be aware that changing your wallet address is a complex process, and we request that you only DM us for this change if it's extremely important. Also, remember that you have the responsibility of managing and securing the keys to your wallet, as the saying goes, \"Not your keys, not your coins.\" If you have any other queries, please refer to the FAQs on our website or ask in the Discord chatroom.", "Question: What is the process and scope of getting smart contracts reviewed by CodeArena (C4)?\n\nAnswer: Teams typically submit a few contracts or entire protocols for review. This could include contracts that are already deployed and others that may not be. 
The scope of the review often depends on the contest details as provided on the contest page (for example, see [Streaming Protocol Contest](https://code4rena.com/contests/2021-11-streaming-protocol-contest)) and can sometimes extend beyond the contracts to script folders, based on the judgement of the reviewer.\n\nOnce a team applies to participate in a contest, the approval process can take a few business days. If the team wishes to compete, all members need to be certified to receive the payout. There is also a provision for team members who want to participate solo.\n\nAfter the contest ends, reports are reviewed and triaged by judges and then await sponsor review, final judging, and Quality Assurance before becoming public. The acceptance of reported issues depends on their severity as evaluated by the sponsors and judges, and the impact of misbehavior by the owner of the contracts is also considered. Wardens may get paid for sponsor confirmed issues or sometimes even disputed ones. \n\nThere are additional specialized contests like \"Mitigation review contest\" where projects invite top wardens back after the contests to review bug mitigations. The process and time taken for reviewing project findings can vary with each contest.\n\nIn some cases, if a bug in a contract that's in scope impacts another contract that's out of scope, the impact might count, but this decision is generally up to the judge. Users can also report smart contract issues differently based on their judgement. However, direct contact with judges for clarifications is subject to uncertainty.\n\nAll applicants for a working group may not be contacted, and only those who are accepted will be informed. Open discussions are encouraged for general/broad questions about the contests. 
Currently, there are no upcoming competitions, but CodeArena is in talks with several people about potential audits.", "Q: When and how are the rewards for a contest on CodeArena distributed?\nA: Once a contest is concluded and winners are announced, the rewards are planned to be distributed typically within the following week. These rewards are not distributed immediately due to the use of multisignature (\"multisig\") wallets, which require multiple parties to sign off before funds can be released. The rewards are sent to the user's registered wallet address, and you can check the announcement channel for updates on distribution. If the contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed soon. Please note that in some instances, there might be a delay in the distribution of awards due to various reasons. If you have not received a reward for a particular contest, it may be because the distribution is pending or there has been a delay. The company plans to distribute awards via smart contracts in the future for a more streamlined process, but more steps need to be implemented before this can happen. Please note that if you change your wallet address, you need to update it in your reports for future distributions. If you have participated in contests like Yeti Finance, XDEFI, stakehouse-nov11, #llama-jun06, Stakehouse, Nested Finance audit, or others and are awaiting rewards, please be patient as they are likely on their way to your wallet soon.", "Question: What is CodeArena's process for ensuring and confirming the receipt of submissions?\n\nAnswer: At CodeArena, it is standard practice to send an email confirmation upon successful submission of entries. These emails will typically arrive within a few minutes. If you do not receive an email, it may have gone to your spam folder, so we recommend checking there. All submission confirmation emails come from submissions@code423n4.com. 
Even if there is an error with your submission, you should still receive an email confirmation, which can help you verify whether your submission was successful or not. \n\nAdditionally, you can check the status and success of your submission by looking for the ability to edit your submitted findings. All your submission reports can be viewed under the \"Findings\" tab on the C4 Contest page. If you have submitted a larger report via email and placed a placeholder in the original submission, you will also receive a confirmation. \n\nIf you still encounter issues or have any further queries regarding your submission, you can submit a helpdesk request. Furthermore, we've learned from user feedback that the ability to respond to the submission confirmation email could be beneficial, and we're considering adding this function. \n\nPlease note, once your submission is finalized and approved, you should receive an additional email confirmation. This includes Quality Assurance reports, Provenance application approvals, and finalized certifications. \n\nLastly, while our team is always here to assist, we do not recommend contacting judges directly about submissions. Instead, any questions about submission rules or other related inquiries should be directed to our helpdesk or discussed in our Discord chatroom.", "Question: How should I submit reports for gas optimization in the CodeArena contests?\n\nAnswer: For gas optimization submissions in CodeArena contests, it is recommended to compile all of your findings into a single report. This report should ideally include details about how much gas would be saved via the refactored code for each finding, as this can potentially increase your points and affect the grade of your submission. However, the necessity to specify the amount of gas saved for each optimization ultimately lies with the judge's discretion. 
\n\nIf a certain gas optimization can be applied in more than one line of code, it should be submitted as a single finding, citing all the lines where it can be applied. If the report exceeds the limit of a single submission, it can be split into separate sends. \n\nIn addition to the gas report, you are required to submit one consolidated Quality Assurance (QA) report per contest. If a finding is relevant to both QA and gas savings, it can be included in either report and the judges will decide where it fits best. \n\nIt's worth noting that you do not have to submit reports for all categories (high, medium, QA, gas optimization) at once; you can submit what you find. \n\nRemember, only one report of gas optimization can be submitted per contest. If you have additional findings to add to the report, you can do so by going to the contest page and clicking the 'Your Findings' button. \n\nJudges and sponsors appreciate it when similar issues are grouped together in your submissions. All valid findings for gas optimizations are equally weighted. \n\nIf you are unsure whether to submit findings as separate issues or as a single one, it may be best to seek further guidance.", "Q: Why haven't I received an email confirmation for my issue submission on CodeArena, even though the issue was minor?\n\nA: CodeArena strives to send an email confirmation for every issue submitted, regardless of its severity. However, there have been instances where users did not receive these emails due to various reasons. Some of the reasons could be:\n\n1. Email receipt issues: We have observed instances of users not receiving email receipts for their contest findings. It has been reported that our emails sometimes land in the spam folder, so we recommend checking there as well.\n\n2. GitHub incidents: Sometimes, the interruption in email receipts might be due to an incident on Github. 
You can check the status of Github [here](https://www.githubstatus.com/incidents/r5qrpp2f5fc0) to see if there are any recent incidents that may impact email notifications.\n\n3. Email delivery errors: There have been reports of email delivery errors due to issues with our domain. For instance, the email \"submissions@code432n4.com\" faced delivery failures due to an error with the domain.\n\n4. Delays in responses: It's possible that there might be a delay in email confirmations. It has been observed that it takes some time for a submission of a finding to be confirmed via email. If your submission fails, the form should return an error.\n\nIf you have not received an email, you can open a help desk request at [https://code4rena.com/help/](https://code4rena.com/help/). Please note that we are also considering adding the severity of bugs to the emails sent out after issue submission to provide more transparency and are continuously working to improve our communication processes.", "Q: How are rewards for findings distributed at Code4Arena and when can I expect to receive them?\n\nA: Rewards for findings at Code4Arena can be paid partially or in full, depending on the nature of the finding and whether it is a duplicate. In case of duplicates, the first reporter is typically given preference, but the reward may be split based on quality, severity, and other factors detailed in the rewarding formula at https://docs.code4rena.com/incentive-model-and-awards. Reward amounts for contests are provided by the sponsor and the full pool of prizes for different severities will be paid out as per the standard model. \n\nIf a report is accepted, the reward payment is typically made within 1-2 business days of the announcement. However, contest rewards are usually transferred once per month, towards the beginning of the month. The timeline may vary due to the use of multisignature wallets which require signatures from multiple parties before funds can be released. 
\n\nOccasionally, there can be revisions to the payment amount (increase or decrease) after payout. This, however, seems to be rare, and the specifics would be case-dependent. \n\nIn cases where teams are involved, the team will receive one payment and it's their responsibility to split the reward amongst themselves. More information on this can be found at https://docs.code4rena.com/roles/wardens. Also, in the case of QA and gas reports, rewards are categorized into grade A, B, C based on quality and gas savings, with grade A and B reports typically receiving rewards.\n\nIn case no high or medium issues are found in a contest, the specifics of reward distribution would vary based on the terms of that contest. You can always update or confirm your reward wallet address.\n\nIt's important to note that all this information is as per the current practices and may be subject to change, especially in light of ongoing discussions to improve the transparency and efficiency of the reward payout process.", "Question: How is the Lines of Code (LOC) or Source Lines of Code (SLOC) determined for each contest and how should auditors handle discrepancies or confusion regarding this?\n\nAnswer: CodeArena computes the Source Lines of Code (SLOC) for each contest using a tool called 'cloc'. The SLOC refers to the number of Lines of Code minus the number of lines that are comments. This is the number you'll usually see reported in the README of the contest repository - for example, you can see the SLOC in the README of the Sherlock contest repo [here](https://github.com/code-423n4/2022-01-sherlock).\n\nHowever, there can be discrepancies between the SLOC mentioned in the README and the actual lines in the contract files. This may be due to the inclusion of spaces or other non-code lines in the count, or a typo in the reported number. 
If you notice a discrepancy like the one reported for Dopex or the #arcade-jul21 contest, it's a good idea to bring it up in the discord chat for clarification. Also, it's worth noting that different tools, such as Solidity Coverage and Solidity Metrics nSLOC, may measure lines of code in a Solidity contract differently, which can contribute to these discrepancies.\n\nWhen auditing code, if there's any confusion about which lines of code to refer to, it's usually best to use the line numbers in the files as they appear when viewing the code in GitHub. You can also reference specific lines of code in your reports by either leaving direct links to the code on GitHub, or referring to a specific file and line number.\n\nWhen you're auditing a specific contest, always read the README.md for each contest, as it will outline what is in scope for auditing and what is not. For instance, in the PoolTogether audit, there were two contracts in scope as specified in the README. Sometimes, the README will also contain a section titled \"Known Findings\" where automated findings not accepted in the contests are listed.\n\nRemember, the procedures for disclosing issues related to smart contracts can be found [here](https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md). If you're unsure, don't hesitate to ask in the discord chat.", "Q: How are Lines of Code (LOC) standardized across different contests at CodeArena and how can I ensure my understanding of this metric is correct?\n\nA: CodeArena uses a tool called 'cloc' to calculate Lines of Code (LOC). It's suggested that the method of calculating LOCs, or Source Lines of Code (SLOC), should be standardized across contests to avoid confusion. If you notice a discrepancy in the SLOC count for a contest, such as what was observed in https://code4rena.com/contests/2023-08-arbitrum-foundation#top, it's recommended to raise the issue for clarification. 
This will help ensure that all participants have a clear understanding of contest metrics, and will also help standardize the calculation process. \n\nBear in mind, however, that the duration of contests is not directly proportional to the size of the source code (sloc), so it's not a determinant of how long a contest might run. If you have specific questions about the scope for a contest, we suggest addressing them to the respective sponsor. For reference, contest judging criteria can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md.", "Question: How can I view, edit, and understand the status of my findings for a contest after the contest has finished but before the results are published?\n\nAnswer: After a contest has finished, the findings cannot be made public immediately. This is to facilitate an unbiased review process, which includes Sponsor Review, Judging, Awarding, and Reporting. However, you are allowed to view and modify your own findings by navigating to the contest page and clicking on the \"Your Findings\" button. \n\nPlease note that submitted findings that do not make it to the final report may be rejected during this review process, and the reason for this may not be immediately available. You will have to wait until the final report is published to understand the details of such decisions.\n\nThere is a period of time before findings are made publicly available for discussion. This is when the final report is published and the findings repo is made public. The specific duration varies and is not mentioned explicitly. \n\nFor Certified+ wardens, they can view the findings repo immediately after a contest ends. As for when findings from an already paid contest are made public, it happens when the report is posted.\n\nIf you want to track the status of your report or check your submission without modifying it, you can do so by visiting the 'findings' tab next to the contest description. 
\n\nRemember, the platform allows you to view reports from other wardens even after contests have ended. \n\nIn case you wish to withdraw a finding, you can do so under \"your findings\" on the contest page. Please keep in mind that all these processes are subject to change and it's always best to refer to the latest rules and guidelines posted on the official CodeArena (C4) website.", "Question: Could you elaborate on what LOC refers to in the context of CodeArena contests and how it's determined?\n\nAnswer: In CodeArena contests, LOC, which stands for Lines of Code, refers to the count of actual lines of code in a given smart contract, as calculated by a tool called 'cloc'. This number does not include comments and blank spaces. The largest contest in terms of Source Lines of Code (SLOC) can be inquired about. SLOC can also refer to the numbers added for each contract within a contest. There have been instances where contests involving over 12k SLOC have been extended to 4 weeks. There's also been feedback to standardize LOCs across different contests for consistency and to avoid confusion on how LOC is determined. You can find more information about LOC and the contest process in general at https://docs.code4rena.com/structure/our-process.", "Question: How does CodeArena calculate and consider Source Lines of Code (SLOC) during the scoping/sales/intake process?\n\nAnswer: The calculation of Source Lines of Code (SLOC), which is the number of lines of code excluding comments, is not standardized across different contests at CodeArena. However, it is suggested that SLOC be documented in the readme files as it provides a clearer representation of the code than Line of Code (LOC) which can be misleading due to comments. \n\nWe use a tool named 'cloc' to calculate the LOC. 
For better understanding of how lines of code are calculated, you may refer to 'cloc' and for a comprehensive understanding of SLOC, you can refer [here](https://www.google.com/search?q=SLOC+meaning&oq=SLOC+meaning).\n\nIt's important to note that while SLOC is an important measure, it doesn't directly determine the duration of contests. For instance, a project named Maia had 12K SLOC and the audit duration was 20 days. However, due to concerns raised about the limited duration, the timeline for contests with over 12k SLOC may be extended to 4 weeks.\n\nAnother point of consideration is the accuracy of SLOCs reported. For example, the SLOCs for Dopex were initially reported inaccurately, including spaces, and had to be corrected to 2200. Therefore, it's important to ensure the accuracy of SLOCs reported to avoid confusion or misjudgment of the scope of the project.\n\nFinally, the SLOC of a project is considered when assessing the level of effort a scope will require, but it's only one of several factors. Other factors may include whether the project uses an oracle or how external pricing data is entering the project. \n\nIn conclusion, while SLOC is a useful measure, it is not the sole determinant of the scope or duration of a project.", "Question: How does the leaderboard work for CodeArena contests, specifically for the Sublime contest?\n\nAnswer: The leaderboard on CodeArena is a ranking system used to acknowledge the participants' achievements in the contests. The ranking on the leaderboard is affected by both the current contest and the total participation of a contestant. For instance, after each contest ends, the leaderboard gets updated and users can see the number of overall issues they reported at https://code4rena.com/leaderboard.\n\nAs for the Sublime contest, it was reported that the leaderboard did not initially feature the contest. However, our team is actively working on resolving this issue. 
That being said, the leaderboard gets updated every time awards for a contest are announced, but it's important to note that not all contest types are currently supported.\n\nThe leaderboard can be found at https://github.com/code-423n4/code423n4.com/issues?q=leaderboard, with cumulative results from the first two contests viewable at https://code423n4.com/leaderboard/. However, be aware that the leaderboard file only contains contest numbers, making it less clear which number corresponds to which contest.\n\nThere have been concerns about the leaderboard not accurately reflecting a user's accomplishments, with the possibility that contest results are not counted for the full duration. Our development team is considering adjustments to the leaderboard to better reflect the performance of users, including potential changes from tracking the last number of days to the last number of contests.\n\nIf you make it to the top 5 in a contest, you can get a \"leaderboard\" tag on your profile. However, it's important to note that rewards from previous private contests also contribute to the leaderboard. Permissions to audit private contests usually require a rank on the leaderboard as well as certification. \n\nFor any changes or concerns regarding the leaderboard or contest results, you can reach out to our help desk at https://code4rena.com/help. We also have a suggestion box for users to share ideas on how to improve our website, leaderboard systems, contest processes, and Discord setup.", "Question: What happens if wardens report the same vulnerability but with different severities? How is the award calculated and is it affected by duplicates or the order of submission?\n\nAnswer: If wardens report the same vulnerability but assign it different severities, they are all given the same severity for the calculation of the award. 
This is part of Code4rena's deduplication process and the subsequent judging phase to determine severity.\n\nIf more than one warden finds the same issue, the reward for that issue is shared among them. The order of submission does not impact the reward division, as clarified in the Code4rena documentation: https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit.\n\nThe reward amount can also be influenced by the level of detail in the submission, such as the inclusion of a Proof of Concept (PoC), and the comprehensive coverage of the issue. Further, the severity to be reported should be based on the impact of the bug, as suggested in the judging criteria: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk.\n\nIn some cases, vulnerabilities initially identified by bots and rated lower than their actual severity can be reported again by a warden during the contest and awarded with the higher severity, as long as they meet the judging criteria. The criteria for these cases can be found here: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.\n\nIt's worth mentioning that although the reward distribution among wardens can be influenced by duplicates and the level of detail in the submission, non-critical vulnerabilities, which could still benefit the sponsor, are not considered for awards.", "Question: What should I do to understand why my submission to a contest was rejected and how can I review my submission and others' after a contest is completed?\n\nAnswer: If your submission to a contest was not rewarded, you can understand why it was not accepted by reviewing the published report and the fully opened repository (repo) at https://code4rena.com/reports. This report is typically available a month after the contest ends, once it has passed through Sponsor Review, Judging, Awarding, and Quality Assurance stages. 
The report and the repo will include the discussion among the sponsors and judges about the specific issue related to your submission.\n\nIn addition, you can check the status of your submission or any modifications made to it without affecting it. The \"your findings\" section on the contest page also allows you to withdraw or retract your findings if you wish to create a new one. \n\nIt's important to note that there is a process in place if you wish to query an issue marked as invalid. You can monitor the backstage channel for post-judging stage updates for the concerned contest. There are also procedures to discuss or argue your case if your submission is rejected. \n\nHowever, be mindful that there may be penalties for too many unsatisfactory submissions. If you have any queries about submission rules or feedback on your submissions, you are encouraged to raise them. \n\nPlease remember that even if you have submitted issues for a contest and they did not make the award list, it doesn't necessarily mean that they were rejected. They may simply not have made it to the final report. Therefore, improving your understanding of why a bug was not accepted can help you improve your future submissions.", "Question: How are duplicate issues treated in the CodeArena (C4) auditing process, and how are rewards distributed for such issues?\n\nAnswer: Duplicate issues refer to similar vulnerabilities that are either derived from the same root cause or can be resolved by addressing the same section of the code. They may be submitted by different wardens, and the submission order is not a determinant for rewards.\n\nIn general, all submissions, including duplicate issues, are eligible for rewards. They are all evaluated on their own merit, with the most succinct, well-written, and impactful submission usually chosen as the primary issue. If two wardens submit the same issues, there is no advantage for the one who submits first. 
\n\nIn some cases, multiple reports of the same nature might be condensed into a single entry in the final report, but this doesn't affect the reward distribution. For example, in a contest named \"Redacted Cartel\", gas reports G-04 to G-08 were rewarded as duplicates, each receiving a portion of the reward.\n\nIt's noteworthy that if an issue is found by the bot race, but another instance of that issue is not picked up by the bots, the issue is still valid for submission. Similarly, if an issue occurs in two places in the same contract and they aren't related but carry the same meaning, they can be considered as two different issues. \n\nIf you come across a disputed issue or want to understand the reason for the rejection of specific issues, you can check the findings report repositories such as [https://github.com/code-423n4/2023-06-lybra-findings/issues/549](https://github.com/code-423n4/2023-06-lybra-findings/issues/549). Additionally, our 'known issues' policy might provide further clarification: [https://github.com/code-423n4/org/discussions/50](https://github.com/code-423n4/org/discussions/50). \n\nRemember, the priority of CodeArena is to ensure the robustness of the audited smart contracts, and every valid contribution helps us achieve this goal, regardless of whether it's a duplicate or an original finding.", "Question: What factors contribute to the rewarding and incentivization of high-quality submissions in CodeArena's smart contract audits?\n\nAnswer: CodeArena places a significant emphasis on the quality of the submissions for its smart contract audits. The primary issue selected by judges in each contest represents the bucket in the published report, and the warden responsible for this issue gets first attribution. Moreover, the best report typically receives more monetary rewards than other reports, and duplicates that are not beyond a certain threshold may not receive any reward. 
\n\nThe factors that contribute to the rewarding and incentivization of high-quality submissions include:\n\n1. Correct identification of the highest severity impact of the bug\n2. Making a convincing case for the chosen severity and validity with pertinent evidence\n3. Clear and understandable writing\n4. High-quality and high-quantity findings. Participants with such reports tend to score better in CodeArena competitions ([https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues))\n\nAdditionally, CodeArena considers both the quantity and quality of submissions when grading QA reports, and a single item in a QA submission is unlikely to receive a high grade. More details about this can be found here: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n\nSubmissions are also eligible for bonuses, with a high-quality submission potentially receiving a larger bonus. However, there is currently no intentional incentive for reporting QA type of submissions, as sponsors are primarily interested in high/medium/low severity vulnerabilities and gas optimizations.\n\nFurthermore, the best report isn't necessarily the first submitted. Judges select this based on the strength of the write-up, not the order of submission. Also, users' concerns regarding getting penalized for too many unsatisfactory submissions have been noted. 
\n\nLastly, despite the concern that the new award philosophy may not sufficiently motivate the best efforts in QA/Gas reports, it is designed to encourage fairer competition and reward those who provide the most valuable input to the audit process.", "Question: How often do judges adjust the risk level of an issue proposed by wardens and what factors influence these adjustments?\n\nAnswer: Judges frequently adjust the risk level of issues based on their judgement on the severity of the reported issue. They have the authority to increase or decrease the risk level from the one proposed by the wardens. An issue's risk level may be increased by a judge if a warden submits a report assessing it as lower than what the judge deems appropriate. For example, if a finding is classified as low risk in a QA report but confirmed as medium risk by other wardens, the judge will usually upgrade it. \n\nConversely, an issue proposed as high risk may be downgraded if the judge believes the severity isn't as high as initially reported. The specific contest and the judge both play a role in these decisions. If there is any uncertainty about the severity of a reported issue, it is recommended to review the judging criteria and make a case for the chosen severity using evidence. \n\nThe difference between low, medium, and high risks is explained in the guidelines provided at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk. Wardens are advised to make their best and clearest case possible by reviewing these guidelines and how similar issues were judged in the past. \n\nMoreover, if a finding is submitted with a certain severity and the judges believe it should be higher, it can be upgraded unless there's a reason to penalize it, such as it being incomplete, lacking detail, or not as accurate. \n\nWardens are also informed they can see the judging results before they are published and if they see issues, they can raise them to the judge for reconsideration. 
However, it is important to note that high-risk issues typically have a higher burden of proof.", "Q: How is the role of judges managed in a contest, particularly in terms of potential discovery of new high-impact bugs during the judging phase? How are such discoveries handled and rewarded?\n\nA: Judges in CodeArena contests are critical players selected for their experience and reputation. They review the bug findings from contestants after contests end to determine their severity, validity, and quality. They also have a significant role in deciding which reports get featured in the client report, basing these decisions on the strength of the write-up rather than the order of submission.\n\nHowever, judges are not privy to the contest's specifics ahead of time. If during the review process they discover new high-impact bugs, these are reviewed and categorized based on severity. If a participant points out a bug or a logic flaw that gets approved by a judge, it's considered an achievement. \n\nParticipants can alter the severity of reported bugs after the contest ends either through the PR process or by directly contacting a judge. Judges may escalate the severity of a bug, but this usually happens if the bug is not a duplicate and has been well explained or proven. If a participant and a sponsor disagree on the mitigation of a finding, the sponsor's decision prevails.\n\nIf an issue identified in an automated finding can lead to a high severity finding, it could be reported again during the contest by a participant and potentially be awarded a higher severity. But the final decision rests with the judges. If a submission is not rewarded, participants can review why their submission was not accepted once the report is out and the repository is fully opened.\n\nThe judging process, while extensive, can take some time due to factors beyond the judge's control. There are no penalties for delayed judging, but judges are encouraged to work efficiently. 
If there are delays in judging, it is often due to an increased number of submissions.\n\nSponsors also review findings after a contest, and if they do not fulfill their duties properly, it can make the judging process more challenging as duplicate submissions need to be identified. The full details of the judging process and rewards are available on our documentation page: https://docs.code4rena.com.", "Question: How are points and rewards distributed for duplicate gas optimization reports submitted by different wardens?\n\nAnswer: According to Code4rena's incentive model, when multiple wardens submit reports for the same gas optimization, each report is assigned a share of one point depending on the number of duplicates. These points are later translated into rewards. This system is designed to resist sybil attacks and encourage wardens to consolidate their findings into a single, comprehensive report. The distribution of rewards is not affected by the order in which these reports are submitted. However, the quality of a report, such as the inclusion of a Proof of Concept (PoC), or the detail with which the issue is covered, can influence the final award amount.\n\nIt's also important to note that if the same vulnerability is reported with varying degrees of severity, it's given the same severity for reward calculation as part of the deduplication process. The judges' scores determine the QA and Gas awards and disregard duplicates. Furthermore, it's been advised that for each contest, wardens should submit at most one QA report and one gas report. If multiple people, including team members, identify a gas optimization, the reward split can be calculated using a specific formula.\n\nWhile it's possible to submit gas optimization reports without specifying the amount of gas saved, including this information could potentially increase points. 
If an automated finding can lead to a severe finding, it could be reported again during the contest by a warden for a higher severity award.\n\nFor more information on the incentive model, report submission, and reward distribution, please refer to the following links:\n\n- [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards)\n- [Report Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#report-format)\n- [Reward Calculation Spreadsheet for reference](https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0)", "Q: How are individual and team rewards displayed on the leaderboard in CodeArena, especially when a participant receives rewards both individually and as part of a team? \n\nA: The leaderboard in CodeArena displays the rewards for each participant individually as well as their contribution as part of a team. If a warden has received rewards both individually and as a team, they will appear twice on the leaderboard, under their individual profile and under their team's profile. The leaderboard ranking is influenced by the current contest and the total participation of a contestant. \n\nRewards from previous private contests also contribute to the leaderboard rankings. If a team submits a non-duplicate finding, they earn more rewards than if they had submitted individually, influencing the leaderboard rankings. However, the reward within a team is split evenly amongst the members, irrespective of who found it first. The specific calculations for these rewards can be found at https://docs.code4rena.com/incentive-model-and-awards. \n\nMoreover, it's important to note that the leaderboard is updated when awards are announced and participants can receive a 'leaderboard' discord role if they manage to get in the top 5 in the contests. While the leaderboard displays the rewards and ranks, the final report may not always be immediately available on the C4 site. 
\n\nLastly, there are questions related to the rewarding formula in terms of findings count, partial credits, and different severity of issues, and how these factors may affect the display of awards on the leaderboard. These are areas that might need more clarity for effective participant understanding and engagement.", "Question: What happens to my leaderboard standing and team membership if I change my handle or team name on CodeArena?\n\nAnswer: If you change your handle, your leaderboard standings and submissions under the old handle will not carry over to the new account. This includes findings you've submitted individually and as part of a team. If you change your team name in CodeArena, you would need to create an entirely new team, and this new team wouldn't retain any previous leaderboard positioning. \n\nAs a team member, you can make submissions on behalf of your team and can choose between your individual handle or your team handle when submitting a finding. However, changing the handle itself is currently not recommended as it can cause issues with past and ongoing contests. So if you want to change your nickname, you need to create a new registration/discord handle and start over with the new name if you were on the leaderboard.\n\nTeam handles can be created by dropping a PR and using the team handle when submitting issues. This handle can be added to the code423n4.com repository and it can be any handle, not just Github or Gab. Here's how to create a team handle: https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json \n\nAfter changing your username, you can reapply for certified status. Also, remember to update your new Discord handle in your profile on the site, especially if you're a Warden so you can be tagged in for any award announcements. 
However, do note that having an updated discord username tied to a CodeArena account does not affect receiving awards.\n\nMaintain caution while using someone else's handle as findings might be wrongly credited. Also, bear in mind that changes to teams, such as removal and addition of members, are possible, and once you join a team, you are not obligated to always participate as a team.", "Question: What occurs with the reward funds if no Medium or High vulnerabilities are detected during a contest? Does this affect the submission and reward process for lower vulnerabilities?\n\nAnswer: If no Medium or High vulnerabilities are identified during a contest, the remaining prize pool is divided based on the Quality Assurance (QA) Report curve. This is a rare occurrence, as there have only been a few instances where no High vulnerabilities were found, and no contests where no Medium vulnerabilities were detected. \n\nThe QA report curve incorporates low and non-critical vulnerabilities, often referred to as \"QA\" or \"Low\" level vulnerabilities. If a vulnerability is initially submitted as low severity but is later judged as a medium severity by the panel, it will be eligible for medium rewards as per the CodeArena\u2019s awarding policy, which can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nFurthermore, for each unique Medium or High severity finding chosen for inclusion in the audit report, a 30% share bonus is given. However, note that there are no direct incentives for reporting non-critical findings, as the focus is on high/med/low severity vulnerabilities and gas optimizations. \n\nIt's also important to note that incorrect classifications of a bug's severity do not currently incur penalties. 
For instance, if a high severity bug is judged as only medium, the submitter will still be rewarded for a medium severity bug. Same applies if a medium vulnerability is later considered high, unless there is a valid reason to penalize such as a lack of detail or accuracy in the submission. \n\nOn average, the award pot for low or non-critical vulnerabilities in contests is typically 10% of the total prize pool. An example of a contest with only low vulnerabilities can be seen [here](https://code4rena.com/reports/2021-11-fei). Remember, only one low-severity report among all the low-severity reports submitted is chosen to be included in the final report. \n\nFinally, it's important to stress that if a vulnerability is found after the contest ends, it should be reported directly to the development team. CodeArena encourages responsible disclosure but does not award findings outside of the contest timeframe.", "Q: What are some considerations when creating a QA report, how are they evaluated, and how does this affect rewards?\n\nA: When creating a QA report for CodeArena, there are several things to consider. The report should include all your findings, whether they are Low, Non Critical (NC), or related to Refactoring. If you're unsure of the significance of your finding due to lack of specification in documents, it's recommended to include these findings in the report or to direct message the sponsor team for additional context. The format of the report can influence its evaluation by judges. \n\nFor findings that could fit into multiple categories, such as mechanism and architecture, the judges may decide where it best fits. If you find issues that impact both the quality assurance and gas savings, you may include them in either section of the report. Front-running possibilities could be considered either Medium findings or QA findings depending on the impact.\n\nThe grading system for QA reports is based on a curve, compared to other submitted reports. 
The count and severity of findings, as well as proof of how much gas the refactoring saves, can impact your grade. Not all reports or findings are guaranteed a reward. Reports are graded and must meet quality standards to be considered valid and satisfactory. There is a community experiment to see what best practices emerge for NC findings. \n\nIt's also possible to send an analysis report about the system even if you have no significant findings or findings at all, to provide advice on things to take into account in the future of the project. \n\nThe rewarding formula is adjusted according to the severity of findings and whether partial credit is awarded. A bonus may be provided for each low finding included in the report. \n\nReports should be compiled into a single document for submission. Participants can track the status of their past reports to follow up on the evaluation process. Finally, users have the opportunity to ask questions or seek clarification on the reasons for findings rejection to improve future submissions.", "Question: If I submit a low-impact QA report in the new submission process and it turns out to be a high-impact report, how would this impact the 10% prize pool? Could the report be upgraded, and if so, how does the upgrade process work?\n\nAnswer: Yes, a low-impact QA report can potentially be upgraded to a high-impact report if the judges deem the issue to be of higher severity. The process of grading takes into account both the quantity and quality of submissions, and a single item in a QA submission is unlikely to receive a high grade. However, if a finding initially classified as low impact is determined to be of medium or high impact by the judges, it will become eligible for the corresponding rewards. \n\nThe judges also have the ability to downgrade medium issues to QA and consider them along with your QA report when grading. They can upgrade items from your QA report if they believe the severity should be higher. 
\n\nRemember, part of the auditing process is demonstrating an understanding of how an issue could be exploited. If an auditor identifies an issue but can't explain why it could lead to loss of funds, the job is only half-done. If you want to make sure your findings are accurately classified and rewarded, it's crucial to provide as much detail as possible, including a Proof of Concept (PoC) when available.\n\nIf no medium or high vulnerabilities are found during a contest, the remaining funds are distributed based on the QA Report curve. This situation is considered rare but has happened a few times, and an example can be found [here](https://code4rena.com/reports/2021-11-fei).\n\nFor more information, please refer to the following links:\n- [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n- [Incentive model and awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n- [QA Gas Report FAQ](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum)", "Q: How should I report my findings of low-impact bugs or non-critical issues during a smart contract audit?\nA: When you are auditing a smart contract and you come across low-impact bugs or non-critical issues, all of these findings should be consolidated into a single Quality Assurance (QA) report. This includes cases where a single line of code may have multiple exploitable vulnerabilities - these can be reported as one issue. If there are multiple instances of the same vulnerability, it is acceptable to consolidate them into one issue within your report.\n\nIt should be noted that two QA reports that are graded 'A', regardless of whether one report has 2-3 low findings and another has 5-6 low findings, would receive the same award. 
The grading of QA reports does not focus on the quantity of low findings.\n\nFor QA reports, the severity of your findings can be categorized into sub-categories including Low, Non-Critical (NC), and Refactoring. It is recommended to clearly separate the Gas report from your QA report.\n\nPlease be aware that while you are allowed to submit one combined gas report and one combined QA report, high and medium severity findings should be submitted as separate reports.\n\nIf you find an additional error after submitting your QA report, you can edit your existing submission. We understand that the auditing process may reveal more issues as you delve deeper, and we accommodate this.\n\nPlease keep in mind that the QA report is a crucial part of demonstrating your understanding of how an issue could be exploited. If a low-impact QA issue has the potential to become high-impact, it could be upgraded in the report, but it must demonstrate an understanding of the exploitation process.\n\nFinally, if the same vulnerability is reported by multiple people, each occurrence is treated separately. \n\nFor more information on how to report bugs and optimizations found in the smart contracts, please refer to our guidelines [insert link to guidelines].", "Question: What is the importance and relevance of Non-Critical (NC) findings in the CodeArena audit report and how are they evaluated?\n\nAnswer: Non-Critical (NC) findings play a significant role in CodeArena audit reports. While they do not share directly in the award pot, they can be valuable for the overall quality and usefulness of the report. \n\nThe report covers all kinds of findings including high, medium, low, non-critical, and gas-related issues. It's worth noting that all low and non-critical issues should be consolidated and submitted in one QA report. Users often submit non-critical findings out of goodwill and to benefit the sponsor, despite there being no direct reward for non-critical vulnerabilities. 
Also, suggestions for project improvements can be made in the non-critical findings section.\n\nIt's important to understand that not all findings are guaranteed a reward. Reports are graded based on both the quantity and quality of submissions and must meet quality standards to be considered valid and satisfactory. High-quality and high-quantity findings tend to score better in CodeArena competitions. For more insight, participants can compare their findings with winning reports found at [https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues).\n\nAdditionally, it's not strictly necessary to fill the \"Recommended Mitigation Steps\" in the bug template for NC findings, but doing so can enhance the value of the report. Furthermore, a finding that is relevant to both QA and gas savings can fit into either category, and judges will decide where it best fits.\n\nIt's also worth noting that if a low-impact QA report potentially becomes a high-impact report, it could be upgraded. However, demonstrating an understanding of how an issue could be exploited is a crucial part of the auditing process.\n\nAs a final point, while there is an ongoing discussion about whether it's worth listing tests lacking coverage of significant functionality as an NC issue, there's no definitive consensus yet. Remember that the purpose of the NC section is to provide additional value and insights, even if they may not lead to rewards directly.", "Question: How does the DAO and voting process work in CodeArena, and should proposed changes in the company go through voting on snapshot?\n\nAnswer: CodeArena, being a DAO, operates on a system of decision-making that prioritizes actions without a vote. This is in alignment with its stated constitution, which delegates responsibilities such as running contests. 
The token utilized in CodeArena's DAO provides voting rights, which includes authority over the treasury. Thus, rather than turning votes into factional disputes, the primary focus is on delegated responsibilities. \n\nA good example of this can be seen with the introduction of invoicing and the two-step process for making critical changes in smart contracts. Both of these major changes were a response to the company's concern with compliance with tax laws and the need to offset Layer 1 gas costs.\n\nAdditionally, the controller in ElasticDAO is a multisig that enacts the snapshot votes on chain. This creates a seamless connection between the voting process and the implementation of those votes. The term \"gov-wg\" is often used in the community to refer to the Working Group set up to establish the DAO structure.\n\nFor a more detailed understanding of the actions that need to be delegated to the corporation and those requiring voting, you can refer to this forum post: [C4IP 1 2 3 4 5 Constitution DAO Bootstrapping Reimbursements Token Sale](https://forum.code4rena.com/t/c4ip-1-2-3-4-5-constitution-dao-bootstrapping-reimbursements-token-sale/93)\n\nIn the future, the company plans to distribute awards via smart contracts. There are discussions around the practice of taking a \"snapshot\" of OpenZeppelin contracts instead of using them directly, suggesting project-specific modifications to external contracts may be necessary. \n\nIt's also worth mentioning that the Code4rena staff are employees of a corporation hired by the DAO, so they cannot sign on behalf of the DAO. 
\n\nPlease note that the exact nature of actions requiring a vote and those that can be delegated may vary and evolve based on ongoing discussions within the community and the needs of the DAO.", "Question: Can you explain the process and requirements for delegating actions to the corporation and those that require voting within CodeArena's DAO structure?\n\nAnswer: Sure, the process and requirements for delegation of actions to the corporation and the ones that require voting are defined in our opening constitution and delegation. You can find more details in this [forum post](https://forum.code4rena.com/t/c4ip-1-2-3-4-5-constitution-dao-bootstrapping-reimbursements-token-sale/93). \n\nThe DAO constitution prioritizes actions without a vote, with the DAO voting to delegate responsibility for running contests. The token provides voting rights for the DAO, which includes authority over treasury. \n\nWhen it comes to specific contract functions, if a certain action needs to be voted on before it gets called, the contract itself would call the function. In terms of governance, the admin role is typically a governance framework and there's a guideline not to submit assumptions such as the owner may be compromised or centralized. \n\nThe methods with the onlyowner/onlygovernance modifiers strictly come through the trustful bodies. It's worth noting that some contracts could already be deployed, while others may not be. \n\nFor roles and responsibilities within the DAO, the term \"gov-wg\" is referred to as a Working Group setup for a DAO structure. Projects are also suggested to add a trust model description for involved roles. \n\nIn terms of audits and contests, there are queries regarding running an audit contest for contracts, with queries about pricing and operational details. This can include concerns about team members who want to participate solo in a contest that their team is also auditing. 
\n\nFurthermore, there are different roles in the contest such as a certified role and a backstage role. More information on the warden-application-reviewers role and its application process would be documented. \n\nIt's important to know that these processes might be subject to changes and it's always a good idea to keep up-to-date with our latest discussions on our [GitHub](https://github.com/code-423n4/org/discussions/91).", "Question: When and how does CodeArena make the findings repository public, and can participants review their submissions and the reasons for their rejection?\n\nAnswer: At CodeArena, the findings repository typically goes public once the final contest report has been published. This is because the sponsor usually hasn't finished their mitigation work when the awards are announced. The exact timing for this process isn't specified, as it varies depending on when the final report is ready and the mitigation work is completed. \n\nParticipants can review their submissions and understand the reasons for their rejection once the report is published and the findings repo is made public. They will be able to access all the issues, including theirs, and see the discussion among sponsors and judges on the specific issues. This facilitates learning from the findings of other participants as well. \n\nThe findings repository is made public on the C4 website, and links to the findings repo are included in each report. The URL for these is: https://github.com/code-423n4.\n\nPlease note that sponsors of the contests do not have access to the findings repository until the contest ends. After a contest is closed, there is a certain period of time before the findings repo becomes publicly available for discussion. 
Lastly, certified wardens can view the findings repository immediately after a contest ends.\n\nFor further query, after a contest has ended and is in the judging process, users can't see the status of their submissions until the report is published and the repo becomes public. However, they can edit their submitted security findings for a contest, and findings can also be withdrawn under \"your findings\" on the contest page.", "Question: Why are the findings repositories initially kept private, and when are they made public at CodeArena? \n\nAnswer: The findings repositories of the audited projects at CodeArena are kept private initially to secure the vulnerabilities from being exposed to the public and to give the project sponsors enough time to act on the feedback. These repositories typically contain detailed insights or potential vulnerabilities that, if exposed prematurely, could pose security risks. A project's findings repository remains private until the final audit report is published, although the exact timing of making it public is not specified. \n\nThis private-to-public transition is not related to the award announcement as the sponsors might not have completed their mitigation work by that time. After the findings repository is made public, all the issues, including the ones submitted by individual users or teams, become visible to all. This facilitates learning from others for new participants and encourages discussion. \n\nIt's important to note that while some of the projects under audit are already deployed, others may not be. Users submitting a \"Proof of Concept\" with Github do not need to make their repository public due to the risk of exposing vulnerabilities. They can instead use a private gist. \n\nPlease note that, as of the time of the discussion, immediate access to the findings repo is reserved for Certified+ users, but it has not been rolled out to anyone yet. 
Also, after a contest is closed, there is a certain undisclosed duration before the findings repo becomes publicly available. \n\nYou can access the findings repositories once they are made public on the C4 website (https://github.com/code-423n4).\nRemember that the information given above is based on discussions in the community and may not represent the actual policies or state of affairs at CodeArena. Always refer back to official communications for the most accurate information.", "Question: Why was the malt prize pool changed and how does this affect the distribution of awards in contests?\n\nAnswer: The malt prize pool was adjusted to account for an increase in the judging fee. This change was necessary to clear out lagging contests in the backlog due to an overwhelming number of issues and limited judge availability, as discussed in the wardens channel. The adjustment also helps in managing the contest flow and ensuring timely judgement of the entries. \n\nHowever, these changes to the prize pool do not typically affect the means of distributing awards in contests. The full pool of prizes for severities will be paid out as per the standard model. In situations where only a few issues are found, the reward distribution is proportionally adjusted. For contests with multiple winners, the prize is shared accordingly.\n\nIt's important to note that sometimes exceptions may occur such as in the OpenSea contest, where the prize pool expanded. Additionally, sponsors also play a part in contest delays and changes to the prize pool. The process of deciding winners, even in cases where one issue is marked as duplicate, does not significantly affect the payout. \n\nIn future, there will be more contests with the structure of an initial audit prize pool and a mitigation review pool. 
The company strives to maintain transparency with these changes and any major shifts in rules, prize splits, or submission guidelines will be communicated promptly.\n\nFor any specific inquiries about the prize pool or contest rewards, the administrators are always ready to clarify in the chatroom. Please keep an eye on the channel for updates related to contest prize pools, judging fees, and reward distribution.", "Q: What is the relevance of a project's deployment status in the audit process at CodeArena?\n\nA: At CodeArena, the deployment status of a project plays a significant role in the audit process. Some projects being audited may already be deployed, while others are still in the process of development. For those projects yet to be deployed, users can engage in the audit process even before their code is complete. \n\nIn case of projects that are already deployed, the audit takes into account the current state of the project. However, it's important to note that the audit scope may not always include vulnerabilities pertaining to deployment or initial actions, especially for projects with already deployed code. Some projects may even be live on chain and simultaneously being audited on CodeArena.\n\nThe deployment status of a project doesn't affect accessibility to it. Even if a project is deployed, its final report may not always be immediately available on the CodeArena site. However, project teams do have access to submitted findings before the contest completion.\n\nEvents like project deployment or code leaks won't halt the audit process. Even if there's a code leak, there is a process to deal with it, including the possibility of forking a project and deploying the same code. 
However, users are unlikely to interact with it unless the project team endorses it.\n\nDiscussions about deployment can also include specific technical considerations, like the difficulty of setting up certain contract environments with limited documentation, no test cases, and no deployment scripts. In such cases, it's suggested not to question the deployment of a proxy contract as it will be done correctly.\n\nIn summary, the deployment status of a project is a vital factor in determining the nature and focus of the audit process at CodeArena. However, whether a project is deployed or not, our processes ensure thorough audits and constant communication between auditors and project teams.", "Question: What is the process for adjusting the prize pool for a contest, and how are these changes communicated to the participants?\n\nAnswer: Changes in the prize pool for a contest are typically discussed and decided upon in the wardens channel. For instance, an adjustment was needed recently due to an overwhelming number of issues and limited judge availability, which resulted in an increase in the judging fee. This adjustment was necessary to clear out lagging contests in the backlog. \n\nSpecific contest changes, such as for the Caviar contest, resulted in a reduction of the H/M reward pool. There was also a situation where the bot race prize pot was initially taken from the HM pot but was expected to change soon, as seen in the Maia contest update [here](https://discord.com/channels/810916927919620096/958800160870240286/1109067971915153508). \n\nBeyond the prize pool adjustments, it's important to note that reward distribution for contests does not occur immediately upon reward announcement, and there might be a period of delay. However, the precise time range for reward distribution was not specified in the chat. Some rewards may still be pending after a contest has finished, for reasons not specified. 
\n\nIn response to user feedback, the community has suggested splitting the 'Awarding' announcement into 'Awarding' and 'Paid' sections for clarity. These changes aim to improve transparency and communication, ensuring all participants are up-to-date with the contest state. \n\nIn conclusion, while the prize pool may adjust according to the contest's needs, rest assured that CodeArena is committed to maintaining transparency and communication regarding these changes.", "Question: Can you explain the new submissions mechanism for CodeArena and what participants can expect in terms of submission rules, updates, and feedback?\n\nAnswer: The new submissions mechanism is expected to be implemented in the upcoming contests at CodeArena. This change is part of our ongoing efforts to enhance our user experience, which originally started with simple tools for finding submissions and contest processing and has now evolved towards authenticated warden accounts. \n\nUnder this new system, participants can expect a grace period on their submissions. They will receive a confirmation email regarding their submission, although there might be delays due to possible API limitations. There would also be a \"Your findings\" button to update the submissions. Submission guidelines can be found at our website: [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nOnce a contest ends, certified contributors will be allowed to view submitted issues and comment on these issues during the judging process. To enhance the learning experience, all unverified submissions may also be released a few days after a contest ends, before the judging takes place. 
The details of this decision can be found in our forum post: [https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123).\n\nParticipants are advised to wait for the report to be published and the findings repo to be made public to check on their submissions. Feedback for submitted issues typically comes within a couple of months, once the contest has closed and the report is published. Users can see the reasons for their submission's rejection and the severity of issues can be updated post-submission by judges.\n\nTo ensure participants don't miss the submission deadline, we're considering implementing a countdown timer. However, it is important to note that users might be penalized for too many unsatisfactory submissions. If you have any doubts or queries about whether you should submit something, it is best to wait for the report's publication.\n\nPlease note that while we strive to improve our submission process, there might be intermittent issues as reported by some users. We appreciate your patience and understanding during this time.", "Question: How does CodeArena handle contest submissions during GitHub outages?\n\nAnswer: In the event of a GitHub outage, CodeArena (C4) has a system in place to ensure that user submissions are not significantly disrupted. Generally, when GitHub fails to take in issues, it rejects submissions via the API, which results in a failed submission. However, during the recent GitHub outage, several submissions were successfully received in the Beholder repository.\n\nDespite the outage, it's important to be aware that there may be intermittent issues with the submission process or issues related to API limitations. 
If a user encounters problems, they can seek assistance from the Code4rena team or send their submissions via email to submissions@code4rena.com. Alternatively, if the form cannot handle large submissions (for instance, a gas report larger than ~65k characters due to Github's max character limit for issue descriptions), users can email their submissions.\n\nOnce a submission for a contest is made, users will not be able to see the status of their submissions until the contest report is published and the repo becomes public. If a submission to a contest is not rewarded, users can review why their submission was not accepted once the report is out and the repo is fully opened. This system allows for transparency, letting users see the discussion among sponsors and judges on the specific issue.\n\nPlease note that, in relation to user submissions, there are ongoing discussions about adding a zip file to a submission or sharing a private GitHub repo. It's also worth noting that users can edit their submissions after submitting an issue. More information about this can be found at https://github.com/code-423n4/code423n4.com/pull/2338.", "Question: As a beginner, how can I start learning in this space specifically about the different roles available in smart contract auditing, and what resources are available to me?\n\nAnswer: There are various roles involved in smart contract auditing, each with its own unique set of responsibilities. These include certified contributors, backstage wardens, scouts, and judges, among others. You can learn about these roles in depth at [CodeArena's roles guide](https://docs.code4rena.com/roles/certified-contributors).\n\nTo begin learning about smart contract auditing, two key resources are recommended. Firstly, you can refer to the [guide by cmichel](https://cmichel.io/how-to-become-a-smart-contract-auditor/), which provides an introduction to becoming a smart contract auditor. 
Secondly, CodeArena has compiled a list of resources for wardens that you can access [here](https://docs.code4rena.com/roles/wardens/tools-and-resources).\n\nFor hands-on learning, you might want to check out [CryptoZombies.io](https://cryptozombies.io/) and [CaptureTheEther.com](https://capturetheether.com/). The former provides an interactive code school that teaches you to write smart contracts in Solidity through building your own crypto-collectables game, while the latter offers a series of Capture the Flag challenges focusing on Ethereum smart contract security.\n\nTo better understand the staking functionality implementation, it is suggested to review different staking contracts. You can also review [reports from smaller bounty contests](https://code4rena.com/reports) to learn since they often have a smaller codebase size and less complexity.\n\nFor those interested in roles like the backstage warden, you can achieve this after identifying your first high vulnerability. More information on the backstage role and the certified warden role can be found [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens) and [here](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints) respectively.\n\nLastly, the journey to becoming proficient in smart contract auditing can greatly depend on your prior experience and learning capabilities. It's also essential to focus on an area you genuinely enjoy and are interested in, not just potential earnings. This will help you sustain your learning journey and possibly pave the way for a successful career in smart contract auditing or similar fields. Remember, everyone starts somewhere, and there is a learning curve, so don't be deterred by initial challenges. Happy learning!", "Q: What happens when GitHub experiences server errors? 
How does it impact the submission of smart contract audits on Code4rena?\n\nA: When GitHub faces server errors, it may reject submissions made via the API, leading to failed submissions. However, there have been circumstances where submissions were received successfully even during an outage. During such events, error messages might also appear when attempting to submit a form, particularly if a gas report exceeds ~65k characters as this is the maximum character limit for GitHub issue descriptions. When such limitations hinder the submission process, the user can email their submission directly to submissions@code423n4.com.\n\nIssues may also arise with the visibility of reported issues on the Issues page, likely due to GitHub errors. These technical problems with viewing the repo or making submissions can usually be resolved by ensuring you are logged into the GitHub account you provided to C4. However, if you continue to experience problems, you should reach out to the Code4arena team for assistance. \n\nIssues with the submission process can be discussed and reported on the 'issues' section of our organization's Github repository [https://github.com/code-423n4/org/issues]. Here, participants can review issues, add fact-based comments, support suggestions, or open new issues. \n\nIt's important to note that if your submission involves a high severity issue but lacks working code to demonstrate its impact, it may be downgraded or deemed ineligible for awards. If a submission is not rewarded, the reason can be reviewed once the contest report is published and the repository is fully opened. This gives participants the opportunity to understand the sponsors' and judges' discussion around the specific issue.\n\nLastly, in cases when there are interruptions in email receipts or other inconsistencies in the contest process, these might be due to incidents on Github, as outlined here: https://www.githubstatus.com/incidents/r5qrpp2f5fc0. 
However, rest assured that any submission issues that occur on the Code4rena platform are promptly handled by our developers.", "Question: What is the cost difference between constants and immutable variables in smart contracts, and how do they affect gas efficiency?\n\nAnswer: Both constants and immutable variables are calculated and filled in at compile time and are embedded into the bytecode at deployment. Constants are generally cheaper than immutable variables because they are computed at compile time, whereas immutable variables are read-only state variables that may require gas to be read. However, there have been instances in which immutables cost less gas than constants, such as the example provided in this [Github discussion](https://github.com/code-423n4/2021-11-overlay-findings/issues/111).\n\nAs of July 2020, the cost of immutable variables was reported to be roughly equivalent to constants, contradicting previous beliefs that immutable variables cost less. This change can be traced in this [Twitter discussion](https://twitter.com/GalloDaSballo/status/1476925462010122245). For a more comprehensive comparison of the gas cost for constant and immutable variables, you can refer to this [StackExchange discussion](https://ethereum.stackexchange.com/questions/118547/is-the-gas-cost-for-constant-and-immutable-about-equal). \n\nIn terms of best practices, declaring a constant can make code more readable and efficient, especially in the case of magic numbers in a line of code such as 'require(abc<123)\u2019. This practice also applies to variables defined in a for loop, where excluding the increment (++i) can significantly reduce gas costs. \n\nMoreover, Solidity stores state variables in 32 bytes storage slots, and multiple variables can be packed into a single slot if they are declared next to each other, which can further reduce gas costs ([source](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html)). 
It's worth noting that functions are automatically generated for public storage variables, constants, and immutables which aren't stored in storage.\n\nIn conclusion, while the cost difference between constants and immutable variables can be a nuanced subject with occasional exceptions, both are crucial components to consider when optimizing for gas efficiency in smart contracts.", "Question: How can I withdraw or amend my submission without revealing the details in the chat?\n \nAnswer: If you need to withdraw or amend a submission, there are several options available. You can message an administrator or a moderator directly to request a withdrawal. Alternatively, you can retract your submission on the contest page under the 'your findings' tab. If you wish to replace an existing submission, you can edit your submitted reports and replace the content with \"withdrawn\" to invalidate the original. If a submission was made in error from a personal account instead of a team account, resubmit the analysis from the correct account and directly submit a help desk request to withdraw the mistaken submission here: https://code4rena.com/help. \n\nIf you're unsure about a potential submission, it is advised not to discuss it in the contest channel to avoid revealing details to others. Instead, you can contact identified individuals directly to discuss your queries or concerns. Please remember, the submission rules prohibit making findings public until a contest is finalised, to maintain fair competition. \n\nIn the event that an issue is discovered to be a false positive after submission, the submission can be retracted by navigating to the 'your findings' section on the contest page. Users are also allowed to argue their case or discuss their concerns if their submission is rejected, by monitoring the backstage channel during the post-judging stage of the concerned contest. 
It is crucial to follow these guidelines to maintain the integrity of our contests and respect the privacy of all participants.", "Question: What is the difference between constants and immutables in terms of gas usage in smart contracts, and how can I optimize my smart contracts to reduce gas costs?\n\nAnswer: Constants and immutables are both types of variables in smart contracts. Constants are generally cheaper than immutables because constants are calculated and filled in at compile time, while immutables are read-only state variables. However, the actual gas cost between the two may vary, and there have been cases where immutables cost less gas than constants, such as outlined in this example on GitHub: https://github.com/code-423n4/2021-11-overlay-findings/issues/111.\n\nThere are no differences in cost or bytecode between constants and immutables, but minor differences may appear in small demos, the reason for which remains unclear. This is supported by discussions on Twitter: https://twitter.com/GalloDaSballo/status/1476925462010122245 and Ethereum Stack Exchange: https://ethereum.stackexchange.com/questions/118547/is-the-gas-cost-for-constant-and-immutable-about-equal.\n\nWhen optimizing your smart contracts to reduce gas costs, there are several strategies you could employ. For example, you could consider swapping the order of a function that first checks from storage, then checks the calldata, excluding the increment (++i) in a for loop, or using the 'unchecked' command in loops. It's also recommended not to initialize default variables to 0 for gas optimization in smart contracts.\n\nSolidity stores state variables in 32 bytes storage slots, and packing variables into fewer slots can reduce gas costs. More information on this can be found here: https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html. \n\nIt's also worth noting that using storage or calldata in an issue is dependent on their costs. 
Caching a storage pointer avoids re-computing the position, so it's cheaper for that reason. Using calldata for read-only arrays is cheaper because they don't need to be iterated and copied into memory.\n\nThe cost of reading the entire bytecode of a contract is constant. Therefore, function inlining can also be used to save gas in smart contracts. Here is a recent CodeArena report on gas optimizations: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations.\n\nFor more complex gas optimization strategies, you might want to consult with a smart contract auditing service like CodeArena.", "Question: How can I manage or withdraw my submission on CodeArena?\n\nAnswer: If you wish to withdraw or manage a submission, there are several ways to do this on CodeArena. \n\nOne of the easiest ways is to directly message a moderator or an administrator to request a submission withdrawal. Alternatively, you can submit a help desk request to withdraw a wrongly submitted analysis at [https://code4rena.com/help](https://code4rena.com/help).\n\nYou can also manage your submissions directly from the contest page. Findings can be withdrawn, edited, or replaced under the \"Your Findings\" tab on the contest page. If you realize something is a false positive after submission, you can retract the submission by going to the contest page and clicking the findings tab. You can also link a separate submission during the submission of an issue by referring to its number on the \"Your Findings\" page.\n\nIf you accidentally submitted an analysis from a personal account instead of a team account, you should re-submit it from the team's account and then use the help desk to request the withdrawal of the other submission.\n\nPlease remember, it is important not to make findings \"public\" until a contest is finalised to prevent revealing it for others. 
If there are concerns about a contest, you can resubmit the issue and then create a help desk request to withdraw the invalid submission.\n\nFor detailed steps on how to edit your submissions, you can refer to the announcement from this [link](https://discord.com/channels/810916927919620096/810929015509483554/1002648649135824906).\n\nIn case of any disputes or if your submission is rejected, there are processes for you to discuss or argue your case. You can also monitor the backstage channel for the post-judging stage of the concerned contest.", "Question: What is the process for distributing rewards in CodeArena, and when can I expect my rewards from XDEFI?\n\nAnswer: At CodeArena, rewards distribution generally follows a process where once a submission is confirmed and the reward amounts are announced, participants have to wait for the distribution to their wallet. This delay often occurs due to the use of multisignature (\"multisig\") wallets for security, which require signatures from multiple parties before funds can be released. \n\nSpecifically for XDEFI, no definitive information has been provided about whether their rewards have been sent. However, based on general observations, rewards are typically distributed within 1 to 2 weeks after the announcement. If a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week. For instance, Biconomy rewards usually take 1 to 2 weeks after the announcement to be sent out.\n\nDo bear in mind that there can be delays, sometimes due to specific circumstances like holidays. In such cases, participants should monitor the announcement channel for updates on distribution. \n\nAlso, please note that the rewards are sent to the participant's registered wallet address. 
If you wish to update your wallet address, you can do so after the finding has been submitted and before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. \n\nLastly, it's important to note that not all contest rewards work the same way. For instance, Immunefi only rewards the first valid submission, so the reward distribution may differ based on the contest or audit.", "Question: Can you explain how rewards are allocated on a curve in Code4rena, and how it impacts the distribution of awards?\n\nAnswer: At Code4rena, we distribute rewards based on a curve, a method inspired by the way professors grade homework or exams. In this method, submissions are scored individually, then ordered and plotted on a bell curve. The highest score receives the top prize, with the rewards decreasing as scores decrease, akin to grading in A, B, C format. \n\nThis approach is applied to various contests and submissions like QA reports, gas reports, and mitigation contests. With the severity of findings, count of findings, and partial credits playing a role in the rewarding formula. In the case of gas optimization reports, the pool is shared among the reporters and is awarded based on the score of each gas report. Similarly, in the context of multiple wardens finding the same issue, the best report typically receives more money, and duplicates below a certain threshold might not receive any money.\n\nThe reward amounts for contests are usually provided by sponsors and if no Medium/High vulnerabilities are detected, the full award pool would be distributed based on the QA Report curve. In the context of team-based contests, rewards are divided evenly among team members, irrespective of who found the issue first.\n\nWhile we aim to pay out rewards in the same week they are announced, the distribution does not occur immediately due to the use of multisignature wallets which require signatures from multiple parties before funds can be released. 
If a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week. We are also working on distributing awards via a smart contract in the future. \n\nYou can find more about our incentive model, curve logic, and reward distribution at https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic.", "Question: How is the reward distribution managed in CodeArena in the context of multiple wardens of varied qualities detecting the same issue?\n\nAnswer: In CodeArena, rewards are distributed among wardens who find the same issue based on the quality of their reports. Typically, the report with the best detail receives more money, and reports that are too similar or below a certain quality threshold might not receive any funds. The distribution does not depend on the order of submission, so wardens who report a duplicate bug later aren't at a disadvantage. If the same vulnerability is identified by multiple wardens, they each get a share of the reward for that issue. This share can vary, and in some cases, wardens have earned thousands of USDC, while others only receive hundreds.\n\nThere are instances where wardens receive rewards both individually or as part of a team. In such cases, both the individual and the team will appear separately on the leaderboard. Also, if a team submits a finding, the reward is issued once, and the team members decide how to distribute it among themselves. If the same vulnerability gets reported by multiple wardens but with different severities, they are given the same severity for the award calculation. This is due to the deduplication process and the judging/determining severity that happens afterward.\n\nThe exact rules for awarding shares or rewards to wardens can be found in Code4arena's awarding policies at https://docs.code4rena.com/awarding/incentive-model-and-awards. This document also addresses issues like duplicate reports and how they are evaluated. 
A detailed list of rewards for each warden for each bug per contest can also be found at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.\n\nThe leaderboard, providing information on what wardens are earning, can be found at https://code4rena.com/leaderboard/. This leaderboard also plays a role in identifying high-ranked wardens for invitation audits.", "Q: Can you explain more about the prize distribution process and how it's affected by the quality of warden's findings, duplicate submissions, and the number of wardens participating in the contest?\n\nA: Yes, the prize distribution process at Code4rena is based on several factors. The distribution is typically done over a bell curve with different tiers of quality wardens. In a context where multiple wardens find the same issue, the reward usually goes to the warden who submitted the most detailed report. The reward amount can also be influenced by the inclusion of a Proof of Concept (PoC), and the way the issue is covered in as many aspects as possible. Duplicates that don't meet a threshold might not receive any money. The more wardens find the same issue, the less money each warden receives for that issue. \n\nIn the case of a contest where only one high and one medium issue are found, or if no medium or high vulnerabilities are found, the remaining funds are divided based on the QA Report curve. You can find more about the incentive model and awards [here](https://docs.code4rena.com/awarding/incentive-model-and-awards).\n\nSome wardens can act as teams, with a leaderboard showing their rankings which you can find [here](https://code423n4.com/leaderboard/). Higher-ranked wardens or teams are often prioritized for invitation audits. \n\nFinally, regarding duplicate submissions and Sybil attacks, if two people submit the same issue using the same warden but different wallets, each person gets less than half of the reward. 
Code4rena has measures in place to resist Sybil attacks. An abrupt increase in the number of wardens could be due to many reasons, including marketing moves or potential Sybil attacks. However, rest assured that the system in place ensures a fair reward distribution process.", "Question: What triggers callbacks in Solidity, and how does \"safeTransferFrom\" fit into this?\n\nAnswer: Callback functions in Solidity are activated in a variety of ways. These include, but are not limited to:\n\n - \"safeTransferFrom\" in conjunction with \"onERC721Received\" for ERC721 tokens\n - \"onERC1155Received\" for ERC1155 tokens\n - \"tokensReceived\" or \"tokensToSend\" for ERC777 tokens\n - Any call to an untrusted external contract\n - Certain protocols like flashloans, oracles, and balancers\n\nTrading callbacks are typically activated using the methods listed above. For example, ERC721 or ERC1155 contracts know if tokens were sent because upon receipt, the recipient contract calls onReceive. The use of \"safeTransferFrom\" depends on the token used and the expectation of the code. In some instances, it's possible to call the \"safeTransferFrom\" function of an ERC-777 token contract in another smart contract. Additionally, the \"eth_call\" function in Quicknode includes a \"value\" parameter referring to the amount of ether sent with the message call. To understand how functions like delegatecall work with storage, you can refer to the Solidity docs and the Geth source code found [here](https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302).\n\nThere are discussions about whether more functions in an interface than are used in the code should be mentioned during a protocol interaction with a contract on-chain. 
It's always useful to carefully consider the specifics of your smart contract and token when determining whether to use safeTransferFrom, as illustrated in a useful Etherscan link [here](https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95). \n\nIn conclusion, it's important to note that the triggers for callbacks in Solidity can vary depending on the specific functions and tokens used within your smart contracts.", "Question: Can the severity of a submitted finding in CodeArena's smart contract audit be adjusted by the judges? \n\nAnswer: Yes, judges have the authority to adjust the severity of a submitted finding. If a finding has been submitted as low or medium severity, but the judges deem it to actually be of higher severity, they have the power to upgrade it. The upgraded severity level will also be taken into account for reward allocation. Conversely, if a submitted finding is judged to be of lower severity than initially categorized, judges can downgrade it. However, unless the issue lacks detail, is incomplete, or inaccurately described leading to overinflation, the participant will still be awarded for their finding at the downgraded severity level. Additionally, it's worth noting that if no high or medium severity issues are found in a contest, the entire rewards may move down to Quality Assurance (QA). Contest participants are encouraged to provide strong evidence and make a compelling case for the appropriate severity level of their findings, especially when escalating from low to higher severity levels. 
For further details, refer to the submission guidelines and reward policy on the CodeArena website as linked here: [https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions) and [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).", "Question: \nWhen and where can I find the completed NFTX findings?\n\nAnswer: \nThe completion of the NFTX findings is confirmed and discussed after the contest ends. During the contest, the findings remain private and are not accessible even to sponsors. The findings repository becomes public once the report is published, which can be found at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. This repository contains all findings and payouts and can be cross-referenced with the contest report. Please note that any findings not submitted before the end of the contest will not be eligible. The exact timing of when the findings will be made public is not specified. Also, while you can expect a follow-up after submitting a finding, it's worth knowing that only findings deemed valid and critical, such as those related to the buying of NFTs with a zero amount, are likely to be rewarded. Non-critical findings like the presence of \"Open Todos\" or the \"use of Block.timestamp\" are not rewarded. 
Lastly, please note that there are pending awards for LPT tokens and NFTX.", "Question: What is the process for distributing rewards for the contests at CodeArena and when can I expect to receive them?\n\nAnswer: At CodeArena, rewards for contests including sublime, arcade rewards, pool together rewards, mitigation contest, #llama-jun06 contest, Sherlock contest, new detector submission, stakehouse-nov11 contest, are processed and distributed in a systematic manner. Once a contest is listed as 'awarding', it signifies that the rewards are queued at the multisig. These rewards are expected to be distributed within a week, typically by the end of a specified week. \n\nHowever, the precise timing can vary depending on certain factors. In some cases, like the Biconomy rewards, it can take 1 to 2 weeks after the announcement to be sent out. Also, rewards are usually paid out in the same week they are announced and often transferred once per month, typically at the beginning of the month. \n\nFor certain contests, rewards might be awarded partially or fully. Once a submission is confirmed and reward amounts announced, participants just need to wait for it to go to their wallet. Additionally, rewards for submissions, like a new detector, may be given in the form of \"Karma Points\". \n\nThe reward amounts in contests often come from the sponsor. Once the rewards are announced, they are sent out manually in batches for multiple contests at a time. Judging becomes final after rewards are announced.\n\nNote: The leaderboard is updated regularly and any discrepancies, like the absence of the Sublime contest, are usually worked on promptly. There may be instances where rewards have been announced but are still pending, or not yet been paid out to participants. These instances are exceptions rather than the norm, and our team works diligently to resolve such issues. 
Stay tuned for updates on our Discord chatroom for the most accurate information.", "Question: If a user's funds are potentially at risk due to an admin's involvement in a procedure, how is the severity of this issue classified?\n\nAnswer: Classification of severity is a balance of consequence and likelihood based on users\u2019 expertise. In a scenario where a user's funds are at risk due to an admin's involvement, it could potentially be considered high risk. High consequences generally involve substantial fund loss or other severe consequences and do not require pre-conditions. However, the classification is not just determined by the potential for loss. Other factors like the difficulty of an attack, specific market conditions, or user unawareness can influence the classification as well. \n\nFor instance, if a user can arbitrarily push to an array and cause a Denial of Service for everyone else, breaking system functionality, this should be submitted as a High/Medium severity issue. The loss of rewards is also seen as a \"loss of assets\", and depending on the external conditions or attack difficulty, it could be classified as high or medium severity. If a function call in a smart contract always reverts but assets are not at risk, it can also be considered as a Medium or High finding depending on the context.\n\nMisclassifying a bug's severity in a submission does not necessarily mean the reward is lost. Even if a High severity bug turns out to be only Medium, the reward for a Medium bug is still received. However, there is a penalty for setting incorrect severity of the issue in smart contract auditing. Further, it's important to note that if an issue identified in an automated finding can potentially lead to a high severity finding, it may be reported again during the contest and could be awarded with higher severity. 
The policy for this is explained at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nIn conclusion, while the potential for a user to lose funds if an admin is involved in a procedure can be considered high risk, the final severity classification depends on a range of factors and the expert judgement of the auditors.\n", "Question: How are the rewards announced and distributed for different report pools at CodeArena and what considerations should be kept in mind?\n\nAnswer: At CodeArena, announcements are made to distinguish the rewards for separate pools for different reports. This helps participants understand the reward structure for each pool. The community has suggested splitting the 'Awarding' announcement into 'Awarding' and 'Paid' sections for greater clarity. Rewards are typically distributed to the address provided in the report and participants can use a new wallet address for their reports moving forward. \n\nIt's important to note that the distribution of rewards may vary depending on the circumstances. For instance, if multiple wardens find the same issue, the best report typically receives more money, and duplicates below a certain threshold might not receive any money. If two people submit the same issue using the same warden but different wallets, each person gets less than half of the reward. \n\nEach team, however, determines how to split their portion of a contest's reward amongst themselves. Special activities may have specific reward timelines, such as the \"arcade reward\" and \"pool together reward,\" which are expected to be distributed the following week. \n\nIn the context of a team, the reward and recognition are split between them, irrespective of who found it first. 
For more detailed information on awards, check out our documentation on the [incentive model and awards](https://docs.code4rena.com/incentive-model-and-awards). \n\nThe platform recognizes the need for more clarity on how rewards are split for teams and is working to improve transparency regarding the incentive for team formation. Please always refer to the specific contest rules and the [award section](https://docs.code4rena.com/awarding/incentive-model-and-awards) on our website for the most accurate information.", "Question: What are the guidelines and limitations for submitting gas and QA reports in contests?\n\nAnswer: CodeArena enforces certain limitations on the submission of gas and QA reports for contests. If a gas or QA report is larger than about 65,000 characters, you may encounter an error due to Github's max character limit for issue descriptions. In such cases, you can submit a placeholder on the form and email the full report to submissions@code423n4.com. \n\nOne important rule is that you can only submit one gas report and one QA report per contest. Any additional findings should be incorporated into these existing reports. You can edit your findings by visiting the contest page and clicking on the 'Your Findings' button. \n\nIf you encounter an error stating \"API rate limit exceeded,\" it might be due to an API limitation. In this case, you can also email your reports to report@code4rena.com. \n\nIf you are unsure about the submission process, additional details can be found in the FAQ section on the CodeArena website: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form. \n\nRemember, when submitting gas optimization reports, the necessity to specify how much gas is being saved for each optimization is based on the judge's decision. 
Always aim for a consolidated report for gas and QA to ensure a smooth submission process.", "Question: Why are my emails from CodeArena being flagged as spam and how do I address the issue?\n\nAnswer: Our users have reported instances of emails from CodeArena being flagged as spam, particularly by providers such as Yahoo and Hotmail. This occurs when the email provider's system identifies certain elements of the email as indicative of spam. It's important to note that this does not mean you are being considered a spammer by CodeArena.\n\nIf you're having trouble receiving emails from us, especially key communications like confirmation emails or KYC mail, we advise checking your spam folder. In certain cases, our users have found emails from \"compliance@provenance.company\" and other CodeArena related communications in their spam folders. To avoid missing important emails, consider adding our email addresses to your contacts or marking them as 'Not Spam' in your email provider.\n\nIf you're still experiencing issues after checking your spam folder, or if you have concerns about being wrongly penalized for spam submissions or for receiving unsatisfactory submissions, please reach out to us directly. We encourage users to direct message us for specific questions or issues. There is no penalty for wrong reasoning as long as it's not spam. \n\nIt's also worth noting that we are considering proposals to address the issue of spam submissions, such as providing sponsors with tools to fix smaller issues in advance and implementing policies to reduce spam.\n\nRemember, if you encounter any suspicious activity like potential scams, you can report these directly in our Discord chatroom. 
We're here to help ensure a safe and productive environment for all CodeArena users.", "Question: How should we submit low and non-critical reports and gas optimizations for Badger Citadel at CodeArena?\n\nAnswer: For submissions related to low and non-critical reports and gas optimizations for the Badger Citadel, you should use the standard submission form provided by CodeArena. You are allowed to submit one QA report and one gas report per contest, and both these reports should consolidate all your respective findings. The QA report should be separate from the gas report.\n\nFor gas-related submissions, it is advisable to include how much gas would be saved via the refactored code. However, please note that the current focus is on high, medium, low severity vulnerabilities and gas optimizations, and there's no direct incentive to report non-critical findings. \n\nIf your report exceeds the character limit on the submission form, you can submit a placeholder and send the report via email to report@code4rena.com. \n\nJudges consider both the quantity and quality of submissions when grading QA reports. If a finding you submit as low in the QA report is considered of medium severity by the judges, it will be eligible for medium rewards.\n\nFor more detailed information about the submission process, please refer to the following links: \n\n- Submission policy: https://docs.code4rena.com/roles/wardens/submission-policy\n\n- Contest report reviews: https://code4rena.com/reports\n\n- FAQs: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq\n\n- Incentive model and awards: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq\n\n- Judging criteria: https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical\n\n- Known issues for automated findings: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. 
\n\nRemember, the submission guidelines require your reports to be specialized and focused.", "Q: Why am I getting flagged as a spammer? How does this affect my account and submissions, and what can I do about it?\n\nA: Based on your query, it seems you've been flagged as a spammer on CodeArena, which could be due to a variety of reasons. Some users have reported an issue where certain individuals' emails were being flagged as spam. This might cause delays or interruptions in receiving important updates or confirmations from CodeArena. \n\nSome users also expressed concern about getting penalized for too many unsatisfactory submissions, which might be related to your query. We advise our users to focus on quality rather than quantity, as too many inappropriate or unsatisfactory submissions could potentially lead to penalties. \n\nIf you believe you've been incorrectly flagged as a spammer, please provide your reasons directly in your report or through a help request. It's also beneficial to check your spam folder regularly, as important communication like confirmation emails or verification mails from CodeArena and Provenance might land there.\n\nFinally, please remember that each user is allowed a single account. Using multiple accounts or handles may cause confusion, and findings may be credited to the wrong person if you use someone else's handle. \n\nFor specific issues regarding your flagged status, please contact our support team directly. They will be able to assist you with any further concerns or issues.", "Question: What are the acceptable formats and practices for submitting vulnerability reports at CodeArena?\n\nAnswer: At CodeArena, we prefer our vulnerability reports to be submitted in plain text markdown format. However, you are not restricted to this format. You can make use of any platform such as Github, Joplin, VSCode, Notion, etc., as long as the platform supports markdown. 
Even images can be embedded in the report using Markdown to provide a clear understanding of the vulnerabilities found. In case of large reports, you can submit them via email and then place a placeholder in your original submission.\n\nWhen it comes to the content of the report, you have a couple of options. You can choose to compile all non-critical findings into one QA report or you can create one QA report for each finding. Alternatively, if you have multiple occurrences of the same issue, these can be compiled into a single report. We recommend creating one large comprehensive report for gas and another for QA. If you're unsure about how to submit your reports, you can refer to our official documentation [here](https://docs.code4rena.com/).\n\nYou are also welcome to include a 'git diff' of the project folder when submitting a report. If you're providing proofs of concept, you can include them in a gist file. When referencing code in your reports, you may either leave direct links to the code on GitHub or refer to a specific file and line number. \n\nOnce your report is submitted, you can track its status via your email. If you spot any discrepancies or have issues with the reports, you can create a ticket. \n\nLastly, we are considering consolidating the last 10/15 reports and all detected vulnerabilities into a database for future audits, so that you can easily access past reports. We're also working on setting up notifications for when a new report is published. \n\nWhile we strive for the best efforts in QA/Gas reports, we understand that changes in the handling of these reports may not always promote this, but we believe our approach is fairer for everyone, including newcomers.", "Question: I made a submission but I haven't received a confirmation email yet. Should I try again?\n\nAnswer: If you submitted a finding, you should typically receive a confirmation email from submissions@code423n4.com within a few minutes. 
This confirmation will indicate whether your submission was successful and will allow you to edit your findings. However, please note that there can sometimes be delays in this process. If you don't see the email in your inbox, make sure to check your spam folder as some participants have reported their confirmation emails being filtered there. \n\nIn case the submission process failed, the form should have returned an error message. If you did not receive such a message, your submission was likely successful. If you still haven't received a confirmation email, you may want to open a help desk request at https://code4rena.com/help/ for further assistance. \n\nAs for the concerns regarding whether you'll receive an email if your submission is valid or not, rest assured that you should be notified regarding the status of your submission, irrespective of its validity. \n\nRemember, emails regarding submission confirmations are sent out upon successful submission of entries in the contest. However, if you're unsure about the submission rules, or have queries about viewing all submissions after a contest, you may want to contact us directly or refer to our guidelines for further clarification. \n\nOccasionally, there have been issues with the email \"submissions@code432n4.com\" not being successfully delivered due to an error with the domain. If you encounter this issue, please reach out to our help desk.", "Question: I've encountered an error and I'm also unsure about how to correct a few things, what steps should I take?\n\nAnswer: First, don't worry as this is not a user-specific issue and the team is always here to assist you. If you've made mistakes in a form, need to modify your submitted findings, or have accidentally submitted to the wrong contest, you can correct these issues by submitting a help desk request at https://code4rena.com/help. \n\nIn your request, provide as much detail as possible about the issue you've encountered. 
If you've made a multiple submissions or submitted analysis from the wrong account, you can request a withdrawal of the wrong submission while you re-submit the correct one. \n\nIf you're experiencing technical problems related to specific tools like 'brownie' or errors with running contests in environments such as VSCode, please include these details in your request. \n\nIf you need to change your profile picture, request a logo change, or change a link associated with your username, these can also be made via a help desk request. \n\nPlease be aware that some users have reported issues with Discord handles with spaces when filling out forms, so ensure your handle doesn't include spaces. \n\nRemember, the CodeArena team is here to support you with any errors or issues that occur, and you're encouraged to reach out for assistance whenever needed.", "Question: Are the competitions on CodeArena hosted on EVM compatible chains and does it require contracts to be in Solidity?\n\nAnswer: CodeArena hosts competitions on various blockchains including EVM compatible chains like Ethereum (ETH) and Polygon, and Cosmos chain. For EVM league contests, CodeArena accepts both ETH and Polygon. The contracts for these competitions are typically written in Solidity and resources are available for Solidity tutorials and learning like CryptoZombies.io, CaptureTheEther.com, and the solidity compiler. However, it's important to note that Cosmos, another significant blockchain network for competitions, uses Rust as its programming language. Community members can find information about Cosmos and its smart contracts through the following links: https://academy.terra.money/courses/cosmwasm-smart-contracts-i and https://github.com/Anchor-Protocol. CodeArena is also interested in expanding beyond EVM and Cosmos chains, with discussions about onboarding other ecosystems. 
For testing contracts, tools like Mythril and Slither are recommended and CodeArena runs contests for analyzing and auditing smart contracts.", "Question: What blockchain networks are supported in CodeArena competitions and what programming languages are used for smart contracts in these different networks?\n\nAnswer: CodeArena competitions currently support Ethereum (ETH) or Polygon for EVM league contests, and Cosmos for Cosmos contests, where smart contracts are written in Solidity for EVM and in Rust for Cosmos. You can find more about Cosmos here: https://academy.terra.money/courses/cosmwasm-smart-contracts-i and https://github.com/Anchor-Protocol. Although there haven't been any Solana contests yet, there is an interest within the community to expand beyond EVM and Cosmos chains. The platform encourages beginner Solidity developers to participate in the competitions, and provides a variety of learning resources. For example, CryptoZombies.io and CaptureTheEther.com are recommended for beginners to learn about smart contracts and Solidity. Additional resources for more advanced Solidity and DeFi industry standards include The Ethernaut challenges and Damn Vulnerable DeFi: https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/. The platform not only focuses on auditing but also on analyzing smart contracts. It's also worth noting that CodeArena runs contests for staking platform contracts and offers awards for gas and contract-size optimization.", "Question: I'm new to smart contract auditing and I'm building a product on Polygon that needs auditing. How should I proceed, and are there any resources for me to learn more about the process?\n\nAnswer: At CodeArena, we are more than happy to assist you with smart contract auditing. Our team will reach out to you directly to discuss your project. In the meantime, you can explore various resources to learn more about smart contract auditing. 
For starters, you can check out this useful post: https://cmichel.io/how-to-become-a-smart-contract-auditor/ and our official documentation https://docs.code4rena.com/roles/wardens/tools-and-resources that provide in-depth insights into the process. \n\nWe also have an education channel (#\ud83c\udfebeducation) on our Discord where you can learn more about smart contract auditing. As for tools, fuzzing tools are often used in auditing smart contracts and you might find it beneficial to familiarize yourself with them. \n\nOur platform not only focuses on audits but potentially includes smart contract gigs as well. Also, we have plans to expand our services to include Solana audits too. If you are interested in running an audit contest for your smart contracts, we can discuss the pricing and operational details. \n\nLastly, despite the existence of automated tools, it's crucial to have human audits since some complex formulas may require professional mathematicians to review and automated tools might not pick up on certain vulnerabilities. Tests in Solidity are also necessary to ensure the contracts are functioning as intended. \n\nPlease note that we are also exploring the application of machine learning for smart contract auditing. This is an exciting space and we're thrilled to have you join us on this journey.", "Question: What roles such as minter or burner can be trusted in smart contracts and how do these roles relate to auditing?\n\nAnswer: The roles of a minter or burner in a smart contract are subjective and context-dependent. There is often discussion around these roles due to their potential influence on the contract's operation. For instance, in ElasticDAO, the controller/minter/burner is considered trustworthy. \n\nWhen auditing smart contracts, it's important to understand the functionality and potential vulnerabilities associated with different roles. 
Some roles, like the minter or burner, could have the potential to manipulate the contract in unfavorable ways if not properly secured. Therefore, part of auditing involves evaluating these roles for potential security risks. \n\nIt's also important to distinguish between different roles within the auditing process itself. For example, a certified role typically involves official auditing responsibilities, whereas a backstage role may involve supporting tasks. \n\nThere's also specific roles like a 'scout,' who might be better at identifying and theorizing attack paths, a crucial part of the auditing process. \n\nMoreover, some auditors might focus more on the backend blockchain aspects rather than the frontend, and vice versa. Both perspectives are important for thorough smart contract auditing. \n\nLastly, some auditors might be concerned about the importance of creating a report for 1-2 Low and 1-2 Gas issues. While an issue can be non-critical and also be included in gas optimizations, the worth of reporting these issues really depends on the specific context and the potential impact they could have on the contract's execution and efficiency. \n\nPlease refer to our documentation for more details on the roles and responsibilities within the auditing process: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum", "Question: How does CodeArena (C4) assess and categorize the risk severity of vulnerabilities in non-defi protocols?\n\nAnswer: CodeArena (C4) has a rigorous approach to assessing and categorizing the risk severity of vulnerabilities. This applies to both DeFi and non-DeFi protocols. The process involves evaluating the potential impact of a vulnerability on the protocol and its users, taking into account factors such as the likelihood of it being exploited and the potential consequences. 
\n\nFor example, if a finding breaks the protocol without any funds being stolen, it could still be classified as a high risk due to the significant disruption it could cause. The potential for users to lose funds due to involvement of an admin, an uninitialized contract being subject to a ransom attack, or loss of rewards due to precision-loss or other issues in staking pools can all be considered high risk depending on the maximum value that is lost and how likely it is to occur.\n\nRisk categories can indeed change for non-DeFi protocols, based on the judge's assessment. In some cases, 'on the fence' vulnerabilities can be rated as High or Medium risk, depending on the severity and potential impact of the vulnerability. Risk categorization and severity evaluation are determined using guidelines provided on the CodeArena website (https://docs.code4rena.com/awarding/judging-criteria#estimating-risk) and by referring to how similar issues were judged in the past.\n\nIt's also important to note that vulnerabilities found in out-of-scope contracts can be included in the C4 report as unrewarded findings, or the project can be directly messaged. Furthermore, if a vulnerability is found but is difficult to fix without significant changes to the protocol, it can still be reported. Recommendations are appreciated but not mandatory.\n\nThe severity of a vulnerability is not always static. For instance, a finding initially classified as low risk during the QA process could be upgraded to a medium risk if other judges confirm it as such. Contest participants can upgrade the risk level of their submitted findings if the contest is still open. 
Conversely, if a high-risk finding is judged as low risk, the submitter will still be rewarded, reflecting the complex and nuanced nature of risk assessment.\n\nFinally, it's worth noting that while there is some discussion around the treatment of issues marked as high risk by judges, including the potential for them to be downgraded or discarded, specific procedures and guidelines should always be referred to for accurate information.", "Question: How is the severity of an attack made by the governance determined in CodeArena's smart contract audits?\n\nAnswer: The severity of an attack made by the governance in a smart contract audit is not a fixed measure, but rather a subjective assessment that varies case-by-case. This assessment is primarily made by an independent judge who possesses deep knowledge in Solidity, a programming language used for writing smart contracts. Several factors are considered in this determination, including the impact of the vulnerability, whether it could lead to a denial-of-service (DOS), and changes in the state variables of smart contracts. \n\nSocial engineering attacks on the owner of the contract are also considered in the evaluation. The potential loss of rewards, whether due to precision-loss issues, or other factors, is generally considered a \"loss of assets\" and can be designated as high or medium severity, depending on the circumstances and attack difficulty.\n\nThe final determination of severity, however, ultimately impacts the level of rewards awarded. For example, a vulnerability reported by multiple people may be judged and given the same severity for award calculation due to the deduplication process. 
In case of uncertainties about the severity, it is advised to review the judging criteria at [CodeArena's Judging Criteria](https://docs.code423n4.com/roles/wardens/judging-criteria#estimating-risk) and make a case for the chosen severity using evidence.\n\nKeep in mind that it's possible to report a variety of findings based on different combinations of issues to create different attacks. If an automated finding leads to a high severity finding, it can be reported again during the contest by a warden for a potential higher reward. \n\nLastly, it's important to note that the severity of an issue can be updated post-submission by judges, based on the impact and potential consequences.", "Question: How should I handle inconsistencies in the judgment of the severity of reported issues, especially related to governance attacks?\n\nAnswer: When you encounter inconsistencies in the judgment of the severity of reported issues, including governance attacks, the first step is to file an objective, neutral, and blameless report at https://GitHub.com/code-423n4/rulebook/issues. Be sure to include specific details and example links to support your claim. \n\nRemember, the severity of an attack is usually determined by the judge and usually depends on the impact of the bug. Judges have the discretion to determine the severity of identified problems in the submitted reports and make changes in severity levels as necessary. If you are unsure about the severity of a reported issue, it is advised to review the judging criteria at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk and make a case for your chosen severity using evidence.\n\nIf you still have concerns about inconsistency, process, or lack of clarity in rules after reviewing the judging criteria, you are encouraged to visit https://github.com/code-423n4/org/issues. Here, you can add fact-based comments, support suggestions, or open new issues. 
Also, if you believe a centralization risk should be flagged, you should report it, providing all your reasons, and let the judge make the final call.\n\nIn case of disagreements with a judge's decision, you can refer to the policy at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision.\n\nIt's important to note that questions about the availability of specific reports, modifying or withdrawing findings, and the difference between two submissions reporting the same issue, as well as concerns about the validity of the submitted issues, should also be addressed through these channels. Changes to the severity of reported bugs after a contest can be passed on to the judge through designated contact points. The ranking of the severity of issues can be found at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization.\n\nLastly, remember that the decision on how to reward severity escalations in a contest report is ultimately up to the judge. If you suspect you have misjudged the severity of a vulnerability, we recommend referring to https://github.com/code-423n4/org/discussions/34 for further insight.", "Question: Can you please explain the grading system and differences between various reports such as M06 and M08 in CodeArena?\n\nAnswer: Though it was initially stated that the M06 and M08 reports appeared to be duplicates due to an error, further clarifications from our chat history indicate that there can be differences in the scoring of grade-A QA reports. The evaluation of a report can be influenced by its format, and the grades are assigned comparatively based on other reports. \n\nFor instance, a single item in a QA submission is unlikely to receive a high grade as both quantity and quality of submissions are evaluated when grading QA reports. 
When it comes to gas findings, their judgment depends on whether they show significant improvements in essential functions.\n\nMoreover, the same issues in the published reports may not always be identical to the reported ones. The published reports can be seen as a summary of what was submitted by the wardens. Furthermore, there can be downgradations of findings from H/M to L/QA in the QA report. The wardens should assess the severity of the issues based on guidelines mentioned here: https://code423n4.com/judging-criteria/.\n\nTo understand more about the grading system used in QA reports and the criteria for judging gas optimizations, you can refer to the following links: \n1. https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical\n2. https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports\n\nFor further understanding of how the Analysis report works, visit https://docs.code4rena.com/awarding/judging-criteria#analysis. Lastly, when making submissions, it is recommended to have distinct reports for gas and one for Quality Assurance, and the judges prefer detailed reports over one-line summaries.", "Q: How is the process of evaluating and reporting inconsistencies or vulnerabilities in smart contracts handled at CodeArena, and what tools are commonly used for identifying such issues?\n\nA: At CodeArena (C4), when an inconsistency or vulnerability is identified in a smart contract, the severity of the issue is evaluated by our judges. The assessment can vary based on the judgement of the reviewer, and there is currently no consensus on this process. However, we encourage all parties to report any issues in an objective, neutral, and blameless manner with comprehensive details and examples at https://GitHub.com/code-423n4/rulebook/issues. \n\nIn terms of identifying vulnerabilities, a variety of tools are used, including automated tools and fuzzing tools. 
For instance, Slither, a static analysis tool, is often utilized for smart contracts. Another tool mentioned in our discussions is a smart contract scanning tool that can detect price manipulation vulnerabilities, available at https://app.metatrust.io/project. \n\nIt's important to note that even with the use of automated tools, many companies still opt for audits of their smart contracts. This is because automated tools may not catch every vulnerability, and human evaluation can provide a more comprehensive analysis. \n\nWhen reporting vulnerabilities, they are categorized based on severity related to state variable changes, among other factors. The acceptance of reported issues in smart contracts depends on their severity as evaluated by the sponsors and judges. If the severity of an issue is not clear, it is recommended to continue working on the proof-of-concept until it becomes clearer. It's also worth mentioning that there can be a penalty for misjudging the severity of a vulnerability. \n\nFor those new to smart contract auditing, the learning curve can be steep, and the time it takes to start finding bugs depends greatly on the individual's prior experience and capabilities. However, we encourage beginners to seek help through our platform, and we offer plenty of resources to support your learning journey. \n\nIt's also worth noting that if a vulnerability is found in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding, or the project can be messaged directly. In some instances, vulnerabilities affecting a main contract, even if found in an out-of-scope contract, should still be reported. 
\n\nRemember, while it can be challenging to understand reports and various concepts related to smart contracts, it's crucial to gain a comprehensive understanding of smart contract audits to ensure the security and performance of your contracts.", "Question: What's the difference between M06 and M08 in the Livepeer findings, and how are issues categorized and rewarded in CodeArena contests?\n\nAnswer: M06 and M08 in the Livepeer findings seem to be duplicates of each other and should have been reported as such. These issues were raised during a CodeArena contest, which can be found at [Livepeer Contest](https://code4rena.com/contests/2022-01-livepeer-contest). Contest participants often discuss the approach to handling upgradeable contract findings and medium-risk vulnerabilities. There can be differences in reporting and scoring, depending on the judgement of the reviewer. For example, the same finding submitted by two different wardens can result in a significantly different award value based on the level of detail in the submission, such as the inclusion of a Proof of Concept (PoC), and the extent to which the issue is covered. This is further detailed in the [Judging Criteria](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr) on Code4Arena's website. There's also a debate on the validity of certain findings, as seen with the \"missing 0 address check\" issue. In some cases, there's a possibility of a bug in the award math. It's important to note that some issues in the published reports might be the same as those reported initially, and this point isn't always clear. There are also tools discussed for comparing differences between contracts. Lastly, duplicate findings, like M06 and M08, can significantly reduce their value, as seen in a contest named \"Redacted Cartel\". 
The duplicate issues were rewarded less for each warden.", "Question: What is the process and timeline for the distribution of rewards by CodeArena?\n\nAnswer: Once a contest at CodeArena concludes and the winners are officially announced, the rewards distribution process begins. The rewards are queued at the multisig and are typically distributed within a week of the announcement. It's important to note that this process involves manual distribution in batches for multiple contests at a time, which might extend the waiting period slightly. \n\nFor some specific activities, like the \"arcade reward\" and \"pool together reward,\" the rewards are expected to be dispatched the following week. In some cases, such as Biconomy rewards, it may take 1 to 2 weeks after the announcement for the rewards to be sent out. \n\nThe rewards are transferred to the wallet address provided by the participant. It's possible to update or confirm your reward wallet address if needed. The rewards for a report will be distributed to the new address if you update it in your report. \n\nIt's worth noting that there might be instances where the rewards are pending after a contest has finished. This could be due to the use of multisignature (\"multisig\") wallets which require signatures from multiple parties before funds can be released. Additionally, reward distribution is eventually planned to be accomplished via smart contract once the required systems are set up.\n\nThere is a possibility of delay in times of high activity or during holiday seasons. However, the team at CodeArena aims to process and distribute multiple contest rewards by the end of each week to ensure a smooth experience for participants. On a final note, once an award for a submission report is received, the user is required to wait for the payout. 
\n\nPlease keep an eye on our Discord chatroom for updates on reward distribution.", "Q: I didn't receive my reward after a CodeArena contest, what should I do and when can I expect it?\n\nA: CodeArena aims to distribute rewards for various contests as promptly as possible. However, there can be delays due to several reasons. \n\nOnce your submission for a contest is confirmed and the reward amounts are announced, you need to wait for it to be transferred to your wallet. The transfer typically takes 1 to 2 weeks for Biconomy rewards, for example. Keep in mind that rewards are sent manually in batches for multiple contests at a time, and usually once per month, typically at the beginning of the month. \n\nIf you see a contest listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within the week. Multisig wallets require signatures from multiple parties before funds can be released, which can also cause delays. Top participants can expect their rewards to be shipped typically within a week from the announcement.\n\nIf you haven't received an expected email from Provenance, or if there's an issue with your reward, you can raise a ticket to the CodeArena team or use the help form available at [https://code4rena.com/help](https://code4rena.com/help). There have been instances where users didn't get a response after sending a ticket, but rest assured that all issues are reviewed by the team. \n\nPlease note that there might be instances where rewards are pending even after a contest has finished. The reasons for this are not always specified in the chat. Also, there might be a discrepancy in the timing of rewards being announced before the leaderboard is updated, which we are working on addressing.\n\nOverall, please be patient as the process of rewarding can take time due to various complexities involved. 
We understand the importance of these rewards to our participants and are continuously working to improve the process.", "Question: What tools and resources are used by wardens to identify vulnerabilities and bugs in smart contracts, and how can beginners start learning about smart contract auditing?\n\nAnswer: Wardens typically use tools like Slither, MythX, and fuzzing tools like Echidna to identify vulnerabilities in smart contracts. These tools help in smart contract scanning and static security testing, which involves inspecting the code without interacting with it. Additionally, there are resources available to aid in learning about smart contract auditing and blockchain forensics analysis. \n\nBeginners can start learning from online tutorials and resources like https://cmichel.io/how-to-become-a-smart-contract-auditor/, https://docs.code4rena.com/roles/wardens/tools-and-resources, and https://cryptozombies.io/ for learning Solidity. For practical exercises, platforms like https://capturetheether.com/ offer Capture the Flag challenges. \n\nTools like Mythril and Slither can also be used for testing contracts downloaded from Github. For more advanced automated analyses, tools like https://app.metatrust.io/project have been recommended. \n\nIt's worth noting that learning smart contract auditing can have a steep learning curve for beginners, involving understanding the architecture of each project, interacting with the code, and finding vulnerabilities within the allotted time. Code4Arena runs contests for analyzing smart contracts which can be a good way to gain experience. \n\nFor more information, you can refer to the post from the top 1 at leaderboard or watch helpful videos like this one by Quantstamp's Sebastian Banescu: https://www.youtube.com/watch?v=O1rKwDv5kLQ. Please remember to connect your wallet to your account to submit findings.", "Question: As a beginner, how can I effectively navigate and understand a smart contract with multiple .sol files? 
What resources can I use to learn and improve?\n\nAnswer: Navigating through a smart contract with multiple .sol files requires a systematic approach. One suggested method is starting with libraries and interfaces that have the least dependencies. This way, you can gradually understand which contracts are using them before diving deeper into those contracts. \n\nFor a broader understanding of the relationship between interfaces and smart contracts, there are resources available such as CryptoZombies.io and CaptureTheEther.com. These platforms offer interactive learning experiences for beginners to understand Solidity and smart contracts. \n\nIf you're auditing a contract from an external source like Github or etherscan.io, there are tools available to help you. For instance, you can convert a contract address into a separate solidity file using Etherscan by changing .io to .deth.net. \n\nAdditionally, for contracts from Github, you can test these contracts using tools like Mythril and Slither. \n\nIf you're seeking to understand the syntax and programming aspects of Solidity, there are resources available like https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources. \n\nLastly, if you're struggling with understanding how a specific smart contract functionality like staking works, it might be helpful to look at different staking contracts to understand various implementations. \n\nRemember, the guidelines on how to report issues related to smart contracts can be found at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md. \n\nThe journey to mastering smart contract auditing may be challenging, but with the right resources and a systematic approach, you can make significant progress.", "Question: How can I find and make use of past competition reports on CodeArena?\n\nAnswer: Reports from past competitions on CodeArena can be accessed at https://code4rena.com/reports. 
These reports contain the results of the competitions, including findings and awards. They are typically published after the competition has concluded, sponsor reviews have taken place, judging and awarding has been done, and reporting is complete. \n\nIf you're new to auditing and you're looking for recommendations on past contests to practice on, these reports can be a valuable resource. You can view the QA reports for contests that have already closed and even check the reports you submitted during the competition. \n\nParticipants are also allowed to view reports from other wardens, even after the contests have ended. However, visibility might be limited if there is no table with results. \n\nFor more detailed results, such as the scoring breakdowns from past contests, you can visit the #\ud83d\udce2announcements channel, the contest page on the CodeArena website, or https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv. \n\nIf you're interested in specific findings from a contest, they can be located in the findings repo. For example, a link to a previous competition finding was shared here: https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137. \n\nFinally, it's worth noting that CodeArena allows for inquiries about the progress and schedule of final reports, as well as questions about findings of past projects, meaning you can further your understanding and analysis of past competitions.", "Question: Can I learn about vulnerabilities from past contests, and how can I use past reports and findings to improve my auditing skills?\n\nAnswer: Yes, Code4Arena hosts reports from past contests which reveal the vulnerabilities found during those contests. These reports serve as a valuable resource for learning and improving your auditing skills. 
You can access these reports at https://code4rena.com/reports.\n\nFurther, you can gain insights from the leaderboard at https://code4rena.com/leaderboard/ to understand what wardens have been earning. Wardens are individuals or teams who participate in the contests to find vulnerabilities. \n\nIf you're new to auditing, you can practice on past contests and read old reports to gain a better understanding. Even if you're a seasoned auditor, these reports can help you to understand areas of improvement. \n\nYou can also ask questions about findings of past projects and participate in private competitive audits. If you believe that you've found a vulnerability during a contest, you're encouraged to reach out to the sponsor team. However, to be eligible for awards, you must submit it via the contest submission form. \n\nApart from this, you should also be aware that if no medium or high vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve. But this situation is considered a rarity. You can view an example of a contest with only low vulnerabilities at https://code4rena.com/reports/2021-11-fei.\n\nAfter the contests end, and all possible exploits have been patched, all submissions may be made available for you to learn from and improve upon. \n\nLastly, it's important to note that there are restrictions on discussing bugs and exploits after submissions for a contest are closed and before the contest results are out. So, ensure that you respect these guidelines while using the reports for learning. \n\nRemember, participating in contests, practicing, and reviewing past findings are great ways to improve your auditing skills.", "Question: How can I register or change my Ethereum (ETH) address on CodeArena to receive my share?\n\nAnswer: To register or change your Ethereum (ETH) address on CodeArena, you will need to go through the registration process where you will be required to provide your handle and ETH address. 
The same process applies for your Polygon address. Remember that your Polygon and Ethereum addresses are necessary for the withdrawal process.\n\nIf you forgot your registration wallet address or need to change it, you can seek assistance at CodeArena's help desk at https://code4rena.com/help. You can also use this platform if you're not sure whether you've submitted an address for rewards.\n\nPlease note that your wallet address could be monitored on the Polygon network at https://polygonscan.com/address/. \n\nIf you are interested in updating your wallet address, you should know that it's possible to change the registered wallet (login address) on the platform. For instance, if you want to move funds back to the mainnet, you can achieve this using the Polygon bridge at https://wallet.polygon.technology/.\n\nIn case of changing your wallet to a smart contract wallet like Gnosis or Argent, you have to register as a warden and submit a request at the help desk.\n\nFor any inquiries related to the whitelisting of wallets, you can address them by submitting help desk requests at https://code4rena.com/help. \n\nPlease be aware that the confirmation email you receive after submission does not include the Ethereum address you provided. Payouts for vulnerability issues can be verified by checking the wallet address with which you registered, using https://polygonscan.com/address/ or wallet trackers like debank.com.", "Question: How can I register and manage my Ethereum (ETH) and Polygon addresses on CodeArena?\n\nAnswer: To register, you should fill the submission form for each contest you participate in and include your Ethereum wallet address in the provided field. You also need to register your handle along with your Ethereum (ETH) and Polygon addresses to receive your share of rewards. The submission form also includes a field for Polygon address when submitting findings. 
\n\nIf you ever forget your registered wallet address or need to check if you have submitted an address for rewards, you can get help at [CodeArena's help page](https://code4rena.com/help). \n\nTo update your wallet address, follow the procedure detailed on the page: [Can I change my wallet address?](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address). Please note, the login wallet address cannot be changed at present, but multiple addresses can be linked if using Metamask. More information on this can be found [here](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with).\n\nTo verify if a contract has been initialized on the Ethereum mainnet or to verify your payout for finding vulnerabilities, you can use the link [https://polygonscan.com/address/](https://polygonscan.com/address/) and replace \"\" with your own. The tokens can also be monitored here and funds can be moved back to the mainnet using the polygon bridge [https://wallet.polygon.technology/](https://wallet.polygon.technology/). \n\nFor those willing to register as a warden and get their wallets whitelisted, you can submit your request via [CodeArena's help desk](https://code4rena.com/help). \n\nRemember, wallets that are supported by WalletConnect can be used in the registration process. More details can be found at the [WalletConnect Registry](https://walletconnect.com/registry?type=wallet).", "Question: How does Code4Arena's audit contests compare to traditional bug bounty programs and what is the process for reporting vulnerabilities?\n\nAnswer: Code4Arena operates audit contests, which are somewhat similar to traditional bug bounty programs. The key difference lies in the fact that with Code4Arena, the second person to report a bug also receives a reward unlike in a conventional bug bounty model. 
Code4Arena's compensation structure is explained in detail on their documentation page: https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit.\n\nDuring the contest, if participants believe they've found a vulnerability, they are encouraged to reach out to the sponsor team or disclose the vulnerability directly to Code4Arena, but it must be submitted via the contest submission form to be eligible for awards. The bugs found are kept confidential until the contest is over and the judging process is complete. Additionally, teams or individuals can submit their findings once their wallet is connected to the platform.\n\nIn the event of encountering problems with rewards, participants can open issue tickets at code4rena.com/help for review by the CodeArena team. If a security issue arises concerning one of the contests, a help request can be submitted at the same link.\n\nWhile there is interest in conducting bug bounty programs for web applications and hosting Rust contests in the future, as of the last chat update, there were no specific plans in place for these programs. If vulnerabilities impact the Code4Arena web application, they should be reported to security@code4rena.com. Code4Arena charges a fee beyond the bounty for auditing services. Information about past protocols worked with by Code4Arena can be found at https://code4rena.com/contests.", "Question: What are the costs associated with using Code4Arena's services, and how are the wardens' bounties and rewards determined?\n\nAnswer: Code4Arena does charge a fee beyond the bounty that is paid to the wardens for auditing smart contracts. The exact fees are not mentioned in the chat history, and it is recommended that users refer to Code4Arena's policy for more specific details. As for the wardens' rewards, they are allocated based on the findings they submit. 
If a team submits a finding, one payment will be issued, and the team will decide how to distribute the money among its members. \n\nThe order in which wardens report a duplicate bug does not impact their payment. If two people submit the same issue using the same warden but different wallets, each person gets less than half of the reward. More information on this can be found in the incentive model and awards section of the Code4Arena documentation: https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit. \n\nIt's also worth mentioning that Code4Arena allows for individual wardens or teams to compete for the bounties. Teams are treated the same as individual wardens, and once wardens find a team, they can register at https://code4rena.com/register-team. \n\nParticipants can get an idea of potential earnings from the leaderboard, which provides information about the earnings of current wardens: https://code4rena.com/leaderboard/. \n\nFor those interested in becoming wardens, there are guidelines on how to register and become a certified warden at https://docs.code4rena.com/roles/wardens. Certified wardens can also participate in private contests once they complete the Know Your Customer (KYC) process. \n\nIn summary, the costs associated with Code4Arena's services include a fee beyond the bounty paid to wardens, and the wardens' rewards are determined based on their findings and the order in which they are reported.", "Question: Can you explain Code4Arena's fee structure and how it affects various operations like auditing, prizes, and payouts?\n\nAnswer: Certainly. Code4Arena's fee is dependent on a variety of factors and it may affect different areas of our operations. We charge a fee for auditing beyond the bounty. The amount for a particular contest includes a judging pot. \n\nIn terms of prizes and payouts, we have a minimum of $5 for eligibility to avoid needing to send small amounts. 
For instance, we have contests with various awards such as the Analysis awards of $4,250 USDC and QA awards of $2,000 USDC or a $67,500 USDC main award pot with a $7,500 USDC gas optimization award pot. Guidelines for analysis can be found at: [https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118).\n\nIn terms of audits, we operate similarly to a bug bounty platform where prize pools and fees are defined upfront. There are occurrences where the payment amount might be revised after payout due to various reasons, this could either be an increase or decrease. \n\nDo note that discrepancies may occur, for instance, the bounty for the Cally contest showed different amounts on different platforms, but we ensure to update and provide accurate information. \n\nFinally, not all operations involve fees. For example, not all types of tokens are fee-on-transfer. Also, users can compare different bridges, their time and fees at [https://www.bungee.exchange/](https://www.bungee.exchange/). \n\nFor more detailed information on our fee structure, feel free to request a direct message.", "Q: How important is gas optimization in smart contracts, and when is it considered worthwhile?\n\nA: Gas optimization in smart contracts is a crucial aspect of auditing at CodeArena (C4). It involves streamlining the code to reduce gas costs, which is particularly beneficial for protocol contracts and other contracts with non-view/non-pure functions. While the significance of gas savings might depend on the specific situations, it is recommended to report any gas optimizations separately. For instance, function inlining, swapping the order of a function that first checks from storage, then checks the calldata, or using 'unchecked' command in loops are common ways to optimize for gas. 
\n\nWhen submitting gas optimization reports, it is beneficial to specify how much gas is being saved for each optimization, though it isn't mandatory. This information can potentially increase points, though the necessity for this is ultimately based on the judge's decision. You can refer to [this documented issue](https://github.com/code-423n4/2021-11-overlay-findings/issues/111) as an example where immutable cost less gas than constants.\n\nMoreover, the validity of some gas optimizations might be dependent on whether the optimizer is enabled or not, which has led to some confusion about what should be reported. It's important to clarify that not all gas optimizations are valid when the optimizer is enabled. In addition, for gas optimizations to be considered, they need to be included in the generated report. \n\nIn contests, participants can earn by identifying gas optimizations. However, the earnings would depend on their proficiency and the judge's criteria. Please note that while all valid findings for gas optimizations are weighted the same, the threshold for \"marginal\" gas savings is yet to be defined. \n\nLastly, for first-time audits, gas optimization can be a useful starting point. The optimization of smart contracts to reduce gas costs is a topic that is frequently discussed in our community, and users can always ask for clarification if needed. For further details, please refer to the [C4's common issues GitHub page](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md).", "Q: What is the approach for handling and reporting medium-risk vulnerabilities such as DoSing or bricking of upgradeable contracts, particularly when no direct funds are at risk?\n\nA: When treating upgradeable contract findings in the case of medium-risk vulnerabilities, the context plays a crucial role. If a protocol can be bricked until an upgrade takes place, it is typically classified as a medium-risk bug, even if no direct funds are at risk. 
Similarly, if a function call in a smart contract always reverts, it can be considered a medium or high finding depending on the context. \n\nFor example, a potential risk might be that the contract could fall victim to a ransom attack, where an attacker takes ownership of the uninitialized contract and demands a ransom to release it. Additionally, vulnerabilities affecting a main contract, even if found in an out-of-scope contract, should still be reported.\n\nIt's also important to note that vulnerabilities found in smart contracts can be reported differently based on the judgment of the reviewer. For instance, if a vulnerability is discovered but is challenging to fix without major changes to the protocol, it should still be reported. Recommendations for fixes are appreciated but are not mandatory.\n\nIf the severity of a vulnerability is unclear, it's recommended to continue working on the proof of concept (POC) until it becomes evident. Medium-risk vulnerabilities (Risk 2) ideally require test codes as POCs when writing reports, similar to high-risk vulnerabilities. \n\nRemember, the categorization of severity is dependent on the balance between consequence and likelihood. Medium consequences usually have a lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness.\n\nIf you discover a medium vulnerability like a missing zero address check that could lead to a loss of funds, it's still valid and should be reported. Here's an example of one such vulnerability: [https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address](https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address).\n\nLastly, if automated tools are used for initial findings, there is a higher burden of proof required to demonstrate a relevant high or medium severity exploit path, considered satisfactory to sponsors. 
This expectation is further clarified here: [https://github.com/code-423n4/org/discussions/50](https://github.com/code-423n4/org/discussions/50).", "Q: How can I manage my submissions for a contest and report issues with the CodeArena platform, including updates, changes, and concerns related to contests?\n\nA: To submit requests such as updating a contest submission, changing your Polygon address, reporting an issue with our documentation, or any concerns related to the contest, you can use the C4 Help Desk at https://code4rena.com/help. You can enter either an email address or a Discord handle. \n\nAfter submitting a bug, you can view or edit your own submissions on the site for open contests. To do this, visit the contest page and click the \"Your Findings\" button. An example of a contest page is the Ethos Reserve contest page: https://code4rena.com/contests/2023-02-ethos-reserve-contest. Detailed steps for editing submissions can be found in this announcement: https://discord.com/channels/810916927919620096/810929015509483554/1002648649135824906. If you are unable to perform tasks via mobile, send requests to submissions@code4rena.com for assistance.\n\nFor participants who disagree with a decision about a contest judgment, they can review issues at https://github.com/code-423n4/org/issues. There, they can add comments on existing issues, support existing suggestions, or open a new issue if their concern is not already addressed. \n\nIf you have questions about contest security issues or submission rules, you are advised to submit a help request at https://code4rena.com/help. The submission policy can be found at https://docs.code4rena.com/roles/wardens/submission-policy, while audit contest reports can be reviewed at https://code4rena.com/reports. \n\nFor issues related to rewards distribution, they can also submit a Help Desk request through this link: https://code4rena.com/help/. 
If a submitted bug severity needs to be increased during a contest, you can submit a help request to remove the original submission and then submit again. \n\nLastly, we value your suggestions on improving our website, leaderboard systems, contest processes, and Discord setup. Feel free to share your ideas via our suggestion box or submit pull requests with any ideas to our GitHub.", "Question: What is CodeArena's approach to optimizing gas usage in Ethereum transactions and smart contracts and how can one participate in discussions and submit ideas for these optimizations?\n\nAnswer: CodeArena has a strong focus on optimizing gas usage in Ethereum transactions and smart contracts. The community continually discusses various strategies and techniques for achieving this, including the consideration of gas and contract size optimization.\n\nUsers can actively participate in these discussions, sharing their ideas on how to compile multiple concepts about gas optimizations into a single comprehensive report. The community also explores the possibility of optimizing smart contracts to reduce gas costs, including protocol contracts and other non-view/non-pure functions.\n\nYou can also submit your own gas optimization findings in contests run by CodeArena. Before diving into auditing contracts, we recommend you familiarize yourself with resources related to gas optimization. A great place to start is the [CodeArena report](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations). \n\nAdditionally, a user can ask for clarification on any aspect of gas optimization, as it's a complex topic that not everyone may fully understand. There are also discussions about the need to mention the amount of gas saved for every finding in gas optimization reports.\n\nFor instance, a question was raised about whether swapping the order of a function that first checks from storage, then checks the calldata, could optimize the gas. 
Similarly, queries about the process for submitting gas optimization issues are common. It is also suggested that simplifying code, such as merging two for loops into one, can be a form of gas optimization.\n\nFinally, the judgement criteria for gas optimizations are important to understand. Some users have stopped reporting gas optimizations due to inconsistent acceptance by judges. It's crucial to clarify the validity and importance of gas optimizations in certain situations, such as when the optimizer is disabled. To get a deeper understanding of Ethereum transactions, the Ethereum Beige Paper can be a helpful resource.", "Question: How does the payment process work when a team submits a vulnerability and how is the prize money distributed among the team members?\n\nAnswer: At Code4rena, we only support payments to one Ethereum address per vulnerability submission by a team. Once the reward is received at the provided address, the responsibility of distributing the funds amongst team members is entirely on the team. We recommend using a multisig wallet or a smart contract specifically designed for such scenarios, like OpenZeppelin's PaymentSplitter (https://docs.openzeppelin.com/contracts/4.x/api/finance#PaymentSplitter) for managing the distribution of the prize. \n\nIf multiple participants or even team members individually report the same vulnerability, our system has some sybil resistance in place, with each instance awarded a share of one point depending on the number of duplicates. \n\nIn case the same vulnerability is reported with different severities, they are all given the same severity for award calculation. The reward split can be calculated using a formula present at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. \n\nParticipants can easily verify their payout by checking the registered wallet address using polygonscan.com or wallet trackers like debank.com. 
To receive their share of the reward, they need to register their handle and Ethereum address while submitting their findings. \n\nIf a team of two submits one finding, one central payment will be made, and the distribution of the money to its members is up to the team as per https://docs.code4rena.com/roles/wardens. \n\nIf no Medium/High vulnerabilities are found in the smart contracts, the remaining contest funds are divided based on the Quality Assurance (QA) report curve. \n\nIn case you need to change your wallet address for future rewards distribution, you can simply use a new wallet address in your reports going forward, and the rewards for the report will then be distributed to the new address.", "Question: Can CodeArena support splitting payments between multiple Ethereum addresses for team rewards, and how is this managed?\n\nAnswer: Currently, CodeArena can only send team rewards for auditing to a single wallet address. The responsibility of distribution amongst team members falls on the team itself. A convenient way to manage this distribution is through the use of multisig wallets, or by using a contract such as OpenZeppelin's PaymentSplitter feature. Multisig wallets require multiple signatures from parties before funds can be released, providing security and control over the distribution process. The PaymentSplitter contract, on the other hand, provides a transparent and automated way of splitting payments. It is important to note that if a team of two or more members submits a single finding, one payment will be issued, and the team will have discretion over how that money is split amongst its members. More information about the splitting of rewards for teams can be found on CodeArena's document about wardens and their roles: https://docs.code4rena.com/roles/wardens and about the incentive model and awards: https://docs.code4rena.com/incentive-model-and-awards. 
There has been a noted need for more clarity on this process, and the platform is considering implementing features to better support teams in the future.", "Q: How can I check and understand the status of my submissions to a Code4Arena contest, including whether they were accepted or rejected?\n\nA: Once you make a submission to a Code4Arena contest, you will receive an email confirmation. You can view your submission in the \"Findings\" tab on the contest page (each contest has a unique URL, for example, https://code4rena.com/contests/2023-03-asymmetry-contest). \n\nOnce a contest is completed, the subsequent processes include Sponsor Review, Judging, Awarding, and Reporting. The final report, containing the status of your submissions and the reasons for acceptance or rejection of the findings, will be published on our website at https://code4arena.com/reports/. Please note that it might take at least a month after the contest ends for the report to be available. \n\nThe published report and the associated GitHub repository, which becomes public after the report is published, will allow you to understand the judges' perspective on the accepted and rejected submissions. Here you can also view and learn from the findings of other participants. If your findings were not accepted and you didn't make the award list, you can review the report and the public repository to understand why your submission was rejected.\n\nYou can also monitor the progress of the contest and the estimated timeline for the report to be published in the \"Past Contest Status Updates\" section. \n\nRemember that you can edit your findings prior to the contest deadline. After a contest has ended and is in the judging process, you will not be able to see the status of your submissions until the report is published. 
\n\nFor any queries related to submission rules, contest updates, results, team information, and rewards, feel free to ask in our Discord channel.", "Q: What are the key protocols that Code4rena has audited, and how does its approach differentiate from other auditing companies like Omniscia or Trail of Bits?\n\nA: Code4rena has audited various protocols, each of which can be viewed at https://code4rena.com/contests. An example includes the Cosmos project, which has a dedicated section on our platform at https://code4rena.com/cosmos. We pride ourselves in our approach to audits, which is somewhat akin to bug bounty programs, but with a few distinctions. Our process involves conducting audit contests, which allows us to get more auditors\u2019 eyes on code more rapidly than any other method, thus finding bugs more efficiently. \n\nYou can learn more about our process, the way teams operate, and how we classify different severity levels for bugs in our documentation at https://docs.code4rena.com/ and https://code4rena.com/judging-criteria/. Our contests have been highlighted in various events such as ETH.NYC and ETH.Denver, where our growth team was present. If you're interested in participating in our contests or want to learn more about our operations, you can sign up at https://code4rena.com. For any assistance or queries, our help desk can be reached at https://code4rena.com/help.", "Question: What are the rules and possibilities regarding team creation and participation in audits on CodeArena?\n\nAnswer: At CodeArena, there is no technical limit to the number of members that can be part of a team. You can add new members to existing teams or make changes such as removing members. However, there have been cases where users face technical issues when trying to add members, such as a blank page appearing. 
In that case, trying again on a different day might resolve the issue.\n\nTeams can be registered at code4rena.com/register-team, and the method for registering a team is detailed at https://docs.code4rena.com/roles/wardens#registering-a-team. Once a team is approved, members can log in and submit findings as a team.\n\nIf a person is part of a team, they can still choose to submit solo findings whenever they want. The submission form allows users to select whether they're submitting as an individual or as a team member. You're not obligated to always participate as a team once you've joined one. \n\nThere have been questions about how teams operate on Code4rena, especially regarding how prizes are split and how reports are submitted. An individual team determines how to split their portion of a pot amongst themselves, as per the awards information provided on https://docs.code4rena.com/incentive-model-and-awards. \n\nThere are also ongoing discussions about managing teams where not all members participate in the same contest and how to distribute rewards among team members who contributed. The relevant discussion can be found at https://github.com/code-423n4/org/discussions/43.\n\nNote that teams can consist of individuals with varying levels of English language proficiency and technical skills. Also, an individual's name can appear twice on the leaderboard, once individually and once as part of their team. High-ranked teams are even eligible to participate in competition.", "Q: What are the benefits and procedures of becoming a certified auditor with CodeArena, and how can auditors participate in private audits and audit contests? \n\nA: CodeArena, with its large and ever-growing auditor base, offers unique opportunities and benefits for auditors. To become a certified auditor, a good understanding of smart contract auditing is required, and you may need to participate in multiple audits to gain certification. 
Once you are certified, you can participate in private audits. The eligibility criteria for each opportunity is listed in #\ud83d\udd96rsvp-certified. Together with private audits, audit contests are also an integral part of the platform, and even organizations have shown interest in running these contests. \n\nHowever, do note that to gain permission to audit private contests, not only do you need to be certified, but also ranked on the leaderboard. For example, in the mitigation review for the jul05 Chainlink contest, the top three auditors were selected. There's also a possibility that there might be a ranking cutoff for auditing private contests, with top 3 or 5 usually selected for mitigation review or invitational. \n\nIf you are a part of a team and want to participate solo in a contest, it is suggested to manage this carefully as it could have implications for the team's audit. \n\nIn terms of tools for auditing, users have queried about Hardhat/Truffle or Foundry, highlighting the importance of tool selection in the process. It's also worth mentioning that auditors can use information about protocols they have audited on other bug bounty platforms to fill their profiles. \n\nCurrently, private, versus, and mitigation audits do not impact the leaderboard, but there has been discussion about including them in the future. To understand how to approach auditing of big projects, you may refer to this blog post: https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan. \n\nLastly, the CodeArena platform is continuously evolving, and while there might not be any upcoming competitions, there are talks with several people about potential audits. 
Stay tuned for more opportunities and developments!", "Question: How are rewards from competitions distributed, when should I expect them, and is there a way to see how much I or my team earned before the rewards are sent out?\n\nAnswer: After a competition concludes and the submission is confirmed, the reward amounts are announced. The distribution of these rewards doesn't occur immediately upon announcement. This delay is due to the usage of multisignature (\"multisig\") wallets, which require signatures from multiple parties before funds can be released. Eventually, the goal is to distribute awards via smart contract when further components are put into place.\n\nIt's also important to note that the distribution process is manual and typically done in batches for multiple contests at a time. This means the exact timeline for receiving rewards may vary, but the team is working hard to reduce turnaround times. While there might be instances where rewards distribution may take up to two months, this is considered a worst-case scenario.\n\nAs for the reward amount each participant or team earned, this is determined based on the contest's results. In competitions where only one high and one medium issue are found, the reward distribution may differ. Also, if no high or medium issues are found in a contest, there may be questions as to what happens to the rewards.\n\nIf you're part of a team, the reward is sent to a single address and it's the team's responsibility to distribute it amongst themselves. Each team determines how to split their portion of a contest's reward. You can find general information on awards and their distribution at https://docs.code4rena.com/incentive-model-and-awards.\n\nFinally, you can check the announcement channel for updates on reward distribution and look at the leaderboard to gauge how you and your team performed. 
However, there isn't a way to check the exact reward amount before they are distributed.", "Question: What is the process and requirements to become a Certified Warden at CodeArena?\n\nAnswer: Becoming a Certified Warden at CodeArena involves completing a Know Your Customer (KYC) process, which may be delegated to Provenance. This involves providing an identification document such as a passport or a driving license and potentially a proof of residence. Alongside this, there is a requirement to participate in a certain number of contests and have a certain number of valid findings or reports. Once approved, it may take some time for an applicant to be marked as a certified warden. Being a Certified Warden provides privileges such as the eligibility to attend private audits, participate in private contests, and potentially serve as a judge in certain circumstances. However, certain conditions may need to be met for these benefits. More detailed information about the process and requirements can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints and https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor. Please note, it's important to review these links as the specifics can change and they contain the most up-to-date information.", "Question: I'm encountering a 404 error when trying to access certain repositories on CodeArena's GitHub, including the buttons repo. Are some repositories private or is there a different issue?\n\nAnswer: Yes, some of the repositories on CodeArena's GitHub are private, including the buttons repo, which could cause a 404 error when trying to access them. However, once these repositories are made public, you should be able to access them without any issues. 
It's also worth noting that CodeArena hosts repositories ending with the suffix -findings, such as [https://github.com/code-423n4/2022-04-backed-findings](https://github.com/code-423n4/2022-04-backed-findings), and these repositories should be accessible. \n\nThere have been instances where users experienced a similar issue, such as with the link [https://github.com/code-423n4/2021-04-redacted](https://github.com/code-423n4/2021-04-redacted), but these problems were later resolved. \n\nYou can browse issues on [https://code4rena.com/reports](https://code4rena.com/reports), and each issue provides a link to the relevant Github issue. However, please remember that if the \"Create Issue\" button is not responding, there might be a technical issue that needs to be resolved. \n\nAlso, if you're looking for the leaderboard, it can be found at [https://github.com/code-423n4/code423n4.com/issues?q=leaderboard](https://github.com/code-423n4/code423n4.com/issues?q=leaderboard). And for information on 'known issues' policy, please visit [https://github.com/code-423n4/org/discussions/50](https://github.com/code-423n4/org/discussions/50).\n\nLastly, please note that adding a link to a sponsor's Github repo code in a findings report does not automatically pull in that code snippet to the report. You have to manually include any required code snippets in your report.", "Question: What are the perks and process to become a Certified Warden and how does it relate to accessing our private repos?\n\nAnswer: Becoming a Certified Warden at CodeArena (C4) comes with several privileges. Certified Wardens are given backstage access, allowing them to observe the report submission and triage process. They are also part of a permissions group/team on GitHub and have access to private repos, although their emails and GitHub usernames won't be listed publicly by C4. Users can decide whether they want their membership on private teams public or not. 
Certified Wardens also get earlier access to the findings repositories so they can assist with post-contest processes.\n\nIt's important to note that Certified Wardens are also able to participate in private contests to a certain extent. They are encouraged to look at the findings of other wardens once the findings repository becomes public. They also have access to specific channels such as the contest preview channel and a private channel for certified+ wardens which assists with various process-related tasks. \n\nTo become a Certified Warden, users need to register as a warden initially. The specifics of the certification process have not been fully detailed yet, but it involves making a certain level of established contributions. The professional conduct guideline requires all findings to be treated as private and confidential until the contest report is made public (https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines). \n\nLastly, user profiles for Certified Wardens have additional functionality and can be edited, this feature is currently only available to those who were certified when warden profiles were introduced. Trust between wardens and sponsors is paramount, and there is a concern raised about the potential misuse of disclosed vulnerabilities. All these aspects contribute to the transparency and effectiveness of our audit processes.", "Question: What is the purpose of providing ID in CodeArena and could there be a two-tier system, where ID holders get access to everything, including deployed code, while non-ID holders only get access to non-deployed code?\n\nAnswer: The purpose of ID verification in CodeArena is not solely to punish exploits applied to deployed code; it also helps maintain the integrity and security of our platform. 
The idea of a two-tier system has been suggested, where those who provide ID have access to everything, including deployed code, and those who don't provide ID only have access to non-deployed code. However, it's important to note that if a line of code has multiple ways of exploitation, all bugs should be reported while prioritizing the most impactful one. It's also important to know that known issues can be used to build a more complex exploit, and vulnerabilities identified by bots can potentially be rated lower than their actual severity. We encourage our users to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid when submitting an issue. For more information about our platform and its operations, please refer to the following link: https://github.com/code-423n4/org/discussions/50.", "Q: What is the process and estimated timeline for announcing and distributing awards after a contest at CodeArena?\n \nA: After a contest ends at CodeArena, the timeline for announcing and distributing awards can vary depending on several factors. The judging process typically takes about 8 weeks. Once the judging is completed and the leaderboard is created, awards are generally announced in the same week. \n\nThe distribution of awards then follows, typically within 1-2 weeks after the announcement, but this can sometimes take up to two weeks. This is because the payments are processed manually in batches for multiple contests at a time, and are usually rounded up in a standing Monday meeting for processing. Participants can find the list of awards in the announcements channel on our Discord.\n\nThe overall process from contest end to award distribution can take from 2 weeks to over 2 months, depending on the time taken for sponsor review, judging, and awarding. 
We aim to process and distribute contest awards as quickly as possible, with the goal of completing this within the week of announcement.\n\nPlease note that award distribution cannot start until the entire process is completed and that the process of distributing awards is carried out with careful double-checking at each step to ensure it\u2019s done correctly and securely. Once the awards are distributed, they are sent to the user's registered wallet address.\n\nRemember, you will receive an email confirmation upon successful submission of your contest entries. If a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week.", "Question: How does Code4rena handle duplicate vulnerability reports from multiple wardens, particularly in terms of award distribution and severity rating?\n\nAnswer: At Code4rena, if the same vulnerability is reported by multiple wardens, each warden receives a share of the award for that vulnerability. The reward money for the vulnerability is divided among the wardens who found the issue. The severity of the vulnerability, even if reported differently by various wardens, is standardized during deduplication and judging processes. This means that all wardens who reported the same vulnerability are given the same severity for award calculation. \n\nHowever, it's important to note that the more wardens find the same issue, the less money each warden receives for this issue. Also, the order in which wardens report a duplicate bug does not impact how much they get paid. In addition, the level of detail in the submission, for example, the inclusion of a Proof of Concept (PoC), can influence the award amount.\n\nRegardless of whether a finding is submitted by a team or an individual, only one payment is issued per finding. If a team of wardens submits a finding, they will have discretion over how to distribute the payment among team members. 
Additionally, duplicate submissions are subject to some sybil resistance, with each instance awarded a share of one point depending on the number of duplicates.\n\nFinally, it's worth noting that non-critical vulnerabilities can also be reported as they benefit the sponsor, despite not being considered for awards. More information on this topic can be found at the following link: [Code4rena Awarding Process](https://docs.code4rena.com/awarding/incentive-model-and-awards).", "Question: What is the status of the LPT and NFTX token rewards? Why are they still pending and when can we expect them to be released?\n\nAnswer: As of now, the LPT and NFTX token rewards are still pending. Various factors could contribute to the delay, for instance, the completion of certain findings like NFTX, KYC (Know Your Customer) verifications, and potential technical issues. It's important to note that not all tokens are fee-on-transfer, and the specific chains accepted for payment from the sponsor side were not specified in the chat, which could be contributing to the delay. However, the company is aware of these inquiries and an update on the LPT and INS awards is expected in the upcoming week. If KYC verification is still pending after a considerable time, you can submit a help request. Please keep an eye on our updates and thank you for your patience.", "Question: What is the cost of a Code4Arena audit if no critical or minor vulnerabilities are found?\n\nAnswer: There is not a specific cost defined for audits that come back without any critical or minor vulnerabilities found. The cost in such rare events would be decided on a case-by-case basis. It's important to mention that Code4Arena follows a rigorous audit process \"More auditors, more findings\" that consistently identifies bugs faster than other methods. This is why cases with no vulnerabilities are considered anomalies. The company charges a fee beyond the contest bounty for conducting audits. 
In situations where no medium or high vulnerabilities are found, the remaining funds are divided based on the QA Report curve, as detailed at https://code4rena.com/reports/2021-11-fei. For more information on the judging criteria and the process for vulnerability estimation, consider visiting the following link: https://docs.code4rena.com/awarding/judging-criteria#estimating-risk. If you have found a potential vulnerability in the Code4Arena webapp, please report it to security@code4rena.com.", "Question: How is the bounty distributed amongst auditors who find the same or similar bugs in the CodeArena platform?\n\nAnswer: At CodeArena, the bounty is generally split amongst those who discover the bugs, including scenarios where multiple auditors report the same bug. This is not a first-come, first-served system - the timing of the bug discovery does not affect the reward and there is no difference in payout between the first auditor to find a bug and any subsequent auditors who identify the same issue. \n\nThe overall value of the bug is reduced and split based on how many auditors find it. This reduction is calculated semi-geometrically, with the reward being split evenly amongst members of a team if they find an issue together. This process ensures that all auditors are incentivized to participate and rewarded fairly for their contributions. \n\nHowever, common findings are usually out of scope as they are picked up by the C4udit tool. If a bug is not picked up by the tool, it should be submitted. Auditors can submit code for proof of concepts (PoC) for each bug they find, either by adding a zip file to the submission or sharing a private Github repository.\n\nThe exact reward split for a case where multiple auditors identify a bug can be calculated using the formula present in the [CodeArena Documentation](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). 
\n\nIt is important to note that CodeArena's model differs from the traditional bug bounty model where the second person to report a bug receives no reward due to duplication. At the conclusion of every contest, a report about the bugs found is released, which can be used for learning. \n\nIf you're interested in more details on this process, you can find examples of past submissions at [CodeArena Reports](https://code423n4.com/reports) and consult the [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit) section of the Code4rena documentation.", "Q: What happens in the event that a contest ends with no valid submissions? \n\nA: While we haven't yet faced a scenario where a contest concludes with zero valid submissions, rest assured we have plans in place to manage such anomalies on a case-by-case basis. In the scenario where no high or medium issues are found, questions have been raised about the dispensation of the reward pot; again, this would be handled individually per contest. All submissions, valid or not, will be accessible once the repository of the contest has been made public. This provides participants an opportunity to understand why their submissions were deemed invalid or were not selected for a reward. Also, we encourage participants to get their issues queried if marked as invalid by following the backstage channel for the post-judging stage of the concerned contest. Participants can expect feedback from a judge if a finding is marked invalid. Please note, submitting more than three invalid issues could lead to sanctions within the contest. It's also important to point out that any submissions or amendments to submissions are not accepted once the contest has ended. More information on these processes can be found in discussions on our forum. 
[Here](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123) is a related discussion about releasing all unverified submissions a few days after a contest ends. We are continually refining our processes, and enhancements to the submission mechanism are being considered for future contests.", "Q: I encountered errors while making a submission on CodeArena. What could be causing this and how can I resolve it?\n\nA: There can be several reasons why you're experiencing errors during the submission process. Some of these could be due to technical issues with the submission form, issues with GitHub that affect the contest submission form, a size limit on large submissions, or intermittent issues with the submission process. \n\nIf you're seeing a purple screen when a dropdown is clicked, this is a known issue that has since been resolved. If you were unable to submit a report update or help request, please note that these issues have been acknowledged and subsequently fixed by our team. \n\nIf you're unable to submit your QA due to missing the deadline, we advise you to ensure you submit your entries well before the deadline next time to avoid such issues. \n\nFor those who are unable to submit their findings to specific contests despite having made submissions, or if you've accidentally submitted your findings to the wrong contest, you can fill out a form to let the C4 staff know about the incorrect submissions at [https://code4arena.com/help/](https://code4arena.com/help/).\n\nIf your gas report or QA report is larger than ~65k characters, it can't be submitted through the form due to GitHub's max character limit on the issue descriptions. In such cases, you can email your submission to submissions@code423n4.com.\n\nIn cases when you're unable to submit a form due to an error message or any other reason, we suggest trying to refresh the page or change your browser. 
If you continue to experience issues, you can forward your requests to submissions@code4rena.com. Our team is always ready to assist you with any problems you may encounter.\n\nPlease note that there have been instances of GitHub rejecting submissions via the API, which may result in failed submissions. These issues are usually resolved quickly by our team. \n\nFinally, if you're having issues with submitting an analysis as a team due to an error about a saved polygon address, assistance is available through our help desk.\n\nRemember, you can always seek assistance from the CodeArena team when experiencing issues with submission. We're here to help and ensure you have a smooth experience on our platform.", "Question: What is the process and guidelines for submitting QA and gas reports for contests on CodeArena?\n\nAnswer: For each contest, participants are required to submit one combined Quality Assurance (QA) report and one combined gas report. As a participant, you should ideally group all issues together in these reports, and separate the gas report from the QA report. The amount of detail required for QA and gas optimization reports is not as comprehensive as for high severity issues. Nonetheless, the judges consider both the quantity and quality of submissions when grading these reports.\n\nHere are some points to note:\n\n1. There's no direct incentive for reporting QA type submissions, as sponsors are more interested in high/medium/low severity vulnerabilities and gas optimizations. \n2. If a report exceeds the number of characters allowed in the submission form, you can submit a placeholder and send the detailed report via email to report@code4rena.com. \n3. Participants also have the ability to edit existing findings in their reports. \n4. Examples of top QA/Gas reports from past contests can be found at https://code4rena.com/reports. \n5. 
For some contests, there may be no gas optimizations in the final report if there was not a gas pool for that particular contest.\n6. The FAQ on the CodeArena website about large gas or QA report submissions could be updated to reflect these recent changes. More information about QA/Gas reports can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards.\n7. If no Medium/High vulnerabilities are found in the smart contracts, remaining contest funds will be divided based on the QA report curve.\n\nWe are currently in the process of improving the FAQ on the CodeArena website to reflect these points and more, but we don't have an ETA for this.", "Question: I'm experiencing issues while attempting to submit or edit a QA report for a contest. What can I do to resolve this?\n\nAnswer: We are aware that users may encounter various issues during the QA report submission process. If you are receiving an error message, it could be due to a number of reasons. For instance, there are reports of users experiencing difficulties with the 'Create Issue' button not responding, or encountering the error message \"API rate limit exceeded for user ID 81770958.\" \n\nIf you're hitting the API rate limit, it might be due to an excessive number of requests within a short period of time. In these cases, it can be helpful to wait a short while before attempting to submit again. \n\nPlease be aware that there's a potential size limit on submissions. If your gas report is larger than ~65k characters, it cannot be submitted through the form due to Github's maximum character limit for issue descriptions. In such cases, or if you're having difficulty with the submission interface, you can email your submission to submissions@code423n4.com. Please include your handle and the contest details in the email.\n\nUsers are allowed to submit one QA issue but can edit the existing submission if they find another error. 
If you need to edit an analysis after submission, you can do so under the \"Findings\" tab. Please note that you can edit a submitted QA report until the audit deadline.\n\nIf you are unable to submit your QA due to missing the deadline or if a submitted bug severity needs to be increased, you can submit a help request to remove the original submission and then submit again via https://code4rena.com/help.\n\nAfter submitting a Quality Assurance report, you can confirm if it has been successfully submitted by checking your email for a confirmation or viewing the findings through the \"View Context\" function. Your submitted bug report that has been rejected can be found in Github's closed issues. \n\nPlease remember to be patient and retry if necessary, as there have been intermittent issues reported with the submission process. It's always helpful to also keep us informed about any ongoing issues so we can provide further assistance.", "Question: What are the accepted chains for payment on the sponsor side at CodeArena? Are there any options beyond ETH L1, including alt L1s/L2s, or non-crypto payment methods due to legislative restrictions in certain countries?\n\nAnswer: At CodeArena, sponsorship payments are accepted in different forms based on the type of contest. For EVM league contests, ETH or Polygon is accepted while Cosmos is the preferred payment for Cosmos contests. Additionally, for contests such as the Chainlink one, a verification of identity is required after participation to receive the payout, a process that involves successful completion of the KYC requirements. It's important to note that contest prizes are often paid in USDC on Polygon's Mainnet. However, there has been a discussion about alternative payment channels due to legislative restrictions in certain countries. 
Although the specifics of these channels are still uncertain, it's clear that the company is working towards ensuring the platform is inclusive for all users, regardless of their location. Lastly, the company is looking to expand beyond EVM and Cosmos chains, which may result in the acceptance of additional payment chains in the future.", "Question: How can I troubleshoot issues on CodeArena if I'm using a mobile device and cannot access console?\n\nAnswer: We understand that mobile users may experience difficulties with certain tasks, such as viewing the console or interacting with specific buttons on our platform. If you're having trouble, there are several ways to seek assistance:\n\n1. If you're having issues with the 'Create Issue' button or viewing findings on Code4rena, our developers are aware of these issues and are working on resolving them. However, you should also confirm that there are no console errors present.\n \n2. If you're having trouble submitting a finding, you can check whether your submission was accepted at https://code4rena.com/reports. If you don't receive an email after submitting a finding, please open a help desk request at https://code4rena.com/help/.\n \n3. If you submit a Quality Assurance report for the first time and receive an error, you can check if it has been successfully submitted by checking your email for confirmation or viewing the findings through the \"View Context\" function.\n \n4. If you're having difficulties logging into Code4rena, we recommend creating a help desk request at https://code4rena.com/help outlining the issue you're experiencing.\n \nFurther, if you are unable to address your issues through these methods, you can email us at submissions@code4rena.com for assistance. It's also worth noting that our platform allows you to view reports from other wardens even after contests have ended. \n\nRemember, if you need assistance, don't hesitate to create a help desk request on https://code4rena.com/help. 
We're here to help.", "Question: What steps should I take if I'm experiencing issues with the web console in CodeArena, especially as a mobile user?\n\nAnswer: If you are experiencing difficulties with the web console - such as it not working, having trouble logging in, or finding that the 'Create Issue' button does not respond - the first step is to attempt to clear your localStorage and restart your device. If the problems persist, we suggest you send a detailed request to submissions@code4rena.com, including your handle and the contest in question in the email. \n\nMobile users who are especially impacted by these issues are also encouraged to use this method. Please ensure to outline the problem you're experiencing in the email to get the most effective assistance.\n\nIf you do not receive an email back after submission or registration, or in case of not getting certified after a response is received, you can create a help desk request at https://code4rena.com/help or alternatively, at https://old.code4rena.com/help in case of errors on the main help page. Help desk requests can also be used for checking your participation in an audit outside the leaderboard, verifying your status, and resolving issues with connecting your Discord account with your Code4Arena account. \n\nFor issues specific to team accounts, such as difficulties in adding new members or making changes to a team, the same help desk request link should be used. \n\nIf you encounter vulnerabilities impacting our web application, these should be reported to security@code4rena.com. If you continue to experience platform issues, we recommend backing up your findings and starting afresh. We're here to assist you, so don't hesitate to reach out for help.", "Question: What is the process and requirements for payment and rewards for sponsors and participants in CodeArena contests?\n\nAnswer: For CodeArena contests, the rewards come from the sponsors who also determine the scope of their contests. 
Depending on the contest, sponsors currently accept Eth or Polygon for EVM league contests, Cosmos for Cosmos contests. For specific contests like the Chainlink contest, participants can participate and verify their identity after the contest ends to receive the payment. This verification is a Know Your Customer (KYC) process that is necessary for contest participation and eligibility for rewards. All team members should undergo this KYC verification for contests like the base and the Chainlink contest.\n\nSponsors play a vital role in the acceptance of reported issues in smart contracts based on their severity. Wardens may get paid for sponsor confirmed issues or sometimes even disputed ones. However, Certified Wardens receive benefits, including backstage access and payments from KYC-required sponsors like Chainlink. \n\nRewards for submissions could be paid partially or fully, and distribution among team members can be managed through multisig wallets or using a contract like OpenZeppelin's PaymentSplitter (https://docs.openzeppelin.com/contracts/4.x/api/finance#PaymentSplitter). In the case when the team payout address is a smart contract, further inquiries can be made on how to proceed. \n\nSome participants made inquiries about alternative payment channels due to restrictions from certain countries. Code4rena is considering implementing a system for using different wallets for different submissions in a single contest, and the first steps in that direction are underway with wallet auth. \n\nTrust in the sponsors is vital, and there are channels available in the discord server for those interested in becoming sponsors (#\ud83d\udcbci-want-c4-to-audit-our-code). However, there are discussions about potential conflicts of interest, such as sponsors hiding bugs. \n\nIn March, a deposit was introduced to motivate sponsors to complete their reviews on time. However, sponsors do play a role in the delays of contest judgement. 
Contest payouts should be invoiced to the Code4rena Foundation.", "Question: I am experiencing an error when submitting a help request or a report on Code4rena.com. What steps should I take to resolve this issue?\n\nAnswer: There could be several reasons for encountering errors when submitting help requests or reports on Code4rena. The issue might be related to your browser blocking the captcha or a potential size limit on submissions. It's also possible to encounter errors if there is a space in your Discord handle. \n\nIf you are experiencing these issues, there are several ways you can seek assistance:\n\n1. First, try submitting your help request again at https://code4rena.com/help. It's noted that some users have managed to submit after multiple attempts. \n2. If your issue persists, you can forward your request to submissions@code4rena.com.\n3. Should you encounter difficulties with the support request form or if you're using mobile, sending your request to submissions@code4rena.com might be helpful. \n4. If you already submitted a report, but need to increase its severity or to withdraw it, please submit a help request at https://code4rena.com/help to remove the original submission and then submit again.\n\nRemember that once a help request is submitted, you should receive confirmation that your request has been received. If you do not receive an email after submitting a request, it's recommended to create another help request on https://code4rena.com/help outlining the issue you are experiencing. Please note that it might take some time for a submission to be confirmed via email.\n\nIn the event of persistent issues, the Code4rena team is always available to assist you. Don't hesitate to send help requests or support tickets when you need assistance.", "Question: I've completed the captcha, but I'm experiencing an error when trying to submit my report. 
Could this be because of my network?\n\nAnswer: While your network could potentially be a factor, there are several other reasons why you may be experiencing errors after completing the captcha. \n\nFirstly, ensure that captcha is unblocked in your browser settings. Some users were able to resolve submission errors this way. \n\nAnother potential issue could be the size of your submission. There have been instances where users encountered errors while making submissions, suggesting that there may be a size limit. \n\nIf you've made multiple attempts without success, the issue might be related to form validation not producing an error message. Cloudflare interceptions have also been known to cause submission errors. \n\nSometimes, issues with submissions could be related to local storage. A suggested solution to this is to clear your local storage and try submitting again. \n\nIf you experience any submission errors, you can always seek assistance by submitting a help ticket at https://code4rena.com/help. The team handling the platform will be able to offer assistance or communicate any known issues with the system. \n\nDo note, however, that there can be a delay in the confirmation of a submission via email. If the submission fails, the form should return an error.\n\nRemember, if you find another error after submitting once, you can edit your QA submission. If you continue to experience difficulties, don't hesitate to reach out to the team via our Discord chatroom.", "Question: I'm experiencing issues with submitting and editing my findings for a contest, what should I do?\n\nAnswer: There are several potential issues with submitting and editing findings. If you are trying to submit your findings and receive an error, this could be a problem with GitHub affecting the contest submission form. As a result, contests such as the Rolla contest have been extended for 24 hours to accommodate this issue. 
[Link](https://discordapp.com/channels/810916927919620096/953009382021533696/956244354496856174)\n\nHowever, there are other possibilities. For instance, some users have reported problems when submitting findings via certain browsers such as Firefox and Chrome due to permalink-related errors. Some users also face issues with the \"Risk rating *\" menu. You might also see the message 'No findings submitted for this contest' even after submitting your findings\u2014this could be due to a delay in the confirmation process. Normally, confirmation of submission is sent via email and can take some time. \n\nIf you want to edit your submitted findings, you can navigate to the contest page and click on the 'Your findings' button. This is where you can also add more findings to your report or update your QA report. You can find feedback for your findings here. \n\nThe procedure for submitting findings is clearly outlined in CodeArena's documentation [here](https://docs.code4rena.com/roles/wardens/sub). If you want to learn more about the submission policy, especially relating to automated findings, you can visit [this link](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). \n\nIn case of persistent issues, consider reaching out for further assistance or try a different browser.", "Question: What should I do if I experience issues while submitting findings on the CodeArena platform?\n\nAnswer: If you're unable to submit your findings or have issues related to loading your submitted findings, first ensure that the contest for which you\u2019re submitting the findings is still open. All findings must be submitted before the contest ends. If you're still within the contest timeline, you can submit your findings through the form available on the contest page on the website. 
\n\nIf you're waiting for warden verification or experiencing other issues, you can try withdrawing your previous submission and creating a new one under the \"Your findings\" section on the contest page. Please note that you can modify your submission any number of times before the audit closes through this same section.\n\nIn case you're unsure about the status of your submission or whether it will make it to the final report, we advise patience as the report and findings repo will be made public once the contest is finalized, typically a month after the contest ends. If you've submitted your findings but it shows \u2018No findings submitted for this contest\u2019, it might be due to a delay in the system updating or a potential bug, so please allow some time for the system to update your status.\n\nUncertainty about whether to submit a particular finding or how to classify it is common. If this happens, please submit all your findings or direct message the sponsor team for additional context. Even if you\u2019re unsure about the specification in documents, it's better to submit your findings. \n\nRemember that the important thing is not to be the first to submit findings but to submit accurate and thorough findings before the audit closes. Feel free to edit and modify your findings until the contest deadline. However, avoid discussing specific findings publicly before the report has been posted for the contest in question, as per our submission rules.\n\nIf you're unable to submit findings before the contest ends due to unforeseen circumstances, such as a power cut, unfortunately, we cannot extend the deadline or accept findings after a contest has ended. \n\nAfter submitting a finding, you will receive a follow-up, potentially via email. Please note, it may take some time for a submission of a finding to be confirmed via email. If your submission fails, the form should return an error. \n\nRemember that you need to be authenticated to submit findings. 
Currently, there is no option to submit findings without authenticating.", "Question: What is the process and timeline for the announcement of audit results and distribution of awards for the Biconomy Hyphen 2.0 contest on CodeArena?\n\nAnswer: The audit results for the Biconomy Hyphen 2.0 contest are currently under review. After a contest ends, the initial stage involves finishing the contest, followed by a review from our sponsors. The findings are then handed over to judges for their review and decision-making, which generally takes about 8 weeks. Once the leaderboard is created, the final audit report is prepared and published. \n\nIt's worth noting that the timeline could vary from 2 weeks to over 6 weeks depending on the scale of submissions to review and the time taken for judging. After the audit report is published and results are announced, the awards payout typically happens between 1-2 weeks later. \n\nFor the Biconomy Hyphen 2.0 contest, we expect the final report to be published in the coming weeks. Future audit events or contests are dependent on sponsors confirming the details and dates, and we will share more information about them, including the explanation of \"Audit summary awards\", closer to the contest start. \n\nFor information about ongoing and upcoming audit contests, you can visit our website [code423n4.com](https://code423n4.com/). For specific audits such as the upcoming Basin audit for the Bean Money protocol, you can refer to the respective contests' page, for instance, [Basin audit](https://code4rena.com/contests/2023-07-basin). \n\nPlease bear in mind that the timeframes mentioned are indicative and can vary depending on numerous factors involved in the auditing and judging process. We appreciate your patience and understanding during this process.\n", "Q: I didn't receive a confirmation email after submitting my findings to a contest. 
What might be the issue?\n\nA: Upon successfully submitting your findings to a contest, you should typically receive a confirmation email from submissions@code423n4.com. However, there have been cases where participants experience delays or do not receive this email due to various reasons.\n\n1. Email Delivery Issues: Some users have reported issues with receiving emails from our system, especially from the Provenance platform. It's also important to note that there was an error in email delivery to the incorrect domain submissions@code432n4.com instead of the correct domain submissions@code423n4.com. \n\n2. Spam Folder: We recommend checking your spam folder as some confirmation emails may end up there.\n\n3. Submission Errors: If your submission was unsuccessful, the form should return an error. Please verify if you received any such error messages during your submission process.\n\n4. Delayed Confirmation: Please note, it may take some time for your submission to be confirmed via email.\n\nIf you submitted your findings but did not make the award list, it is possible that your findings were rejected. You can verify by reviewing the available report.\n\nIf you are still unsure, please feel free to reach out to us by Direct Message to check the status of your submission. \n\nPlease remember, you are expected to receive a confirmation email for each submission you make, whether the issue you submitted is valid or not. The email confirmation does not include the Ethereum address provided by you. You can check all the submitted reports and their status during the competition via these confirmation emails.", "Question: I sent my submission early, is there a need for me to resend it and how do I confirm that it was received?\n\nAnswer: There's no need to resend your submission if you sent it early. CodeArena allows submissions at any time prior to the contest end time and has a policy of accepting only the first (or last) entry a person/team sends. 
Upon completing your submission, you should receive a confirmation email. However, it's important to note that there may be delays in receiving this confirmation email. If you don't receive a confirmation email within a reasonable time, please check your spam folder. If the submission fails, the form should return an error. \n\nIf you are still unsure about the success of your submission, you can check the status by looking out for an email and the ability to edit submitted findings. In case you submitted a finding to the wrong contest, you have the option to submit again to the correct contest and then fill out a form to let the C4 staff know about the incorrect submissions. This form can be found at https://code4rena.com/help/. \n\nYou also have the option to withdraw and resubmit your findings under the \"your findings\" section on the contest page if you wish to make corrections or additions. However, remember that late submissions cannot be accepted as per Code4rena's submission policy, which can be found at https://docs.code4rena.com/roles/wardens/submission-policy#late-submissions. \n\nThere were instances of technical issues with the submission process reported by some users, but these were resolved after communicating with the team. If you encounter any such issues, please contact Code4rena for support.", "Question: How can I access and review the results, findings, and reports of past contests on CodeArena?\n\nAnswer: After a contest is completed, the results are published on the CodeArena website, specifically under the \"Reports\" section which can be accessed at [https://code4rena.com/reports](https://code4rena.com/reports). Here, you can view the summary report of each contest, including the findings, awards, and judges' comments. \n\nIf you participated in a contest, you can track your report status and edit your findings even after the contest has ended. This can be done in the \"Findings\" tab next to the contest description. 
You can also view your QA reports for contests that have already closed. Submitted findings can be modified through the \"Your Findings\" button on the contest page. \n\nAs for viewing other wardens' findings, this can be done after the contest has ended and the findings repo is made public. However, visibility may vary if there is no table with results. \n\nIf you are interested in the schedule and progress of the final reports, they can be tracked in the \"Past Contest Status Updates\" section, which provides a timeline of where contests are currently in the process. \n\nTo view the awards for previous contests, visit the specific contest page, for example, the Nuo Network Contest at [https://code4rena.com/contests/2023-01-numoen-contest](https://code4rena.com/contests/2023-01-numoen-contest) and the Asymmetry Contest at [https://code4rena.com/contests/2023-03-asymmetry-contest](https://code4rena.com/contests/2023-03-asymmetry-contest). \n\nFor cumulative results from multiple contests, you can refer to our leaderboard at [https://code423n4.com/leaderboard/](https://code423n4.com/leaderboard/). \n\nPlease note that findings from a contest cannot be viewed after it finishes but before the results are published. Also, projects have access to submitted findings even before the contest completion. You will receive a confirmation via email once your submission is successful.\n", "Question: How does Code4rena handle QA and Gas Optimization reports, their grading, duplication and potential issues?\n\nAnswer: At Code4rena, participants are required to submit one combined Gas report and one combined Quality Assurance (QA) report for every contest they participate in. Ideally, all related issues should be grouped together in these reports. The reports should be written as divided reports, meaning the Gas report should be separate from the QA report. 
If a particular finding is relevant to both QA and Gas savings, it can be included in either report, and the judges will decide where it best fits.\n\nThe QA and Gas reports are awarded based on judges\u2019 scores. The amount of detail required for these reports is not as comprehensive as for high severity issues. The awarding process uses a formula which is calculated on a curve, however, the specifics of the formula remain unclear and it's planned to be updated. Examples of top QA/Gas reports for each contest can be found on our website [https://code4rena.com/reports](https://code4rena.com/reports). Also, there's a grading and sharing system, with Grade A reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus.\n\nWhen it comes to handling duplicates, QA and Gas awards typically disregard them, but it has been challenging to manage downgraded issues, which need to be paired up with wardens\u2019 QA reports. If you submit two similar reports and one is marked as a duplicate, it may affect the payout. For instance, in a contest named \"Redacted Cartel\", certain gas reports and QA reports were rewarded as duplicates, reducing their value for each warden.\n\nJudges consider both the quantity and quality of submissions when grading QA reports, and a single item in a QA submission is unlikely to receive a high grade. The number of issues reported in a Gas and QA report doesn't necessarily determine the grade; it could have one good issue to be a Grade B, or it could have multiple low-impact issues and still be a Grade C. 
\n\nFor more specific guidance on the grading and submission process, please refer to the following links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). Alternatively, you can watch this tutorial video on how to prepare a Gas and QA report [https://www.youtube.com/watch?v=nady250cNo4](https://www.youtube.com/watch?v=nady250cNo4).", "Question: How do I handle QA and gas reports for CodeArena contests, including duplicates, and where can I find the details about them?\n\nAnswer: Quality Assurance (QA) and gas reports are vital parts of CodeArena contests. In these contests, participants are required to submit one combined report for both QA and gas issues. A report includes all the issues found, ideally grouped together. The QA report should be separate from the Gas report. The amount of detail needed for these reports is not as extensive as for high severity issues. Examples of top QA/Gas reports from previous contests can be found here: https://code4rena.com/reports. \n\nFor report submissions, users have the ability to edit existing findings. In the case that a QA/Gas report does not fit in a single submit request, it can be split into separate sends. If there are any issues with the online submission, reports can be sent via email to report@code4rena.com. \n\nInformation about duplicates can be found in the source code (findings.csv) and at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434. It's important to note that the QA and Gas awards are determined according to judges\u2019 scores, and duplicates are disregarded. 
\n\nMore guidance on how to prepare a Gas and QA report, including report formatting and templates, can be found here: https://www.youtube.com/watch?v=nady250cNo4 and https://docs.code4rena.com/awarding/incentive-model-and-awards. Finally, keep in mind that a finding that is relevant to both QA and gas savings can be included in either report, and judges may decide where it best fits.", "Question: How does the new QA and Gas report handling system work in CodeArena and how does it encourage quality in submissions?\n\nAnswer: CodeArena aims to ensure fairness and quality in QA/Gas reports with its new handling system. Each contest participant is required to submit one combined QA report and one combined Gas report, where ideally all issues are grouped together. This change was designed with the goal of discouraging farming of low severity issues and incentivizing wardens to find unique high severity issues. \n\nThe QA report should include all non-critical findings, and the Gas report should focus on gas optimizations. Participants have the ability to edit existing findings as well to ensure that the reports are comprehensive and clear. The amount of detail required for these reports is not as comprehensive as for high severity issues. However, each case is evaluated based on both the quantity and quality of the submissions, maintaining a high standard throughout the competition. \n\nThe grading and awarding of QA and Gas reports can be found in detail in the following links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). 
\n\nThere's been some concern that these changes may not motivate the best efforts in QA/Gas reports, but it's also viewed that they could encourage fairer competition. Uncertainty remains on this aspect, but the ultimate aim is to have a more fair and quality-driven process for everyone participating in the contests.", "Q: What is the difference between static and symbolic security testing in the context of smart contract auditing, and what tools are commonly used for these tests?\n\nA: Static security testing involves examining the smart contract code without actually executing it. This method includes the use of solidity linter, a static analysis tool that flags programming errors, bugs, stylistic errors, and suspicious constructs in your contract code. Additionally, you can check your contract code in Remix for compilation warnings. An example of a static analysis tool often used for smart contracts is Slither. \n\nOn the other hand, symbolic security testing involves interacting with your contract code without conducting the transactions on-chain. This typically involves the simulation of transactions using software to predict the potential outcomes. One such example is the use of fuzzing tools like Echidna for this purpose.\n\nIt's also worth noting that automated tools can be used to aid in initially finding vulnerabilities. However, there is a higher burden of proof for demonstrating to sponsors a relevant high or medium severity exploit path to be considered satisfactory if automated tools are used for initial findings. More information on this can be found in this [discussion](https://github.com/code-423n4/org/discussions/50).\n\nWhile these security testing methods are critical in identifying potential vulnerabilities in a smart contract, it's also important to remember that real bugs get rewarded, but false positives do not. To ensure that the bugs are real, it is recommended to write an executable test. 
Furthermore, medium risk vulnerabilities ideally require test codes as Proof of Concepts when writing reports, similar to high-risk vulnerabilities.\n\nDespite the use of these testing methods and tools, some companies ask why people still get their smart contracts audited if automated tools have already reported vulnerabilities. The reason being, no tool can substitute the human element of understanding the project's code, providing value from a security perspective, and delivering results. Hence the importance of security audits.", "Question: How is symbolic testing conducted in the auditing of a smart contract, and does it involve the use of a testnet and observing transaction details?\n\nAnswer: Symbolic testing is a crucial part of the auditing process for smart contracts. It involves interacting with the code without executing transactions on-chain, usually by simulating transactions using software. This differs from static testing, which involves examining the code without interaction and using tools such as solidity linter and checking contract code in Remix for compilation warnings.\n\nDeploying contracts on a testnet can be a part of symbolic testing, but it is not always necessary. For simpler contracts or exploratory development, it may be more appropriate to use a private testnet or a tool like Hardhat Foundry, which can fork its state from a public testnet or even the mainnet. This makes it a more convenient option for testing smart contracts as it avoids polluting the testnet with unnecessary data and waiting time on blocks.\n\nSome auditors use a public testnet particularly for scenarios involving large numbers of users and complex state. There are available resources for testing contracts downloaded from Github with tools like Mythril, Slither, and eth-brownie, the latter of which can be useful for mocking contract deployments. 
\n\nContract testing may include checking for initialization on the Ethereum mainnet, demonstrating potential attacks (like re-entrancy attack), and testing specific functions within the contract, such as safeTransfer and safeTransferFrom in the case of token contracts.\n\nIt is also worth noting that some auditors create their own tests or isolate parts of the code for testing if there is no test environment in the repository. Foundry has also been suggested as a tool for testing scenarios in a local environment, providing an alternative to public testnet.\n\nWhile conducting symbolic testing, auditors might use graphical interfaces such as Surya (https://github.com/ConsenSys/surya), though it's noted as potentially outdated, to observe smart contract interactions.\n\nIn summary, symbolic testing is a flexible process that can be adapted based on the complexity of the contract and the resources available. Various methods and tools can be used, including but not limited to deploying contracts on a testnet and observing transaction details, local forking, and utilizing software like Foundry or eth-brownie.\n", "Question: What is the recommended way to submit gas findings in a contest at CodeArena?\n\nAnswer: At CodeArena, we advise contestants to compile all gas-related findings into a single, consolidated report for each contest. This can be achieved by adding or updating findings in your existing report rather than submitting multiples. To add more findings, simply navigate to the contest page and click on the 'Your Findings' button. \n\nWhile the report should ideally consolidate all gas optimization issues, if a particular finding applies to more than one line of code, it should be reported as one issue but should mention all applicable lines of code. In your report, the amount of gas saved for each finding might be required, but this typically depends on the judge's decision. 
Similar issues should be grouped together, an approach that is generally appreciated by both judges and sponsors.\n\nPlease note, it's important to separate gas findings from Quality Assurance (QA) reports. Therefore, you should submit one combined gas report and one combined QA report per contest. If a QA/Gas report does not fit into a single submission request, it can be split into separate sends.\n\nRemember, if you encounter an error message when trying to submit a Gas Optimization report for a contest, it may be due to a report having already been submitted. In such cases, you should update your existing report.\n\nFor further information, you can refer to the contest rules or reach out to us directly on our Discord chatroom [Link to Discord].", "Question: How is the contest price pool determined at CodeArena and does it relate to the lines of source code (SLOC)?\n\nAnswer: At CodeArena, the contest price pool is not strictly determined by the number of lines of source code. Instead, contests are scoped, meaning the criteria for the prize pool may be based on several factors including the complexity and scope of the source code, the level of difficulty, and other contest-specific requirements. For instance, smaller contests may have a prize pool of around $30,000. However, the number of lines can partially influence the pot size, though it's not the only determinant. \n\nIt's important to understand that the contest pot size may also account for a judging fee, meaning part of the prize pool is set aside for the team of judges reviewing the submissions. 
For example, the prize pool for a certain contest was adjusted to accommodate an increase in the judging fee.\n\nWhile the duration of the contests is not directly proportional to the size of the source code, the announcement of contests and payout timelines can be found at https://docs.code4rena.com/structure/our-process.\n\nMoreover, there may be discrepancies in the SLOC count for contests across different platforms. CodeArena is considering standardizing LOCs across different contests to avoid such confusion. More details regarding the scope of each contest can be found within the README.md file for each contest on the CodeArena platform. \n\nPlease note that there are both private and public contests at CodeArena. All submissions are graded and paid regardless of the time of submission as per CodeArena's policy: https://github.com/code-423n4/org/discussions/34. The awards for specific contests are also announced in advance such as the Stader Labs contest. Regardless of when a bug is found, the payout is equal for the first person to find a bug and any subsequent person who finds the same bug; the overall value of the bug is reduced and split based on how many people find it.\n\nOverall, CodeArena encourages participation from all levels of developers, including beginners. The company operates contests for analyzing smart contracts and helps in auditing smart contracts for other companies.", "Question: How is the contest duration and prize pool determined for CodeArena audits, especially for larger projects like Sublime with high Source Lines of Code (SLOC)?\n\nAnswer: Contest duration and prize pool at CodeArena are determined through a scoping process rather than being directly proportional to the number of Source Lines of Code (SLOC). This scoping process takes into account the complexity of the project and the expected number of participants, among other factors. 
For example, the Sublime contest, despite having almost 2000 SLOC, had a contest duration of 3 days and a prize pool of 30k. This is because, for scoping purposes, lines of code do not include comments and blank lines, and the Sublime project had around 600 effective lines of code.\n\nIt is worth noting that there have been instances where the timeline for a contest involving over 12k SLOC was extended to 4 weeks due to the complexity of the project and the necessity for a thorough audit. Also, a project named Maia, with 12K SLOC had an audit duration of 20 days, and this was subject to queries due to the seemingly limited duration. There is no standard duration or prize pool for a contest. For example, one contest had a substantial prize pool of $67,500 USDC for the main award and a $7,500 USDC for gas optimization. \n\nIn general, Code4Arena contests have been shorter than other platforms, like Sherlock contests, because high-quality results have been achieved even with a smaller number of auditors. However, the number of contests can vary, with discussions around handling up to 20 contests per week. Each contest typically receives between 150-300 submissions, which include quality assurance, gas, duplicates, and invalid entries. \n\nThe prize for a finding reduces approximately by 10% for each duplicate submission, and there is a mechanism in place to penalize unsatisfactory submissions to ensure the quality of the audits. The judging process is rigorous and can be slowed down due to sponsor reviews, as seen in the Sublime March 2022 contest. \n\nYou can view all submissions after a contest, and the leaderboard is updated accordingly, although there might be delays in updating for certain contests, like the Sublime contest. 
\n\nFor more details on individual contests, you can visit our contest page on https://code4rena.com/contests/.", "Question: How are changes to the scope of a contest managed mid-contest, and how does this affect participants who have already dedicated time to the contest?\n\nAnswer: The scope of contests at CodeArena is defined by the contest sponsors and is listed within the contest information. This scope guides the participants in their audit process. However, if there's a need to change the scope mid-contest, it's a sensitive issue as it could potentially disadvantage participants who have already invested time based on the original parameters. \n\nIt is recommended that participants discuss any specific questions or issues they have, including those related to scope, with the respective sponsor directly either via the contest channel or direct message. The dialogue between contestants and sponsors during a contest allows for an exchange of information on any potential issues. It's also emphasized that any changes to the scope of the contest are subject to the sponsors' discretion. \n\nThere is an understanding among the community that factors affecting the completion of a contest may not always be visible to all participants. Judging of contests may take a significant time period due to factors beyond judges' control. This can cause delays and potentially affect the leaderboard rankings, which may not always accurately reflect a user's accomplishments.\n\nThe community recognizes that there could be improvements in transparency around contest parameters, such as indicating the number of participants or the average percentage of pool awarded to give a clearer picture of the contest. \n\nIn general, it is important to remember that the contest results, reward distribution, and any potential changes are largely dependent on the sponsors and judges. 
Participants are encouraged to maintain open communication with them throughout the contest.\n", "Question: How is the potential level of effort determined in scoping a project at CodeArena, and are comments, blank lines, or line numbers considered in this process?\n\nAnswer: At CodeArena, the potential level of effort required to audit a project is determined by considering the complexity of the software, the number of smart contracts involved, and the size of the codebase. However, the count of lines of code (LOC) usually does not include comments and blank lines. The term Source Lines of Code (SLOC) is often used, which refers to the number of Lines of Code minus the number of lines that are comments. As such, SLOC gives a more accurate representation of the codebase size. \n\nFurthermore, there is a debate about the inclusion of line numbers in code snippets or direct links to the GitHub code in the audit reports, but this does not affect the initial scoping of the project. It's important to note that for larger codebases, more time might be necessary for a thorough review to avoid missing any potential bugs or issues. \n\nAlso, there were concerns raised in the chat about the limited duration for auditing larger projects, implying that the scope of the project does affect the time allocated. It is encouraged for participants to review the README.md file for each contest, as it outlines what is in scope for auditing and what is not. This further helps in understanding the scope and effort needed for the project.\n\nIf you are unsure about any aspect of the process, you are encouraged to review issues at https://github.com/code-423n4/org/issues, where you can provide fact-based comments, support suggestions, or open new issues.", "Question: Is the size of the Sublime contest, including all the interfaces, considered in scope even if they are not directly part of it?\n\nAnswer: The scope of each contest, including Sublime, is determined by the contest's sponsor. 
This information will be provided in the README.md file for each contest, which includes details on what is in scope and what is not. If there are interfaces included in the contest size but not directly part of it, their consideration in the scope may vary depending on the contest and sponsor.\n\nIt's also worth noting that the size of the source code (SLOC) is not directly proportional to the duration or complexity of a contest. For instance, contests like Basin and PoolTogether might have a large codebase but the duration of the contest doesn't necessarily increase with it.\n\nIf you have specific questions or doubts about the scope of a contest, you're encouraged to discuss these with the sponsor before the contest ends. This could include questions about whether bugs in in-scope contracts that impact out-of-scope contracts will be considered, or if more functions in an interface than are used in the code during a protocol interaction with a contract on-chain should be mentioned. \n\nIt's important to remember that if you come across a bug in a contract that's in scope, but it impacts another contract that's out of scope, the bug's impact might still be considered. However, the final decision will ultimately lie with the judge.\n\nIn our platform, we have seen participants cite similar findings from other contests to justify the severity and validity within a submission. This is allowed, but the judges will consider the entire context when making their decision. In case of uncertainty, it may be beneficial to link to other contests in your report to demonstrate findings, especially if they reference examples from Code4rena due to our rigorous judging and QA process. \n\nLastly, please keep in mind that there are factors affecting the completion of a contest which are not visible to all participants, such as the contest price pool which is not related to lines of code but is scoped. For example, the contests worth 30k are expected to be smaller. 
\n\nFor more detailed guidelines and instructions, please refer to our contest policies here: [Link to policies]", "Question: What factors determine the duration and scope of a contest for auditing a project on CodeArena?\n\nAnswer: The duration and scope of a CodeArena audit contest depend on several factors. Typically, a contest lasts for about 3 days to 5 weeks, based on the complexity and size of the project. For example, a project with about 600 lines of code can be audited within a 3-day contest, whereas a larger project like Maia with 12K Source Lines of Code (SLOC), required an extended duration of 5 weeks.\n\nThe scope of the contest, or the elements to be audited, is defined by the project's current status and requirements. For instance, a project yet to be deployed may not require auditing for vulnerabilities related to deployment or early actions like initializers. The scope of each contest is usually provided by the respective sponsor and can be found using the specific contest link, for example: [https://github.com/code-423n4/2022-07-golom#scope](https://github.com/code-423n4/2022-07-golom#scope).\n\nAudit contests involve various stages, including the initial contest, sponsor reviews, judging, and awarding, which can take anywhere from 2 weeks to over 6 weeks. The exact timeline for these stages can vary with each contest.\n\nTeams and individual participants can take part in CodeArena contests, and any specific questions or concerns (like understanding the difference between advice and a valid issue, deciding whether to participate solo or as a team, etc.) 
can be addressed to the sponsor before the contest concludes.\n\nFor those interested in running an audit contest or seeking further detail on how to approach auditing larger projects, other helpful resources such as this blog post may be beneficial: [https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan](https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan)\n\nUpcoming contests can be found on the CodeArena website at [code423n4.com](https://code423n4.com/), with 2-5 audit projects typically happening per week. Participating in these contests is a great way to gain a better understanding of audit reports and the process involved.", "Question: Can the scope of a CodeArena contest be modified while it's ongoing?\n\nAnswer: Generally, changing the scope of a contest after it has begun is not preferred, as it could disadvantage participants who have already spent time working within the defined scope. However, it's important to note that the scope of each contest is determined by the respective sponsors. This information is typically included in their contest details. If a contestant has specific questions or potential issues regarding the scope, they are encouraged to openly discuss these with the sponsors either through their contest channel or via direct message. This can include questions about in-scope/out of scope issues or severity of reported bugs. \n\nPlease bear in mind that there could be factors affecting the progression of the contest which might not be visible to all participants. For example, the public report page is updated mid-contest, and changes to the severity of reported bugs after the contest ends can be communicated to the judge via designated contact points. However, once the contest payouts have been sent, the outcome can no longer be altered.\n\nIf contestants feel like their findings have been overlooked, they can still flag these to the judge and the sponsor after the contest conclusion. 
Also, they can still upgrade the risk level of their submitted findings as long as the contest is still open. Additionally, if a correct bug issue is submitted with an incorrect proposed solution, it can be updated if the contest is still ongoing.\n\nIn conclusion, while the scope of a contest is rarely changed mid-way, there are mechanisms in place to address any concerns or adjustments that participants may need to make, as long as the contest is still open. It's always recommended to keep open lines of communication with the sponsors and judges throughout the contest duration.", "Question: How does the audit process work at CodeArena, including the impact of comments and blank lines, and what parts of the project are typically included in the scope?\n\nAnswer: The audit process at CodeArena takes into consideration the current state of the project, with the scope typically including the parts specified for auditing, such as contracts and sometimes script folders. The scope, which can be outlined in the README.md file of each contest or project, may not include vulnerabilities pertaining to deployment or early actions like initializers, especially for projects with already deployed code. It's important to note that the term \"in scope\" refers to the elements that should be audited, while \"out of scope\" indicates elements that should not be audited, as clarified [here](https://github.com/code-423n4/2022-07-golom#scope).\n\nThe number of lines of code, including comments and blank lines, can affect the perceived complexity of a project. However, for the purposes of scoping, comments and blank lines are not typically taken into account. It's worth noting that some auditors may automate the process of finding potential issues in the code. 
Concerns about understanding audit reports without an overall understanding of the codebase have been raised, and users can access a [blog post](https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan) to understand how to approach auditing of big projects.\n\nThere is an ongoing debate on the best way to reference code in reports, with some preferring to leave direct links to the code on GitHub, while others opt to refer to a specific file and line number. Auditors can also create coded Proof-of-Concepts (POCs) to further explain their reported issues, though it will not have an effect on awards or the contest per C4 guidelines. In the event of a low-impact QA report potentially becoming a high-impact report, the report could be upgraded. \n\nAlso, participants are allowed to engage in the audit process before their code is complete. Questions or doubts about the findings of past projects, the impact of automated findings on the contest, and whether bugs introduced through mitigation efforts should be reported can be discussed in our community. If there are no significant findings or findings at all, auditors can still send an analysis report about the system to provide advice on things to take into account in the future of the project. \n\nHowever, if your concerns focus on inconsistency, process, or lack of clarity in rules, you are encouraged to review issues at [this page](https://github.com/code-423n4/org/issues). They can add fact-based comments, support suggestions, or open new issues there. While there is some uncertainty about the scope and audit process, CodeArena is committed to providing a fair and comprehensive platform for auditing projects.", "Question: What should I do if I encounter an error due to a space in my Discord handle while filling out the CodeArena help form?\n\nAnswer: Currently, an issue has been reported about the help form not accepting Discord handles with spaces. This has been reported to the development team for a fix. 
While this is being worked on, you can apply the following workaround. You can either include your email address in the help form or enter your Discord handle without spaces in the Discord Handle field. In the Description field, please provide your actual Discord handle, including the spaces. \n\nRemember, it does not affect your ability to receive awards, but having an updated Discord username linked to your CodeArena account helps ensure you can be tagged in for any award announcements.\n\nIn case of other issues, such as a mismatch between your site username and Discord nickname, difficulty in connecting your Discord account, or lack of email confirmation after registration or a help request submission, please reach out for assistance by creating a help desk ticket at https://code4rena.com/help. \n\nIf you wish to associate your Twitter handle with your CodeArena profile or update it, you can do so by submitting a help desk request as well. Lastly, if you need to update your Discord handle in your profile on the site due to any Discord updates, you can do so through your C4 account or submit a help desk request.", "Question: Why isn't the actual code to be audited present in the C4 repository for Sublime, and how can I ensure I'm auditing the correct code?\n\nAnswer: The Code4rena (C4) process involves auditing specific hashes of code, rather than the master branch of a given repository. This is to ensure that auditors are all examining the same version of the code. The specific hash to be audited is usually provided in the README.md for each contest. In cases such as Sublime, it appears some auditors mistakenly analyzed the master branch, which led to confusion and wasted effort. To prevent this, always refer to the README.md for the contest in question. This document outlines what is in scope for auditing and what is not. 
\n\nIf you can't find the test setup in the C4 repo, consider checking the sponsor's GitHub for a potential test setup or isolating parts of the code for testing. \n\nFor more detailed information on the audit, you can look at the findings for completed audits, which are available on the C4 GitHub repo [https://github.com/code-423n4]. Also, the platform has an audit tool in progress at [https://github.com/HardlyCodeMan/audit_helper/].\n\nAs for peripheral code such as interfaces, some may be lost as they are in separate repos. Be sure to consider this when conducting your audit. \n\nIt's important to note that if a platform uses C4 to audit their code and no critical or minor vulnerabilities are found, we haven't specified what the cost would be.\n\nLastly, bear in mind that auditors can fork the codebase and create a private repository on Github without it being considered as information disclosure. The submitted findings will be created as a Github issue. \n\nFor further queries or difficulties understanding the audit reports, feel free to raise them in our Discord chatroom. We're here to help.", "Question: What is the typical timeline for the release of reward payments after an announcement at CodeArena?\n\nAnswer: At CodeArena, once a report is accepted or a contest is completed, the reward payment is typically announced. After this announcement, the payment release process commences. The signatures for award distribution are usually gathered during a standing Monday meeting. Consequently, it's common for the announced awards to be processed on the following Monday or Tuesday. That said, the timeline can vary depending on several factors. While the goal is to pay out rewards within the same week they are announced, it can sometimes take between 1-2 weeks for contest awards to be sent out. This delay is due to the necessity for meticulous double-checking at each step of the payment process to ensure accuracy and security. 
After payment is processed, participants just need to wait for the reward to be deposited into their wallets. In some instances, the release of reports after an audit payout may take a few weeks, and it is during this time that the results of a contest are made public. Please note that the timeline for publishing contest results is contingent on the time taken for judging. Also, while unlikely, there is a potential for the revision of the payment amount after payout. As this process involves various steps and sometimes multiple parties, we appreciate your understanding and patience.", "Q: How can I register my Ethereum address to be eligible for my share of the contest's prize at CodeArena?\n\nA: To be eligible for the contest's prize, you need to register your handle and Ethereum address. You can indicate your Ethereum address in the submission form when you submit your findings for each contest. Remember, rewards are distributed to one address for one handle per contest. \n\nIf you belong to a team participating in an audit contest, please note that the prize will be sent to a single address registered for the contest. It is the team's responsibility to distribute it amongst themselves. However, you can manage the distribution of prize money amongst team members through multisig wallets or using a contract like OpenZeppelin's PaymentSplitter (https://docs.openzeppelin.com/contracts/4.x/api/finance#PaymentSplitter).\n\nAfter the contest ends, you may verify your identity to receive the payout. If you have participated in the chainlink contest, follow the same process. If you placed in any of the contests, such as the nested finance audit contest, you can expect to receive your award in your registered Ethereum wallet, for example, MetaMask. \n\nIn case you need to change the wallet address where you receive awards, you can learn more about the process here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards. 
\n\nFor issues related to the rewards distribution, you may submit a Help Desk request at: https://code4rena.com/help/. \n\nPlease note, for some contests, you might be required to complete KYC to receive your prizes. You can find the form at: https://docs.code4rena.com/roles/certified-contributors. \n\nAlso, you can check the announcement channel for updates on reward distribution.", "Question: Can I use different wallet addresses for each finding I submit on Code4Arena and will the rewards for each finding be distributed to the corresponding wallet address?\n\nAnswer: Generally, rewards are distributed to one unique address registered under one handle for each contest. However, there is a provision to update your wallet address in a finding after submission and before the reward payout by submitting a request through the Help Desk at https://code4arena.com/help. It is important to note that if a reward is to be distributed, it is sent to the wallet address on file at the time the awards are calculated for an audit. If you use a new wallet address in your reports going forward, the rewards for the report will then be distributed to the new address. Please ensure to register your handle and Polygon address, as rewards are sent on the Polygon network, and not the Ethereum network. You can verify your payout for each vulnerability issue by checking your registered wallet address on polygonscan.com or wallet trackers like debank.com. If you are part of a team and submit a non-duplicate finding, the team generally receives more rewards than if the same finding was submitted individually. Please note that the submission form for each contest includes a field for users' wallet addresses which can be updated or confirmed. 
For more details, please refer to https://docs.code4rena.com/#incentive-model-and-awards.", "Question: How can I register, manage or change my Ethereum (ETH) and Polygon addresses on CodeArena for participation and rewards?\n\nAnswer: To participate in CodeArena (C4), you need to register your handle and Ethereum (ETH) address. For receiving rewards, you need to register your Polygon address as well. You can do this in your account settings and also in the submission form for each contest, which includes a field for users' wallet addresses. \n\nTo find your Polygon address, switch the network in your Metamask to Polygon Mainnet, copy your public keys, and paste them into Code4Arena. You can also monitor your address on the Polygon network at the following link: https://polygonscan.com/address/.\n\nIf you need to change your registered wallet (login) address, it's possible to do so in the platform settings. If you wish to change the wallet address used in a finding, you can update it after submitting the finding and before the payout by submitting a request through the Help Desk at https://code4rena.com/help. The payout for vulnerability issues can be verified by checking the registered wallet address using polygonscan.com or wallet trackers like debank.com. \n\nRegarding the discussion on Ethereum bridges, these allow sending funds to a different address. You can move funds back to the mainnet using the polygon bridge at https://wallet.polygon.technology/. There's also a service for potentially free Matic at https://wallet.polygon.technology/gas-swap/. 
Please note that you must be aware of the address for the Ethereum mainnet and smart contract wallets like Gnosis and Argent.\n\nRemember, you can always ask more solidity related questions on the platform or discuss more on Ethereum bridges, smart contract wallets, and other related topics.", "Question: How does the process of registering, saving, and changing Polygon and Ethereum addresses in my CodeArena account work in the context of receiving awards for contract auditing?\n\nAnswer: The process of setting up your Polygon and Ethereum addresses within your CodeArena account is critical to participating in smart contract auditing and receiving awards. When submitting your findings, there is a field for your Polygon address, which is where the rewards will be sent. This is separate from your Ethereum address which is also required for the withdrawal process. \n\nYou can monitor your address on the Polygon network at https://polygonscan.com/address/. Please note that any changes to your wallet address need to be registered with CodeArena, and can be done through the opt-in ID and address verification process. If you choose to change your wallet address on CodeArena to a new one, future rewards will be sent to the new address. This change can be made on the platform itself. \n\nPlease be aware that there have been instances of errors related to Polygon addresses when users have tried to submit their analysis as a team. Assistance for these issues is available through the help desk. Additionally, a user reported an error when trying to create an analysis report without a saved Polygon address. \n\nKeep in mind that regardless of wallet settings, funds will be sent to the address you control and you will need to send a transaction on Polygon to move the funds. At times, users have reported not seeing funds in their wallets, suspecting their keys might have been compromised. Therefore, it's important to ensure the security of your account. 
\n\nLastly, if you encounter any issues or need further assistance with registering, saving, or changing your Polygon or Ethereum address on CodeArena, please consult the help desk or community forum for help.", "Question: Can a smart contract create a signature of data for another smart contract to verify, and if so, how does this process work?\n\nAnswer: Yes, a smart contract can create a \"signature\" of data that another smart contract can verify. This process is made possible by following a standard called EIP-1271, which you can find more about on this [link](https://eips.ethereum.org/EIPS/eip-1271). \n\nIt's important to note that the contract \"signing\" the data and the one verifying the \"signature\" both need to support this EIP. The reason for this is that a smart contract does not possess its own private key, unlike a traditional user account. The signing process involves signing data with a private key and some parameters, a method often referred to as untyped data signing. Further information about this process can be found [here](https://github.com/code-423n4/2022-08-rigor-findings/issues/75).\n\nThis functionality would be particularly useful in situations where you want to prove that a certain piece of data originated from a specific smart contract. For example, this could be used to verify the origin of ERC20 tokens sent to a contract, or to ensure that a contract has been correctly initialized on the Ethereum mainnet.\n\nHowever, it's worth noting that auditing these interactions and correctly implementing EIP-1271 can be complex, often requiring the use of automated tools or professional assistance to ensure the absence of vulnerabilities. Platforms like [Sherlock](https://sherlock.xyz/) and tools like [Slither](https://github.com/crytic/slither) may be used to find potential vulnerabilities and bugs. 
Other novel approaches to auditing, such as converting the smart contract into visual shapes and training a model to predict the contract's vulnerability, are also being explored.\n\nWhen it comes to security matters and complex interactions like these, it's always best to seek advice from experts in the field to avoid potential pitfalls and ensure the highest level of security for your smart contracts.", "Question: How can I confirm that my finding has been successfully submitted to CodeArena?\n\nAnswer: When you submit a finding to CodeArena, the form accesses our GitHub and Mailgun APIs. If these APIs accept the post, your submission should be successful. In case they do not, the form should display an error message. After the successful submission, you should expect to receive a confirmation email within a few minutes, but please be aware that there may be occasional delays.\n\nHowever, it has been reported that some users do not receive these confirmation emails. If you haven't received a confirmation email, we recommend checking your spam folder as some of our emails have been reported to end up there. If you still cannot find the confirmation email, you can check the status of your submission by visiting the \"Findings\" tab on the C4 Contest page. Additionally, you can open a help desk request at https://code4rena.com/help/. \n\nPlease note that even if your submission has been successfully received, it may not always appear in the final report. The specific reasons for this are not immediately made known, and you might have to wait until the reports are published, which usually takes at least a month. If you receive two identical confirmation emails, there is no need to take any specific action. 
Also, you won't be able to modify your submission without submitting a new one.", "Question: Are there Solana developers in the CodeArena community, and are there plans to host Solana contests or provide Solana audits on the platform?\n\nAnswer: There could potentially be Solana developers in the CodeArena community, though it's worth mentioning that we haven't yet hosted any Solana-specific contests. However, there is an active interest and plans to expand beyond the current EVM and Cosmos chains, which could involve hosting Solana contests in the future. Also, there's a plan to open up to Solana audits on our platform. As we continue to expand our reach, our developers and users are encouraged to participate in discussions and contests across various blockchain platforms. This means we're not only focused on auditing but also fostering a community where questions related to Solidity syntax, programming, and smart contract issues can be discussed. Please note that our expansion plans are subject to change and we encourage our community members to check our website https://code4rena.com for the latest updates and contest announcements.", "Question: Why haven't the content reports on Code4rena's homepage been updated after February and how can I access these reports?\n\nAnswer: The content reports on Code4rena's homepage have not been updated since February because changes were made to the report and rewards calculation system. This process requires time to compile the data accurately. Please be assured that our team is working on this and a new batch of reports should be published soon. \n\nYou can find these reports at https://code4rena.com/reports. They are sorted by publication date and include both valid and invalid issues. After each contest ends, the leaderboard gets updated and users can see the number of overall issues they reported at https://code4rena.com/leaderboard. 
\n\nPlease be aware that after the leaderboard is shown and rewards are sent, the final report of the contest may not immediately appear on the C4 site. It's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project. \n\nIf you are experiencing issues with viewing these reports or have any queries regarding the report submission process, you can reach out to our team at https://code4rena.com/help for assistance.", "Question: Why aren't rewards distributed immediately after the reward computation is completed?\n\nAnswer: The delay in the distribution of rewards after their computation is due to the multifaceted process involved. Primarily, the use of multisignature (multisig) wallets is a factor. These wallets require signatures from multiple parties before funds can be released, which typically occurs during a standing meeting each Monday. Please note that this process does not guarantee immediate payment after the meeting and the timing can vary.\n\nAdditionally, rewards for a contest may still be pending even after the contest has finished. This could be because the project's leaderboard hasn't been updated or the final report isn't immediately available on the CodeArena (C4) site. After the leaderboard is displayed and the rewards are sent, the final report of the contest may not immediately appear on the C4 site. We recommend waiting until the full public report is published before drafting a write-up of some issue or bug found on a project.\n\nIt's important to note that rewards are sent out manually in batches for multiple contests at a time on the Polygon network, not the Ethereum network. The exact time range for reward distribution has not been specified.\n\nLastly, the company intends to eventually distribute rewards via smart contracts once more pieces are in place. 
For more details on the incentive model and awards distribution, please visit [https://docs.code4rena.com/incentive-model-and-awards](https://docs.code4rena.com/incentive-model-and-awards). Please bear in mind that there is no reward for submitting findings first in the competition as the system is not based on a first-come, first-served basis.", "Question: How does Code4rena manage the process of announcing and distributing awards for smart contract audits?\n\nAnswer: Code4rena announces and distributes awards following established procedures but is also open to community suggestions to improve clarity. The current method involves making announcements in the designated 'Awarding' section, which provides information on which submissions win rewards. After the announcement, the awards are batched and sent out manually for multiple contests at a time. The timeline for this process is aimed to be within 1-2 weeks after the announcement. \n\nThe distribution of the awards is based on the quality and uniqueness of the reports submitted. For instance, if multiple wardens find the same issue, the report covering the issue in the most detail, possibly including a Proof of Concept, would typically receive a higher award. Duplicates below a certain threshold might not receive any money. For team submissions, the team decides how to distribute the reward among its members. \n\nThere has been a suggestion from the community to split the 'Awarding' section into 'Awarding' and 'Paid' for increased clarity. Also, there is a proposal to grade and pay all submissions, irrespective of the time of submission. However, these are under consideration and not yet implemented. \n\nThe platform recognizes the need for further clarity on splitting rewards, especially for teams, and is open to suggestions for improvements. Detailed information on awards can be found at https://docs.code4rena.com/incentive-model-and-awards and https://docs.code4rena.com/awarding/incentive-model-and-awards. 
Please note that actual implementation can take up to two weeks due to the need for double-checking at each step to ensure it\u2019s done correctly and securely.", "Question: \nWhat is the status of the LPT and other pending rewards, and when can I expect to receive them?\n\nAnswer:\nYes, as of now, the LPT tokens, NFTX awards, and certain other rewards are indeed pending. We understand that some of you have been waiting for over ten days after completing your KYC, and we appreciate your patience. There are a number of reasons why rewards might be pending, even after a contest has concluded. In some cases, the awards still need to be calculated, or changes to the award calculation process may be causing delays. \n\nAn update on the status of these rewards is expected in the upcoming week. It's also worth noting that the status of past contests and their associated rewards can be checked in the \"Past Contest Status Updates\" section on our platform. \n\nIf your KYC application is still pending after a considerable amount of time, we encourage you to submit a help request. We understand that many of our participants are still learning about our system and processes, and we are here to assist you. \n\nPlease bear with us as we work to expedite this process. We value your participation and aim to ensure that all rewards are distributed as soon as possible.", "Question: How does the process work for becoming a Certified Warden at CodeArena and what are the benefits and responsibilities of the role?\n\nAnswer: Becoming a Certified Warden at CodeArena involves participating in code contests and going through the Certified Wardens process. This process can be initiated by registering as a warden and contributing to code contests. 
If there are issues or concerns with a report, wardens may seek clarification through various channels.\n\nCertified Wardens have exclusive benefits such as access to the contest preview channel and a private channel for certified+ wardens, which is a workspace for various process-related tasks. They are also part of a permissions group/team on GitHub which gives them access to private repositories. However, their emails and GitHub usernames will not be listed publicly, with individuals having the choice to make their team membership public or private. \n\nWardens also have the opportunity to team up and collaborate in the #\u26bdteam-formation channel. This teamwork can be beneficial for wardens who are great technical writers but are still developing their auditing skills, or for wardens with advanced technical skills who need help in improving their communication in English. \n\nFor wardens interested in monitoring the leaderboard, they can visit https://code423n4.com/leaderboard/. This site provides a ranking of wardens based on their performance in contests. \n\nNew participants are encouraged to look at the findings of other wardens and learn from them. This can be done once the findings repository becomes public.\n\nIt's important to note that trust between wardens and sponsors is crucial. There are concerns about potential misuse of disclosed vulnerabilities, which is why the professionalism and integrity of wardens is of utmost importance. \n\nWardens may get compensated for sponsor-confirmed issues and sometimes even disputed ones. However, specifics about payments and tax reporting are in progress.\n\nMore detailed information about Certified Wardens can be found in the documents (docs) provided by Code4rena. This includes the new functionality of Warden profiles and how private invites work.\n\nIn terms of announcements, they are regularly posted in the #\ud83d\udce2announcements channel on Discord. 
There's also a suggestion to have a channel named #audit-reports where updates will be posted whenever a new report gets published on the CodeArena website.\n\nIt's worth mentioning that there was a significant increase in the number of new wardens at one point, with over 200 new wardens registering in a 24-hour period. While some users speculated a Sybil attack or a marketing move, this highlights the growing interest in becoming a warden in the CodeArena community.", "Question: What are the implications and procedures if no high or medium risk findings are identified in a CodeArena contest like the JPYC Contest?\n\nAnswer: Indeed, the JPYC Contest did not have any high or medium risk findings as it was a straightforward fork of a mature project. However, the implications and procedures when no high or medium risk findings are detected in a contest are governed by a set of rules. If no high or medium vulnerabilities are found during a contest, the remaining rewards are divided based on the Quality Assurance (QA) Report curve as per https://code4rena.com/reports/2021-11-fei. \n\nHowever, occurrences of contests without high or medium vulnerabilities are rare. Contest entrants can submit findings they deem as high-risk and make a case in their submission for its consideration. If a finding classified as low risk in QA is confirmed as medium risk by other wardens, it is typically automatically upgraded by the judge. There's no penalty for incorrect medium/high submissions. \n\nHowever, it is important to note that non-critical findings do not share in the rewards. The classification of high, medium, or QA findings is determined by the severity of loss caused by the issue. If the principal can be stolen without needing extra conditions, then it's probably classified as HIGH. If all rewards can be lost, it's probably MEDIUM/HIGH. If there's a risk of only losing some rewards, it's probably medium. 
If rewards are lost due to roundings (a negligible amount of rewards), it's probably QA. \n\nFinally, the amount of prize money allocated to each Medium/High risk can be checked at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. High quantity and high-quality findings typically score better in CodeArena contests as shown here: https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues.", "Question: Can you explain the importance of gas optimization in smart contracts and how CodeArena uses gas reports in auditing?\n\nAnswer: Gas optimization is crucial in smart contract development as it can significantly reduce the cost of transactions on the Ethereum network. At CodeArena, we acknowledge the importance of gas optimization and use gas reports to identify areas where smart contract code could be optimized to use less gas.\n\nOur gas reports are an essential part of our auditing process. We have an automated tool, the c4udit static analyzer, which we use for Quality Assurance and gas optimization. You can find the tool at [https://github.com/byterocket/c4udit](https://github.com/byterocket/c4udit).\n\nWe assess gas findings based on the magnitude of their improvements in important functions. We do not necessarily require a Proof of Concept for the gas saved, though a detailed description and mention of gas saved are necessary and expected.\n\nWe have a variety of resources to learn more about gas optimization and related topics. One such resource is the recent CodeArena report, which details gas optimizations. You can find the report at [https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations).\n\nKeep in mind that all findings, including high, medium, low, non-critical, and gas-related issues, should be included in any reports. 
However, it's worth noting that our current focus is primarily on high/medium/low severity vulnerabilities and gas optimizations and there's no direct incentive to report non-critical findings.\n\nLastly, it's important to remember that while our tool is powerful, auditing also requires human expertise. We always encourage participants to ask for clarification on gas optimization if needed.", "Question: What's the process and criteria for archiving contests on Code4Rena? \n\nAnswer: Contests on Code4Rena are archived based on a number of factors. Primarily, the archiving was improvised due to a Discord limit on the maximum number of channels that can be put in a single category. Recently, there has been a consideration to archive contests in quarters to manage this channel limit. Once a contest is closed, a certain period of time elapses before the findings repo becomes publicly available for discussion, although the specific duration is not always mentioned. During this time, contestants can view their QA reports for contests that have already closed. It's also in consideration to release all unverified submissions a few days after a contest ends, before judging, for learning purposes - the discussion on this can be found on our forum [here](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123). The order of contests in the \"Past Contest Status Updates\" section represents the progression of the contest. Please note that judging of contests may take a lengthy time period, with factors beyond the judge's control contributing to delays. 
You can view past contest awards [here](https://code4rena.com/contests/2023-01-numoen-contest).", "Question: What are the current strategies for managing Discord chat logs and channels for CodeArena's increasing number of contests and what improvements could be implemented?\n\nAnswer: C4's current approach to managing Discord chat logs involves exporting them after contests are completed and the reports are published. These exported logs are then placed into contest repositories, which allows for the deletion of old channels and freeing up space. \n\nIn terms of managing channels, the company is considering archiving contests in quarters (Q1-Q4) to manage the channel limit on Discord. This strategy was suggested due to a limit imposed by Discord on the maximum number of channels that can be put in a single category. \n\nAs an alternative solution, creating a second category (2022-B) or adding new contest channels for each contest were strategies that have been implemented. Each contest has individual channels for questions, code walkthroughs, and other related discussions. For instance, specific contest channels have been set up for different protocols, such as the Quests Protocol.\n\nAdditionally, there was a suggestion to have seasons for the leaderboard that could span 4 to 6 months. Other strategies being considered include releasing all unverified submissions a few days after a contest ends for learning purposes and to stimulate discussion, which is detailed in this forum post: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123 \n\nIt's important to note, however, that not all findings from contests make it to the final report. To check this, you need to wait until the reports are published, which usually takes at least a month. Furthermore, there can be gaps in the schedule for live contests, and new contests are continuously being planned. 
\n\nIt is also worth mentioning that there is the option of allowing contest submissions at any time prior to the contest end time. Also, the \"Past Contest Status Updates\" section provides a timeline of where contests are currently in the process, and contest results are posted in the contest channel once judging is complete. \n\nThese strategies and improvements are aimed at providing a streamlined and organized experience for all participants and stakeholders.", "Question: Can I view all the submissions and the judge's feedback after a contest ends and before the results are published?\n\nAnswer: CodeArena is actively working on a process to release all unverified submissions a few days after a contest ends, before judging. This will allow participants to learn from what others found while the protocol is still fresh in mind. The process is a multi-step one that starts with an immediate review and triage of reports by judges, after which they await sponsor review, final judgment and Quality Assurance before they become public. \n\nOnce the final report is published and the findings repository is made public, you will be able to view all submissions, including those that were not rewarded, along with the discussion among sponsors and judges on the specific issues. This process allows for transparency and learning opportunities. For certified contributors, there are plans to allow immediate viewing of submitted issues right after contest closure and to comment or give input during judging.\n\nPlease note, finding submissions can be updated as long as the contest has not ended, but they are not made \"public\" until the contest is finalized and the report is published, to avoid dishonest practices. 
For more details and ongoing discussions, please visit [this forum post](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123).", "Question: How are high-risk findings treated if they fall out of the scope of a contest and what steps should be taken when submitting them?\n\nAnswer: Whether high-risk findings are accepted in a contest even when they are out of scope largely depends on the specific rules of the contest and the judge's discretion. In your submission, if you believe a high-risk finding should be considered, it\u2019s advised to make a strong case to the judge. This includes providing substantial evidence to support your claims, as high-risk issues generally have a higher burden of proof. \n\nIf a high-risk finding is judged as low risk or vice versa, it doesn't mean your submission will be discarded, you will still be rewarded based on the judgement. You can escalate the risk level of your findings if you feel it necessary. However, if a low severity finding listed in a contest's bot report is escalated to high severity, it is not automatically considered invalid. To understand the judging criteria in such instances, you can refer to our submission policy here: [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues)\n\nFor more insight, you can compare your findings with winning reports from our past competitions [https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues). It may help you understand what kind of submissions usually score better. \n\nYou also have the option to discuss issues with the sponsors before the contest is finished, including severity and scope-related questions. 
If you have specific queries about the scope for a contest, you can address them to the respective sponsor. \n\nRemember, findings listed in the best bot-generated report are usually out of a contest's scope, and the contest pot size may depend on the number of lines. It's ultimately up to the judge to decide whether an out-of-scope med/high risk finding will be awarded.", "Question: I am a beginner interested in smart contract auditing. Could you provide me with some useful resources and tips to get started?\n\nAnswer: Definitely! Starting your journey into smart contract auditing can be quite rewarding and engaging. Here are some resources and advice to help you get up and running.\n\nFirstly, for understanding the basics of smart contract auditing, refer to this post [here](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and this documentation [here](https://docs.code4rena.com/roles/wardens/tools-and-resources).\n\nTo learn Solidity, a key language when dealing with smart contracts, we suggest you to check out [CryptoZombies.io](https://cryptozombies.io/). For understanding how to tackle Capture the Flag challenges, you can refer to [CaptureTheEther.com](https://capturetheether.com/).\n\nWe have also observed that beginners may face issues in understanding certain code instances, so it's advisable to make one report and reference the related issues in it. To practice, we suggest you explore some past contests and read old reports which can be found [here](https://code4rena.com/reports). Starting with reports from smaller bounty contests might be beneficial due to their smaller codebase sizes and less complexity.\n\nIf you're unfamiliar with Markdown, which is used extensively in writing audit reports, you can learn it [here](https://markdown-it.github.io/). 
For learning about the Solidity compiler and other specific topics such as gas optimization, regex, and analysis of abstract syntax tree, community members often share resources in our chatroom.\n\nConsider participating in a contest to get some hands-on experience. It\u2019s a good idea to just dive in and start contributing. You can also privately ask questions and receive guidance on more fragile aspects of the system. Code4Arena even encourages users to participate in upcoming code contests.\n\nLastly, remember that the community is here to help you. If you encounter an error or need advice, don't hesitate to ask. You can also reference our guidelines and FAQs [here](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118) for further assistance. Happy learning!", "Question: I'm having difficulties sending a text in the main chatroom and I can't submit a finding. How can I resolve this?\n\nAnswer: Our main chatroom access is currently restricted to contributors only in order to reduce spam and off-topic discussions. However, if you're experiencing difficulties with submitting a finding or sending a text, it may be due to multiple factors such as browser compatibility issues, mobile device limitations, or chat platform reporting issues. We recommend trying the following steps:\n\n1. Ensure you're using a compatible and updated browser. If the issue persists, try switching to a different browser.\n2. If you're using a mobile device, note that there may be certain limitations such as viewing the console. In case of any issues, you can send your requests to submissions@code4rena.com for assistance. \n3. Check if your issue can be resolved through the '+backstage' feature in our chat. \n4. If you're having trouble logging in to Code4rena, you can direct message someone from Code4rena or email us for assistance with account issues. \n5. Make sure your email provider isn't flagging our emails as spam. 
Yahoo and Hotmail users have reported such issues in the past.\n6. In case your issue is related to KYC (Know Your Customer) process or other specific queries, you can directly contact someone on our streams' protocol team.\n7. Lastly, if the website shows an 'Out of Office' message or you're unable to get a response after sending a ticket to Code4rena, note that there may be a delay in receiving responses due to high volumes of requests.\n\nPlease remember that we are continuously working to improve our platform and resolve any issues that our users encounter. Your patience and understanding are greatly appreciated.", "Question: Can you provide some information on how CodeArena handles Sybil resistance issues and if tools such as the Governor DAO Proof of Existence Token could be beneficial?\n\nAnswer: At CodeArena, we take Sybil attacks very seriously. We use various protection measures to prevent such issues, including scrutinizing actions like creating duplicate accounts to submit the same issue for greater share of rewards. We believe that our current systems are robust, but we are always open to exploring new solutions that may enhance our defenses.\n\nThe Governor DAO Proof of Existence Token is an interesting concept, and we appreciate your suggestion. However, it's important to note that its application would depend on many factors, including its compatibility with our existing security measures and overall system architecture. \n\nWe would be interested in learning more about this, as well as other potential solutions. Our team is composed of co-founders and engineers from different projects such as Lion's Mane, Tracer DAO, Gro, Reality Cards, and Pool Together, who are all available for communication about these and other topics. \n\nWe also encourage questions about our systems and procedures on our platform, including those related to solidity, smart contract interactions, and techniques for debugging and identifying vulnerabilities. 
We believe in fostering an open and collaborative environment where everyone can learn and contribute.\n\nWe also discuss pertinent issues around smart contracts, such as the context of problems within upgradeable contracts and slot collisions, mitigations for DDOS attacks, and the use of automated tools like Slither for static analysis. We're also exploring the application of machine learning for smart contract auditing.\n\nOur community users often share valuable resources on smart contract security, including books and certifications. For those interested in graphical interfaces to better understand smart contract interaction, Surya (https://github.com/ConsenSys/surya) was mentioned as a potential tool, albeit a possibly outdated one.\n\nAs we further develop our processes and tools, we look forward to a continued dialogue on these topics in our Discord channel.", "Question: I am unable to verify gas optimization for keccak expressions on recent solidity versions. Can you elaborate on when this optimization became obsolete and how to optimize gas usage in smart contracts?\n\nAnswer: The optimization for keccak expressions was fixed in Solidity 0.6.12. Here is the changelog for the changes made during that time: https://github.com/ethereum/solidity/blob/develop/Changelog.md#0612-2020-07-22. \n\nWhen considering gas optimization, it's crucial to understand that not all optimizations are valid when the optimizer is enabled, which can lead to some confusion. There are several proven methods and tools to help with gas optimization. For example, function inlining can be used to save gas in smart contracts. Also, an interesting automated gas optimization detected by an automated audit tool is 'Use assembly to check for address(0)'. This optimization using assembly could save a few gas, but it's not necessarily interesting or valuable for sponsors. 
You can read more about this issue here: https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs.\n\nHowever, it was observed that excluding the increment (++i) in a for loop can significantly reduce gas costs. Also, not initializing default variables to 0 is recommended for gas optimization in smart contracts. \n\nThere are also other gas optimizations that can be implemented. For instance, swapping the order of a function that first checks from storage, then checks the calldata, could optimize the gas. Another way is to use '1e36' in Solidity code, a more gas-efficient method of representing big numbers, as per the Solidity documentation here: https://docs.soliditylang.org/en/v0.8.15/types.html#rational-and-integer-literals.\n\nIt's also worth noting that there's a discussion about the gas efficiency of custom errors in contrast to require statements with a string in Solidity smart contracts. And in relation to smart contracts, a line of code like 'require(abc<123)' is considered a valid low finding as a \"magic number\". It has been suggested that declaring constant value will make the code more readable.\n\nLastly, one must remain aware of the cost differences between constant and immutable in Solidity. It was once true that immutable costs less gas than constants, but as of July 2020, this is no longer the case. Here is a Twitter discussion that supports this information: https://twitter.com/GalloDaSballo/status/1476925462010122245. And for more detailed insights on the gas cost for constant and immutable, refer to https://ethereum.stackexchange.com/questions/118547/is-the-gas-cost-for-constant-and-immutable-about-equal. \n\nRemember, while gas optimization is important, maintaining code readability and simplicity should also be a priority.", "Question: Hi! I'm Kathleen from IdleDAO (Idle.finance). 
Could someone guide me on how to engage with CodeArena for treasury management and understand more about the DAO voting system, smart contract auditing, and potential collaborations?\n\nAnswer: Hi Kathleen, welcome to CodeArena! For treasury management and investment collaboration, you can reach out to @\ud83e\udd96 eric (ninek) | C4. For understanding the DAO voting system, bear in mind that our token gives voting rights which includes authority over treasury. If you're interested in participating in private audits or planning to run an audit contest, you could also submit an application to become a certified warden. Becoming a certified warden also makes you eligible for payouts. \n\nFor any queries regarding the process, you can submit a help desk request at https://code4rena.com/help. If you're waiting for KYC mails, they may be delayed due to the DAO employees being on holiday, so do check your spam folder for emails from \"compliance@provenance.company\". \n\nIf you're new to smart contract security, you may find resources like yAcademy or this YouTube channel https://www.youtube.com/@smartcontractprogrammer useful. We also have a specific channel for certified+ wardens, which assists with various process-related tasks, so becoming a certified warden can be beneficial. I hope this helps.", "Question: What does the 'Total' column represent on the CodeArena leaderboard, and how is it calculated?\n\nAnswer: The 'Total' column on the CodeArena leaderboard represents the total number of valid findings of all severity levels by a specific individual or team. These findings are the result of audits, and the leaderboard is updated based on the dates of the audits, not the dates when awards were given out. The leaderboard's ranking is influenced by both the current contest and the total participation of a contestant. 
\n\nIn addition to the number of valid findings, for each unique High or Medium finding, the submission selected to be included in the audit report receives a 30% share bonus. This bonus is added to the total count. \n\nIt should be noted that the default setting for the leaderboard displays results from the last 60 days. However, you can adjust the settings to view results for a specific time period. Currently, private, versus, and mitigation audits do not impact the leaderboard, but there has been discussion about including them in the future. \n\nMore information about the leaderboard can be found on our website [https://code423n4.com/leaderboard/]. If you have further queries or issues, for instance, if you feel the leaderboard does not accurately reflect your participation in audits, we recommend you to create a help desk request explaining the issue.", "Question: How is the classification of findings (High, Medium, or Low) and gas optimizations handled in CodeArena's system and how does it impact the reporting and reward process?\n\nAnswer: CodeArena uses a risk-based classification system for all findings. This includes High, Medium, Low (or Quality Assurance - QA), and gas-related issues. Each level of severity has its own reporting process and reward mechanisms. \n\nHigh and Medium findings are the most severe, with each unique finding selected for inclusion in the audit report receiving a 30% share bonus. The amount of prize money paid to each Medium/High risk can be checked at [this link](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv). \n\nLow or non-critical issues are grouped together as QA. The lowest level of reported vulnerability that isn't a gas optimization is called \"Low\" or \"QA\", where QA includes both Low and non-critical vulnerabilities. There may even be bonuses for each low finding selected for the report. 
\n\nGas optimizations are also important and are judged separately from the risk-based issues. There's a suggestion that gas reports may need to mention the amount of gas saved for every finding. There's an award formula for these reports, but it's not clear if it's documented. \n\nWhen entering a contest, participants do not have to submit all reports for high, medium, QA, and gas optimization. They can submit what they find. However, it's important to know that all valid findings for gas optimizations are weighted the same.\n\nThis classification is based on the severity of the loss caused by the issue. If all rewards can be lost, it's a Medium/High risk. If there's a risk of losing some rewards, it's probably medium. If rewards are lost due to roundings (a negligible amount of rewards), it's probably QA. If the principal can be stolen without requiring extra conditions, then it's probably High. \n\nFor more detailed information on risk estimation, refer to CodeArena's judging criteria [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr). \n\nThe level of detail required for QA and Gas Optimization reports isn't as comprehensive as for high severity issues. Examples of the top QA/Gas report can be found at [CodeArena reports](https://code4rena.com/reports). \n\nPlease note that this classification of findings directly impacts their representation in the leaderboard's \"total\" column, which represents the total number of valid findings of all severity levels by a specific individual or team. Currently, users are interested in adding position numbers to the leaderboard and a Low column, but there isn't a definite decision on this yet. 
\n\nIn summary, CodeArena presents an intricate system of classification for findings, tied to the significance of the flaw detected and the potential loss caused, each with its own report and reward considerations.", "Question: Is a typo considered a valid issue in a QA report, and how does it affect the assessment of the report?\n\nAnswer: A typo in a finding could be considered a valid issue for a QA report, particularly if it drastically changes the meaning of the finding. However, if the issue is minor and does not significantly impact the understanding or functionality of the contract, it might be disregarded unless the issue is extremely obvious, such as a wrong parameter, code that doesn't compile, or a significant discrepancy between documentation and code. \n\nQA reports can include multiple findings that are non-critical, and those are typically classified as Low or Non-Critical (NC). Reports are graded based on the correct identification of the severity of the bugs, evidence provided to support the severity, and the clarity of the report. \n\nIt's important to note that judges can elevate the severity of a QA issue if it is described in detail. Also, incorrect findings in a QA report can affect the QA grade. You can edit your QA report if you find another error or if you want to provide more details. 
If you have doubts about whether a finding is only QA or Medium, you should file it as QA unless you have coded a proof of concept (POC).\n\nFor more information about the grading criteria and how to submit QA reports, visit these links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: When auditing smart contracts for a project, do the wardens take into consideration the current state of the project? Specifically, are vulnerabilities related to deployment or initial actions considered out of scope, particularly for projects with already deployed code?\n\nAnswer: Yes, the current status of the project is taken into account during an audit. However, the scope of the audit may or may not include vulnerabilities related to deployment or early actions like initializers, especially for projects with already deployed code. \n\nThis perception of scope is largely determined by the guidelines provided in the README.md file for each contest, which outlines what is to be audited and what isn't. Hence, it's always recommended for wardens to carefully read these guidelines before engaging in audit activities. \n\nIn cases where there is uncertainty about the scope or the severity of reported issues, wardens are advised to refer to the judging criteria and make their case based on evidence. The judging criteria can be found [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk).\n\nThe auditions performed by CodeArena have some similarities to bug bounty programs and sometimes utilize automation tools or fuzzing tools like Echidna for auditing in contests. 
At times, wardens might find vulnerabilities in contracts that are out of scope. While these findings might not be rewarded, they can be included in the C4 report or directly communicated to the project.\n\nLastly, it's worth noting that trust is a critical factor in our audit process. Once vulnerabilities are disclosed, there is a risk of misuse, and hence, establishing trust between the wardens and the project sponsors is of paramount importance. Similarly, certified wardens, who have access to findings repositories earlier, can assist with post-contest processes, further enhancing the audit process.", "Question: \nWhat does the term \"oracle\" refer to in the Scoping form, specifically regarding whether our project uses an oracle or not? \n\nAnswer: \nThe term \"oracle\" in the Scoping form is used to understand if and how your project incorporates external pricing or other data. This could be either through an existing, widely-used oracle or a custom one created by your project. \n\nOracles are third-party services that provide Smart Contracts with external information. They serve as a bridge between blockchain and the outside world. Depending on the type and source of data your project needs, you may choose to use a pre-existing oracle service or build your own. \n\nFor example, if your project uses external pricing data, that information can be fed into your smart contract through an oracle. In the Scoping form, this information is necessary to determine the scope of review for your project's smart contracts. \n\nDo note that the term \"in scope\" refers to the elements that should be audited, and \"out of scope\" means they do not need to be audited. You can find specific examples of outlining the code to be audited [here](https://github.com/code-423n4/2022-07-golom#scope). 
\n\nIf you have further questions about the scope for a contest regarding oracles or any other components, these can be addressed to the respective sponsor via their contest channel or DM. \n\nKeep in mind, the final decision on whether a certain component is in or out of scope, like a contract that's in scope but its impact affects an out-of-scope contract, is typically up to the judge.", "Question: How does CodeArena's reward distribution system work for teams and where can I find more detailed information about it?\n\nAnswer: CodeArena incentivizes both individual and team participation in contests to find and report issues in smart contracts. The reward system works in such a way that if a team identifies a non-duplicate issue, they receive more rewards than if the same finding was submitted individually. An individual team is responsible for dividing the reward among its members as they see fit. \n\nIn the case of multiple people, including team members, identifying the same issue, the reward distribution can be calculated using a specific formula which can be found at [CodeArena's Incentive Model and Awards](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). In instances where multiple wardens find the same issue, the best report typically receives a larger portion of the reward, and duplicates below a certain threshold might not receive any money. Detailed explanation and guidelines for such cases are available at [Duplicity of Findings](https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit).\n\nWhen participating as a team, the entire prize money is sent to a single address and it is the responsibility of the team to distribute it amongst themselves. 
This distribution can be managed through multisig wallets or using a contract like OpenZeppelin's [PaymentSplitter](https://docs.openzeppelin.com/contracts/4.x/api/finance#PaymentSplitter).\n\nPlease refer to CodeArena's documentation on [Incentive Model and Awards](https://docs.code4rena.com/incentive-model-and-awards) for a complete breakdown of the reward distribution system and to better understand the incentive for team formation. There is also ongoing discussion about how to manage teams where not all members participate in the same contest and how to distribute rewards among these team members which can be followed [here](https://github.com/code-423n4/org/discussions/43).", "Question: How does the audit process work at CodeArena, especially considering the current state of the project, its deployment status, and the inclusion of initial stages like initializers in the scope of the audit?\n\nAnswer: At CodeArena, the audit process takes into account the current state of the project. This may include both projects that are deployed, and those that are not. The scope of the audit usually outlines the elements to be audited. While it may not always include vulnerabilities related to the deployment or initial stages like initializers, especially for already deployed code, it's always best to refer to the outlined scope provided for each project, usually specified in the README.md file of the GitHub repo. \n\nAn example of this can be found [here](https://github.com/code-423n4/2022-07-golom#scope), which clarifies that \"In scope\" equals \"to be audited\" and \"Out of scope\" equals \"do not audit\".\n\nIn instances where a vulnerability is found in an out-of-scope contract, this can be included in the C4 report as an unrewarded finding or the project can be directly messaged. 
Some auditors may automate the process of finding potential issues in the code or write new test cases to test the code in a testing environment, while others create their own tests or isolate parts of the code for testing if no testing environment is provided.\n\nAudits aim to identify vulnerabilities and ideally provide solutions or mitigations for them. Understanding the audit report requires an overall understanding of the codebase. The context, such as the deployment status of a project, is important in determining the severity of issues. For instance, discussions about upgradeable contracts and storage variables highlight this point. \n\nFinally, if a platform uses Code4Arena to audit their code and no critical or minor vulnerabilities are found, the cost is not pre-determined but handled on a case-by-case basis. That said, the primary goal of CodeArena is to assist in auditing smart contracts and ensuring their security.", "Question: Can you explain what the question about \"does it use an oracle?\" in the Scoping form means and how it relates to the auditing process?\n\nAnswer: The query about whether a contract uses an oracle in the Scoping form is to help us understand how external pricing data is incorporated into the project. An oracle is used to bring real-world data into a blockchain. The question helps us determine if the project utilizes a widely recognized oracle or if they've built a custom one. The use of an oracle, whether custom or widely-used, can have significant implications on the security and reliability of a smart contract, and therefore it is crucial to know this while conducting an audit. For oracle validations, considerations include checking for stale values and verifying the answer in the same roundid issue. Missing these validations could be deemed an issue during the audit. 
For a better understanding of the scope of an audit, check out this [link](https://github.com/code-423n4/2022-07-golom#scope) where 'In scope' equates to 'to be audited' and 'Out of scope' means 'do not audit'.", "Q: How are rewards allocated to a CodeArena team and how is it divided among the team members?\n \nA: The allocation and division of rewards within a CodeArena team are primarily managed by the team itself. When a team submits a finding or completes an audit, all rewards go to the team, being sent to a single address that the team has specified. The team is then responsible for dividing and distributing these funds among its members. The division can be determined based on the team's internal agreement or contribution to the finding. \n\nThe rewards are structured such that they are reduced semi-geometrically based on the number of people who find an issue independently. However, within a team, the reward is split evenly among the team members. That means if multiple members of the same team identify an issue, the reward is awarded once to the team, not to each individual member who made the finding. \n\nIt's important to note that all team members need to be certified by CodeArena to be eligible for a payout. Furthermore, individuals that are part of a team have the option to submit findings solo if they wish to do so. \n\nFor more details on the incentive model, reward distribution, and the rewarding formula, refer to the official CodeArena documentation at https://docs.code4rena.com/incentive-model-and-awards. For discussions on team management issues and reward distribution among team members, you can visit https://github.com/code-423n4/org/discussions/43.", "Question: How does the reward distribution work for teams versus individuals in the case where a finding is submitted by a team and an individual?\n\nAnswer: At CodeArena, we employ an incentive model that encourages both team and individual participation. 
If a team and an individual submit non-duplicate findings, the reward is divided 50/50 between the team and the individual. However, the team has the advantage of receiving a larger share than if the members had submitted the findings individually. The reward is reduced semi-geometrically based on the number of people who find an issue when they are separate, but within a team, the reward is split evenly between the members.\n\nThe reward for a finding reduces by approximately 10% for each duplicate submission, and the overall value of the bug is reduced and split based on how many people find it, irrespective of who found it first. For each unique High or Medium finding, the submission selected for inclusion in the audit report receives a 30% share bonus.\n\nA single payment is issued for each team finding, and it is the team's responsibility to distribute it amongst themselves. Teams have discretion over how to split their portion of a contest's reward amongst themselves. \n\nPlease note that if a person is part of a team, they can choose to submit solo findings whenever they want. The submission form allows members to select whether they're submitting as an individual or as a team member. Similarly, team members can make submissions on behalf of their teams and select either their solo handle or team handle for submitting a finding.\n\nMore details about the incentive model, including the rewarding formula and how the share bonus works, can be found at https://docs.code4rena.com/incentive-model-and-awards and https://docs.code4rena.com/roles/wardens.", "Question: \nHow can I get an invite to the C4 dinner or other private events?\n\nAnswer: \nInvitations to private events like the C4 dinner are offered to individuals who meet certain criteria. These typically include those who have had high severity findings on the leaderboard in the past year and have confirmed their attendance at specific events such as devconnect. 
These events often have limited capacity due to venue constraints. \n\nIf you meet the criteria and are interested in attending, you can direct message the C4 staff members or ask for support from the C4 website. For private contests such as the Party Protocol, certified contributors to C4 can gain access once they meet certain criteria, such as the number of findings and contest participations. More information about these invitational events can be found at https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef.\n\nFor future events that may require an RSVP, updates can be checked on the RSVP channels. The status of your request for backstage access will be notified to you once reviewed. Please note that the details of these events, including the invite criteria, are subject to change.", "Question: What is the process for viewing submissions and the status of these submissions after a contest has been judged on CodeArena?\n\nAnswer: Once a contest has been judged and concluded, the submissions can be reviewed once the final report is published, and the findings repository (repo) is made public. This report and repo provide insights on each submission, including those that were not rewarded, and the reasons behind their acceptance or rejection. The entire process after a contest concludes includes Sponsor Review, Judging, Awarding, and then Reporting. The evaluation of findings and reports begins immediately after the contest ends, however, these findings are only available publicly after the complete review process, which includes a sponsor review, final judging, and quality assurance. This process typically lasts at least a month. \n\nParticipants receive confirmation of their submissions by email. They can also check their report status and view their findings by visiting the \"Findings\" tab next to the contest description on the C4 Contest page. 
Currently, only certified wardens have the ability to view and comment on submitted issues immediately after a contest ends. Plans are in place to extend this privilege to certified contributors in the future. \n\nPlease note that all the findings submitted may not be included in the final report, and the specific reason might not be immediately known. Therefore, patience is advised until the reports are published to fully understand the results of your submissions.", "Question: How should I format and structure my report when submitting it in the Vulnerability details section of CodeArena?\n\nAnswer: In the Vulnerability details section, your report should be pasted in Markdown (.md) format. CodeArena's submission form supports Markdown, allowing you to add code blocks and improve the presentation of your report. An example of how to do this can be found [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks) .\n\nYou can also include screenshots in your report by copying the Github permalink and the lines of code for the affected code. If you've written a Proof of Concept (POC) script for a vulnerability, it's acceptable to include the link in the submission. However, it's suggested not to import screenshots but to paste any gas report directly.\n\nYour report should aim to include the issue, description, proof of concept (where necessary), and mitigation (where necessary). If mitigations are involved, you can use markdown to write the code in the report. While it is not strictly necessary to fill out the \"Recommended Mitigation Steps\", doing so can add value to your report.\n\nFor high/medium findings, only the GitHub permalink for the respective code block should be added in the \"Links to Affected Code\" section. Markdown can be added in the finding body.\n\nReports can be written using platforms like Github, Joplin, VSCode, Notion, etc. as long as the tool supports markdown. 
If a report is larger, you may consider submitting it by email and placing a placeholder in the original submission.\n\nRemember, the more clear and detailed your report is, the more valuable it will be.", "Q: What does \"Contracts in scope\" mean in the context of a CodeArena audit? Does it mean we have to review only these files listed and ignore anything else?\n\nA: \"Contracts in scope\" refers to the specific contracts or elements that should be audited during a CodeArena audit. These are the files that you should focus your review on. However, this does not always mean you should completely ignore 'out of scope' files. For example, if an 'in scope' contract inherits from an 'out of scope' contract, both should be audited. Moreover, if a vulnerability is found in an 'out of scope' contract that impacts an 'in scope' contract, it can still be reported and might be considered by the judge.\n\nThe scope of audit can vary for each contest and project. As such, you should always refer to the README.md file for each contest, which outlines what is in scope for auditing and what is not. An example of this can be found [here](https://github.com/code-423n4/2022-07-golom#scope). \n\nIt's important to remember that the scope of an audit takes into account the current state of the project and may not include vulnerabilities pertaining to deployment or early actions like initializers, especially for projects with already deployed code.\n\nWhen reviewing contracts, it's also beneficial to start with libraries and interfaces that have the least dependencies. Tools for comparing differences between contracts can also be helpful. While reviewing, keep in mind that the severity of issues is context-dependent. 
For instance, the context could alter the severity of an issue in the case of upgradeable contracts and storage variables.\n\nAdditionally, there was some uncertainty among users about whether audits should be conducted solely on the contracts or also on the script folders. There was also a question about SLOC (Source Lines of Code) and the numbers added for every contract. While these aspects aren't directly related to the concept of \"contracts in scope\", they do highlight the complexities and considerations involved in the audit process.", "Question: What is the process to register as an auditor, become certified, and start participating in both public and private audits at CodeArena?\n\nAnswer: To register as an auditor at CodeArena, first follow the instructions provided at https://docs.code4rena.com/roles/wardens. After completing the registration form, let us know in the #\ud83d\udc3ai-want-to-be-a-warden channel so we can process your application.\n\nBecoming a certified auditor involves participating in audit contests to meet the criteria for certification. More information on certification can be found at https://docs.code4rena.com/roles/certified-contributors. Once certified, you'll be able to join teams and participate in both public and private audits. \n\nFor public audits, no registration is needed. You can directly participate and contribute. \n\nHowever, private audits require certification and there might be additional conditions to meet, such as ranking on the leaderboard. For private audits - including invitational, restricted, and private audit contests - you need to complete the KYC process. Details about this process are available at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.\n\nRemember, more audits running simultaneously can increase your activity and chances to gain experience on the platform. 
If you're new to smart contract auditing, you can start learning from resources such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources.\n\nIt's worth noting that the time it takes to become certified can vary and currently, CodeArena doesn't offer a \"professional certified\" auditor status. If you're interested in running an audit contest for your company or have further inquiries about auditing projects, our booking team can assist with setting up audits.", "Question: What is the process and timeline for announcing contest awards and distributing payouts at CodeArena?\n\nAnswer: After a contest ends at CodeArena, reports are immediately reviewed and triaged by judges. They then await sponsor review, final judging, and Quality Assurance before being made public. The timeline for publishing contest results and announcing awards can vary, usually taking about 2 months, but it can range from 2 weeks to over 6 weeks depending on the time taken for judging. \n\nOnce awards are announced, the aim is to send out payouts between 1-2 weeks. Payouts are usually processed during a weekly Monday meeting and are performed manually in batches for multiple contests at a time. However, the process can take up to two weeks due to the need for double-checking at each step to ensure it\u2019s done correctly and securely. \n\nPlease note that changes to the award calculation process are currently being made, and there may be instances where rewards for a contest may not yet be paid out to participants. Once the contest payouts have been sent, the outcome cannot be changed. However, any overlooked issues can be flagged to the judge and sponsor. 
\n\nFor more detailed information on judging and payout timelines, please refer to the official documentation at https://docs.code4rena.com/structure/our-process.", "Question: How many audit projects does CodeArena typically handle in a month, and what is the process involved in these audits?\n\nAnswer: CodeArena typically handles between 8-20 audit projects per month, a rate of 2-5 audit projects per week. The number of projects may vary as we are continually working on enhancing our processes and tools to increase our capacity. We've recently added 1000 auditors to our platform, which should help us manage more projects effectively. \n\nAn audit project generally involves analyzing the current state of the smart contract to check for vulnerabilities. However, the scope may not include vulnerabilities related to deployment or early actions like initializers, especially for projects with deployed code. The turnaround time from audit competition to release of reports is approximately one month, although efforts are being made to reduce this timeline. \n\nAfter the audit, participants have 30 days to complete the process. The compilation of reports after an audit payout usually takes a few weeks, and it can take about 8 weeks for the judges to review the findings and create the leaderboard. \n\nPlease note that different projects require different audits, and some audits, especially those involving complex math, may require auditors with years of experience and extensive study. For larger projects, such as Maia with 12K Source Lines of Code (SLOC), the audit duration can be extended to as much as 5 weeks, as the project team is open to extending the duration. \n\nPlease visit our blog post at [https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan](https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan) to understand more about how to approach the auditing of big projects. If you have any inquiries about auditing projects, they can be made online. 
If you're interested in becoming a certified auditor or participating in private competitive audits, we encourage you to reach out to us for more information.", "Question: What is the status of LPT tokens and other awards like NFTX and Insure, and why might they be pending?\n\nAnswer: Both LPT tokens and NFTX awards are currently pending. This may also apply to Insure payments. While the specific reasons for these delays are not mentioned in the chat, it's common for rewards to remain pending after a contest has finished due to various internal processes or issues. Participants can expect updates on the LPT and Insure payments in the upcoming week. Please note that not all types of tokens are fee-on-transfer, meaning that the received amount might be less than the transferred amount due to a small fee removed from every transfer. For further information or concerns, you can submit a help request, especially if your KYC application has been pending for a considerable time. Please stay patient and continue to check for updates.", "Question: How can I update my Warden profile, including changing my avatar and adding a link, on the CodeArena website after I have registered?\n\nAnswer: After registering as a Warden on CodeArena, you can make changes to your profile, such as updating your avatar and adding links, by looking in the _data folder on the site repo and making a Pull Request (PR). If you encounter any issues or require assistance, you can submit a help desk request at https://code4rena.com/help. This includes requests for editing your profile picture, social media handles, and other profile details. \n\nHowever, please note that profile editing is currently only available to Wardens who were certified at the time profile editing was introduced. 
If you're a Certified Warden and want to be marked as \"Available for Hire\", this can be done via the profile editing screen.\n\nAlso, if you're interested in participating in a contest as a Warden or to access specific channels like the team-formation channel or the contest preview channel, ensure your Warden registration is fully completed. Once you have formed a team, you can register it at https://code4rena.com/register-team.\n\nFor more detailed guidelines on how to register as a Warden, update your account details such as changing the wallet attached to your account, or how to apply for the OG Warden status, you can visit https://docs.code4rena.com/roles/wardens.\n\nRemember, altering your username could potentially affect your account registration as a Warden, and any changes to your Discord name should be made on the Account Management page of your warden profile, while your Discord nickname should remain as your registered C4 username.", "Question: How can I propose to list the ARENA project on one of the top 40 exchanges?\n\nAnswer: The process of proposing to list the ARENA project on a top-ranking exchange is currently under consideration by the team at CodeArena. The $ARENA token exists, but it currently doesn't have significant volume that would make it eligible for listing on platforms like CoinGecko. \n\nHowever, you can engage more actively with the community and proposal processes by becoming a certified contributor or a warden at CodeArena. To do so, you can apply at [https://code4rena.com/certified-contributor-application](https://code4rena.com/certified-contributor-application) or register as a warden and submit your queries at [https://code4rena.com/help](https://code4rena.com/help). \n\nKeep in mind that you can also create an on-chain proposal if you have (or by delegating) 50k ARENA tokens. 
For more information about the $ARENA token and its role in governance, refer to the DAO constitution at [https://github.com/code-423n4/org/blob/main/CONSTITUTION.md](https://github.com/code-423n4/org/blob/main/CONSTITUTION.md).\n\nRemember to avoid phishing scams that involve suspicious links to purchase ARENA tokens, like from the site invst.icu. The authentic ARENA tokens can be obtained using the contract address 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222.\n\nFurther details about CodeArena's projects and contests can be found at [https://code4rena.com/contests](https://code4rena.com/contests). However, please note that the procedures for proposing to list a token on an exchange may vary depending on the exchange's specific regulations and requirements.", "Question: Where can beginners start learning about smart contract auditing and what resources are available to assist in this learning process?\n\nAnswer: There are several resources available for beginners interested in learning about smart contract auditing. Our website provides a comprehensive guide at https://docs.code4rena.com/roles/wardens/tools-and-resources. For visual learners, there are YouTube tutorials available such as https://www.youtube.com/watch?v=wCD3fOlsGc4 and OpenZeppelin webinars starting with https://youtu.be/6GaCt_lM_ak. You can also peruse informative blog posts like https://cmichel.io/how-to-become-a-smart-contract-auditor/. \n\nFor more hands-on learning, beginners can try bug bounty hunting on platforms like https://cryptozombies.io/ for Solidity and https://capturetheether.com/ for Capture the Flag challenges. Other similar platforms rewarding for auditing smart contracts include https://immunefi.com/, https://spearbit.com/, and https://hats.finance/. \n\nThere are also discussions about the use of fuzzing tools, application of machine learning, and graph neural networks for smart contract auditing. 
These can be advanced topics but can give a perspective on the range of techniques used in the field. \n\nMoreover, you can join our #\ud83c\udfebeducation channel on Discord for more focused discussions and learning about smart contract auditing. We also recommend reading old audit reports like those available at https://chainsecurity.com/audits/ to learn from past audits. \n\nIt's also important to note that understanding Solidity, the primary language for smart contracts, is crucial. There are also resources available to learn about the Solidity compiler. Furthermore, gaining knowledge in other areas like gas optimization, blockchain forensics analysis, and accounting in Solidity projects can be beneficial. \n\nRemember, becoming an auditor often involves a combination of guided learning, practice, and real-world experience. Happy auditing!", "Question: What is the recommended process for submitting QA and Gas reports if they do not fit in the submit request form?\n\nAnswer: If your Quality Assurance (QA) or Gas report doesn't fit in the submit request form, it's recommended to split each into separate sends. You should ideally consolidate all issues into one large QA report and one large Gas report for each contest. However, if a report exceeds the character limit imposed by Github (~65k characters) for issue descriptions, you can submit a placeholder in the form and send the full report via email to submissions@code423n4.com. \n\nIn terms of the content of the report, high, medium, and low severity findings should be submitted as separate issues. Also, remember that the judges consider both the quantity and quality of submissions when grading QA reports, and a single item in a QA submission is unlikely to receive a high grade. 
\n\nFor more details, you can refer to the following links: \n- [QA/Gas report FAQ](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form)\n- [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n- [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n- [Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#report-format) \n\nRemember, if you're uncertain about whether to submit findings as separate issues or as one, it's best to lean towards submitting separate issues for findings of different severity.", "Question: What should I expect after submitting an audit report, and what can I do if I experience issues with my submission?\n\nAnswer: After you submit your audit report to CodeArena, our team receives a special alert and we will promptly reach out to you to confirm receipt. Typically, you should receive an email confirmation from submissions@code423n4.com within a few minutes of your submission. This email serves as the only confirmation that your report has been received.\n\nHowever, there may be delays in receiving this email due to high volume of submissions or other intermittent issues. If you do not receive a confirmation email, we recommend checking your spam folder, as some users have reported our emails being flagged as spam. If you're still unable to find the confirmation email or you encounter errors during your submission, it may be due to issues with our API or there might be a size limit on the report you're trying to submit.\n\nIn this case, we suggest the method of submitting larger reports by email and then placing a placeholder in the original submission. If you're concerned about the quantity or quality of your submissions, please note that we may penalize for too many unsatisfactory submissions. 
Therefore, it's important to ensure the quality of each submission and adhere to our submission rules. \n\nIn case you have any inquiries about submission rules or if you're unsure whether to submit something, please contact us directly instead of reaching out to judges. After a contest, we understand that you may want to view all submissions, but currently, we have no provision for that. One final thing to note is that due to high participation and numerous submissions to review, some audit reports, like the one for the Yaxis project, may take longer to be released.\n\nPlease note that we're continually working on improving our submission process, including considering adding the severity of bugs to the emails sent after issue submission. For any further queries or issues, feel free to reach out to us.", "Question: How does the email submission process work for reports at CodeArena and what should I expect after submitting my findings?\n\nAnswer: You can submit reports via email for larger findings that exceed the character limit on the submission form. After submitting your findings, you should expect an email confirmation within a few minutes. This email serves as the primary confirmation of your submission. Even if your issue is uncertain or you're waiting for warden verification, you're encouraged to submit it. \n\nIf there are issues with the email confirmation, you may want to check your spam folder. In case of delays, remember that it sometimes takes time for the submission to be confirmed via email, but if a submission fails, the form should return an error. \n\nFor submissions via email, use submissions@code423n4.com. Upon successful submission, you will receive an email confirmation from this address. However, note that the email confirmation will not include the Ethereum address you provided. \n\nIt is also acceptable to submit a placeholder in the original form and send a detailed report via email. 
You can find more details on this option [here](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form). \n\nReports submitted can be found in your email. If you're unsure about a certain finding, you can reach out to the sponsor team directly for additional context or submit it anyway. \n\nThere's also a suggestion to allow the ability to respond to the submission confirmation email, with the reply added as a comment to the GitHub issue. However, this is not yet a confirmed feature. \n\nFinally, if you're unsure if findings should be submitted as separate issues or as one, it's unclear which way to lean, so you may need to use your discretion or reach out to the CodeArena team for guidance.\n\nEmail submissions to CodeArena receive a special alert and the team will reach out to confirm receipt. In case of any uncertainties, don't hesitate to contact CodeArena for clarification.", "Q: How does the submission and confirmation process work at CodeArena, and what should I expect when I submit my audit report via email?\n\nA: When you submit your findings or audit reports to CodeArena via email at submissions@code423n4.com, our team receives a special alert. You can expect to receive a confirmation email from us regarding your submission. However, there might be slight delays in receiving the confirmation email due to the volume of submissions we handle. If you don't receive a confirmation within a reasonable time, we recommend checking your spam folder. \n\nWhether your submission is valid or not, you should still receive an email about your submission. If you're unsure about what to submit or have queries about the rules, you should not contact the judges directly. Instead, please refer to our official documentation or reach out to our support team at submissions@code423n4.com. 
\n\nTo accommodate larger reports, you may submit by email and then place a placeholder in the original submission. If you encounter errors or issues during the submission process, possibly due to size limits or API limitations, or if you're using a mobile device, you can also write to us at submissions@code423n4.com for assistance. \n\nPlease bear in mind that submitting the same item separately can decrease the overall value of your submissions. Also, remember that excessive unsatisfactory submissions can lead to penalties. You can check the reports you've submitted during the competition and they should be available for review without modifications. \n\nFinally, we have a policy of accepting only the first or last entry that a person or team sends prior to the contest end time. We're also planning to implement a countdown timer to ensure participants do not miss the submission deadline. We're constantly working on improving our submission mechanism and hope to implement new features in upcoming contests. \n\nWe appreciate your participation and look forward to your valuable submissions.", "Q: How can I ensure my smart contract audit submission to CodeArena doesn't get lost and what should I expect after submission?\n \nA: To ensure your submission doesn't get lost, there are a few steps you can take:\n\n1. Submit your report via email to submissions@code423n4.com. If your report is large and exceeds the number of characters allowed in the submission form, you can submit a placeholder and then send the full report via email. More details about this can be found here: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form\n\n2. After submission, you should receive an email confirmation. Generally, the confirmation should arrive within a few minutes. However, there might be delays sometimes, so don't panic if you don't receive it immediately. 
It's also important to check your spam folder as some users have reported that their confirmation emails landed there.\n\n3. If there are issues with the email confirmation or you have any other queries, you can reach out to our helpdesk for assistance. If you're submitting via mobile and facing problems, feel free to send a request to submissions@code4rena.com for help.\n\n4. You can check the status of your submitted reports by visiting the C4 Contest page under the \"Findings\" tab. Here you can view all your submissions and their statuses.\n\n5. If you're participating in a contest, make sure you're aware of the submission deadline. We're considering implementing a countdown timer to help you with this.\n\n6. Regardless of whether a submitted issue is valid or not, you will receive an email confirmation. It may take some time for a submission to be confirmed, so don't worry if you don't receive a confirmation immediately.\n\nRemember, all participants are expected to receive a mail regarding their submission. If you don't receive one, reach out to us. We're here to help.", "Question: I have forgotten the rewards address I used to register as a warden. How can I find it and can I change it afterwards if needed?\n\nAnswer: If you have forgotten the rewards address used to register as a warden, you can find it in the data folder of a recent contest\u2019s findings repo on GitHub associated with your handle\u2019s submissions. \n\nIf you need to change the wallet address where you receive awards, you can find more information on how to do this at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards. Alternatively, you can update your wallet addresses used in a finding after it has been submitted and before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. 
\n\nIf you are still unable to find or remember your rewards address, you can submit a help request at https://code4rena.com/help for assistance. Please note that if you change your wallet address, rewards are sent to the wallet address on file at the time awards are calculated for an audit. \n\nFor any other queries related to warden registration, changing the wallet attached to the user account, and other FAQs, you can always refer to our troubleshooting section at https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting.", "Question: Why are the checks for my external PR on CodeArena failing and how can this be resolved?\n\nAnswer: Checks for external Pull Requests (PRs) may not fully run on the CodeArena platform. This could be due to a number of reasons such as issues with GitHub, discrepancies in the sum of rewards, or technical issues. To rectify this, an internal branch will be set up for the PR. Also, PRs need approval from a member of the CodeArena team before they can be merged. \n\nIn the past, GitHub has rejected submissions via the API, leading to failed submission. If you're encountering similar issues, ensure that you're logged into the same GitHub account provided for CodeArena. Sometimes, the PRs may be related to new team creations which might face issues with passing the checks as well. To better understand why a bug was not accepted and improve future submissions, you can refer to this process. \n\nFinally, it's worth noting that to update team information, a new PR needs to be created and approved by a member of the team. Once the PR is merged, you should be able to log in. If there's any uncertainty, you can always check the status of merged PRs here. 
\n\nFor more specific cases, you can refer to these instances:\n- Case 1: [Link](https://github.com/code-423n4/code423n4.com/pull/1584)\n- Case 2: [Link](https://github.com/code-423n4/code423n4.com/pull/1620)\n- Case 3: [Link](https://github.com/code-423n4/code423n4.com/pull/2353/files#diff-74910905ffc9d3c8f8510410dbaa9089f77209d36db0cf1368c1cb7e32e92473R13694-R13696)\n- Case 4: [Link](https://github.com/code-423n4/code423n4.com/pull/3592)\n\nBy following these guidelines, you should be able to navigate and resolve issues related to failing checks for your PRs on CodeArena.", "Question: Can you explain more about the duration and scheduling of CodeArena's contests?\n\nAnswer: Yes, CodeArena organises a variety of contests that vary in length. While most of the contests are a week-long, there are instances where contests can last up to 13 days, or even be extended to 4 weeks given the complexity and size of the project, such as in the case of a contest involving over 12k sloc. We try our best to run contests each week, with many more expected to take place in the coming month. For instance, we have two contests lined up for next week. \n\nHowever, it is important to note that there can be gaps in the schedule for live contests, or breaks lasting for a few days. We've also discussed the possibility of running multiple contests simultaneously, with a desire to handle up to 20 contests a week, and the specific order of these contests typically represents the contest progression. \n\nHistorically, the Nouns DAO contest ran from July 3-13, while the OpenSea contest lasted until June 3. There are also upcoming contests that might not have been updated on specific channels yet. We would recommend staying updated with our contest schedule to ensure you don't miss out on any opportunities. \n\nJudging of contests may take a lengthy time period, with factors beyond the judge's control contributing to delays. 
For example, the results of a contest generally take about 2 months to be announced. Also, there are inquiries about viewing all submissions after a contest, which we are considering. \n\nPlease note that our leaderboard is under consideration to be changed from tracking the last number of days to the last number of contests. This is due to concerns that the leaderboard might not accurately reflect a user's accomplishments, with contest results potentially not being counted for the full duration. \n\nFor specific information about a particular contest, such as the \"steakhouse contest\" or the BASE contest, we encourage you to read the relevant posts for more information.", "Q: I'm having issues with team creation in CodeArena, specifically with passing the checks for a PR. What should I do?\nA: Don't worry if your team creation PR does not pass the checks immediately. It's a common issue that new teams on CodeArena face. The PR approval needs to be done by a member of the C4 team before it can be merged. However, sometimes checks don't fully run for external PRs on the CodeArena platform. \n\nShould you experience any technical issues like a blank page opening when selecting members for your team, it might help to try again on a different day. Also, if you wish to add a new member to the team, you might need to create a new PR to update the team information. Here is a [link](https://github.com/code-423n4/code423n4.com/pull/3592) to a PR for a team information update for reference.\n\nAfter your PR is merged, your team will be able to submit findings as a team. When submitting issues, remember to use the team handle. There have been instances in the past where an issue with the team creation process was resolved and merged. Here is a [link](https://github.com/code-423n4/code423n4.com/pull/1620) to an example. 
\n\nIt's noteworthy to mention that managing the same team name but with different team members working on different contests at the same time or different times can be challenging. Discussions are ongoing about how to manage teams where not all members participate in the same contest and how to distribute rewards among team members who contributed. You can follow the relevant discussion [here](https://github.com/code-423n4/org/discussions/43).\n\nTeam changes, such as adding or removing members, are possible. If you need to modify your team, you can do so by submitting a request through the help desk. If you wish to change your team name, a similar process would apply. \n\nRemember, the key is patience and communication. Feel free to reach out on the Discord channel if you need further assistance or clarification.", "Question: Our smart contracts are still under development, but we want to secure an audit with CodeArena. Should we initiate the process now or wait until our contracts are fully developed? What does the process entail and how does it affect incomplete contracts?\n\nAnswer: It is highly recommended to start the audit process with CodeArena even if your contracts are not yet fully developed. This allows our team to schedule your audit and initiate the promotional activities. It also gives our artists and contest administrators ample time to prepare. \n\nAn audit takes into account the current state of your project, regardless of whether the contracts are completed or not. Depending on the state of your contracts, the scope of the audit may or may not include vulnerabilities pertaining to deployment or initial actions like initializers. \n\nEven if your contracts are incomplete, you can still engage in a private audit after confirmation from provenance. If your contracts are already deployed, they are considered as they are during the audit process. 
If your contracts are to be deployed after the audit, note that any projects in audit contests are yet to be deployed.\n\nRemember, the process of confirming an audit includes several steps: finalizing details, scheduling the audit event or contest, and confirming sponsorship. This process can take anywhere from 2 weeks to over 6 weeks, including stages of contest finish, sponsor reviews, judging, awarding, and report publication. You'll also want to keep in mind that if a team wins an audit but cannot claim the prize due to KYC issues, there is a risk that the reward may be held or even lost.\n\nFor those interested in running an audit contest for their contracts, we are open to discussions about pricing and operational details. You can find more information and get in touch with us via our website [link to CodeArena website].\n\nTrust in the sponsors is crucial for the audit process. We take potential conflict of interest scenarios very seriously. For example, we ensure that sponsors do not have access to the findings repo before the contest ends.\n\nLastly, for those seeking help on gas optimization and other technical details, we encourage asking questions about findings of past projects. We also offer resources to help you prepare for contract audits, and encourage you to take part in private competitive audits. However, to do so, you must first become certified.", "Q: When and how are the findings from CodeArena audits released to the public?\n\nA: The findings from CodeArena audits, held in repositories ending in the suffix -findings, become public after the final report is published. The reason for this is to provide sponsors with the time to act on the feedback they have been given. The exact timing of the report publication varies and is not specified. These reports, which include both valid and invalid issues, are published on the CodeArena website, sorted by publication date. They can be accessed through https://code4rena.com/reports. 
\n\nEach report also includes a link to the findings repository on the CodeArena GitHub page, where you can find more in-depth discussions on the issues. Backstage access to the findings repo can also be granted when a contest ends, although this service is currently suspended. After reports are published, the findings repo becomes open for public discussion. \n\nBefore becoming public, sponsors are given access to the findings repo either immediately after the contest ends or one week after, with triaged and deduped issues. All the findings from past submissions can be found on the CodeArena GitHub, a sample one being https://github.com/code-423n4/2022-04-backed-findings. \n\nThe findings from the CodeArena competitions are derived from a methodology that aims to find more bugs faster. The results of the contests, including the findings and awards, are posted on the CodeArena website after the entire process is complete. The participants in the competitions can also name their findings with a number to aid the judges. \n\nFor a more comprehensive look at the findings, you can refer to the findings.csv file at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv, which includes all rewards based on each finding. Further insights can be obtained by comparing your findings with the winning reports. \n\nPlease note that there may be some variation in the release of findings and reports as these are subject to the agreements between CodeArena and the sponsors of the contests.", "Q: How does the process of making the findings repositories public work at CodeArena, and how often are these repositories released to the public? \n\nA: CodeArena hosts analysis findings from its contests in repositories ending with the suffix -findings, like this one: https://github.com/code-423n4/2022-04-backed-findings. These repositories are initially kept private to allow sponsors time to mitigate the issues and clear the reports for publication. 
At this stage, sponsors are given access to these findings, either after the contest is over or one week after with triaged and deduped issues. Once the final report is available and sponsors have acted on the feedback, the findings repositories are made public. The exact timing for this transition varies and is not specified. \n\nYou can find all public findings repositories on the CodeArena GitHub: https://github.com/code-423n4 and links to each findings repo in the corresponding report on the C4 website: https://github.com/code-423n4. You can also access findings from previous competitions, both findings and awards, on CodeArena's website, and specific reports are available at https://code4rena.com/reports. \n\nFor each contest, the Readme Page includes a \"Known Findings\" section listing automated findings not accepted in the contests. For more insight into how findings are scored, you can refer to the scoring breakdowns for past contests in the #\ud83d\udce2announcements channel, on each contest page of the CodeArena website, or at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv. \n\nDo note that, while the audit is still open, findings submitted for CodeArena contests can be edited.", "Q: How can I form or join a team on CodeArena's discord channel?\nA: You can look for teammates in the #\u26bdteam-formation channel on the CodeArena Discord platform. This provides a space for new wardens (participants) to team up and collaborate. Before accessing this channel, you need to first register as a warden on CodeArena. \n\nOnce you've found your team, you can create one at [code4rena.com/register-team](https://code4rena.com/register-team). If you face any issues while adding members to your team, you can ask for help or clarify the process in the specific discord channel. \n\nRemember, each contest has its own channel where you can ask general questions and Direct Message (DM) sponsor team members for help. 
Once you have joined a team, you are not obliged to always participate as a team. \n\nDiscussions about managing teams, participating in different contests, and distributing rewards among team members are ongoing in CodeArena community. You can contribute to these discussions [here](https://github.com/code-423n4/org/discussions/43). \n\nFor latest updates on upcoming contests, you may need to check the specific contest channels as they might not be updated immediately. Keep an eye on the leaderboard at [https://code423n4.com/leaderboard/](https://code423n4.com/leaderboard/) to see how teams are performing.", "Question: What's the most efficient way to create new instances in terms of gas usage - using 'storage', 'memory', or 'calldata'? Can you also explain the implications on the use of 'storage' or 'calldata' in the view function as well as the handling of arrays and immutable variables?\n\nAnswer: Depending on the situation, 'storage', 'memory' or 'calldata' may be the most gas-efficient way to create new instances. \n\n'Storage' should be used when you want to read a struct from storage, perform some calculations on it, and then update it with a new value. Caching a storage pointer can save gas as it avoids re-computing the position. Moreover, Solidity stores state variables in 32 byte storage slots, and packing variables into fewer slots can reduce gas costs. More about this can be read at this [link](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html). \n\nOn the other hand, 'memory' is temporary and can be used for variables that don't need to persist throughout the lifetime of the program. \n\n'Calldata' is a special data location that is used for function arguments. 
It's particularly useful for read-only arrays as they don't need to be iterated and copied into memory, which can be cheaper.\n\nIn terms of using 'storage' or 'calldata' in a view function, it would depend on whether the function needs to modify the state or just read from it.\n\nWhen it comes to arrays, they are stored differently in storage than individual elements and do not take up just one slot. \n\nAs for immutable state variables, they are read-only state variables and can be cheaper than constants in certain cases. Immutable vs constant have no difference in cost nor in bytecode, but minor differences can occur, as seen in this [example](https://github.com/code-423n4/2021-11-overlay-findings/issues/111). \n\nIt's important to note that different solutions may be more or less gas-efficient depending on the specific smart contract and the expected usage patterns. Therefore, it's recommended to always audit your smart contracts to ensure they are efficient and secure.", "Question: Can you provide guidance on how to effectively use 'storage' and 'memory' when creating new instances in smart contracts for optimal gas usage?\n\nAnswer: The choice between 'storage' and 'memory' in smart contracts is largely dependent on the specific requirements of your contract and its functions. \n\n'Storage' in Ethereum refers to the persistent storage that exists between function calls and transactions. In the context of smart contracts, 'storage' is used to store state variables, which persist across transactions. For example, if you're creating a new object and intend to store its details for the duration of the smart contract's life on the blockchain, you would use 'storage'. However, storing variables in 'storage' can be more expensive in terms of gas costs compared to 'memory'.\n\n'Memory', on the other hand, is a temporary place to store data. It's erased between (external) function calls and is cheaper to use than storage. 
If you need a temporary variable that won't be saved to the contract's state, you should use 'memory'. \n\nWhen optimizing your contract, consider caching a storage pointer, as it can be cheaper by avoiding re-computing the position. Also, consider the layout of your storage. Solidity stores state variables in 32 bytes storage slots, and packing variables into fewer slots can reduce gas costs. You can potentially pack multiple variables into a single slot if they are declared next to each other. More detail about this can be read at the Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).\n\nThe choice between 'storage' and 'calldata' in an issue is also dependent on their costs. Using 'calldata' for read-only arrays is cheaper because they don't need to be iterated and copied into 'memory'. \n\nIn terms of arrays, they do not simply take up one slot in storage but are stored differently than individual elements.\n\nRemember to review your contract for any potential issues. For example, if you're dealing with upgradeable contracts, be aware of potential issues with storage variables. \n\nI hope this gives you a good starting point on how to use 'storage' and 'memory' effectively for creating new instances in smart contracts. Depending on your contract's requirements and the Ethereum Virtual Machine's (EVM) specifics, the appropriate strategy may vary.", "Question: How can you optimally access and manipulate a storage variable within a function without explicitly altering the underlying data at a protocol level?\n\nAnswer: If your intent is to read a struct from storage and perform some manipulations without altering the data, using 'storage' is typically preferable. 
However, the choice between using 'storage' or 'memory' depends on your specific use case, so it is recommended to conduct tests to determine the most efficient option.\n\nThe use of 'storage' or 'calldata' can greatly impact costs due to their different characteristics. Caching a storage pointer, for example, can be cheaper because it avoids re-computing the storage position. On the other hand, using 'calldata' for read-only arrays is cheaper as they don't need to be iterated and copied into memory.\n\nWhen dealing with variables in storage, it is essential to understand how Solidity manages state variables. Solidity stores state variables in 32 bytes storage slots. Further, multiple variables can potentially be packed into a single slot if they are declared next to each other, reducing gas costs. You can read more about this in the Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).\n\nFor public storage variables, functions are automatically generated. However, constants and immutables aren't stored in storage. You can get more insights about state variable visibility [here](https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility).\n\nLastly, remember that arrays in storage behave differently than individual elements - they do not occupy a single slot. This can impact the gas cost and function performance. In the case of accessing state variables from a different contract, you would need to call the specific instance of the contract being queried.\n\nIn summary, the choice between 'storage' and 'memory' depends on your specific needs and the nature of the data. 
It's always beneficial to understand the underlying mechanics of Solidity's storage system and how it impacts gas costs and performance.", "Question: How can I change my profile settings, including my handle, on my CodeArena (C4) account?\n\nAnswer: While it's currently tricky to change your handle on CodeArena as the handle is tied to all your findings, leaderboard standings, and submissions, there are some anticipated changes in the future that will make this process easier. However, any previous leaderboard standings and submissions under your old handle will not be transferred to your new account.\n\nIn the meantime, it's possible to make certain changes to your account. You can change your wallet address, payment addresses, and Login Address on your C4 account screen at https://code4rena.com/account. You can also update your Twitter username, Discord username, and C4 profile photo by submitting a help desk request at https://code4rena.com/help. Just include the necessary details in the request and the support team will take care of your request. Additionally, to change a link with your username in the leaderboard/contest results, you can create a help desk request at the same link.\n\nFurthermore, there are ongoing discussions and plans to enable users to use the same handle with different wallets in a single contest. For any other help, concerns or issues, feel free to reach out to C4 staff members directly or submit your issue using the C4 form.", "Question: How can I modify my profile information like handles, avatars, Twitter links, etc., on CodeArena?\n\nAnswer: Currently, the handle (username) on CodeArena is immutable and cannot be directly changed due to its crucial role as a unique identifier for findings and contest results. This might lead to complications with past or ongoing contests. However, system improvements are being anticipated that may allow handle changes in the future.\n\nIn the meantime, there are other profile modifications possible. 
You can associate your Twitter handle and change your avatar with your CodeArena profile by submitting a help desk request at https://code4rena.com/help. If you wish to include a link to your leaderboard/contest results or change your team name, you can also create a help desk request at the same link. \n\nTo change the wallet address connected with your CodeArena account, you can follow the procedure detailed at: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address. If your Discord username changes, you may also want to update it in CodeArena. \n\nRegarding team modifications, teams can make changes to their membership by opening a help desk request at https://code4rena.com/help. \n\nFor any other changes to your CodeArena profile, such as changing your profile picture, creating a help desk request remains the most effective method. Keep in mind that when changing any user information, it is always advisable to be cautious as it may impact your identity and interactions on the platform.", "Question: What is the procedure for submitting a Proof of Concept (POC) script for a vulnerability in the smart contract audits?\n\nAnswer: If you've written a Proof of Concept (POC) script for a vulnerability, it can be included in your submission where it's relevant. You can add the link to the script directly in your submission or, if the PoC is too large to embed directly in the issue, you can provide a link to the PoC hosted on an external platform such as Github or Gist. \n\nFor instructions on how to share your vulnerability discovery PoCs, you can follow the guidelines provided [here](https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc) and [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept). \n\nKeep in mind that it's recommended to always provide a PoC, especially for medium severity bugs. 
If you can't provide a PoC, your finding might be disregarded unless the bug is extremely obvious. Providing a PoC not only helps in demonstrating the vulnerability but also increases the chances of your report being selected, which comes with a 30% bonus.\n\nA PoC can be written in any language and may include test code, screenshots, logs, or any other relevant proof that illustrates the concept. Examples of how to present a PoC can be found at [here](https://github.com/code-423n4/2022-12-caviar-findings/issues/376). Remember, the best reports focus on one specific attack or issue and provide a clear, easy-to-understand PoC. If two separate vulnerabilities can be combined to create a more powerful one, you can submit a third finding explaining the PoC. \n\nWhen submitting a medium or high-risk vulnerability, it's advantageous to include test codes as part of your PoC. If your PoC involves a precision-loss issue, ensure it is supported by a PoC to bolster your submission.", "Question: Can I report issues related to input checks from governance variables, and how does CodeArena handle such reports?\n\nAnswer: CodeArena has specific guidelines regarding the reporting of issues related to input checks from governance variables. As per the guidelines, you cannot submit assumptions such as 'the owner may be compromised' or 'centralized'. The reason is that all the methods with onlyowner/onlygovernance modifiers come strictly through trusted bodies. \n\nThis means that any constraints on admin 'setter' functions for state variables can only be considered a low or medium finding. Also, CodeArena currently does not have a bug bounty award for reporting issues in its DAO governance or web application.\n\nWhile there is no direct incentive for reporting QA type of submissions, sponsors are primarily interested in high/medium/low severity vulnerabilities and gas optimizations. \n\nKnown issues should be excluded from gas reports. 
If multiple people report the same vulnerability, the handling process might be different. \n\nFrequently, the severity of issues like an attack made by governance varies and depends on the judge's discretion, because governance is usually assumed to be a trusted party. The severity categorization can be important when considering the changes in state variables in smart contracts, and the context in which they are used is critical.\n\nFinally, while you can post a Notion link for the analysis report during the submission process, you cannot currently send in updates to your analyses as highlighted in the Guidelines and FAQ at [https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118) and there are discussions about potentially implementing this feature.\n\nRemember, until the report goes live, the issues found cannot be seen by the participants and public discussions should not occur until reports are published.", "Q: I'm confused about the prize pool for bunker.finance audit contest, why does the website show it's $50k whereas the RSVP says it's $30k? \n\nA: Apologies for the confusion. The initial prize amount for the bunker.finance audit contest was $30k, however, the scope ended up being slightly larger than originally anticipated, leading to an increase in the prize pool to $50k. This is not unprecedented, as we've had similar changes in the past. For instance, there was a discrepancy in the bounty for the Cally contest between the RSVP channel and C4, but the information was updated later. Please note that all contest details including prize pool are subject to change depending on the scope of the project and the sponsorship. For more accurate and updated information on our contests, always refer to our website: [https://code4rena.com](https://code4rena.com). 
We appreciate your understanding and participation in our contests.", "Question: I think I may have found a potential vulnerability in one of the contracts from an ongoing audit. Can I directly message somebody about it to verify if it is exploitable? \n\nAnswer: Yes, you can message the project team directly about a potential vulnerability. However, it's important that you have a clear explanation of the exploit path. Simply finding an external function with transfer of ERC20 tokens without reentrancy protection, for example, may not be sufficient unless there is a clear explanation of the exploit path. Findings like these may not be eligible for a medium or high categorization and could be downgraded to QA without a clear exploit path. \n\nFor vulnerabilities that are found in out-of-scope contracts, you can include them in the C4 report as an unrewarded finding or directly message the project. If the vulnerability affects the main contract, it should be reported regardless of whether it was found in an out-of-scope contract. If you have confirmed a potential vulnerability with the sponsor via private DMs, it may still count when submitting it, depending on the judgement. \n\nThere are several tools you can use to find vulnerabilities and bugs in smart contracts, including automated tools and fuzzing tools. One such tool is https://app.metatrust.io/project, which can detect price manipulation vulnerabilities. The use of these tools should be supplemented with manual review, as automated tools may report false positives. \n\nFor those new to smart contract auditing, there are a variety of resources available to help you learn, including a YouTube video on how to audit smart contracts. In addition, CodeArena runs audit contests for contracts, which is a great way to practice your skills. \n\nIt's important to remember that auditing is not just about finding vulnerabilities, but also about understanding the potential risks and impacts of those vulnerabilities. 
For instance, a middle vulnerability like a missing zero address check can lead to loss of funds. A detailed explanation of such a vulnerability can be found here: https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address. \n\nLastly, if you identify a vulnerability that is reported by multiple people, it is handled on a first-come, first-serve basis. Therefore, it is crucial to report any findings as soon as possible.", "Question: What should I do if I find a potential vulnerability in an out-of-scope contract, and how are these vulnerabilities judged within CodeArena?\n\nAnswer: At CodeArena, we encourage you to report any potential vulnerability you discover, regardless of whether it's in scope or not. All reports should be well-articulated, with clear reasons as to why you believe a certain aspect poses a potential risk. You can submit your report via this link: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/docs. \n\nPlease note that while project owners are unable to see the findings as they're reported, they may take action when funds are at risk on the mainnet. In such cases, users are advised to reach out to our staff via a help request. \n\nRest assured, all reports are reviewed with utmost fairness, and any potential unethical behavior by sponsors, such as exploiting early access to vulnerability submissions, is taken very seriously. \n\nIt's key to remember that even if a contract is out of scope, a vulnerability can still be brought into scope by a judge based on the potential risk it poses. For instance, centralization risks, potential scams, and cases where users could lose funds due to admin involvement are considered high-risk and should definitely be reported. 
\n\nIn situations where the same vulnerability is reported by multiple people or when two people from the same team find the same issue and submit it with different wallets, we have provisions in place to handle and appropriately reward discoveries. \n\nWhile we advise against making assumptions, such as the possibility of a contract owner being compromised, it is crucial to consider the impact of any misbehavior by the contract owner during your review. \n\nLastly, it's worth noting that CodeArena's process is similar to that of a bug bounty platform, where prize pools and fees are defined upfront. There are separate pools for different reports, and the reward for each pool will be announced to distinguish between them.", "Q: How do I submit, edit, and follow-up on my findings in the CodeArena smart contract auditing contests?\n\nA: After clicking \"CREATE ISSUE\" in the \"SUBMIT FINDING\" section, your filled form data is transformed into a submission that is sent to the findings repository for the specific contest. This submission will be evaluated by judges after the contest concludes. \n\nYou can provide additional details about the findings, such as Proof of Concept (PoC) by offering direct links to the referenced code on GitHub and adding relevant proofs like screenshots or logs. If you've created a PoC script, simply insert the link into the relevant section of the submission. For more guidance on how to include a PoC, visit https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.\n\nIf you want to submit additional findings after your initial submission, or if you need to update your submission, navigate to the contest page and click on the 'Your Findings' button. That's where you can edit your QA issue submissions. Remember, each finding should be submitted as a separate issue. \n\nAfter you submit your findings, you can expect follow-up on them. 
Feedback for your submitted findings can be found on the contest page under 'Your Findings'. Make sure to register your handle and ETH address to receive your share of the contest winnings. There is a field for the polygon address when submitting findings. \n\nYou can verify the success of your submission by looking out for a confirmation email and the ability to edit your submitted findings. If you encounter any issues with the submission process or have further queries, please reach out to the help desk. For a more detailed overview of the submission process and policies, refer to the submission guidelines at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Question: How can I submit, edit and manage my smart contract findings using CodeArena's platform?\n\nAnswer: You can submit your findings through CodeArena's platform by using the form provided on each individual contest page. The form accepts Markdown for formatting purposes and it allows you to create special fonts like big titles. \n\nTo submit an issue, click on the \"SUBMIT FINDING\" button, which turns your form data into a submission that goes into the findings repository for the given contest. It is later evaluated by judges after the contest ends. If your report exceeds the character limit, you can submit a placeholder and then send the detailed report by email. You can find additional details here: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form\n\nYou can edit your submitted findings by navigating to the contest page and clicking on the \"Your Findings\" button. For example, if you are participating in the Ethos Reserve contest, you would go to https://code4rena.com/contests/2023-02-ethos-reserve-contest and click \"Your Findings\" to edit your submission. 
\n\nIf you need to update a finding and are having issues, you can also make a helpdesk request with all the necessary information and the requested update before the contest ends. Participants can track their report status and edit their findings in the \"Findings\" tab next to the contest description. \n\nOnce a finding is submitted, you should receive a confirmation email. If you need to remove a submission, it can likely be found under an 'edit' button. Team members can also make submissions on behalf of their teams by selecting either their solo handle or team handle. \n\nIt's worth noting that findings submitted before the deadline are not publicly available. You can check your submission without modifying it. Please remember to always authenticate before submitting your findings.", "Question: What resources are available to learn Markdown for improving my report presentation, and how is Markdown utilized in CodeArena's platform?\n\nAnswer: Markdown is a lightweight markup language that you can use to add formatting elements to plaintext text documents. It is widely used in our platform for writing reports and issue submissions. \n\nIf you're new to Markdown, a good starting place is https://markdown-it.github.io/. This site will help you grasp the basics of Markdown and its syntax. \n\nIn CodeArena, Markdown is used to add code blocks in your reports, making them easier to read and understand. For a detailed guide on how to create and highlight code blocks, you can visit this page on GitHub: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.\n\nThe platform supports a variety of tools for writing reports including Github, Joplin, VSCode, Notion, among others. However, it is critical to ensure that your chosen tool supports Markdown. 
If your report involves mitigations, you can also use Markdown to include the code in the report.\n\nIn addition, Markdown allows you to embed images in your report. To do this, you can follow this guide on GitHub: https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images. \n\nInterestingly, the Markdown Renderer on our site might not be accurate, and it's suggested to view the code on Gist for better formatting. \n\nOverall, understanding and properly utilizing Markdown will greatly improve your report presentation on CodeArena.", "Question: How can I effectively submit and edit Quality Assurance (QA) reports for Code4rena smart contract audits, particularly when findings are of low or non-critical severity?\n\nAnswer: At Code4rena, we recommend that participants submit one consolidated report for Gas optimizations and one consolidated report for Quality Assurance (QA). For QA reports, you can include all your low/non-critical findings in one submission. These findings can be categorized sub-categorically into Low, Non Critical (NC), and Refactoring.\n\nIf you have additional findings after your initial report submission or need to correct an error, you have the option to edit your existing QA report until the audit deadline. You can do this by revising and resubmitting your report. Please note that incorrect findings in a QA report can affect the QA grade, so ensure accuracy in your reports.\n\nAlso, it's worth noting that the judges have the ability to upgrade or downgrade your findings based on their perceived severity. If a finding initially labeled as 'low' in your report is determined by the judges as 'medium', you might be eligible for medium rewards as per our Incentive Model and Awards guide.\n\nIf your QA or Gas report exceeds the character count for regular submissions, you can submit them via help tickets. 
For first-time users submitting a QA report, if you receive an error, you can confirm successful submission by checking the \"View Context\" function or your email for a confirmation message.\n\nKeep in mind that the results of submitted bugs for contests will be revealed once the report is made public. For a better understanding of what a high-quality submission looks like, you can review previous reports.\n\nFurther information about submitting QA reports and our judging criteria can be found in these guides: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). If you need further assistance, please fill out our help form at [https://code4rena.com/help](https://code4rena.com/help).", "Question: Are web applications included in the scope of the contests on CodeArena, and where can I find this information?\n\nAnswer: The scope of each contest, including whether web applications are included, is determined by the specific sponsors of the contests. You can find this information listed in the contest details on our website at https://code4rena.com/contests, as well as in the README.md file and the \"Known Findings\" section for each contest. If you have specific questions about the scope of a contest, we encourage you to directly reach out to the sponsor through their contest channel or via direct message. Please note that any findings you wish to submit for consideration in the contest must be submitted through the contest submission form on our website, even if you have previously discussed them with the sponsor.", "Question: What are the methods and strategies that a smart contract can use to refuse or manage the receipt of future ERC20 transfers?\n\nAnswer: Typically, a smart contract does not have the capability to know if someone has sent ERC20 tokens to it. 
This is different from ERC721 or ERC1155 tokens which have a recipient contract call onReceive, and can therefore be programmed to manage the receipt of these tokens. One workaround for ERC20 tokens could be to add a function to the smart contract for an emergency withdraw to get rid of unwanted tokens. \n\nIn terms of managing the receipt of different types of tokens, different approaches can be used. For instance, safeTransferFrom function can be used in the context of an ERC-777 token contract. Trading callbacks in solidity can also be activated by several methods, including safeTransferFrom, onERC721Received, onERC1155Received of ERC1155 and tokensReceived tokensToSend of ERC777. \n\nHowever, there are certain issues that need to be considered. For instance, depositing funds in an uninitialized contract might pose potential risks. It is also important to be aware of possible vulnerabilities in smart contracts, such as missing zero address check that can lead to loss of funds. More information about this can be found here: https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address.\n\nAnother important aspect to consider is the type of the token and its properties. Not all types of tokens are fee-on-transfer, but for those that are, they remove a small fee from every transfer. This means that the tokens received by the contract might be less than the transferred amount.\n\nLastly, it's crucial to understand and verify the contract status and the report findings. Automated tools can be used to verify if a contract has been initialized on the Ethereum mainnet. If you encounter any issues related to smart contract, it is advisable to report them based on your judgement. 
The categorization of severity related to state variable changes in smart contracts can also be questioned.\n\nPlease note that while these strategies might help manage the receipt of ERC20 tokens, they may not prevent unsolicited transfers completely.", "Question: How can I create and manage a team on CodeArena?\n\nAnswer: Creating and managing a team on CodeArena is possible. First, you can create a team at code4rena.com/register-team. To register a team, you should create a team handle. An example of creating a team handle can be found here: https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json. Further information about registering a team can be found at https://docs.code4rena.com/roles/wardens#registering-a-team. \n\nOnce you've created a team, you can add new team members to your existing team. However, you might encounter technical issues such as a blank page appearing when selecting members. If you face issues, you can submit a request through the help desk at: https://code4rena.com/help. A team request can also be submitted at https://github.com/code-423n4/code423n4.com/pull/28 to add the team. \n\nIf you need to modify your team or change your team name, you can do so by submitting a request through the help desk. Teams can also be modified by adding or removing members. \n\nOnce your team is approved, you can log in and submit findings as a team. Team members can make submissions on behalf of their teams, and they can select either their solo handle or team handle when submitting a finding. \n\nPlease note, the exact process of submitting issues as a team is not clearly outlined and you might need to seek further clarification. 
Also, creating a new team might require approval from the Code4Arena (C4) team.", "Question: Where and how can I address my questions and concerns related to recently closed contests, contest security issues, submissions, rewards distribution, eligibility for backstage roles, changes to leaderboard results, and other similar queries on Code4arena?\n\nAnswer: If you have any questions or concerns following a recently closed contest, about security issues, submissions--including errors, multiple submissions, or severity changes--reward distribution, eligibility for backstage roles, leaderboard results, or any other issues related to Code4arena contests, you are encouraged to submit a help desk request at https://code4rena.com/help. This system is designed to allow participants to report issues or concerns needing attention by contest administrators. \n\nIf you believe you've found a vulnerability during a contest and want to ask questions, we recommend reaching out to the sponsor team. However, to be eligible for awards, you must submit your findings via the contest submission form. \n\nFor inquiries about reward distribution, or if you are experiencing troubles with submitting your findings, you can email submissions@code4rena.com for assistance. \n\nIf you need to make changes to the leaderboard or your contest results, you can request these changes through the help desk. \n\nInformation relating to judging and prize distribution timelines post-contest can be found at https://docs.code4rena.com/structure/our-process. \n\nFor any backstage role eligibility checks or inquiries, feel free to open a help desk request. Specific questions regarding the scope of a contest can be directed to the respective sponsor. 
\n\nAlways remember to submit your help requests in case of any issues encountered while participating in contests on Code4arena.", "Question: How are rewards displayed on the 60-day leaderboard, and why are there instances where some rewards are not shown immediately after a contest has ended?\n\nAnswer: The 60-day leaderboard on CodeArena reflects the last 60 days of finalized rewards, counted from the day of the contest announcement. There may be instances where some rewards do not appear immediately due to various factors. Rewards distribution does not occur instantly upon the announcement of the reward. It may take some time due to the involvement of various sponsors and the time it takes to finalize the full public report of a contest. \n\nMoreover, points for the leaderboard may expire 60 days after the contest has ended. It's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project. The leaderboard gets updated every time awards are announced, however, not all contest types are currently supported, and there have been instances where rewards for a contest have not yet been paid out to participants. \n\nThere have been concerns that the leaderboard might not accurately reflect a user's accomplishments, with contest results potentially not being counted for the full duration. To address this, our development team is considering changing the leaderboard from tracking the last number of days to the last number of contests, which will be more accurate. \n\nLastly, users can change the default settings of the leaderboard to view results for a specific time period. Once a user has earned a reward and appears on the leaderboards, they can acquire the \"leaderboard\" discord role. Please note that there was an issue with a couple of items being double counted in the leaderboard, which was scheduled for an update later that day. 
\n\nYour understanding and patience as we continue working on improving the leaderboard system are highly appreciated. We are also considering potential improvements like having different timelines (all-time, last 3 months, etc.), adding badges for various achievements, and introducing leaderboard seasons. For more details, please follow this [link to our discord chatroom](http://example.com).", "Question: How does Code4rena handle the same vulnerabilities reported by multiple wardens, particularly in terms of severity assessment and reward distribution?\n\nAnswer: In Code4rena, when the same vulnerability is reported by multiple wardens, they each receive an equal share of the reward, regardless of who found the vulnerability first. In cases where wardens report the same vulnerability, but assign it different severity levels, a deduplication process occurs where each of the wardens is given the same severity for award calculation. This process is based on a subsequent review and judgement of the reported severity. \n\nWardens are encouraged to evaluate the severity of vulnerabilities based on the guidelines provided at https://code423n4.com/judging-criteria/. Even low and non-critical issues, if reported by multiple wardens, are grouped together as a single report and recognized in summary reports, such as the Olympus report. If a warden finds a high-severity bug in an automated report that was initially classified as low severity, this can be reported again during the contest and could be awarded with the higher severity. \n\nAdditionally, the level of detail in the submission, such as the inclusion of a Proof of Concept (PoC), and the comprehensive coverage of the issue can significantly influence the award amount. While wardens may be concerned about the potential misuse of disclosed vulnerabilities, trust between wardens and sponsors is a key aspect of Code4rena's operation. 
\n\nFor more details on the reward distribution and submission process, refer to https://docs.code4rena.com/incentive-model-and-awards and https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Question: How should I submit an issue that repeats in multiple files, and how does the severity of the issue affect the submission?\n\nAnswer: Your submission method typically depends on both the type and severity of the issues found. For gas-related and low/quality assurance findings, it's sufficient to submit all instances in one report. But, for medium and high-risk findings, each issue should be submitted individually. However, the same type of issues, such as a Reentrancy attack or similar gas optimization issues, can be reported together. If the root causes of high-risk findings are the same, they are usually counted as one. If you are unsure, refer to the official documentation [here](https://docs.code4rena.com/) for further guidance. \n\nRemember, judges appreciate when similar issues are grouped together and reports are expected to be specialized. For instance, QA findings and gas findings should be submitted separately. You can also submit more than one report in a contest if you're missing any items. If certain high-risk findings are not deemed as such in the specific contest, make sure to present your case to the judge as they have the final say. Also, if an issue identified in an automated finding can lead to a higher severity finding, it can be reported again during the contest. 
\n\nFor more detailed guidance on handling multiple occurrences of the same issue, you can check the discussion [here](https://github.com/code-423n4/org/issues/8).", "Question: How does CodeArena handle the reporting and rewarding of the same vulnerability by multiple wardens, taking into account the order of submission, severity, report detail, and duplicate submissions?\n\nAnswer: CodeArena has a comprehensive system for handling multiple reports of the same vulnerability. The company does not consider the order of submission for the reward allocation; whether a warden reported a vulnerability first or last will not affect the reward they receive. If multiple wardens report the same vulnerability, each will receive the same share of the reward. However, depending on how many wardens identify the same issue, each warden's share of the reward may decrease as the total reward for that issue is divided among them.\n\nIf wardens report the same vulnerability but with different severities, a deduplication process standardizes this, and they are all given the same severity for award calculation. This process takes place during the judging and the severity determination stages. \n\nAnother factor that can influence the award amount is the level of detail in the submission. For instance, submissions that include a Proof of Concept (PoC), or that cover the issue in as many aspects as possible, can potentially receive higher rewards. Similarly, if an issue identified in an automated finding could potentially cause a high severity problem, it could be reported again during the contest by a warden and could be considered for higher severity.\n\nIt's also important to note that while there may be financial incentives to report non-critical vulnerabilities, these are not typically considered for awards. However, they are still valuable as they can benefit the sponsor.\n\nRegarding duplicate submissions, CodeArena uses a sybil resistance mechanism. 
If two people submit the same issue using the same warden but different wallets, each person gets less than half of the reward. Each instance of a duplicate submission is awarded a share of one point, depending on the number of duplicates.\n\nIn case of any uncertainties related to the severity of a reported issue, wardens are advised to review the judging criteria and make a case for the chosen severity using relevant evidence. The judging criteria can be found at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk.\n\nTrust between wardens and sponsors is paramount, and CodeArena takes measures to ensure that disclosed vulnerabilities are not misused. Wardens who demonstrate integrity, and who have encountered at least one high severity bug and competed in at least three contests, can qualify for the certification, which allows them to see other submissions immediately after contests end.\n\nTo understand this process in more detail, you can refer to the following links: https://docs.code4rena.com/incentive-model-and-awards, https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit.", "Question: Should I submit similar issues together or separately during a smart contract audit?\n\nAnswer: Whether you should submit similar issues together or separately largely depends on the nature and root cause of these issues. If two different issues can be resolved by fixing the same thing and share the same root cause, these are typically considered as one issue. This also applies for multiple instances of the same vulnerability. Judges and sponsors generally appreciate when similar submission issues are grouped together. However, it's important to note that if fixing the root cause doesn't address both issues, you may want to consider submitting them separately. \n\nIn the case of different optimizations, it's recommended to report them as separate issues. 
This is because single issues will be judged as a single one. Also, if the same vulnerability appears in different components of the codebase, it might count as separate findings, though the final call rests with the judge. A single report with all occurrences of the same issue is acceptable when submitting findings. \n\nIf you find the same type of issue more than once, such as a Reentrancy attack or gas optimization of the same type, it's usually beneficial to report them together. However, if two separate vulnerabilities can be combined to create a more powerful one, you can submit a third finding explaining this combination. \n\nOn a final note, it's acceptable to submit a single report that combines all QA/gas report issues. \n\nFor more guidance on handling multiple occurrences of the same issue, you can refer to the discussion thread at https://github.com/code-423n4/org/issues/8 \n\nPlease note that the decision to submit issues separately or combined often involves a lot of nuances and is subject to the discretion of the judges. When in doubt, it's always helpful to seek clarifications in the chatroom or through the discussion thread.", "Question: Can I distribute a survey regarding auditing research here and how can I participate in auditing research, events or contests?\n\nAnswer: While we don't typically allow survey distribution directly on our platform, you might find it more effective to connect with individuals interested in your research on a one-to-one basis. Regarding participation in auditing research, projects, events or contests, there are several ways you can get involved at CodeArena. \n\nFirstly, you can join auditing contests, which are excellent opportunities to get a better understanding of audit reports and practice on real projects through reverse engineering and understanding old audit reports. Both individual and team participation are encouraged in these contests. 
If you're part of a team but wish to participate solo, please communicate this with your team directly to avoid any conflicts.\n\nSecondly, you can join the conversation around auditing projects online. You can ask questions, discuss findings of past projects or even share your thoughts about different methods to format arguments and function names in audit reports. \n\nNext, if you're interested in becoming a certified auditor, you can do so through multiple paths which include participating in contests and understanding old audit reports. The number of audits to participate in to have Activity Stream available on your profile is not specified, however, you can always reach out to the CodeArena team for clarity. \n\nLastly, if your company is interested in running an audit contest, please reach out to our booking team who can assist you with setting up the contest. This includes inquiries about pricing and operational details.\n\nPlease note that our platform primarily focuses on audits, though we do sometimes handle smart contract gigs as well. For more specific queries or to get started, please contact us directly or visit our website. [Insert Link]", "Question: How can I register and get started with Code4rena?\n\nAnswer: To register for Code4rena, navigate to https://code4rena.com and sign up using a username and password. If you are interested in more information about Code4rena and its teams, you can visit https://docs.code4rena.com/. \n\nOnce you are registered, you can apply to become a certified contributor at https://code4rena.com/certified-contributor-application to gain access to private contests. The approval process may involve completing KYC and becoming a certified warden, as per the guidelines mentioned in the Code4rena documents. If you encounter any issues during this process, or if you forget your registration wallet address, you can submit a help request at https://code4rena.com/help. 
\n\nIf you want to create a team, you can do so at https://code4rena.com/register-team. However, creating a new team might require approval from the Code4Arena (C4) team. If you encounter any issues, or need to make changes to your team's membership, you can open a help desk request at https://code4rena.com/help. \n\nUsers also have the option to bind their Twitter accounts to their Code4Arena profiles by submitting a help desk request at https://code4rena.com/help. \n\nKeep an eye out for upcoming contests listed on the Code4rena main page at https://code4rena.com.", "Question: How can I submit a report for the JPEG'd contest, and where can I find it once it's been announced?\n\nAnswer: The report submission for the JPEG'd contest, as well as other contests, should be done through our platform's Vulnerability details section in .md (markdown) format. You can include images or screenshots that help explain your proof of concept. To add an image, you can upload it to a free image hosting service like [Cloudinary](https://cloudinary.com/) or even to your Gist. After uploading, you can embed the image in your report using markdown.\n\nTo add code snippets with line numbers, you can create .orig files and use the 'git diff' command of the project folder. This could be a useful tool for displaying your findings.\n\nOnce your report is submitted, it will be reviewed and graded on a scale from 0 to 100, considering whether it shows unique findings and the clarity of its presentation. A combined report compiling all QA findings might be made, but the decision on which reports get featured in the client report is based on an internal process.\n\nOnce the reports are announced and made public, you will be able to find your submitted report in your email. In the meantime, you can check previous reports like the [ElasticDAO report](https://ipfs.io/ipfs/QmU7JQUCuciGJ9EVApWnPvBCy32eYQnREDFGsxoyDR6w3j) to get an idea of what a high-quality submission looks like. 
You can also visit the findings report repositories to understand why certain findings were or were not accepted. \n\nPlease note that certain reports, such as the one for JPEG'd, are not yet announced. Keep an eye on our platform for the announcement.", "Question: When will the audit report for CodeArena contests, such as JPEG'd, be made public?\n\nAnswer: The exact timeline for the public release of audit reports for CodeArena contests, including JPEG'd, is not predetermined as it relies on several factors. After a contest concludes, the submitted findings are reviewed and triaged by the judges. Following this, they await sponsor review, final judging, and Quality Assurance. Once these steps are complete, the report is prepared and the findings repository is made public. \n\nThe final say on the timing of the report publication rests with the sponsors, as they may need time to mitigate any issues identified during the audit. This process usually takes between 4 to 6 weeks but can sometimes be longer. It's advisable for participants to wait for the report to be published before discussing their submissions or specific findings publicly. \n\nIn addition, the public report page is updated mid-contest and findings submitted during the contest remain private until the report's publication. While CodeArena strives to expedite the report generation process, it is important to note that not all findings submitted for a contest may make it to the final report. Participants can view their submissions and the reasons for their rejection once the report is published. \n\nAs a participant, you are encouraged to keep an eye on your email for updates regarding the report's status. You can also inquire about the progress and schedule of final reports in the relevant CodeArena channels. Please note, the awards for a contest are typically announced after the report publication. 
\n\nFor more information on the reporting process, visit (relevant link).", "Question: How can I get my team's pull request accepted at CodeArena?\n\nAnswer: To have your team's pull request (PR) accepted, it needs to be submitted by a team member and then approved by a member of the C4 team. You can submit your team's PR at https://github.com/code-423n4/code423n4.com/pull/28. This will allow you to add your team and update your team information. In case you are adding new team members, you might face some issues that could be resolved by trying again or by submitting a help desk request at https://code4rena.com/help. If you want to submit an issue with multiple lines changed, you can send a git patch or a PR to the repo. Merged PRs can be seen at https://github.com/heiho1/code423n4.com/pulls. When reporting issues, ensure to add your team handles. You can also create your team handle by dropping a PR. If the analysis is accidentally submitted from a personal account, it is advised to re-submit it from the team's account and submit a help desk request at https://code4rena.com/help to withdraw the previous submission. Remember, merging your team's PR allows you to submit findings as a team.", "Question: When and where are the announcements for awards, contests, and findings made on CodeArena?\n\nAnswer: CodeArena makes its announcements in the #\ud83d\udce2announcements channel on Discord. Among these announcements are the results of contests, findings from paid contests, and awards distribution. Contest results generally take about 2 months to be announced after their conclusion. Once the results are announced, the awards for the contest are typically distributed between 1-2 weeks later. The process for this distribution includes signing the awards in a standing Monday meeting, after which they are processed and sent out. \n\nIn addition to contests and awards, the platform also announces updates regarding its procedures, such as sensitive disclosures. 
It's important to note that there has been a period of 24 days without announcements of rewards, but this varies. \n\nAs for audit findings, the timing of their public release can vary. It's stated that findings from already paid contests are made public when the report is posted in the #\ud83d\udce2announcements channel. \n\nFurthermore, when new public contests are confirmed, they will be posted in the #\u270brsvp channel. \n\nPlease keep an eye on the #\ud83d\udce2announcements channel for any updates and announcements from CodeArena.", "Question: I noticed a difference in the bounty amount for a contest on the C4 website and the #\u270brsvp channel on Discord. Which one is accurate and where should I rely on for the most up-to-date information?\n\nAnswer: The bounty amount or other contest details may vary between the C4 website and the #\u270brsvp channel on our Discord due to updates or changes made after the contest was initially booked. While we make an effort to update the Discord channel regularly, the most accurate and up-to-date information will always be on the C4 website [https://code4rena.com]. We've also added a note to the #\u270brsvp channel description indicating that contest details are subject to change. Therefore, for the most reliable information regarding contests, including bounty amounts, contest status, whether they are public or private, and any updates on bot qualifier races, please refer to our website. New contest announcements, RSVP procedures, and other related information, are also regularly updated on the #\u270brsvp channel. Please note that private contest details are only visible to certified wardens in the #\ud83d\udd96rsvp-certified channel. 
All participants are encouraged to monitor these channels and direct message C4 staff members for any queries or concerns.\n", "Question: What resources are available to help me understand and use static and dynamic tools like Mythril and Slither for testing smart contracts I\u2019ve downloaded from Github?\n\nAnswer: Several resources exist to guide you in understanding and using smart contract testing tools like Mythril and Slither. If you're beginning in the field of smart contract auditing, you can start learning from resources such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources. \n\nIt is important to understand that static analysis tools like Slither look at the code without interacting with it, checking for potential vulnerabilities and bugs. You can write custom checks for Slither based on your needs. Another useful resource for compiling and checking solidity code for syntax mistakes is the online Remix IDE. \n\nIf you're interested in testing frameworks, Hardhat comes highly recommended. You can find guidance on how to set up certain contract environments, even with limited documentation, no test cases, and no deployment scripts, using tools like eth-brownie for mocking contract deployments. \n\nFor those who prefer a more visual understanding of smart contracts, graphical interfaces like Surya (https://github.com/ConsenSys/surya) can be helpful, though it may be slightly outdated. \n\nIn addition to these, there are tools available to verify if a contract has been initialized on the Ethereum mainnet or for viewing on-chain contracts of etherscan in an integrated development environment (IDE). 
An example of such a tool can be found here: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484.\n\nRemember that understanding reports and concepts related to smart contracts can be challenging, but these resources should provide a solid jumping-off point.", "Question: How should I categorize a finding and what are the potential consequences of misclassifying the severity of a bug in my submission?\n\nAnswer: The severity of a bug is determined by its estimated impact, following the guidelines provided here: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. If an issue, initially classified as low-risk or QA, is judged and found to be of medium risk by other wardens or judges, it can be automatically upgraded. This will make your submission eligible for medium rewards as outlined here: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.\n\nIt is essential to note that judges have the discretion to upgrade or downgrade issues depending on their judgment of severity. For instance, an issue marked as 'Medium' could be downgraded to 'QA'. Similarly, findings in your QA report could be upgraded if judges believe the severity should be higher. \n\nWhen reporting an issue but unsure about its severity, it is recommended to file it as a QA unless a Proof of Concept (POC) is coded. This will allow the judges to evaluate and classify the issue appropriately. \n\nIn the case of 'on the fence' vulnerabilities, where it is unclear whether to rate them as High or Medium risk, it is still uncertain which category they should fall under. However, remember that in terms of potential losses caused by the issue, if all rewards can be lost, it's classified as MED/HIGH. If there's a risk of losing some rewards, it's probably medium. 
If rewards are lost due to roundings (a negligible amount of rewards), it's probably QA. And if the principal can be stolen without needing extra requirements, then it's probably HIGH.\n\nFor concerns about the potential impact of misclassifying a bug's severity on rewards, rest assured that even if a High severity bug turns out to be only Medium, the reward for a Medium bug is still received. \n\nWhen in doubt, it is advisable to use the 'issues' section on our org repo to address any inconsistencies you identify: https://github.com/code-423n4/org/issues. This platform is designed to aid in process improvement.", "Q: What is the significance of being a certified warden in CodeArena and how does it relate to eligibility for a judge role and participation in contests?\n\nA: Becoming a certified warden at CodeArena holds several benefits. Firstly, it does make you eligible for a judge role. While judges have traditionally been soft doxed or known to at least one party at CodeArena, becoming a certified warden can be viewed as a more scalable approach to ensuring credibility and trust. This certification also allows wardens to participate in private contests and can greatly enhance their ability to qualify for such competitions.\n\nFurthermore, certified wardens get the privilege of accessing findings shortly after contests end and they may also get access to private repositories after a contest is finished. Certain contests, such as PolynomialFi and Versus contests, are only open to certified wardens, and if a warden is certified, it allows them to be marked as \"Available for Hire\". \n\nThe process of becoming a certified warden involves an application and likely a KYC process, which might require a passport or a certified copy of one's identity. It's important to note that the process might take some time, even after approval. 
To meet the criteria for certification, wardens are typically required to participate in a certain number of contests and have a certain number of valid findings or reports. \n\nFor more detailed information about becoming a certified warden, the eligibility requirements, and the certification process, please refer to the following links: \n- https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor\n- https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints\n\nPlease note, while certification may yield many advantages, it may not be a requirement to participate in all aspects of CodeArena at the current time.", "Q: What is the process and importance of becoming a certified warden in CodeArena, and does it impact participation in audits or contests?\n\nA: Becoming a certified warden in CodeArena is an important process that involves verifying your identity, and in some cases, completing KYC certification. Once certified, you gain several privileges and opportunities. For instance, certification is a prerequisite for gaining backstage access and participating in private audits, versus audits, and audits requiring KYC. It's important to note that every individual team member needs to be certified in order to be eligible for payout. \n\nEven though participation in some contests is possible without being certified, certification becomes necessary if any submissions are awarded to receive the payouts. Also, only certified users have the ability to edit their profiles. The certification process is approved by provenance and usually takes a few days for the role to reflect on your profile. Once your certification is finalized, you'll receive an email confirming the status.\n\nIt's also noteworthy that certification doesn't require a full-time commitment; it simply indicates that your identity has been verified. 
If you wish to apply for certification, especially after a high finding, you can do so by contacting the organization through the help desk form. If there's a change in your username, you can reapply for certified status.\n\nAdditionally, there's a need for a more formal process for achieving Certified+ status, which requires meeting more stringent criteria like being in the Top 3 in 3 contests or making a high finding. Also, to be a certified warden, you might need to participate in a certain number of contests and have a certain number of valid findings or reports.\n\nIn terms of checking your certification status, you can do this by clicking on your name to see assigned roles, and also through email updates. Please note, as a certified warden, you must comply with certain conditions to attend a private audit. Any requirements for audits, like KYC certification, will be specified in the applicable channels.", "Question: What is CodeArena's policy on the confidentiality of findings, techniques, or recommendations discovered during contests and when can they be disclosed or used?\n\nAnswer: CodeArena's policy dictates that all findings, techniques, or recommendations discovered in a contest are to be treated as private and confidential until the contest report is officially made public. This policy is in place to respect the Non-Disclosure Agreement (NDA) with the sponsors of the contest and to give them time to act on the feedback received. It does not prohibit the use of new methods or learnings; instead, it discourages the public discussion or sharing of specific findings related to the sponsors' issues until the official report is published.\n\nFindings, including those not selected for the final report, remain private for a certain period after the contest ends. This period can vary, and the specific duration is not pre-stated. 
During this private period, only the team has access to the submissions, and those with the \"backstage\" role can take part in the triaging process. Sponsors do not have access to the findings repository until the contest ends.\n\nAfter this private period, the findings repository becomes publicly available for reviewing and learning from other submissions. However, the organization encourages professional conduct from all certified wardens, including refraining from discussing findings publicly until the report is published, as per their professional conduct guidelines (https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines). \n\nPlease note that the findings cannot be viewed or discussed even after a contest concludes but before the report is officially published, as per C4's policy. Additionally, the contest findings are not shared directly with anyone, including the project team and the judge, until after the contest deadline passes. Once the findings become public, they can be used or applied to other contests or situations.", "Question: How are enums managed in Solidity? Are they stored in storage or in the contract bytecode? \n\nAnswer: Enums in Solidity are user-defined types explicitly convertible to and from all integer types, but implicit conversion is not allowed. They require at least one member, and its default value when declared is the first member. However, they cannot have more than 256 members as of version 0.8.0 ([source](https://docs.soliditylang.org/en/latest/types.html)). \n\nStoring an enum will take up part of a storage slot. If using it as a literal, it will be the same as a uint8. When stored, enums are treated as state variables that are stored in 32 bytes storage slots. 
Multiple variables can be potentially packed into a single slot if they are declared next to each other, which can reduce gas costs ([source](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html)). This approach is common in optimizing smart contracts for gas usage since the cost of reading the entire bytecode of a contract is constant. \n\nNote that functions are automatically generated for public storage variables which aren't stored in storage. That includes enums, constants, and immutables ([source](https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility)). \n\nFor more information about enums in Solidity, please refer to these resources: [Solidity Documentation](https://docs.soliditylang.org/en/latest/types.html) and [Ethereum StackExchange](https://ethereum.stackexchange.com/a/75961).", "Question: What is the process and importance of getting certified on CodeArena?\n\nAnswer: Certification on CodeArena is not always required, but it is a prerequisite for various activities. These include participating in audits that require KYC, accessing backstage features, editing your profile, participating in versus contests, and receiving rewards for reported submissions. Additionally, for private audits, certification is usually sufficient. However, for certain contests, all members of a team need to be certified in order to be eligible for any payouts.\n\nThe process of becoming certified involves sending your identity for verification. This can be initiated within 48 hours of a contest, and upon completion, a participant may be awarded if they are eligible. After applying for certification, approval is given by provenance, and it generally takes a few days for the role to reflect on your profile. You will be updated about the status of your certification process via email. 
If you wish to become a certified warden, you may need to participate in a certain number of contests and have a certain number of valid findings or reports.\n\nOnce you are certified, you can join any contest, including those that require certification. Also, a certified user can apply for KYC certification. It is also suggested that the criteria for certification+ could be more stringent, such as being in the Top 3 in 3 contests or making a high finding.\n\nYou can check your certification status by clicking your name to see assigned roles or through email communication. If you have a high finding, you can apply to be certified by contacting the organization through the help desk form. \n\nPlease note that being certified does not require a full-time commitment; it merely indicates that your identity has been verified. You will receive an email once your certification has been finalized.", "Question: What is the current status of the LPT rewards and when can we expect them to be released?\n\nAnswer: From the discussions observed in our chatroom, it's evident that many participants are keen on updates regarding the LPT (Livepeer) rewards. As of now, the rewards for LPT tokens along with NFTX and Insure payments are still pending. However, we expect to release these rewards within the coming week. Please note that this timeframe is an estimate and may change due to unforeseen circumstances. \n\nWe understand that there has been a period without announcements regarding rewards, and we appreciate your patience. In terms of the impact on the leaderboard, it's important to note that the release of these rewards may indeed influence standings. \n\nIn addition, we would like to clarify that rewards are also given for other activities, including the submission of new detectors, for which \"Karma Points\" are awarded. There are also bonus rewards given for the best reports in contests. 
It's also important to note that, in case no high or medium issues are found in a contest, or if no issues are found at all, there are still specific protocols on how the reward pot will be distributed.\n\nPlease keep an eye out for further updates on our official channels. We aim to be as transparent and prompt as possible with all reward-related announcements. Thank you for your understanding and continued participation in CodeArena contests.", "**Q: How can I register a team or group on Code4Arena?**\n\n**A:** Registering a team on Code4Arena involves several steps. First, you need to sign up as a warden, a role that enables you to participate in the audits or contests. To sign up as a warden, you can join the #\ud83d\udc3ai-want-to-be-a-warden channel. \n\nAfter registering as a warden, you'll have access to the #\u26bdteam-formation channel, where you can gather information about forming a team. To officially register your team, you should visit code4rena.com/register-team. Here, you'll need to create a team handle which is a unique identifier for your team. You can refer to this [example](https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json) for how to create a team handle. \n\nAlso, it's important to remember that to participate and receive shares as a team, your team members must register their handles and Ethereum (ETH) addresses. \n\nIf you decide to change your team name after registration, you'll have to re-register. Similarly, users can re-register to change their usernames. \n\nOnce your team is approved, you can submit findings as a team. If you're interested in auditing, instructions to register as an auditor can be found [here](https://docs.code4rena.com/roles/wardens). 
\n\nFor further information, detailed guidelines on how to register a team can be found in the [documentation](https://docs.code4rena.com/roles/wardens#registering-a-team).", "Question: Who should I contact for collaboration, investment issues, or potential partnerships at CodeArena (C4)?\n\nAnswer: At CodeArena (C4), you have several options for making contact depending on your specific needs. For matters related to collaboration, investment issues or potential partnerships, reaching out to our staff through a help request is highly recommended. \n\nFor specific audit contests or bug bounties, you can direct message the designated contacts of the sponsoring teams. Cofounders and engineers from various projects including Reality Cards, Pool Together, Lion's Mane, Tracer DAO, and Gro, among others, are available for communication on their respective projects. \n\nIf you are interested in running an audit contest, we can direct you to the appropriate individual for follow-up. \n\nFor questions about the scope of a contest, you can direct your queries to the respective sponsor. While a contest is ongoing, it is possible to discuss potential issues with the sponsor. There are specific channels to ask general questions, and sponsors' team members are available for questions via direct messaging. \n\nIn the event of a disagreement over the scope of a particular issue with the sponsor, we encourage you to report the issue nonetheless. \n\nIf your company has concerns about inconsistencies, process, or lack of clarity in rules, you are encouraged to review issues at our organizational GitHub page: https://github.com/code-423n4/org/issues. \n\nFor inquiries about participating in private audits or findings of past projects, you can reach out to us online or ask for support from the C4 website. \n\nIf there is a risk to funds on the mainnet, project owners are advised to reach out to our staff via a help request. 
Please note that project owners cannot see the findings as they are reported. \n\nPlease remember that direct communication and personal contact have been encouraged for specific queries. However, if you are unsure whether it is appropriate to contact judges or the streams' protocol team for clarification, it is best to ask. \n\nFinally, for questions regarding invoicing, you can refer to this document: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions.", "Question: How can I verify if I have submitted my wallet address for rewards, update it, or check the status of my submission and rewards?\n\nAnswer: You can easily verify if you have submitted your wallet address for rewards and update it if necessary by filling out the help form available at [Code4rena Help](https://code4rena.com/help). The submission form for each contest includes a field for your wallet address, which can be updated after your finding has been submitted and before the reward payout. If you choose to use a new wallet address in your report, the rewards for the report will be distributed to the new address. \n\nIn terms of submissions, you can check if they were accepted at [Code4rena Reports](https://code4rena.com/reports). Once your submission is confirmed and reward amounts announced, you just need to wait for it to go to your wallet. You will receive confirmation via email regarding your submission. If you have forgotten your wallet address, you can refer to this confirmation email. \n\nPlease note, rewards from contests are distributed to your registered wallet address. 
For more information about changing your wallet address for receiving awards, please refer to [Code4rena's Warden Auth Documentation](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards).\n\nThe status of your rewards, including the payout for vulnerability issues, can be verified by checking the wallet address with which you registered, using platforms like polygonscan.com or wallet trackers like debank.com. Please be aware that some rewards may be pending after the contest has finished. \n\nTo ensure you receive your share of the rewards, you need to register your handle and ETH address. There is a field for the polygon address when you submit findings. Remember, you can submit a report without being certified, but certification is needed to receive rewards. Wardens must connect their wallet to their account to submit findings. \n\nLastly, if you need to create an invoice for the rewards received from a contest, you can find the necessary information at the bottom of [Code4arena's Awarding Process page](https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions).", "Question: Why does the multiplication of a uint8 and a uint256 value in Solidity cause an overflow error?\n\nAnswer: The issue of overflow you're encountering is due to the multiplication operation between a uint8 and a uint256. In Solidity, when performing an operation between two different types, the EVM implicitly converts the smaller type to the larger one. In your case, the uint8 is being converted to a uint256. However, the value you've chosen for the uint8 variable (195) multiplied by 86400 is more than the maximum value a uint8 can hold (255). This leads to an overflow error. \n\nTo fix this, you need to cast all variables you multiply to uint256 to avoid the overflow. In Solidity versions before 8.0, you could potentially use fuzzing tools for audits to catch these types of errors. 
However, from Solidity 8.0 onwards, an overflow/underflow check is implemented at the language level, which should catch these errors during compilation. \n\nIt's worth noting that this sort of error could lead to serious vulnerabilities in smart contracts. Therefore, understanding the nuances of type conversion and overflow handling in Solidity is important for writing secure smart contracts. For more details, you can refer to the Solidity documentation [here](https://docs.soliditylang.org/en/latest/types.html).\n\nAlso remember, gas efficiency is a major concern in smart contracts. The use of large numbers and complex computations can lead to higher gas costs. Some developers use gas optimization strategies such as using the '++i' instead of 'i++' in for loops, or not initializing default variables to 0. These strategies can help reduce the overall gas costs of executing your contract.", "Q: I've submitted some issues for an audit, how can I confirm my submission status, verify if my wallet address has been recorded for rewards, and see any feedback or rewards for my report?\n\nA: To verify the status of your issue submission and check if your wallet address has been recorded for rewards, you can use our help form at https://code4rena.com/help. After submitting an issue, it might not become immediately visible in the Issues in the repo created for the audit. If your report does not appear on the award list, it's likely that it was rejected. You'll be able to confirm this by reviewing the available report. \n\nRemember, if you wish to change your wallet address, you must do it before the reward payout. This can be done by submitting a request through the Help Desk. If you use a new wallet address in your future reports, the rewards will be distributed to this new address. \n\nThe reward for finding vulnerabilities can be verified by checking your registered wallet address using polygonscan.com or wallet trackers like debank.com. 
If multiple auditors report the same bug, they all get a portion of the bounty unless the finding is common and is usually picked up by the C4udit tool. Make sure to review our submission policy at https://docs.code4rena.com/roles/wardens/submission-policy for best practice. \n\nYou can track your past reports and confirm the receipt of your issues by checking for an email confirming your submission and enabling you to edit your findings. You can also view your submission replies regarding a contest through the same method. \n\nEarly feedback on submissions for auditing is occasionally available, and a link to the feedback will be posted on Discord. Concerns about reward distribution or any other issues can be addressed by opening tickets with our team.", "Question: How does Solidity handle calculations when two different types interact with each other, especially considering gas cost and the potential for overflow issues?\n\nAnswer: The calculations in Solidity are processed from left to right. However, you might face an issue if you're trying to implicitly convert and multiply uint values. The common theory that swapping the order of variables resolves the overflow issue has been disproved. In terms of gas cost, Solidity stores state variables in 32 bytes storage slots and packing variables into fewer slots can reduce gas costs. Additionally, using 1e36 as a shorthand for representing big numbers is more gas efficient, as per the Solidity documentation. Keep in mind that a misunderstanding of how Solidity handles type interaction could lead to unexpected behavior or potential vulnerabilities in your smart contracts. More detailed information on how Solidity manages these interactions and storage can be found here: https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html and https://docs.soliditylang.org/en/v0.8.15/types.html#rational-and-integer-literals.", "Question: What is the result of multiplying uint8 with uint32 in Solidity? 
\n\nAnswer: In Solidity, there can be some confusion regarding the multiplication of uint8 and uint32 due to the implicit conversion rules of Solidity. Solidity's integer types uint8 and uint32 are unsigned integers of 8 and 32 bits respectively. When you try to multiply uint8 with uint32, Solidity implicitly converts the uint8 into uint32 for the operation to be valid as the language operates on a type system that requires explicit type conversions to avoid unexpected outcomes. Thus, the result will not be uint24, but uint32 instead. This is because the size of an integer is determined by the largest operand when performing arithmetic operations. \n\nRemember that Solidity stores state variables in 32 bytes storage slots, which can impact how variables are stored and the gas costs associated, as mentioned in the Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html). Also, consider other efficient ways of handling large numbers in your code. For instance, the use of 1e36 is a shorthand and more gas-efficient way of representing big numbers in Solidity. \n\nPlease note that this explanation is based on the observations and discussions from our community and may require you to test it in your specific context. It's always a good idea to stay updated with the latest version of Solidity and refer to the [official Solidity documentation](https://docs.soliditylang.org/en/latest/) to understand the language's nuances and updates.", "Question: Where can I find more detailed information on how functions such as delegatecall work in Solidity and what implications they may have on storage, return value, and reverts in the target function?\n\nAnswer: Detailed information about how functions like delegatecall work, including their interactions with storage, can be found in the Solidity documentation and the Geth source code. 
The Geth source code contains the Ethereum Virtual Machine's (EVM) command line interface implementation, which could help you understand how delegatecall and other function calls operate at a lower level. You can find it on GitHub at [this link](https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302). \n\nIn terms of understanding the return value of delegatecall and its behavior during a revert in the target function, these topics are often discussed in our platform's chatroom, and you can find numerous threads related to these topics there. \n\nWhen using delegatecall or any other function call, it's important to bear in mind that the calling convention used can differ from what is actually called on the contract in the EVM. For instance, you can use calldata arguments for external/public functions and send calldata data pointers to internal and private functions.\n\nTo supplement your learning, you might also want to watch a video that walks you through eth_call, which you can find at [this link](https://www.youtube.com/watch?v=bEUtGLnCCYM).\n\nRemember to ask questions on our platform if you're struggling with understanding any reports or concepts related to smart contracts. Our community is always available to provide assistance and share useful resources.", "Q: What are the factors contributing to the delay in judging the Sublime March 2022 contest?\n\nA: The delay in judging the Sublime March 2022 contest can be attributed to a variety of factors. Primarily, the slow pace of sponsor review is a significant factor. Sponsors play a crucial role in the contest process and are incentivized to complete their review promptly. If they do not fulfil their responsibilities in a timely manner, it makes the judging task much more challenging. 
Judges often have to identify duplicate submissions and essentially act as a voice for the sponsors, which can add to the delay.\n\nAdditionally, it's important to note the overall increase in contest submissions, which can potentially lead to increased workloads for judges and thus longer judging periods. Some contests have also experienced an increase in issues and challenges which, combined with limited judge availability, can result in a backlog. \n\nThe complexity of certain contests, such as the recent one that was challenging for the judges, can also be a factor in the delay. Unforeseen factors related to the protocol itself, not just the judge, may also contribute to the delay.\n\nThere is no stated penalty for judges for delayed judging of the contests. In some instances when a judge cannot complete their work in a timely fashion, the contest may be reassigned to another judge. The company has been working to address these issues, including increasing offers for judging compensation to help clear the backlog.\n\nPlease note, the timeline for publishing contest results varies, depending on the time taken for judging. The review and judging phases can take some time, especially when dealing with high participation rates and complex codebases. \n\nLastly, it's worth mentioning that some contest delays are beyond our control, such as pauses that happen around big conferences or delays in the distribution of awards. Rest assured, we are always working to improve the contest process to ensure timely judgments.", "Question: How are contests announced and how is compensation handled for finding vulnerabilities in CodeArena's contests? Can participants know which bugs have been found already? \n\nAnswer: Contests at CodeArena are announced in advance. The compensation or payout for finding vulnerabilities is not dependent on who finds the bug first. 
Instead, there is a system in place where the overall value of the bug is reduced and split among all the participants who discover it. Therefore, the first person to find a bug and any subsequent person who finds the same bug receive a share of the bug's overall value. These shares give the owner a pro rata piece of the contest prize pot.\n\nParticipants cannot know which bugs have been found until the contest is over and the judging process is completed. All bugs found during the competition are kept confidential until the results are out, this is done to ensure fairness in the competition. It's important to note that common findings are usually out of scope as they are picked up by the C4udit tool. If they're not picked up by the tool, they should be submitted. \n\nAfter a contest, every participant can consult the contest report that reveals the bugs found for learning purposes. This detailed list of rewards for each participant for each bug per contest is available at [this link](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv). \n\nIn case there are no medium or high vulnerabilities found during a contest, the remaining funds are divided based on the QA Report curve. This situation is considered a rarity. If a high or medium severity vulnerability is found a few days after the contest ends, it should be disclosed responsibly to the development team, however, it won't be eligible for awards. \n\nIt's also worth mentioning that Code4rena encourages participants to reach out to the sponsor team during the contest if they have questions or believe they've found a vulnerability. However, for it to be eligible for awards, the vulnerability must be submitted via the contest submission form. \n\nRemember, CodeArena operates similarly to a bug bounty platform where prize pools and fees are defined upfront. 
For more information about the incentive system and rewards, you can check out [our docs](https://docs.code4rena.com).", "Question: What are the privacy considerations regarding a certified warden's Github and email information, and what are their privileges and processes on CodeArena's platform?\n\nAnswer: Certified wardens' emails and Github usernames are not publicly listed by CodeArena (C4). Instead, they are included in a permissions group or team on Github, which is necessary for them to access private repositories. Individual users have the choice to make their membership in these private teams public or not. \n\nA certified warden has certain privileges and responsibilities on CodeArena's platform. For instance, they can view submitted reports on Github during the triage process, provided they have a certain level of established contribution. They can also see their submission and the comments in it after the announcement once the repository is set to public, unless they have certified backstage access. \n\nCertified wardens are also given the ability to submit findings and view repositories. Their applications to become certified wardens are submitted and feedback is received via email, including from the email address @provenance.company. \n\nTo become a certified warden, one must apply through the application form available on CodeArena's website and adhere to the professional conduct guidelines, which require all findings to be treated as private and confidential until the contest report is made public. Further information on the certification process is available at https://docs.code4rena.com/roles/certified-contributors. \n\nEligibility for becoming a certified warden includes encountering at least one high-severity bug and participating in at least three contests. Once certified, they get earlier access to the findings repositories to assist with post-contest processes. 
For example, a certification allows access to private audit contests (https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0).\n\nIt's important to note that the time it takes for a Github organization invite to be sent to a certified warden could vary, and users can check their acceptance as a warden on CodeArena's platform.", "Q: How should I determine and report the severity of an issue in a smart contract I'm auditing?\n\nA: The severity of an issue should be determined based on its potential impact on the end-user and the protocol. This could range from a minor issue affecting a user in a rare situation, to a major issue locking all the protocol's assets. Assessing the severity of an issue involves a balance between the potential consequences of the issue and the likelihood of its occurrence. High severity issues usually involve substantial fund loss or severe consequences without pre-conditions, while medium severity issues typically have lesser impacts and specific preconditions such as high attack difficulty or specific market conditions. \n\nTo report an issue and its severity, you should first describe the vulnerability and its impact on the protocol/code in the impact section. Then provide a Proof of Concept (PoC) in the corresponding section, which should contain the lines from code/github or an added test written as an exploit. \n\nKeep in mind that the specific severity assigned to an issue does not matter as much as a good explanation of the finding. If the severity is unclear, continue working on the PoC until it becomes clear. Note that issues can be upgraded to a higher severity if further investigation reveals a greater potential impact. \n\nMisjudging a vulnerability's severity does not have specific penalties. For example, even if a high severity bug turns out to be only medium, the rewards for finding a medium bug will still be given. 
\n\nLastly, it's recommended that you refer to the estimating risk guide in the Code4Rena documentation for further guidelines on how to determine the severity of an issue: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr\n\nIt's important to remember that every finding doesn't necessarily have to be a severe vulnerability. There can be a wide variety of findings based on different combinations of issues found to create different attacks. The acceptance of these issues depends on their severity and presentation clarity as evaluated by the sponsors and judges.", "Question: I saw a pull request for all-time statistics on the leaderboard. Can you explain how this was decided and what it means for the users of CodeArena?\n\nAnswer: The decision to show all-time statistics on the leaderboard was made without a public vote. This change implies that although the leaderboard will primarily showcase current year statistics, the all-time stats of users will remain accessible. It's part of CodeArena's continuous efforts to improve the leaderboard functionality, in line with discussions about potentially integrating the website with Github to track specific timestamps. You can view the details of the pull request at https://github.com/code-423n4/code423n4.com/pull/1850. \n\nIn case any user has disagreements with such decisions, they can always address their concerns by reviewing and commenting on issues at https://github.com/code-423n4/org/issues, or even opening a new one if their concern is not already addressed. 
It's worth noting that CodeArena is actively considering feedback from participants to enhance the user experience, such as the recent suggestion to add direct links and preferred avatars from competing participants to the homepage.", "Question: Can this Discord channel be used for all types of security discussions, or is it strictly limited to questions related to Code4rena?\n\nAnswer: This channel can indeed be used for general security discussions alongside Code4rena related inquiries. However, there are certain guidelines to facilitate the organization and smooth functioning of the discussions:\n\n1. For specific Code4rena related concerns, participants are encouraged to direct message someone from Code4rena or submit a help request at [Code4rena Help](https://code4rena.com/help).\n2. Questions about the Certified Wardens process can be asked directly to Code4rena.\n3. If a participant has a question about a contest's security issue, they can also submit a help request at [Code4rena Help](https://code4rena.com/help).\n4. Doubts related to EVM security can be posted in the #\ud83c\udf33everything-evm channel.\n5. Questions related to specific topics or contests should be asked in the designated channels.\n6. For those interested in sponsorship, they can visit the channel #\ud83d\udcbci-want-c4-to-audit-our-code.\n7. If a user happens to find vulnerabilities impacting Code4rena's webapp, they should report it by either sending a direct message to a specific individual or emailing the issue to security@code4rena.com.\n8. For private inquiries to a member of the Code4rena team, a Help Desk request can be made at [Code4rena Help](https://code4rena.com/help).\n\nPlease always use the appropriate channels for your questions and discussions, to ensure that they are handled promptly and effectively. 
We appreciate everyone's cooperation in maintaining the efficiency of this Discord channel.", "Question: \nWhat happens when a selfdestruct function is called in a smart contract and why does it seem to run to completion particularly within a delegatecall?\n\nAnswer: \nIn Ethereum Virtual Machine (EVM), when the selfdestruct function is called, it registers the current account to be destroyed at the end of the current transaction. This information can be verified at [EVM Codes](https://www.evm.codes/#ff). However, even though the remaining lines in the function aren't executed because they no longer exist after a selfdestruct call, the function seems to run to completion if it's being executed within a delegatecall.\n\nThis is due to the unique nature of the delegatecall function. A delegatecall function executes in the context of the calling contract and has access to the caller's state variables, but the code of the called address is used. The execution doesn't stop because the state of the calling contract is still active. \n\nMoreover, if there's a change in the function's state first and then a require statement in that function fails, a user's state will remain the same. If there is a failure in the require statement after a state change, the state will be reverted back to what it was prior to calling the function.\n\nIt's also important to mention that gas fees are incurred when calling a selfdestruct function, and a function can run out of gas if the input is large enough. A common solution to prevent this is to have a start offset and a maximum length to process it in batches.\n\nFor more detailed information on how delegatecall function interacts with contract storage, you can refer to Solidity docs and the [Geth source code](https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302). \n\nIt's also worth noting that even automated tools have reported vulnerabilities in smart contracts, which is why people continue to audit their contracts. 
Even if a function is called on the contract with address(0) as one of the parameters and it has no impact other than a mapping being filled with random entries, it should be reported as Quality Assurance (QA).", "Question: Why does the function run to completion even after a selfdestruct opcode is executed, and what happens to the code size afterwards?\n\nAnswer: When a selfdestruct opcode is executed in a smart contract, it indicates that the current account is to be destroyed at the end of the current transaction, as detailed on the EVM codes page (https://www.evm.codes/#ff). However, it doesn't mean that the remaining lines of code in the function will not be executed. The function will run to completion, but at the end of the transaction, the selfdestruct opcode will remove the contract from the blockchain state, effectively reducing the code size to 0. It's important to note that any state changes made by the function will still be permanent unless the function encounters an error and reverts, or the contract's state is otherwise reset. In case of failures, the Ethereum protocol will revert the state back to what it was prior to calling the function. For further understanding, you may want to look at static security testing tools like Solidity linter or Remix for any compilation warnings before deploying your contracts.", "Question: Why does the condition \"require(size>0)\" evaluate to true even after a selfdestruct operation in smart contracts?\n\nAnswer: The reason behind this is the nature of the selfdestruct operation in Ethereum's EVM (Ethereum Virtual Machine). 
According to the description on evm.codes, the selfdestruct operation \"registers the current account to be destroyed, and will be at the end of the current transaction.\" This implies the current state of the account, including values of its variables, is retained until the end of the transaction, so the condition \"require(size>0)\" will still evaluate to true if it's checked within the same transaction. \n\nAlso, some users have noted that the check \"x != 0\" is generally cheaper than \"x > 0\" only in require statements and this was true only prior to the Solidity version 0.8.13. It's important to remember that if a function's state is changed first, and then a require statement in that function fails, the user's state will remain the same. As a result, if there is a failure in the require statement after a state change, the state will revert back to what it was prior to calling the function. \n\nHowever, it's also worth noting that the use of \"magic numbers\" in require statements like 'require(abc<123)' is often considered a low finding in smart contract audits because it reduces code readability. To improve this, it's recommended to declare a constant value for such numbers.\n\nIn relevance to gas consumption, a point to consider is that as of Solidity version 0.8.0, the assert operation no longer consumes all gas, and hence, any remaining gas should be refunded if the assert operation fails. Some users also discussed the gas efficiency of custom errors compared to require statements with a string in Solidity smart contracts.\n\nFor more details on the selfdestruct operation, you can refer to [evm.codes](https://www.evm.codes/#ff).", "Q: How can I gain a more in-depth understanding of how functions like delegatecall work with storage in solidity, particularly regarding gas optimization and understanding solidity syntax?\n\nA: For a deep dive into delegatecall and its interaction with storage, the Solidity docs and the Geth source code are great resources. 
You can find an in-depth explanation on delegatecall at the Solidity docs and delve into the actual implementation in the Geth source code [here](https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302).\n\nRegarding gas optimization, it's important to note that Solidity stores state variables in 32 bytes storage slots. You can potentially reduce gas costs by packing multiple variables into a single slot if they're declared next to each other. More details on this can be found in this [document](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html). Be mindful of the order of function checks from storage and calldata as swapping these order could lead to optimization of gas.\n\nFor understanding Solidity syntax and programming, two resources come highly recommended: [Solidity by Example](https://solidity-by-example.org/0.6/) and the [Solidity docs](https://docs.soliditylang.org/en/v0.7.5/).\n\nMath associated with Solidity projects is a crucial part of understanding the implementation and optimization of smart contracts. To learn about this, the YouTube channel [Smart Contract Programmer](https://www.youtube.com/@smartcontractprogrammer) is a useful resource.\n\nIn the context of audits and understanding reports, you might find it valuable to review multiple staking contracts to comprehend different ways staking functionality can be implemented. Consider the severity of issues, context is important. For example, the number of functions in an interface and their usage in code becomes significant during a protocol interaction with a contract on-chain.\n\nFinally, if you're just starting in the space of smart contract auditing, consider learning from resources like [How to become a smart contract auditor](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and [Code4rena's Tools and Resources](https://docs.code4rena.com/roles/wardens/tools-and-resources). 
Questions can always be asked on our platform for further clarification or guidance.", "Q: What is the process and requirements for becoming a Certified Warden with CodeArena (C4), and what are the steps if I'm already partway through the process?\n\nA: The process to become a Certified Warden involves submitting an application, followed by a Know Your Customer (KYC) process delegated to Provenance. The exact requirements for the application may vary but often include an identity document such as a passport or driving license. Some users have also reported needing a selfie and possibly a proof of residence, though the latter isn't always necessary.\n\nThe process involves an applicant queue, and after the Provenance verification process, it roughly takes 1-2 business days for the next steps to be initiated. It could take about 2-3 weeks to receive the KYC email from compliance@provenance.company after submitting your application (check your spam folder as the email could land there). \n\nThere might be a requirement that you participate in a certain number of contests and have a certain number of valid findings or reports. Specifically, to become a certified warden, you need to have at least 3 top finishes in either the QA or gas report from past contests. \n\nIf you are already partway through the process, it is highly recommended to complete it. Please ensure that all your documentation is updated and consistent across all instances, as some users have identified inconsistencies. \n\nAfter approval, it might take some more time for a warden to be marked as certified. At the end, notifications and updates on your certification process will be sent to your email, including from the address @provenance.company.\n\nFor more detailed information, visit: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nPlease note that it is possible for a foreigner to become a certified warden. 
If you are interested in having access to private repos after a contest is finished, consider applying for the Certified Plus Warden role, which has some entry requirements.", "Q: What is the process and requirements to become a certified warden at CodeArena?\n\nA: The process of becoming a certified warden involves competing in audit contests, as well as having a certain number of top finishes in either the QA or gas report from past contests. Alongside this, you may need to submit certain documentation as part of the application, including completing a Know Your Customer (KYC) process, which may require a passport or a certified copy of your identity. Please note that certain contests are only open to certified wardens. \n\nCertified wardens are eligible for certain benefits like attending private audits and potentially playing a judge role, although the exact conditions may vary. \n\nPlease be aware that the eligibility requirements to become a certified warden can be found at [Code4Arena](https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor). More information on the process and constraints of getting certified can be found at [Code4Arena Certification Process](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints). If you're ready to apply, you can make the application at [Certified Contributor Application](https://code4rena.com/certified-contributor-application). \n\nForeigners are welcome to apply, but they must meet the same criteria and complete the same verification process as everyone else. 
If you have further questions about the process or eligibility, feel free to raise them in our Discord chatroom.", "Question: How can I check if my past submission ranked in the top-3 for the QA or gas report, and what are the criteria to become a certified warden for Code4rena?\n\nAnswer: You can request Code4rena to check whether your past submission achieved a top-3 finish in either the QA or gas report. Be aware that to become a certified warden, you must have at least three top finishes in these categories from past contests. \n\nWardens are now required to submit just one QA report and one gas report per contest. You can find more details on this in the submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#report-format). \n\nIf you submitted an issue as a low in a QA report and the judges determine it's a medium, it may be eligible for medium rewards, which you can read more about [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nIf your report exceeds the character limit in the submission form, you can submit a placeholder and send the report via email. Details on this can be found [here](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form). \n\nYou can check whether your submissions were accepted at the Code4Rena reports page [here](https://code4rena.com/reports). 
\n\nFor more detailed information about the judging criteria and the QA/Gas Optimization reports, please refer to these links: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [QA and Gas Optimization Reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nIf you have more questions related to the Certified Wardens process, you can ask directly to Code4rena.", "Question: What are the different avenues and processes to reach out to CodeArena (C4) for learning more about the project, discussing potential partnerships, collaborations, and other related inquiries?\n\nAnswer: CodeArena encourages open communication and offers several avenues for discussions, collaborations, and inquiries. \n\n- For general information, support, or reporting issues, the C4 website is a good place to start. Some users have reported trouble accessing it, but C4 is continuously working on improvements. \n\n- If you're interested in partnerships or investments, you can directly message the C4 staff members or submit a Help Desk request. Also, you can reach out to project team members listed in specific Discord channels for consultation. \n\n- For discussions about potential issues or questions about findings of past projects, there are specific channels available. Even during ongoing contests, you can reach out to the sponsor team. Direct messaging is possible, but remember, if you've found a vulnerability during a contest, you need to submit it via the contest submission form to be eligible for awards.\n\n- If you are interested in starting a contest or learning about C4 auditing, you can use the #\ud83c\udfebeducation channel on Discord.\n\n- Sharing your experiences with C4 is welcomed as part of warden outreach, and inquiries about users' experiences with C4 are being made frequently. 
\n\n- For those wanting to sponsor a C4 audit, you can use the #\ud83d\udcbci-want-c4-to-audit-our-code channel on Discord.\n\nRemember, after applying for KYC, you'll receive an email from Provenance and C4. Further, there's also the possibility of C4 grants for building tools, which you can explore. If you're a certified auditor and curious about linking your C4 profile to a Twitter profile, it can be done by completing a help desk request.\n\nIt's worth noting that some of the C4 team will be present at ETH.Denver, providing an opportunity for face-to-face interactions. \n\nFor more technical insights into C4, you can refer to the whitepaper available in the C4 GitHub repository under /docs.", "Question: How can I check the status of my past submissions and know if they achieved a top-3 finish in either the QA or gas report?\n\nAnswer: Participants in CodeArena contests can view their past submissions and their status by checking their Analysis Report on the CodeArena website. This includes knowing whether your submission achieved a top-3 finish in either the QA or gas report. If you need specific details on this, CodeArena can provide the information upon request. \n\nWhen you make a submission, you'll receive an email confirmation. This will also give you the ability to edit your findings if the contest is still open. You can do this by selecting the \"My findings\" option on the contest page. \n\nRemember, each participant can submit one combined gas report and one combined QA report per contest. You can add more findings to your report even after initial submission. If you encounter issues with online submissions, you can send your reports via email to report@code4rena.com.\n\nIn terms of grading, it's important to know that judges consider both quantity and quality of submissions. A single item in a QA submission is unlikely to receive a high grade. 
You can read more about the judging criteria at: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nExamples of top QA/Gas reports can be found at: https://code4rena.com/reports. You may also find answers to additional questions in our FAQ section at: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.", "Question: How can I reach out to the CodeArena team for potential collaborations, partnerships, or to discuss specific issues?\n\nAnswer: Absolutely! CodeArena encourages communication and is open to discussing potential collaborations and partnerships. For specific questions or issues, you can directly message (DM) any of the CodeArena staff members. This can also include contacting the representatives from our sponsor teams throughout the duration of a contest for any queries.\n\nFor general questions, each contest has a specific channel in our Discord where you can post your queries. Moreover, various project co-founders and engineers from organizations like Lion's Mane, Tracer DAO, Gro, Reality Cards, and Pool Together are also present and available for communication. \n\nFor discussions about potential submission, vulnerabilities, or high severity issues, you can either use the contest channel or contact the project's dev team directly through private messaging. Always feel free to ask questions about past projects or participate in private competitive audits.\n\nFor specific protocols such as the Vader protocol, DMs can be sent directly to @strictly-scarce. 
If you're interested in discussing potential partnerships, like with Amber Group's Investment and Research division, you can visit their website at https://ambergroup.io/.\n\nIn case of any account issues or inquiries about auditing projects, you are encouraged to DM for assistance. Remember, you are permitted to directly message the project team about potential vulnerabilities. \n\nPlease note that not all inquiries may receive an immediate response, but the team strives to address all questions and concerns promptly.", "Question: What is the process and criteria for applying to be a certified warden at CodeArena, and how can I check the status of my application and reports?\n\nAnswer: To apply to be a certified warden at CodeArena, one needs to have at least 3 top finishes in either the QA or gas report from past contests. The organization can check the criteria for a top-3 finish upon request. It is important to note that the criteria could be more stringent for certification+, such as being in the Top 3 in 3 contests or making a high finding.\n\nAfter you submit your application, the review process takes place as part of the application process and this could take between 3-6 weeks on average, depending on the number and complexity of the reports under review. If your application is close to the eligibility criteria but doesn't quite meet them, the team might pause your application and revisit it a few weeks later. \n\nYou can check the status of your report submission by looking out for an email and the ability to edit submitted findings. 
Additionally, the reports from contests are typically checked within an average period of 3-6 weeks, with the precise time depending on the contest and the number of reports on review concurrently.\n\nYou should note that while you are allowed to submit findings you are unsure about, having more than 3 reports rejected in a competition will prevent you from getting any payout for that competition.\n\nIn terms of report submission, it is recommended to submit one Quality Assurance (QA) report per contest and ideally group all issues together. Make sure to separate the Gas report from the QA report. \n\nFinally, if you are unsure about your submission or the process, you can always contact the organization through the help desk form. Keep in mind that all applicants for a working group will be contacted, regardless of whether they are accepted or not. Please be patient and wait for your report to be published and the findings repo to be made public to check on your submissions.", "Question: Where and how can I ask questions or post doubts related to different topics, contests, or issues I'm studying at CodeArena?\n\nAnswer: At CodeArena, we have several dedicated channels on our Discord server where you can ask questions or discuss doubts. Here's a quick guide:\n\n1. For questions related to EVM security, please use the #\ud83c\udf33everything-evm channel. This channel can also be used for general security discussions, not just those related to CodeArena.\n\n2. Each contest has a specific channel where general questions about the contest can be asked. If you have specific questions about the scope for a contest, you can address these to the respective sponsor.\n\n3. In the event of an issue being marked as invalid, you can follow the process of querying this by monitoring the backstage channel for the post-judging stage of the concerned contest.\n\n4. 
The #\ud83c\udfebeducation channel is a great source of information for those starting a contest or learning about C4 auditing.\n\n5. If you have queries related to profile help, then the #profile-help channel is the place to go.\n\n6. If your questions are about findings of past projects or if you want to take part in private competitive audits, you can do so on the platform.\n\n7. If you have questions related to website matters or proposals to improve the platform, you can post these on the GitHub or a new channel that may be created in the future.\n\n8. If you have queries about how to find which findings of a contest were rejected and why, or how to view others' findings after a contest finishes, these are also raised within our chat.\n\nRemember, while it's encouraged to use these channels, questions about specific topics should ideally be asked on the forum post itself, as chat is ephemeral. However, if your question is particularly delicate or requires privacy, you can Direct Message (DM) a Code4rena team member for guidance. Lastly, if you want to discuss potential issues with a sponsor while a contest is ongoing, sponsors' team members are available for questions via direct messaging.", "Question: What is the KYC process at CodeArena, and how does it relate to participating in contests and receiving payments?\n\nAnswer: The KYC (Know Your Customer) process at CodeArena is an important aspect of participating in some contests and is crucial for receiving payments. To initiate the KYC process, users must complete this form: https://code4rena.com/certified-contributor-application. \n\nThe KYC process is managed on behalf of CodeArena by Provenance, a third-party provider. It involves an identification verification, which may not necessarily require a passport; other forms of ID are also often acceptable. However, Provenance may require more detailed documentation than what is outlined in CodeArena's guidelines. 
\n\nSome contests, like the OpenSea contest, specifically require KYC certification to participate. This requirement, if applicable, will always be specified in the related channels. Furthermore, all members participating in the base and chain link contest are required to undergo KYC verification. \n\nBecoming a \"Certified Warden\" requires successful completion of the KYC process. Certified contributors, who have passed KYC, have the additional advantage of participating in private contests. However, becoming a warden does not automatically imply KYC certification. \n\nAccess to the backstage, which allows for contest repo access post-closure and pre-public report release, is granted after KYC certification. Certain changes to this process are expected in the future. \n\nMoreover, KYC certification might be required to receive payment for some audits, particularly for bot crews. However, this is not always the case. \n\nThe KYC process can take several days, possibly longer depending on the back-and-forth communication with Provenance. Once the KYC process is successfully completed, confirmation is communicated to CodeArena for processing.\n\nPlease note that there are some restrictions for the KYC process, primarily related to OFAC sanctions and background checks. Some users may face delays in the KYC process due to these checks. \n\nIn sum, while not every participant may wish to go through the KYC process, it serves as a crucial element for participating in certain contests and for receiving payments.", "Question: What is the detailed process and requirements to become a Certified Warden at Code4rena?\n\nAnswer: To become a Certified Warden at Code4rena, you need to follow a specific process that begins with an application which can be filled out at https://code4rena.com/certified-contributor-application. As part of the process, you will undergo a Know Your Customer (KYC) verification, which may require documents such as a passport. 
This is to confirm your identity and eligibility. \n\nIt's also noteworthy that eligibility requirements could involve competing in audit contests and providing certain number of valid findings or reports. You may also need to participate in a certain number of these contests to be considered. More details about the certification process and eligibility requirements can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints and https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor. \n\nOnce certified, you may be eligible to participate in private audits and contests, however, there may be additional conditions to meet. Also, being a Certified Warden may give you early access to findings shortly after contests end. Please note that the process and eligibility requirements to become a Certified Warden at Code4rena may vary, so it's always a good idea to check the most current information on our website.", "Question: How was the prize distribution structure determined for the OpenSea contest on CodeArena?\n\nAnswer: The OpenSea contest on CodeArena featured a unique prize distribution structure, where the size of the prize pot increased based on the severity of the findings. This approach is similar to a bug bounty platform, where contestants are awarded shares for bugs discovered according to their severity. These shares offer the contestant a proportional part of the prize pool.\n\nThe decision about the reward for the severity of a bug in the contest is made by the judges, who also have the power to upgrade or downgrade the risk level of the submitted findings. 
If a contestant submits an issue as a high severity finding but it is downgraded by a judge, it does not necessarily invalidate the submission; this is clarified in the guidelines on https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions.\n\nAdditionally, the level of detail provided in a contestant's submission can influence the award amount. For instance, submissions that include a Proof of Concept (PoC) or cover the discovered issue in as many aspects as possible can receive a higher reward.\n\nThe OpenSea contest was a public contest that required Know Your Customer (KYC) processes and it ended on June 3. It is worth noting that the reward structure for each contest, including the pot size, can depend on various factors such as the number of lines in the contract that is up for review. \n\nLastly, there has been interest in seeing more high prize contests like the $1M OpenSea contest in the future. This might indicate that the structure of prize distribution used in the OpenSea contest was well-received by the contestants. However, as the contest's terms were unique, it is currently unclear who exactly came up with them or if similar terms will be used in future contests.", "Q: I have not received my rewards from the Sherlock contest, have they been paid out yet? \n\nA: There might be a couple of reasons why you haven't received your rewards yet. First, the payout for contest awards usually happens between 1-2 weeks after the announcement. If it's been longer than this, please bear in mind that there can be delays in distributing rewards due to several factors such as pending results from audits, changes to the award calculation process, or the use of multisig wallets which require signatures from multiple parties before funds can be released. For example, the Sherlock contest was technically unaudited at the time of the chat since the Quantstamp audit results were not back yet. 
It's also worth mentioning that some rewards may still be pending for reasons unspecified in the chat. \n\nAfter an award is announced, the distribution is done manually in batches for multiple contests at a time, usually processed on Monday or Tuesday after all signatures for the award distribution are rounded up in a standing meeting. Once your submission is confirmed and the reward amounts are announced, you will have to wait for it to go to your wallet. \n\nMoreover, in some instances, there have been issues with users not receiving email receipts for their contest findings. \n\nLastly, it's important to note that the rewards in a contest are subject to the findings of the audit. If no high or medium issues are found, the reward distribution might be affected. \n\nIn case you still have concerns, we can have a more detailed conversation via direct message to track down the issue. Please contact us.", "Question: Why did CodeArena choose Provenance as a KYC provider and how does the KYC process work?\n\nAnswer: CodeArena selected Provenance as its Know Your Customer (KYC) provider based on recommendations from other Cayman-based vendors. To become a Certified Warden with CodeArena, applicants must go through a KYC process which is delegated to Provenance. After applying for KYC, applicants receive an email from both C4 and Provenance, typically within one business day after the application is submitted. The KYC process can take a while, depending on the back and forth between the applicant and Provenance. In some cases, responses from Provenance may take more than a week. Provenance directly communicates the successful completion of KYC to CodeArena, who then processes the applicant's role. If there's no response after a few days after registering with Provenance and receiving KYC approval, applicants can open a help desk request at https://code4rena.com/help. Once the KYC process is successfully completed, the applicant can participate in private audits. 
It is important to note that Provenance may have more detailed requirements for documentation than what is outlined in C4's guidelines. Emails related to the KYC process will come from the email address kobus@provenance.company or compliance@provenance.company and are legitimate. In the event of delay in receiving such emails, it is advisable to check the spam section of the email.", "Question: What is the structure and timeline of contests like the OpenSea contest at CodeArena (C4)?\n\nAnswer: The contests at CodeArena (C4) vary in terms of structure and timeline, with special events like the OpenSea contest having unique attributes. Typically, the company runs week-long contests each week, but it is not uncommon to have longer contests, with durations extending up to 13 days or even 4 weeks for larger projects involving over 12k sloc. \n\nThe OpenSea contest, in particular, was an exception where the prize pool expanded and had a unique system of scaling up the rewards based on the level of severity of the findings. Participants had the opportunity to edit their submissions until contest close, and after the contest closed, there was a period of time before the findings repo became publicly available for discussion. \n\nThe timeline for publishing the contest results is dependent on the judging process, which can vary with each contest, but generally takes about 2 months. The certification process can be started within 48 hours of the contest and upon completion, a participant may be awarded if they are eligible. \n\nIt's worth noting that the number of wardens participating in a contest is disclosed only after the contest ends. For specifics about the scope of a contest or any other queries, participants can address the respective sponsor. For upcoming contests, you can check our website, like this link for the Livepeer contest https://code4rena.com/contests/2022-01-livepeer-contest. 
\n\nMany users have expressed a desire for more high prize contests like the $1M OpenSea contest. However, the lead time for sponsoring such a contest is not explicitly defined and it's suggested to not be long. The next public contest was scheduled to begin on February 16th. Please stay tuned for upcoming high prize contests and other opportunities to participate!", "Question: What is the Certified Warden program at CodeArena, and how does it affect participation in the contests?\n\nAnswer: The Certified Warden program at CodeArena is a system that provides certain privileges to highly active and successful participants, often called 'wardens'. A certified warden gets the ability to participate in private contests and has access to findings shortly after contests end. The Certified Warden role requires applicants to be active participants with a track record of valid findings. For instance, a warden who has encountered one high severity bug and has competed in at least three contests can be eligible for the certification.\n\nThere's also an advanced level within the program called 'Certified Plus'. Certified Plus wardens have entry requirements and get access to private repositories after a contest is finished. They can also see other submissions immediately after contests end.\n\nThe introduction of the Certified Warden program led to a new type of contest, the 'Versus Contest', which is invitational and involves only a few wardens competing against each other. These contests are typically private and open only to top wardens - participation is often decided by a warden's rank in previous contests or their recent performance.\n\nTo become a certified warden, participants need to sign up as a warden and compete in the audit contests. All wardens registered prior to the OpenSea contest announcement are eligible for certification. 
More detailed information about the Certified Warden program and how to apply can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.\n\nRegarding the first contest to include the certified warden perks, we are planning to phase in the certified+ post-contest \"triage swarm\" with progressively larger groups to figure out the process and create norms around it. The specifics and timelines haven't been detailed yet, so please keep an eye on our official announcements for updates.", "Question: If my submission to a CodeArena contest is rejected, how can I find out the reasons for the rejection and discuss or argue my case before the report is finalized and published?\n\nAnswer: Once a contest has ended and the judging process is initiated, you will not be able to view or check the status of your submission until the report is published and the findings repo is made public. This is because findings and reports are immediately reviewed and triaged by judges after a contest ends, and then await sponsor review, final judging, and Quality Assurance before being made public. \n\nHowever, there is a process in place for you to understand why your submission was rejected and how you can improve future submissions. Once the report is out and the findings repo is fully opened, you can review the reasons for the rejection of your submission. This will allow you to see the discussions that took place among sponsors and judges regarding your submission. \n\nIf you wish to discuss or argue your case, CodeArena provides \"backstage access\" that allows you to communicate with a judge to re-evaluate your submission and provide comments on it. Additionally, you can ask judges for feedback regarding your submission to better understand the reasoning behind their decision and what areas could be improved. 
\n\nPlease note that although the severity of issues can be updated post-submission by judges, the submitted findings cannot be modified until the report is published. If you believe a submitted finding was marked as invalid, you can expect to receive feedback from a judge. \n\nIn case you submitted a finding for the contest but did not make the award list, it is likely that your finding was rejected. You can confirm this by reviewing the published report. \n\nKeep in mind that the rules for submitting findings prohibit making them \"public\" until the contest is finalized. \n\nFor more information, please refer to our [insert link to contest rules or other relevant page].\n", "Question: What is the link about FEG token flashloan exploit analysis provided on Certik's website and does it elucidate on the nature of vulnerabilities in smart contracts?\n\nAnswer: The link https://www.certik.com/resources/blog/w6AxRmf6l2ow4zL884gr8-feg-token-flashloan-exploit-analysis directs you to a blog post on Certik's website that provides an analysis of the FEG token flashloan exploit. This is an invaluable resource for understanding how smart contracts can be vulnerable to attacks, specifically flashloan exploits. \n\nHowever, it is just one example of the kinds of vulnerabilities that can exist in smart contracts. For a more comprehensive understanding of how to identify vulnerabilities and bugs in smart contracts, you might find other resources useful. For instance, the GitHub links shared in our Discord chatroom provide a wealth of information on this topic. They include instructions on sharing vulnerability discovery PoCs (https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc) and resources implementing proofs of concepts for hacks (https://github.com/Crypto-Virus?tab=repositories). 
\n\nAdditionally, it's necessary to understand that categorizing the severity of a vulnerability requires clear explanation of the exploit path. Without this, a finding may not be eligible for a medium or high categorization and could be downgraded to QA. For further insights on this matter, you can read https://github.com/code-423n4/org/discussions/34. \n\nFor beginners looking to start smart contract bug bounty hunting or those wanting to learn about Web2 security in the context of Web3 security, https://cryptozombies.io/ for solidity training and https://capturetheether.com/ for Capture the Flag challenges can be helpful starting points. \n\nLastly, it is important to note that the link mentioned may not work for some due to certain unidentified errors. In such cases, it is recommended to seek other resources or ask for assistance in the chatroom.", "Question: What are some recommended tools to debug Hardhat tests, introspect contract execution at the EVM opcode level, and overall improve the auditing process of smart contracts?\n\nAnswer: There are numerous tools available to debug Hardhat tests and introspect contract execution at the EVM opcode level, as well as to aid in the auditing process of smart contracts. \n\nFirstly, the tool \"Foundry debug\" has been mentioned as an excellent resource to debug Hardhat tests and introspect contract execution at the EVM opcode level. It also has the convenient feature of being able to fork its state from a public testnet or even the mainnet, which can be particularly useful for testing smart contracts. You can also log gas remaining after a state variable update within Foundry. \n\nFor testing contracts downloaded from Github, tools like Mythril and Slither are available. Slither is a static analysis tool for smart contracts that's useful in finding vulnerabilities and bugs. 
Another tool worth mentioning is eth-brownie, which can be used for mocking contract deployments.\n\nIf you are interested in opcode, an opcode learning resource was provided at https://www.evm.codes/. Additionally, for those who have an interest in viewing on-chain contracts of etherscan in an IDE like remix, the following link was shared: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484.\n\nTo benchmark your code for gas savings, you can use the Hardhat gas report plugin. Also, EVM.storage and Metadock chrome extension from BlockSec are suggested tools that can read on-chain storage slot value including private states. For graphical interfaces, Surya (https://github.com/ConsenSys/surya) is a potential tool for observing smart contract interactions, though it may be slightly outdated.\n\nFor those wanting to learn the testing framework of Hardhat, the Codecademy Javascript testing module and the Alchemy University's Ethereum Bootcamp in week 4 are good resources. In addition, CodeArena runs contests for analyzing smart contracts which can be a good way to learn.\n\nAn automated tool that can verify if a contract has been initialized on the Ethereum mainnet, and a smart contract scanning tool that can detect price manipulation vulnerabilities are also discussed, though specific tools aren't named in the observations.\n\nPlease note that while these tools and resources are valuable, understanding solidity syntax and programming is key. There are tools and plugins to check solidity code for syntax mistakes and checks, similar to the functionality of the online Remix IDE, though these aren't specifically named in the observations. It's also worth noting that in a web3 console, the calling convention used can differ from what is actually called on the contract in the EVM. 
\n\nFinally, for more advanced users, Sherlock is another option for auditing smart contracts but it requires strong competence in the field.", "Q: How are the prizes for different severity levels determined and distributed in the bounty program at CodeArena (C4)?\n\nA: At CodeArena (C4), the prizes for different severity levels in the bounty program are determined based on the standard model. The full pool of prizes is paid out, which scales according to the severity of the finding. The decision on how to reward severity escalations in a contest report is made by the judges, who are chosen based on their experience and reputation. Their decisions on a bounty are only shared after the contest concludes. \n\nIf multiple contestants, including members of the same team, identify a bug, the reward is typically split. The formula used to calculate this split can be viewed at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. The award amount can vary, however, depending on the level of detail in the submission, such as the inclusion of a Proof of Concept (PoC), and how comprehensively the issue is covered. \n\nIn the event that the same vulnerability is reported by multiple auditors but with different severity levels, all are given the same severity for award calculation due to the deduplication process and the post-submission judging/determining of severity. Even if a bug initially classified as High severity is later judged to be only Medium, the reward for a Medium bug is still received. \n\nFor a more detailed understanding, you can refer to the list of rewards for each warden for each bug per contest at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv and the ranking of the severity of issues at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization. \n\nThe judging process is ongoing and includes a reward for the best reports. 
Bonus rewards may also be provided in certain contests. The judges are incentivized to perform their roles diligently as they receive a share of the prize pool. Any confusion about the distribution of rewards or the calculation of bounties can usually be resolved by referencing our extensive documentation at https://docs.code4rena.com/.", "Question: What are the requirements and conditions for being eligible for certification in CodeArena, and how does the severity of a bug impact this? \n\nAnswer: To be eligible for certification at CodeArena, you must meet two criteria: encounter at least one high-severity bug and compete in a minimum of three contests. The severity of a bug is determined based on its impact, and guidelines for estimating risk can be found at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. If you misclassify a bug's severity, the reward for the actual severity is still received, but remember that submitting a high-severity issue without working code to demonstrate its impact could lead to a downgrade in severity or ineligibility for awards. If a bug's severity is raised or lowered after a contest, this can be addressed with the judge. If a low severity finding is escalated to high severity, it doesn\u2019t automatically become invalid. The criteria for such cases are explained at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. In order to be eligible for payout, each individual team member needs to be certified. After encountering a high-severity bug, you can apply for certification by contacting the organization through the help desk form. The certification+ requires more than just reporting a high severity bug. The platform is considering even more stringent criteria for certification+, such as being in the Top 3 in three contests or making a high finding. 
Please note that the reporting of a high or medium severity vulnerability found a few days after the contest ends would most likely involve responsible disclosure to the development team and would not be awarded by C4 outside the contest timeframe.", "Question: What is the process and benefits of becoming a certified or certified+ warden at Code4rena, and does this include immediate access to findings repo?\n\nAnswer: The process of becoming a certified or certified+ warden involves a provenance verification process by Code4rena. You can find more information about becoming a certified warden at [https://docs.code4rena.com/roles/wardens/certified-wardens]. There are several benefits to becoming a certified or certified+ warden. Certified Wardens have backstage access, which allows them to observe the report submission and triage process, and this is open to those with an established level of contribution. \n\nHowever, the standout benefit is for certified+ wardens who get earlier access to the findings repositories immediately after a contest ends, which can accelerate their learning process. This allows them to assist with post-contest processes, including viewing other submissions, and means they can apply to see the submitted reports on Github during the triage process. The findings reports become public once the final contest report has been published. There are buttons labeled \"View Repo\" and \"Submit Findings\" for certified wardens to use and a private channel for certified+ wardens to assist with various process-related tasks. Certified+ status also comes with some entry requirements and access to private repos after a contest is finished. \n\nHowever, as of the time of the chat, it has not yet been rolled out to anyone. The process is ongoing to ensure beta-testing. 
Also, it's important to note that certified wardens must treat all findings as private and confidential until the contest report is made public, as per the professional conduct guidelines [https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines]. \n\nPlease note that there may be a requirement to participate in a certain number of contests and have a certain number of valid findings or reports to be a certified warden. Any questions related to the Certified Wardens process can be asked directly to Code4rena.", "Q: Can you provide an example of a widely-used token that doesn't revert on failure but simply returns false? How should I use such tokens in my smart contracts?\n\nA: A prime example of a token that does not revert on failure, but instead returns false, is ZRX. When dealing with such tokens in your smart contracts, you need to be careful about the methods you choose to interact with them. For instance, whether you use \"safeTransferFrom\" or not relies on the token you're using and the expected behavior of your code. \n\nYou can explore more such tokens and gain insights into their peculiarities from this repository: https://github.com/d-xo/weird-erc20#no-revert-on-failure. It's crucial to remember that not all tokens are fee-on-transfer and the gas efficiency of your code can vary depending on how you handle errors and reverts. \n\nIf you're working with a token that is already wrapped inside IERC20, you may discuss whether it's safe to use safeTransferFrom in your code. You can always check the token details on platforms like Etherscan for more clarity: https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95. \n\nRemember that while a function call that always reverts does not necessarily put assets at risk, it can be categorized as a Medium or High finding depending on the context it's in. 
Always take into account the possibility of re-entrancy attacks when transferring tokens, especially when dealing with external functions. However, unless there's a clear exploit path, such findings may not necessarily be of high severity.\n\nIn summary, while ZRX and similar tokens that do not revert on failure are widely used, they require careful handling in smart contracts to avoid unexpected behaviors and potential vulnerabilities.", "Question: What tools and methods can be used for gas estimation and optimization in smart contracts with Truffle and VScode?\n\nAnswer: There are numerous tools available for gas estimation, optimization, and auditing in Truffle combined with VScode. Among these, users primarily use the Hardhat gas report plugin for gas benchmarking. This can be activated by modifying the 'test' command in the 'package.json' file to affect the 'REPORT_GAS' function. The command \"REPORT_GAS=true hardhat test\" can be adjusted according to different operating systems. For Windows cmd, it is recommended to use a docker image. \n\nUsers also have the option to use Foundry, another smart contract testing framework, to log the remaining gas after updating the state variable. The gas cost in Foundry is measured in units of gas. For more advanced gas optimization, users may refer to [this automated c4udit tool](https://github.com/byterocket/c4udit) used by Code4rena. However, only optimizations that appear in the generated report are considered valid, the rest can be found at [Code4rena's common issues page](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md).\n\nOther notable tools include \"eth-brownie\" for mocking contract deployments and Mythril and Slither for testing contracts downloaded from Github. Further, \"foundry debug\" can be utilized to debug hardhat tests or introspect contract execution at the EVM opcode level. 
For on-chain contracts, users can use EVM.storage and the Metadock chrome extension from BlockSec to read on-chain storage slot values, even private state. \n\nPlease note, these suggestions do not cover all the possibilities and users are encouraged to explore other tools and methodologies based on their specific needs.", "Question: I'm participating in an Ethernaut CTF challenge and I need help understanding how the fallout level worked. Specifically, I want to know how identifying the default function argument (the \"from\" argument) works when calling the fal1out function from the hacker account to change the contract owner, even though the contract doesn't seem to have an argument. Could you also guide me on how to deploy a similar contract that takes a struct as an argument in the constructor?\n\nAnswer: There's a key difference between the calling convention you use in a web3 console and what is actually called on the contract in the Ethereum Virtual Machine (EVM). When you make a call in the format from: , it causes msg.sender (within the Solidity contract) to be . This is because in a web3 console, the calling convention can differ from what is actually called on the contract within the EVM. You can get a more detailed explanation from this video that walks through the eth_call at https://www.youtube.com/watch?v=bEUtGLnCCYM.\n\nAs per the contract deployment with a struct in the constructor, you can follow the guidance given in this Ethereum StackExchange thread: https://ethereum.stackexchange.com/questions/68519/creating-a-new-contract-specifying-a-sender-and-value-with-factory-pattern.\n\nWhile participating in CTFs or while hunting for smart contract bugs, resources like The Ethernaut challenges and Damn Vulnerable DeFi can help you understand the common vulnerabilities and learn advanced Solidity programming standards. These resources can be found at https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/ respectively. 
Moreover, if you are a beginner and want to start smart contract bug bounty hunting, you can also visit https://cryptozombies.io/ for solidity training and https://capturetheether.com/ for Capture the Flag challenges. \n\nRemember, it's always helpful to understand the behavior of EVM opcodes. For instance, the self-destruct opcode indicates that the current account is registered to be destroyed, and will execute at the end of the current transaction. More detailed information on EVM behavior is available at https://www.evm.codes/#ff. \n\nFinally, understanding more about Solidity fundamentals and getting more hands-on developer experience can definitely help you catch vulnerabilities during CTFs. Don't hesitate to ask questions, participate in discussions, and share your findings with others in the community. We all learn together!", "Question: \nIn the context of smart contracts, do special variables such as msg.sender and msg.value get automatically assigned, and how does this interact with calldata arguments, internal/private functions, and Ethereum-specific calls like \"eth_call\"? \n\nAnswer: \nYes, in Ethereum smart contracts, special variables like msg.sender and msg.value are automatically assigned. These variables hold the sender's address and the number of wei sent with the message respectively.\n\nNotably, msg.sender can change depending on the contract's context. For example, if a contract calls its own function like \"InterfaceA(address(this)).functionA();\", it's considered an external contract call, changing the msg.sender value inside that function. Moreover, if 'from: ' is used in a call, it makes 'msg.sender' inside the Solidity contract to be ''.\n\nIn terms of calldata arguments, they can be used for external/public functions. Interestingly, these arguments can also send calldata data pointers to internal and private functions. 
This ability adds a layer of flexibility in smart contract design.\n\nWhen interfacing with Ethereum's JSON-RPC, such as using Quicknode's \"eth_call\", a \"value\" parameter is available to specify the amount of Ether sent with the message call. Understanding the interaction of these special variables with Ethereum's RPC calls can be crucial in contract development and auditing.\n\nYou may also want to be aware of gas optimization techniques. For instance, it's recommended not to initialize default variables to 0 for gas efficiency. Similarly, the order in which you check storage and calldata can affect gas costs.\n\nMore on state variable visibility and how special variables work can be found here: https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility.\nAnd for understanding how delegatecall interacts with storage, see the Solidity docs and the Geth source code https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302.\n\nThis information is crucial when performing audits of smart contracts, as understanding these variables and their interactions can help identify potential vulnerabilities or inefficiencies.", "Question: What are the guidelines and requirements for reporting gas optimizations in contests at CodeArena?\n\nAnswer: At CodeArena, the process of reporting gas optimizations in contests has certain guidelines to enhance the quality of the report and ensure fairness. First, it's important to note that not all gas optimizations are valid when the optimizer is enabled. Therefore, users should be careful about what they report to avoid confusion.\n\nUsers are encouraged to report any gas optimizations separately. If you have multiple ideas about gas optimizations, these can be written separately and later compiled into one comprehensive report. However, remember only one report of gas optimization can be submitted per contest. 
Additional findings can be added to the report by navigating to the contest page and clicking the 'Your Findings' button.\n\nWhen it comes to the content of the report, participants can include the amount of gas saved for each optimization. Although it's not mandatory, including this information could potentially increase points. It's also helpful to provide a description and mention of gas saved, even though it's not explicitly clarified whether it's necessary to show Proof of Concept for the gas saved.\n\nGas optimization inside view/pure functions can be reported, and known issues should be excluded. Also, an issue might be non-critical and still be included in gas optimization. The current focus is on high/medium/low severity vulnerabilities and gas optimizations, and there's no direct incentive to report non-critical findings.\n\nHowever, there's been some confusion around the validity of gas optimizations. For example, some users stopped reporting them because certain judges were refusing them, while others accepted them. The necessity to specify how much gas is being saved for each optimization is based on the judge's decision. Therefore, participants can ask for clarification on this matter.\n\nFor contests like the one referred to in this link, https://code4rena.com/reports/2022-04-dualityfocus, there are no gas optimizations in the final report as there wasn't a gas pool for that particular contest. Note, there is no dedicated pot for gas optimizations.\n\nTo see examples of the top QA/Gas reports for each of these contests, visit https://code4rena.com/reports. 
Lastly, it's crucial to remember that gas optimization reports and gas reports are the same, and all findings related to gas optimization should be compiled under one report.", "Question: How can I edit my warden profile on CodeArena to add a profile picture and a Twitter handle, and what are the requirements and steps to follow in this process?\n\nAnswer: At the moment, the editing of a warden profile on CodeArena is not directly accessible to users, it can be requested via our help desk at https://code4rena.com/help. To do this, you need to submit a help desk request with your warden name and the URL to your Twitter profile, and another request to change your avatar. Note that only certified wardens have the ability to edit their profiles. This means to get features like \"Available for Hire\" status, you should have completed the certification process when warden profiles were introduced. There's also a provision for updating your Discord name on your warden profile's Account Management page, but your Discord nickname should remain as your registered C4 username. Furthermore, you can link your Code4rena profile to your GitHub account by completing a form upon registration as a warden. Finally, remember that warden registration needs to be completed fully before your handle will appear on the leaderboard. For more information about the process, you can refer to our guidelines at https://docs.code4rena.com/roles/wardens.", "Question: When can I expect the results of the Enso contest and where can I get updates on the progress?\n\nAnswer: The results of CodeArena contests like the Enso contest are typically announced approximately two months after the contest ends, depending on the time taken for judging. We understand that participants are eagerly awaiting the results. Updates on contest progress, including the Enso contest, can be found in the \"Past Contest Status Updates\" section, which provides a timeline of where contests are in the process. 
We aim to keep this section updated regularly, including mid-contest updates. \n\nAlso, once judging is complete for a contest, the results are posted in the contest channel. For more information on the process and timelines of judging and payout after a contest ends, please visit our documentation at https://docs.code4rena.com/structure/our-process. Please note that while findings cannot be viewed after a contest finishes and before the results are published, we are working on making updates on past project results and they should be up soon. Thank you for your patience and participation in the Enso contest.", "Question: How are teams formed and operated on Code4rena, and what are the implications of team participation on rewards and report submission?\n\nAnswer: Teams on Code4rena can be formed by registering at code4rena.com/register-team. Each team determines how to split their share of a contest's reward amongst themselves, as documented on the Incentive Model and Awards page (https://docs.code4rena.com/incentive-model-and-awards). The reward is diminished semi-geometrically based on the number of independent individuals who identify an issue; however, within a team, the reward is evenly distributed among members. When a team submits a finding, one payment is made, and the team has full discretion over how to distribute that payment among its members.\n\nReports are submitted collectively by the team. Participants can log into their individual accounts and switch between their personal account and team account before submitting. The reports from past contests can be found at https://code4rena.com/reports. 
If participants identify a potential security issue or vulnerability, they can reach out to the sponsor team during the contest but they must submit their findings via the contest submission form to be eligible for rewards.\n\nFor questions or potential issues, such as changes in team membership or if a contestant encounters problems with reward distribution, participants can submit a help request at https://code4rena.com/help. Code4rena encourages open communication and has a dedicated help desk to address any concerns or issues.", "Question: What are the latest updates and procedures concerning the LPT Livepeer reward and its potential impact?\n\nAnswer: The Livepeer contest is upcoming and has been raising a lot of curiosity among participants. The contest details can be found at https://code4rena.com/contests/2022-01-livepeer-contest. The contest opens in 2 days + ~8 hours, and participants can also check two related issues on Github: https://github.com/code-423n4/2022-01-livepeer-findings/issues/193 and https://github.com/code-423n4/2022-01-livepeer-findings/issues/195 for further information. The rewards from contest including LPT tokens, NFTX, and Insure are currently pending and they are expected to be updated and possibly released within the upcoming week. Please note that all rewards will be distributed to the user's registered wallet address. Participants should monitor the announcement channel for updates on distribution. There were also questions about whether duplicate issues receive a reward or just the first reporter, but we don't have a definitive answer at the moment. In case of any changes in the wallet address, it is advisable for users to include their new wallet address in their reports. 
We are also exploring the possibility of creating a notification system such as a Telegram bot for announcing new contests.", "Q: What can we expect in terms of future contests and their potential rewards structure, particularly in relation to high prize contests like the $1M OpenSea contest?\n\nA: CodeArena regularly hosts contests for auditing smart contracts, allowing participants to submit audits and potential gas optimizations. It must be noted that the OpenSea contest was unique, with a prize pot that scaled up based on the severity of the findings. While such high prize contests are not common, CodeArena is expected to host more contests in the near future, some of which may follow a similar structure. \n\nThere is an ongoing process for judging contest bounties, and the payout distribution varies based on the nature of the issues found. For example, if no high or medium issues are found in a contest, there are questions around what happens to the reward pot. \n\nThe company also organizes contests related to specific topics such as staking platform contracts, which users have shown particular interest in. This might be due to the opportunity these contests provide to see multiple designs and best security practices. \n\nIn some instances, contests have been structured with an initial audit prize pool and a mitigation review pool. For instance, in the Caviar contest, the highest-ranking wardens from the open contest were assigned to the Mitigation Review, which had a prize pool of $8,100 USDC. \n\nIt is also important to note that the prizes for each contest can vary. Examples of past contests include a $50k audit contest and a contest that had a $67,500 USDC main award pot and a $7,500 USDC gas optimization award pot. \n\nFuture contests, their structures, and rewards will be announced on our platforms. There has also been interest in creating a notification system, such as a Telegram bot, for announcing new contests, which we are actively considering. 
\n\nPlease stay tuned to CodeArena [LINK TO CODEARENA WEBSITE] for future updates and announcements.", "Q: What is the significance and procedure for submitting a Proof of Concept (PoC) when reporting an issue for a contest at CodeArena?\n\nA: Submitting a Proof of Concept (PoC) when reporting an issue for a contest at CodeArena is highly recommended. A PoC not only substantiates your claim but also helps illustrate how a particular vulnerability can be exploited, thereby strengthening your submission. Without a PoC, there's a higher likelihood of the issue being marked as invalid, unless the problem is extremely obvious.\n\nYou can present your PoC in either code or plain English. If you have written a PoC script for a vulnerability, you can include the link in your submission where relevant. Medium severity bugs are often disregarded if no PoC is provided, unless the bug is very obvious.\n\nIf the PoC for an issue is too large to be embedded directly in the issue, you can provide a link using external platforms like Gist or by creating a public GitHub repository. You may also provide a diff of an existing sponsor-supplied test/contract. For detailed instructions on how to include a PoC, you can refer to the guide at: https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.\n\nDo note that the inclusion of a PoC and the level of detail in the submission can influence the award amount. Furthermore, creating a coded PoC can increase your chances of your report being selected, which comes with a 30% bonus.\n\nPoCs for CodeArena do not necessarily need to be executable. They can be written in any language, as long as they demonstrate the vulnerability. 
An example of how to present a PoC for a bug and its impact can be found here: https://github.com/code-423n4/2022-12-caviar-findings/issues/376.\n\nIn summary, providing a clear and substantial PoC significantly enhances the value and credibility of your submission.", "Question: Has there been any changes in the starting date of the ChainSafe contest and can you provide clarifications for contest timelines at CodeArena?\n\nAnswer: Yes, the ChainSafe contest starting date has indeed been moved back by 6 days. It's important to note that contest timelines at CodeArena can vary. For instance, some contests such as the one involving over 12k sloc, have been extended to 4 weeks. Other contests like the Chainlink staking v 0.2 and the Overlay Protocol contest have experienced delays. The correct starting dates are always updated on the Code4Arena website, and any discrepancies between dates on other platforms and the website should be resolved in favor of the website's information. Please always confirm contest dates on the [official contest page](https://code4rena.com/contests). In case of any further queries or need for clarifications about contest timelines, feel free to ask in the chatroom.", "Question: Has the start date for the ChainSafe contest been postponed, and if so, why do these delays occur?\n\nAnswer: Yes, the ChainSafe contest starting date has indeed been moved back by 6 days. Delays in contest start dates and judging can be due to a number of reasons. In some cases, it might be related to the protocol itself, or due to slow review from the sponsors. For instance, the judging for Sublime March 2022 was delayed due to slow sponsor review. Additionally, an increase in contest submissions and limited judge availability can also lead to a backlog, prolonging the duration of the contest. It's important to note that sponsors play a pivotal role in contest delays and judgement. 
Lastly, there have been some instances of discrepancy between the contest start dates on different platforms which might necessitate a clarification. So, always refer to the CodeArena website for the most accurate information on contest schedules.", "Question: What are the various channels available on the CodeArena Discord and what are their specific functions?\n\nAnswer: CodeArena's Discord is organized into various channels, each serving a distinct purpose. The #\ud83c\udf00awesome-nonsense channel is for general discussions. Updates about the company and contests are posted in the #\ud83d\udce2announcements channel. For those who want CodeArena to audit their code, there is a dedicated channel labeled as #\ud83d\udcbci-want-c4-to-audit-our-code.\n\nFor each new contest, a unique channel is created for questions and code walkthroughs. Information about upcoming contests can be found in the #\u270brsvp channel. The awards list for contests is also shared in the #\ud83d\udce2announcements channel. In case of any queries or clarifications regarding the contests, it's best to reach out on the specific contest channel.\n\nThere is also a suggestion to have an announcements-like channel named #audit-reports, where a new message would be posted whenever a new audit report gets published on the CodeArena website [LINK to CodeArena Website]. \n\nFor general security discussions, the server offers a general channel. There are also private channels for certified+ wardens that assist with various process-related tasks. \n\nThe #\ud83c\udfebeducation channel serves as a source of information and the company also uploads educational and other contest-related videos on their YouTube channel [LINK to YouTube Channel]. \n\nTeam building is also encouraged via a dedicated team-building channel. The chat also features a '+backstage', a place for informal discussions and networking. 
\n\nLastly, it's important to note that to access the contest channels, users need the 'warden' role, which can be obtained by filling out a form on the website.", "Q: What does the process of becoming a Certified Warden at CodeArena entail, and what are the benefits associated with it? \n\nA: The process of becoming a Certified Warden at CodeArena involves completing a Know-Your-Customer (KYC) process, possibly requiring a passport or a certified copy of an ID. Some other conditions, such as participating in a certain number of contests and producing a certain number of valid reports, may also be necessary. \n\nAs for the benefits, Certified Wardens enjoy certain privileges like being eligible for a judge role and participating in private contests and private audits, although there may be additional conditions to meet. Some specific contests, such as Versus contests, are also exclusively open to Certified Wardens. The difference between a Certified Warden and a Certified Plus Warden is that the latter has some entry requirements and gets access to private repos after a contest is finished. \n\nPlease note that the exact specifics of the certification process and its benefits can be found in the official documentation, which can be accessed here: [https://docs.code4rena.com/roles/wardens/certified-wardens#certified+-contributors].", "Question: What are some important channels on the CodeArena Discord server and how can I use them to get the most out of CodeArena's services?\n\nAnswer: The CodeArena Discord server has several important channels that you can utilize to get the most out of our services. The #\ud83d\udcbci-want-c4-to-audit-our-code channel is designated for those who want CodeArena to audit their smart contracts. The #\ud83d\udce2announcements channel is where updates are posted. You can tag a channel by typing \"#channel\", and it's worth noting that the name of the 'awesome-nonsense' channel has been reverted back to 'random'. 
\n\nFor information regarding our contests, the #\u270brsvp channel is your go-to place. This is where new contests are announced, and where users can find out when a contest is going to be publicly available. It's important to note that there may be discrepancies in the bounty for contests between the #\u270brsvp channel and the official CodeArena website [https://code4rena.com], but such details are subject to change and usually updated promptly. Top tier projects also occasionally appear in this channel. \n\nThere's also a suggestion to have a new announcements-like channel named #audit-reports. This proposed channel would be used to post a new message whenever a new audit report gets published on the CodeArena website. Furthermore, new channels are created for each contest on the Discord server for specific questions and code walkthroughs relating to that contest. \n\nThere's a new feature called 'bot race', and it's suggested to pin key information to specific channels to help newcomers find the necessary information. You can change your username and team name in CodeArena, and if you want to discuss website-related matters, feel free to submit pull requests with any ideas to our GitHub. \n\nLastly, there is the #\ud83d\udd06hm channel, but it's important to note that this channel doesn't have to do with findings in a contest. We hope this information helps you navigate our Discord server more effectively!\n", "Question: How does CodeArena handle the use of different wallets by the same user or team in a contest, and what processes are in place for changing handles and wallets?\n\nAnswer: CodeArena has plans in progress to implement a system that allows the same user handle to use different wallets in a single contest. The first step towards this is the ongoing rollout of wallet authentication. However, at present, rewards are distributed to one address for one handle per contest. 
A user or a team participating in auditing contests needs to register using a single wallet.\n\nWhen it comes to changing user handles, while it is possible, it is currently not advised as it might cause issues with past and ongoing contests. The leaderboard standings and submissions under the previous handle are not transferable to the new account. Moreover, the process of verifying changes to user handles involves creating a signed message on mycrypto.com and adding the JSON to the PR using a wallet address that has been used in a contest. You can do this [here](https://app.mycrypto.com/sign-message).\n\nIf you're part of a team and you find the same issue but submit it with different wallets, each person gets less than half the reward. You can find more details about this in the incentive model and awards section [here](https://docs.code4rena.com/#incentive-model-and-awards).\n\nIf you're considering changing your wallet address, you can indeed use a new wallet address in your reports moving forward and the rewards for the report will then be distributed to the new address. Winning awards from contests are distributed to the user's registered wallet address. Users can check the announcement channel for updates on distribution.\n\nKeep in mind that using different wallets and changing handles could also affect your team's operations. Some teams have reported challenges with managing the same team name but with different team members working on different contests at the same time or at different times.\n\nIn the future, we anticipate changes that will make it easier to change handles and wallets, but for now, it's essential to choose them wisely.", "Question: How does the handle system work at CodeArena and what should I know about changing it?\n\nAnswer: At CodeArena, your handle is an important part of your identity. It's used for the leaderboard, handling award processing, and can be linked to your Twitter handle as well. 
To participate in contests, you need to add your handle to the code423n4.com repository via a pull request at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles. \n\nIf you wish to attach your Twitter handle or a profile picture to your CodeArena profile, you can make another pull request following the instructions at the same link, or submit a helpdesk request. \n\nHandles for teams can also be created by dropping a PR and using the team handle when submitting issues. If you're part of a team, you can make submissions on behalf of the team and choose between your solo handle or team handle for submitting a finding.\n\nWhile it is possible to change your handle due to certain design decisions, it is currently not advised. This is because leaderboard standings and submissions under your previous handle are not transferable to your new handle. Also, there can be a risk of findings being credited to the wrong person if you use someone else's handle. However, there are plans to make handle changes easier in the future.\n\nIf you have changed your Discord handle and it affects your warden role, you can update your new Discord handle in your profile on the site. If you have completed the KYC process but are still unable to access private contests, it might be due to your handle not having a certified status, in which case you can create a help desk request at https://code4rena.com/help.\n\nOverall, your handle is a key part of your interaction with CodeArena. While changes are currently tricky, we are working to improve this aspect of the platform.", "Question: How can I change my wallet address for receiving rewards on CodeArena, and will the rewards for my new reports be distributed to the updated address?\n\nAnswer: Yes, it is possible to update your wallet address for receiving rewards on CodeArena. If you want to use a new wallet address in your reports moving forward, the rewards for those reports will then be distributed to the new address. 
Here's how to do it:\n\n1. You can update your wallet address within your user profile on Code4rena.\n2. Alternatively, if you need assistance or have issues, you can submit a request through our Help Desk at [https://code4rena.com/help].\n3. If your wallet has been compromised, you can change your payment address and create a help desk request, given that you logged in via the same wallet.\n4. You can also check whether you've submitted an address for rewards using the help form at [https://code4rena.com/help].\n5. More information about changing your wallet address can be found at [https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards].\n\nBear in mind that if you change your wallet address, the rewards will be sent to the wallet address on file at the time the awards are calculated for an audit. Once a submission is confirmed and reward amounts are announced, you just need to wait for it to go to your updated wallet. If you have forgotten your wallet address for receiving the bounty, you can refer to the email you received when the bug report was submitted.\n\nIn the case of team payouts, if your team's payout address is a smart contract, you may need to inquire about how to proceed. Please note that while it is possible to change the wallet address to which tokens are received, it involves significant effort to manage as this information is not centrally stored.", "Question: What does \"QA/gas issue optimizations are finalized\" mean in the context of Code4rena's activities?\n\nAnswer: This phrase generally refers to the completion of a set of tasks related to Quality Assurance (QA) and gas optimizations in the auditing of smart contracts by Code4rena. QA addresses low issue or non-critical bugs, which may also include aspects that reduce gas usage. On the other hand, gas optimizations involve tweaks to the code that make the smart contract more efficient in terms of gas usage on the Ethereum network. 
\n\nAll QA and gas optimization issues should ideally be merged into a single report each. Examples of top QA/gas reports can be found at [Code4rena reports](https://code4rena.com/reports). It\u2019s noteworthy that the level of detail needed for these reports is not as extensive as for high-severity issues. \n\nGas optimizations are separately reported from QA reports and only those stated in the generated report are considered invalid. The rest can be found at [c4 common issues](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md). \n\nThe grading criteria and the formula used for awarding gas and QA are comprehensively described in the [incentive model and awards](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum) page. \n\nIt's also important to note that not all gas optimizations are valid when the optimizer is enabled and there can be confusion about what to report in such scenarios. \n\nUltimately, the process of finalizing QA/gas issue optimizations involves identifying, documenting, grading, and submitting these issues and optimizations for evaluation.", "Q: How can I submit my findings as part of a team and what should I consider if not all team members are certified?\nA: If you are part of a team, you have the option to submit findings either individually or as part of your team. This flexibility allows members to participate solo in a contest that their team is also auditing. When submitting a finding, you can select either your solo handle or team handle. In order to submit findings as a team, your team would need to be approved first. Once the team is approved, the participants can log in and submit findings as a team. Teams can submit their issues through a PR and add their team handles when reporting issues. 
\n\nHowever, all members need to be certified in order to be eligible to receive funds from OpenSea. This requirement is in line with anti-money laundering laws OpenSea is bound by and is non-negotiable. If a team member is not certified, they can apply to be certified after a high finding by contacting us through the help desk form. \n\nPlease keep in mind that if a team submits a non-duplicate finding, the team gets more rewards than if they had individually submitted the same finding. Also, all members will receive the bug stats when submitting as a team. \n\nIt's worth noting that there are some challenges related to managing the same team name with different team members working on different contests. If you find yourself in such a situation, or you need assistance with adding new members, feel free to submit a help desk request. \n\nRemember that if you are unsure about whether to submit findings that you aren't sure of due to lack of specification in documents, it is generally advised to submit these findings or direct message the sponsor team for additional context. If you are unsure whether findings should be submitted as separate issues or as one, please reach out to us for clarification.\n\nIf you think you've found something during a contest and want to ask questions, we encourage you to reach out to the sponsor team. You can also disclose a vulnerability directly to them, but remember to submit it via the contest submission form as well, or it won't be eligible for awards.", "Question: What is the process for discussing, submitting, and altering bug findings during and after a Code4rena contest?\n\nAnswer: During a Code4rena contest, participants can openly discuss potential issues with the sponsor, including severity and in-scope/out of scope questions. If they think they've found a vulnerability, they can disclose it directly to the sponsor, but it must also be submitted via the contest submission form to be eligible for awards. 
Any bug reports or changes to the severity of reported bugs should be submitted before the contest ends. While submitting an issue, it is beneficial to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid.\n\nAfter the contest ends, discussion of bugs and exploits is restricted until the contest results are out to give sponsors time to fix the issues. However, participants can view or edit their own submissions on the site and can change the severity of reported bugs either through the PR or by contacting one of the judges. \n\nAfter the leaderboard is shown and rewards are sent, the final report of the contest may not immediately appear on the C4 site. It's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project. Any high or medium severity vulnerabilities found after the contest ends must be responsibly disclosed to the development team, and will not be awarded by C4 outside of the contest timeframe. \n\nAll participants' submissions may be made available after the contest for learning purposes, and past contest reports revealing vulnerabilities can be found at https://code423n4.com/reports. Additionally, there are plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. \n\nIt's important to note that feedback for submitted issues typically comes within a couple of months, once the report is published. 
The details on the process of releasing all unverified submissions a few days after a contest ends for learning purposes are discussed in this forum post: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123.", "Question: What are the rules and guidelines regarding the discussion and disclosure of bugs and exploits during and after a CodeArena contest?\n\nAnswer: During a CodeArena contest, participants are allowed to discuss potential submissions with the project's dev team. These discussions can take place in the contest channel or through private messaging. Participants can openly discuss issues with the sponsors before the contest is finished, including severity and in-scope/out of scope questions. If participants believe they've found a vulnerability, they are encouraged to reach out to the sponsor team but they need to submit it via the contest submission form to be eligible for awards.\n\nAfter submissions for a contest are closed, all discussions, including private ones, about bugs and exploits are restricted until the contest results are out. This includes discussing findings publicly even if the final report has not yet been published. This restriction is in place to give sponsors time to fix the issues before they are made public. However, private conversations solely among wardens who have agreed to the certified contributor agreement are under that agreement\u2019s NDA, thus they are permissible.\n\nAfter the contest ends and bugs have been patched, participants' submissions may be made public and findings can be openly discussed. A specific timeframe for when the findings repo becomes publicly available for discussion is not mentioned, but it is after the contest is closed. 
The contest releases a report about the bugs found, which can be used for learning.\n\nIf a high or medium severity vulnerability is found a few days after the contest ends, it should be responsibly disclosed to the development team, but it may not be awarded by C4 outside the contest timeframe. The bugs found during the competition are kept confidential until the contest is over and judging process is completed. For more information about the incentive system and rewards, visit [https://docs.code4rena.com](https://docs.code4rena.com).", "Question: What type of access do Certified Contributors, Certified+ Wardens, and other users have to submitted issues and judging process after contest closure on CodeArena?\n\nAnswer: Certified Contributors and Wardens at CodeArena are gradually being allowed to view and comment on submitted issues immediately after contests close, as part of a phased roll-out process. This level of access is currently being tested with a select group of top contributors.\n\nCertified+ Wardens and those with backstage access have the privilege to view other submissions immediately after a contest ends, which can enhance their learning experience. They can also see the judging results before they are published and raise any issues they identify to the judge for reconsideration. Additionally, they have early access to the findings repositories and can assist with post-contest processes.\n\nDuring the post-judging QA period, backstage wardens can comment on judges' decisions. More details about backstage wardens can be found at [this link](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens).\n\nUsers can alter the severity of reported bugs after the contest closing time either through the PR or by contacting one of the judges. 
It's also worth mentioning that findings reports are made public once the final contest report is published, allowing all users to learn from them.\n\nThere is a consideration to release all unverified submissions a few days after a contest ends, before judging for educational purposes. This is still under discussion, as seen in this [forum post](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123).\n\nFinally, participants can review why their submission was not accepted once the report is out and the repository is fully opened. This allows them to see the discussion among sponsors and judges on the specific issue. Users can also edit their submissions after submitting an issue.\n\nPlease note, these practices are subject to change as we are constantly working on improving our processes. You can find more detailed information at [this link](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints).", "Question: Can you provide more information about the new qualifications section in the warden registration page and the process to become a certified warden?\n\nAnswer: The new qualifications section on the warden registration page was added due to a surge in new warden registrations after the OpenSea contest announcement. This influx led to some changes in procedures, but it's expected to return to the previous state after the contest ends. \n\nTo become a warden, you need to complete the registration process. Once completed, your handle will appear on the leaderboard. Detailed guidelines on how to register for Warden can be found here: https://docs.code4rena.com/roles/wardens. \n\nAfter registration, if you're interested in becoming a certified warden, you would need to complete a Know Your Customer (KYC) process. Certified wardens receive access to findings shortly after contests end and have the ability to edit their Warden profiles. 
To be marked as \"Available for Hire\", you must be a Certified warden. \n\nIt's important to note that there's a process and eligibility requirements to become a certified warden. Detailed information about this can be found here: https://docs.code4rena.com/roles/wardens/certified-wardens. This process is currently in queue after the provenance verification process is completed, and applicants will hear from us soon. \n\nHowever, you don't necessarily have to be a certified warden to participate in a contest. As long as you're registered as a warden and logged into your account, you can join the competition.", "Question: After my KYC approval, what are the next steps or actions I should take?\n\nAnswer: After your Know Your Customer (KYC) approval, a confirmation will be communicated to you and processed by the organization. This process can take a few days. If you have applied to become a Certified contributor or for a Certified+ role, you will receive an invitation link via email from Provenance, and CodeArena will confirm your certified role within a few days. You may experience some delays, but if your KYC application is still pending after a significant amount of time, you can submit a help desk request to track the status of your KYC confirmation.\n\nIf you wish to participate in an audit, depending on the requirement, you may need to clear your KYC certification. This information will be specified in the applicable channels. If you're applying to become a certified contributor, Provenance will usually send the KYC email within one business day after your application is submitted.\n\nYou can start the KYC application process at https://docs.code4rena.com/roles/certified-contributors. If everyone on your team is KYC'ed, your team can get paid after participating in the Base audit. If your KYC application is rejected, it's advised that you work directly again with the originator of the application. 
\n\nPlease remember to check your spam section for the KYC email from \"compliance@provenance.company\", and if you don't receive any reply to your KYC application within five business days, raise a help request through the form on the company's website. Supply your necessary documents promptly to facilitate a quick KYC process. Other forms of ID might be acceptable if a passport is unavailable for identification verification.", "Question: I have been a warden prior to the introduction of the KYC requirement. Do I need to do anything else to maintain my status?\n\nAnswer: Yes, even if you have been a warden before, you still need to go through the new Know Your Customer (KYC) process to become a certified warden. The KYC process is a recent requirement introduced for all wardens. To apply to become a Certified Warden, please complete an application at https://code4rena.com/certified-contributor-application/ and follow the guidelines at https://docs.code4rena.com/roles/wardens/certified-wardens. \n\nAfter submitting your application, you might expect to receive a KYC email within 2-3 weeks from compliance@provenance.company. Please check your spam folder in case the email is sent there. The KYC process is delegated to Provenance. \n\nPlease note that being a warden does not automatically mean that the KYC process has been passed. There might be additional eligibility requirements, such as participating in a certain number of contests and having a certain number of valid findings or reports. \n\nCertified Wardens can receive benefits including backstage access and payments from KYC-required sponsors like Chainlink. 
Further details of the process and eligibility requirements can be found at https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor.", "Question: How can I become a Certified Warden on CodeArena, and what are the benefits?\n\nAnswer: Becoming a Certified Warden on CodeArena involves an application process, which includes a Know Your Customer (KYC) process. More details can be found on the guidelines provided in the following links: \n- https://code4rena.com/certified-contributor-application/ \n- https://docs.code4rena.com/roles/wardens\n- https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints\n- https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor\n\nBeing registered as a Warden is necessary to access certain channels, join a competition, and even be marked as \"Available for Hire\" on your profile. The profile editing to reflect this status is done via the profile editing screen. Once registered as a Warden, your handle will appear on the leaderboard. \n\nIt's important to note that there may be a requirement to participate in a certain number of contests and have a certain number of valid findings or reports to be a certified warden. You can also request to be a backstage warden or inquire about getting an OG Warden status on your profile. \n\nAs a Certified Warden, you may be eligible for a judge role and are also qualified to receive payouts. You might also get some additional privileges, although the specifics of these privileges have not been detailed yet. Regardless of your location, you may be able to become a Certified Warden, as there was an inquiry about a foreigner becoming a certified warden. 
\n\nPlease note, in case of any update or amendment in the registration process, please refer to the links provided above for the most accurate and up-to-date information.", "Question: Why haven't there been any contests for the past three days?\n\nAnswer: There can be gaps in the schedule for live contests at CodeArena. The company sometimes experiences a break in contests, which can happen for a variety of reasons. Some possible reasons could be a pause around big conferences, or there might be a delay in updating the specific channels with upcoming contests. It's also worth noting that the Submission Policy states that submissions cannot be made more than 3 hours prior to the contest stop time, so there might be ongoing contests that are just about to end. Additionally, the company has week-long contests each week, and it also runs contests that can last up to 13 days, such as the Nouns DAO contest. So, even if there is a break for a few days, rest assured that there are more contests scheduled, like the two contests queued up for next week and the next public contest starting on February 16th. Please keep an eye on our channels to stay updated with the latest news about our contests.", "Question: What role do sponsors play in CodeArena contests and how can participants interact with them during the contest?\n\nAnswer: Sponsors play a crucial role in CodeArena contests. They decide the scope for their contests and list the specifics in the contest info. They also play a role in contest delays and the judgement of submissions. Participants are encouraged to reach out to the sponsors' team during the contest if they have found potential issues or have questions. Specific queries about the contest scope can be addressed directly to the respective sponsor. Participants can also disclose a vulnerability directly to them, but they need to submit it via the contest submission form to be eligible for awards. 
Direct messaging with sponsor teams is permitted during a contest, and sponsors have designated contacts for this purpose. \n\nIn case of any conflict with the sponsor about the scope of a particular issue, participants are still encouraged to report the issue. Sponsors are given access to the findings repo either after the contest ends or one week after with triaged and deduped issues. Once the contest payouts have been sent, the outcome cannot be changed, but any overlooked issues can be flagged to the judge and the sponsor. \n\nHowever, trust in the sponsors is crucial. There have been discussions about potential conflict of interest scenarios, such as sponsors hiding bugs. To address this concern, sponsors may not have access to the findings repo before the contest ends. \n\nPlease note, discussing findings immediately after a contest ends is not allowed to give sponsors time to fix the issues. Also, reports or findings get reviewed and triaged immediately after the contest ends, but they await sponsor review and final judging before being made public. Future audit events or contests are dependent on sponsors confirming details and dates.", "Question: What changes in the warden registration page can be expected after the OpenSea contest ends and how can I become a certified warden to participate in private contests at CodeArena?\n\nAnswer: After the OpenSea contest ends, the qualifications section in the warden registration page is expected to revert back to its usual form, while still retaining some form of application process. This adjustment is due to an influx of new warden registrations following the OpenSea contest announcement. If you're interested in becoming a certified warden, which allows participation in private contests among other benefits, you need to complete the Know Your Customer (KYC) process. 
Information about this process can be found on Code4rena's documents: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. Certified+ wardens also get access to other submissions immediately after contests conclude which aids in the learning process. Other roles such as backstage wardens have additional permissions, more details about these can also be found on the previously mentioned site. However, remember that the process should ideally be started within 48 hours of a contest's close. Finally, potential wardens can check their acceptance status on CodeArena's platform.", "Question: Can anyone provide resources or cases where an external call is made to a token with incorrect decimal specifications, and how this might lead to potential vulnerabilities or exploits in smart contracts?\n\nAnswer: While specific instances of this issue do not seem to be readily available, the topic touches upon important aspects of smart contract vulnerability, such as the proper functioning of external calls, the correct specification of token decimals, and the handling of tokens in contract interactions. \n\nThe decimals() function, as per the ERC-20 standard, is technically valid but is optional. Other contracts must not assume these values to be present (https://eips.ethereum.org/EIPS/eip-20). This point becomes crucial when an external call is made to a token with too many or too few decimals, as it could potentially lead to contract errors or exploits. \n\nIn a related issue, users have sought understanding on tokens received by a contract potentially being less than the amount reported (https://github.com/code-423n4/2022-04-axelar-findings/issues/5). Similar misalignments could occur if the decimals are not properly accounted for. \n\nThere also has been discussion around the safeTransferFrom function which suggests that the conclusion should be based on the token used and the expectation of the code. 
This highlights the importance of understanding the specific characteristics of the token involved (https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95).\n\nFurthermore, repositories explaining tokens that do not revert on failure, such as this one (https://github.com/d-xo/weird-erc20#no-revert-on-failure), could offer useful insights into potential issues and vulnerabilities when dealing with tokens and external calls. As always, the security of smart contracts often comes down to the nitty-gritty details of contract implementation and interaction.", "Question: How does physical exercise relate to the improvement of auditing skills, and what other steps can be taken to enhance one's auditing proficiency in CodeArena?\n\nAnswer: Physical exercise can indeed foster overall well-being, and this can translate into improved concentration and cognitive functioning, which can be beneficial to meticulous tasks like auditing. However, specific strategies and skills related to auditing are equally crucial. Here are some steps to enhance your auditing proficiency in CodeArena:\n\n1. Continuous Learning: Enhance your auditing skills by reading past audit reports and understanding the codebases being audited. This will provide a good understanding of what to look for during audits.\n2. Mathematics Proficiency: Depending on the complexity of the smart contract being audited, your skills in mathematics could play a significant role. Basic calculus is usually sufficient, but certain projects, especially those involving financial mathematics, may necessitate a more advanced understanding.\n3. Participate in Audits: Engage in the audit process even before your code is complete. This will give you firsthand experience and insights into how the audit process works.\n4. Join Teams: Collaborating with others can be beneficial. Sharing ideas and learning together can expedite your learning process.\n5. 
Certification: To participate in private audits, certification is necessary. Certified wardens may even have the opportunity to join private auditing contests. However, additional conditions might also apply.\n6. Contests: Participate in audit contests. This can provide you with a comprehensive understanding of audit reports and an opportunity to improve your skills.\n7. AI and Automation: With AI becoming an increasingly important aspect of auditing, learning about automated processes for identifying potential issues in the code can be beneficial.\n8. Gas Optimization: This could be a potential starting point for a first-time audit.\n\nRemember, persistence and continuous learning are key to improving your auditing skills. You can always ask questions about past projects' findings and even participate in private competitive audits to further enhance your skills.", "Q: How can I share my proof of concept (POC) for potential vulnerabilities and where can I find examples of accepted POCs?\n\nA: If you've written a Proof of Concept (POC) script for a vulnerability, you can include it in your submission in several ways. You can create a public Github repository, provide a diff of an existing sponsor-supplied test/contract, or even paste the code directly into your submission with a detailed comment about the bug and its impact. If the POC is too large to be embedded directly in the issue, you might consider submitting a gist link. Here are some examples of how to present a POC for a bug and its impact: [Example A](https://github.com/code-423n4/2022-12-caviar-findings/issues/376), [Example B](https://github.com/code-423n4/2022-12-caviar-findings/issues/343), [Example C](https://github.com/code-423n4/2023-06-lybra-findings/issues/364#issuecomment-1689165295). \n\nAdditionally, the [C4 website](https://github.com/code-423n4) hosts a variety of repositories ending in -findings that you can explore for more examples. 
If you're interested in other resources related to smart contract security, you can check out the [Crypto-Virus repositories](https://github.com/Crypto-Virus?tab=repositories) or the repos [solcurity](https://github.com/transmissions11/solcurity) and [C4-report-categolized](https://github.com/Tomosuke0930/C4-report-categolized).\n\nFor more guidance on how to share your POCs, refer to these instructions: [Sharing vulnerability discovery POC](https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc) and [How to include a Proof of Concept](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nWhen submitting your POC, please remember to ensure the security of your personal data; for instance, avoid leaking private keys on public repositories.", "Question: Is there an automated tool that can verify if a contract has been initialized on the Ethereum mainnet, including checking for internal transactions?\n\nAnswer: Currently, there is no direct tool available that can automatically verify if a contract has been initialized on the Ethereum mainnet, including checking for internal transactions. However, you can manually check for opcode usage on-chain, and certain tools like Mythril, Slither, and the smart contract scanning tool MetaTrust (https://app.metatrust.io/project) can help in auditing and finding vulnerabilities in smart contracts.\n\nIf you are dealing with ERC721 or ERC1155 contracts, you may know if tokens were sent there as it includes a recipient contract call onReceive. Also, for auditing purposes, testing contracts downloaded from Github and even those deployed at a specific address visible on etherscan.io can be useful.\n\nIt's worth mentioning that understanding smart contracts and their interactions can be complex. 
Tools like Surya (https://github.com/ConsenSys/surya) might be used for graphical visualization, but it's deprecated and might not be the best option. \n\nFor gas optimization and code quality assurance, you can explore tools like https://github.com/byterocket/c4udit. However, it is currently unclear whether this is being used by Code4rena.\n\nKeep in mind that while auditing, it is also important to be vigilant about vulnerabilities such as front-running. An example can be found in this case study: https://github.com/trailofbits/publications/blob/master/reviews/hermez.pdf.\n\nRemember, auditing smart contracts is a meticulous task that requires a careful and thorough approach. As a beginner, try to seek help and explore various resources before diving into the process.", "Question: After completing the certification for OpenSea and achieving a high finding in AbraNFT, how can I request for Certified+ status within CodeArena?\n\nAnswer: While there isn't an official process for requesting Certified+ status as of now, you can apply for it by submitting a help desk request. Generally, after completing your certification process with ProvenanceDAO and participating in at least 3 contests, you can apply for Certified+. \n\nTo do so, you must have already completed KYC (Know Your Customer) verification as part of the OpenSea contest. For the contest, you need to complete the form at https://code4rena.com/certified-contributor-application and go through the ID verification process run on behalf of CodeArena by Provenance.\n\nOnce your certification process is approved by Provenance, it generally takes a few days for the Certified+ role to reflect on your profile. The status of the certification process will be updated via email. If you believe you qualify for Certified+ but are not seeing the status change, it's recommended that you create a help desk request for assistance. 
\n\nAs a Certified+ contributor, you'll have access to private repositories after a contest is finished where you can see what others have submitted and learn more quickly. You can also participate in any contest, including those that are certified. \n\nPlease note that the criteria for Certified+ may become more stringent in the future, such as requiring a placement in the Top 3 in 3 contests or making a high finding. You can find more details about getting certified by reading the document at https://docs.code4rena.com/roles/certified-contributors.", "Question: What are the available options and best practices for asking questions, reporting findings, discussing issues, or seeking clarification on CodeArena?\n\nAnswer: There are several options available for you to ask questions, report findings, seek clarifications, or discuss issues on CodeArena. Here are some of the best practices:\n\n1. If you have queries about your findings, submission rules, audit-related issues, or Certified Wardens process, you can ask them directly on Code4rena. If you encounter issues in multiple places in the codebase, you may report them via this link: https://discord.com/channels/810916927919620096/810936719003090974/1134472653437145149\n\n2. You can enquire about the significance of icons or the difference between advice and a valid issue by reaching out to the contest channel in Discord. \n\n3. If your question pertains to more fragile aspects of the system, you can privately ask questions and receive guidance. Direct messaging and personal contact are encouraged for specific questions. \n\n4. If your query is about how your findings were judged, collaborating, your submission replies, or the C4 token, it's best to ask them on the forum post itself, as chat is ephemeral. \n\n5. You can seek clarification from the streams' protocol team, or discuss high severity issues with a sponsor before submitting them. 
However, at the time of this response, there is no official process for requesting Certified+. \n\n6. If you have questions relating to the platform or need support, you can ask for it from the C4 website. \n\n7. Finally, if you're unsure about the severity after reporting an issue or want to find out why certain findings were not accepted, you could check the findings report repositories. \n\nPlease note that an office hour for GoGopool was planned, where users could ask questions if they participated. Also, it's important to remember that questions should ideally be asked on the forum post itself because chat is ephemeral. Lastly, if you wish to change usernames on Code4arena or maintain anonymity, it's best to contact CodeArena directly.", "Question: What advantages come with being a Certified Plus Warden at CodeArena and how can one become one?\n\nAnswer: A Certified Plus Warden at CodeArena enjoys several benefits such as gaining earlier access to the findings repositories immediately after contests end, which fast-tracks their learning process. Plus, they are eligible to attend private audits, participate in private contests to some extent, and can potentially apply for judge roles. This exclusive status also grants them access to a private channel for Certified Plus Wardens and allows them to assist with post-contest processes. Certified Plus Wardens can also gain backstage access and are even eligible for payments from KYC-required sponsors like Chainlink. \n\nTo become a Certified Plus Warden, there are entry requirements to meet which include participation in a certain number of contests, a number of valid findings or reports, and encountering at least one high-severity bug. In addition, a warden needs to have at least three top finishes in either the QA or gas report from past contests. The certification process involves an application and completion of the KYC process. 
\n\nHowever, there is a queue to certify a warden and it might take some time to become certified even after approval. The eligibility requirements and the process to become a certified warden can be found at the following links: \n\n1. https://docs.code4rena.com/roles/certified-contributors\n2. https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor\n3. https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints \n\nPlease note that these requirements may vary and hence it is always beneficial to check the official documents for the up-to-date process and requirements.", "Q: I noticed in the #\u270brsvp channel that the Canto audit was supposed to start today. Has it been delayed? \nA: Yes, the Canto audit was expected to start on the day of your chat but it has been pushed back a few days to the following Friday. The #\u270brsvp channel is where you can view upcoming public audits and express your interest in participating by raising your hand. Details about upcoming audit contests, including the specific dates and timings, are also shared in this channel. However, the scheduling of future audit events and contests is dependent on our sponsors confirming the details and dates. There might be delays in the start dates and even in the judging process due to slow sponsor review. I recommend keeping an eye on the #\u270brsvp and #announcements channels for any updates or changes. Also, please note that projects in audit contests are not deployed yet. If you're interested in joining a contest, you might need to RSVP first, and you can confirm this in the RSVP channels. 
In the case of any discrepancies in the start dates between the RSVP and the Code4Arena website, please reach out for clarification.", "Question: \nCan you provide more comprehensive information about the $ARENA token and how I can acquire it?\n\nAnswer: \nThe $ARENA token is CodeArena's minimum-viable-governance token, which gives its holders sovereignty over the DAO treasury. This token is integral to CodeArena's operations, but it currently does not have substantial trading volume that would qualify it for listing on platforms like CoinGecko. Additionally, it's important to note that there is no staking mechanism for the ARENA token. The tokens can be acquired using the contract address 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222. \n\nHowever, please be cautious of phishing scams associated with untrustworthy URLs for purchasing the ARENA tokens. It's also worth mentioning that a proposal for listing the ARENA project on a major exchange is being considered, but no definitive information is available at this moment. For detailed information about the $ARENA token and the DAO constitution, you can refer to this link: https://github.com/code-423n4/org/blob/main/CONSTITUTION.md\n\nAs a potential token holder, you might be interested in discussions about maximizing profits in arbitrage opportunities. However, this would require you to derive an optimal strategy from the Automated Market Maker's (AMM) price formula, considering price impacts and transaction costs. \n\nPlease note that CodeArena focuses heavily on blockchain security and does not speculate on token prices. We recommend learning more about us via our documentation: https://docs.code4rena.com/ and our previous work with various protocols can be found at https://code4rena.com/contests.", "Q: How can I join or create a team on CodeArena, and what are the benefits and processes involved? 
\n\nA: At CodeArena, we encourage collaboration and offer the opportunity to join or create a team to work together, share ideas, and learn faster. To get started, you can join our team-building channel on the platform where people look for teammates. \n\nCreating a team can be done at code4rena.com/register-team. You can also register as a team and submit findings collectively. If you're looking to create a bot team, this involves registering the bot during the qualifier. Once your team is approved, you and your team members can log in and submit findings as a team. \n\nPlease note that if you're facing any issues while adding new members to your team, feel free to submit a request through our help desk. Also, if you wish to change your team's name, submit your findings solo, or modify your team in any way, these can all be done via our platform. \n\nTo register as a team, you can check the information in our docs: https://docs.code4rena.com/roles/wardens#registering-a-team. This document also contains information on how to access the team-formation channel, however, you'll need to register as a warden first. \n\nRest assured, once you join a team, you are not obligated to always participate as a team. You can choose to submit findings as an individual whenever you want. The submission form allows you to select whether you're submitting as an individual or as a team member. \n\nLastly, when submitting findings, team members can make these submissions on behalf of their teams, selecting either their solo handle or team handle. If you achieve a high finding, you can apply to be certified by contacting us through the help desk form. \n\nFor any further questions, you can direct message our designated contacts during a contest. \n\nPlease be aware that while creating a team on our platform is possible, some users have reported technical issues, such as a blank page opening when selecting members. 
We're working continuously to resolve these issues.", "Q: Can I review the issues related to the AbraNFT audit before the report is published?\n\nA: Yes, you can review issues before they are reported. For instance, if you achieved a high finding in AbraNFT, this could be a step towards requesting for a Certified+ status. It's important to note, however, that the process of reviewing and reporting issues can vary based on the judgement of the reviewer. \n\nFor example, participants could inquire about their high finding related to buying NFTs with zero amount being categorized as medium. In such cases, they are usually advised to wait until the report is published to check on their submissions. Reports related to smart contracts are graded, and wallets can also be under review on the platform, which may affect the ability to submit findings.\n\nParticipants can also open issue tickets regarding problems with their rewards. These tickets are reviewed by the CodeArena team and early feedback on submissions for improving audits might be available. For example, a link to the judge's post can be found at [here](https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440). \n\nAdditionally, issues can be browsed on [Code4rena](https://code4rena.com/reports) where each issue provides a link to the relevant Github issue. However, you may not be able to view the issues you submitted for a contest until the report goes live and the findings repository is made public. \n\nIf you are a beginner in smart contract auditing, don't worry. There is a community to help you understand smart contract related concepts and reports. Also, the procedures for disclosing issues related to smart contracts can be found at [here](https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md). 
Remember, it's also possible to edit a submitted QA report until the audit deadline.", "Question: I submitted my finding on CodeArena but haven't received a confirmation email. Is this standard and are there alternative ways to confirm my submission?\n\nAnswer: When a finding is submitted on CodeArena, you should typically receive a confirmation email from submissions@code423n4.com within a few minutes, as this is the primary method of confirming your submission. The email should arrive in your inbox, but please also check your spam folder as there have been instances where it ended up there. \n\nDelays in receiving the email can occur, and in some instances, users have reported not receiving the email at all due to various issues. If you don't receive your email or you see a 'No findings submitted for this contest' message despite making a submission, there could be submission or loading issues.\n\nYou can also verify the success of your report submission by checking the ability to edit your submitted findings and viewing them on the C4 Contest page under the \"Findings\" tab. If you still don't receive a confirmation or cannot view/edit your findings, you can open a help desk request at [https://code4rena.com/help/](https://code4rena.com/help/). \n\nNote that receiving two identical confirmation emails doesn't require any specific action on your part. Additionally, you don't need to be entirely sure about your finding before submitting it. \n\nWe appreciate your patience and understanding as we work to provide a seamless experience for our users, and we welcome all findings to make the auditing process more thorough and efficient.", "Question: How can I participate in the CodeArena community calls, and am I able to record the discussions if I cannot join live?\n\nAnswer: Yes, you can participate in the CodeArena community calls. These calls are organized for discussion and updates, and you can submit your questions ahead of time for these calls. 
If you are unable to join the calls live, it is indeed possible to record them. A detailed guide on how to record a community call on a Discord voice channel can be found at https://www.howtogeek.com/677198/how-to-record-discord-audio/. \n\nIn addition, our office hour sessions and community calls are also recorded and uploaded to our YouTube channel for you to watch at your convenience. The date for the next community call is usually announced following a regrouping after a period of busyness due to events like ethcc. We even have a new chat created specifically to post questions leading up to a monthly call. \n\nFor further updates and participation, you can join our Discord server at https://discord.gg/5WHvfHeSwr. You can also contact the C4 staff members directly via direct message if you have any questions or require clarification.", "Question: How can I submit a report for audit if it exceeds the character limit allowed on the CodeArena submission form?\n\nAnswer: CodeArena has a procedure for submitting reports that exceed the usual character limit. If your report, such as a gas report, exceeds ~65k characters (due to Github's max character limit for issue descriptions), you can submit a placeholder on the contest page and then email the full report directly to us at submissions@code423n4.com. For example, if you're submitting a gas optimization report and hit a character limit, follow this two-step process: submit a placeholder first, then email the full report. \n\nThis method is also particularly useful if you encounter any error messages when attempting to submit your report through the form, or if you encounter issues related to API rate limits. \n\nThis procedure is also helpful if you wish to submit additional findings after an initial submission, or if you want to update the report you've previously submitted. \n\nAfter you've emailed your report, you will receive an email confirmation upon successful submission. 
If your submission fails, the form should return an error. Please note that some users have reported that it might take some time to receive the confirmation email. \n\nAdditionally, if you have any reservations about the number of submissions you can make in a contest, please note that you can submit more than once if you're missing any items or have additional findings to share. \n\nDetails on the process can be found in our official documentation here: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.", "Question: I previously filed a bug report with CodeArena but I've forgotten the wallet address to receive my bounty. How can I retrieve or update this information?\n\nAnswer: If you've forgotten your wallet address for receiving the bounty, there are a few ways to retrieve or update it. You can refer to the email you received when you submitted the bug report, as it will contain the wallet address used. \n\nIf you need to change your wallet address after the bug report has been submitted but before the reward payout, you can submit a request through CodeArena's Help Desk at https://code4rena.com/help. On the other hand, if your C4 wallet was compromised, you will need to also submit a request through the Help Desk for assistance. \n\nPlease note that you can use a new wallet address in your reports moving forward, and rewards for the report will then be distributed to the new address. \n\nIf you are uncertain whether you submitted an address for rewards, you can check using the help form on the Help Desk page. \n\nMoreover, the payout for vulnerability issues can be verified by checking the wallet address with which you registered, using polygonscan.com or wallet trackers like debank.com. 
\n\nIf you've accidentally submitted all your findings to the wrong contest, you can submit them again to the correct contest and fill out a form to inform the C4 staff about the incorrect submissions. The form can be found at https://code4rena.com/help. \n\nRemember, the wallet address used to register as a warden can also be found in the data folder of a recent contest\u2019s findings repo on GitHub. \n\nFor more information about changing the wallet address where you receive awards, you can refer to the documentation at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards.", "Question: How does CodeArena's report submission and confirmation process work, and what should I expect after submitting a report?\n\nAnswer: When you submit a report with CodeArena, you should expect to receive an email confirmation upon successful submission. This email serves as your primary verification that the submission was successful. You can also check the status of your submission by looking for the ability to edit your submitted findings. \n\nIf you submitted a finding for a contest but did not make the award list, it is likely that your issues were rejected. However, you can confirm this by reviewing the available report. \n\nIf you experience any issues or delays in receiving your submission confirmation email, don't panic. It has been reported that it may take some time for a submission to be confirmed via email. If your submission fails, the form should return an error. \n\nAlternatively, if you did not receive an email after submitting a finding, you can open a help desk request at https://code4rena.com/help/. \n\nYou can also check all the reports you submitted during the competition on the C4 Contest page under the \"Findings\" tab. \n\nRemember, it is recommended that you receive an email confirmation for each submission, which should arrive within a few minutes. However, delays may occur. 
\n\nIf you have issues with the online submission, QA and gas reports can be sent via email to report@code4rena.com, and you can expect our team to reach out and confirm receipt. \n\nIf you forget the wallet address to receive the bounty, you can refer to the email received when the bug report was submitted. \n\nRemember, after submitting a finding, you can expect a follow-up from us. Also, if you're looking for ways to stay updated on new reports, stay tuned to our communication channels.", "Question: How can I submit, edit, check the status, and find feedback for my smart contract audit findings in CodeArena?\n\nAnswer: After you've completed your smart contract audit, you can submit your findings through the form available for each contest on the CodeArena website. After submitting your findings, you can expect a follow-up and should receive a confirmation email. The submission process is further detailed in our guide [here](https://docs.code4rena.com/roles/wardens/sub). \n\nIf you want to modify your findings, this can be done by navigating to the contest page and clicking on the 'Your Findings' button. This option is also helpful for checking the status of your submission or verifying its success without making any adjustments.\n\nAfter submitting a finding, you may have queries about how to submit additional findings, especially after an initial low-risk finding. This can be managed through the same process. Remember, there is no reward for submitting findings first; the important thing is to submit before the audit closes.\n\nYour submitted findings will be reviewed by our judges after the contest ends. The findings repo is made public and the report is published, allowing everyone to review the submissions for a contest. Potential feedback for your submitted findings can also be found at this stage.\n\nPlease understand that it may take some time for the submission of a finding to be confirmed via email. 
If the submission fails, the form should return an error. If you encounter any issues related to submitting findings or loading submitted findings, please reach out to our support team.\n\nYou can also withdraw your findings under 'Your Findings' on the contest page. All findings need to be submitted before the audit closes. Be sure to follow our [submission guidelines](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues), and please remember that examples of past submissions can be found at [https://code423n4.com/reports](https://code423n4.com/reports).", "Question: What is the general organizational structure and operational procedures of C4?\n\nAnswer: CodeArena (C4), being a Decentralized Autonomous Organization (DAO), operates primarily on weekdays, and it is not typically staffed on weekends. However, participants can still direct message the C4 staff members. The C4 team is always working on improving their tools and procedures to speed up their operations. For instance, they have made changes to allow for invoicing. In terms of community involvement, they delegate the process of becoming a Certified Warden to Provenance. This also involves a Know Your Customer (KYC) procedure. Users can change their profile photo or link their C4 profile to a Twitter profile by creating a help desk request on their website (https://code4rena.com/help). However, it is important to note that the process of linking a C4 profile to a Twitter profile might be specifically for certified auditors. It is also observed that some users have reported issues in accessing the C4 website or logging in, for which support can be asked from the C4 website. The team's general English level, particularly in reports, could use some improvement. C4 also provides grants for building tools, particularly for building a website to display results in a nice way for job hunting. 
They are open to proposals and suggestions from the community, as seen in the proposal to call a certain issue \"C4 MEV\". They also share their upcoming office hours in the C4 rollup in their announcements. Lastly, there is a high level of trust in C4 staff and projects within the community.", "Question: How can I change my wallet address in CodeArena and get a new corresponding private key?\n\nAnswer: If you want to change your wallet address in CodeArena, you can do so by following the procedure detailed on our documentation page: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address. \n\nThere are two types of wallets in CodeArena, one is a login wallet that you set up when creating an account and the other is a payment wallet. You can update your payment wallet in your profile if needed. Note that if you change your wallet address, rewards will be sent to the wallet address on file at the time the awards are calculated for an audit.\n\nIf you forgot your wallet address, you can refer to the email you received when you submitted the bug report or seek help at our help desk at https://code4rena.com/help. \n\nAs for obtaining a new private key, you should generate a new one when you create a new wallet. Remember, if you don't have the private keys, you don't truly own the coins in the wallet. If you cannot obtain private keys, we recommend competing again. \n\nPlease be aware that if you lose the seed phrase from your wallet, you should follow the steps mentioned here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked. \n\nLastly, if you suspect your private key might have been leaked and want to verify malicious transactions, you can do so by checking your wallet address using polygonscan.com or other wallet trackers like debank.com. 
If you're looking to prevent future attacks on your wallet, it's important to keep your keys safe and make sure that you're the only one who has access to them.", "Question: Can I obtain a private key from a public key and how can I change my wallet address on CodeArena?\n\nAnswer: No, you cannot obtain a private key from a public key. This principle is a cornerstone of asymmetric cryptography. Attempting to reverse-engineer a private key from a public key would fundamentally break the security of these cryptographic systems. If you need to change your wallet address on CodeArena, you will need to generate a new private key. You can then switch your network in Metamask to Polygon Mainnet, copy your new public key, and paste it into your Code4rena account. However, it's important to remember to keep your private key secure. Don't store it on a public repository, as there have been cases where private keys have been leaked, leading to wallets being compromised. If you suspect your key might have been compromised, check for any unknown transactions and consider competing again to ensure your security.", "Question: How can I quickly locate and verify a specific transaction, particularly when a user has given allowance to a contract, given only the user's address and the contract's address?\n\nAnswer: To quickly locate transactions, you can work backwards from past payments made to you, as all these transactions are public information. In a specific scenario where a user has given allowance to a contract, and you only have the user's address and the contract's address, you can locate the transaction hash by filtering the contract's logs and checking topics for the specific address.\n\nMoreover, for verification of transactions, you may need to consider transaction details such as the wallet address and the corresponding private key. Tools can also be helpful in this process. For instance, auditors can use a diff command to spot differences between two contracts. 
Additional resources also exist, like these two GitHub links shared in our community: https://github.com/transmissions11/solcurity and https://github.com/Tomosuke0930/C4-report-categolized.\n\nRemember, it's crucial to be careful with private keys and wallet addresses to avoid potential scams or leaks. Using a two-step change process with critical addresses is considered safer and better practice than a one-step change, as it can help prevent errors such as passing in the wrong address. \n\nPlease note that there might be instances where the process may not work as expected, and you may require additional assistance. We are always open to helping you navigate through these issues.", "Question: Can I change my payment address on CodeArena and will future payments be directed to the new address?\n\nAnswer: Yes, you can change your payment address on CodeArena. You can do this from the Manage Account section of your user profile on the CodeArena website: https://code4rena.com/account. This will allow you to update your payment address to a new wallet address, which can be effective in preventing future rewards from being stolen. Once you update your payment address, future payments, such as rewards for reports, will be directed to the new address. If necessary, you can update the wallet addresses used in a finding after it has been submitted and before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. However, it's important to note that CodeArena only supports payments to one address, and your team will need to distribute the funds as needed if your team payout address is a smart contract.", "Question: Where can I find updates, contest results, and relevant information on contests and audits in CodeArena's Discord chatroom?\n\nAnswer: There are several channels on the Discord chatroom that you can refer to for different types of information. \n\n1. 
For all contest results, you can refer to the #\ud83d\udce2announcements channel. You can also find the awards list for contests here. \n\n2. If you're looking for information about public contests and when they are going to be open, you can check the #\u270brsvp channel. This channel also provides updates about RSVP contests, future qualifiers, information on the next bot qualifier, and news on contests for non-KYC participants. You can also indicate your intention to participate in upcoming public audits by reacting to the message in this channel. Here is a link to the RSVP channel: https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784.\n\n3. The #\ud83c\udfebeducation channel is another great source of information. \n\n4. To access the contest channels, you need the warden role, which you can get by filling the form on the website. Each contest has a channel where you can ask general questions. \n\n5. If you're interested in sponsoring a contest, you can go to the #\ud83d\udcbci-want-c4-to-audit-our-code channel. \n\n6. For more in-depth information, you can contact someone on the streams' protocol team for clarification. The contest channel in Discord was suggested as the best option to reach out for clarification.\n\nPlease note that there is a proposal for new announcements channels and pinning key information to specific channels for easier access. One such proposed channel is #audit-reports for updates whenever a report gets published on the C4 website. \n\nAdditionally, the community calls are available to watch on YouTube, and office hours sessions will be posted there early the following week.\n", "Question: How does CodeArena handle issues found by multiple people or teams, issues found in different instances, and issues that could be combined or resolved by the same fix?\n\nAnswer: CodeArena (C4) has a detailed system to handle issues submitted by different wardens or teams. 
If the same issue is reported by multiple wardens, the reward for that issue is divided among them, regardless of the order of submissions. However, when an issue is found in a different instance or is similar to the automated findings, it can still be submitted as a valid report. This includes bugs or gas optimizations stated in publicly known issues that are applicable to other files within the same repository.\n\nIf you're unsure whether to submit findings as separate issues or as one combined issue, consider this: if two different issues can be resolved by simply fixing one thing, they would be considered as one issue. Similarly, multiple issues of the same nature in a code can be reported as one. For nuanced combinations of similar issues, you can refer to our discussion thread (#8).\n\nAs for bugs introduced through mitigation efforts, or assumptions made in the code not explicitly mentioned in the README/code comments, these can be submitted as valid issues. But remember, if a finding is mentioned in the known issues section for the contest, it will likely be disqualified. \n\nFor participants who are part of a team and find the same issue but submit it with different wallets, it's important to clarify these scenarios while submitting. \n\nIn case of any concerns or inconsistencies, you are strongly encouraged to use our Github repository for discussions and issue escalations: [https://github.com/code-423n4/org/issues](https://github.com/code-423n4/org/issues). Your inputs help us continually refine our processes. We also offer detailed reports after each contest, where you can check which findings were rejected and why. 
\n\nFor more information on handling of issues and their rewards, refer to our documentation: [https://docs.code4rena.com/incentive-model-and-awards](https://docs.code4rena.com/incentive-model-and-awards).", "Question: When and how can I view the issues from the Biconomy Hyphen 2.0 contest's audit and is it possible to review issues before they are reported?\n\nAnswer: Once the audit for the Biconomy Hyphen 2.0 contest is completed, the report will go live and users can view these issues. The audit results are currently under review and are expected to be published in the coming weeks. Until the report goes live, the issues found cannot be viewed by the participants. There is a possibility that the issues in the published reports might be the same as those reported initially, however, this is not entirely clear. Additionally, our platform allows for the review of issues before they are formally reported. It is also important to note that the public visibility of the reports is confirmed, meaning that all users will have access to them once they are released. The severity of issues can be updated post-submission by our judges. We are also planning to allow certified contributors to view submitted issues right after contest closure and offer their comments or input on these issues during the judging process. It's worth noting that questions about issue types relating to the platform can be asked and discussed.", "Question: How does the submission of issues work in CodeArena's competitions, and does the order or timing of submission affect the payout or judgment process?\n\nAnswer: In CodeArena's competitions, the order of submitting issues does not influence the judgment or the payout process. The judges select the primary issue based on the quality of the write-up, not the sequence of submission, incentivizing participants to focus on the quality of their submissions. Each issue is evaluated strictly based on what was submitted. 
If multiple wardens find the same issue, the payout for each warden decreases. This is part of our incentive model, which you can find more about here: https://docs.code4rena.com/incentive-model-and-awards. \n\nWhen submitting multiple similar issues, it is appreciated if they are grouped together. However, note that multiple items within one submission count as one issue in terms of rewards. If you wish to withdraw an old issue to make a new submission of the same issue, you are allowed to do so. Also, it's possible to submit issues as a team, but the procedure for doing so isn't explicitly mentioned.\n\nIf you're unsure whether your finding should be submitted as separate issues or as one, or have any other questions regarding submission, feel free to contact our team for clarification. After submitting an issue, you will receive an email regarding the status of your submission, whether it is valid or not. It's also possible to edit your submissions after they have been submitted.\n\nImportantly, there is no incentive for being the first to submit an issue. Moreover, issues found in out-of-scope contracts can also be submitted, as long as the process outlined in our C4 form is followed. We allow submissions at any time before the contest ends, accepting only the first or last entry that a participant or team sends.", "Q: When and how are the Biconomy rewards distributed at CodeArena?\n\nA: The Biconomy rewards at CodeArena are usually announced and distributed within 1-2 weeks after the completion of a contest. Once a submission is confirmed and the reward amounts are announced, participants just need to wait for it to be sent to their registered wallet address. The rewards are not distributed immediately after the announcement due to the use of multisignature (\"multisig\") wallets which require signatures from multiple parties before funds can be released. The rewards are then typically sent out manually in batches for multiple contests at a time. 
There have been instances where some rewards are pending after the contest has finished, but these are addressed and paid out eventually. Users can check the announcement channel for updates on the distribution. The team aims to process and distribute multiple contest rewards within the same week they are announced or by the end of a specified week. If a report is accepted, the reward payment is usually made within 1-2 business days of the announcement. Please note that the process of distribution is in the process of being automated, with future awards expected to be distributed via smart contract once more pieces are in place. To ensure that you receive your rewards, make sure your wallet address in your reports is up to date.", "Question: After submitting an issue or bug report, how can I see the status or read the issues found? \n\nAnswer: Once an issue or bug report has been submitted to CodeArena, it enters into a review and judging process. This means that the findings are not immediately available for viewing. After submitting, you will receive an email confirmation of your successful submission. However, you will need to wait for the report to be published and the findings repository to be made public to check on your submissions. \n\nThis process can take anywhere from two to six weeks, or even longer in some cases. During this time, the submissions are reviewed, triaged, and await sponsor review and final judging. After the leaderboard is shown and rewards are sent, the final report of the contest may not appear instantly on the C4 site. It is advised to wait until the full public report is published before doing a write-up of some issue or bug found on a project. \n\nPlease keep in mind that all your submissions may not make it to the final report, and the reason might not be immediately clear. Additionally, only the findings submitted by you or your team will be visible to you until the final report is made public. 
\n\nOnce the report is published and the repo becomes public, you can view your submissions, the reasons for potential rejections, and see the status of your submissions. You can also review issues before they are reported. For further queries, you can check previous reports to understand what a high-quality submission looks like. \n\nThere are future plans to allow certified contributors to view submitted issues right after the contest closure and to comment or give input on these issues during the judging process. Until then, your patience is appreciated. You can check the success of your report submission not only through the email confirmation but also by your ability to edit the submitted findings. \n\nFor further insights and updates, you can check on the CodeArena website [INCLUDE LINK].", "Question: How can I accurately estimate the risk of the vulnerabilities I find during a smart contract audit?\n\nAnswer: Risk estimation for vulnerabilities identified during a smart contract audit follows a specific process. It is important to review the judging criteria detailed at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk and make a case for the chosen severity using substantial evidence. \n\nWhen reporting bugs, the severity depends on the impact of the bug. Therefore, you should use our guidelines for estimating risk as outlined in https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. This includes a range from non-critical to high risk. \n\nRemember that the self-assessment of risk is taken into consideration, and a judge will make the final determination of severity. This can impact the award levels. High-risk findings are contest and judge dependent. When submitting such findings, make a case to the judge if you believe it should be considered. \n\nMedium risk vulnerabilities ideally require test codes as Proof of Concepts when writing reports, similar to high-risk vulnerabilities. 
Uncertainty exists about whether 'on the fence' vulnerabilities should be rated as High or Medium risk. In such cases, it's recommended to review our guidelines and, if necessary, direct message us for further clarification. \n\nKeep in mind that high-risk issues typically have a higher burden of proof and issues marked as high risk may be downgraded or discarded by judges based on the evidence provided.", "Question: Does CodeArena provide a README template for projects, and how can I best utilize it for auditing a project?\n\nAnswer: Yes, CodeArena provides sponsors with a set of example READMEs to work from, as well as a checklist of items to include. These templates can be found in every repository with 'findings' in the name on the CodeArena GitHub page [here](https://github.com/code-423n4). Guidelines for gas/QA reports in terms of formatting can also be found on the same page.\n\nWhen submitting your findings through the Code4rena interface, a markdown template will be proposed. However, the old GitHub template for submissions is outdated and not updated anymore. It is recommended to submit findings using the \"Submit finding\" button of the specific contest on the main page, each finding separately. \n\nThe README.md for each contest outlines what is in scope for auditing and what is not. It's important to read this thoroughly before starting your audit. Participants have discussed various ways to reference code in their reports. While some favor direct links to the code on GitHub, others suggest referring to a specific file and line number. \n\nIf you're using Foundry in a project that employs Hardhat, a base template can be found [here](https://github.com/foundry-rs/hardhat-foundry-template). If you're unfamiliar with Markdown, this [resource](https://markdown-it.github.io/) could be helpful. 
If you're a beginner and face issues in understanding certain code instances, it's advised to make one report and reference the related issues in it.\n\nFor additional context, there is a responsible disclosure guideline recommended for reading located [here](https://github.com/RD-Crypto-Spec/Responsible-Disclosure#the-standard). Finally, the estimated timeline for the process can be found in the organization's docs [here](https://docs.code4rena.com/structure/our-process).", "Q: How can I submit a Proof of Concept (POC) for my findings? Should I create a public Github repository?\n\nA: A Proof of Concept (POC) can be submitted either by directly providing a diff of an existing sponsor-supplied test/contract or by creating a private gist on Github and linking it. When using Github, it is recommended to keep your repository private to avoid exposing potential vulnerabilities to the public. If your POC is long, you can use external platforms like Gist. You can also link your Github repositories as proof of concept in your finding submissions.\n\nTo submit a POC, fill the Proof of Concept section when submitting a finding by providing direct links to all referenced code in Github and adding screenshots, logs, or any other relevant proof that illustrates the concept. You can present your POCs in either code or plain English. If your POC script for a vulnerability is too large to be embedded directly in the issue, you're allowed to provide a link. \n\nA POC should always be provided to support your submission, even for medium severity bugs. Not providing a POC might lead to your finding being disregarded unless the bug is very obvious. A coded POC along with the report can increase the chances of the report being selected, which comes with a 30% bonus. 
Images can also be included by linking them externally.\n\nFor precise instructions and examples on how to include a POC, you can refer to our submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept) and an example POC [here](https://github.com/code-423n4/2022-12-caviar-findings/issues/376). For instructions on sharing vulnerability discovery POCs, check [this link](https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc).", "Question: What is the recommended procedure when submitting a Proof of Concept (PoC) for a vulnerability that I've found?\n\nAnswer: When submitting a Proof of Concept (PoC) for a vulnerability, it's important to provide detailed evidence of the bug. You can submit a PoC for each bug you find. This can be done by creating a public Github repository, providing a diff of an existing sponsor-supplied test/contract, or by linking to a private gist, which can be used to keep the exploits private and avoid exposing vulnerabilities publicly. \n\nIf your PoC is long or complex, including it as a link rather than embedding it directly in the issue is acceptable. However, make sure your PoC successfully demonstrates the vulnerability and if possible, it should fully show every step in code. You can write a PoC in any language, as long as it clearly demonstrates the vulnerability. \n\nA PoC should support your submission, especially when reporting precision-loss issues. If the vulnerability you're reporting is a medium severity bug without a PoC, your finding may be disregarded unless the bug is extremely obvious. Even when reporting a vulnerability without a PoC, the process should be clearly described in bullet points. 
If two separate vulnerabilities can be combined to create a more powerful one, you can submit a third finding explaining the PoC.\n\nWhen submitting an issue, the vulnerability and its impact on the protocol/code should be explained in the impact section. The PoC section should contain the lines from your code/github or a test which you've written as an exploit. Please note that all participants' submissions might be made available after the contest ends, once the possible exploits have been patched.\n\nBe aware that having a coded PoC along with the report can increase your chances of your report being selected, which comes with a 30% bonus. For more detailed instructions on how to include a PoC, visit [Code4Arena's Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).", "Question: \nHow can I correct a typo or make changes to a submitted report on CodeArena?\n\nAnswer: \nIf you made a typo or need to make changes to a submitted report, you can do so by updating your Quality Assurance (QA) report. Navigate to the \"My findings\" option on the contest page to edit your report. It's recommended to only make these changes if they substantially alter the meaning of your finding or if you need to add additional details to your report. \n\nIf you accridentially included too much information or information that should not be publicly available, editing your report is the suggested course of action. You can also include screenshots, code snippets, and inline math in your reports to provide thorough evidence of your findings. \n\nIn special cases, such as encountering issues with the submission process, experiencing rendering issues in your report preview, or discovering discrepancies in the reports, you can create a help desk ticket to resolve these issues. 
\n\nRemember, your report should contain the issue, description, proof of concept (where necessary), and mitigation (where necessary) in a semi-professional report format. You can only submit one QA issue per contest, but you can edit the existing submission if you discover another error.\n\nTo confirm the success of your report submission, look out for a confirmation email from CodeArena. \n\nIn the event you made a typo in a public contest, such as the SLOC count for a contest, you can visit https://code4rena.com/contests/2023-08-arbitrum-foundation#top and follow the same process to correct your error. \n\nRemember, it's always important to ensure accuracy in your reports, as they play crucial role in the auditing process of smart contracts.", "Question: I have discovered a potential exploit in a smart contract. How should I report it to ensure it remains confidential and does not pose a security risk?\n\nAnswer: We take the security and confidentiality of vulnerabilities very seriously at CodeArena. If you've discovered an exploit, you should report it through our vulnerability submission process. \n\nIn your report, be sure to explain the vulnerability and its potential impact on the protocol or code in the Impact section. If the exploit is associated with a specific line of code, include the affected lines of code or a test that is written as an exploit in the Proof of Concept section. If a single line of code has multiple ways of being exploited, each bug should be reported separately, with priority given to the most significant one.\n\nTo ensure the confidentiality of your report, you can utilize a private gist (https://gist.github.com/) to share your findings. If you have a Proof of Concept (POC) script for the vulnerability, you can simply drop the private gist link into your submission where it is relevant. \n\nAdding screenshots to your report can be helpful. 
You can include them in the Vulnerability Details section by copying the Github permalink and the lines of code for the affected code. \n\nTrust between wardens (those who discover vulnerabilities) and sponsors (those who want their contracts audited) is paramount to us. If you have concerns about potential misuse of disclosed vulnerabilities, please feel free to bring it to our attention. \n\nIf your vulnerability is found in an out-of-scope contract but affects a main contract, it should still be reported. In case you stumble upon a vulnerability that is difficult to fix without major changes to the protocol, it can still be reported. Recommendations on how to fix it are appreciated but not required.\n\nAfter the vulnerability has been addressed and patched, your submission may be made public for learning purposes. However, if you feel it's a security risk to have the contents of your issue made public, a Help Desk request can be submitted.\n\nFor detailed instructions on sharing vulnerability discovery PoCs, you can refer to our GitHub link: https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc.", "Question: How does a smart contract decide which version of a library, such as ERC20.sol from \"@openzeppelin\", to import? Is the most up to date one always used, or does it depend on other factors?\n\nAnswer: The version of a library that a smart contract uses is dependent on the version specified in the packages.json file in the project directory. It's important to note that this does not automatically default to the latest version. In fact, many projects take a \"snapshot\" of OpenZeppelin contracts and include the code directly in their repositories rather than importing them via npm. This practice allows for necessary modifications to the external contracts to better suit the specific requirements of the project. You may notice these \"snapshots\" when reviewing contracts for audits. 
\n\nIt's worth mentioning that when navigating multiple smart contracts, a personal approach suggested by users includes starting with libraries and interfaces that have the least dependencies. This can help you understand the basic constructs before moving on to more complex contracts. \n\nIn terms of security and stability, it's not always the latest version of Solidity that is the most stable or secure. It's best to refer to the Solidity documentation and community for the most up-to-date advice regarding version selection. \n\nFor more information, you can refer to the OpenZeppelin's documentation at https://docs.openzeppelin.com/contracts/4.x/wizard. If you plan to compile code on Remix, you can clone the whole repository and install the dependencies with forge, or manually include the contracts on remix from the OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate).", "Question: What is the process and timeline for CodeArena's announcement and distribution of contest awards?\n\nAnswer: CodeArena announces contest awards separately from the distribution of funds. The process of distributing the awards involves several steps. After announcing the awards, they are sent out manually in batches for multiple contests at a time, a process that can take anywhere from 1-2 weeks after the announcement, although the goal is to disburse them within the same week they are announced. The timeline for distribution can vary based on the need for internal double-checking at each step of the process to ensure it\u2019s done correctly and securely.\n\nThe process does not occur immediately after the reward computation due to the time required by the involved sponsors and the use of multisignature (\"multisig\") wallets, which require signatures from multiple parties before funds can be released. 
This means that the signatures for the awards distribution are generally rounded up in a standing Monday meeting, with the expectation that any announced awards should usually get processed Monday or Tuesday of the following week.\n\nThere may be instances when there is a delay in distribution, as was the case with the Nested Finance audit contest. In such cases, the community is usually notified of these delays. Once the award is processed, it is sent to the participant's registered wallet address, which is public on the blockchain. If the award is for a team, the prize is sent to a single address and it is the team's responsibility to distribute it among themselves.\n\nCodeArena aims to eventually distribute awards via smart contracts once the necessary infrastructure is in place. In the meantime, the method for distributing awards on a curve, based on different tiers of quality, is being considered and will be designed after observing the scoring of initial contests. \n\nThe community has suggested improving clarity by splitting the 'Awarding' announcement into 'Awarding' and 'Paid' sections. The company has taken this feedback on board and aims to process awards faster in the future.", "Question: How can I achieve the Certified+ status after gaining a high finding in a contest at CodeArena?\n\nAnswer: To apply for Certified+ status after a high finding, follow these steps:\n\n1. You must have completed the Know Your Customer (KYC) verification. This is a mandatory process for all users aiming for Certified+ status.\n\n2. Participate in CodeArena contests. Having a high finding in a contest such as AbraNFT can be a stepping stone towards your Certified+ application. It's suggested that the criteria could include being in the Top 3 in at least 3 contests or having a high finding. In some cases, you may need to make a strong case to escalate a known low from the automated findings to a high.\n\n3. 
After the contest, if you have submitted a high-risk finding, you can expect a follow-up. Also remember, if an issue identified in an automated finding can lead to a high severity finding, it could be reported again during the contest by a warden and could potentially be awarded with higher severity. \n\n4. Apply for the Certified+ status through the application guidelines available at https://docs.code4rena.com/roles/certified-contributors.\n\n5. Once your application is approved and processed, you'll receive the Certified+ status. This status grants you benefits such as access to more contests and immediate access to findings repository which accelerates your learning process after contests end.\n\n6. After becoming certified, you may participate in private contests by RSVPing in the rsvp-certified channel and ensure a high position on the leaderboards from the last 90 days. \n\nRemember, achieving Certified+ status might involve meeting certain criteria like participation in a set number of contests and having a certain number of valid findings or reports. Each contest at CodeArena has its own requirements and the judgment depends on specific contest conditions and the judge. It's important to make a compelling case in your submission if you believe a high-risk finding should be considered. \n\nIf you have any further queries or need assistance, you can contact us through the help desk form and we'll respond as soon as possible.\n", "Question: How can I change my Twitter username on Code4rena?\n\nAnswer: Users can change their Twitter username on Code4rena by submitting a help desk request at https://code4rena.com/help. In your request, include your current username and the new Twitter username you'd like to use. It's important to note that changing your username may affect certain aspects of your account. For instance, leaderboard standings and submissions under the previous username are not transferable to the new account. 
If any issues arise regarding this change, such as your username not updating correctly, please resubmit your request for further assistance. Also, please be aware that if you re-register to change your username, your statuses wouldn't carry over to the new account. If you want to link your Twitter account to the Code4rena leaderboard, you can do so by submitting a help desk request with your Twitter handle.", "Question: Where can I find detailed information on the Infinity NFT Marketplace system parameters and resources to learn about smart contract auditing?\n\nAnswer: Detailed documentation of the Infinity NFT Marketplace system parameters is available in the README file in the contest repository. You can access it here: https://github.com/code-423n4/2022-06-infinity#readme. For resources related to smart contract auditing, you may want to view videos or books that provide an in-depth exploration of the subject. Our community often discusses auditing methods, web3 security, and tools useful for auditing, such as etherscan.io for viewing on-chain contracts. \n\nThere's also mention of a tool for viewing on-chain contracts of etherscan in an IDE like Remix, which you may find valuable: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484. \n\nFor those starting out, discussions on topics such as exploit smart contracts, flash loans, and the Geth node could be of interest. Furthermore, understanding the relationship of interfaces to smart contracts in the overall system, and learning about blockchain forensics analysis, specifically for hacks and incidents in smart contracts, may be beneficial. \n\nFor specific questions or discussions, feel free to join our Discord chatroom. If you're planning on running an audit contest for contracts, we recommend reaching out to us via the chat to discuss pricing and operational details. 
\n\nKeep in mind, learning smart contract auditing is a complex process, often involving challenges such as setting up certain contract environments with limited documentation, no test cases, and no deployment scripts. Therefore, patience and persistence are essential.", "Question: Where and in what form are CodeArena rewards sent to participants?\n\nAnswer: CodeArena rewards are sent to participants on the Polygon network, not on the Ethereum network. These rewards are paid in USDC, a type of cryptocurrency. To receive rewards, participants need to register their handle and both their Ethereum and Polygon addresses. Rewards are distributed to one address for one handle per contest. When participants submit their findings for audits, there is a field for the Polygon address where the rewards will be sent. The rewards can be monitored on the Polygon network at https://polygonscan.com/address/ and can be moved back to the Ethereum mainnet using the Polygon bridge at https://wallet.polygon.technology/. It's important to note that the assets are sent to the user's address and the user controls the key to that address. To move the funds, a transaction on the Polygon network is required. If users wish to bridge from Polygon to Ethereum and later withdraw USDCs on Coinbase, they will need both Matic and Eth if using the Polygon bridge. However, if they choose to use the Hop Bridge, only Matic is required, but they will receive less USDC on the Ethereum Mainnet.", "Question: How do I apply for Certified+ status at CodeArena after achieving a high finding and completing the KYC process?\n\nAnswer: To apply for Certified+ status after a high finding, you must first have completed the Know Your Customer (KYC) process. This process is a requirement for becoming a Certified Contributor, and you can start the application at [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors). 
After completing the KYC process, which typically takes a few days, you will receive a confirmation email from Provenance and C4. \n\nIf you have already completed the KYC process and have achieved a high finding in a contest, you can apply to be Certified+ by contacting us directly through the help desk form. Please note that this process may take some time depending on the volume of requests, but we aim to respond as quickly as possible. \n\nKeep in mind that Certified+ has its entry requirements and additional privileges including access to private repositories after a contest has finished. This allows you to see what others have submitted and learn more quickly. \n\nIf your KYC application is still pending after a considerable period, or if it was rejected, we recommend you submit a help request or work directly with the originator of the application. \n\nIt's also important to note that you can reapply for certified status after changing your username. Additionally, if you have participated in more than three contests after completing the certification process, you can request an upgrade to Certified+. \n\nPlease note that KYC might be required to receive prizes for some contests. If you have any concerns or queries about the process or timeline for receiving your KYC confirmation email after submitting an application, don't hesitate to reach out through the help desk. The certification process and its constraints are outlined in more detail here: [https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints).", "Question: How should I submit my Quality Assurance (QA) and gas findings for a contest at CodeArena?\n\nAnswer: At CodeArena, you are required to submit one Quality Assurance (QA) report and one Gas report per contest. \n\nIn the QA report, you should ideally group all your findings together. 
While it's acceptable to compile all non-critical or low severity issues into one single report, medium and high severity findings should each be submitted as separate issues. This is because the evaluation of QA reports is based on both the quantity and quality of findings. \n\nYour Gas report should be separate from the QA report. If your findings are extensive and the report does not fit in a single submission, you can split it into separate submission requests. \n\nIf a finding is relevant to both QA and gas savings, it can be included in either report, and the judges will decide where it best fits. You're also allowed to edit existing findings if you discover more details or errors. \n\nWhen reporting issues of the same nature in a code, you can report them as one. Remember that both the quantity and the quality of your submissions will be considered during grading.\n\nIf your QA report exceeds the character count for regular submissions, you can submit it through a help ticket.\n\nFor more information on the judging criteria and how awards are allocated, refer to these links: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)", "Question: When and under what circumstances is the findings repo of a C4 contest made public?\n\nAnswer: The Findings repository of a C4 contest is typically made public once the final report of the contest is published. This policy is to facilitate learning from others and to promote a fair and transparent assessment. The exact timing, however, is not specified and it may vary. The reasoning for this is that the sponsor of the contest generally has not completed their mitigation work by the time the awards are published. \n\nThe Findings repo comprises all the submissions of a contest and can be reviewed after the report is published. 
This includes information about the average payout for gas optimizations, non-critical findings, and low-risk findings. Once the report is published and the repo is made public, participants can view their submissions and the reasons for their rejection. \n\nImmediate access to the findings repo after the contest ends is planned for Certified+ wardens, although this feature has not been rolled out yet. The public visibility of all analysis reports is confirmed by C4. \n\nIt is important to note that C4 has a policy of not discussing findings publicly until the report is published, and participants are advised to wait for the report to be published to check on their submissions. \n\nThe Findings repo, along with all the reports, can be found on the C4's GitHub repository: https://github.com/code-423n4.", "Question: How can I properly format and submit my code in the issue form on Code4rena?\n\nAnswer: Code4rena provides a way to format Solidity code in submissions using Markdown. When submitting, you can format your code by surrounding it with ` for inline code or with ``` for dedicated code blocks. This formats your code to be more readable. If you need to edit your submission after submitting, it is possible to do so.\n\nThe form used for analysis submissions supports markdown and after clicking \"CREATE ISSUE\" in \"SUBMIT FINDING\", the form data gets turned into a submission that goes into the findings repository for the given contest, which will be evaluated by judges after the contest ends. \n\nIf you encounter any issues while submitting, such as the gas report being larger than ~65k characters, you can submit your report via email to submissions@code423n4.com, as Github has a maximum character limit for issue descriptions. If this happens, you can submit a placeholder through the form and send the full report via email. 
More details can be found here: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form\n\nAdditionally, if you accidentally submit to the wrong contest, you can submit again to the correct contest and fill out a form to let the C4 staff know about the incorrect submissions. The form can be found at https://code4rena.com/help/\n\nRemember that markdown formatting can be included in issue titles and for other queries or persistent issues with submissions, help requests can be submitted at https://code4rena.com/help or you can forward your requests to submissions@code4rena.com.", "Question: What is the process and timeline for compiling and releasing audit reports after an audit contest has concluded on CodeArena? \n\nAnswer: The process of compiling and releasing audit reports on CodeArena involves several stages. After the conclusion of an audit contest, reports are first reviewed and triaged by judges. Then, they undergo sponsor reviews, final judging and Quality Assurance before they are eventually made public. \n\nThe timeline for this process can vary based on the specific contest and the number of reports under review. On average, it typically takes about 3-6 weeks for reports to be compiled and released. However, it could take less time (approximately one week) once sponsor review and judging are done, or it could take longer in some cases (up to 8 weeks). For instance, the audit report for the Yaxis project had a longer timeline due to a high participation rate and numerous submissions to review.\n\nOnce the reports are published, the results of the submissions can be seen. If a report is accepted, the reward payment is usually made within 1-2 business days of the announcement. Participants need to complete certification within 30 days of the end of the audit in order to receive their payout. 
\n\nIt's important to note that while some findings submitted for contests may not always make it to the final report, the reason might not be immediately known. To check, you need to wait until the reports are published. \n\nCodeArena continues to work towards decreasing the time from audit competition to the release of reports. More details about the process can be found at https://docs.code4rena.com/roles/certified-contributors.", "Q: How are rewards from CodeArena distributed, and what does the process involve?\n\nA: Rewards from CodeArena are paid out in the cryptocurrency USDC over the Polygon network, not on the Ethereum network. This means you receive them on your Polygon address, not your Ethereum address. You may require MATIC, another type of cryptocurrency, to transfer your rewards to another wallet, as MATIC is used to pay the gas fee for certain transfers within the system. \n\nIf you need to bridge from Polygon to Ethereum and then withdraw your USDC on Coinbase, you will require both MATIC and Eth if you use the Polygon bridge. However, if you use the Hop Bridge, only MATIC is needed, although you will receive less USDC on the Ethereum Mainnet. You can find more information on where to buy MATIC here: https://discord.com/channels/810916927919620096/824698635815223316/915880736664461322\n\nIn order to convert your rewards, you can connect your Polygon to MetaMask for conversion and withdrawal. The conversion process from Polygon Token to EUR can be done through the MetaMask bridge and Coinbase.\n\nPlease note that the rewards are not distributed immediately after computation. This is because CodeArena uses multisignature (\"multisig\") wallets, which require signatures from multiple parties before funds can be released. The company is planning to distribute awards via smart contract once more pieces are in place. If a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week. 
\n\nThe amount of rewards for finding issues can vary significantly, with some wardens getting thousands of USDC while others only get hundreds. You can find an overview of the rewards here: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic\n\nPlease note, rewards are generally aimed to be paid out in the same week they are announced. However, in some cases rewards could be paid partially or fully and there may be delays in distribution. If you have issues with receiving an award, be aware that rewards are distributed by the CodeArena team and cannot be withdrawn via a smart contract. So it's advisable to reach out to the team for resolution.", "Question: Where and how can I access the scoring breakdowns, reports, and findings for past contests on CodeArena?\n\nAnswer: Scoring breakdowns, reports, and findings from past CodeArena contests are accessible from various sources. Firstly, you can check the #\ud83d\udce2announcements channel on our Discord. In addition, each contest page on the CodeArena website provides this information. For a more comprehensive view, you can visit https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv where we host all our findings data.\n\nReports from past contests and the leaderboard with cumulative results are hosted on the CodeArena website at https://code4rena.com/reports and https://code423n4.com/leaderboard/ respectively. You can also view the status updates for past contests to understand their progress timeline. \n\nPlease note that your submitted findings and QA reports from past contests can be viewed even after a contest has concluded. However, visibility of all findings from a contest might not be available immediately after the contest ends and before the results are published. \n\nIf you are new to auditing and looking for practice, these past reports and findings can provide valuable learning resources. 
Additionally, you can use the tool located at https://github.com/sseefried/c4-stats for accessing contest-related information. \n\nFor any specific queries regarding past contests, such as knowing why certain findings were rejected, or to understand the criteria for a top-3 finish, please reach out to us directly.\n", "Question: Is there a possibility for CodeArena to host a bug bounty program for web applications, and what would the process and potential rewards look like?\n\nAnswer: Currently, there are no specific plans for CodeArena to host a bug bounty program specifically for web applications. However, the possibility of conducting such a program in the future has not been ruled out. CodeArena does conduct audit contests which are somewhat similar to bug bounty programs. These contests may occasionally include web applications in their scope.\n\nWhen a bug is reported, the usual process is to split the bounty reward among those who found the bug. If the same or a very similar bug is reported by multiple auditors, they each receive a portion of the bounty. The findings from these contests can be submitted and examples of past submissions can be viewed at https://code423n4.com/reports.\n\nAs for the bounty price, it is not disclosed upfront. It is determined based on the severity of the bug, which can range from non-critical to high risk. The specific risk estimation process for bug bounties is described in detail in the website docs. After a bug has been submitted, users can view or edit their own submissions on the site for open contests.\n\nFor those interested in learning about the process, resources for beginners who want to start smart contract bug bounty hunting include https://cryptozombies.io/ for Solidity and https://capturetheether.com/ for Capture the Flag challenges. \n\nCodeArena also provides a comparison of bug bounties and C4 audit contests on their documentation page, which can be found at https://docs.code4rena.com/. 
Remember that the process is subject to change and the community will be updated as things evolve.", "Q: I've submitted a report for a contest and received an award for it. Can you guide me on how to check the status of my submission, retrieve the payout, and understand whether my findings were accepted or rejected?\n\nA: Sure, if you have been awarded for a report submission, you need to wait for the payout process to be completed. The steps following a contest include Sponsor Review, Judging, Awarding, and then Reporting. You can check the status of your submission and whether your findings were accepted or not once the final report is published and the findings repo is made public. This process can take at least a month, and sometimes less than a week once the sponsor review and judging are finished. \n\nYou will also receive a confirmation email regarding your submission. If your submission is not on the award list, your findings might have been rejected. You can confirm this by reviewing the available report. \n\nIf you want to withdraw your submission and create a new one, you can do so under the \"your findings\" on the contest page. Please note that the ability to edit submitted findings indicates the success of your report submission. However, if an issue is submitted twice and marked as a duplicate, it could potentially affect the payout. \n\nFinally, if you submitted a report without being certified, you need to be aware that certification is required to receive rewards. \n\nFor more detailed information regarding the submission, withdrawal, and payout process, refer to the CodeArena documentation ([insert link here]).", "Question: Is copying an array to memory before processing it a viable method to reduce gas usage in smart contracts?\n\nAnswer: No, this approach is not generally beneficial. When you copy an array to memory for processing, you need to read each element from storage and copy it into memory. 
For instance, if an array has 10 elements, you're reading these 10 times from storage to copy them 10 times into memory, which is not cost-efficient when compared to reading directly from storage.\n\nHowever, the choice between using storage, calldata, or memory is dependent on their costs in a given context. For example, using calldata is cheaper for read-only arrays because they don't need to be iterated and copied into memory. Similarly, caching a storage pointer can also prove cheaper as it avoids re-computing the position.\n\nThere are other methods to optimize gas usage that may prove more efficient. For instance, excluding the increment (++i) in a for loop, using the 'unchecked' command in loops or using function inlining when an internal function is only called once can save gas. Additionally, Solidity stores state variables in 32 bytes storage slots and packing these variables into fewer slots can also reduce gas costs [More about this can be read at https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html]. \n\nFurthermore, it's recommended to include the amount of gas saved for every finding in gas optimization reports, which can provide more context and help when comparing different methods of optimization. \n\nRemember, it's beneficial to validate gas optimization strategies with actual testing, as the cost can vary depending on several factors, including the specific implementation and the Ethereum network's current gas price. For more details on gas optimization strategies and possible savings, refer to a recent CodeArena report like this one: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations.", "Question: How can I register a team on CodeArena and submit our collective findings?\n\nAnswer: At CodeArena (C4), team registration and collaboration during smart contract audits are facilitated to ensure a comprehensive audit process. 
To register a team, you need to make a pull request (PR) with your team handle at https://github.com/code-423n4/code423n4.com/pull/28. You can find detailed instructions on registering a team here: https://docs.code4rena.com/roles/wardens#registering-a-team.\n\nOnce your team's PR is merged, it allows your team to submit your findings collectively. Team members can submit findings on behalf of the team by picking either their solo handle or team handle when reporting issues. In case of updates to team information, a new PR should be created.\n\nIf you are part of a team, the submission form allows you to choose to submit solo findings whenever you like. This addresses any concerns regarding team members wanting to participate solo in a contest that their team is also auditing.\n\nAfter the contests are over, only those with the \"backstage\" role get access to findings to assist with triaging. By submitting as a team, all members will receive the bug stats.\n\nIf your team is having trouble adding new members or modifying team details, you are advised to submit a help desk request. It's important to note that only the team has access to submissions before a contest ends. If you encounter any roadblocks during this process, you can reach out to our help desk for assistance.", "Question: Could you explain the meaning of '?' and ':' on the third line of a code snippet, how they function in the context of smart contracts, and how to reference this in reports?\n\nAnswer: The symbols '?' and ':' together form the ternary operator in coding, which is essentially a shorthand for an if-then-else statement. This operator can play a crucial role in the logic of smart contracts, such as in an 'initialize function' to prevent harmful actions like 'frontrunning'. \n\nWhen referring to specific lines of code in reports, the preferred method at CodeArena seems to vary among participants. 
Some suggest providing direct links to the code on GitHub, which can be done by clicking on the left tab of the code line to change the URL. If you need to reference a range of lines, holding SHIFT will enable you to capture this range. \n\nAlternatively, others suggest referencing the specific file and line number. For instance, if you are reporting a finding and want to include a code snippet for clarity, you can use three backticks and specify the language (e.g., ```solidity) to achieve syntax highlighting. A VS code extension called \"Copy With Line Numbers\" can also be useful in these scenarios for obtaining line numbers along with the code snippet. \n\nRemember, when coding and auditing, clarity and readability are paramount. Even a line like 'require(abc<123)' could be considered a valid low finding as it contains a \"magic number,\" which can be unclear. Declaring a constant value instead can help make the code more readable. \n\nFor more details, you can refer to CodeArena's discussion history here: https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434", "Question: Can you explain the function \"uint256 x = a > b ? a : b;\" and how it may be optimized for gas usage?\n\nAnswer: The function \"uint256 x = a > b ? a : b;\" is an example of using a ternary operator in Solidity coding. This function sets the variable 'x' to the maximum value between 'a' and 'b'. The ternary operator is a shorthand for if-then-else statements. In this case, if 'a' is greater than 'b', 'x' will be assigned the value of 'a'. If 'b' is greater, then 'x' will be assigned the value of 'b'. \n\nWhen it comes to optimizing for gas usage, an important point to keep in mind is whether the function is internal or external. If it's an internal function that is only called once, it can be inlined to save gas. Inlining eliminates the overhead of a function call by replacing the call with the actual code of the function. 
However, this may not always lead to gas savings, especially if the function is complex or called multiple times, as the size of the contract bytecode could increase, leading to higher deployment costs.\n\nIn addition, the use of public functions declared as external can also help with gas optimization, as external functions cost less gas when they are called externally compared to public functions. However, they are more expensive when called internally.\n\nRemember that gas optimization should not compromise the readability and maintainability of your code. For instance, while it is common to prepend internal function names with an underline for clarity, this does not have any impact on gas usage. \n\nFor more information on Solidity syntax and best practices, visit the Solidity docs (https://docs.soliditylang.org/) and the Geth source code (https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302), which provide valuable insights into how various functions interact with storage and can be optimized.", "Q: How does team formation work in CodeArena, how are the rewards split, and what are the advantages of joining a team?\n\nA: In CodeArena, team formation is incentivized to encourage collaboration and collective auditing of smart contracts. When issues are found separately by individuals, the reward is reduced semi-geometrically based on the number of people. However, if a team submits a finding, the reward is split evenly among team members. This means a team could earn more rewards than individuals submitting the same finding separately. \n\nYou have the flexibility to submit findings as an individual or as part of your team, thanks to our submission form. It's worth noting that when a submission is made as a team, the rewards go to the team, and it's up to the team to decide how to divide the funds. \n\nApart from the potential for higher rewards, there are other advantages to joining a team. 
You can work together, share ideas, learn faster, and some members might excel in identifying and theorizing attack paths, vital to the auditing process.\n\nHowever, it's important to manage expectations within the team. There are ongoing discussions about how to handle scenarios where some team members want to participate solo in a contest that the team is also auditing, or not all members participate in the same contest. It's also crucial to consider how to distribute rewards among team members who have contributed differently.\n\nFor more details about the rewarding formula and award distribution, you can refer to our documentation: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs and discussion here: https://github.com/code-423n4/org/discussions/43.\n\nRemember, it's essential to establish trust within the team, especially since teams can comprise anonymous individuals over the internet. If you have any concerns or queries during the contest, feel free to reach out to the sponsor team.", "Question: How are rewards distributed amongst individual wardens and teams in the Code4Arena audit process, particularly when multiple people find the same issue?\n\nAnswer: In Code4Arena, both individual wardens and teams are incentivized for finding faults in smart contracts. If you are part of a team, all rewards go to the team and the team is then responsible for dispersing the funds. It is critical to note that if you are part of a team and submit a non-duplicate finding, the team gets greater rewards than if the same finding was submitted individually. This reward is sent to a single address, and the team decides how to distribute it amongst themselves. More details on team rewards can be found at https://docs.code4rena.com/roles/wardens.\n\nWhen multiple wardens, whether from the same team or not, discover the same issue, the reward for that issue is divided among them. 
The overall value of the bug is reduced and split based on how many people find it, with no priority given to who found the bug first. It's also important to note that repeated findings by the same team decrease the overall value of the submission. You can find more details about the reward division at https://docs.code4rena.com/incentive-model-and-awards.\n\nThere's no definitive answer to how the reward is split in a case where multiple people, including members of the same team, identify an issue. However, the rewards can be calculated using the formula found at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. \n\nThe reward amount can vary significantly, with some wardens receiving thousands of US dollars in tokens while others only receive hundreds. This is determined by the severity of the discovered bugs and how many people find the same issue. As stated in the chat, the best report typically receives more money. However, common findings are usually out of scope as they are picked up by the C4udit tool. \n\nLastly, please remember that the reward and recognition are split between all who found the bug irrespective of who found it first.", "Q: I'm part of a team that's participating in a Code4rena audit contest. We, along with other individuals and teams, have identified a gas optimization. How is the reward split among us and within our team?\n\nA: When multiple individuals or teams identify a gas optimization, the reward is shared among them. This distribution is calculated using the formula provided on our [Incentive Model and Awards page](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). Typically, the gas optimization pool constitutes 5% of the total prize pool, although this percentage can vary based on the specific project's need for gas savings. 
It's important to note that all valid gas optimization findings are weighted the same, and the prize amount reduces by approximately 10% for each duplicate submission.\n\nIn the context of a team submission, Code4rena treats the entire team as a single entity, or 'warden'. Consequently, if your team has a non-duplicate finding, you collectively receive a larger reward than if each member had made individual submissions. However, it's the team's responsibility to divide this reward among its members, as Code4rena sends the prize to a single address per finding.\n\nPlease refer to these documents for a better understanding of your potential earnings: the [Curve Logic](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic) for the award calculation, and this [example spreadsheet](https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0) for a practical illustration of reward distribution. \n\nRemember, only one gas optimization report can be submitted per contest. However, you can add more findings to your report by visiting the contest page and clicking the 'Your Findings' button. In your report, do mention the amount of gas saved for each finding, as this might be a requirement based on the judge's assessment criteria. \n\nLastly, there's no disadvantage to finding a bug later than others. The reward and recognition are shared among all finders, regardless of who identified it first.", "Question: What are the services and opportunities related to website, infrastructure pentesting, and smart contract audits provided by CodeArena, and how can I contribute as an auditor in this platform?\n\nAnswer: \nCodeArena primarily offers smart contract audits within the crypto space. However, there has been a suggestion of potentially adding website and other infrastructure pentesting audits as well, as we are always interested in expanding our scope. 
\n\nIf you are interested in becoming an auditor and contributing to the project, some ways to get there include reverse engineering and reading old audit reports, which can be found at https://chainsecurity.com/audits/. For those starting their journey in smart contract auditing, resources like https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources can be helpful. \n\nThere's also an interest in the community for more web2 whitebox audits, and discussion about the use of fuzzing tools like Echidna for auditing in contests. If you have experience with these, your contribution would be valuable. \n\nAdditionally, users have raised questions about the tools used for audits, such as Hardhat/Truffle or Foundry, indicating that learning about these tools could be beneficial for prospective auditors. \n\nRemember, auditing security is possible without focusing on the frontend of the blockchain. Besides identifying vulnerabilities, providing solutions or mitigations is generally a part of the audit process.\n\nIf you're looking for more opportunities outside of CodeArena, websites like https://immunefi.com/ (for bug bounties), https://spearbit.com/ (for freelancing?), and https://hats.finance/ (for decentralized bug bounties) are alternatives to consider.\n\nNo matter your level of expertise, CodeArena welcomes auditors who are willing to learn and contribute to the crypto security space.", "Question: I've noticed that the leaderboard doesn't seem to reflect FactoryDAO, despite the findings.csv being updated. Is this normal and if so, can you explain how the leaderboard gets updated?\n\nAnswer: Yes, this is a known issue that has been observed with the leaderboard. The leaderboard is updated when awards are announced, not immediately when the findings.csv file is updated. 
It's important to note that not all contest types are currently supported in the leaderboard updates, so certain contests may not be reflected right away, like FactoryDAO or Sublime contest, that are being worked on. \n\nThere have also been instances of minor issues like certain items being double-counted, which are usually corrected later. The \"total\" column you see on the leaderboard represents the valid findings of all severity levels by a specific individual or team. \n\nThe findings.csv file can be found at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv and contains details about each finding and corresponding rewards. The file can be parsed to create a table of all wardens and their deduplicated findings. \n\nIn situations where the raw findings.csv file has less entries for a warden than they submitted, it could mean an entry was deemed invalid or was a duplicate. Furthermore, after the leaderboard is updated and rewards are sent, the final report of the contest may not immediately appear on the C4 site. It's generally recommended to wait until the full public report is published before doing a write-up on any issue or bug found on a project.\n\nWhile the company's website does not currently track the dates awards went out, rather building the leaderboard off the dates of the audits themselves, there are discussions about making changes to the leaderboard to show current year statistics primarily, while keeping the all-time stats visible. \n\nPlease note that if a participant's name isn't mentioned in the report, it does not affect future submissions, but it may have a minor impact on the leaderboard ranking.", "Question: What is the process for submitting QA/gas reports for auditing in CodeArena?\n\nAnswer: When submitting reports for auditing in CodeArena, participants are advised to create one combined Quality Assurance (QA) report and one combined gas report per contest. 
All identified issues should ideally be grouped together in these reports. \n\nWhile there are no standardized rules for formatting these reports, you can find templates or guides on how they should look in terms of formatting on our GitHub page [here](https://github.com/code-423n4).\n\nIf your report exceeds the number of characters allowed in the submission form, you can submit a placeholder and send the report via email to report@code4rena.com. More details on this procedure can be found at this [link](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form). \n\nYou can also view examples of top QA/Gas reports at [https://code4rena.com/reports](https://code4rena.com/reports). Remember, judges consider both the quantity and quality of submissions when grading QA reports, and a single item in a QA submission is unlikely to receive a high grade. For more insights on how grades are assigned, follow these links: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nFurthermore, participants have the ability to edit their existing findings. If you require guidance on how to prepare a gas and QA report, you can refer to our YouTube tutorial [here](https://www.youtube.com/watch?v=nady250cNo4). Please note that only the best or most comprehensive QA/gas reports are accepted.", "Question: What is the recommended format for submitting audit reports and can markdown formatting be used for issue titles and report bodies at Code4Arena? \n\nAnswer: At Code4Arena, the preferred format for audit reports should include the issue, its description, proof of concept (where applicable), and mitigation (where needed). 
Markdown formatting is a key part of this reporting process and can be used to structure both the issue titles and the body of the report. \n\nThe main platforms used for writing these reports are GitHub, Joplin, VScode, and Notion. It is essential that your chosen tool supports markdown. You can format your code in the submission issue form using markdown to make it more readable. Furthermore, you can add code in a block format using markdown, a guide to which can be found here: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.\n\nIn the proof of concept section, you can provide direct links to all referenced code in GitHub. You may also add screenshots, logs, or any other relevant proof that illustrates the concept. You can include the proof of concept in a gist file or refer to a specific file and line number. Another option is to use a tool like the one available at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers to submit issues in a specific format. \n\nRemember, the vulnerability and its impact on the code should be explained in the impact section. The proof of concept should contain the lines from code/GitHub or add a test which exploits the vulnerability. If mitigations are involved, you can use markdown to write the code in the report. \n\nIt's worth noting that while markdown formatting can be used in the finding body, only links should be included in the small box. There are no standardized guidelines or rules on the formatting of the gas/QA reports, just markdown. Be aware that a submission without a proof of concept may be disregarded unless the issue is extremely obvious (such as a wrong parameter, typo, or code that doesn't compile). \n\nAdditionally, Visual Studio's preview tool and other markdown tools like HackMD can be helpful for formatting your reports. 
Markdown formatting in the submission form on Code4rena is fully supported, making it an ideal tool for creating a semi-professional report format.", "Question: What are the best practices for improving the presentation of my report for the CodeArena judges?\n\nAnswer: The key best practice for improving your report's presentation for CodeArena judges involves heavily utilizing Markdown for formatting. Markdown is a lightweight markup language that adds formatting to text. Markdown and HackMD are popular tools mentioned for enhancing report's look, but the primary formatting for reports is done in markdown. \n\nYou can write your reports using various platforms such as GitHub, Joplin, VScode, and Notion, as long as the chosen tool supports markdown. Markdown allows you to add code blocks to your reports, which is especially useful if your report involves mitigations. The submission form on Code4rena accepts Markdown for formatting the text, including adding images. More on adding images to markdown can be found [here](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images). \n\nWhen adding code blocks in reports, use markdown to ensure it shows in the report. The reporting section supports Markdown (MD) format for this purpose, and a guide to doing so can be found [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks). \n\nHowever, it's important to note that there are differing opinions on whether issue titles should include markdown formatting or if line numbers should be included in code snippets. The format of your report can indeed influence its evaluation by judges. High-quality and high-quantity findings tend to score better in CodeArena competitions. 
For more insights, participants can compare their findings with winning reports found at [this link](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues).\n\nIn some cases, users choose to write their QA/gas reports directly into the submission form without using any special formatting tools. It's acceptable to link to other contests in a report to demonstrate findings, but citing examples from Code4rena is considered more convincing due to a more rigorous judging and QA process. \n\nWhen you submit through the Code4rena interface, a markdown template is proposed. Remember, CodeArena competitions prioritize both the quality and quantity of submissions when grading QA reports. For a comprehensive guide on the judging criteria, refer to the following links: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n", "Question: As a warden, when and how can I see the findings submitted by other wardens after a contest concludes? \n\nAnswer: Findings reports are made public and visible to all wardens after the final contest report has been published. This allows wardens to review and learn from each other's findings. However, if you are a Certified+ warden, you get early access to the findings repository immediately after the contest ends. This accelerates your learning process and can potentially assist with post-contest processes. \n\nTo become a Certified+ warden, you can apply through our platform. Keep in mind, Certified+ status requires adhering to professional conduct guidelines which include treating all findings as confidential until they are made public. \n\nFindings submissions are not disclosed to other competing wardens during the contest. 
They are reviewed and triaged after the contest ends, and any issues detected can be raised to the judge for reconsideration. Any modifications or withdrawals to your findings can be made until the contest closes. Once the findings repo becomes public, you can see your submission and the comments in it unless you have backstage access, which allows you to observe the report submission and triage process.\n\nWe are also considering releasing unverified submissions a few days after a contest ends for learning purposes. If you want to participate in future contests as a warden, you can log into your account on our platform. For further details about submission and discussion of findings, you can refer to our submission policy: [https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines] and our Certified warden professional conduct guidelines: [https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines].", "Q: I'm having trouble submitting findings through the website using my browser. I'm seeing an error about the permalink and I can't see my submissions in the \"Findings\" tab. How can I resolve this?\n\nA: It seems that a number of users have reported issues with submitting findings through certain browsers, such as Firefox and Chrome, due to an error related to the permalink. There are also known issues related to loading submitted findings. If you're seeing an error about your permalink not having a line number at the end, it might help to use a tool like the one at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers, which allows you to submit issues in a specific format. \n\nAfter submitting a finding, it may take some time for the submission to be confirmed via email. If your submission fails, the form should return an error message. 
If your gas report is larger than ~65k characters, it can't be submitted through the form due to Github's max character limit for issue descriptions. In such cases, you can email your submission to submissions@code423n4.com.\n\nIf you're unable to see your submissions in the \"Findings\" tab, it's possible that there's a delay or issue with the site. You can also check the success of your report submission by looking out for a confirmation email and your ability to edit submitted findings. If necessary, you can edit your findings by navigating to the contest page and clicking on the 'your findings' button. \n\nPlease note that bug reports cannot be submitted after the contest has ended, all findings have to be submitted prior to the audit closing. There's also a known issue where numbered lists in markdown do not show numbers in the preview tab, but the numbers are visible when submitted. If you continue to experience issues, please reach out for further assistance.", "Question: I saw an error message after submitting my findings on Firefox, should I take any steps to ensure that my submission was successful?\n\nAnswer: Yes, there are several steps you can take to confirm your submission was received. Firstly, check your email as you should receive a confirmation upon successful submission. Please note that it may take some time for this confirmation to arrive. If you do not receive an email, check your spam folder in case it was mistakenly flagged. If the issue persists, you may want to try resubmitting your findings using a different browser as some users have reported issues when submitting through Firefox and Chrome. Opera was hinted to work when others fail. In addition, if you realize there is an error or false positive in your submission after it has been submitted, you can retract it by visiting the contest page and clicking on the findings tab. It is also possible to edit an already submitted finding if you notice another error. 
If you continue to experience problems, please contact the C4 team or visit the help page at https://code4rena.com/help/.", "Q: I am having trouble submitting findings for auditing on CodeArena, with errors across different browsers. What could be causing this and how can it be resolved?\n\nA: From our chat history, it appears that several users have experienced similar issues when making audits submissions on our platform, via various browsers such as Firefox and Chrome. Some of these errors are related to the form validation not producing an error message, permalink issues, or a potential size limit on submissions. \n\nThis could be due to API limitations or even issues with GitHub, which affects our contest submission form. For instance, if a gas report is larger than ~65k characters, it can't be submitted through the form due to Github's max character limit for issue descriptions. In such cases, you can email your submission directly to submissions@code423n4.com.\n\nThere's also a known problem with the submission form that replaced the page with a purple screen when a dropdown was clicked, but this issue has been acknowledged and fixed.\n\nWe have previously proposed a fix for submission issues at https://github.com/code-423n4/code423n4.com/pull/2338, which might have resolved some but not all errors.\n\nWhen experiencing these issues, we have a few suggested solutions. Firstly, refreshing the page or switching browsers could help. It was hinted that Opera might work better for creating submissions when others fail. If you are performing tasks via mobile and having issues, you can send requests to submissions@code4rena.com for assistance. Also, ensure to unblock captcha in your browsers as this can cause submission errors.\n\nIf your issue persists, please let us know so we can look into it further. 
It's important to us that our process is as user-friendly as possible, and your feedback helps us improve.", "Q: What should I know about submitting findings on CodeArena, including issues I might face and any available solutions?\n\nA: Users on CodeArena can encounter various issues related to submitting findings. Some users have reported problems with submitting findings through Firefox and sometimes Chrome due to a permalink related error. This may also impact loading of submitted findings. It's advisable to try refreshing the page or switching browsers if you encounter these issues. \n\nSome users have experienced issues when submitting findings to specific contests, such as the Escher contest, where despite submitting their findings, they see 'No findings submitted for this contest'. It has also been observed that it can take some time for a submission to be confirmed via email. If a submission fails, the form should return an error.\n\nThere are also queries about options to submit findings without authenticating and questions about how to submit additional findings after an initial finding was submitted. A user also raised a query about other options to submit findings, outside of the form on the website, while waiting for warden verification.\n\nYou can edit your submitted findings on the contest page under 'your findings'. The 'Findings' tab is also where you can edit your QA issue submissions. There is a suggestion that there should be a 'Your findings' button to help with updating submissions. There is also a request for information on how to modify submitted findings.\n\nThere are submission guidelines and policies related to automated findings available at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. Users can submit findings from bug hunts, and examples of past submissions can be found at https://code423n4.com/reports. 
After clicking \"CREATE ISSUE\" in \"SUBMIT FINDING\", the form data becomes a submission that goes into the findings repository for the given contest, which is later evaluated by judges after the contest ends.\n\nUsers can find feedback for their submitted findings and can expect a follow-up after submission. However, some users have expressed concerns about the lack of feedback on bug submissions and the need for an editing feature for submitted findings to unburden the team handling tickets. \n\nWhen submitting findings, it is acceptable to provide a single report with all occurrences of the same issue. Users are also curious about the impact of automated findings on the contest and if bugs introduced through mitigation efforts should be reported. \n\nRemember that submitted findings can be modified through the \"your findings\" button on the contest page, and you can check the success of your report submission by looking out for a confirmation email and the ability to edit your submission.", "Q: How does the process of submitting, editing and confirming findings function in CodeArena, and what should I do if I encounter issues?\n\nA: When submitting a finding in CodeArena, after clicking \"CREATE ISSUE\" in \"SUBMIT FINDING\", the form data gets turned into a submission that goes into the findings repository for the given contest. These submissions are later judged after the contest ends. \n\nHowever, some users have reported issues when submitting their reports on various browsers such as Chrome and Firefox, often related to the permalink. These issues can occasionally lead to error messages, despite successful submissions. This can also occur when trying to submit a Gas Optimization report for a contest if one has already been submitted. \n\nIf you're experiencing an issue with your submission, try refreshing the page, changing browsers, or making multiple attempts. 
Some users have also reported problems related to size limits on submissions, so reducing the size of your submission may help.\n\nYou should receive a confirmation email after your submission. If you don't receive this, or see a message like 'No findings submitted for this contest' despite having submitted your findings, it might indicate a problem. You can also check the success of your report submission by checking your email and the ability to edit submitted findings.\n\nIf you want to edit your submitted findings or if you've realized a submission is a false positive, you can do so by navigating to the contest page and clicking on the 'your findings' button. There were instances where participants did not see their submissions on the Findings tab and could not edit them, in these cases, trying again in a different browser or at a later time may resolve the issue.\n\nPlease note that after submitting a finding, participants can expect a follow-up. In addition, feedback for submitted findings can be accessed, providing valuable input for future submissions. If you are still facing issues, submitting a help request might provide a solution.", "Question: What might be the reasons for an error message during my submission process in CodeArena and how can I resolve it?\n\nAnswer: Several factors might trigger an error message during the submission process. These include:\n\n1. Issue with regex validation of the submissions: Our system uses regex to validate your submissions, and any discrepancy could lead to an error.\n\n2. Submission size limit: If your submission, such as a Gas Optimization report, exceeds Github's max character limit for issue descriptions (~65k characters), it might not be accepted through the form. In such cases, you can email your submission to submissions@code423n4.com. 
More details can be found at this link: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.\n\n3. Duplicate submissions: If you're making multiple submissions for the same contest, you might encounter an error. \n\n4. API limitations: There could be issues due to API limitations.\n\n5. Form validation issues: Errors could be a result of form validation issues not producing the right error message.\n\n6. Issues with GitHub integration: Some reported issues were related to Github, which affected our contest submission form.\n\n7. Browser-specific issues: Some users reported problems while using Firefox or Chrome due to errors related to a permalink. Trying a different browser might resolve the issue.\n\nTo resolve these issues, you can refresh the page or change browsers. If the issue persists or if you have queries about submission rules, feel free to seek assistance from our team in the platform. It's also worth noting that there can be a delay in receiving a submission confirmation email. Finally, if you're worried about the reasons for findings rejection or if you're concerned about being penalized for too many unsatisfactory submissions, we have a process in place to help you understand why a bug was not accepted to improve future submissions.", "Question: How can I propose a fix to a code issue and get it reviewed and approved in CodeArena?\n\nAnswer: If you've identified an issue and have a potential solution, you can propose a fix by submitting your edited source code on GitHub. This can be done by creating a pull request (PR) in the relevant repository. For example, a fix for the submission issue was proposed and merged via [this pull request](https://github.com/code-423n4/code423n4.com/pull/2338). \n\nIn case your proposed fix involves a large number of line changes, you can also send a git patch or a PR to the repo to facilitate the review process. 
If you need to submit an update for team information, you can do so through [this link](https://github.com/code-423n4/code423n4.com/pull/3592). \n\nIt's noteworthy that the review and approval process might take some time, especially for larger codebases, so please be patient. Your PR will need to be reviewed and approved by either CodeArena staff or other users. For instance, team PRs need to be accepted by a team member while other users can also review and approve general PRs.\n\nOnce the PR is reviewed and approved, it will be merged. The PRs that have been merged can be viewed [here](https://github.com/heiho1/code423n4.com/pulls). Remember that you can also review issues before they are reported, make changes to your submissions after issue submission, and even propose changes to the CodeArena documentation at [this link](github.com/code-423n4/docs). \n\nFor further discussion of changes, you can refer to [this discussion thread](https://github.com/code-423n4/org/discussions/91). Please make sure to include a detailed comment about the bug and its impact when submitting an issue or a proposed solution. \n\nIf you're unsure about what constitutes a valid issue or how to modify submitted findings, please refer to the rulebook [here](https://github.com/code-423n4/rulebook/) or ask in the chatroom for clarification.", "Question: How is the severity of a griefing/DoS attack on a smart contract determined during an audit by CodeArena?\n\nAnswer: CodeArena categorizes the severity of a griefing/DoS vulnerability as high or medium risk based on a balance of consequence and likelihood. High risk vulnerabilities generally involve substantial asset loss, disrupting system functionality and have potentially severe consequences. They do not require pre-conditions. For example, if a user can push to an array arbitrarily and cause a Denial of Service for everyone else, breaking system functionality, it should be submitted as a High/Medium severity issue. 
\n\nMedium risk vulnerabilities, on the other hand, usually have a lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness. For instance, if a function call in a smart contract always reverts but assets are not at risk, it can be considered as a Medium or High finding depending on the context. \n\nIf a vulnerability is found a few days after the contest ends, responsible disclosure to the development team is expected, and it would not be awarded by C4 outside the contest timeframe. \n\nIt's important to note that if automated tools are used for initial findings, there is a higher burden of proof to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory, as explained in the submission policy of CodeArena (https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). \n\nFinally, even if a vulnerability breaks the protocol but no funds get stolen, it could still be classified as high risk. Similarly, if a vulnerability causes a direct loss of assets, such as a large portion of the yields, it may also be considered high risk. \n\nUncertainty remains in the case where a vulnerability is on the fence between high and medium, and final determination relies on experience and the specific context in which the vulnerability is found.", "Question: What is the process and timeline for judging, announcement, and payout after a CodeArena contest concludes?\n\nAnswer: After a contest concludes, the process generally involves a sequence of Sponsor Review, Judging, Awarding, and Reporting. Findings from the contest are reviewed immediately, including a review by sponsors. The judges, who are chosen based on experience and reputation, then undertake a thorough review, before the process moves on to final judging and Quality Assurance. The finalized findings become public once the auditing report is published. 
\n\nAs for the timeline, it often varies and is dependent on the time taken for judging and other processes. Generally, it can take from 2 weeks to over 8 weeks for the whole process to be completed and for the results to be announced. Notably, the announcement of contest results is made in the contest channel once the judging process is completed, and the reports or findings are made public after the announcement. \n\nOnce the awards are announced, the payout process begins. Payouts for contest awards are usually made between 1-2 weeks after the announcement. The signatures for award distribution are typically rounded up in a standing Monday meeting, so any announced awards should usually get processed Monday or Tuesday of the following week.\n\nIt is also important to note that once the contest payouts have been sent, the outcome cannot be changed. However, any overlooked issues can be flagged to the judge and sponsor. Furthermore, the findings repository becomes publicly available for discussion after a certain period of time post contest closure.\n\nYou can find detailed information about the process on our documentation site at [https://docs.code4rena.com/structure/our-process].", "Question: How are gas optimizations validated and reported in CodeArena?\n\nAnswer: In CodeArena, gas optimizations are evaluated based on the inefficiency of the current implementation and the gas saved through the proposed solution. It's suggested to report all kinds of gas optimizations separately, even those within view/pure functions. This includes cases where the optimizer is disabled - although there has been inconsistency in how these are judged, leading to confusion among participants. \n\nIf you have multiple ideas about gas optimizations, it's recommended to write them separately and then merge them into one report. Note that all valid findings for gas optimizations are weighted the same, irrespective of the gas saved. 
\n\nWhen it comes to known issues, only those mentioned in the generated report are considered invalid; others can be found at https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md. \n\nIt's worth noting that the purpose of gas reports is not specifically clarified in terms of whether it is necessary to show Proof of Concept (POC) for the gas saved or if a description and mention of gas saved is enough, adding to the confusion about the judgment criteria. A user also expressed concerns about the calculation of bounties for Gas Optimization reports; however, no clear response was provided.\n\nTo alleviate confusion, it's encouraged to ask for clarification on gas optimization. If in doubt about a particular issue, such as code simplification or the use of public functions declared as external, feel free to raise your concerns. Remember that gas optimization is not just about reducing gas cost, but also about improving the efficiency of the implementation.", "Question: How should I appropriately report gas optimizations and handle flagged improvements that are no longer valid in CodeArena audits?\n\nAnswer: When it comes to gas optimizations, it's crucial to understand that not all optimizations are valid when the optimizer is enabled. This can cause confusion about what should be reported. If any flagged gas optimization improvements are found to be no longer valid, it's recommended to either stop flagging them or better qualify them in future reports. \n\nHowever, when you do find valid optimizations, it's beneficial to report them separately and include the amount of gas saved for every finding in your report. This proof of gas savings from refactored code can significantly affect the grade of your submission. If you find a low issue or non-critical bug that also reduces gas usage, include it in the QA category and mention the gas savings. If the issue is solely related to gas savings, it may be downgraded from QA to gas optimizations. 
\n\nUsers sometimes have questions about the judgment criteria for gas optimizations and their significance. If you have any doubts, feel free to ask for clarification. There is also a GitHub link [https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md] where you can find all the approved findings and gas optimizations. \n\nOnce you've compiled your findings, you can upload your gas report under \"your findings\" on the contest details page. If you have multiple ideas about gas optimizations, they can be written separately and then merged into one report. \n\nRemember, gas optimization is not only a potential starting point for a first-time audit but also a way to earn more, depending on your proficiency. However, there might be a concrete threshold for \"marginal\" gas savings, which is still unclear. We are planning on updating the formula used for awarding gas and QA, so stay tuned for updates.", "Question: How should I handle reporting gas optimizations during a smart contract audit, especially if my valid improvements are marked as invalid?\n\nAnswer: \nDuring an audit, if you've identified potential gas optimizations, these should be reported separately. Remember, not all gas optimizations are valid, especially when the optimizer is enabled, leading to a certain amount of confusion on what should be reported. Here are few things to keep in mind:\n\n1. It's recommended to only report gas optimizations that are not already included in the generated report or listed in the common issues repository on GitHub (https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md).\n\n2. If your valid gas optimizations are marked as invalid, you should provide a Proof of Concept (POC) in your next contest submission that includes the finding. \n\n3. If a low issue/non-critical (QA) bug that also reduces gas is discovered, it should be included in the QA category and mention the gas savings. 
If the issue is only related to gas savings, it could be downgraded from QA to Gas. \n\n4. To avoid misunderstandings, providing proof of how much gas the refactoring saves could positively influence the grade of your submission. \n\n5. Each report should contain all your findings. Only one report of gas optimization can be submitted per contest, but more findings can be added to the report by going to the contest page and clicking the 'Your Findings' button. \n\n6. Always remember, if you list any of the C4udit gas findings, it will void your report and count as 3 rejected reports. \n\nIf you still have any doubts about how to handle gas optimizations, you are always welcome to ask for clarification in the Discord chatroom. Remember, your proficiency in identifying gas optimizations can impact your earnings from the contest, and including gas savings from refactored code in your submissions may have a positive impact on your results.", "Q: What are the guidelines for asking questions and seeking assistance in CodeArena, including private inquiries and account issues?\n\nA: At CodeArena, we encourage open communication and are dedicated to providing guidance to our members. For specific questions or intricate issues related to your account, you can direct message (DM) a CodeArena staff member or someone from Code4rena. We also have sponsor teams who have designated contacts that participants can direct message during a contest to ask questions. Users can privately ask questions and receive guidance on more fragile aspects of the system. \n\nFairSide and Vader protocol related queries can be sent via DM to the respective contacts. For any changes related to wallet addresses, which are usually complex, we request you to DM us only if the change is critical (like in the event of the old wallet being hacked). 
Questions about Yield v2 and its code can also be asked in private.\n\nEach contest has a designated channel where general questions can be asked, and these are usually the best places to seek clarification. We also schedule office hours and community calls where you can submit your questions. Changes to profile pictures, Twitter links, and applying for backstage roles can be done through a help desk request.\n\nPlease note that it's important to respect the privacy of other members and only DM for valid reasons. Also, while potential vulnerabilities can be confirmed via private DMs by the sponsor, their consideration for submission depends on the judgement of the event.", "Question: Will all applicants for the working group get feedback on their application, and what is the expected communication procedure after submission?\n\nAnswer: The CodeArena working group, which is not a mentorship opportunity but a group established to provide input on potential initiatives, plans to communicate with all applicants. After you submit your application, you should receive an email acknowledging receipt of your submission. The timeline for this may vary, but it typically happens quickly after the submission. If your application is not accepted, you should expect to receive feedback on the reasons for rejection, allowing you to understand the decision and potentially improve future applications. All of these communications are typically conducted via email, so ensure the email address you provide during application is accurate and actively monitored. However, it's important to note that the formation of the working group will take some time, so there may be a delay in receiving a response. 
We aim to make this process as transparent and informative as possible to all our applicants.", "Question: What is the process and timeline for communication after I apply for a role or submit findings at CodeArena?\n\nAnswer: After you apply for a role or submit your findings at CodeArena, here's what you can expect:\n\n- For role applications: All applicants will be contacted regardless of whether they were accepted as part of the working group or not. The timeline for this communication is not specified in our chat history, but rest assured, you will be notified of your application status.\n\n- For findings submissions: Once you've submitted your findings for a contest, you should expect an email confirmation about the validity of your submission, regardless of the outcome. This applies to issues submitted before the deadline, and you'll be able to check your submission without modifying it. The time it takes for project findings to get reviewed can vary with each contest. Also, it's important to know that sometimes multiple people are rewarded for their findings, based on the rewarding formula that considers findings count and partial credits.\n\nIf you have questions specific to a contest's scope, these can be addressed to the respective sponsor. If your findings were submitted for a closed contest, confirmation of acceptance or rejection will be known when the report is generated or when you qualify to be Backstage.\n\nFor applications to become a certified warden, upon approval, expect an email about the next steps which include completing a KYC process. 
The timeline for receiving this KYC mail after submitting an application was not answered in the chat history we have.\n\nThroughout this process, it is not clear from our chat history whether you can directly contact judges with questions or if there is a specific timeline for when decisions about roles such as Backstage will be made.\n\nAdditional opportunities such as C4 grants for tool-building and volunteering roles may also be available. For more specifics, please refer to our website or connect with our team directly.", "Question: How can I verify an account's existence before executing .call() on it in a smart contract?\n\nAnswer: There are several ways to check for an account's existence in a smart contract before calling .call() on it. A common method is to use the Address library from OpenZeppelin, specifically the function isContract, which checks if an address is a contract. Here's a snippet of how it works:\n\n```javascript\nif (address(0) == account) \n revert AccountInvalid(account); \naccount.call{value: msg.value}();\n```\nThe idea here is that if the account is the zero address, it's considered invalid and the account.call() function won't execute.\n\nIn another approach, you can check the size of the account's contract code using the following snippet:\n\n```javascript\nrequire(0 != address(myAddr).code.length)\n```\nIn this example, if the length of the code at the account's address is zero, it means the account does not exist.\n\nFailing to check for an account's existence is considered a medium issue as it could possibly lead to loss of funds if the call function is used to send Ether to an address. A transaction could go through but the address being sent to may not be a valid recipient. This was discussed in the context of a missing zero address check, a common vulnerability in smart contracts. 
You can read more about it on the Code4Rena report [here](https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address).\n\nRemember to consider the context of your smart contract and the potential risks associated with your chosen method of account verification. It is always recommended to conduct proper testing to ensure the security of your smart contracts. Tools like Mythril and Slither that are available for testing contracts from Github may also be useful in this regard.", "Question: How do I apply for Certified+ status at Code4rena and what does it entail?\n\nAnswer: To apply for Certified+ status with Code4rena, you first need to become a Certified Contributor through the Know Your Customer (KYC) verification process. This process can be initiated by reading and following the steps outlined in our documentation at https://docs.code4rena.com/roles/certified-contributors. \n\nOnce you've cleared the KYC process, which usually takes a few days, you become a Certified Contributor and can participate in private contests. After participating in more than 3 contests and having a high finding, you may then apply for Certified+ status by contacting us through our help desk form at https://code4rena.com/help/. \n\nCertified+ status grants you access to private repositories where you can view other submissions after a contest ends, providing a learning opportunity. \n\nPlease note that KYC might be required to receive prizes for some contests. If you have applied for KYC, Provenance typically sends the KYC mail within one business day after you have submitted your application. If you are awaiting your KYC email after applying, you can contact our help desk for assistance. \n\nIt's important to note that qualifying for Certified+ status requires minimum requirements of submissions and participation in our contests. 
If you have further questions about this process or need assistance, don't hesitate to reach out to us.", "Question: \nWhat are the implications of misclassifying the severity of an issue in a bug report, specifically if an issue is perceived as medium severity but later evaluated as low or high severity by the judges?\n\nAnswer:\nWhen it comes to bug classification, it's important to note that the severity of an issue can vary based on the impact it has on the overall system or user. For instance, if an issue affects an end-user in a rare situation, it's typically considered a medium severity issue, but if it locks all the protocol assets, it's a high severity. However, misclassifying a bug's severity in your submission doesn't necessarily mean you'll miss out on rewards. If a high severity bug you reported is later deemed to be medium, you will still be eligible for a medium bug reward. \n\nSimilarly, a bug submitted as medium severity but evaluated as low might be considered for a Quality Assurance (QA) report reward. The term 'low issue' generally refers to QA reports in our discussions. In fact, if a bug is initially submitted as a low in a QA report and later determined by judges to be of medium severity, it will be eligible for medium rewards, as per our incentive model and awards policy [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nOn the other hand, if a medium issue is judged as high, it gets raised to high unless there's a reason to penalize it, such as it being incomplete, lacking detail, or not as accurate. 
It is always recommended to provide a Proof of Concept (PoC) for medium severity bugs to avoid disregards unless the bug is extremely obvious.\n\nWhile there's some level of uncertainty with bug classification, the consensus seems to be that it's better to submit a finding even if you're not 100% sure of its severity. However, always strive for accuracy and provide sufficient detail in your report to help the judges make the best evaluation.", "Question: What are some other platforms like Code4Arena where I can earn rewards for auditing smart contracts, and how does CodeArena compare to them?\n\nAnswer: Several platforms offer rewards for auditing smart contracts, similar to CodeArena. These include ImmuneFi, Spearbit, and Hats.Finance. ImmuneFi (https://immunefi.com/) offers bug bounties, while Hats.Finance (https://hats.finance/) also provides decentralized bug bounties. The service provided by Spearbit (https://spearbit.com/) can be likened to freelancing.\n\nCodeArena, however, sets itself apart by conducting contests for auditing smart contracts. This unique setup allows for a competitive environment that can be both exciting and rewarding. If you're a beginner, CodeArena offers resources for you to learn about smart contract auditing at https://docs.code4rena.com/roles/wardens/tools-and-resources. You can also join their #\ud83c\udfebeducation channel for more insights. \n\nThere has been discussion about CodeArena possibly expanding its scope to include website and other infrastructure pentesting audits in the crypto space. However, this is not yet confirmed. \n\nFor an in-depth comparison between bug bounties and CodeArena's audit contests, you can refer to their documentation at https://docs.code4rena.com/. \n\nRemember, while these platforms provide opportunities for rewards, smart contract auditing requires a certain level of expertise. Newcomers to the field are encouraged to study and gain experience before diving into these challenges. 
Useful resources for beginners include https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://cryptozombies.io/ for learning Solidity.", "Question: Can overlooking the requirement check \"require(0 != address(myAddr).code.length)\" in smart contract coding potentially result in a medium issue?\n\nAnswer: Yes, overlooking the requirement check \"require(0 != address(myAddr).code.length)\" may potentially be considered as a medium issue, especially if the address is user-supplied and funds are being transferred. This issue is often seen as a \"missing zero address check\" that can lead to the loss of funds if not addressed, as discussed in this link: https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address. \n\nThis requirement check verifies the existence of an account before any operations are performed on it in smart contracts, which significantly mitigates risk. Various methods suggested for checking account existence include using OpenZeppelin's Address library and checking the length of the account's code. \n\nAn alternate optimization is to use assembly to check for address(0), as described at https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs. However, take note that while assembly optimization might save a little gas, it might not be valuable or necessary for all sponsors. \n\nAlso, in terms of gas efficiency, it's vital to note that the condition \"x != 0\" is cheaper than \"x > 0\" only in require statements and only prior to Solidity version 0.8.13. \n\nAs a caveat, it's worth noting that no code is considered perfect and it's unlikely that a contest would have no high or medium issues. Therefore, it's always advisable to remain vigilant and thoroughly check smart contract code for potential issues.", "Question: Is Sherlock a platform solely for expert auditors? 
What are the prerequisites to participate in auditing contests?\n\nAnswer: Sherlock indeed is another platform for auditing smart contracts and it does require a strong level of competence in the field. However, it's not just confined to the most experienced auditors. At CodeArena, we host different types of audits: public, private, and invitational. To participate in private audits, one usually needs to be a certified auditor, and the qualifications are described in the #\ud83d\udd96rsvp-certified channel. For invitational audits, only specific, high-ranking wardens are invited.\n\nWe also provide opportunities for team-ups between wardens who are strong technical writers but are just beginning as auditors and wardens whose technical skills are more advanced than their ability to communicate in English. This allows newer members to learn and grow in the field.\n\nIn terms of the complexity of audits, some smart contract projects may even require professional mathematicians to audit complex formulas, reflecting the depth of knowledge that may be needed in certain scenarios. However, tools like 'brownie' and fuzzing tools like 'Echidna' are also commonly used for auditing, indicating a diversity of methodologies in the process.\n\nOur audit contests are generally shorter than Sherlock's, largely due to achieving high-quality results with a smaller auditor participation. The Sherlock contest specifically will not have an advisor to the protocol participating, leaving more opportunities for other participants. Rankings do play a role in some contests, with top 3 or 5 usually taken for mit review or invitational. However, this is not always the case, and all contests will specify their own eligibility criteria.\n\nTo become a certified auditor, one has to go through a certification process that helps ensure they have the skills required to effectively audit smart contracts. 
The length of this process can vary based on a variety of factors, including the individual's existing knowledge and experience in the field.", "Question: Is there a way to clean the findings.csv file from empty lines or non-rewarded findings and where can I access this file?\n\nAnswer: Yes, the findings.csv file from CodeArena can be cleaned from empty lines or non-rewarded findings. This file contains all rewards based on each finding and can be found at _data/findings/findings.csv before deletion. It includes information about the average payout for gas optimizations, non-critical findings, and low-risk findings. If the raw findings.csv file has x entries for a warden and the warden submitted x+1 findings, it could mean one entry was eliminated as invalid or it was judged as a duplicate of one of the other findings. \n\nThe findings.csv file is open-source and can be found on CodeArena's website repository [here](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv). You can parse this file to create a table with all wardens and their deduplicated findings. It's important to note that findings that are valid, but non-critical, such as the presence of \"Open Todos\" or the \"use of Block.timestamp\", are not rewarded and do not have a share in the reward pot. \n\nCodeArena has guidelines for rewards and duplicity of findings which can be accessed [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit). It's also worth noting that high-quality and high-quantity findings tend to score better in CodeArena competitions. 
For more insight, you can compare your findings with winning reports found [here](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues).\n", "Question: How does the wallet authentication process work on Code4arena and can I change my wallet address for submitting findings and receiving rewards?\n\nAnswer: At Code4arena, you are required to connect your wallet to your account when you sign in in order to submit your findings. This does not mean you have to connect your wallet every time you submit findings. The submission form for each contest includes a field for users to enter their wallet addresses. \n\nIf you have already submitted findings before, you should be redirected to a confirmation page, not the registration page, when you connect your wallet. It's important to note that wallet addresses can be under review on the platform, which may affect the ability to submit findings. \n\nYou can change the wallet address you use for logging in, submitting findings, or receiving rewards. If you want to use a new wallet address in your reports moving forward, the rewards for the report will then be distributed to the new address. However, if awards are already being calculated for an audit when you change your wallet address, the rewards will be sent to the wallet address on file at the time of calculation.\n\nTo change your wallet address, follow the instructions provided at: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address. \n\nPlease note that the login wallet address cannot be changed presently, but if you are using Metamask, you can link multiple addresses. More information on this can be found at: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. 
\n\nIf your wallet gets compromised and you change your payment address, please create a help desk request at https://code4rena.com/help.\n\nAdditionally, Code4arena is considering implementing a system for users to use different wallets for different submissions in a single contest. The first steps towards this direction are underway with wallet authentication. For any further changes or updates to your registered wallet, please reach out to our help desk. \n\nMoreover, users also have the option to participate in auditing contests as a team, using a single wallet registered during the contest. If there are any issues regarding multiple members of a team submitting findings with different wallets, it's recommended to reach out to our help desk. \n\nRemember, always keep your wallet address updated and confirm your handle and ETH address to ensure you receive your share of the rewards. If you're unsure if you've submitted an address for rewards, you can check it using our help form at https://code4rena.com/help.", "Question: How does the wallet system function for teams participating in CodeArena's auditing contests?\n\nAnswer: Teams participating in CodeArena's auditing contests register using a single wallet. All audit findings submitted by the team belong to that team and funds for these findings are sent to the single wallet used for registration. Currently, there is an option for an individual to contribute findings as themselves or as their team once their wallet is connected. However, Code4Arena is working on a system to permit different wallets for different submissions within a single contest - a feature that is currently under development with wallet authentication. \n\nIn cases where the same issue is identified by different team members using different wallets, it's important to note that the reward is divided evenly among team members when an issue is found within a team. 
This system incentivizes team formation as the reward is lessened semi-geometrically when an issue is found by separate individuals. \n\nTeams are responsible for distributing the funds among themselves, which can be managed through multisig wallets or using a contract like OpenZeppelin's PaymentSplitter (https://docs.openzeppelin.com/contracts/4.x/api/finance#PaymentSplitter). If the team's payout address is a smart contract, it might require Matic (a cryptocurrency) to transfer the awards. \n\nIt's worth noting that there are two types of wallets: a login wallet set up when creating the account and a payment wallet, which can be updated in your profile. You can find more information about changing your wallet address where you receive awards at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards. \n\nIt's also possible to change wallet addresses used in a finding after the finding has been submitted and before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. \n\nCodeArena recognises the need for more clarity on how rewards are split for teams and is actively working to improve this aspect of their process.", "Question: I have linked my Payeer wallet to my CodeArena account. Can I encounter any issues with this, and if so, how can I change or update my wallet address?\n\nAnswer: CodeArena supports various wallets, including Payeer, as long as they are compatible with WalletConnect. You can find more details on supported wallets at [WalletConnect's registry](https://walletconnect.com/registry?type=wallet).\n\nAt CodeArena, you can have two types of wallets: a login wallet and a payment wallet. The login wallet is established during account creation, but you can update your payment wallet in your profile at any time. If you need to change your registered wallet address, you can do this from your user profile. 
However, be aware that changing your wallet address may affect your ability to submit findings if your wallet is under review. \n\nIn case of any issues with your wallet, such as unauthorized transactions or potential threats, it's advisable to replace your current wallet with a new one to prevent future attacks. After changing your wallet address on CodeArena, you can use this new address in your future reports. Any rewards for these reports will then be distributed to your updated address. \n\nIf you encounter any difficulties logging in, connecting your wallet, or have concerns about unexpected notifications regarding your payment address, you can submit a request through the Help Desk at [CodeArena's Help page](https://code4rena.com/help). Please note that using the correct wallet and email is essential to avoid login issues. \n\nLastly, it's worth mentioning that you can participate in contests without linking a wallet; only a payment wallet is necessary. Also, if you are part of a team and find the same issue but submit it with different wallets, the rewards will be distributed to the wallet from which the report was submitted. \n\nRemember that the payout for vulnerability issues can be verified by checking the wallet address with which you registered using trackers like polygonscan.com or debank.com.", "Question: I'm trying to re-register with my existing warden handle during the new registration process but can't find it on the username list. What should I do?\n\nAnswer: If you are unable to find your existing warden handle on the username list during the re-registration process, this issue is currently being investigated by our team. Here's what you can try:\n\n1. Connect your wallet from the dropdown at the top right of the page. This option will not be visible directly on the registration page. If you've submitted findings before, you may be redirected to a confirmation page instead of the registration page when you connect your wallet. \n\n2. 
Ensure that your warden registration is fully completed, as your handle will only appear on the leaderboard once this has been done. \n\n3. If you wish to change your username, you will need to re-register, but keep in mind that changing your username could affect your account registration as a warden. \n\n4. Check your permissions - a missing permission issue could be resolved by registering as a warden. \n\n5. If you are facing issues, consider directly communicating with our staff for further clarification and support. \n\nRemember, you can find detailed guidelines on how to register as a warden at [https://docs.code4rena.com/roles/wardens](https://docs.code4rena.com/roles/wardens). If you want to change your username or have other questions related to warden registration, you can also consult our troubleshooting section at [https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting](https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting), or submit a help request at [https://code4rena.com/help](https://code4rena.com/help).", "Question: I've connected my wallet to CodeArena but can't find my username. How can I resolve this issue?\n\nAnswer: If you've successfully connected your wallet but can't locate your username, the team at CodeArena is aware of this issue and actively working on resolving it. While the Login Wallet - which you set up during account creation - cannot be changed at present, you do have the option to link multiple addresses if you're using Metamask, which might help you to maintain access to your account. More information on this can be found here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with.\n\nMoreover, you can change your payment wallet address within your user profile on the Code4rena platform. 
If your wallet is hacked, or you suspect a compromise, and you change your payment address, you can create a help desk request if you logged in via the same wallet. Help with forgotten registration wallet addresses is available at https://code4rena.com/help.\n\nFor connection issues or any other assistance with the CodeArena website using WalletConnect, we advise reporting them to the #auth-help channel. It's also worth noting that you can switch to using a username and password for login. \n\nIn a scenario where you lose the seed phrase for your wallet, follow the steps mentioned here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked. We always encourage our users to add their payment wallets to their accounts and to take precautions to prevent future attacks on their wallets.", "Question: How can I set up and manage my wallet for Code4rena?\n\nAnswer: Wallet integration in Code4rena involves two types of wallets - a login wallet and a payment wallet. The login wallet is set up when creating your account, and you can update the payment wallet in your profile. While a login wallet is not required to participate in contests, you are encouraged to connect your wallet to your account to submit findings and receive payments. \n\nYou can check if your wallet is supported by visiting https://walletconnect.com/registry?type=wallet. For instance, Metamask wallet is known to be functional for submitting findings and receiving payments.\n\nSome participants have experienced issues with logging in and connecting their wallet, which can be reported to the #auth-help channel. You may also encounter login issues if you're not using the correct wallet or email. \n\nIf you need to change your wallet address, it's worth noting that while it is possible, it's a significant effort to manage and not centrally stored. In case of a compromised wallet or to prevent future unauthorized transactions, it is suggested to use a new wallet. 
However, be mindful that if you wish to use a new wallet address in your reports moving forward, you'd need to confirm if the rewards for the report will be distributed to the new address.\n\nLastly, there is a possibility of needing Matic (a cryptocurrency) to transfer awards to another wallet and wallet address updates are handled through the help desk. For further assistance, you may reach out to Code4rena's help desk.", "Question: What is the process and timeline for getting a certified status at CodeArena (C4)?\n\nAnswer: The process of becoming certified at CodeArena (C4) involves a number of steps. Firstly, you will need to complete the Know Your Customer (KYC) process. This is typically initiated by Provenance, who will send an email to start the process within one business day after your application has been submitted. \n\nThe KYC process involves verifying your identity and can take between a few days to over a week to complete. This duration can vary depending on the back and forth between you and Provenance. Once you have completed the KYC process, Provenance will send a confirmation email. However, this email doesn't specify a timeframe for delivery. \n\nFollowing the KYC approval, there is a processing period where the CodeArena team will update your role. This typically takes between 2 days to 5 business days. In some cases, it may take up to 2-3 weeks to become certified after completion of the KYC process. The status of the certification process is updated via email and it's important to note that the email may appear in your spam folder. \n\nIf you are participating in a contest, the certification process needs to be completed within 30 days of the end of the audit to be eligible to receive a payout. If there is any delay or issue in certification, you can open a help desk request at [https://code4rena.com/help](https://code4rena.com/help). 
\n\nPlease be aware that all timeframes given are approximate and can vary.", "Question: I was able to connect, but now when I submit it says your wallet is under review. Does this prevent me from submitting smart contract audit findings to CodeArena?\n\nAnswer: Yes, your wallet being under review might temporarily affect your ability to submit findings to CodeArena. You need to have your wallet connected to your account to submit findings. It's important to remember that this connection is required only once during the sign-in process and not each time you attempt to submit findings. \n\nIf you've previously submitted findings, you should be redirected to a confirmation page rather than the registration page when you reconnect your wallet. However, please note that there have been instances where users reported issues related to submitting findings and loading previously submitted findings. If your submission fails, the form should return an error.\n\nOnce the submission has been made, you should receive a confirmation via email. It has been reported to take some time for these confirmations to be sent out, so please be patient. You can also check the status of your submission by navigating to the contest page and clicking on the \"Your Findings\" button.\n\nYou have the option to edit or withdraw your findings while the audit is still open. This can be done from the contest page by selecting the \"Your Findings\" button [Example Contest page](https://code4arena.com/contests/2023-02-ethos-reserve-contest). Please keep in mind that some participants have reported not seeing their findings under the \"Findings\" tab or being unable to edit them. \n\nIf you encounter any difficulties, it's recommended trying a different web browser or ensuring your Metamask wallet is functional for C4 payments.", "Question: What does Sloc mean in the context of CodeArena smart contract audits, and how is it determined?\n\nAnswer: Sloc stands for Source Lines of Code. 
In the context of CodeArena, it refers to the count of lines in a smart contract's code, excluding the number of lines that are comments. It serves as one of the measures of contract size considered during CodeArena's smart contract audits. \n\nThe Sloc count is calculated using a tool called 'cloc'. However, it's important to note that there can be some discrepancy in the number of lines of code measured using different tools such as Solidity Coverage and Solidity Metrics nSLOC. This has been a cause of concern among participants and there have been suggestions to standardize how LOC is determined across different contests.\n\nThe Sloc for a contract is typically provided for each contest, as visible in the contest details on the CodeArena website. For example, in the GovernorBravoDelegate.sol contract mentioned in https://code4rena.com/contests/2022-06-new-blockchain-v2-contest, the Sloc is reported as 148. However, there have been instances where the reported Sloc was incorrect, as was the case with Dopex where spaces were initially included in the count.\n\nFurthermore, the duration of CodeArena contests is not directly proportional to the size of the source code (sloc). For example, concerns were raised about the 20-day duration for the audit of the Maia project, which has 12K Source Lines of Code (SLOC), prompting an extension to 4 weeks.\n\nVisit https://www.google.com/search?q=SLOC+meaning&oq=SLOC+meaning for more information on the meaning of SLOC.", "Question: What is the process and requirements to become a Certified+ auditor at CodeArena and why are findings repositories kept private until the final report is available?\n\nAnswer: \n\nTo become a Certified+ auditor at CodeArena, there are specific entry requirements that must be met. These include having a certified contributor role, making a significant number of findings (at least three medium findings and four total findings), and actively participating in contests. 
Backstage access, which allows participants to discuss their findings, is also based on this certified contributor role. Once you meet these criteria, you can apply for Certified+ status through a more formal process which is still under discussion [https://docs.code4rena.com/roles/certified-contributors/backstage-wardens]. \n\nOne of the perks of a Certified+ status is that you obtain earlier access to the findings repositories after a contest ends, providing the opportunity to learn more quickly from what others have submitted. However, as of the time of the chat, this feature has not been rolled out to anyone.\n\nFindings repositories are kept private until the final report is published to facilitate learning and to give sponsors ample time to act on the feedback received. This means that only the findings submitted by a user or their team are visible to them until the final report is made public. After the final report is published, the findings repositories are made public, and participants can review their submissions, the reasons for their rejection, and view others' findings. \n\nPlease note that the specific duration after a contest ends before the findings repo becomes publicly available has not yet been specified.", "Q: What is the Certified+ program and why are the findings from CodeArena competitions kept private until the final report is available?\n\nA: The Certified+ program from CodeArena is designed for wardens who've demonstrated competence and commitment in contests. It comes with entry requirements, such as the submission of a certain number of findings (at least three medium findings and four total findings), and participation in multiple contests. Certified+ members gain certain privileges, such as immediate access to the findings repositories after a contest ends, which allows them to learn more quickly from others' submissions. This access is applied for once the results are published to the leaderboard. 
You can find more about Certified+ at https://docs.code4rena.com/roles/wardens/certified-wardens#certified+-contributors.\n\nIn terms of contest findings, these are kept private until the final report is available for several reasons. Firstly, it provides sponsors with the necessary time to act on the feedback they've received. Secondly, it prevents premature public discussion of findings which can influence the contest outcomes or reveal sensitive information. Once the report is published, the findings repository becomes public, allowing for discussions and further learning. If a finding submitted for a contest does not make it to the final report, the specific reason may not be immediately known. To check, participants have to wait until the reports are published, which usually takes at least a month. For a more in-depth understanding, participants can review their submissions and the reasons for their rejection once the report is published and the findings repo is made public.", "Question: How should I report gas optimization findings that can be applied in multiple lines of code in a CodeArena contest?\n\nAnswer: When you find a gas optimization that can be applied in more than one line of code, it should be submitted as a single finding, with all relevant lines where it can be applied mentioned. This finding should be included in one comprehensive report per contest. To add more findings to the report, visit the contest page and click the 'Your Findings' button. \n\nIn the event of multiple gas optimization ideas, these can be written separately and then merged into one report. It's important to note that there are restrictions on submitting more than one gas optimization report in a contest, so all findings should be consolidated into one submission. \n\nWhile it's not mandatory, including the amount of gas saved for each finding or refactored code can potentially enhance the report and possibly increase your points. 
All valid gas optimization findings are weighted the same, regardless of how many lines of code they affect. \n\nIf a finding is notably relevant to both QA and gas savings, it can be included in either report, and the judges will decide where it best fits. \n\nRemember, if you need to add additional gas optimization findings after your report has been published, you should update the existing report rather than creating a new one. \n\nYou can find a list of all approved gas optimizations on our GitHub page [here](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md). \n\nIt's vital to clarify, however, that not all gas optimizations are valid when the optimizer is enabled, and there has been some confusion about what should be reported in such cases. Always ensure your findings are valid before submitting. \n\nWe encourage you to follow these guidelines when reporting gas optimization findings to streamline the process and improve the quality of your submissions.", "Q: How long does it take for a contest report to be reviewed, the repo to be opened, and feedback to be received from sponsors?\n\nA: The timeframe for these processes can vary depending on different factors. Typically, the findings from contests are reviewed immediately after the contest ends, but these reports then await sponsor review and final judging before being made public. This process can take 3-6 weeks on average, but may take longer if the contest has a high participation rate or a complex codebase. \n\nSponsors are usually given access to the findings repo either after the contest's conclusion or one week after with triaged and deduped issues. However, they may not always have access before the contest ends due to concerns about fairness and potential exploitation of the information. \n\nFeedback for submitted issues generally comes within a couple of months, once the contest has closed and the report is published. 
However, the timeline can be extended if the sponsor agrees. Conversely, the process of getting awards and reports out can sometimes take less than a week once the sponsor review is completed and judging is done. \n\nIn some cases, the delay in judging may be due to slow sponsor review. To address this, a deposit was introduced in March to motivate sponsors to complete their reviews on time. \n\nAfter a contest is closed, there is a certain period of time before the findings repo becomes publicly available for discussion, allowing participants to review why their submission was or was not accepted. However, the specific duration for this is not specified and can vary.\n\nOverall, the average turnaround time from the end of an audit competition to the release of reports is about a month, although efforts are being made to reduce this time. Please note that these timelines are subject to change and can vary depending on the individual contest and specific circumstances.", "Question: What is Slither, and how efficient is it as a bug finding tool for smart contracts?\n\nAnswer: Slither is a static analysis tool for smart contracts. It's primarily utilized to generate output, and while some users have reported limited success in using it as a bug finding tool, this does not undermine its potential. The tool allows users to write custom checks, which can significantly enhance its bug detection capabilities. However, to use Slither alongside certain tools, such as Foundry's remappings, you may need to identify those remappings for Slither. While there are alternatives for testing contracts, such as Mythril and Echidna, the choice of tool largely depends on your specific requirements and familiarity with the tool. It's important to note that no tool can guarantee the detection of all bugs, and the effectiveness of a tool can greatly depend on the skill and knowledge of the user. 
For more information on how to use the slingshot code (an important part of our auditing process) in the overall system, you can refer to this link: [https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#how-it-works](https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#how-it-works).", "Question: I'm new to smart contract auditing and would like some career advice. What resources are available, what should I focus on, and what are the potential earnings in this field?\n\nAnswer: Transitioning into smart contract auditing can be quite rewarding, both in terms of knowledge gained and potential earnings. The field is still developing, with room for those interested in both specializing solely in smart contract auditing or balancing it with traditional hacking and web2 security.\n\nThere are abundant resources available to get you started:\n\n1. For beginners, Code4rena recommends you start with resources like [How to become a Smart Contract Auditor](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and [Wardens: Tools and Resources](https://docs.code4rena.com/roles/wardens/tools-and-resources). \n\n2. For an interactive learning experience, you might find YouTube videos on how to audit smart contracts helpful.\n\n3. For more in-depth study, consider books and certifications on smart contract security. Additionally, there are discussions and resources available on blockchain forensics analysis, which can be relevant to auditing smart contracts.\n\n4. If you're interested in practical application, there are platforms like [ImmuneFi](https://immunefi.com/), [Spearbit](https://spearbit.com/), and [Hats Finance](https://hats.finance/) that reward for auditing smart contracts.\n\n5. Code4rena also has an #\ud83c\udfebeducation channel where you can learn more about auditing smart contracts. \n\nAs for earnings, the field is relatively new and exact figures are not readily available. 
However, the consensus seems to indicate that while the initial income might not match that of traditional software development, the gap closes as you gain experience and proficiency. \n\nIt's also worth mentioning that smart contract auditing does not require focus on the front-end of the blockchain. In fact, some roles may involve the use of specialized tools for finding vulnerabilities and bugs, or the application of machine learning techniques.\n\nFinally, while there are automated tools that report vulnerabilities, human auditors are still in demand due to the complexity of blockchain security and the limitations of current tools. \n\nRemember, the path you choose should align with your interests and career goals. Enjoy the journey into this exciting new field.", "Question: Can I form a team to participate in smart contract audits on CodeArena, and if so, how does it work?\n\nAnswer: Yes, you can form a team on CodeArena. Teams can register and submit findings collectively, which allows members to collaborate, share insights, and learn faster. To create a team, you can head over to code4rena.com/register-team. Once the team is formed, changes such as the addition or removal of members are possible by submitting a request through the help desk. \n\nEach team can comprise individuals with different levels of English language proficiency and technical skills. If you are looking for teammates, you can utilize the team-building channel on the platform. \n\nOnce you're part of a team, you are not obligated to participate only as a team. You can choose between your solo handle or your team handle when submitting a finding. It's also worth noting that all team members need to be certified to receive the payout if competing as a team.\n\nSponsor teams also provide designated contacts that participants can direct message during a contest to ask questions. \n\nThere is no technical limit to the number of members that can be part of a team. 
However, managing the same team name with different members working on different contests simultaneously or at different times can be challenging. \n\nAs a team, you can participate in auditing contests, and high-ranking teams also have the opportunity to compete. The leaderboard can be viewed at https://code423n4.com/leaderboard/ \n\nPlease note that there have been reported technical issues such as a blank page opening when selecting team members, and the exact process of submitting issues as a team has not been clearly defined. If you encounter any issues or have further questions, you can always reach out to our help desk.", "Question: Can I work solo on CodeArena's audits or do I need to be part of a team? Are there any advantages of joining a team?\n\nAnswer: At CodeArena, you have the flexibility to choose how you participate in smart contract audits. You can work solo or be part of a team. If you're part of a team, you can still choose to submit solo findings whenever you want. When submitting findings, our submission form allows you to select whether you're submitting as an individual or as a team member. \n\nTeam participation is not mandatory. However, joining a team does have its benefits. It allows you to work together, share ideas, and learn faster. All rewards go to the team and it's the team's responsibility to disperse the funds. You can create your team at [code4rena.com/register-team](https://code4rena.com/register-team).\n\nRemember, once you join a team, you're not obligated to always participate as a team. You can still participate individually. We have a team-building channel on our platform where you can look for teammates if you need to. \n\nThere have been concerns about how to manage team members who want to participate solo in a contest that their team is also auditing. These situations should preferably be discussed and handled within the team. 
\n\nPlease note that some users have had negative experiences while pairing in teams, potentially due to differing levels of experience/knowledge or difficulties in establishing trust with anonymous individuals over the internet. So, choose your team wisely. \n\nLastly, be aware that teams are considered when comparing leaderboard ranks to select people for RSVP certified jobs. This can be checked at our leaderboard [code423n4.com/leaderboard](https://code423n4.com/leaderboard).", "Question: How can I edit my submitted findings for a CodeArena (C4) contest?\n\nAnswer: You can edit your submitted findings for a CodeArena contest while the contest is still open. To do this, navigate to the specific contest page and click on the \"Your Findings\" button. This feature allows you to update the format and contents of your findings. If a user accidentally submits their findings to the wrong contest, they can submit them again to the correct contest and fill out a helpdesk form at https://code4rena.com/help/ to let C4 staff know about the incorrect submissions. Please be aware that after editing or submitting a finding, the C4 team, along with the contest sponsor, will be able to see the changes. You can confirm your submission by waiting for a confirmation email from us. If, for any reason, you need to edit your finding after the contest has closed, you can make a helpdesk request with all the information and the update for the finding. \n\nPlease note that there is ongoing discussion about allowing authors to edit their findings after the submission deadline. Also, be aware that if you submitted a finding before the deadline, it is not publicly available, and you can check it without modifying it. We are continuously working on improving our tools and procedures for a more efficient experience. 
In case of any issues related to submitting or loading submitted findings, please contact our support team.", "Question: What distinguishes a Certified Warden from a Certified Plus Warden and how can I become one?\n\nAnswer: Both the Certified Warden and Certified Plus Warden roles come with their own sets of privileges and responsibilities within Code4rena. A Certified Warden has the privilege to partake in private audits and certain contests exclusive to certified wardens. \n\nThe process to become a Certified Warden involves an application, and certain eligibility criteria, such as participating in a number of contests and submitting a certain number of valid findings or reports. As part of the verification process, you might need a passport or a certified copy of your identity. More detailed information about the process and eligibility requirements can be found at the following links: \n- https://docs.code4rena.com/roles/certified-contributors\n- https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor\n\nThe Certified Plus role has additional entry requirements and comes with the added advantage of gaining access to private repos once a contest is finished. This allows Certified Plus Wardens to see other submissions immediately after the contest ends, accelerating their learning process. They also get early access to the findings repositories, assisting with post-contest processes. \n\nThere is a private workspace for Certified Plus Wardens where they can assist with various process-related tasks. The Certified Plus status also makes one eligible for a judge role. However, keep in mind that it may take some time to be marked as certified, even after approval. \n\nIt is important to note that the ability to become a certified warden does not depend on nationality and foreigners can also apply. 
\n\nPlease note that the specifics about the privileges of Certified Wardens and Certified Plus Wardens may change over time so always check the documentation for the most current information.", "Question: How can I modify or edit my submitted findings in CodeArena?\n\nAnswer: As per the discussion in our chatroom, it's possible to edit the submitted security findings for a contest. However, it's important to note that the original submission may still be visible in the edit history, even after it has been edited. If the severity of a submitted bug needs to be increased during a contest, you can submit a help request to remove the original submission and then submit again via our help portal, accessible at code4rena.com/help. Additionally, users are allowed to update the format of their findings if necessary. \n\nWhile the functionality for authors to modify their findings directly by responding to the submission confirmation email has been proposed, it has not yet been implemented. Moreover, there is no current feature allowing submissions without authentication. It's also worth noting that a hypothetical situation was raised in our chatroom concerning a potential security threat from hackers compromising our mail server and submitting findings as their own, reinforcing the importance of secure submission processes.\n\nPlease remember that it's paramount to ensure the accuracy and completeness of your findings upon initial submission, to minimize the need for subsequent modifications. If you have incorrectly filled out a form, there should be an option to edit it as well. While the submission process may seem involved, it's designed to maintain the integrity and quality of our audits.", "Question: How can I edit my submissions or report issues on the Code4rena platform?\n\nAnswer: While we understand the need for an editing feature for submitted findings, we currently do not have one in place. 
However, our team is diligently working on improving our tools and procedures to allow users to edit their findings and speed up these steps. Until then, if you need any modifications in your reports, you can submit a help desk request here: https://code4rena.com/help.\n\nThe help desk can also be used to address issues with team changes, user status updates, or even updates on your Discord and Twitter handles linked to your C4 account. If your helpdesk request exceeds the character count, you can still edit the submission. Rest assured, our staff will assist you in editing your submissions and resolving your help tickets.\n\nWhen you submit an issue on the C4 website, you don't need to create an issue on GitHub as well, as our system handles this automatically. If you find discrepancies in the reports, feel free to create a ticket.\n\nWe are considering various proposals to enhance the user experience, including a tool for sponsors to fix smaller issues in advance, aimed at reducing spam submissions. We sincerely appreciate your patience and cooperation.", "Question: \nI've been having issues with email notifications from CodeArena, can you help me understand how this process works and what I can do if I experience problems?\n\nAnswer: \nCertainly, typically, the confirmation of issue submission and other updates from CodeArena are sent out to users through an email from submissions@code432n4.com. However, we've noticed some users have experienced issues receiving these emails. \n\nThere have been instances where the email was not delivered successfully due to an error with our domain. If you are expecting an email from us and haven't received it, please check your spam folder as some participants have reported our emails landing there. If you find our emails in your spam folder, please mark them as \"Not Spam\" to help ensure future emails arrive in your inbox. 
\n\nAlso, please be aware that there are some email notifications we currently do not send such as for updated issues or for updates on issues. We are working on improving our communication methods to keep our user base better informed. If you're awaiting confirmation for becoming a certified warden and haven't received an email, please let us know.\n\nSome users have also reported not having access to the findings repo on Github, please reach out to us if you need to be added to the backstage group on Github. Feedback on submissions, including those that were denied, may not be provided directly to the user but can be checked on the public GitHub repository [here](https://github.com/code-423n4/code423n4.com/pull/2095).\n\nPlease note that for Maple submissions, the recommended channel is [https://c4-maple.netlify.app/](https://c4-maple.netlify.app/), not through email. Additionally, if you have any other issues such as not receiving a password reset email, please let us know, detailing your username and any other relevant information to help us troubleshoot effectively. \n\nLastly, if you want to change any personal details, you can do so in the account settings. You can change your email, discord and github username, but not the link or photo.\n\nWe appreciate your patience as we work out these issues and strive to provide a seamless experience when using CodeArena.", "Question: What can you tell me about the status and distribution of LPT and Insure rewards?\n\nAnswer: We understand there's been a lot of anticipation and curiosity surrounding the status and release of LPT and Insure rewards. We want to assure everyone that we are aware of these inquiries and are working diligently to address them. While we can't provide specific dates due to various factors at play, we can confirm that the rewards are expected to be settled and distributed soon. Furthermore, the reward for LPT tokens and NFTX are also pending. 
As for how these rewards might impact the leaderboard, it's best to keep an eye on our leaderboard updates which are announced periodically. If you've submitted a new detector, your reward will be in the form of \"Karma Points\". We apologize if there has been a delay in announcements of rewards and we appreciate your patience and understanding. For any other reward-specific questions such as the rewarding formula for contests, change of wallet address for report rewards, or specifics on contest rewards like the \"arcade reward\" and the \"pool together reward,\" we encourage you to refer to our contest guidelines or reach out to our support team for more personalized assistance.", "Question: How does indexing in Event fields of Smart Contracts affect gas usage and off-chain parsing, and what should I consider when I am dealing with indexed fields?\n\nAnswer: In the context of smart contracts, indexing is a feature that impacts the event fields. When a field is indexed, it becomes easier for off-chain tools to parse the data, enhancing the efficiency of data management and extraction. However, indexing comes at a cost, it increases the gas used during the emission of events. \n\nSpecifically, there was a mentioned issue about missing indexed fields in an event, which can be seen in detail here: https://code4rena.com/reports/2022-05-sturdy/#n-10-event-is-missing-indexed-fields. This highlights the importance of indexing fields for off-chain tools to parse data efficiently, but at the same time, it reminds us to consider the gas cost during the event emission.\n\nWhen working with indexed fields, it is important to balance the need for easier parsing with the potential increase in gas cost. This can be especially relevant when optimizing smart contracts to reduce gas costs, not just for protocol contracts, but also for other contracts and non-view/non-pure functions. 
\n\nFor a deeper understanding of the concept of indexing, you can refer to the Solidity documentation here: https://docs.soliditylang.org/en/v0.8.14/abi-spec.html?highlight=indexed#events. However, like many aspects of smart contract development and auditing, it may require some experience and understanding of the overall system, including interfaces and state variable changes, to fully grasp. \n\nRemember, when working on smart contract optimization and encountering issues, it's recommended to report them separately for different optimizations. The severity of these issues can impact their acceptance and is generally determined by judges or sponsors.", "Question: What is the best way to reference code in reports for auditing smart contracts?\n\nAnswer: The best way to reference code in reports for auditing smart contracts is a topic of some debate. There are generally two approaches that users take: \n\n1) Providing a URL to the GitHub repository with the line number mentioned in the text. This can be done by clicking on the specific code line on GitHub, which changes the URL. Holding SHIFT can capture a range of lines. An example of this could be a reference to a specific section of the USDT token code on Etherscan: https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95.\n\n2) Providing a solidity code block. This can be helpful when discussing specific lines of code, especially in the context of smart contract vulnerabilities. 
However, it's recommended to also include the URL to the repository with the line number for completeness.\n\nWhen referencing a smart contract's line of code like 'require(abc<123)', it's considered a valid low finding as a \"magic number\" and it's suggested that declaring constant value will make the code more readable.\n\nAlso, in the 'Links to Affected Code' section of high/medium findings, one can add the GitHub permalink for the respective code block.\n\nHowever, it's important to consider the potential for mismatch between the number of lines of code mentioned in the README.md and the actual lines in the contract files, as has been noticed in some repositories (e.g., https://github.com/code-423n4/2022-01-sherlock). \n\nAdditionally, it's crucial to understand how to properly format Solidity code in submissions to make it easier for others to read and understand. This can be done using the MD format for adding Solidity syntax to code blocks.\n\nUltimately, the best method for referencing code may depend on the complexity and length of the code, the specific details of the smart contract audit, and the preferences of the readers. More information can be found at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md and https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.", "Q: Why do I now need to sign in with MetaMask to submit a report on CodeArena, and can I use a new wallet address in my reports moving forward?\nA: The requirement to sign in with MetaMask was introduced when we rolled out wallet-based authentication for our website and submission form. Originally, non-logged-in users were still supported to allow time for re-registrations and we used the label \"old-submission-method\" in reports to track this transition. Now, however, signing in with MetaMask has become a requirement to submit findings. 
You will need to connect your wallet when you sign in, but not every time you submit findings. \n\nIf you have already submitted findings before, you should be automatically redirected to a confirmation page rather than the registration page when you connect your wallet. Please note, you are not required to login with a wallet to participate in contests, but it is necessary to submit findings and receive rewards for them. \n\nIf your MetaMask wallet has been compromised or hacked, you can use a new wallet address in your reports moving forward. The rewards for the reports will then be distributed to the new address. If you need to change the login address on CodeArena due to a compromised account, a help desk request needs to be submitted with the details and a mycrypto.com signed message. Please bear in mind that wallet reviews on our platform may affect your ability to submit findings.\n\nFor more information, you can refer to the following link: [https://discord.com/channels/810916927919620096/810929015509483554/991410741678719278](https://discord.com/channels/810916927919620096/810929015509483554/991410741678719278)", "Question: Why is there a discrepancy between the announced sum for contests and my computed sum, and how are contest rewards distributed amongst multiple findings of the same bug?\n\nAnswer: Discrepancies between announced sums and personal computations may occur for various reasons. For instance, in contests like the Forgotten Runes, judges may participate and receive credit for their findings on the leaderboard despite forfeiting their winnings, which could affect the sum. Additionally, errors in computation, such as double-counting items on the leaderboard or typing errors, can also cause discrepancies. Changes to a contest's bounty, such as the Cally contest where the bounty was updated from 50K to 75K, can also contribute to such inconsistencies. 
\nHowever, most of the time, discrepancies are due to the reward distribution mechanism for multiple findings of the same bug. If multiple auditors report the same bug, they all get a portion of the bounty, thereby reducing the individual payout. The overall value of the bug is divided based on how many people find it. Factors such as the level of detail in a submission, including a Proof of Concept (PoC), and how comprehensively the issue is covered can influence the award amount. Please keep in mind that the leaderboard may not update immediately with these changes. For more information, check Ellie's Math Geekery thread [here](https://discord.com/channels/810916927919620096/957048606962106408/957049602291413022). Also, refer to the specific contest readme for contest-specific reward calculations.", "Question: How can I become a Certified Warden at Code4rena, and where do I make comments pertaining to Warden Auth, issues, and reports?\n\nAnswer: To become a Certified Warden at Code4rena, you can apply through our website at https://code4rena.com/certified-contributor-application. More information on the role and its application process can be found in our documents at https://docs.code4rena.com/roles/certified-contributors and https://docs.code4rena.com/roles/wardens. \n\nOnce your application has been reviewed and approved, you are granted access to various features. This includes the ability to submit findings, view the repo, and comment on reports. Comments related to warden auth, issues, and reports can be made in the #auth-help channel. \n\nA special feature for certified wardens with an established level of contribution is backstage access. This allows you to observe the report submission and triage process and, for some, comment on the judges' decisions during a post-judging QA period. More details on backstage wardens can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. 
\n\nShould you encounter any issues while submitting findings, registering as a warden, or interacting with the warden system, please communicate directly with our staff for further clarification. Additionally, if you have questions about the Certified Wardens process, you can ask Code4rena directly. We also suggest reviewing other warden's submissions on GitHub to learn from marked and invalid cases. Please note that to access the team-formation channel or contest preview channel, you should register as a warden first.", "Question: How is it possible that the amount of tokens received by a contract is less than the amount specified in a report? \n\nAnswer: The discrepancy between the amount of tokens received by a contract and the amount specified in the report could be due to the way \"fee-on-transfer\" tokens operate. Fee-on-transfer tokens are a type of token that deducts a small fee from every transfer made. This means that the actual amount received by a contract could be less than the original amount sent. For instance, if you were to transfer 200 tokens and the fee is 2%, 4 tokens would be sent to the token contract owners, with the remaining 196 reaching their destination. \n\nPlease note that not all tokens are fee-on-transfer tokens, and the rules can vary depending on the specific token contract. For example, ERC721 or ERC1155 contracts may have a recipient contract call function onReceive, which could affect the received amount. It's best to understand the specifics of the token contract you are dealing with. \n\nFor more details and an example report, please refer to the following link: [GitHub - Code 423n4 Findings](https://github.com/code-423n4/2022-04-axelar-findings/issues/5). \n\nAlso, remember that the reporting of smart contract issues can differ based on the judgement of the reviewer. Reports are graded and the best report typically receives more money. 
You can find more about the incentive model and awards policy at [Code4rena Docs](https://docs.code4rena.com/#incentive-model-and-awards). \n\nFinally, if you're submitting gas optimization reports, the necessity to specify how much gas is being saved for each optimization is subject to the judge's decision. More information on this can be found at [Code4rena Docs - Curve Logic](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic).", "Q: Why is there a discrepancy between the announced award amount and the sum of my findings in the Forgotten Runes PR? Additionally, how are the rewards divided among multiple finders of the same issue?\n\nA: The discrepancy between the announced award amount and the sum of your findings in the Forgotten Runes PR could be due to the participation of the judge in the contest. Judges will forfeit their winnings, but they will still be credited for their findings on the leaderboard, causing a difference in amounts between what is awarded and what is on the leaderboard. \n\nRegarding the division of rewards among multiple finders of the same issue, the prize amount is not directly linked to who finds the bug first. The overall value of the bug is reduced and split based on how many people find it. However, the quality of the report can influence the award amount. For instance, a report that includes a Proof of Concept (PoC) and covers the issue in as many aspects as possible will typically receive a higher reward. \n\nFurthermore, duplicate findings that do not exceed a certain threshold might not receive any money. Non-critical findings also do not share in the award pot. In a situation where only one high and one medium issue are found, the reward distribution would be calculated based on these factors. \n\nAfter announcing the awards, the rewards are sent out manually in batches for multiple contests at a time. 
For detailed information on our incentive model and awards division, refer to our guide at [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards). \n\nFor the specific PR related to the Forgotten Runes contest you mentioned, you can check the details here [https://github.com/code-423n4/code423n4.com/pull/2353/files#diff-74910905ffc9d3c8f8510410dbaa9089f77209d36db0cf1368c1cb7e32e92473R13694-R13696](https://github.com/code-423n4/code423n4.com/pull/2353/files#diff-74910905ffc9d3c8f8510410dbaa9089f77209d36db0cf1368c1cb7e32e92473R13694-R13696).", "Question: Are all types of tokens subject to fee-on-transfer and how does it affect the transferred amount?\n\nAnswer: No, not all types of tokens are subject to fee-on-transfer. Fee-on-transfer tokens are designed to remove a small fee from every transfer, which is why the amount of tokens received by a contract might be less than the transferred amount. This is particularly important when interacting with various token contracts. The use of functions such as \"safeTransferFrom\" can vary depending on the token used and the expectation of the code. A notable example of a fee-on-transfer token is PAXG, the source code of which can be found on Etherscan at [this link](https://etherscan.io/address/0x74271f2282ed7ee35c166122a60c9830354be42a#code). Keep in mind that trading callbacks in Solidity can be activated by several methods, including safeTransferFrom onERC721Received, onERC1155Received of ERC1155, and tokensReceived tokensToSend of ERC777. Also, be aware that while transferring ERC tokens via platforms like Uniswap, there is a minimal fee of 0.05%. 
Therefore, it's crucial to understand the token's mechanism before any transfer to avoid any unexpected fees or discrepancies in the amount received.", "Question: How do you access the state variable of a different contract and what considerations should be kept in mind regarding state variable visibility and its related security implications?\n\nAnswer: To access the state variable of another contract, you need to call the specific instance of the contract you want to query, like contractB(contractBaddress).stateA(). However, it's important to understand the visibility of the state variable. \n\nIn Solidity, functions are automatically generated for public storage variables, constants, and immutables which aren't stored in storage. Private storage variables require a view function to be seen. An example of this is the _totalSupply variable in the OpenZeppelin contract. More information about state variable visibility can be found at the Solidity documentation here: https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility.\n\nMoreover, it's also critical to understand the security implications and the severity of changes related to state variables in smart contracts. The severity of issues can vary considerably, especially if a bug in a contract impacts another contract. For example, in upgradeable contracts, changes to the state variables can have severe implications. \n\nFinally, it's also important to note that Solidity stores state variables in 32 bytes storage slots, and multiple variables can potentially be packed into a single slot if they are declared next to each other, which can reduce gas costs. You can read more about this here: https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html. 
\n\nOverall, accessing state variables from different contracts is a nuanced process that requires a thorough understanding of Solidity's contract visibility rules and potential security implications.", "Question: How does assert() impact gas consumption and what are some practices to optimize gas in smart contracts?\n\nAnswer: Prior to version 0.8.0, assert() consumed all gas in Ethereum transactions, regardless of the transaction's success or failure. However, since version 0.8.0, assert() does not consume all gas. The remaining gas is refunded if the assert fails. There are also other practices that can help optimize gas usage in smart contracts. For instance, using immutable variables, which cost less gas than constants, can be helpful. You can find an example of this in this [Github link](https://github.com/code-423n4/2021-11-overlay-findings/issues/111).\n\nAnother way to save gas is by using custom errors instead of require statements with a string, which can save approximately 50 gas each time they're hit by avoiding the need to allocate and store the revert string. You can find a detailed explanation of this in these links [here](https://gist.github.com/IllIllI000/ad1bd0d29a0101b25e57c293b4b0c746) and [here](https://blog.soliditylang.org/2021/04/21/custom-errors/#errors-in-depth).\n\nFurthermore, calling a view/pure function from a non-view/non-pure function in the same contract does cost more gas. It is also recommended to use the 'unchecked' command in loops as a way to further optimize for gas. Excluding the increment (++i) in a for loop can also reduce gas costs significantly.\n\nLastly, for gas optimization in smart contracts, it is recommended not to initialize default variables to 0 and function inlining can be used to save gas in smart contracts. 
\n\nPlease note that it's essential to analyze the specific needs of your smart contract and the context in which it operates to determine the most effective gas optimization strategies.", "Question: What happens if I submit a finding that is determined to be incorrect or false by a judge? Will I receive feedback about it?\n\nAnswer: Yes, if a judge determines that a submission is incorrect or false, they will typically provide an explanation on why the finding was marked as invalid. Participants can view this feedback by going to the contest repository when it's made public. Additionally, if a participant realizes that a submission is a false positive after making it, they can retract the submission by navigating to the contest page and clicking on the 'Findings' tab. \n\nIt's also worth noting that there is currently no penalty for incorrect submissions. However, all participants are advised to read the discussions about grading and awarding criteria, as there could be potential penalties for incorrect submissions in the future. \n\nIf a submission was made but was not rewarded, participants can review why it was not accepted once the contest report is made public and the repository is fully opened. This allows participants to see the discussions among sponsors and judges on the specific issue. Also, if a correct bug issue is submitted with an incorrect proposed solution, the submission can be updated if the contest hasn't ended.\n\nThere is also no disadvantage for reporting a finding that is later determined not to be an issue. However, it is recommended that such reports be withdrawn to save the judges' time. If uncertain about a finding, participants can contact judges directly to seek advice before submitting. \n\nTo view or edit your findings, navigate to the contest page and click on the 'Your findings' button. If a submission fails, participants should receive an error message. Successful submissions are confirmed via email. 
Remember, the severity of issues can be updated post-submission by judges, so a high-risk finding could still be rewarded if judged as low risk, and vice versa. \n\nLastly, if a participant submits a finding with a proposed mitigation, but the judge and sponsor disagree, the final decision on the mitigation rests with the sponsor. Even if the mitigation is not accepted, participants will be credited for highlighting a judge-approved bug or logic flaw.", "Question: What are the benefits and access rights of being a Certified+ member at CodeArena, and how can I view submissions and participate in contests?\n\nAnswer: As a Certified+ member at CodeArena, you are granted several exclusive privileges. Firstly, you are given access to more contests, including both public and private contests. For private contests, you can RSVP in the #\ud83d\udd96rsvp-certified channel and aim for a high position on the leaderboards from the last 90 days. More information about these exclusive contests can be found in the certification documents. \n\nYou also gain access to private repositories where you can see what others have submitted once a contest is completed. This accelerates your learning process as you can learn from the work of others. You can view your QA reports for contests that have already closed. \n\nHowever, being certified does not automatically grant you access to the previously participated contest's in-progress judging repository. To view reports of past contests, you would need the backstage role. More details can be found on how to obtain backstage access [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). \n\nTo qualify for Certified+ status, you need to complete the certification process with ProvenanceDAO and participate in more than 3 contests. There are suggestions that the criteria for certification+ could become more stringent in the future, such as being in the Top 3 in 3 contests or making a high finding. 
\n\nIf you believe you qualified for Certified+ but cannot find the correct submission form, or you have any other inquiries about the certification process, participation in contests, or viewing submissions, feel free to ask in our Discord chatroom.", "Question: What is the process and potential consequence if a vulnerability is submitted but it turns out to be a mistake or misjudgment on the warden's part?\n\nAnswer: In instances where vulnerabilities are submitted but turn out to be a mistake on the warden's part, historically, no penalty has been applied. However, it is crucial for wardens to submit findings in good faith. If the rate of false submissions were to increase and it became clear that individuals were attempting to exploit the system, there could potentially be rule changes to address this. \n\nIf you submit a vulnerability with what you believe to be a high severity, for example, and the judge disagrees, the issue might be downgraded. Nevertheless, you would still be awarded for the found issue, unless judges invalidate it for overinflating severity. If wardens report the same vulnerability but with different severities, they are given the same severity for the award calculation. This is due to the deduplication process and the judging/determining severity that happens afterward.\n\nWhen considering reporting bugs, the severity to be reported depends on the impact of the bug. Wardens are encouraged to refer to the guidelines for estimating risk provided in the following link: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. \n\nAdditionally, according to the submissions policy, submissions based on automated findings need to provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be deemed satisfactory. 
More information can be found here: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.\n\nIt is also worth noting that if a bug relies on users making a mistake in interaction with a contract, it may still be valid, but will likely not have the same severity as if it doesn't require a mistake. Finally, if there are concerns or issues with a report, clarification may be sought from the other \"wardens\".", "Question: What should I do if I've accidentally submitted my findings to the wrong contest on CodeArena?\n\nAnswer: If you've accidentally submitted your findings to the wrong contest, don't worry, you can rectify this. First, you should submit your findings again to the correct contest. You can do this by navigating to the correct contest page and clicking on the 'your findings' button. \n\nIf you realize something is a false positive after submission, or if a correct bug issue is submitted with an incorrect proposed solution, you can retract or edit your submission from the contest page. To do this, go to the contest page and click the 'Findings' tab or the 'Your Findings' button. From there, you can withdraw your findings or edit them as necessary.\n\nAfter submitting your findings to the correct contest, you should then fill out this form to let the C4 staff know about the incorrect submissions. Here is the link to the form: https://code4rena.com/help/\n\nRemember, you can always track your report status and see and edit your findings in the \"findings\" tab next to the contest description. If a submitted bug severity needs to be increased during a contest, you can submit a help request to remove the original submission and then submit again via the above link. \n\nLastly, if you've encountered any issues or have any concerns, don't hesitate to ask for support. 
The CodeArena team is always here to help.", "Question: Is obsolete code considered a quality assurance (QA) issue or a gas optimization issue at CodeArena, and how should these issues be reported?\n\nAnswer: Yes, obsolete code is considered a quality assurance (QA) issue at CodeArena. However, it can also be categorized as a gas optimization issue, especially when each action costs gas. This categorization depends on the impact of the issue. If a low issue or non-critical (QA) bug is discovered that also reduces gas, it should be included in the QA category and mention the gas savings. But if the issue is purely related to gas savings, it could be downgraded from QA to Gas. Code simplification, such as combining two for loops into one, can also be considered either QA or Gas optimization depending on the context.\n\nWhen reporting these issues, users can submit one combined gas and one combined QA report, and they can edit existing findings. All QA/gas reports issues should be combined into a single report. If the same type of issue is discovered more than once, they should all be reported together. The amount of detail required for these reports is not as comprehensive as for high severity issues. Examples of top QA/Gas report can be found at https://code4rena.com/reports. It's also suggested to mention the amount of gas saved for every finding, and provide proof of how much gas the refactoring saves as it may affect the grade of the submission.\n\nMoreover, gas optimization strategies, such as function inlining or using the 'unchecked' command in loops, can be employed. If a gas optimization finding applies to more than one line of code, it should be reported as one finding and mention all applicable lines. Note that currently, there's no intentional incentive for reporting QA type of submissions, as sponsors are more interested in high/medium/low severity vulnerabilities and gas optimizations. 
\n\nFor more details, you can refer to https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md for gas optimizations and https://github.com/byterocket/c4udit for the static analyzer used by CodeArena for QA and gas optimization. Lastly, discussions around how QA and gas reports handle duplicates and their formulae can be found in the recent CodeArena report: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations.", "Question: What is the process and timeline for LPT and Insure payments, and how are unexpected issues like changes in payment addresses or delayed contest rewards addressed?\n\nAnswer: LPT and Insure payments, along with other rewards such as NFTX, are typically batched and processed once a week, though this can take up to two weeks due to the need for double-checking at each step to ensure that it is done correctly and securely. We understand that sometimes issues can arise, such as unexpected emails regarding changes in payment addresses or delays in contest rewards. If you receive an email about a change in your payment address without your knowledge, please report the issue and our team will investigate. \n\nAs for the delay in contest rewards, there may be a variety of reasons. For larger contests involving over 12,000 sloc, for example, the timeline can extend to 4 weeks. Additionally, the audited reports validated by judges typically take about 4 to 6 weeks to be received. If there are changes to the report and rewards calculation system, this can also cause a delay in updating the content reports on our homepage. We assure you that we're always working on updating past project results and they should be up soon.\n\nAlso, please note that after an audit payout, it usually takes a few weeks for the compilation of reports. There is a possibility of revising the payment amount (increase or decrease) after payout. 
\n\nWe appreciate your patience as we strive to ensure the accuracy and security of payments and encourage you to reach out with any questions or concerns. Updates on payments, awards, and other important information are announced on our Discord chatroom. \n\nRest assured, we are working hard to ensure that all payments and awards are processed in a timely and secure manner. Thank you for your understanding.\n", "Question: How can I track, view, and manage my submitted audit reports in CodeArena?\n\nAnswer: CodeArena provides several ways for users to track and manage their audit reports. After you've submitted a report, you can track its status and edit your findings under the \"Findings\" tab next to the contest description. An email confirmation is also sent to verify successful report submissions. \n\nYour submitted reports, including those for contests that have already closed, can be viewed in your CodeArena profile. To maintain competition integrity, only the findings you or your team submit will be visible to you until the final report is made public. \n\nOnce a report is published, the findings repository is made public, and you can check your submissions against this. For further insights on what a high-quality submission looks like, you can review previous reports and findings. \n\nYou can also view your Analysis Report to see the details of your submissions. If you've submitted findings, you can check the issues on Github via the report link. Any discrepancies or issues can be addressed by creating a ticket or a help desk request. \n\nAdditionally, there are discussions ongoing about integrating CodeArena with Github to provide specific timestamps and consolidating recent reports into a database for future references. Please stay tuned for these potential features.\n\nLastly, if you have further questions about past findings or encounter issues with your report status, you can submit a help desk request for assistance. 
CodeArena is committed to providing a comprehensive and user-friendly audit report tracking system.\n", "Question: How can I confirm that my issue has been correctly submitted and received, especially given the occasional technical difficulties with email confirmations and site submissions?\n\nAnswer: Receiving confirmation for your submitted issue involves several steps. Initially, you should receive an email confirmation for your submission. If you do not receive this, make sure to check your spam folder as the email might be directed there. There have been instances of delays or failures in receiving these emails, which could be due to various factors such as an incident on GitHub (refer to https://www.githubstatus.com/incidents/r5qrpp2f5fc0 for such instances). \n\nYou can also double-check and review issues before they are reported. Once your issue has been reported, you can check your issue for the findings you sent on GitHub from the report. There is also a process for checking reported findings via a link on the Discord channel.\n\nIt's important to note that if you submitted issues for a contest but did not make the award list, it is likely that your issues were rejected. You can confirm this by reviewing the available report. If you have queries about an issue marked as invalid, you can monitor the backstage channel for the post-judging stage of the concerned contest.\n\nIf you have submitted a report for the first time and received an error, you can check if it has been successfully submitted by checking your email for confirmation or viewing the findings through the \"View Context\" function.\n\nRemember to unblock captcha in your browsers when experiencing errors in submissions and ensure that the GitHub account you're using is logged in and that it's the same account given for CodeArena.\n\nIn case there are still difficulties, reach out to the team through the help form at https://code4rena.com/help. 
The team is aware of site issues as they arise and works actively towards a resolution.", "Question: I have completed the certification process with ProvenanceDAO and participated in more than three contests at CodeArena. When can I expect to receive my Certified+ status?\n\nAnswer: After completing the certification process with ProvenanceDAO, the status of the certification process is generally updated within 5 business days by the C4 team. You'll be notified about your updated status via email. However, to be eligible for Certified+ status, there are additional criteria to meet. These often include achieving a high finding in contests or being in the Top 3 in multiple contests. \n\nOnce you have attained Certified+ status, you'll gain access to private repositories after a contest is finished, enabling you to see what others have submitted and expedite your learning process. This status also allows you to join any contest including those exclusive for certified participants. \n\nFor instance, to participate in private contests after certification, you can RSVP in the rsvp-certified channel and ensure a high position on the leaderboards from the last 90 days. Also, to receive payment for contests, such as the OpenSea contest, you need to complete the form at https://code4rena.com/certified-contributor-application and go through the ID verification process run on behalf of CodeArena by Provenance. \n\nPlease note that despite being certified, you may not automatically gain access to the previously participated contest's in-progress judging repository. You'll require backstage access for that, which is granted once you meet certain criteria like the number of findings and contest participations. \n\nLastly, keep in mind that the criteria for Certified+ status may become more stringent in the future as per community suggestions.", "Question: How can I confirm the receipt and check the status of my issue submission at CodeArena? 
\n\nAnswer: Once you submit an issue at CodeArena, you will receive a confirmation email. This email is the primary method to confirm that your submission has been received successfully. If you do not receive this email, please check your spam folder as it might have been redirected there. In case of any delays in receiving the email, please be patient as it could take some time. \n\nYou can also double-check your submission by reviewing your report on Github where you can view the findings you sent. This way, you can review your issues before they are reported. To view all the reports you have submitted during the competition, you can use the \"View Context\" function.\n\nIf your issue submission did not make it to the award list, it might have been rejected. This can be confirmed by reviewing the available report. If an issue is marked as invalid, you can query about it by monitoring the backstage channel for the post-judging stage of the concerned contest. In case of a \"sponsor-disputed\" issue where no explanation is provided, you can check for duplicates and directly ask the judge after judging. \n\nIn case of any issues with the confirmation emails or if you have any doubts regarding your submission, you can create a helpdesk request. The process of submission includes a confirmation that your request has been received. If it's your first time submitting a Quality Assurance report and you receive an error, you can check for a confirmation email or view the findings through the \"View Context\" function to confirm successful submission.\n\nIt is important to note that duplicate issues might not receive a reward, the reward is often given to the first reporter. Be sure to understand how to assess the severity of the issues you report as it can affect your reward.\n\nPlease remember, at each step of the payment process, there is a double-checking process to ensure your rewards are given correctly and securely. 
If you are unsure about why your finding was rejected, do not hesitate to ask for the reasons. The CodeArena team strives to provide clarity and assistance in all stages of the issue submission process.", "Q: What is the process and time frame for completing a smart contract audit, and what does the \"reporting\" part of the process entail? \n\nA: The process of auditing a smart contract at CodeArena (C4) includes several stages such as Sponsor Review, Judging, Awarding, and Reporting. The review and judging phases can be time-intensive, particularly with high participation rates or a complex codebase. Following the awarding phase, we move on to the \"reporting\" phase. In this phase, C4 staff or sponsors draft/edit the report for the contest, and it's reviewed prior to publication. This phase can also be time-consuming, especially if there are critical or complex findings that need to be mitigated before the report is published. It's essential to note that the final published report may not include all findings submitted for a contest, and understanding the reason for this might require waiting until the reports are published. The average turnaround time for this process can range from 2 to 6 weeks, but it could take longer depending on the complexity and volume of the findings in a particular contest. \n\nIn terms of making submissions, we recommend having one big report for gas issues and one big report for Quality Assurance (QA). There are discussions on how to categorize findings that could fit into multiple categories in a report, and if you're unsure, it's best to reach out for clarification. Once the final report is published, it allows participants to understand the results of their submissions. It's worth noting that the report and rewards calculation system is currently undergoing changes, which could affect the time taken to compile these reports. We assure you that efforts to reduce turnaround times is a high priority for us. 
You can check the status of specific reports, or any changes to this process, on our official website or Discord channel.", "Question: How do I handle payouts to a team when the payout address is a smart contract? \n\nAnswer: If your team's payout address is a smart contract, the prize money will still be sent to this single address after an audit contest. The responsibility of distributing these funds amongst team members falls on the team. This distribution can be managed through multisig wallets or using a contract like OpenZeppelin's PaymentSplitter, which can be found here: https://docs.openzeppelin.com/contracts/4.x/api/finance#PaymentSplitter. \n\nRegarding the timing of rewards, they are not distributed immediately after computation due to the use of multisig wallets, which require signatures from multiple parties before funds can be released. However, CodeArena plans to distribute awards via smart contract once more pieces are in place, which would automate this process. \n\nIf you need to update the wallet address used in a finding, this can be done after the finding has been submitted and before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. \n\nPlease note that the guidelines on how to report issues related to smart contracts, and other procedures for disclosing such issues, can be found at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md. \n\nLastly, if invoice is required for contest payouts, it should be sent to the Code4rena Foundation.", "Question: How can I change my nickname, avatar, or other details on my CodeArena (C4) account, and what will be the impact on my leaderboard status and previous submissions?\n\nAnswer: At CodeArena, we have different ways to adjust your profile details depending on what you want to change:\n\n1. **Nickname/Username:** To change your nickname or username, you'll need to create a new registration. 
This includes registering a new Discord handle or re-registering using your existing email or GitHub address. However, be aware that if you were previously on the leaderboard, you would need to start over with the new name as leaderboard standings and submissions under the previous handle are not transferable to the new account. Your Discord nickname should remain as your registered C4 username.\n\n2. **Avatar/Profile Photo:** If you would like to change your profile avatar or photo, you can submit a help desk request at [https://code4arena.com/help](https://code4arena.com/help). \n\n3. **Twitter/GitHub username:** Similarly, you can change your Twitter or Github username on C4 by submitting a help desk request. \n\n4. **Wallet Address:** You can also change your registered wallet (login address) on the platform. \n\n5. **Team Name:** Details about how to change your team name on CodeArena are not provided, however, you may find relevant information by submitting a help desk request.\n\nPlease note, some users have experienced mismatch issues between their site username and Discord nickname in the past. If you encounter such an issue, we recommend reaching out to our developer team via the Help Desk for review.", "Question: When are the upcoming code audit contests taking place at CodeArena and how can I participate in them?\n\nAnswer: CodeArena frequently organizes contests for auditing smart contracts, including those related to staking platforms and streaming protocols. Upcoming contests are regularly listed on the CodeArena main page (https://code4rena.com). For example, you might be interested in the upcoming Livepeer contest (https://code4rena.com/contests/2022-01-livepeer-contest) or the Basin audit for the Bean Money protocol (https://code4rena.com/contests/2023-07-basin). \n\nMore detailed information about the contests, including the contest rules and judging and payout timelines, can be found in the CodeArena documentation (https://docs.code4rena.com/). 
If you want to participate in private contests, you'll need to complete KYC and become a certified warden. You can find more information about this process in the CodeArena documents. \n\nIf you identify a vulnerability during a contest, you can reach out to the sponsor team or disclose it directly to them, but remember to submit it via the contest submission form to be eligible for awards. If you have issues related to rewards distribution, you can submit a Help Desk request here: https://code4rena.com/help/.\n\nCodeArena encourages beginners and experienced developers alike to participate, and they are open to the possibility of hosting Rust contests in the future. They are also considering implementing a system for using different wallets for different submissions in a single contest. So keep an eye on their documentation and main page for updates on these fronts. \n\nRemember, finishing in third or fourth place in Code4Rena contests is considered a highly-valued achievement in the industry. Good luck!\n", "Question: I'm a Certified Warden at CodeArena, and I was under the impression that I'd have access to a private channel and early access to reports. However, I can't find this channel or know how to access these reports. Could you provide clarity on the role and privileges of a Certified Warden?\n\nAnswer: As a Certified Warden, you should indeed have access to a private channel where you can assist with various process-related tasks. This is a workspace for Certified Wardens to help streamline post-contest processes. However, it's important to note that you do not get early access to reports, but rather, early access to findings repositories. It's the Certified+ Wardens who have this privilege. \n\nBeing a Certified Warden comes with other benefits too, such as backstage access which allows you to observe the report submission and triage process. This privilege is only open to those who have a certain level of contribution established. 
It's also worth mentioning that Certified Wardens must have a backstage role to access specific reports, such as the Chainlink Staking v0.1 on C4. \n\nThere is a certification process which includes a Know Your Customer (KYC) procedure. The process to become a Certified Warden and additional information on the role can be found [here](https://docs.code4rena.com/roles/certified-contributors). Detailed information on the backstage access can be found [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). \n\nIt's worth noting that your email and GitHub username will not be publicly listed by C4. However, as a Certified Warden, you will be part of a permissions group/team on GitHub that gives you access to private repos. \n\nPlease make sure you're registered as a warden to gain the necessary permissions. If you're unsure, you may verify your registration through this [discord link](https://discord.com/channels/810916927919620096/810931711609143326/1092556195337863309). If you're still facing issues, please let us know and we'll be happy to assist further.", "Question: What does it mean to be certified at CodeArena (C4) and how can I participate in different roles within the platform?\n\nAnswer: Being certified at CodeArena (C4) means that your identity has been verified, this does not require full-time commitment and does not prohibit you from being employed elsewhere. The certification process allows you to participate in various contests and roles within the platform. \n\nIt's possible to participate in certain contests without being certified. However, if any of your submissions are awarded, some contests require certification for pay-outs. You can apply for certification if you meet certain criteria. This might include having a certain number of valid findings or reports, or having participated in a certain number of contests. 
For example, a warden who has encountered one high severity bug and has competed in at least three contests can be eligible for certification.\n\nCertification also grants you the possibility to apply for the backstage role at CodeArena. This role requires meeting certain qualifications including having a certain number of findings in different areas or of different scores. To gain access to backstage, you can submit a help desk request if you meet the qualifications based on published contest results.\n\nThere are a few other roles you might be interested in. For example, the \"scout\" role and the \"lookout\" role were mentioned in our chat, but no specific requirements were detailed. Being a certified warden makes you eligible for a judge role, but certification may not be required at the current time.\n\nBeing certified does not automatically grant access to the previously participated contest in progress judging repository - backstage access is needed for that. Also, not everyone desires to go through the KYC (Know Your Customer) verification process to become a backstage warden.\n\nIf you're interested in participating in a versus contest, certification is a requirement. Additionally, teams are considered when comparing leaderboard ranks to select people for RSVP certified jobs. \n\nRemember, participation in contests is not only a way to improve your skills, but it also allows you to progress within the platform and take on new roles. To apply for a certification or any role, you can contact the organization through the help desk form.", "Question: As a new warden at CodeArena, what process should I follow to understand the system, access resources, and become a certified warden?\n\nAnswer: As a new warden, the learning curve may seem steep as you will need to understand the architecture of different projects, interact with the code, and identify vulnerabilities within a set time frame. It's important to take notes while auditing to help with this process. 
\n\nTo become a certified warden, there's a specific process to follow which includes completing a Know Your Customer (KYC) process. It's worth noting that being a certified warden makes one eligible for a judge role, although certification may not be required at the current time. There may also be a requirement to participate in a certain number of contests and have a certain number of valid findings or reports to become certified.\n\nTo access resources like the team-formation channel, you need to register as a warden. This channel can be useful for teaming up with other wardens with complementary skills. For instance, wardens who are great technical writers but just starting as auditors can team up with wardens who are more technically advanced but have less advanced English communication skills.\n\nOnce registered, you become eligible to participate in contests such as the \"vs contest\", which involves only 3 wardens and has an RSVP process. This registration also allows you to join competitions and view findings of other wardens in the findings repository once it becomes public.\n\nShould you face any issues with new warden registration or bug submission, you are encouraged to communicate directly with our staff for further clarification. If you are a foreigner, you are still eligible to become a certified warden. There are also opportunities to become a backstage warden, although you need to be certified to get a backstage pass.\n\nLastly, our community is constantly learning and evolving, so don't hesitate to ask for help or clarification, and always check the new qualifications section in the warden registration page for updates.", "Question: How can I include code snippets with line numbers in my reports for auditing and problem-solving?\n\nAnswer: CodeArena recommends using a VS code extension called \"Copy With Line Numbers\" to include code snippets with line numbers in your reports. 
This will make the auditing process more streamlined and efficient as it will allow others to directly reference the specific lines of code in question. \n\nDiff tools available on Linux can also be used to include replaced lines in your submissions. For example, you can run 'git diff' in your terminal and use backticks in your report. \n\nIf your report includes large text that doesn't fit in the textbox on the help desk site, you can create and link a gist instead. This will prevent any important information from being left out. \n\nIn the event where you need to copy code from Github along with the contract file name and line numbers, you may need to manually include the contract file name and line numbers as Github does not inherently provide this feature. \n\nLastly, remember to practice good online safety, such as using VPNs like NordVPN, especially if you're dealing with sensitive information like code snippets that may potentially have vulnerabilities. To learn more about online safety, you can refer to the Blackhat briefing on hunting and exploiting recursive MMIO flaws in QEMU/KVM [here](https://www.blackhat.com/asia-22/briefings/schedule/index.html#hunting-and-exploiting-recursive-mmio-flaws-in-qemukvm-25484).", "Question: What should I do if I have reported an issue, but I am unsure about its severity? Can it be escalated or deescalated? What is the process and potential impact on rewards?\n\nAnswer: If you have reported an issue but are unsure about the severity, we recommend referring to the TLDR criteria and presenting the best case for the severity you perceive, backed by evidence. The severity of an issue can range from high, medium, to low, or even QA. \n\nAfter the report, the judges have the ability to either escalate or deescalate the severity. For instance, a low severity report could be upgraded to medium by judges, as evidenced by this case: https://discord.com/channels/810916927919620096/810931711609143326/938133534982406144. 
Similarly, if a medium severity report is actually deemed high, unless there's a reason to penalize it (such as it being incomplete, lacking detail, or not as accurate), the report gets raised to high severity. \n\nConsequently, the potential rewards can also change. If a finding is submitted as a low in a QA report, but the judges determine that its severity is medium, it will be eligible for medium rewards according to: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum. If a High severity bug turns out to be only Medium, you will still receive the reward for a Medium bug.\n\nAdditionally, when submitting a report, it's possible to include both high severity and medium/low severity issues in the same report, but the highest effort should be put into the high severity issues. You can also submit a medium/high report without recommended mitigation steps, but it should include an explanation as to why it cannot be feasibly mitigated. \n\nRemember, the quality of the report is crucial. The platform advises against submitting a high volume of low-quality reports. High-quality reports should have a clear explanation or path to the finding. More details of this can be found at: https://github.com/code-423n4/org/discussions/34. \n\nSo, when in doubt, discuss the specific issue in the chatroom, or consult the judging criteria provided in this link: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr.", "Question: Where can I find information on the TLDR criteria, how to submit an Analysis Report, and how the severity of issues are ranked?\n\nAnswer: You can find detailed information on various aspects of the CodeArena process through the following resources:\n\n1. 
The TLDR criteria, which provides a quick overview of estimating risk, is available at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr.\n\n2. If you're interested in submitting an Analysis Report, guidelines and FAQs can be found at https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.\n\n3. Specific details on how issues are categorized based on their severity (low, medium, high) can be accessed at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization.\n\nRemember, the severity of a bug or issue is dependent on its impact, which can be determined using the aforementioned judging criteria. If there's any uncertainty about the severity of a reported issue, you are advised to review these criteria and make a case for the chosen severity using evidence. Also, if you have questions about how your findings were judged or why they were rejected, you may find it beneficial to review the submission policy at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. Lastly, for queries about risk rating for findings, it's suggested to review these guidelines, look at how similar issues were judged in the past, and make the best and clearest case possible.", "Question: How can I change the severity of a bug I've already submitted during a CodeArena contest, and what impact does this have on my submission and potential reward?\n\nAnswer: If you've already submitted a bug during a contest and wish to change the severity, you can submit a help request to remove the original submission and then submit again on code4rena.com/help. The platform is considering adding the severity of bugs to the emails sent out after issue submission, and it's important to note that your bug submission will not be invalidated if the severity level you assign differs from the evaluated severity level. 
However, it's recommended to make separate submissions depending on the type and severity of the bugs found.\n\nAfter the contest's closing time, you can alter the severity of reported bugs either through the Pull Request (PR) or by contacting one of the judges. Even if a High severity bug turns out to be only Medium, you'll still receive the reward for a Medium bug. Judges may not increase the severity of a bug if it's a duplicate of other bugs and hasn't been well explained or proven.\n\nIf you submit an issue with an incorrect proposed solution, you can update your submission if the contest hasn't ended. However, keep in mind that submitting a high severity issue without working code that shows the impact may lead to the issue being downgraded or deemed ineligible for awards.\n\nThe judges also have the ability to upgrade your issue to a higher severity if they deem it necessary. Your explanation of the finding is more important than the specific severity you assign, and a good explanation can even lead to a Quality Assurance (QA) issue being elevated to Medium or High severity. If your bug is not accepted, there's a process in place to understand why, which can help improve your future submissions.\n\nThe value of a bug is partly based on correctly assessing its severity and presenting evidence to back up your claim. Clear, understandable writing and evidence to support your chosen severity and validity are crucial for quality submissions. For more details, visit https://docs.code4rena.com/roles/wardens/submission-policy.", "Question: What is the process for the release of reports after a contest and how can participants interact with these reports?\n\nAnswer: Yes, every contest at CodeArena releases a report detailing the bugs found, which serves as a learning tool for participants. These reports are run after every contest and are made public once the contest is over and the judging process has been completed. 
However, they may not be immediately available on the CodeArena site. We recommend waiting for the full public report before doing a write-up of any bugs found.\n\nAlso, users can view their QA reports for contests that have already closed. Contestants can inquire about the progress and schedule of final reports, and all participants' submissions may be made available after the contest ends, once the possible exploits have been patched. Findings submitted for contests may not always make it to the final report. To check this, you will need to wait until the reports are published, which usually takes about a month. \n\nIf you make a submission to a contest that is not rewarded, you can review why your submission was not accepted once the report is out and the repository is fully opened. This provides an opportunity to see the discussion among sponsors and judges on the specific issue. You can view examples of past reports and submissions at https://code423n4.com/reports. \n\nPlease note that there are restrictions on discussing bugs and exploits after submissions for a contest are closed and before contest results are out. Furthermore, not every bug reported by a warden within an hour of a contest's start is considered. Lastly, it's still unclear if more than one high/medium bug report can be submitted per contest. The overall value of a bug is reduced and split based on how many people find it, regardless of who found it first. \n\nThe rules, incentive system, and rewards information are available at https://docs.code4rena.com. 
For any changes to the severity of reported bugs after a contest ends, these can be passed on to the judge through designated contact points either through the PR or by contacting one of the judges.", "Question:\nHow can I privately get in touch with a member of the Code4rena team for various queries or issues related to contests, team management, security vulnerabilities, or linking my social accounts?\n\nAnswer:\nYou can privately reach out to a member of the Code4rena team by submitting a Help Desk request at https://code4rena.com/help. You can use this platform for a variety of inquiries and issues such as asking questions about contests, reporting security vulnerabilities, seeking approval for team changes, and linking your Code4rena profile to your Twitter account, among other things. If your question is about a security issue related to one of the contests, please make sure to detail it in your Help Desk request. Additionally, you can also direct message someone from Code4rena on Discord for immediate assistance. In case you have identified a vulnerability impacting Code4rena's webapp, please email the issue to security@code4rena.com. For matters relating to contest operations including prize distribution and report submission, or if you need further assistance after a contest is closed, the Help Desk is your primary resource.", "Question: Will CodeArena be supporting Solana audits and what more services does the platform offer?\n\nAnswer: Yes, CodeArena has plans to support Solana audits. However, contests for Solana have not been hosted yet. The platform is not only focused on smart contract audits but also offers other services. For instance, it provides a tool for running audits which is currently a work in progress, accessible at https://github.com/HardlyCodeMan/audit_helper/. Furthermore, there's a booking team in place that can assist you with setting up audits. 
CodeArena also offers assistance to beginners in smart contract auditing and provides a platform for users to ask questions about findings of past projects or to participate in private competitive audits. Additionally, the platform has conducted audits with a Rust focus and for products built on Polygon. In terms of future services, there's interest in hosting more web2 whitebox audits and there could potentially be an addition of website and other infrastructure pentesting audits in the crypto space. Please note, while we aim to provide comprehensive audit services, the specifics can vary depending on the complexity and nature of the project.", "Question: I received two identical confirmation emails after submitting a finding on CodeArena. Is this normal, and do I need to take any actions?\n\nAnswer: Yes, this is normal and you don't need to worry or take any specific action. When a finding is submitted, users should receive a confirmation email. However, there may be occasional system glitches that result in sending two identical emails. This does not affect your submission or the subsequent review process. Confirmation emails usually arrive within a few minutes of submitting a finding, although there may be occasional delays. \n\nYou can always check the success of your report submission by looking out for the confirmation email and the ability to edit your submitted findings. These confirmation emails typically come from submissions@code423n4.com. If you didn't receive the email confirmation, it's a good idea to check your spam folder. \n\nIf the same vulnerability is found in multiple different components of the codebase, it might count as two separate findings, but it's ultimately the judge's call to determine if they're duplicates. Therefore, getting two confirmation emails does not necessarily mean your findings are considered duplicates. 
\n\nFor more detailed information, you can view all your reports during the competition on the C4 Contest page under the \"Findings\" tab. If there are any issues with your submission not showing up there, or if you receive any error messages, please reach out to the CodeArena team for assistance.", "Question: What should I know about issues related to USDC use at CodeArena, including any potential concerns or procedures?\n\nAnswer: There have been various discussions and concerns raised regarding the use of USDC at CodeArena. The rewards for findings in contests can vary significantly, with some wardens receiving thousands of USDC while others may only receive hundreds. All rewards are made through the USDC cryptocurrency over the Polygon network. There was a discussion about potential risks associated with depositing funds in an uninitialized contract and concerns about official entities flagging accounts. [This article](https://taibbi.substack.com/p/the-financial-bubble-era-comes-full?utm_source=substack&%3Butm_campaign=post_embed&%3Butm_medium=email&utm_medium=email) was shared, raising concerns about USDC. It's also important to note that there was a case where a user could not see the $ in their Polygon wallet, suspecting a potential compromise of their key. Users have expressed interest in understanding how to prevent future attacks on their wallet. There were suggestions regarding the deposit of USDC into Coinbase from Polygon and the possibility of converting it into BTC. Please note that the ability to participate in USDC reserve contests may be limited to certain groups. There was also talk about potentially sending USD (fiat) to participants instead of USDC in countries where converting crypto to fiat is difficult. 
Lastly, trust between wardens and sponsors is crucial, and concerns were raised about potential misuse of disclosed vulnerabilities.", "Question: How is machine learning, along with other methods and tools, applied in smart contract auditing?\n\nAnswer: Machine learning is introduced to smart contract auditing in several ways. One of the innovative ideas involves converting a non-image task into an image task. This means transforming a smart contract into respective visual shapes, training a machine learning model based on a dataset of these shapes, and using the model to predict the vulnerability of future contracts. You can see an example of a smart contract visualizer at this GitHub page: https://github.com/DanielVF/evm-contract-draw.\n\nGraph neural networks have also been leveraged for smart contract auditing, as evidenced in the research paper found here: https://www.ijcai.org/proceedings/2020/0454.pdf. \n\nIn addition to machine learning, fuzzing tools such as Echidna and static analysis tools like Slither are being utilized to find vulnerabilities and bugs in smart contracts. Another smart contract scanning tool that can detect price manipulation vulnerabilities is available at https://app.metatrust.io/project. \n\nMore traditional platforms for auditing smart contracts include Sherlock, though this requires a high competence level in the field. You can learn more about such platforms and other auditing tools at https://docs.code4rena.com/roles/wardens/tools-and-resources.\n\nLastly, our CodeArena platform is not only focused on auditing but is also involved in running audit contests for contracts. 
Apart from that, our platform is open to beginners seeking to learn about smart contract auditing, which you can start by viewing resources available on our #\ud83c\udfebeducation channel or from sources such as https://cmichel.io/how-to-become-a-smart-contract-auditor/.", "Question: What is the process for submitting, modifying, and checking the status of my report on CodeArena?\n\nAnswer: On CodeArena, you can submit your reports directly on our website. If your report is too large for the submission form, you can submit a placeholder and then email the full report to report@code4rena.com. Detailed instructions, including how to handle exceptionally large reports, can be found at https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form. \n\nAfter submitting your report, you will receive a confirmation email. If you do not receive this email, it's possible that there was an issue with your submission. However, please note that it may take some time for the confirmation email to arrive. If you encounter an error while submitting your report, such as \"API rate limit exceeded for user ID 81770958,\" please try again after some time. \n\nIf you need to modify your submitted findings, you can do so by viewing the findings through the \"View Context\" function. If you're unsure about the severity of an issue you've reported, or if you need to submit additional findings after an initial low-risk finding, please submit a new report. \n\nFinally, to check the status of your submission, wait for the report to be published and the findings repo to be made public. You can also check your email for any updates. If you have difficulties performing these tasks via a mobile device, please send your requests to submissions@code4rena.com for assistance. 
\n\nRemember that all submissions should adhere to our guidelines, which can be found at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Question: How should I properly submit a gas optimization report in a CodeArena contest and what should I do if I have multiple gas optimization findings?\n\nAnswer: When participating in a CodeArena contest, you are allowed to submit a report on gas optimizations you have found. However, it's crucial to compile all your gas optimization findings into a single report. To add more findings to the report, navigate to the specific contest page and click the 'Your Findings' button. Here, you can edit your submitted gas report findings while the contest is open. In case you have accidentally submitted multiple reports, you can cancel the extra ones by withdrawing the findings under the \"your findings\" on the contest page.\n\nIt is also imperative to include how much gas your proposed optimizations could potentially save, as this information can influence your report's grading. The judge's decision is based on various factors, one of which is the projected gas savings.\n\nGas optimizations are awarded from a separate award pool which can be found on the C4 website and each contest's page. It's important to note that certain contests, like the DualityFocus contest (https://code4rena.com/reports/2022-04-dualityfocus), might not involve a gas optimization pool.\n\nFor more detailed guidelines on submitting findings and gas optimization, you can refer to the CodeArena submission policy: https://docs.code4rena.com/roles/wardens/submission-policy. 
And for any further assistance, you can submit a help request at https://code4rena.com/help.\n\nRemember, your report's quality and thoroughness, including clear proof of how much gas your refactoring can save, can significantly impact the contest outcomes.", "Question: How can I submit a help request on Code4rena.com?\n\nAnswer: If you are experiencing any issues, need assistance, or have inquiries on CodeArena's platform or its processes, you can submit a help request at https://code4rena.com/help. This includes issues with your account status, questions about contest security, analysis submission process, adding new team members, private inquiries to a member of the Code4rena team, increasing a submitted bug's severity during a contest, or wanting to add a Twitter handle to your profile page. Should you encounter any errors during the submission process, don't hesitate to report those as well via the same link. Additionally, if you meet certain criteria, you can even request backstage access through a help request. Just outline your issue or question in the help form provided, and the team will address your request as soon as possible.", "Question: How should I structure and submit my gas optimization report for a CodeArena contest?\n\nAnswer: Your gas optimization report should compile all of your findings related to gas optimization into one document. For each gas optimization you identify, it is suggested that you detail the amount of gas that could potentially be saved. If you have multiple ideas or findings, they can be written separately and then merged into the final report. It's important to note that only one gas optimization report can be submitted per contest, but you can add more findings to your report by navigating to the contest page and clicking the 'Your Findings' button. \n\nKeep in mind that some gas optimizations may not be valid when the optimizer is enabled. 
This has led to some confusion about what should be reported, so do not hesitate to ask for clarification on this matter in the chatroom. Also, automated reports are sometimes uploaded after starting contests, so it may be helpful to check these for reference. \n\nKnown issues should be excluded from your report. Also, note that the level of detail required for gas optimization reports is not as comprehensive as for high severity issues. Examples of top QA/Gas reports can be found at https://code4rena.com/reports. \n\nThere may be some questions about the criteria for a report to get selected in a contest and how the reward for gas optimization is distributed. To get a better understanding of this, you can refer to the example spreadsheet: https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0. \n\nEven if you only have 1-2 Low and 1-2 Gas issues, it might still be worth creating a report. While it's not necessary to specify the amount of gas saved, including that information could potentially increase your points. And lastly, remember that gas optimization inside view/pure functions can be reported, and bot-generated reports should theoretically include all kinds of findings, including gas-related issues.", "Question: What options do I have if I need to change or update my submission after the contest has ended?\n\nAnswer: Once a contest has ended, you typically cannot amend your submissions. However, you can alter the severity of reported bugs after the closing time of the contest either through the PR or by contacting one of the judges. To do so, you would need to submit a help request with all the necessary information to https://code4rena.com/help. If you're having issues with the submission process, encountered an error, or did not receive an email confirmation after submitting a finding, you can open a help desk request at the same link. 
In the future, CodeArena has plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. All participants' submissions may be made available for review after the contest ends and the findings repo is made public, once the possible exploits have been patched. Please note that there are restrictions on discussing bugs and exploits after submissions for a contest are closed and before contest results are out.", "Question: Can smart contract auditing tasks be converted into image tasks, and if so, how does this method improve the audit process?\n\nAnswer: Yes, it is indeed feasible to convert smart contract auditing tasks into image tasks. This innovative approach involves visualizing a smart contract into their respective shapes. A machine learning model is then trained based on these shapes, using a dataset of both vulnerable and non-vulnerable shapes. The trained model can then be used to predict if future contracts are vulnerable or not. This method may prove beneficial in enhancing understanding of smart contracts, as it provides a more intuitive, graphical insight into their structures and potential vulnerabilities. \n\nThere are various tools that can assist in this process. For instance, the EVM contract draw available on GitHub (https://github.com/DanielVF/evm-contract-draw) allows the conversion of Ethereum Virtual Machine (EVM) bytecode into an image. Another potential tool is the now deprecated Surya (https://github.com/ConsenSys/surya), which was earlier used for visualizing smart contract interactions. \n\nThere is also an interesting approach that involves the use of graph neural networks, as outlined in this paper https://www.ijcai.org/proceedings/2020/0454.pdf. 
This method may tackle the inherent complexity of smart contracts and tackle the challenges users often face in understanding smart contract reports and the overall system.\n\nFor further reading, you may find the Fastai notebook interesting, as it demonstrates how image recognizers can be applied to non-image tasks: https://github.com/fastai/fastbook/blob/master/01_intro.ipynb.\n\nPlease note that the effectiveness of these visual and machine learning-based methods depends on multiple factors, including the complexity of the contracts and the quality of the training data. Some highly complex smart contract projects may still require professional mathematicians to audit complex formulas. Despite this, the visualization of smart contracts can be a valuable tool to aid in understanding and auditing smart contracts, particularly for those new to the field.", "Question: If I submit a finding as a medium severity issue but the judges consider it to be a high severity issue, will my report be upgraded to high severity?\n\nAnswer: Yes, your report's severity level may be upgraded from medium to high. The judges at Code4Arena have the discretion to upgrade or downgrade the severity of your findings. If they believe that the issue you submitted as medium severity is, in fact, a high severity issue, they will adjust it accordingly. However, the determination of severity relies on a balance of consequence and likelihood. High severity issues generally involve substantial fund loss or other severe impacts and do not require preconditions, whereas medium severity issues typically have less impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness.\n\nIt's also worth noting that you can include both high and medium/low severity issues in the same report, but your highest effort should be given to the high severity issues. 
If your report is incorrectly categorized and the severity of your report is upgraded, this will not be a reason for penalty unless your report lacks detail, accuracy, or is incomplete. Regardless, you would still receive a reward commensurate with the actual severity of the found issue.\n\nThe exact criteria for low, medium, and high severity issues can be found on our judging criteria page: https://docs.code4rena.com/awarding/judging-criteria/severity-categorization\n\nKeep in mind that it is also possible for judges to upgrade findings from your QA report if they believe the severity should be higher and to downgrade issues if necessary. Here is some further information on this: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.\n\nThe most important thing to remember is that the specific severity of an issue is not as crucial as a thorough and precise explanation of the finding.", "Question: How does CodeArena handle issue severity levels and the possibility of them being upgraded or downgraded within the contest environment?\n\nAnswer: At CodeArena, judges have the discretion to determine the severity of identified issues in submitted reports and can make changes in severity levels as necessary. If an issue is submitted with what is thought to be a high severity issue, and the judge disagrees, the issue might be downgraded. However, the participant will still be awarded for the found issue unless it is invalidated for overinflating severity. \n\nConversely, if a finding is submitted as medium severity but judges believe it is high, the severity can be upgraded unless there is a reason to penalize it. Judges have been known to elevate the severity of a QA issue if it is described in detail and they can upgrade an issue labeled as medium to high if they deem it necessary. 
\n\nHowever, they may choose not to increase the severity of a bug if it is a duplicate of other bugs and has not been well explained or proven. Importantly, the value of a bug is assessed based on its severity and the level of evidence provided. If a participant identifies a low bug but does not provide evidence of how it can be exploited, judges cannot upgrade it based on the efforts of other people.\n\nParticipants are advised to make a strong case in their submissions if they believe a high risk finding should be considered, or if they aim to escalate a known low from the automated findings to a high. Independent judges with deep solidity knowledge make the final determination of severity, so a thorough and well-argued submission can be crucial.\n\nRegarding the fate of a submitted report, if it is actually deemed high, it is confirmed that unless there's a reason to penalize it (such as it being incomplete, lacking detail, or not as accurate), it gets raised to high. The inclusion of high-risk findings depends on the contest and the judge, and a good explanation of the finding is regarded as more important than the specific severity of an issue. \n\nFor more details on how severity escalations are rewarded, participants should refer to the guidelines at https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions and https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. Issues can be updated post-submission by judges, and the final determination of severity, which can impact award levels, is made by a judge. Users can inquire about the fate of a finding if the judge and sponsor disagree with their proposed mitigation.", "Question: What are the ways I can reach out to CodeArena (C4) or contest sponsor teams if I have questions or need assistance?\n\nAnswer: There are several ways you can get in touch if you have queries or you need assistance. 
You can direct message (DM) CodeArena staff members or you can reach out to sponsor team members who are available for questions via Direct Message (DM). Each contest has a specific channel where general queries can be posted. If you have questions related to specific projects like FairSide or Vader protocol, you can DM them directly. \n\nFor more sensitive issues, you can privately ask questions and receive guidance. If you're facing account issues, you are advised to reach out via DM for assistance. If you need to update your submissions, you can do so by direct messaging certain identified individuals.\n\nAlso, for specific projects, you can consult with project team members who are listed in a specific discord channel. Members can also submit questions for the next recorded community call. For any general queries, the best option is to post in the contest channel in Discord. \n\nHowever, please be aware that there have been reports of scams in direct messages, so exercise caution with any unsolicited messages or requests. If you have questions about the DAO voting system, how to change your wallet address, or the address of the C4 token, it's recommended that you ask these on the forum post itself as chat can be ephemeral.\n\nRemember, direct communication is encouraged and welcomed. At CodeArena, our aim is to provide as much support and assistance as possible.", "Q: How can I add or remove team members in CodeArena and manage my team effectively?\n \nA: You can make modifications to your team, including adding and removing members, by submitting a help desk request at https://code4rena.com/help. If you encounter any issues while adding members, it may be worth trying again on a different day. If the problem persists, please report the issue through the help desk. 
\n\nYou also have the option to change your team name, although this would require creating an entirely new team and the new team would not retain any leaderboard positioning.\n\nIt's important to note that once a participant joins a team, they are not obligated to participate in all team activities. Team members can work together, bounce ideas off each other, and learn faster but can also choose to participate solo. Managing a team where not all members participate in the same contest and distributing rewards among contributors can be challenging. You can find a relevant discussion on team management issues here: https://github.com/code-423n4/org/discussions/43 \n\nTo further enhance collaboration among new wardens, there's a #\u26bdteam-formation channel where people can look for teammates. Once wardens find a team, they can create one at code4rena.com/register-team. \n\nIf you accidentally submit an analysis from a personal account instead of a team account, it's recommended to re-submit it from the team's account and submit a help desk request to withdraw the other one at https://code4rena.com/help. \n\nTeams are essential in CodeArena as they are considered when comparing leaderboard ranks to select people for RSVP certified jobs.\n\nFinally, remember that managing a team requires continuous effort and open communication. It's important to address any issues promptly, and the CodeArena platform offers channels for resolving issues or improving team collaboration.", "Question: How should I report an issue concerning a project's licensing, such as instances where dependencies within the project require a specific license that the project doesn't currently use?\n\nAnswer: If you come across a problem with a project's license, especially a situation where a dependency used by the project calls for a specific license that the project doesn't possess, you can report it directly. This type of issue is generally regarded as being of informational severity. 
\n\nWhen you issue a report, it should include the following information: the problem, a thorough description, Proof of Concept (if necessary), and mitigation (if applicable). If you're a beginner and find it challenging to understand certain code instances, it's recommended to compile a single report and refer to the related issues within it. In case you discover a vulnerability in an out-of-scope contract, you can include it in your report as an unrewarded finding or directly message the project about it. \n\nIf you're not confident about the severity of a reported issue or unsure of how to proceed after reporting, you can provide your reasons for flagging the issue directly in the report itself. This provides context and allows the team to better assess the situation. \n\nIf you find the same issue in multiple parts of the codebase, you should definitely add them to your report. Even if the bot race reports an issue but doesn't indicate all the actual parts of the codebase where the issue appears, adding them is deemed eligible. For instruction on how to report issues found in multiple places, you can refer to this [link](https://discord.com/channels/810916927919620096/810936719003090974/1134472653437145149).\n\nAlways remember that submitting a high-severity issue without working code that demonstrates the impact may result in the issue being downgraded or ruled ineligible for rewards. But don't let this discourage you; it's always better to report an issue even if there is a disagreement about the scope. \n\nLastly, be aware that adding a link to a sponsor's GitHub repo code in a findings report will not automatically pull that code snippet into the report. If required, it's best to manually embed the code in your report. 
If you need help with this or face any other issues during the analysis submission process, you can submit a help desk request.", "Question: What is the process and guidelines for categorizing the severity of issues identified in smart contract audits? \n\nAnswer: The severity of an issue identified during a smart contract audit can be classified as High, Medium, Low, or Informational. The classification depends on various factors such as the potential impact of the issue on users and the system, the likelihood of the issue being exploited, and the conditions required for its exploitation. \n\nIf an issue can cause significant fund loss or other severe consequences and doesn't require specific preconditions for exploitation, it's typically classified as High severity. If the impact is lesser and specific preconditions are required, such as high attack difficulty, specific market conditions, or user unawareness, the issue is usually classified as Medium severity. If the issue affects an end-user in a rare situation, it's a Medium severity issue, but if it locks all the protocol assets, it's a High severity issue. Constraints on admin 'setter' functions for state variables can be considered a Low or Medium finding. \n\nThe severity of an issue can be revised post-submission by CodeArena judges. An issue submitted as Medium can be upgraded to High if judges deem it so, unless there is a reason to penalize it (such as it being incomplete, lacking detail, or not as accurate). Conversely, a High severity issue could be downgraded to Medium or Low if the judges disagree with the initial severity assessment. However, you will still receive a reward for a Medium or Low bug, even if it was initially submitted as High severity, unless judges invalidate it for overinflating severity. \n\nSubmissions based on automated tools must provide strong evidence to show a relevant High or Medium severity exploit path. 
If a low severity finding in a contest's bot report is escalated to a high severity, it is not automatically invalid, but strong justification is required. \n\nFindings can be submitted with or without recommended mitigation steps. If there are no feasible mitigation steps, an explanation as to why it can't be mitigated should be included.\n\nIt's important to note that the specific severity of an issue does not matter as much as a good explanation of the finding. Also, submitting a high severity issue without working code that demonstrates the impact may lead to a high severity issue being downgraded or deemed ineligible for awards. \n\nFor further clarity on submission policy and judging criteria, refer to the official documentation: \nhttps://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues\nhttps://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions.", "Question: What is the process and expected timeline to receive my certified role after my Provenance application has been approved?\n\nAnswer: Once your Provenance application is approved, you can expect to receive an email confirming this. The email is sent from compliance@provenance.company, so please check your spam folder as well. Subsequently, the CodeArena team will update your certification status on your profile, which usually takes about 5 business days. However, it may take up to 2-3 weeks in some cases. \n\nDuring this time, you may want to participate in at least 3 contests to be eligible for a Certified+ upgrade. If you are interested in becoming a Certified Warden, you must go through a KYC process delegated to Provenance. \n\nYou can check your current roles by clicking your name on the platform. Please note that the initial email from Provenance doesn't have a specified timeframe for delivery, but the process after working with them generally takes around 1-2 business days. 
\n\nIf there's a delay in processing your role or you have not received any response after a few days, you can open a help desk request at https://code4rena.com/help. \n\nFor further details on the certification process or to start your application, please refer to https://docs.code4rena.com/roles/certified-contributors.", "Question: How can I write the equivalent of `(Bool success,) = address(someAddy).call{value: msg.value}(someFuncSignature);` in JavaScript hardhat or EthersJs, while also ensuring the account existence before calling .call() on it?\n\nAnswer: The equivalent of this Solidity code in JavaScript using Hardhat or Ethers.js would be something like this:\n```\nlet tx = await acct.sendTransaction({to: addressTo, value: 0, data: myContract.interface.encodeFunctionData(\"withdraw\", [etherBalance])});\n```\nHowever, while using this approach, to ensure the existence of the account before calling `.call()` on it, you could make use of OpenZeppelin's Address library or check the length of the account's code before making the call.\n\nIt's important to note that the calling convention used can vary. For example, in a web3 console, what's called can differ from what is actually called on the contract in the Ethereum Virtual Machine (EVM).\n\nAlso worth mentioning, calling a contract's own function like `InterfaceA(address(this)).functionA();` would be considered an external contract call and would change the `msg.sender` value inside the function.\n\nMoreover, there are instances where the 'eth_call' in Quicknode includes a 'value' parameter referring to the amount of ether sent with the message call. This might be worth to look into as well.\n\nFor more on how functions like delegatecall work with storage, you can refer to the Solidity docs and the Geth source code at https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302. 
\n\nAlso, if you are using Foundry, you may use a tool named \"foundry debug\" to debug hardhat tests or introspect contract execution at the EVM opcode level.\n\nRemember, if a function call in a smart contract always reverts but assets are not at risk, it can be considered as a Medium or High finding depending on the context.\n\nFinally, to better understand the Solidity syntax and programming, you can refer to discussions on our Discord chatroom or check out the Ethereum StackExchange thread here: https://ethereum.stackexchange.com/questions/68519/creating-a-new-contract-specifying-a-sender-and-value-with-factory-pattern.", "Question: Are there any upcoming C4 events similar to the C4 ethcc event?\n\nAnswer: Yes, C4 regularly participates in various events. Some of the C4 team were present at ETH.Denver and they maintain an active presence at events like ETH.NYC. Upcoming C4 appearances include gatherings such as ETH CC Paris and ETH Belgrad. There's also a plan for Code4rena to host an event at devcon, as shared on their twitter [https://twitter.com/code4rena/status/1577405876952272896?s=21&t=YjWD5aNJCZKKN9jXrRDh7A]. However, please note that the number of contests C4 participates in can fluctuate and specifics regarding these events, including availability of spots, are subject to change. Keep an eye on the official C4 website [https://code4rena.com] and their social media channels for the most accurate and up-to-date information.", "Question: I'm having trouble connecting my Discord account with my Code4Arena account. How can I check my participation in the audit and update my leaderboard standings?\n\nAnswer: If you're experiencing issues connecting your Discord account with your Code4Arena account or have made a mistake, you can resolve this by creating a help desk request at https://code4rena.com/help. Clearly explain your issue in the request. 
\n\nIf you need to change the link with your username in the leaderboard/contest results or update your Discord username on your Code4rena account, you can also do this through the help desk. \n\nIt's important to have an updated Discord username tied to your CodeArena account as it ensures you can be tagged in for any award announcements. However, the absence of this does not affect your eligibility to receive awards.\n\nRemember, you can also check whether your submissions were accepted at https://code4rena.com/reports. If you have accidentally submitted a finding from a personal account instead of a team account, re-submit it from the team's account and at the same time, make a help desk request to withdraw the incorrect one. \n\nIf you are unsure about your participation or need any further assistance, don't hesitate to reach out. Our team is always here to aid you in resolving your issues.", "Q: I submitted an audit report for a few audits, but I don\u2019t see my name in the leaderboard. I think I might have registered anonymously. How can I verify my participation in the audit?\n\nA: To verify your participation in an audit, you can check your Analysis Report for your submissions. This can be done by clicking on the \"My findings\" option in the contest page. You will also receive a confirmation email with details of your submission. If your name isn't mentioned in the report, it doesn't affect your future submissions, but it may have a slight impact on your leaderboard ranking. Please note that the leaderboard is built off the dates of the audits and doesn't track when the awards were distributed. If your submission is not appearing in the leaderboard, you could create a help desk request explaining the issue. \n\nFurthermore, to participate in private audits or gain permission to audit private contests, you typically need to be certified and rank on the leaderboard. 
If you're interested in auditing private contests or becoming a warden, you can check your certification status by clicking on your name to see assigned roles, or through email communication. To become a certified contributor or a warden, you may refer to https://docs.code4rena.com/roles/certified-contributors and https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0 respectively. Also, remember that teams can participate in auditing contests with a single wallet used during registration.\n\nPlease remember, submitting a Quality Assurance report for the first time may result in an error. In such a case, you can check if it has been successfully submitted by checking your email for a confirmation or viewing the findings through the \"View Context\" function.", "Q: Can you explain how the leaderboard works at CodeArena, including how one gets on it, its relation to awards, and considerations for its updates?\n \nA: The leaderboard at CodeArena is a representation of the achievements of participants in various contests. It gets updated every time awards are announced. However, it's worth noting that not all contest types are currently supported for leaderboard updates. Additionally, there might be a minor delay in leaderboard updates as there have been issues with awards being announced before the leaderboard is updated.\n\nIf a participant's name isn't mentioned in the report, it doesn't affect future submissions, but there's a possibility of it having a minor impact on the leaderboard ranking. This is because the leaderboard ranking is affected by both the current contest and the total participation of a contestant. \n\nTo get on the leaderboard and gain the \"leaderboard\" tag for their profile, a user needs to place in the top 5 of a contest and receive the reward. 
An individual's name can appear twice on the leaderboard; once individually and once as part of their team.\n\nIt's important to clarify that the company's website does not currently track the dates awards go out, but instead builds the leaderboard based on the dates of the audits themselves. Also, judge payment and lookout/scout payment are not included in leaderboard ranking calculations.\n\nAs for private contests, permission to audit them usually requires certification and ranking on the leaderboard. If a warden receives rewards both individually and as part of a team, the team and the individual will appear separately on the leaderboard.\n\nFinally, there are concerns about the leaderboard not accurately reflecting a user's accomplishments, with contest results potentially not being counted for the full duration, and certain contests like the Sublime contest and FactoryDAO not being currently reflected. CodeArena is aware of these issues and is actively working on improvements. For more detailed information, you can refer to the leaderboard and awards announcements on the CodeArena Discord server.", "Question: How can participants check the awards list, learn about the award distribution process, and find previous competition results?\n \nAnswer: Participants can check the awards list, leaderboard updates, and the announcement of winners in the #\ud83d\udce2announcements channel on our Discord chatroom. Furthermore, participants can find detailed information about their submitted reports, the results of previous competitions, as well as the leaderboard which is updated when awards are announced on CodeArena's website. The website does not track the dates awards were distributed, but rather builds the leaderboard based on the dates of the audits. \n\nFor more specific details about past contest awards, the following link can be used: https://code4rena.com/contests/2023-01-numoen-contest. 
While the team aims to process awards quickly with a goal to process a list of awards by the end of the week, the actual distribution of awards is generally done manually in batches for multiple contests at once, typically within 1-2 weeks after the announcement of the awards. \n\nUsers can check the status and replies of their submissions by reviewing the available reports from the competition. If a participant submitted issues for a contest but did not make the awards list, it's likely that their issues were not accepted. \n\nAll contests, public and private, are listed on the CodeArena website. Specific criteria for awards like a top-3 finish in either the QA or gas report can be requested from the organization. We also have a comprehensive document explaining our incentive model and how awards are divided between grade A and grade B for QA and Gas reports, which can be accessed at: https://docs.code4rena.com/awarding/incentive-model-and-awards. \n\nPlease note that changes to the award calculation process are currently underway, and awards cannot be distributed until the process is completed. Our goal is to establish an efficient process of getting awards and reports out in less than a week once sponsor review and judging are done. \n\nLastly, users can check their certification status by clicking their name to see assigned roles and also via email communication.", "Q: When a single line of code has multiple ways of exploitation, should it be reported as one bug or several, especially when these exploits look different and have varying impact levels?\n\nA: In a situation where a single line of code can be exploited in various ways, it is recommended to report every distinct vulnerability. However, it's important to prioritize the bug which has the most severe impact. Consider each exploitation as a separate bug, but if they stem from the same root cause, they may be considered duplicates. 
It's up to the judge's discretion to determine if they're duplicates or separate findings.\n\nIf the same vulnerability is found in multiple different components of the codebase, it could be reported as separate findings, unless they are instances of the same vulnerability, in which case they should be reported as one issue. When reporting, the vulnerability and its impact on the protocol or code should be thoroughly explained in the impact section, while the proof of concept section should include the lines from code or the written exploit.\n\nIf two separate vulnerabilities can be combined to create a more powerful one, users can submit a third finding explaining the proof of concept. Similarly, if a gas optimization finding that can be applied to more than one line of code is found, it should be submitted as one finding and all applicable lines should be mentioned.\n\nFor clarity, it's useful to focus the bug report on one specific attack or issue, feature the project's code, provide a simple to understand proof of concept or specific example, and offer a coded test that demonstrates the vulnerability. A simple example of such a report can be found here: https://github.com/code-423n4/2022-12-caviar-findings/issues/141\n\nLastly, if two people submit the same or similar bugs, how the bounty price is handled can vary, while known issues can be used to build more complex exploits. More information can be found at these links: https://github.com/code-423n4/org/issues/8 and https://github.com/code-423n4/org/discussions/50.", "Question: Can you provide information about the upcoming audit events or contests at CodeArena?\n\nAnswer: CodeArena regularly hosts audit contests; however, specific dates and details are dependent on sponsors confirming these elements. Upcoming contests, including those like the Reality Cards and Pool Together, are listed on the CodeArena website (code423n4.com). 
Currently, there may not be any competitions in the pipeline, but our team is constantly in conversation with several sponsors about potential audits. \n\nWe also have a structure in place for contests that includes an initial audit prize pool and a mitigation review pool. These contests and their results, such as the Biconomy Hyphen 2.0 contest's audit, are usually published after several stages \u2013 namely, the contest's conclusion, sponsor reviews, judging, and awarding. The entire process can range anywhere from 2 to over 6 weeks. If you're interested in participating, our audit contests are open to teams, and participating can provide a better understanding of audit reports. For more information about CodeArena's audit contests, please visit our documentation at https://docs.code4rena.com/. Please note, the specific details about our contests, including start dates, can be found in our Discord channel, under #\u270brsvp.\n", "Question: Why hasn't there been a contest announcement for a while and when can we expect the next one?\n\nAnswer: CodeArena occasionally experiences gaps in our contest schedule. This can sometimes be attributed to factors such as major conferences or delays in finalising contest details. We've recently experienced a 24-day period without contest announcements. However, we are currently anticipating a number of contests in the coming month. The exact dates and details are being finalized as we work with sponsors. Some upcoming contests may not have been updated on the specific channels yet. Additionally, we are continuously working on process improvements to prevent long delays in the future.\n\nPlease note that after a contest closes, there is a certain period of time before the findings become publicly available for discussion. The specific duration for this period is not mentioned, but we aim to make this information accessible as soon as possible. 
We are also considering changes to our leaderboard tracking system to better reflect recent contests.\n\nLastly, please be aware that CodeArena doesn't typically operate on weekends, and the lead time for sponsoring a contest is not long, but is not explicitly defined. We appreciate your understanding and patience during these times. For the most accurate information, always refer to our official channels.", "Question: How are the schedules and delays for CodeArena's contests influenced by sponsors and large industry conferences such as ETH CC Paris and others?\n\nAnswer: The contest schedule at CodeArena is influenced by several factors, among which sponsors and large industry conferences, like ETH CC Paris, play a significant role. It's been observed that a hiatus in contests often coincides with big conferences. This pause is believed to be an opportunity for sponsors and wardens to capitalize on the break from contests. \n\nThe role of sponsors goes beyond just financing the contests. They also contribute to the timeline and delays of contests. For example, slower sponsor reviews have been recognized as a reason for delays in judging contests, such as in the case of the Sublime March 2022. It's important to note that only sponsors, not judges, have early access to the findings. \n\nThe trust in sponsors is critical to the operations, despite occasional concerns expressed about potential conflicts of interest scenarios, such as sponsors hiding bugs. \n\nIn terms of contest timing, CodeArena usually runs week-long contests each week, with gaps observed in the schedule for live contests, and there are often multiple contests lined up for the upcoming weeks. The company does not typically operate on the weekends. As an example, the Canto audit, which was expected to start on a certain day, was delayed to the following Friday. 
\n\nThe duration of a contest can sometimes be extended, such as a contest involving over 12k sloc, which was extended from the usual week-long duration to 4 weeks. \n\nAwards are generally paid in the same week they are announced, with funds for the contests being sent out on specified days, such as on a Monday or Tuesday. Despite occasional delays and breaks, there is usually an expectation for rewards to be sent out in the forthcoming week. \n\nIn summary, while the contest schedule at CodeArena is influenced by several factors including sponsors and large industry conferences, the company strives to maintain a regular weekly schedule, with pauses around big events and occasional extensions for larger contests.", "Question: When can I expect the results of a CodeArena contest and where are they announced?\n\nAnswer: The timeline for publishing the results of a CodeArena contest, such as the Putty contest, depends on the time taken for judging. Judging can vary for each contest, but results are usually announced a couple of weeks to two months after the contest ends. Once the judging is complete, the results are posted in the contest channel. It's worth noting that the findings submitted during the contest may not always make it to the final report, and to check, you have to wait until the reports are published. The published reports, which include the findings, become publicly available after the contest ends for open discussion. If you're a Certified+ warden, you can view the findings repo immediately after a contest ends. All participants' submissions may also be made available once the possible exploits have been patched. Also, the cumulative results from contests can be viewed on the leaderboard at https://code423n4.com/leaderboard/. 
Please note that currently, findings from a contest cannot be viewed after it finishes but before the results are published.", "Q: What tools and resources can I use to effectively audit smart contracts on the CodeArena platform?\n\nA: The CodeArena platform offers a variety of tools and resources to assist you in auditing smart contracts effectively. One commonly used tool is a Miro board, which is ideal for collaborative planning and brainstorming. You can access a sample Miro board [here](https://user-images.githubusercontent.com/13383782/179862144-097cd187-abf6-48bc-b73d-503e9d1e51a3.png).\n\nFor automated findings, the platform provides a tool that is currently under development, located [here](https://github.com/HardlyCodeMan/audit_helper/). It's also important to note that if you're using automated tools, there is a higher burden of proof required to demonstrate a relevant exploit path. More information can be found [here](https://github.com/code-423n4/org/discussions/50).\n\nIf you need to view on-chain contracts in an IDE like remix, a useful tool can be found [here](https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484). You can also make use of the \"brownie\" tool, the Solidity sequence diagram tool (other than sol2uml), and the CodeArena Report Generator. \n\nFor accessing contest-related information, you can refer [here](https://github.com/sseefried/c4-stats) and you can also review previous competition findings [here](https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137) to understand areas of improvement. \n\nIn terms of graphical interfaces for understanding smart contract interaction, although the Surya tool [here](https://github.com/ConsenSys/surya) was mentioned, it might be outdated. 
Another tool for smart contract visualization can be found [here](https://github.com/DanielVF/evm-contract-draw).\n\nIf you want to detect price manipulation vulnerabilities, you might want to look into this smart contract scanning tool [here](https://app.metatrust.io/project). \n\nIn regards to report formatting, Visual Studio's preview tool has been suggested as a helpful tool, and issues can be submitted in a specific format using a tool available [here](https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers). \n\nAdditional resources include C4udit for finding publicly known issues with its newest fork called Analyzer [here](https://github.com/Picodes/4naly3er), and other GitHub resources available [here](https://github.com/transmissions11/solcurity) and [here](https://github.com/Tomosuke0930/C4-report-categolized). \n\nYou can upload an image when submitting a report by registering a free account on [Cloudinary](https://cloudinary.com/), uploading the image, and copying the image URL. \n\nFinally, always remember to refer to the guidelines and FAQ [here](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118).", "Question: How can I become a certified member or contributor at CodeArena?\n\nAnswer: To become a certified member or contributor at CodeArena, there is a specific process you need to follow. The process and requirements are detailed at both https://docs.code4rena.com/roles/wardens/certified-wardens and https://docs.code4rena.com/roles/certified-contributors. \n\nOnce you fulfill the prerequisites, you can apply for certification by filling the form available at https://code4rena.com/certified-contributor-application. This process involves KYC (Know Your Customer) verification which includes submitting your identity for verification. 
\n\nBeing certified allows you to participate in private audits, join any contest including certified contests, gain backstage access, and possibly rank on the leaderboard. It also allows you to apply for Certified+ status if you have a high finding.\n\nOnce the certification process is approved by provenance, it may take a few days for the role to reflect on your profile. The status of your certification will be updated via email. You can also verify your certification status by clicking on your name on the platform to see assigned roles. \n\nPlease remember, to participate in invitational audits or private contests after being certified, you must RSVP in the rsvp-certified channel and ensure a high position on the leaderboards from the last 90 days.", "Question: I am facing an issue with the Certified Warden form - it says status is expected to be multi-select after clicking agree and submitting. Can you help me understand and resolve this?\n\nAnswer: This seems to be a known issue with the Certified Warden form indicating a \"status expected to be multi-select\" error. This is currently being looked into. In the meantime, you can try updating your profile to reflect your status as \"Available for Hire\" through the profile editing screen. Please keep in mind the requirements for becoming a Certified Warden, which includes participating in a certain number of contests and having a number of valid findings or reports. More details about the process can be found in the documentation at https://docs.code4rena.com/roles/wardens/certified-wardens. After the provenance verification process is completed, the certification process goes into queue. It usually takes 2 business days for your request to be processed, and 2-3 weeks to receive the KYC email. Please check your spam folder as well since the email is sent from compliance@provenance.company. If you've already submitted an application and are waiting, we appreciate your patience. 
For any other queries or issues, please feel free to ask in the chatroom.", "Question: How can I view the status of my submitted reports or issues during the triage process on GitHub?\n\nAnswer: If you have submitted a report or issue for a contest on CodeArena, the visibility depends on your role and the stage of the contest. \n\nBefore the contest ends, only the team has access to the submissions. However, certified wardens who have been granted \"backstage access\" can observe the report submission and triage process. This role allows you to review issues even before they are publicly reported, although it requires an established level of contribution. \n\nAfter a contest ends, the findings are posted on a private GitHub repository. Sponsors are given access to this repository either after the contest concludes or one week after with the triaged and deduplicated issues. \n\nOnce the contest report is published, all users, including participants, can view their submissions on the concerned GitHub repository. You can review why your submission was accepted or not, as the report allows visibility into the discussions among sponsors and judges. \n\nDuring this time, you can also access all issues, including yours, on the GitHub repository. Each report title on the CodeArena reports page (https://code4rena.com/reports), is a link that points to the relevant report. \n\nPlease note, feedback on submissions, including those that were denied, may not be provided directly to the user but can be checked on the public GitHub repository later. \n\nFor those who submitted a report for the first time and are unsure of how to check the submission status or report, past submissions and their discussions can be viewed on the public GitHub repository and the CodeArena reports page. 
\n\nAlso, there are plans in the pipeline to further enhance the experience of certified contributors by permitting them to view submitted issues right after contest closure and to comment or give input on these issues during judging.", "Question:\nWhat is the process and schedule for the CodeArena community calls?\n\nAnswer:\nCodeArena organizes regular community calls as a platform for discussion, updates, and Q&A sessions. While the exact dates are announced following periods of significant activity (such as the recent ethcc event), these calls are typically planned for the following week. Members can participate actively by submitting questions for the recorded community calls. A specific chat channel is dedicated for this purpose, allowing members to post their questions leading up to the monthly call. \n\nThe community calls are not only interactive but are also recorded and available to watch on YouTube for those who cannot attend live. Here's a useful guide on how to record a call on a Discord voice channel: https://www.howtogeek.com/677198/how-to-record-discord-audio/\n\nAdditionally, all participants are invited to join the CodeArena community via this Discord link: https://discord.gg/5WHvfHeSwr. As part of our commitment to transparency and easy access to information, key updates related to the calls and other important events are pinned in specific channels to aid newcomers.\n\nFor upcoming community calls and other events, keep an eye on the C4 rollup in our announcements. We look forward to your participation!", "Question: How can we participate and submit questions for the next recorded community call of Code4rena?\n\nAnswer: Yes, you can definitely participate in our next recorded community call and submit questions ahead of it. We generally announce the date for the next community call following a period of regrouping after large events like the ethcc event. 
\n\nA separate chat is created leading up to the monthly call, where you can post your questions. The community call is organized for discussions and updates about our ongoing and future events, audits, contests, and platform issues. You can also ask questions about specific contests, proposal submissions, or submission rules in this chat.\n\nMoreover, we also offer the facility to record the community call on a Discord voice channel. You can find the steps for this process at [this link](https://www.howtogeek.com/677198/how-to-record-discord-audio/). \n\nIn addition, if you missed the call, you can watch the recorded community calls on our YouTube channel. If you have other questions or need further clarification, feel free to direct message someone from Code4rena. Remember, all questions related to specific topics or contests should be asked in the designated channels.", "Q: I encountered a message stating \"Status is expected to be multi_select.\" What does this mean and how can I resolve it?\n\nA: This message refers to a known issue that our team is actively investigating. It is likely related to the progression of status updates in the \"Past Contest Status Updates\" section which is represented as a timeline. If you are having issues with this status, you can create a help desk request to have it resolved. While we are working on this issue, please remember that some updates, such as adding \"Available for Hire\" status on your profile may not immediately appear due to manual steps on the backend. If you have submitted a report and are unsure of your submission status, you can check the success of your submission by looking out for an email or the ability to edit submitted findings. 
We appreciate your patience while we work on resolving this issue.", "Question: If I have a base contract that uses SafeMath for uint256, and I have another contract that inherits from this base contract, do I need to declare SafeMath again if I want to utilize its functions in the inheriting contract? Also, can this inheriting contract access the internal functions of the base contract?\n\nAnswer: In the context of Solidity and smart contracts, the directive \"using SafeMath for uint256\" is not visible or accessible in a contract that inherits from the base contract. This essentially means that if you want to use SafeMath functions in the inheriting contract, you will have to declare SafeMath again. \n\nAs for accessing the internal functions of the base contract from the inheriting contract, there is a concept of function inlining that could be utilized to save gas in smart contracts. However, for a user to directly call internal functions, a child contract needs to be written and used like wrappers, as discussed in the context of Foundry.\n\nAlso, it's important to note that if a contract is within the scope of an audit and it inherits from another contract, both of these contracts should be audited to ensure the security of the overall system. \n\nIn terms of managing your code, it was suggested in the chat that the console.sol can be imported inside the original Contract itself and not necessarily be in the x.t.sol file. This directly importing of code may allow for necessary changes to the external contracts to better suit your project requirements.\n\nLastly, the importance of code readability was emphasized, suggesting that declaring constant values can make the code more understandable. 
For instance, a line of code like 'require(abc<123)' is considered a \"magic number\" and declaring a constant value would enhance clarity.\n\nIn conclusion, while inheriting contracts can utilize the structure of the base contract, the use of libraries as in the case of SafeMath, and internal functions require specific handling to ensure security, efficiency, and readability.", "Question: If I am utilizing SafeMath on Contract B, and my contract A inherits from B, do I need to declare the directive 'using for' again in contract A? Additionally, can Contract C access the internal functions of Contract B if Contract A inherits from Contract B, and Contract C inherits from Contract A?\n\nAnswer: In the context of SafeMath and other similar libraries, the 'using for' directive is not directly visible in child contracts. As such, if you want to utilize SafeMath in an inheriting contract, you will need to declare the 'using for' directive again in the inheriting contract. This applies to any contract that is inheriting another, including in the case of Contract A inheriting from Contract B and Contract C inheriting from Contract A. \n\nFurthermore, when it comes to accessing internal functions, if Contract A inherits from Contract B, and Contract C inherits from Contract A, then Contract C should be able to access the internal functions of Contract B. However, it is important to remember that while internal functions can be called inside the contract they are defined or in contracts that inherit from the defining contract, they cannot be accessed by external contracts. \n\nIf you wish to access those internal functions externally, you might need to write a child contract and use it as a wrapper to the parent contract. This is applicable in the context of foundry and similar platforms.\n\nThese intricacies of contract inheritance and function visibility are important to understand while designing and auditing smart contracts. 
It allows for more secure and efficient contract design, while also enabling better identification and management of potential vulnerabilities. \n\nRegarding the use of SafeMath, it's worth noting that the use of \"safeTransferFrom\" depends on the token being used and the expectation of the code. It is always advisable to refer to the official documentation of the token being used for specific guidelines. For instance, you can consult Etherscan for further information: https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95. \n\nLastly, it might be beneficial to use tools such as Slither, a static analysis tool for smart contracts, to identify any potential issues in the contracts.", "Q: How can I optimize my smart contract code to manage gas consumption, particularly in situations where large input sizes could cause the contract to run out of gas?\n \nA: Contract gas optimization is a multifaceted issue that depends on several factors, from the nature of the function being called to how variables are stored and accessed. Here are some strategies that might help:\n\n1. Process Large Inputs in Batches: If a function runs out of gas due to large input, a common approach is to use a start offset and a maximum length to process it in batches.\n\n2. Gas-Optimized Functions: Some optimizations can be made based on the nature of the function. For instance, if a function first checks from storage, then checks the calldata, swapping the order might optimize gas. Also, public functions can be declared as external to reduce gas costs.\n\n3. Loop Optimizations: Excluding the increment (`++i`) in a `for` loop can reduce gas costs significantly. Similarly, using the 'unchecked' command in loops can save gas. Also, consider a mitigation strategy against unbounded loops in solidity, as explained in [this blog post](https://blog.b9lab.com/getting-loopy-with-solidity-1d51794622ad).\n\n4. 
Error Handling: Custom errors are more gas-efficient than require statements with a string in Solidity contracts.\n\n5. Variable Storage: Solidity stores state variables in 32 bytes storage slots. Packing variables into fewer slots can reduce gas costs. More about this can be read at [Solidity documentation](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).\n\n6. Function Inlining: If internal functions are called only once, they can be inlined to save gas.\n\n7. Constant Declaration: Instead of using \"magic numbers\", declaring constant values can make the code more readable and efficient.\n\nRemember that not every strategy will be appropriate or beneficial in every case, and some may depend on the environment in which the contract is running. As always, it's best to test any changes in a controlled environment before deploying them in a live contract. It's also critical to submit any issues you find in your smart contract to a QA report, as demonstrated in a recent [CodeArena report](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations).", "Question: Can I publicize my findings from a contest after it has ended, or do I have to wait until the final report is published?\n\nAnswer: CodeArena maintains a policy that discourages the public discussion of findings after a contest has concluded, before the final report is published. This is to give sponsors ample time to address and fix the issues discovered during the contest. Following a contest's conclusion, findings remain private and are reviewed and triaged immediately by our judges. The findings then await sponsor review, final judging, and Quality Assurance before being made public. \n\nWhile you may be curious about the status of your submissions, we kindly ask for your patience as the review process includes several steps: sponsor review, judge review, sponsor confirmation, the judge's final report, and the announcement of results. 
\n\nWe understand you may want to understand why certain findings may not have made it to the final report. To check this, you need to wait until the reports are published, which typically takes a minimum of one month. \n\nOur certified+ wardens have the ability to view the findings repo immediately after a contest ends. However, all participants are advised to wait for the report to be published and the findings repo to be made public before discussing their findings or checking on their submissions. \n\nRemember, the findings from the contests are confirmed and discussed after the contest ends, and they are not shared with anyone, including the project team and judge, until after the deadline passes. \n\nIt's also worth noting that while the leaderboard, rewards, and final report of a contest may not immediately appear on the C4 site after contest completion, we recommend waiting until the full public report is published before doing a write-up of some issue or bug found on a project.\n\nFinally, it's important to note that projects have access to submitted findings before the contest completion. However, discussing bugs and exploits after submissions for a contest are closed and before contest results are out is subject to restrictions. \n\nWe appreciate your understanding and cooperation with these guidelines, which are designed to maintain the integrity of the CodeArena process and allow our sponsors adequate time to respond to findings.", "Q: How can I access and understand audit reports of past contests conducted by CodeArena? \n\nA: Audit reports from past contests are available on CodeArena's website at https://code4rena.com/reports. Each report includes a title which is a link pointing towards one of the warden's reports on CodeArena\u2019s GitHub repository, allowing you to cross-reference and see findings from other wardens who found the same issue. \n\nAs a new user, it's recommended to understand these reports by reverse engineering the findings. 
This can help you understand the auditing process in detail, enabling you to contribute as an auditor in the future. For more clarification on the findings, you can refer to the findings.csv file in CodeArena's website repository. \n\nIf you're interested in learning about the upcoming audit contests, they are listed on the CodeArena website: https://code423n4.com/. You can also get notified about the new audit reports by subscribing to the suggested announcement channel #audit-reports on Discord, where a new message is posted whenever a report gets published. \n\nIf you have questions about understanding audit reports without an overall understanding of the codebase, you can engage in the audit process even before the code is complete, or ask questions about findings of past projects. Private competitive audits are also an option. \n\nCodeArena also provides a comparison between bug bounties and C4 audit contests on their documentation page, which can be found at https://docs.code4rena.com/. More specific information about team audits can be found in the teams section of the same page. \n\nRemember, not all audits at CodeArena have office hours, but CodeArena's booking team can assist you with setting up audits.", "Q: In Uniswap methods tokenToEthSwapInput, tokenToEthSwapOutput, ethToTokenSwapOutput, ethToTokenSwapInput, what do \"input\" and \"output\" mean, and how can they affect token trading, especially with regard to slippage, front-running, sandwich attacks, and other optimization opportunities?\n\nA: In the context of Uniswap methods, \"input\" refers to the tokens you transfer into a contract, and \"output\" refers to the tokens you get from the contract. These terms and methods are integral to understanding how to optimize token trading for maximizing profits, especially with potential arbitrage opportunities. 
\n\n- For instance, in tokenToEthSwapInput, you provide the EXACT amount of ERC20 tokens you're willing to transfer (input), and the minimum Ethereum you agree to receive (output). \n- In tokenToEthSwapOutput, you define the maximum amount of ERC20 tokens you agree to transfer for a specific amount of Ethereum you want. \n- In ethToTokenSwapOutput, you provide the maximum Ethereum you're willing to spend in exchange for a specific amount of ERC20 tokens. \n- Finally, in ethToTokenSwapInput, you give the exact amount of Ethereum and the minimum amount of ERC20 tokens you agree to receive.\n\nThese methods are designed to help protect against issues such as slippage, front-running, and sandwich attacks. Each method has a specific use-case and helps you define your trading strategy based on your risk tolerance and profit goals. \n\nFor example, in arbitrage opportunities, the user would have to derive the optimal input from the Automated Market Maker's (AMM) price formula, using a specific algorithm and taking into account price impacts and transaction costs. An example is given in our chat on how to calculate the optimal amount of token A to input to lower the token B/token A ratio to the fair market value.\n\nDo note that not all tokens are fee-on-transfer. Fee-on-transfer tokens remove a small fee from every transfer, which is why the tokens received by the contract might be less than the transferred amount. Also, different AMMs like PancakeSwap V2 and Uniswap V2 have different protocol fees.\n\nYou can find more information in the Uniswap documentation [here](https://docs.uniswap.org/protocol/V1/reference/exchange), and the code for PancakeSwap V2 can be found [here](https://bscscan.com/address/0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73#code). 
\n\nDo remember that understanding these methods, and their implications on your trading strategy, is key to making the most of the smart contract capabilities on platforms like Uniswap.", "Question: How do precision and pricing work in Uniswap methods and how can they impact my smart contract audit and potential arbitrage opportunities?\n\nAnswer: In Uniswap methods such as tokenToEthSwapInput, tokenToEthSwapOutput, ethToTokenSwapOutput, and ethToTokenSwapInput, terms like \"input\" and \"output\" refer to tokens being transferred into a contract (input) and tokens being received from a contract (output), as explained in the Uniswap documentation [here](https://docs.uniswap.org/protocol/V1/reference/exchange). \n\nWhile auditing smart contracts, it's essential to understand that the pricing in Uniswap is not static; there might be transactions before yours that would change the price. Therefore, the price you see initially may not be the one at block creation, potentially causing your transaction to revert if the end price is not satisfactory. This is particularly crucial when seeking to maximize profits in arbitrage opportunities, where a particular algorithm derived from the Automated Market Maker's (AMM) price formula should be used. This algorithm should consider potential price impacts and transaction costs, including protocol fees, which differ between platforms like PancakeSwap V2 and Uniswap V2. \n\nOptimizing the amount of tokens to buy using the AMM's price formula is a complex task, and sometimes requires professional mathematicians to assist in auditing these formulas. However, it's also worth noting that contract-size and gas optimization are important considerations for Ethereum transactions, not just in protocol contracts but also other contracts and non-view/non-pure functions. 
\n\nTo avoid losing precision, when coding, ensure that calculations involving decimals are handled correctly, as explained in the EIP-20 documentation [here](https://eips.ethereum.org/EIPS/eip-20). Furthermore, remember that not all tokens are fee-on-transfer, and the usage of functions like \"safeTransferFrom\" would depend on the token used and the expectations of the code. \n\nFinally, making use of automated tools to verify if a contract has been initialized on the Ethereum mainnet, to find vulnerabilities and bugs, and to compare differences between contracts can make the auditing process more efficient. However, it's important to understand these tools' limitations, as they may not account for all potential issues, such as arbitrage opportunities across multiple tokens.\n", "Q: Can you explain how the reward process works in CodeArena, particularly in the case of false positives, misclassified vulnerabilities, and duplicate bug reports?\n\nA: In CodeArena, the reward system operates on a basis of correct bug detection and classification. Real bugs are rewarded, while false positives are not. However, there's no penalty for submitting false positives, though it is discouraged. If you want to ensure your bug is real, you can write an executable test to prove it. Misclassified bugs, for instance a high-severity bug that turns out to be of medium severity, are rewarded according to the correctly assessed severity. \n\nDuplicate bug reports are also taken into account when distributing rewards. If multiple auditors report the same bug, it doesn't nullify the reward but instead, the bounty is portioned among all the reporters. This is different from a traditional bug bounty model where duplicate reports receive no rewards. The value of the bug is reduced and distributed based on the number of people who find it. The order in which wardens report a duplicate bug does not impact how much they get paid. 
\n\nThe importance of a correct and high-quality report can\u2019t be overstressed. The value of a bug is partly determined by correctly assessing its severity and presenting evidence. You can submit proof of concept (PoC) code for each bug you find, which will strengthen your report. \n\nCodeArena also believes in transparency and learning. After each contest, a report is released detailing the bugs found, and you can review these at https://code423n4.com/reports. This can give you a sense of what a high-quality submission looks like. \n\nRemember, while the reward system encourages reporting of high/medium/low severity vulnerabilities and gas optimizations, all types of accepted reports can be eligible for payouts, assuming they are of high quality and accurate with a working proof of concept. For more information about our incentive model and awards, please visit https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit.", "Question: \nI'm trying to become a certified auditor, but I'm encountering issues with the certification process. What should I do?\n\nAnswer: \nSorry to hear you're experiencing difficulties with the certification process. Our team typically responds to these issues promptly. In the meantime, here is some information which may be helpful:\n\nTo initiate the certification process, use this link: [https://code4rena.com/certified-contributor-application](https://code4rena.com/certified-contributor-application). The process involves sending your identity for verification, and once approved by Provenance, it generally takes a few days for the role to reflect on your profile. The finalization of your certification will be confirmed via email.\n\nPlease note that the process of getting the 'certified' status confirmed and added typically takes around 2 to 5 business days, but in some cases it can take up to 2-3 weeks. 
During this time, you can check your certification status by clicking your name to see assigned roles, and also through email updates.\n\nIf you believe you qualified for Certified+ but cannot find the correct submission form, or if you have not received your certification after an expected response time, we recommend creating a help desk request for assistance. A more formal process for requesting Certified+ status is currently under consideration.\n\nBeing certified not only allows you to edit your profile on Code4Arena, but it also grants access to a greater number of contests, including the 'Versus' contest, as well as backstage access, provided you meet certain qualifications. To gain backstage role, you need to create a help desk request to have your status evaluated. Furthermore, certification is required to receive rewards for submitted reports, despite the ability to submit reports without it.\n\nIf you've completed the certification process with ProvenanceDAO and participated in more than three contests, and are awaiting the upgrade to Certified+, rest assured that our team is working on this issue.\n\nIn case you're having issues receiving an email from Provenance, please make sure to check your spam folder. If the issue persists, feel free to contact us.\n\nWe appreciate your patience and encourage you to reach out if you have any more questions or need further assistance.", "Question: How is the severity of issues determined in the audit reports and what should a participant do if they disagree with the judge's decision?\n\nAnswer: The severity of identified issues in the submitted reports is primarily determined by an independent judge with deep solidity knowledge. Judges have the discretion to make changes in severity levels, and can also update the severity post-submission based on the detailed description of the issue and a self-assessment of risk by the participant. 
\n\nIn situations where there is uncertainty, participants are advised to review the judging criteria and make a case for the chosen severity using evidence. The judging criteria can be found at [https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk). \n\nIf a reported issue is submitted with a high severity but the judge disagrees and downgrades it, the issue might still be awarded unless it is invalidated by the judges for overinflating severity. Guidelines on this topic can be found at [https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions).\n\nIn case of disagreements with a judge's decision, discussions can be initiated according to the policy at [https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision). Judges are expected to provide reasons for classifying an issue as invalid or disputed. \n\nIt's important to note that the final determination of the severity of an issue can impact the award levels. The severity ranking can be found at [https://docs.code4rena.com/awarding/judging-criteria/severity-categorization](https://docs.code4rena.com/awarding/judging-criteria/severity-categorization). \n\nIn all cases, we ensure that our judges are fair and objective in their assessments. If you have any other concerns or inquiries, please feel free to ask the judges for feedback. 
It helps in understanding the reasoning behind the ruling and in improving future submissions.", "Q: How do the CodeArena reviews work in terms of awarding points to findings, categorizing them, and dealing with potential duplicates in findings?\n\nA: In CodeArena, findings are categorized into different types such as mechanism, architecture, QA, and gas optimizations. Each type has its own grading system. For instance, all valid findings for gas optimizations are weighted the same. Findings can also be graded as H/M or L/QA and added to the warden's QA report. The grading process also considers the level of impact and the quality of explanation provided for the finding.\n\nWhen it comes to duplicate findings, CodeArena has a comprehensive system in place. As seen in the \"Redacted Cartel\" contest, duplicate findings were significantly devalued. Each duplicate finding reduces the points awarded to each warden. This encourages the submission of unique, high-value findings.\n\nRegarding the categorization of findings, some findings could fit into two categories. For instance, a finding related to both QA and gas savings could be included in either report, and the judges will decide where it best fits.\n\nFurthermore, findings could be downgraded or possibly upgraded to a higher severity. The specific severity of an issue is not as important as providing a good explanation for the finding. The English level of the report also matters, as a well-written report enhances comprehension and credibility.\n\nOn the subject of code comparison, line-by-line comparisons are relevant as they help in identifying differences and understanding the impact of changes made in different versions of the code.\n\nFor specific details and nuances regarding these processes, there are dedicated discussion threads available. 
For instance, thread #8 provides detailed insights into the combination of similar issues.\n\nPlease note that while the published reports might seem identical to the ones initially reported, they could differ as the published reports are a summary of what was submitted by the wardens. Therefore, there might be discrepancies between the initial and final report. You can find more information about these processes and others in the link provided: [https://github.com/code-423n4/org/discussions/50](https://github.com/code-423n4/org/discussions/50).", "Question: What is the recommended way to submit bug findings, gas optimization reports, and QA reports at CodeArena, and can I make multiple submissions per contest?\n\nAnswer: At CodeArena, participants should ideally group all their findings and submit them as specialized reports. One consolidated report for Quality Assurance (QA) findings, and one report for all Gas optimization findings should be made. If there are Medium or High severity findings, each of these must be submitted as separate reports. This allows for a clear understanding and assessment of each bug and its severity.\n\nIf a participant finds the same type of issue multiple times, such as a Reentrancy attack or a similar kind of gas optimization, all instances of the issue should be included in a single report. If a line of code has multiple exploitations, it is unclear whether this should be reported as a single bug or multiple bugs. \n\nFor QA and Gas Optimization reports, the amount of detail required is not as comprehensive as for high severity issues. Examples of top QA/Gas reports for each of these contests can be found at [https://code4rena.com/reports](https://code4rena.com/reports). \n\nA participant can only submit one report for Gas optimization and one for QA per contest. However, if more findings are discovered, they can be added to the existing report by going to the contest page and clicking the 'Your Findings' button. 
If a QA/Gas report does not fit in a single submission request, it can be broken down into separate sends. \n\nIt's important to note that the grading criteria for submissions include correct identification of the highest severity impact of the bug, making the case for the chosen severity and validity with evidence, and clear and understandable writing. Both the quantity and quality of submissions are considered when grading QA reports, and a single item in a QA submission is unlikely to receive a high grade. You can find more details on the grading criteria at [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nLastly, it's worth noting that participants do not have to submit all reports for high, medium, QA, and gas optimization when entering a contest. They can submit as they find issues.", "Question: What are the potential issues related to EIP1967 that need to be avoided, and how are they associated with smart contract auditing?\n\nAnswer: EIP1967 pertains to standard proxy storage slots. When auditing smart contracts that utilize EIP1967, it is crucial to be cautious about several potential issues. One of the main concerns is the initialization of the contract. Since clones or minimal proxies with a fixed implementation address (EIP-1167) don't call the constructor, they require a special non-constructor initializer function to set necessary parameters. Mismanagement of this function can lead to serious security issues, such as the risks associated with depositing funds in an uninitialized contract. 
This issue was notably highlighted in the post-mortem report of the Audius governance takeover incident, which provides a real-world example of how such vulnerabilities can be exploited. \n\nMoreover, it's important to be aware of the implications of function calls and state variable changes. For instance, there were discussions about the use of \"safeTransferFrom\" in smart contracts and the categorization of severity related to state variable changes. \n\nFinally, the auditing process also entails identifying and reporting issues conscientiously. Known issues should be excluded from gas reports, and different issues should be created for different optimizations. While automated tools can be used to check if a contract has been initialized on the Ethereum mainnet, the final judgement about reporting issues often depends on the reviewer. \n\nRelevant links for more information:\n\n- EIP1967: https://eips.ethereum.org/EIPS/eip-1967\n- EIP-1167: https://eips.ethereum.org/EIPS/eip-1167\n- Audius Governance Takeover Post-Mortem: https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22", "Question: Could someone explain the issue associated with EIP1967 as mentioned in this [post-mortem article](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22) and how to avoid it?\n\nAnswer: The [post-mortem article you've shared](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22) concerns a governance takeover issue related to EIP1967. EIP1967 is a standard for the layout of proxy contracts' storage, which is a method for upgradable smart contracts. However, if not implemented correctly, it can lead to vulnerabilities.\n\nThe incident described in the article highlights the risks associated with improperly initialized contracts. 
If the initialization process is not correctly implemented or performed, it can lead to unauthorized parties gaining control as seen in this case.\n\nTo avoid such issues, proper handling of upgradeable contract findings is crucial, particularly for medium-risk vulnerabilities. This should include a thorough audit of your smart contracts. We recommend following best practices for governance mechanisms, which you can learn more about through resources like this OpenZeppelin's [webinar](https://youtu.be/6GaCt_lM_ak).\n\nAdditionally, it's crucial to understand the potential risks of depositing funds in an uninitialized contract and the categorization of severity related to state variable changes in smart contracts. You may find it useful to use tools that help understand contract interactions, like the deprecated Surya tool: [https://github.com/ConsenSys/surya](https://github.com/ConsenSys/surya).\n\nLastly, it's important to note that even if automated tools report vulnerabilities, manual audits are still essential. They help provide a thorough check and can identify issues that might not be caught by automated tools. For more information on how to perform audits, you can watch this [YouTube video](https://github.com/code-423n4/2021-08-floatcapital) or read this [blog post](https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan).\n\nRemember, exploring, understanding, and addressing potential vulnerabilities is an ongoing process in the development and maintenance of smart contracts. It's also advisable to stay updated with the most stable and secure solidity versions, aside from the latest versions.", "Question: I'm new to CodeArena and interested in joining the upcoming contests. Can you provide some tips and insights on how to proceed and best participate?\n\nAnswer: Absolutely, we welcome and encourage new users to participate in our contests. 
They are a great way to improve your skills, contribute to the community and get involved with smart contract auditing. Here are some key points to get you started:\n\n1. Just Do It: The best way to start is to jump right in. Participating in a contest can provide valuable experience, whether you're a beginner or an experienced solidity developer.\n\n2. Certified and Non-Certified Contests: Once certified, you gain access to a wider variety of contests, including certified contests. However, there are also contests that you can participate in without being certified, though certification may be required for payouts if any submissions are awarded.\n\n3. How To Join: You can check the #\u270brsvp channel on our Discord to know about upcoming contests. If you're certified and interested in joining a private contest, ensure you RSVP in the rsvp-certified channel and maintain a high position on the leaderboards from the last 90 days. \n\n4. Practice and Learn: If you're new to auditing, consider reviewing past contests to practice on and read old reports. This can give you a better understanding of what's expected. \n\n5. Participate as a Warden: You also have the opportunity to join code contests as a warden.\n\n6. Access to Backstage: To gain backstage access, you should have participated in 3 or more contests. You can also meet the requirement for backstage+ by participating in a minimum of 3 contests.\n\n7. For Specific Queries: If you have specific questions about the scope of a contest, you can address these to the respective sponsor. \n\n8. Stay Updated: We're planning to implement a new submission mechanism in upcoming contests. There's also interest in creating a notification system, such as a Telegram bot, for announcing new contests. \n\nRemember, each contest is unique and may have different requirements, so always read the relevant posts for more information. 
For example, there were questions about a contest referred to as the \"steakhouse contest\", and participants were suggested to read relevant posts for more information. \n\nWhether it's our ongoing Spartan Protocol contest, future contests involving the programming language Rust, or our intrigued Bot Races, you can ask questions directly or engage in open discussion. Happy coding and best of luck in the contests!", "Question: How can I participate in a contest, submit my findings, and track the status of my reports?\n\nAnswer: CodeArena hosts regular contests which you are encouraged to participate in. To submit your findings in a contest, navigate to the contest page and click on the 'Your Findings' button. If you face difficulty submitting your findings, trying different browsers can sometimes help. After your submissions, you can edit your findings using the same 'Your Findings' button. \n\nYou can also keep track of your past reports and see when your findings are edited. Feedback for your submitted findings will be available to provide you with insights for improvement. If you are interested in how your findings were judged, you can review the findings of other wardens once the findings repository becomes public. This will give you a sense of what judges look for in determining which reports get featured in the client report.\n\nRemember, too many unsatisfactory submissions might result in penalties, hence it's crucial to make your submissions meaningful and valuable. 
If you're new, you might find it useful to review previous competition findings to understand areas to focus on; here is a link to a previous competition finding: https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137.\n\nFor viewing all submissions after a contest, and for any specific queries like the significance of a yellow icon, how to participate in bot races, or concerns about privileges based on user roles, we recommend referring to our specific guidelines or feel free to ask in the chat. We also have a \"scout\" role that pre-sorts the repo and provides a summary document to the sponsor. \n\nLastly, please be cautious about the security of your account, avoid clicking on any suspicious links and report any spamming to us immediately. We hope you enjoy participating in our contests.", "Question: What are the most stable and secure versions of Solidity, apart from the latest version, and what resources can I use to learn and audit smart contracts written in these versions?\n\nAnswer: The latest versions of Solidity are always recommended for the most updated security features, but it is acknowledged that some users may have constraints that require them to use older versions. Until Solidity 8.0, fuzzing tools were commonly used for auditing as they helped to find vulnerabilities and bugs. However, with the implementation of an overflow/underflow check at the language level in Solidity 8.0, the usage of these tools has decreased. \n\nFor understanding the syntax and programming of these older versions of Solidity, resources like Solidity by Example (https://solidity-by-example.org/0.6) and the Solidity documentation (https://docs.soliditylang.org/en/v0.7.5/) are recommended. \n\nStatic security testing is another important part of auditing smart contracts. Tools like the Solidity linter and Remix can be used for this purpose, checking the contract code for compilation warnings without directly interacting with it. 
\n\nFor additional practice, The Ethernaut challenges and Damn Vulnerable DeFi offer practical training for understanding advanced Solidity and DeFi industry standards (https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/). If you're a beginner, consider starting with resources like CryptoZombies.io and CaptureTheEther.com.\n\nStatic analysis tools such as Slither can also be of great help in auditing smart contracts. And for contracts downloaded from GitHub, tools like Mythril and Slither are available. \n\nTo share vulnerabilities found, users typically provide either a URL to the repository with a line number or a Solidity code block. To learn more about web2 security in the context of web3 security, exploring resources on the Geth node is recommended. For potential price manipulation vulnerabilities in smart contracts, you might find the tool MetaTrust (https://app.metatrust.io/project) useful. \n\nFor those new to smart contract security, yAcademy has been recommended over Spearbit DAO. And to further your understanding, there are books and certifications available in smart contract security. Always remember, the more you learn and practice, the more secure and robust your contracts will be.", "Question: How can I submit multiple findings for the CodeArena audit contest and edit or modify these findings after submission?\n\nAnswer: As a participant in CodeArena's auditing contests, you have a few options for submitting your findings. You can choose to submit multiple findings as separate issues or compile all your findings into a single report. This includes gas findings, QA findings, low-risk, high-risk, and even non-critical ones. If you are participating as part of a team, you have the option to submit findings as an individual or as a team member. \n\nIf you have already submitted a low-risk finding, you can continue to submit additional findings thereafter. 
To submit your findings, navigate to the respective contest page on our website and fill out the form for each contest.\n\nOnce you have submitted your findings, you can edit or modify them through the \"Your Findings\" button on the contest page. For instance, you can update the format of your findings or include a proof of concept in a gist file. If you have submitted more than one high-risk finding in the same audit but they have the same root cause, they will be counted as one.\n\nRemember, only one combined report of gas optimization can be submitted per contest. However, more findings can be added to the report by going to the contest page and clicking the 'Your Findings' button.\n\nFor detailed instructions, please refer to our official documentation: https://docs.code4rena.com/. If you need to cross-reference your findings and payouts, you may refer to the findings.csv file at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. After you have submitted your findings, expect a follow-up for feedback on your submissions.", "Question: How can I become a Certified Warden at Code4rena, and what processes or resources are available for new and existing wardens?\n\nAnswer: Becoming a Certified Warden involves a few steps. Firstly, you can find guidelines on how to register as a Warden at https://docs.code4rena.com/roles/wardens. After submitting an application, the timeline for receiving KYC mail can vary. If you're facing issues with receiving an email from Provenance, try checking your spam folder. \n\nRegarding warden resources, they largely focus on Solidity tutorials, but questions about the availability of other resources like Cosmos-related learning resources have been raised. It's also possible to view reports from other wardens who found the same issue, even after contests have ended. \n\nNew functionality in Warden profiles includes private invites. 
Questions about topics such as this, as well as the Certified Warden process, can be asked directly to Code4rena. It's worth noting that there has been some confusion about the Certified Warden application and response email, as the documentation referring to email communications from Provenance should have been updated across all instances.\n\nIn case of issues or concerns with a report, you can seek clarification from other wardens. If you're experiencing issues with new warden registration or bug submission, we encourage you to communicate directly with our staff for further clarification. If you have other questions related to warden registration, changing the wallet attached to your user account, and other FAQs, you can check out https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting. \n\nIf you don't find what you're looking for, you can submit a help request at https://code4rena.com/help. This can also be used for concerns such as whitelisting wallets. Remember that you can become a certified warden regardless of your nationality.\n\nFor more information about Certified Wardens, you can refer to our documents (docs). If any inconsistencies or issues are identified, we'd greatly appreciate your feedback, as we're always looking to improve our process and resources.\n", "Question: Where can I find the GitHub link for all approved findings, gas optimizations, and the process for submitting these issues?\n\nAnswer: The GitHub link for all approved findings and gas optimizations can be found in the C4's public repository: [https://github.com/code-423n4](https://github.com/code-423n4). Specifics about gas optimizations are detailed in this section: [https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md). 
The list of optimizations/L1 issues that are looked for in audits can be found here: [https://github.com/Picodes/4naly3er/tree/main/src/issues](https://github.com/Picodes/4naly3er/tree/main/src/issues). \n\nRegarding gas optimizations, it is recommended to compile multiple suggestions into a single report. However, if an optimization can be applied in more than one line of code, it should be reported as one finding with all applicable lines mentioned. It's also recommended to report any gas optimizations separately, with the amount of gas saved for each finding potentially needing to be included in the report. \n\nFor the process of submitting issues, you can refer to the submission policy here: [https://docs.code4rena.com/roles/wardens/submission-policy](https://docs.code4rena.com/roles/wardens/submission-policy). You can make submissions of gas optimizations in contests, and all the past submissions can be found in any repository ending with -findings on the CodeArena GitHub. \n\nRemember, each audit report can be viewed on GitHub, with each report title being a link pointing to the report. Also, you can ask for clarification on gas optimization, and all valid findings for gas optimizations are treated equally. For more information about specific gas-related topics like gsset and gscoldsload, you can check here: [https://github.com/wolflo/evm-opcodes/blob/main/gas.md](https://github.com/wolflo/evm-opcodes/blob/main/gas.md).", "Question: What is the scope of the audits conducted by CodeArena, do they only audit the contracts or also the script folders in the GitHub repo contract folders?\n\nAnswer: The scope of audits conducted by CodeArena primarily focuses on smart contracts. However, it can slightly vary from one audit to another. For each contest, the README.md file gives a detailed outline of what falls in the scope of auditing and what does not. It's recommended to always check this file to understand the requirements for a specific audit. 
\n\nFor instance, a previous audit for PoolTogether had two contracts in scope which were detailed in the README.md of the respective repo. If a contract is in scope and it inherits another contract, both contracts should be audited. \n\nWhile the focus is on smart contracts, CodeArena also acknowledges the importance of other elements like script folders within a GitHub repo. Auditors are allowed to fork the codebase and create a private repository on Github to facilitate their auditing process.\n\nAs for tools, auditors use a range of them, including diff commands to spot differences between contracts and fuzzing tools. Some auditors also use resources for testing such as Mythril and Slither. Beginners who seek guidance on using these tools or understanding contract auditing can refer to the resources available on CodeArena's website.\n\nFindings from completed audits are made accessible on the C4 GitHub repo. Despite the availability of automated tools, manual audits are still crucial as they offer a more comprehensive analysis and can uncover vulnerabilities that automated tools might miss. \n\nRemember, the contracts you'll be auditing are real and will be deployed after being audited. Our goal is to ensure the highest level of security for these smart contracts, which can span across various platforms, including products built on Polygon.\n\nCodeArena's scope isn't just limited to audits. We also conduct smart contract gigs. We're always open to expanding our services, so keep an eye on our updates.\n\nNote: Any further questions or need for clarifications can be addressed on our Discord channel or through our official communication channels. 
For a detailed introduction to smart contract auditing, you can watch this YouTube video: https://www.youtube.com/watch?v=wCD3fOlsGc4\n", "Question: What is the meaning and significance of \"in scope\" and \"out of scope\" in the context of CodeArena's smart contract audits and how does it impact the contest and the audit process?\n\nAnswer: \"In scope\" and \"out of scope\" are terms used within the CodeArena smart contract audits to determine what parts of the code need to be audited and what parts are not to be audited. The \"in scope\" components are subject to audit, while the \"out of scope\" components are generally excluded from the audit. The \"scope\" is decided by the sponsors of each contest and is listed in their contest information. An example of a scope description for an audit can be found [here](https://github.com/code-423n4/2022-07-golom#scope).\n\nIf there's a vulnerability in a contract that's in scope but it impacts another contract that's out of scope, it's up to the judge to decide whether it will impact the awarding of the contest. Similarly, a vulnerability in an out-of-scope contract can still be reported and may be brought in scope by a judge, depending on the impact it might have on the overall code. If a contract is within the scope of an audit, it is subject to audit, even if it inherits from another contract. Apart from the code, web applications might also come under the scope of certain contests.\n\nThe README.md file for each contest is supposed to explain what is in scope and what is not. Participants can openly discuss issues with the sponsors before the contest is finished, including questions about what is considered in-scope or out-of-scope.\n\nIt's worth noting that the scope of an audit takes into account the current state of the project and may not include vulnerabilities pertaining to deployment or early actions like initializers. 
Vulnerabilities found in out-of-scope contracts can be included in the C4 report as an unrewarded finding or the project can be directly messaged.", "Question: Can you explain the concept of \"out of scope\" in the context of a smart contract audit, and what happens if a vulnerability is found in an out-of-scope contract?\n\nAnswer: The term \"out of scope\", in the context of a smart contract audit conducted by CodeArena, refers to parts of the code that are not to be audited. These are typically outlined in the README.md file for each contest, with a clear delineation between 'In scope' (to be audited) and 'Out of scope' (do not audit) parts of the code. An example can be seen [here](https://github.com/code-423n4/2022-07-golom#scope).\n\nWhile the main focus is on the 'in scope' contracts, if a vulnerability is found in an out-of-scope contract, it can be reported. However, there is no guarantee of an award for such a finding. This decision is generally up to the judge. If the bug affects another contract that is 'in scope', an award might be given, again at the judge's discretion.\n\nThere are also certain scenarios where the 'out of scope' rule applies, such as known issues posted in the contest channel, vulnerabilities pertaining to deployment or early actions for projects with already deployed code, and findings listed in the best bot-generated report. \n\nParticipants can openly discuss issues with the sponsors before the contest is finished, including severity and in-scope/out-of-scope questions. If there's a specific question about the scope for a contest, it can be addressed to the respective sponsor. \n\nThe scope for the contests is decided by the sponsors and is listed in their contest information. 
It's important to note that an audit of a project takes into account the current state of the project, and the scope may vary accordingly.", "Question: Why isn't my warden name appearing when I try to submit findings?\n\nAnswer: Your warden name may not be appearing due to a few possibilities. First, you need to ensure that your warden registration has been fully completed, as the handle will not appear until this process is finished. Additionally, it is important to note that changing your username could potentially affect your registration as a warden. \n\nOnce your registration is complete, you should be able to see buttons labeled \"View Repo\" and \"Submit Findings\" for use. To submit findings, you might need to connect your wallet to your account and have a username and password, which you can set up using GitHub. The process of submitting findings follows a documented process available at https://docs.code4rena.com/roles/wardens/sub. \n\nIf you are a certified warden, you will have access to your submission and the comments thereon after the announcement once the repo is set to public, unless you are certified for backstage access, which allows you to observe the report submission and triage process. \n\nPlease note that once findings are submitted, they are not disclosed to other competing wardens, and the final report for a contest does not include wardens whose submissions/findings are not accepted. If you're having issues with your warden registration or bug submission, don't hesitate to communicate directly with staff for further clarification.", "Question: Can someone explain what 1e36 means in Solidity and its benefits?\n\nAnswer: In Solidity, 1e36 is a representation of a large number which is equivalent to 10**36. This is a form of scientific notation and is commonly used for handling large numbers in calculations within Solidity code. 
The key advantage of using this notation is that it is more gas efficient, which is crucial in Ethereum-based applications as it directly translates to the cost of executing transactions. This gas efficiency is achieved because calculations with large numbers require more computational power and hence more gas, but representing the number in scientific notation reduces this cost. Additional information about this can be found in the Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.15/types.html#rational-and-integer-literals).", "Question: What is the purpose and significance of 1e36 in calculations within Solidity code?\n\nAnswer: In Solidity, 1e36 is a shorthand notation used to represent a large number, specifically equivalent to 10**36. This method of representing big numbers is more gas-efficient, which is a critical factor in writing Solidity code due to the cost associated with executing transactions on the Ethereum network. This gas-efficiency comes from the need to optimize storage, as every slot in the Ethereum Virtual Machine (EVM) is 32 bytes and it is generally recommended not to initialize default variables to 0 to save gas. For additional details about gas-efficiency and storage considerations in Solidity, you may refer to the Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.15/types.html#rational-and-integer-literals) and the details about layout in storage [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).", "Question: What is the process for reporting vulnerabilities in smart contracts audited by CodeArena, and is it necessary to provide a solution or mitigation for each vulnerability?\n\nAnswer: At CodeArena (C4), when a vulnerability is identified in a smart contract during an audit, it is recommended to provide a solution or mitigation for each vulnerability, particularly for medium and high severity findings. 
However, providing a solution is not strictly mandatory; the key is to identify the issue and explain it well. A recommended fix can be considered a bonus or a \"gift\" for the sponsor, and it doesn't affect the criticality of the vulnerability.\n\nDuring the audit, if a vulnerability is found that is difficult to address without major modifications to the protocol, it can still be reported. Recommendations for mitigating such issues are appreciated, but not required. Additionally, if a single line of code has multiple ways of exploitation, it can be reported as one bug or multiple, depending on the discretion of the auditor.\n\nFor non-critical findings, users are encouraged to group them all in one Quality Assurance (QA) report. The QA report should be separated from the Gas report. The QA category includes both \"low\" and non-critical vulnerabilities. For each report, users should include the issue, its description, Proof of Concept (if necessary), and mitigation (if necessary). \n\nIt's worth noting that currently, there's more incentive for reporting high/medium/low severity vulnerabilities and gas optimizations, as sponsors show more interest in these areas. There's no direct incentive to report non-critical findings. \n\nAs for the submission of findings, users can attach screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected code. If a vulnerability is discovered in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding or the project can be directly messaged.\n\nFinally, automated tools can be used to help find vulnerabilities and bugs in smart contracts, but manual auditing is still necessary. Automated findings do not necessarily affect the contest, but could potentially introduce bugs through mitigation efforts. These bugs should be reported as well. 
\n\nIt is worth noting that the way these audits and reports are handled may change over time, as C4 strives to ensure fairness for all participants, including newcomers. Therefore, it's wise to keep an eye on updates pertaining to the handling of reports.", "Question: Can you provide a detailed explanation of the \"value\" parameter in \"eth_call\" and its applications including how it might interact with other functions like delegatecall?\n\nAnswer: The \"value\" parameter in \"eth_call\" is the amount of Ether sent with the message call. This is similar to how eth_sendTransaction works. Although \"eth_call\" is frequently used to call read-only view functions, it can also simulate state-changing transactions. For instance, if you want to simulate calling a payable function, you might need to set \"value\" to simulate sending Ether. \n\nIn relation to other functions, \"eth_call\" could interact with functions like delegatecall. For instance, delegatecall's return value and what happens when a revert occurs in the target function can be significant when using \"eth_call\". \n\nMoreover, when using \"eth_call\" in different contexts like a web3 console, the calling convention used can differ from what is actually called on the contract in the Ethereum Virtual Machine (EVM). \n\nIt's also worth noting that the calldata arguments could be used for external/public functions and also for sending calldata data pointers to internal and private functions. This means that the calldata argument in an internal function is just a pointer.\n\nFor a detailed guide on how the \"eth_call\" function works, you can refer to this video tutorial shared in our chat: https://www.youtube.com/watch?v=bEUtGLnCCYM. 
\n\nFurther, if you want to understand how functions like delegatecall work with storage, you can find more information in the Solidity docs and the Geth source code at https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302.\n\nBear in mind that this is a complex topic. You might want to do further research or ask more specific questions if there's something you don't understand.", "Question: How can we post questions and engage in discussions in the lead up to the monthly community call at CodeArena?\n\nAnswer: Yes, you can certainly post questions and engage in discussions before the monthly community call at CodeArena. A dedicated chat is created where members can submit questions for the next recorded community call. However, as chat is ephemeral, it is recommended to ask questions on the forum post itself for a more comprehensive answer.\n\nFor questions related to specific topics or contests, there are designated channels where you can ask. Each contest has a channel where general queries can be asked, and sponsors' team members are available for questions via Direct Message (DM). If you have specific questions or need direct consultation, you are encouraged to direct message (DM) someone from Code4rena. \n\nIn addition to these, you can also participate in community calls and office hours for direct discussions and updates. For example, an office hour for GoGopool was planned where users could ask questions if they participated. \n\nRemember, engaging in these discussions not only helps to answer your questions but also allows you to contribute to the community's dialogue, making it a valuable resource for other users.", "Question: Can you provide guidance and resources on how to format and submit gas/QA reports in CodeArena?\n\nAnswer: Sure! For formatting your gas/QA reports, you should primarily use markdown. 
Specific examples to guide you can be found in every repository with 'findings' in the name on our GitHub page [here](https://github.com/code-423n4). Additionally, the top winning examples from each contest are included in the reports at [CodeArena Reports](https://code4rena.com/reports).\n\nFor submissions, it is recommended to compile one comprehensive report for gas and another for Quality Assurance (QA). These reports should be submitted separately for each contest. You have the ability to group all related issues together in a single report and also edit existing findings. If your report exceeds the maximum character count for the submission form, you can submit a placeholder and send an email with your report as explained [here](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form).\n\nPlease note that while there are no stringent guidelines on formatting, your reports are expected to be specialized and detailed, especially for medium and high severity findings. Lower severity issues, like those in QA and Gas Optimization reports, may not require as comprehensive detail. \n\nWe also have a video guide available [here](https://www.youtube.com/watch?v=nady250cNo4) that gives additional insights on preparing a Gas and QA report. \n\nIf you're unsure about the grading system or criteria for winning, you can request an example of a top-3 finish report from past contests. 
Also, a spreadsheet for the award formula can be found [here](https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0).\n\nLastly, specifics about QA/Gas report submissions and the incentivizing model can be found at [Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#report-format) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards) respectively.", "Q: How can I best prepare for Paradigm CTF and improve my skills in advanced solidity and defi industry standards? Which resources are recommended for beginners and advanced learners alike?\n\nA: To prepare for the Paradigm CTF and to enhance your skills in advanced solidity and defi industry standards, the Ethernaut challenges (https://ethernaut.openzeppelin.com/) and Damn Vulnerable DeFi (https://www.damnvulnerabledefi.xyz/) are highly recommended. These resources provide real-world experience that can be very valuable. \n\nFor those who are new to smart contract bug bounty hunting, https://cryptozombies.io/ is a great resource for learning solidity, while https://capturetheether.com/ offers Capture the Flag challenges to hone your skills. \n\nIf you're interested in learning more about solidity compiler or the testing framework of Hardhat, the Codecademy Javascript testing module and the Alchemy University's Ethereum Bootcamp in week 4 can be useful. For those wishing to gain expertise in upgradeable contracts, https://proxies.yacademy.dev/ is a great resource. \n\nFor more comprehensive understanding, resources for studying the Geth node and Web2 security in the context of Web3 are also significant. \n\nBooks or certifications about smart contract security can be a good addition to your learning journey. 
For a detailed guide on starting as a smart contract auditor, refer to these resources: https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources.\n\nIt's also advised to participate in competitions and forums to ask questions and discuss challenges. Remember, the amount of time it takes to learn the basics and start finding bugs in smart contracts varies based on your prior experience and learning capabilities. Always practice and learn from others to improve.", "Question: I've discovered a medium-risk issue in the golem event and need to report it. What's the process for providing a link on the finding form and what should I consider when reporting this?\n\nAnswer: If you've found a medium-risk issue, you can report it using the finding form on the Code4rena website. In case your Proof of Concept (PoC) or related code snippet is too large to be embedded directly in the issue, you can create a permanent link to this code snippet and provide this link on the form. Here is a guide on how to do this: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-a-permanent-link-to-a-code-snippet#linking-to-code.\n\nMake sure to consider the impact of the bug while labelling its severity. You can refer to our guidelines for estimating risk here: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. It's important to understand that if you're using automated tools for attack findings, there is a higher burden of proof needed to demonstrate a relevant exploit path. More information about this can be found here: https://github.com/code-423n4/org/discussions/50. \n\nYou can calculate the reward for a medium/high finding using the formula we provide here: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. \n\nOnce you've submitted, if you wish to check the status of your report, use this link on the Discord channel. 
If your report exceeds the character limit, you can submit a placeholder and then email us. Details for this process can be found here: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form. \n\nRemember, if you find something and have questions, don't hesitate to reach out to the sponsor team during the contest. You can disclose a vulnerability directly to them, but you also need to submit it through the contest submission form to be eligible for awards.", "Question: Why are Quality Assurance (QA) reports not included in the CodeArena leaderboard ranking, and what criteria does the leaderboard follow?\n\nAnswer: \nThe CodeArena leaderboard, available at https://code423n4.com/leaderboard/, primarily reflects the accomplishments and performance of individual wardens or teams during audits and contests. However, the leaderboard may not accurately reflect some aspects of a user's contribution, such as Quality Assurance (QA) reports, because it mainly focuses on contest results.\n\nWhile QA reports are an essential part of the auditing process, not all of them are eligible for rewards or inclusion in the leaderboard ranking. For instance, QA reports that largely include automated bot findings without significant additional explanation or details are not eligible for QA report rewards. This could be a reason why some users' reports are not mentioned in the responses or on the leaderboard.\n\nThe leaderboard ranking is also influenced by other factors such as the LPT reward, judge payment, and lookout/scout payment. Furthermore, findings submitted under a user's current handle or username are not moved to another account, which means your standing on the leaderboard is not transferable.\n\nThe leaderboard gets updated every time awards are announced. However, not all contest types are currently supported. 
For example, private, versus, and mitigation audits do not currently impact the leaderboard, although there has been a discussion about including them in the future. \n\nTo gain permission to audit private contests, one typically needs to be certified and also rank on the leaderboard. The criteria for a top-3 finish in either the QA or gas report from past contests can be checked by the organization upon request. \n\nThere have been concerns raised about the leaderboard's accuracy and completeness, including the fact that it does not reflect FactoryDAO even though findings.csv has been updated and does not have the Sublime contest. The company has stated that it's working on these issues. \n\nFor further information and clarification on the incentive model, awards, and leaderboard ranking, please visit the FAQ page at https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq.", "Q: I've submitted my findings to a CodeArena contest and got confirmation but I can't see or edit it under the FINDINGS tab. What should I do?\n\nA: It seems like some of our users have experienced similar issues with viewing and editing their submitted findings. Once you submit a finding for a contest, you should receive a confirmation email. To view or edit your submitted findings, navigate to the contest page and click on the \"Your Findings\" button. For example: [https://code4rena.com/contests/2023-02-ethos-reserve-contest](https://code4rena.com/contests/2023-02-ethos-reserve-contest). It's important to note that your submissions are editable only while the audit is still open. After the contest has closed, you won't be able to edit your findings and any required changes need a help desk request.\n\nSometimes, it may take a while for a submission of a finding to be confirmed via email. If your submission fails, the form should return an error. Also, it's possible that you may not see your findings immediately after submission due to a delay in loading the data. 
If you believe there's an error, you can resubmit your finding and then create a help desk request for us to withdraw your invalid submission. Furthermore, if you want to retract your submission, you can do so on the contest page under the \"Findings\" tab.\n\nLastly, it's worth noting that there is an ongoing discussion on potentially allowing authors to edit their findings even after the contest has closed. But as of now, that feature is not yet implemented. We appreciate your patience and understanding as we continuously work on improving the platform to serve you better.", "Question: How can I check my submissions, receive confirmation, and possibly edit them in CodeArena?\n\nAnswer: After you have submitted a report to CodeArena, you should receive a confirmation email from submissions@code423n4.com within a few minutes. However, there may occasionally be delays. If you do not see the confirmation email in your inbox, please check your spam folder as well. \n\nYou can check the status of your submissions on the C4 Contest page under the \"Findings\" tab. This will also allow you to view all the reports you submitted during the competition. You can access this page at https://code4rena.com/reports. After submitting a bug, you can also view or edit your own submissions on the site for open contests. If you wish to edit a submission, navigate to the contest page and click on the 'Your Findings' button. \n\nPlease note that while you should receive an email regardless of whether your submission is valid or not, it may take some time for a submission of a finding to be confirmed via email, especially if there was an error with the initial submission. \n\nIf you have any issues or further inquiries, don't hesitate to reach out to our team. 
We are here to help!", "Question: How can I view, check, and edit my submissions on the CodeArena platform?\n\nAnswer: Once you've submitted your findings in a contest on the CodeArena platform, you can view and edit them by navigating to the specific contest page. There is a \"Your Findings\" button on the contest page, which allows you to view and modify your submissions. For instance, you can visit the Ethos Reserve contest page here: https://code4rena.com/contests/2023-02-ethos-reserve-contest. Submissions can be edited until the close of the contest. You will receive an email confirming the success of your report submission, and you can also track your report status on the platform. If you need to delete or remove a finding, this option is likely under the 'edit' button in your submissions section. For further details on editing submissions, you can refer to this announcement: https://discord.com/channels/810916927919620096/810929015509483554/1002648649135824906. If you are unsure about a submission, it's recommended to direct message specific identified individuals rather than trying to contact judges directly.", "Question: How can I follow the process for submitting findings, get notified when reports are published, and track the status of my submission on CodeArena?\n\nAnswer: CodeArena has a detailed process for submitting findings, which is outlined in the announcement provided on our Discord chatroom: https://discord.com/channels/810916927919620096/810929015509483554/1002648649135824906. Following these steps, you can edit your submissions. After submission, you can expect to receive an email receipt as confirmation. \n\nIf you didn't receive an email, it's possible there were some system load issues or glitches in the submission process. If such issues persist, you may want to seek alternative methods of submission, like through our form on the website, especially if you're awaiting warden verification. 
\n\nTo keep track of your submission status or to check your report, look out for follow-up emails or the ability to edit submitted findings. If you're unsure about the severity of an issue you've reported, you can expect follow-up from our team to discuss it further.\n\nTo get notified about new reports or updates, keep an eye on our Discord channel or the homepage of CodeArena. The timing of the publication of new reports can vary due to changes in our report and rewards calculation system. However, we aim to publish a batch of reports as soon as they are compiled.\n\nPlease note, if you submitted a finding close to a contest deadline, there might be delays in processing or publicizing your submission. We are working on improving procedures for sensitive disclosures and will be announcing updates soon. The timing of contests, audits, and reward distribution (for instance, like the nested finance audit contest) are shared in advance via our communication channels, including our Discord chatroom.\n\nIn case you're participating in a contest involving a large sloc (source lines of code), please note that the timeline might be extended. For instance, a contest involving over 12k sloc was extended to 4 weeks. \n\nWe understand that this process might seem daunting, especially if you're a first-time participant. Rest assured, the CodeArena community and our team are here to help you navigate this process. We regularly hold office hours and are always available on Discord to answer your queries.", "Question: \nWhat is the process for becoming a certified auditor at Code4Arena and how long does it typically take?\n\nAnswer: \nThe process for becoming a certified auditor at Code4Arena involves a few steps. First, you need to read the document at [this link](https://docs.code4rena.com/roles/certified-contributors) and fill up the necessary forms there. This process includes sending your identity for verification. 
To be eligible for certification, you must encounter at least one high-severity bug and compete in at least three contests. \n\nAfter completion of these steps, if your application is approved by ProvenanceDAO, you will be granted the 'certified' status. It typically takes approximately 2-5 business days for the role to reflect on your profile. However, from start to finish, the process can take around 2-3 weeks. \n\nOnce certified, you are granted access to participate in more contests, including private audits, and can be eligible for payouts upon completion of these contests. Each individual team member needs to be certified in order to be eligible for the payout. Certified status does not require a full-time commitment; it simply indicates that your identity has been verified.\n\nIn addition, you can apply for Certified+ status once you have a high finding by contacting the organization through the help desk form. The criteria for becoming Certified+ may include stringent requirements such as being in the top 3 in 3 contests or making a high finding. \n\nYou should note that the certification process must be completed within 30 days of the end of the audit in order to receive their payout. Users will receive an email once their certification has been finalized, and those with certification can edit their profile accordingly. \n\nAs of now, approximately 150 contributors have undergone and been certified through this process.", "Question: As a new user, how can I check the number of wardens that have submitted a specific issue and the corresponding bounty?\n\nAnswer: To view the number of wardens that have submitted a specific issue and the corresponding bounty, you can visit the Code4rena website and click on the \"View Repo\" button. This will take you to the repository where the issue has been documented. Please note that the more wardens find the same issue, the less money each warden receives for this issue. 
This is part of Code4rena's incentive model, which you can read about in detail [here](https://docs.code4rena.com/incentive-model-and-awards). \n\nIf you're a certified warden, you can also see other submissions immediately after contests end. Moreover, if you achieve a certain level of contribution, you'll have backstage access to see submitted reports on Github during the triage process. \n\nRemember, to submit your findings, you need to connect your wallet to your Code4rena account. If you're part of a team that submits a finding, one payment will be issued and your team will decide how to distribute the reward. You can find more information on this [here](https://docs.code4rena.com/roles/wardens).\n\nFor a thorough understanding of the submission process, please review the submission guidelines [here](https://docs.code4rena.com/roles/wardens/submission-policy). To see what other wardens are earning, you can check out the leaderboard [here](https://code4rena.com/leaderboard). \n\nIf you're facing any issues with registration or bug submission, don't hesitate to reach out to the staff directly for clarification. Welcome to Code4rena!", "Question: What is the process and impact of finding a bug in an in-scope contract that affects an out-of-scope contract and how does it affect the bounty reward?\n\nAnswer: If a bug is found in a contract that's within the scope of the audit but it impacts another contract that is out of scope, the decision on whether the impact will count is generally up to the judge. This also applies to vulnerabilities in out-of-scope contracts that affect a main, in-scope contract. \n\nThe severity of the bug, its impact on the overall system, and the potential for exploitation are all factors that the judge may consider. 
The CodeArena guidelines for estimating risk can be found [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr).\n\nIf a vulnerability is identified in an out-of-scope contract, it can be reported, and may sometimes be included in the CodeArena (C4) report as an unrewarded finding, or the project can be directly messaged about the issue. However, if multiple auditors find and report the same bug, the bounty is shared among them.\n\nThe scope of the audit is important because the contest pot relies in part on the number of lines of code in the contract, and wardens are interested in maximizing the pot while minimizing the scope. In this context, 'In scope' refers to code sections that are to be audited and 'Out of scope' refers to sections that are not to be audited. A specific example of outlining the scope for an audit is provided [here](https://github.com/code-423n4/2022-07-golom#scope). \n\nIn the case of inheritance, if a contract is within the scope of the audit, it is subject to audit, even if it inherits from another contract that may not be in scope. Ultimately, the inclusion of a bug from an out-of-scope contract or its impact on in-scope contracts in the final report and its effect on the bounty reward is determined by the judge's discretion.", "Question: How can I access the details of bug findings and their associated rewards from past contests at CodeArena?\n\nAnswer: CodeArena maintains a comprehensive list of all bug findings and their payouts from past contests. This information can be found at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. This file allows participants to cross-reference with the contest reports. \n\nHowever, please note that this list does not specify the payout for each bug in individual contests, and the payout for a bug is not different for the first finder versus subsequent finders. 
The overall value of the bug is reduced and split depending on how many people find it. \n\nDetails about rejected findings or others' findings after a contest finishes are currently not available for viewing after the contest ends but before the results are published. However, known automated findings not accepted in the contests are listed in the \"Known Findings\" section of the Readme page for each contest. \n\nParticipants can track their report status and see and edit their findings in the \"findings\" tab next to the contest description. They can also withdraw their findings under \"your findings\" on the contest page. \n\nOnce a contest is closed, there is a certain period of time before the findings repo becomes publicly available for discussion. The specific findings for an already paid contest are made public when the report is posted.\n\nUnfortunately, there currently isn't a feature to view all submissions after a contest or to see previously available information in \"_data/contests/contests.csv\". \n\nWe understand that there are inquiries about the rewarding formula for the mitigation contest, viewing submission replies, and the status of pending rewards; we are considering these for future improvements. In case no high or medium issues are found in a contest, discussions are ongoing about what happens to the reward pot. \n\nTo submit findings for current contests, you can use the form on the website for each contest. We encourage participants to name their findings with a number to assist our judges. \n\nYou can also view past contest awards at https://code4rena.com/contests/2023-01-numoen-contest. We appreciate the suggestion of creating a leaderboard and are looking into it.", "Q: What are some recommended resources, including Telegram groups, for learning about blockchain security, smart contract auditing, and preventing future attacks?\n\nA: Rekt and LobsterDAO are highly recommended Telegram groups for blockchain security discussions. 
You can access Rekt's Telegram group via this link: https://t.me/Rekt_HQ. \n\nFor those interested in blockchain forensics analysis, especially related to incidents in smart contracts, tools like https://app.metatrust.io/project can be beneficial. This smart contract scanning tool can help detect price manipulation vulnerabilities.\n\nFor those seeking to enhance their knowledge through books and certifications, yAcademy is an excellent start, particularly for individuals new to smart contract security. Other recommended resources include GitHub repositories like https://github.com/transmissions11/solcurity and https://github.com/Tomosuke0930/C4-report-categolized. \n\nIf you're interested in understanding Geth node and Web2 security in the context of Web3, it might be helpful to note that some web2 security topics also apply to web3 security. \n\nFor those seeking practical exposure, websites like CryptoZombies.io and CaptureTheEther.com offer interactive learning resources for smart contracts and solidity. You might also consider participating in contests to see multiple designs and best security practices for different platforms.\n\nIf you're contemplating a career in smart contract security or web2 security, focus on what you enjoy and are genuinely interested in, not just potential earnings. And remember, whether you're an expert or beginner, channels like #\ud83c\udf33everything-evm can be a great place to post your questions and engage in discussions.\n\nLastly, CodeArena specializes in contract audits in the crypto space and is an excellent resource if you're interested in this field. Discussions about extending CodeArena's scope to website audits are also ongoing.", "Question: How can I join the Rekt group on Telegram and what is its significance?\n\nAnswer: Rekt is a recommended blockchain security group which you can join on Telegram. You can access this group using the following link: https://t.me/Rekt_HQ. 
In this group, you'll find discussions related to blockchain security, audits of smart contracts, and also receive updates on incidents in the blockchain space. For instance, there was a hacking incident reported on the Ronin Bridge that was discussed in this group. More information about this incident can be found at https://rekt.news/ronin-rekt/. Rekt also provides informative articles about various protocols like the one for TempleDao available here: https://rekt.news/templedao-rekt/. Joining the group will help you stay updated with the latest happenings in the blockchain security industry.", "Question: How can I alter my profile details such as avatar and Twitter link on CodeArena?\n\nAnswer: To change your profile details such as your avatar or to add a Twitter link to your CodeArena profile, you need to submit a help desk request. This can be done by visiting https://code4rena.com/help. Please provide relevant details like your Twitter username or a link to your preferred avatar picture in the request. Once your request is received, it is typically addressed within a week. For wardens looking to add their socials, bio, and avatar when joining, a suggestion was made to create a GitHub form. This process can also be used to change your Twitter username on the Code4rena leaderboard. All changes, including username changes and Twitter profile linkage, are subject to approval. If you are a certified user, you may have additional options for profile editing.", "Question: What happens to a finding that is disputed by the sponsor as \"won't fix\", but is considered valid in CodeArena's audit process? \n\nAnswer: A valid finding in the CodeArena's audit process will get rewarded even if it is disputed by the sponsor as \"won't fix\". This is because rewards in the audit process are not solely dependent on the sponsor's mitigation actions. The judges and the severity of the identified issue also play a critical role in determining the reward. 
For instance, if a participant points out a judge-approved bug or logic flaw, it's considered an achievement and will be rewarded accordingly. \n\nIf a team submits a non-duplicate finding, they get more rewards than if they had individually submitted the same finding. However, if the same issue is discovered by multiple wardens, the reward for that issue is split among them, with the best report typically receiving more money. \n\nIf a finding that was submitted as a high-risk issue is judged as a low risk, the submitter will still get rewarded, and vice versa. It's also important to note that non-critical findings, such as the presence of \"Open Todos\" or the \"use of Block.timestamp\", are not rewarded. \n\nFollowing the submission of a finding, feedback will be provided by a judge, especially if the submitted finding is marked as invalid. Participants can expect a follow-up after the submission. \n\nMore about the awarding process can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards.", "Question: How does CodeArena optimize its files to overcome the eip170 spurious dragon error, and how are gas optimizations handled by the platform?\n\nAnswer: CodeArena uses an automated process that consistently uncovers more bugs and gas optimizations in a quicker timeframe. For gas optimization, only those identified in the generated report are considered invalid, the rest are listed in the [C4 Common Issues](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md). \n\nGas optimization is a complex process and not all optimizations are valid when the optimizer is enabled. If you have any ideas on gas optimizations, it's recommended to write them separately and then merge them into one report. Understandably, there's been confusion about the validity of gas optimizations in certain situations, like when the optimizer is disabled. 
As such, participants are encouraged to ask for clarification on these matters.\n\nWhen submitting reports, it's recommended to report any gas optimizations separately and, importantly, medium and high severity findings should be each submitted as separate reports. Be aware, depending upon the judge, gas optimizations might not always be accepted, leading to discrepancies in the past.\n\nFor instance, there are known instances of queries about automated gas optimizations, specifically the one labeled 'Use assembly to check for address(0)'. It's also been asked if swapping the order of a function that first checks from storage, then checks the calldata, could optimize gas. \n\nFor further reference on gas optimizations, check out a recent CodeArena report: [CodeArena Gas Optimizations](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations). \n\nIn terms of overcoming the eip170 error, specific measures taken by CodeArena are not explicitly mentioned in the given observations. However, as a platform that audits smart contracts, it is highly likely that they employ best practices in contract design and adherence to Ethereum network rules to avoid such errors. For more specialized queries on specific projects, access may be limited, such as with the Nouns DAO protocol. \n\nRemember, \"More auditors, more findings\" is CodeArena's mantra, as mentioned by Quantstamp's Sebastian Banescu in this [talk](https://www.youtube.com/watch?v=O1rKwDv5kLQ). This means the platform consistently encourages a thorough audit process to ensure the highest quality in smart contract development and optimization.", "Question: How are findings managed at CodeArena, and how can wardens view, appeal, or modify their submitted findings?\n\nAnswer: When a warden submits findings, it is possible that some entries might not appear in the raw findings.csv file. 
This could be due to reasons such as the entry being marked as invalid, identified as a duplicate, or rejected for other reasons by the judge. Each entry in the findings.csv file, which can be found at [GitHub](https://github.com/code-423n4/code423n4.com/tree/main/_data/findings), is attributed a unique id at the discretion of the judges.\n\nWardens can review their findings by referring to the data folder in the findings repo where JSON files are named as [warden-handle]-[issue number]. These issue numbers can be used to look up the findings directly. \n\nIf a warden disagrees with the judge's decision, they can appeal. The appeal process is further detailed in a section of the CodeArena documentation at [CodeArena Docs](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision).\n\nTo view the findings and payouts, there is a file available at [GitHub](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv) which can be cross-referenced with the contest report. This report does not include wardens whose findings are not accepted. \n\nAll findings reports become public after the final contest report is published. However, Certified+ wardens can view the findings repo immediately after a contest ends. \n\nLastly, if a warden wants to modify or submit additional findings after an initial submission, they need to follow the set protocols outlined in the CodeArena documentation. However, this information can change, and it's advised to consult the relevant section of the documentation or direct questions to the judges or administrators.", "Question: How should we handle and report gas optimizations in view/pure functions, in context of smart contracts for CodeArena?\n\nAnswer: While it doesn't cost gas to directly call a view or pure function, it does cost gas when these functions are called from another smart contract or a non-view/non-pure function within the same contract. 
Therefore, it is important to optimize these functions, unless it is clearly stated that their use cases are strictly tied to direct calls.\n\nGas optimization discussions can be complex, often including topics like the use of public functions declared as external, swapping the order of functions, and the consideration of storage over memory. A notable point is the concept of function inlining that can lead to gas savings - the idea that \"internal functions only called once can be inlined to save gas\".\n\nWhen reporting gas optimizations, especially for contests, it is advised to compile all findings into a single report which should ideally include the estimated gas saved per finding. However, the necessity to specify gas savings for each optimization may depend on the judgement criteria.\n\nIt's crucial to note that some gas optimizations may not be valid when the optimizer is enabled. This can lead to misunderstandings about what should be reported. Therefore, it's important to clarify any confusion and ask for guidance when needed.\n\nAlso, remember to consider code simplifications that can affect gas usage, such as merging two for loops into one. Depending on the situation, such modifications can be categorized either as a QA report or a Gas optimization.\n\nFor a list of approved gas optimizations, you may refer to the following GitHub link: https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md. This link can serve as a useful guide on what types of gas optimizations have been accepted in the past.\n\nIn conclusion, while looking for gas optimizations in the contracts, it's important to understand and report them accurately. 
Even non-critical issues can be included in gas optimizations, and users are encouraged to clarify their doubts and submit their findings.", "Question: What is the certification process at CodeArena, and how does it affect my interactions on the Discord channel and the platform in general?\n\nAnswer: The certification process at CodeArena is a system whereby users can apply for a 'certified' role that allows them to participate more fully in auditing and other activities. Instructions on how to get this role can be found at our documentation: https://docs.code4rena.com/roles/certified-contributors. You can also initiate the process by applying through this link: https://code4rena.com/certified-contributor-application.\n\nOnce certified, you have the ability to edit your profile on Code4Arena. The certified status also can influence your interactions on the Discord channel, particularly when it comes to participating in discussions, reporting findings, and requesting re-evaluations. Certification status can be checked by clicking on your name within the Discord to see assigned roles, and also through email communication. \n\nPlease note, changes to your Discord username might affect your C4 authentication, so we recommend reaching out to the team if you plan on updating your username. If you experience any issues with the certification process or any other related matter, please use the help desk form to contact the organization or reach out for clarification via the contest channel in Discord.\n\nAlso, it's worth mentioning that certification from other organizations, such as ProvenanceDAO, might grant you a certification+ status after participating in multiple contests. Please be aware that the process for this might take time and if you have concerns, feel free to raise them in the appropriate Discord channels. 
\n\nIn addition to this, if you are interested in furthering your knowledge in smart contract security, there are resources available, and you can consult with project team members who are listed in specific discord channels. \n\nFinally, it's important to stay safe online and avoid clicking on any suspicious links to protect your account from being compromised.", "Question: How does CodeArena consider team participants when assessing leaderboard ranks for RSVP certified job selections?\n\nAnswer: CodeArena does take teams into account while comparing leaderboard ranks for selecting members for RSVP certified jobs. In order for a team to be eligible, each individual team member needs to be certified. Notably, an individual's name can appear twice on the leaderboard; once individually and once as part of their team. The leaderboard ranking, which can be viewed at https://code423n4.com/leaderboard/, is influenced by both current contest results and overall participation. \n\nRSVPs for invitation contests are filled based on sponsor request and the 90-day leaderboard ranking of those who RSVP'ed. A high-ranking on the leaderboard can enhance a certified warden's chance to qualify for private contests. However, private audit contests are not strictly open to only top-ranking wardens. The specific eligibility criteria for each opportunity are listed in the #\ud83d\udd96rsvp-certified channel. \n\nPlease note that there have been discussions about making the criteria for certification more stringent such as achieving a high finding or being in the Top 3 in at least 3 contests. There have also been concerns raised that the leaderboard might not accurately reflect a user's accomplishments, with the potential that contest results might not be counted for the full duration. 
It's important to stay updated on any changes directly from CodeArena.", "Question: Is it possible for a finding to be downgraded to QA in CodeArena's auditing process, and if so, under what conditions does this occur?\n\nAnswer: Yes, findings can indeed be downgraded to QA in CodeArena's auditing process. This typically happens when an issue, initially classified as high or medium (H/M), is assessed to have a low or non-critical (NC) impact on the contract's functionality. \n\nFindings that could potentially be downgraded include those with discrepancies between documentation and code, obsolete code, or front-running possibilities depending on the impact. In such cases, the judges have the authority to downgrade the findings to QA and evaluate them alongside your QA report during grading. If a QA report includes a low/non-critical issue that also reduces gas, it should be categorized under QA with a mention of the gas savings. It's worth noting that the grading of QA reports is based on the number of low findings rather than their severity. Therefore, if two reports have similar grades, they will receive the same reward irrespective of the number of low findings.\n\nHowever, findings can also be upgraded depending on their severity and potential exploitability. For instance, if a finding initially classified as low risk in QA is confirmed as medium risk by other wardens, the judge can upgrade it automatically. However, this upgrade would require an understanding and demonstration of how the issue could be exploited. \n\nIf a contestant has doubts about whether a finding is QA or Medium, it should be filed as QA unless a proof of concept (POC) is coded. Similarly, if an issue is evaluated as low and included in a QA report but is judged as medium, the contestant will still be rewarded unless it's downgraded to grade-c.\n\nIncorrect findings in a QA report can negatively affect the QA grade, so it's crucial to ensure the accuracy of all reported findings. 
For further details on the grading and rewarding process, you can refer to the following links: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). ", "Question: Can we optimize smart contracts to reduce gas costs, not only for protocol contracts but also other contracts and non-view/non-pure functions? \n\nAnswer: Absolutely, optimizing smart contracts to reduce gas costs can be applied not only for protocol contracts, but also for other contracts and non-view/non-pure functions. This can be achieved through multiple strategies. \n\nFor instance, function inlining can be used to save gas in smart contracts. This strategy is especially beneficial when internal functions are only called once. In such cases, inlining the function can result in gas savings. \n\nAnother strategy is to avoid initializing default variables to 0 in Solidity, as it uses unnecessary gas. Solidity stores state variables in 32 bytes storage slots, and packing variables into fewer slots can also reduce gas costs. You can refer to this document for more details: https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html.\n\nLoop optimization can also lead to significant gas savings. For example, excluding the increment (++i) in a for loop or using the 'unchecked' command in loops can reduce gas costs. \n\nIn some cases, swapping the order of a function that first checks from storage, then checks the calldata could optimize the gas. It's also worth noting that immutable variables can sometimes cost less gas than constants.\n\nCustom errors used judiciously can also improve gas efficiency when compared to require statements with a string in Solidity smart contracts.\n\nWhen making submissions of gas optimizations, it is helpful to quantify the gas savings from your changes. 
In some cases, the judge may require you to specify how much gas is being saved for each optimization.\n\nFinally, while code simplification such as combining two for loops into one can be seen as a Quality Assurance practice, it can also result in gas savings and therefore falls under gas optimization.\n\nPlease refer to this recent CodeArena report for real-world examples of gas optimization: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations.", "**Question**: How are duplicate findings handled by CodeArena, and will it affect my submission if I submit similar findings or if a finding has the same root cause?\n\n**Answer**: CodeArena handles duplicate findings by reducing the value of a finding when multiple identical findings are submitted during the open submission period. A submission is considered a duplicate not necessarily because it was not the first, but because another similar report was chosen for publication in the report. If the root cause of a finding is the same, these will typically be accounted as duplicates of each other.\n\nHowever, if the same vulnerability is found in multiple different components of the codebase, it might be treated as separate findings, but this is ultimately the judge's call. The judges also have the discretion on the attribution of the findings ids in the findings.csv file. You can check [here](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434) for information about duplicate reports. \n\nIf your finding is marked as a duplicate, it might affect your payout. However, a solo finding, in the absence of duplicates, secures all the share of that finding. For more information on the judging criteria for duplicate submissions, you can refer [here](https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions). 
\n\nIt is also possible to cancel a submission and create another one, by withdrawing the findings under the \"your findings\" on the contest page.\n\nIf you encounter a situation where there is a missing entry, it could mean one entry was judged as invalid or it was judged as a duplicate of one of the other findings. If an issue is labeled as \"sponsor-disputed\" but there is no explanation provided, you can check for duplicates and ask the judge after judging. \n\nRemember, when you submit your findings, it's advised to make a strong case to the judge in your submission, especially if you believe a high-risk finding should be considered. High-risk findings consideration will depend on the specific contest and the judge's discretion. \n\nRemember to be thorough and clear in your submissions. Citing similar findings from other contests to justify the severity and validity within your submission is allowed, but judges will consider the entire context when judging. Also, you are allowed to submit additional findings even after an initial low-risk finding was submitted. You will receive feedback from a judge if a submitted finding is marked as invalid.", "Question: How can we optimize gas usage in smart contracts, particularly in view/pure functions and what resources can we use to aid in these optimizations?\n\nAnswer: Yes, view/pure functions can be optimized to reduce gas costs not only for other contracts but also for non-view/non-pure functions in the same contract. Many factors can affect the gas usage in a contract, such as the order of function checks, use of public functions declared as external, and the choice between immutable and constants. \n\nA useful optimization technique is function inlining, which can save gas when internal functions are only called once. Another recommendation is the use of the 'unchecked' command in loops to further optimize for gas. Also, excluding the increment (++i) in a for loop can significantly reduce gas costs. 
In addition, packing variables into fewer slots could reduce gas costs as Solidity stores state variables in 32 bytes storage slots (https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html). \n\nGas optimization should be considered throughout the contract, but for variables, it is recommended not to initialize default ones to 0. It's also worth considering the gas efficiency of custom errors versus require statements with a string in Solidity smart contracts.\n\nYou can refer to CodeArena's past reports for examples of gas optimization, such as this recent one: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations. The repository https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md contains various gas optimization techniques. \n\nKeep in mind that it's always beneficial to include gas savings from refactored code in your submissions. If you are compiling multiple gas optimization ideas, they can be written separately and then merged into one report. You may even win an award for contract-size and gas optimization!\n\nRemember that the process might involve some trial and error, and you can always ask for clarification in our community if you are unsure of certain optimizations.", "Q: How can I manage my wallet, including whitelisting, changing address, and addressing security concerns on Code4Arena?\n\nA: To manage your wallet on Code4Arena, there are several aspects you need to consider. \n\nFirstly, to get your wallet whitelisted, you would need to register as a warden. This can be done from your account dashboard. If you encounter any issues during the process or if you have already registered and your wallet is not whitelisted, you can submit a help desk request at https://code4rena.com/help. 
\n\nIf you need to change your wallet address due to security concerns or other reasons, please note that it's a complex process and should only be done if extremely necessary, such as when your old wallet is hacked. The procedure to do this can be found at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address. After changing your wallet address, you can create a help desk request if you logged in via the same wallet.\n\nIn case your wallet is hacked, you are advised to use a new wallet to prevent further attacks and reach out to staff via a help desk request for assistance. If you lose the seed phrase from your wallet, you can follow the steps mentioned here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked. \n\nPlease note that there are two types of wallets on Code4Arena - a login wallet and a payment wallet. The login wallet is set up when creating the account, and the payment wallet can be updated in the profile. Remember that logging in with a wallet is not required to participate in contests; only a payment wallet is needed.\n\nFor any additional queries related to warden registration, changing the wallet attached to your account, and other related concerns, you can visit https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting. If you can't find answers to your questions there, please submit a help request at https://code4rena.com/help.", "Question: How does the review process work for submitted findings in a contest, and how can I access and modify my submissions?\n\nAnswer: The review process for findings starts immediately after the contest ends. It consists of a sponsor review, a judge review, a sponsor confirmation, the judge's final report, and the announcement of the results. 
You will receive feedback from a judge if a finding is marked as invalid.\n\nYou can track the status of your report and see and edit your findings in the \"Findings\" tab next to the contest description. To edit your findings, navigate to the contest page and click on the 'your finding' button. If you need to withdraw a finding, it can also be done under \"your findings\" on the contest page. However, please note that it is only possible to edit or withdraw findings until the contest ends. Once a finding is submitted, check for a confirmation email to ensure your submission was successful.\n\nYou can expect follow-ups after submitting findings. However, not all findings may make it to the final report, and the reasons might not be immediately known. If you want to check why certain findings were not accepted, you must wait until the reports are published, which can take at least a month. Specific feedback on rejected findings can be found after the contest, allowing for continued learning. \n\nFor those findings that have been classified as invalid but you believe are valid, there is an appeal process in place. You can find more information about this process in a section of their documentation at this link: [https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision)\n\nPlease note that not all reports or findings are guaranteed a reward. Reports are graded and must meet quality standards to be considered valid and satisfactory. Whether high-risk findings are considered depends on the specific contest and the judge. 
It is recommended that if you believe a high-risk finding should be considered, you should make a case to the judge in your submission.", "Question: How can I verify my registration and submission status on Code4Arena?\n\nAnswer: After registering on Code4Arena, you can verify your registration by clicking on your name to see assigned roles. You may also receive an email communication to confirm your registration. If you can't find your username on the list during the registration process, be assured this issue is being investigated. If you wish to change your name, you may need to re-register. Remember, registration is mandatory for submission of any kind. \n\nTo check your submission or report status, look for a confirmation email or use the help form at https://code4rena.com/help. All your reports submitted during the competition can also be checked at https://code4rena.com/reports. You can verify the success of your report submission by looking out for an email and the ability to edit submitted findings. For first-time submitters who encounter an error, you can verify submission success by checking for an email confirmation or through the \"View Context\" function.\n\nParticipants are also allowed to track their past reports and confirm the receipt of their issues. If you forget your registration wallet address, you can seek help at https://code4rena.com/help. If you wish to become an auditor, instructions for registration can be found at https://docs.code4rena.com/roles/wardens. To register a team, you can refer to https://docs.code4rena.com/roles/wardens#registering-a-team.\n\nIn case you face a missing permission issue, ensure to register as a warden. For any other inquiries about auditing projects, they can be made online. 
Be sure to check your spam mail for any verification communication from Code4Arena.", "Question: I've accidentally submitted two QA reports for a single contest, is there a way to delete or edit one of these submissions while the contest is still ongoing?\n\nAnswer: Yes, you are able to manage your QA report submissions in an ongoing contest. You can choose to edit or withdraw one of your submissions if it was made in error. To do this, navigate to the individual contest page and click on the 'Your Findings' button. Here, you'll find the option to edit your reports. If you wish to retract a submission, replace the contents of the report with 'withdrawn' and it will be invalidated. \n\nIf you find another error after making a submission, or if you want to update your submission for any reason (e.g. to increase the severity of a submitted bug), you can edit your existing submission as long as the contest has not ended. Note that you can only submit one Gas Optimization report per contest, but you can add more findings to the report with the same method described above.\n\nIn case you encounter any issue or need further assistance, we recommend submitting a helpdesk ticket detailing your situation at https://code4rena.com/help/. Please be advised that submissions can only be edited or retracted while the contest is still active, and once the contest has concluded, the findings can no longer be altered.\n\nRemember, you can also view your own and others' submissions, including any rejected findings and the reasoning, after the contest concludes. However, the process for removing an incorrect submission and making a new one, or for altering the severity of a bug, might be different after the contest concludes, and you might need to contact one of the judges or submit a request through our help page. 
\n\nPlease refer to the CodeArena documentation for a more detailed overview of the submission process and to find answers to other common questions.", "Question: How can I obtain ARENA tokens, and what is the contract address?\n\nAnswer: The ARENA tokens can be acquired using the contract address 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222. The ARENA token is a minimum-viable-governance token that provides sovereignty over the DAO treasury. However, please note that the ARENA token does not have substantial volume and thus isn't listed on CoinGecko. Also, there is no staking system for the ARENA token. Be aware of phishing scams involving links to purchase ARENA tokens from unreliable sources like invst.icu. For more information about the ARENA token and its governance, you can check the DAO constitution here: https://github.com/code-423n4/org/blob/main/CONSTITUTION.md.", "Question: How can I use the help desk service at CodeArena for assistance or to report issues?\n\nAnswer: CodeArena has a dedicated help desk system in place for handling user queries, issues, and assistance needs. Whenever you have an issue, require assistance, or wish to report a concern, you can submit a help desk request at this link: https://code4rena.com/help. This includes issues such as problems with your status, unresolved matters, or difficulties encountered during the analysis submission process. \n\nIf your team meets certain requirements based on audits with published results, you are encouraged to create a help desk request. This is also applicable if you have issues with changes to a team, need to modify a team, or are having trouble adding new members.\n\nThe process of submission includes a confirmation that your request has been received and is typically fulfilled in a timely manner. 
If your query or concern potentially exceeds the character count for regular submissions such as QA reports, or if you believe it's a security risk to make issue contents public, you can also use the help desk. \n\nYou can also apply for a backstage role or make private inquiries to a member of the code4rena team through a help desk request, provided you meet the qualifications based on published contest results. In all cases, please outline the issue or request clearly in your submission.", "Q: How do I calculate the optimal amount of tokens to buy for maximum profit in arbitrage opportunities, considering factors like price impacts and transaction costs? \n\nA: Calculating the optimal amount of tokens to buy when identifying an arbitrage opportunity largely depends on the pricing formula of your chosen Automated Market Maker (AMM), such as Uniswap. Here's a detailed explanation:\n\n1. Identify how much of token B you would get by inputting an amount of token A when doing the swap A -> \u2026 -> B. You can get this through the getAmountsOut function of the UNI-v2 router.\n\n2. Determine how much of token A you would return by inputting the amount of token B from step 1, when doing the swap B -> \u2026 -> A. \n\nAt this point, you have established the arbitrage opportunity. The next step is to optimize the amount of token A to input, to maximize profits considering price impacts and transaction costs.\n\nYou can apply a formula such as dx = -x + sqrt(x * y / a) to find the optimal dx, which is the token A amount you input. Here, x and y are the initial amounts (reserves) of tokens A and B respectively. 
This formula doesn't factor in protocol fees, which could impact your final profits.\n\nKeep in mind the following:\n\n- Not all tokens are fee-on-transfer, but for those that are, a small fee is removed from every transfer, which can result in the received amount being less than the sent amount.\n \n- The use of a DEX aggregator like [1inch](https://app.1inch.io) could help minimize transaction costs when swapping ERC tokens.\n\n- If you're dealing with complex formulas, it may be advisable to involve a professional mathematician to help with the audit.\n\nRemember, while the potential profits from arbitrage can be significant, they're not without risk. The market is highly unpredictable, and the dynamics can change rapidly. Always trade responsibly.", "Question: How do I calculate the optimal amount of a particular token to buy in order to maximize potential profits from arbitrage opportunities, specifically in a Uniswap-like scenario, and what impact do protocol fees have on these profits?\n\nAnswer: Calculating the optimal amount of tokens to buy in arbitrage opportunities typically involves using the Automated Market Maker's (AMM) price formula and considering factors such as price impacts and transaction costs. This calculation can be complex, but a generalized formula has been provided:\n\ndx = -x + sqrt(x * y / a)\n\nIn the formula, 'x' is the initial amount (reserve) of tokenA, 'y' is the initial amount (reserve) of tokenB, 'dx' is the tokenA amount you input, and 'dy' is the tokenB amount you receive. You input enough 'dx' to lower the (y - dy) / (x + dx) ratio to the fair market value. \n\nHowever, this formula does not account for protocol fees, which can reduce profits. Different platforms may have different formulas for these fees. For instance, PancakeSwap V2 uses 8/25 of the growth in the square root of K as its protocol fee, while Uniswap V2 uses a 5 basis point (0.05%) protocol fee. 
\n\nAdditionally, it's important to note that the terms \"input\" and \"output\" in the context of Uniswap methods refer to tokens being transferred into a contract (input) and tokens being received from a contract (output). \n\nYou might also want to consider using a DEX aggregator like 1inch for swapping ERC tokens, which typically offers a lower fee of 0.05%. \n\nFor more detailed information on the Uniswap price formula and methods, refer to their documentation at [https://docs.uniswap.org/protocol/V1/reference/exchange](https://docs.uniswap.org/protocol/V1/reference/exchange).\n\nFor details on PancakeSwap V2's protocol fees, you can look at the code at [https://bscscan.com/address/0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73#code](https://bscscan.com/address/0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73#code).\n\nKeep in mind that all these operations could involve gas costs and could also be subject to precision loss. It's advisable to run through the numbers carefully and consider potential discrepancies.", "Question: How can I calculate the optimal amount of tokens to purchase to maximize my profit from arbitrage opportunities?\n\nAnswer: Maximizing profit from arbitrage opportunities requires an understanding of the Automated Market Maker's (AMM) price formula. These formulas can vary significantly across different AMMs, but in a Uniswap-like scenario, the formula to calculate the optimal amount of token A to input (dx) would be dx = -x + sqrt(x * y / a). \n\nIn this formula, 'x' and 'y' represent the initial amounts (reserves) of tokens A and B respectively, while 'a' represents the fair market value. 'dx' is the token A amount you choose to input, and 'dy' would be the token B amount you would receive. It is important to note that this formula does not account for protocol fees, which could potentially reduce your profit. 
\n\nWhen considering arbitrage opportunities across multiple tokens (A -> B1 -> B2 -> A), the calculation becomes more complex and a generalized formula may not exist. It's crucial to take into account price impacts and transaction costs, including gas costs, which can significantly impact potential profits.\n\nFor more complex calculations, professional assistance may be needed, particularly for smart contract projects with intricate formulas. Moreover, platforms like https://app.1inch.io, a DEX aggregator, can help find the cheapest way to swap ERC tokens. Remember, the importance of gas savings can vary significantly from one project to another, thus the rewards for identifying gas optimizations can also differ widely.\n\nIt's also crucial to note that some tokens, known as fee-on-transfer tokens, remove a small fee from every transfer. This means the amount received by a contract might be less than the sent amount, which must be taken into consideration when calculating potential profits. \n\nIn conclusion, calculating the optimal amount of tokens to buy is a complex process that requires a deep understanding of AMM price formulas, token economics, and transaction costs.", "Question: How can I calculate the optimal value of tokens to swap for maximizing my profit in arbitrage opportunities, specifically in Uniswap-like scenarios?\n\nAnswer: To determine the optimal amount of tokens to swap in arbitrage opportunities, you'll need to focus on the Automated Market Maker's (AMM) price formula. This requires using a specific algorithm and taking into account price impacts and transaction costs. \n\nThe core algorithm for this process is derived from the UniswapV2 swap formula and is explained through a series of mathematical formulae. It involves solving for the amount of token A, termed 'dx', that you need to input, and the amount of token B, termed 'dy', you receive. 
The aim is to input just enough of token A such that the ratio of token B to token A is lowered to the fair market value.\n\nHere's an example of how you could calculate the optimal amount of token A to input to lower the token B / token A ratio to the fair market value. The formula for finding the optimal dx is given as dx = -x + sqrt(x * y / a). In this formula, x and y represent the initial amounts (reserves) of tokens A and B respectively. This formula does not take into account protocol fees which could potentially reduce the profit.\n\nFor more practical scenarios, you may also want to consider arbitrage opportunities across multiple tokens e.g., A -> B1 -> B2 -> A. However, a generalized formula for such situations is not readily provided and you would need to derive it yourself.\n\nKeep in mind that the cheapest way to swap ERC tokens is by using a DEX aggregator like [1inch](https://app.1inch.io). Also, always consider gas optimization and potential transaction fees, like the fee Metamask charges for token swaps, when calculating your expected profit.\n\nYou should also be wary of malicious tokens, and always ensure that the tokens you are dealing with are safe. You can do this by inspecting the code of the token on sites like [Etherscan](https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95).\n\nLastly, to further deepen your understanding, check out this recent [CodeArena report](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations). The report provides valuable insights into practical scenarios of token swapping and arbitrage.", "Question: \nHow do I calculate the optimal amount of tokens for multiple token swap arbitrage opportunities, like A -> B1 -> B2 -> A, in an Automated Market Maker (AMM) setting?\n\nAnswer: \nCalculating the optimal amount of tokens for multi-token swap arbitrage is quite complex and requires a deep understanding of the AMM price formula and the specifics of the swap functions used. 
The \"input\" refers to the tokens that are transferred into a contract, and the \"output\" refers to the tokens that are received from a contract. When we consider a Uniswap-like scenario, for example, the formula for calculating the optimal amount of token A to input (dx) is given as dx = -x + sqrt(x * y / a), where x and y are the initial amounts (reserves) of tokens A and B respectively. \n\nPlease note that this formula does not account for protocol fees, which could potentially reduce the arbitrage profit. It is also important to remember that the calculated optimal amount refers to the first input amount that yields the maximum difference between the last output amount and the first input amount.\n\nFor a more detailed explanation and practical application of these calculations, you would need to refer to the official Uniswap documentation, found here: [https://docs.uniswap.org/protocol/V1/reference/exchange](https://docs.uniswap.org/protocol/V1/reference/exchange). \n\nPlease note that this methodology might vary based on the specific details of the AMM and the arbitrage opportunity in question. Also, consider the impact of transaction costs and always ensure to optimize your gas usage. Lastly, remember to be aware of potentially malicious tokens and the risks associated with arbitrage strategies. \n\nAlthough we've provided a basic formula, it's recommended to derive a more generalized formula that caters to your specific arbitrage requirements. This would mean creating a formula that extends beyond two token pairs to n pairs, taking into account all the variables and nuances of each swap function. \n\nDisclaimer: This information is intended to be used for educational purposes only, and is not financial advice. 
Always do your own research and consider the risks before engaging in any trading activity.", "Q: Why does it take a considerable amount of time to receive payment after a contest report has been issued?\n\nA: The time taken to receive payment after a contest report is a result of a multi-stage process that involves many factors. Once a contest concludes, the submitted findings go through an intensive review and triage phase. This review process typically takes between 3-6 weeks on average, varying based on the specific contest and the number of reports under review concurrently. \n\nThe audit reports for contests are only published after various stages have been completed, including contest finish, sponsor reviews, judging, and awarding. This process can take anywhere from 2 weeks to over 6 weeks. In certain instances, your report may not immediately appear on the C4 site even after the leaderboard and rewards have been announced. We recommend waiting until the full public report is published before conducting a write-up of an identified issue or bug. \n\nOnce the awards have been announced, the payment process begins. This is manually executed in batches for multiple contests at once, typically within 1-2 business weeks from the announcement. We follow this manual process to ensure each step is done correctly and securely. However, the timeline may extend due to factors beyond our control such as those involving the contest sponsors or unforeseen delays in the review process. \n\nSo, while we understand the eagerness to receive payment after a contest, please bear with us as we navigate this complex process. We strive to ensure that every participant receives their due reward in the most secure and efficient manner possible.", "Question: Can you elaborate on the requirements to qualify for a backstage role at CodeArena, and when and how can I apply for it?\n\nAnswer: To qualify for the backstage role at CodeArena, you need to meet certain criteria. 
You must be a certified contributor, which means you have completed the KYC process and can participate in private contests. In addition to being certified, you must also have participated in at least 3 contests and meet one of the following standards: 1 high severity finding, 3 medium severity findings, a QA report with a score of >85, or a Gas report with a score of >85. \n\nIt's important to note that these criteria are considered satisfied when the awards are announced and they are added to the leaderboard. This means that backstage access is granted based on the certified contributor role, the number of findings, and participation in contests. However, backstage access doesn't grant you access to every contest, but it does grant you access to the contest repo post-closure and pre-public report release. It's broader than just where the wardens have submitted issues. \n\nTo apply for the backstage role, you can submit a help desk request once the contest results are published to the leaderboard, which usually happens shortly after the awards are announced. However, please note that the applications for backstage access are currently suspended until further notice. For more detailed information on the backstage role and its requirements, please refer to the CodeArena documentation here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Q: How can I qualify for a backstage role at CodeArena, and what benefits does it offer?\n\nA: To qualify for a backstage role at CodeArena, you need to meet certain criteria: \n\n1. Certified Contributor Role: You must be a certified contributor, which means you have completed KYC and can participate in private contests. \n\n2. Contest Participation: You need to have participated in at least three contests. \n\n3. Findings: You need to have at least one high severity finding, or three medium severity findings. 
If your team submits 3+ medium findings and they are accepted, all team members become eligible for the backstage role. \n\n4. Reports: You should have at least one QA report or Gas report with a score of over 85, or you could have at least three top finishes in either the QA or gas report from past contests.\n\nOnce you meet these requirements, you can apply for backstage access as soon as the contest results are published on the leaderboard, which typically occurs shortly after the awards are announced. \n\nThe backstage role offers several benefits. You receive access to the contest repository post-closure and pre-public report release, allowing you to view and discuss grading before the rewards are announced. You can also view reports of past contests, and get access to findings to help with triaging after the contests end. \n\nFor more information about the backstage role and its benefits, visit: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. If you meet the qualifications based on published contest results, you can submit a request to join the backstage at: https://code4rena.com/help.", "Question:\nCan you provide information regarding the timeline and process for the announcement, calculation, and distribution of awards at CodeArena?\n\nAnswer:\nAt CodeArena, the awarding process is divided into several stages. Once a contest is completed and fully judged, the awards are calculated and typically announced within 1-2 weeks. The award calculation process is currently undergoing improvements, which may affect the timeline. The specifics of the awards, including the \"Audit Summary Awards\", are typically shared before the start of the contest and the list of awards can be found in our announcement channel.\n\nThe distribution of the awards happens after the announcement and is usually done manually in batches for several contests at once, typically within the same week of the announcement. 
However, due to the need for double-checking at each step for accuracy and security, it could take up to two weeks for the awards to be paid out. In the future, there are plans to distribute awards via smart contracts, but the necessary components for this are still being put in place.\n\nAs for the leaderboard, it gets updated every time awards are announced, although not all contest types are currently supported. Participants should also note that the awards for each contest are announced separately from the disbursement of funds. \n\nLastly, there is an ongoing discussion about the implementation of a method for distributing awards on a curve, which will be designed after observing the scoring of the initial contests. Also, updates on specific awards such as the LPT and INS are expected in the upcoming week. For more detailed information, please keep an eye on the announcements channel and join our Monday meetings when possible.", "Question: What happens if a judge experiences a delay in judging a contest, and are there any penalties involved due to this delay?\n \nAnswer: At CodeArena, we understand that our judges have other full-time commitments, and sometimes contest judging might take longer due to a surge in submissions or other factors beyond their control, including the complexity of the protocol itself and potential delays from sponsors. If a judge cannot complete their work in a timely fashion, the contest is reassigned to another judge. However, there is no formal penalty for judges in case of delays. \n\nPlease note that judging is a complex process where the judge reviews the findings for their severity, validity, and quality. Once the judging is complete, contest payouts are sent and the results cannot be changed. \n\nSometimes, due to various factors including sponsor review and limited judge availability, there may be a backlog of contests leading to delays. 
We are actively working to address these issues and have even increased offers for judging compensation temporarily to clear out backlogged contests. \n\nThe timeline for contest results depends on the time taken for judging, and can sometimes take as long as six weeks. You can track the progress of contests in the \"Past Contest Status Updates\" section. \n\nRemember, you can't contact a judge directly while a contest is active as their identity is not revealed ahead of time. However, once the contest ends, you can ask for feedback to understand the reasoning behind the ruling and see what could be improved. \n\nFor more information about the judging process and payout timelines, please visit our process document at [https://docs.code4rena.com/structure/our-process](https://docs.code4rena.com/structure/our-process). \n\nKeep in mind that while delays can be frustrating, they are often a result of our commitment to ensuring a thorough and fair judging process. We appreciate your patience and understanding.", "Question: If a responsibility is assumed and it's not fulfilled within the stipulated timeline, for instance, over 5 months, is the responsible party still held accountable? \n\nAnswer: At CodeArena, we deal with varying timelines for different responsibilities, often in the context of smart contract audits. In general, if a responsibility has been assumed, it should be fulfilled within the agreed-upon timeline. However, there are instances where timelines can be extended, such as audit durations which may be extended to 5 weeks. \n\nIn situations where responsibilities are not met, for example, if a bug in the audit persists until the deadline, it is flagged for the development team to handle. Sponsors also play a part in contest delays and if they don't fulfill their duties, it makes the task of judging much harder. \n\nParticularly in the case of judging, if a judge cannot complete their work in a timely fashion, the contest is reassigned to another judge. 
Judging may take a lengthy period, with factors beyond the judge's control contributing to delays. This is similar to reward distribution after a competition, where reducing turnaround times is a high priority, but there may be worse-case scenarios where rewards could be expected two months after the end of the competition.\n\nIt is also worth noting that in the case of disputes with a project, the assumption is not always that the project is in default. The certification status from Provenance, for instance, is generally updated within 5 business days by the C4 team. All these factors contribute to the understanding that while timelines are important, there are factors that may cause delays.\n\nIt is always advisable to stay in communication with all parties involved to manage timelines and expectations properly. For more details, please refer to the discussions in our Discord chatroom (include Link).", "Question: What factors contribute to the delay in judging of contests and what roles do the judge and sponsor play in such situations?\n\nAnswer: A number of factors can contribute to delays in judging contests. Sponsors have a crucial role in the process as they need to review the findings and decide on their severity, validity, and quality. If sponsors don't fulfill their duties effectively, it puts an additional burden on the judges as they then have to identify duplicate submissions, resulting in a slower review process. \n\nThe increase in the number of contest submissions can lead to increased workloads for judges, potentially causing delays. The time taken for sponsor reviews and judging can vary, sometimes taking as long as six weeks. \n\nIt is important to note that some contest delays are attributed to factors related to the protocol itself, and not the judge. If a judge cannot complete their work in a timely fashion, the contest is reassigned to another judge. 
However, it's worth noting that most judges have full-time jobs and other commitments alongside their judging responsibilities at CodeArena, which can affect the timeline. \n\nParticipants can proactively ask judges for feedback about issues to understand the reasoning behind the ruling and to see what could be improved. If there's a dispute over issues, such as when a participant has findings but the judge and sponsor disagree with their proposed mitigation, it's ultimately the sponsor's decision on the mitigation part. \n\nThe decision to ignore an issue, determine which reports get featured in the client report, reward severity escalations in a contest report, or consider a bug that impacts another contract, is up to the judge. The decision process of judges is typically based on their expertise and reputation, and their decisions on a bounty are shared after the contest concludes.\n\nOverall, the duration for contest results to be published depends on how long the judging takes and the efficiency of the sponsor review process. It is a complex procedure and delays can occur due to various factors beyond the control of the judges and sponsors.", "Q: How are QA and Gas reports graded, managed and submitted in CodeArena contests?\n\nA: QA and Gas reports are graded on a scale of 0 to 100 based on both the quality and quantity of the issues submitted. Participants are required to submit one consolidated Quality Assurance (QA) report and one consolidated Gas report per contest, grouping all relevant issues together. The number of issues reported does not necessarily determine the grade \u2013 for instance, a report could have one significant issue and be graded B, or have multiple low-impact issues and still be graded C. High severity issues require more detailed reports than QA and Gas Optimization reports. \n\nThe best or most comprehensive QA/Gas reports are accepted, and duplicates are disregarded. 
If you need to add more findings to an existing report, you can do so by going to the contest page and clicking the 'Your Findings' button. There are restrictions on submitting more than one report of gas optimization in a contest. If a report exceeds the character limit on the submission form, you can submit a placeholder and send an email with the full report. \n\nThe sharing system for QA/GAS reports is structured such that Grade A reports count as 2 shares, Grade B as 1, and the best report receives a 30% bonus. It's also worth noting that when entering a contest, participants do not have to submit all reports for high, medium, QA, and gas optimization - they can submit what they find.\n\nFor more information on grading criteria and report submissions, please refer to the following links:\n\n- Judging Criteria: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n- Incentive Model and Awards: [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n- Examples of Top Reports: [https://code4rena.com/reports](https://code4rena.com/reports)\n- Warden Submission Policy: [https://docs.code4rena.com/roles/wardens/submission-policy#report-format](https://docs.code4rena.com/roles/wardens/submission-policy#report-format)\n- QA/Gas Report FAQs: [https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form)", "Question: How can I effectively participate in CodeArena's contests with QA and Gas issues reports?\n\nAnswer: As a participant in CodeArena's contests, you have the option to 
submit one Quality Assurance (QA) report and one Gas Optimisation report per contest. Ideally, you should group all related issues together in one comprehensive report. You can add more findings to an existing report by navigating to the contest page and clicking the 'Your Findings' button. \n\nYou should separate the Gas report from the QA report, and remember that you have the ability to edit existing findings even after submission. While you do not have to submit all reports for high, medium, QA, and gas optimization, you are encouraged to submit what you find relevant or noteworthy. \n\nIf your report exceeds the character limit in the submission form, you may submit a placeholder and send the complete report via email. You can find more details about this process at: [https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form).\n\nRemember that the details required for QA and Gas Optimization reports are not as comprehensive as for high severity issues. For an idea of what a top QA/Gas report looks like, you can check examples at [https://code4rena.com/reports](https://code4rena.com/reports). \n\nFinally, grading of QA and gas reports considers both the quantity and quality of the submissions, so ensure your reports are thorough and well-detailed. 
For more insight on this, refer to [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: How are the quality and quantity of findings in a report graded and ranked in CodeArena, and can both Alice and Bob achieve a high score if they submit different quantities in their reports?\n\nAnswer: In CodeArena, both the quality and quantity of findings in a report are taken into consideration for grading. Reports are graded on a scale between 0 and 100. The grading of reports is relative to other reports, meaning that the scores are influenced by the performance of other participants. \n\nA high-quality report often contains a high quantity of findings, but that's not the only factor judges take into consideration. For example, if Alice submits a report with 10 high-quality findings and Bob submits 20 findings of lesser quality, both could potentially score high, but Alice might receive a better score due to the quality of her findings. \n\nMoreover, a report's score may be lowered if it contains a few invalid issues, or if it's very similar to a bot report, in which case it may be further penalized. \n\nIt's also worth noting that a single item in a QA submission is unlikely to receive a high grade. A high quantity of findings is often necessary to achieve a high score, but this must be coupled with high quality. Grades are assigned for QA reports, with Grade A reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus. 
\n\nTo gain a better understanding of how reports are graded, participants are encouraged to compare their findings with winning reports found at https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues. \n\nFurthermore, if a submitted finding is evaluated as low and included in a QA report, but the judges determine that its severity should be upgraded to medium, it will be eligible for medium rewards as per https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.\n\nFor additional information on the criteria for judging reports, consult the following links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: Where and how can I view the grades on published reports, understand the grading system, and check the status of my submission?\n\nAnswer: Grades on published reports are assigned based on a relative score compared to other reports, ranging between 0 and 100. At the moment, grades are visible only to users with a backstage role. These can be found in the 'score' column in findings.csv in the code4rena site repo\u2019s _data folder. \n\nYou can understand more about the grading system and how to achieve a Grade-A report by visiting https://docs.code4rena.com/awarding/incentive-model-and-awards. 
An 'A' grade report is considered good, with Grade A reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus.\n\nParticipants can view their submissions, check the status of their report, and see the reasons for their rejection in the 'findings' tab next to the contest description. You can also see if your findings are edited. The results of the submission can be seen once the report is published, which can take from 2 to 6 weeks or longer. \n\nOnce the report is published and the findings repo is made public, you can also check your submissions at https://code4rena.com/reports. You will also receive an email notification regarding the status of your report. Please note that not all reports or findings are guaranteed a reward. Reports are graded and must meet quality standards to be considered valid and satisfactory. \n\nPlease keep in mind that reports on https://code4rena.com/reports are sorted by publication date.", "Q: How can I qualify for and apply for the backstage role at CodeArena?\n\nA: To qualify for a backstage role at CodeArena you need to meet certain criteria. This may include having a high severity finding, three medium severity findings, or a QA or Gas report with a score of over 85. Additionally, you should have participated in at least three contests and be a certified contributor. More details about the certification process can be found at https://docs.code4rena.com/roles/certified-contributors.\n\nOnce you meet these qualifications, you can apply for backstage access by submitting a help desk request. The link for the help desk request is https://code4rena.com/help. Please note that the time to apply is usually shortly after contest results are published on the leaderboard. This is also when your grades on published reports become visible. 
You can find these in the 'score' column in findings.csv in the code4rena site repo\u2019s _data folder.\n\nTo learn more about the backstage role and its requirements, visit this detailed guide: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. Please be aware that at times, applications for backstage access may be suspended. You will be notified once your application for backstage access has been reviewed.", "Question: Can you explain why the issues encountered during the Anchor contest were not communicated to the community in real-time?\n\nAnswer: At CodeArena, we highly value the privacy and interests of all participants, including our sponsors. We believe in fostering a constructive and non-blame oriented environment. As such, we have certain protocols in place. \n\nFirst, during the contest, findings remain private and are not immediately shared with the community or sponsors. The primary reason being, if vulnerabilities are exposed prematurely, sponsors could potentially exploit this information. It is only after a contest ends and the findings have been reviewed and triaged, that the information is made accessible to the sponsors and the community. \n\nSecond, there is a specific period after a contest closes during which the findings repo becomes public for discussion. This is to give our sponsors adequate time to address the issues discovered during the contest. We discourage contestants from discussing their findings publicly after a contest is over, even if the final report has not yet been published. This also allows participants whose submissions were not accepted to understand why, as they can review the report and see the discussion among sponsors and judges on the specific issue.\n\nLastly, while we strive to keep our contests and audits running smoothly, there can be unforeseen delays. For instance, the distribution of awards may be delayed due to slow sponsor review or other factors not visible to all participants. 
In such cases, we believe in focusing on improving the overall process for future contests rather than dwelling on the issues of a particular event. \n\nWe understand that clearer communication is needed regarding these processes and we will continue to work on enhancing transparency. Thank you for your understanding and patience.", "Question: Why aren't delays in the audit process communicated to the community earlier, especially when wardens start raising questions?\n\nAnswer: C4 understands the community's need for timely updates, especially in matters pertaining to audit timelines. However, there are instances in which the information available to us is not conclusive enough to provide a meaningful update. In such cases, our communication would be limited to \"we are still working on figuring this out\". Rest assured, C4 is committed to maintaining transparency and we make every effort to share important information as soon as it becomes available. This includes any delays or discrepancies that may arise during the audit process, in which case, we rely on our wardens for clarification and assistance.\n\nIn addition, wardens play a pivotal role in our audit process. They are involved in various activities including reviewing findings, submitting issues, and assisting in post-contest processes. Certified+ wardens, in particular, get earlier access to the findings repositories. They can also view the judging results before they are published and if they see issues, they can raise them to the judge for reconsideration. We also encourage new participants to review the findings of other wardens once the findings repository becomes public.\n\nWe understand that our community may have questions about the timeline for receiving KYC mail after submitting an application to become a certified warden, or about the timeline for Github organization invites to be sent to certified wardens. 
We would like to assure you that these are important aspects of our process that we aim to streamline and expedite as much as possible. Please feel free to raise any such concerns in our wardens channel on Discord. We appreciate your understanding and patience as we continue to work on improving our processes and mechanisms.", "Question: Can you provide more information about how and when the rewards are distributed after a contest has ended at CodeArena?\n\nAnswer: Sure, reward distribution at CodeArena is a process that does not occur immediately after the contest has finished or the reward computation has been announced. This is because we use multisignature (\"multisig\") wallets, which require signatures from multiple parties before funds can be released. The exact time frame for reward distribution is not specified, however, we aim to process and distribute multiple contest rewards by the end of a specified week, and they are likely to go out the following week. \n\nTherefore, there might be instances where your reward appears as pending even after the contest has ended. It's also important to note that the rewards for certain activities, such as the \"arcade reward\" and \"pool together reward,\" are expected to be distributed the following week. \n\nRewards for your findings could be paid partially or in full depending on numerous factors, including the severity of findings, whether the issues were duplicate, and total credits. As a participant, you could expect rewards even two months after the end of the competition, though this is a worse-case scenario and we are prioritizing reducing turnaround times. \n\nOnce the rewards are ready, they are sent out manually in batches for multiple contests at a time and are distributed to the user's registered wallet address. We usually announce updates regarding the distribution on our announcement channel, so keep an eye out for that. 
\n\nFor more specific information on how rewards are distributed in a contest where only one High and one Medium issue are found, you can refer to our documentation here: [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards). \n\nIf you have further questions about your reward or if you think there has been a mistake, it's best to submit a Help Desk request at [https://code4rena.com/help/](https://code4rena.com/help/) and someone will be able to assist you.", "Question: Can you explain how contests work at CodeArena, including the types of contests, requirements for participation and where to find contest results?\n\nAnswer: At CodeArena, we host a variety of contests aimed at auditing smart contracts. These contests can be broadly classified into two types: open contests, which anyone can participate in, and versus contests, which are invitational and opportunities are offered to wardens based on their rank in specific contests or during a recent window. \n\nParticipation in these contests is recommended to improve your skills and can also help you gain backstage access after participating in at least 3 contests. Some contests might require you to be certified for payouts if your submissions are awarded, and being certified generally grants access to more contests. \n\nContest results, including rejected findings and the reasons behind the rejection, can be found in the section where Contests are posted. You can also view cumulative results from previous contests on our leaderboard at https://code423n4.com/leaderboard/. \n\nSpecific inquiries regarding contest scope can be directed to the respective sponsor, and to submit your findings, you can use the form available on our website for each contest. \n\nIf your company is interested in running an audit contest, you can reach out to our team for a follow-up discussion. 
We are continuously hosting new contests and have a number of them lined up for the coming month, so keep an eye on our platforms for updates.\n\nRemember, participation in these contests not only provides an opportunity for learning and skill enhancement, but also contributes to improving the transparency and effectiveness of our community.", "Question: How can I use Direct Messages (DMs) to communicate, discuss issues, or ask for assistance on CodeArena Discord?\n\nAnswer: On our CodeArena Discord, DMs are an important means of communication for various reasons. If you have specific questions, are facing account issues, or want to discuss potential vulnerabilities, you can DM CodeArena staff members or even directly contact sponsor teams during a contest. This personal contact, however, should be used responsibly. For example, changing wallet addresses is a complex process, so you should only DM for this if it's extremely important, like in cases of a hacked old wallet. If you identify a potential vulnerability and have it confirmed by the sponsor via private DMs, it may still count when submitting it, but this would be subject to judgement. \n\nFor more general questions or for clarification, it's recommended to use the contest channel on Discord. Each contest has a specific channel where questions can be asked, allowing for broader participation and multiple insights. However, if you need to update your submissions or request for a submission to be withdrawn, you can do this by directly messaging the identified individuals or an administrator, respectively. \n\nPlease also use direct messaging for essential actions only, like reporting possible scams or raising requests for profile picture or Twitter link updates. For such requests, you might need to contact the help desk or specific individuals suggested in the chat. Also, it's possible to apply for certain roles (like backstage roles) through a help desk request. 
\n\nRemember to use the right channel for your inquiries. For questions around specific protocols like the Vader protocol or FairSide, or for matters related to collaboration and investment, your queries will be addressed privately. You can contact the streams' protocol team for clarification, or discuss potential issues with the sponsor while the contest is ongoing. \n\nLastly, if you come across a spammer or need to complete the KYC process, you can send help requests or directly contact the designated individuals. \n\nIn summary, DMs are a valuable tool on our Discord server but should be used thoughtfully and responsibly.", "Q: How should I make submissions at CodeArena, should I submit findings separately or make one big submission? What are the best practices, and should I follow different submission rules for gas and QA?\n\nA: At CodeArena, it is recommended to submit one big report for each issue type, gas and quality assurance (QA). When submitting bug findings, you should make separate submissions depending on the type and severity of the bugs found. If you are unsure whether to submit findings separately or as one, consider grouping similar submission issues together as judges and sponsors appreciate this approach. However, remember that awards are distributed based on individual issues, so multiple items in one submission count as one submission.\n\nIf you're part of a team, you can make submissions on behalf of your team or choose to submit solo findings whenever you want. The submission form allows you to select whether you're submitting as an individual or as a team member.\n\nWhen making submissions, especially large ones, if your QA/Gas report does not fit in a single submit request, it can be split into separate sends. 
Also, if you find a potential size limit while making a submission, you may submit larger reports by email and then place a placeholder in the original submission.\n\nThere are separate guidelines on what should be submitted for analysis awards, which you can refer to at [Analysis Guidelines](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118). And to understand the submission policy better, find more details at [Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy).\n\nPlease note that while you can submit issues as a team, the exact process of doing so is not yet clarified. Also, there's a concern among users about getting penalized for unsatisfactory submissions, so always aim for a high-quality submission, as it is considered when distributing bonuses. A higher quality submission may receive a larger bonus.\n\nLastly, it's worth noting that new submission mechanisms are being planned for future contests, and you're encouraged to keep an eye out for these updates.", "Question: How can I change my wallet address connected to my CodeArena account?\n\nAnswer: Yes, it's possible to change your wallet address connected to CodeArena. You can update your payment addresses from your C4 account screen, which can be accessed at https://code4rena.com/account. \n\nIf you need to change the wallet address where you receive awards, you can find more information on how to do this at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards. It's important to note that if your wallet is hacked and you change your payment address, you'll need to submit a help desk request for assistance at https://code4rena.com/help. \n\nAt present, the platform does not allow changes to the login wallet address. However, if you're using Metamask, you have the option to link multiple addresses. 
More information on this process can be found at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. \n\nIf you submitted a finding and need to update the wallet address used in that finding, you can do so after the finding has been submitted and before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. \n\nIt's worth mentioning that changing the wallet address to which tokens are received is a significant effort to manage and the information is not centrally stored. Also, be aware that the payment address of C4 appears to be fixed, as other values sent at the same time matched. \n\nFinally, please remember that the address of the C4 token is 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222.", "Question: Who has access to my submissions during and after the contest, and can I view or modify them?\n\nAnswer: Only the CodeArena team has access to submissions before a contest ends, ensuring a fair competition. Contestants have the ability to view and edit their submissions until the contest closure. After the contest ends, those with the +backstage role are granted access to the findings to aid in triaging, though applications for backstage access are currently suspended until further notice. \n\nSponsors generally do not have access to submissions until the contest ends, but they are given access to the findings repository either immediately after the contest is over or one week later with triaged and deduped issues. \n\nOnce a contest has ended and is in the judging process, users cannot view the status of their submission until the contest report is published and the repository is made public. This also allows contestants to understand why their submission was not accepted, as they can see the discussion among sponsors and judges on the specific issue. 
\n\nAfter the contest has ended, all participants' submissions are usually made available once the possible exploits have been patched and the findings repository is made public. Also, you can check all the reports you submitted during the competition, and will receive confirmation via email. \n\nThere are also plans for certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. \n\nAs per a new proposed policy, CodeArena is considering releasing all unverified submissions a few days after a contest ends for learning purposes. However, once a contest has ended, submissions for it cannot be amended. You can follow the discussion on this policy here: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123. \n\nPlease note that the company is continuously improving its submission mechanism and may have different rules for upcoming contests.", "Question: Is it required to provide recommended mitigation steps for medium or high severity reports if I believe there are none available?\n\nAnswer: While it is not strictly required to provide recommended mitigation steps in your medium or high severity report, it is highly beneficial to do so if possible. However, in cases where you believe that there are no feasible mitigation steps, you should still provide a detailed explanation as to why this is the case. This can add value to your report and help the judges understand your train of thought. If the severity of a report is deemed higher than your original assessment by the judges, it can be upgraded unless there are reasons to penalize it, such as lack of detail or accuracy. It's important to note that a medium/high severity report can still be valid even if it points out a vulnerability that is difficult to fix without making major changes to the protocol. 
Submissions based on automated tools must provide strong evidence to demonstrate a relevant high or medium severity exploit path. The criteria for judging such cases is explained at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). Finally, you can include both high severity and medium/low severity issues in the same report, but your main focus should be on the high severity issues.", "Q: I've initiated a team creation process a few days ago, but it doesn't seem to have gone through. Should I expect any pending notification or confirmation via email? \n\nA: When initiating the team creation process, it's important to remember that the process of approving a team for CodeArena contests can take up to a few business days. You should generally receive a confirmation email upon successful submission, but sometimes there might be delays or the email might land in your spam folder. In some cases, users have reported issues such as a blank page opening when selecting members or difficulty in adding members to their teams. If you encounter such issues, we recommend trying again on a different day or submitting a help desk request at https://code4rena.com/help. Remember that you can modify your team (add or remove members) after initial creation by submitting a request through our help desk. However, note that managing the same team name but with different team members for different contests can be challenging. When your team is successfully created and approved, you'll be able to log in and submit findings as a team. If the problem persists, please DM us the team name or PR link so we can assist you further.", "Question: How can I send a direct message (DM) to someone from CodeArena for help or to resolve an issue?\n\nAnswer: You can directly message any staff member at CodeArena for assistance with your queries. 
However, in some cases, you might not be able to send a DM due to certain privacy settings. In such scenarios, you can send a friend request to the CodeArena staff member, which upon acceptance will allow for direct communication. \n\nIf you encounter suspicious activity or face issues like scams in the direct messages, you can report it to our support team. You can also send questions related to specific projects like FairSide via DM. For account details like Twitter handle and profile picture updates, you can send a help desk request. For issues related to submissions, you can update them by direct messaging certain identified individuals. \n\nPlease note that there may be a delay in receiving responses to certain requests or applications. Also, remember that personal contact and direct messaging have been encouraged only for specific, professional reasons, and inappropriate use of this feature could result in warnings or other penalties. \n\nIf you are facing issues that you can't resolve via DM or help desk requests, please don't hesitate to reach out to our support team for further assistance.", "Question: If I discover the same vulnerability in different functions or parts of the smart contract codebase, how should I report this in CodeArena? Should I create separate reports for each occurrence, or can I consolidate them into a single report? \n\nAnswer: When you encounter the same vulnerability across separate functions in a smart contract, you can include all these instances in one report. However, it's important to note that while multiple instances of the same vulnerability can be reported as one issue, if the same vulnerability appears in different components of the codebase, it may potentially be considered as two separate findings, but this ultimately depends on the judge's call on whether they are duplicates or not. \n\nAlso, if you identify two different exploits from the same root cause, they are likely to be deemed as duplicates. 
But if you find two separate vulnerabilities that can be combined to create a more severe exploit, you can submit a third finding explaining the proof of concept. \n\nIt's not strictly necessary to write an exploit for medium severity bugs, but it's common to do so, especially considering that medium-risk vulnerabilities should ideally include test codes as Proof of Concepts when writing reports. \n\nWhen reporting vulnerabilities, especially those of medium and high severity, it's recommended to attach screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected code. \n\nRemember, the highest effort should be put into the high severity issues. If multiple participants report the same vulnerability but with different severities, they are given the same severity for award calculation.\n\nPlease refer this link for more detailed discussion on this matter: https://github.com/code-423n4/org/issues/8", "Question: Can you clarify the changes regarding the submission of QA and Gas reports for contests on CodeArena?\n\nAnswer: Absolutely. Each contest participant, referred to as a warden, is now required to submit at most one Quality Assurance (QA) report and one gas report for each contest. This restriction helps maintain order and reduces overlapping information for judges, sponsors, and Contest Administrators (CAs). \n\nThe QA report should group all quality-related issues together, while the Gas report should consist of all the gas-related findings. It is suggested to make one comprehensive report for each. If a participant has additional findings to be added after submitting, these can be added to the existing report by going to the contest page and clicking the 'Your Findings' button. 
Please note that you can use the template of a gas report from a previous contest, but it must be modified to fit the current contest.\n\nThe grading of these reports is based on judges' scores, considering both the quantity and quality of submissions. Single items in a QA submission are unlikely to receive high grades. Duplicates are disregarded, and the handling of downgraded issues, which need to be paired up with wardens\u2019 QA reports, remains a challenge.\n\nThe details and examples of top QA/Gas reports can be found [here](https://code4rena.com/reports), and more information about the submission policy and report format can be found [here](https://docs.code4rena.com/roles/wardens/submission-policy#report-format). If a submitted report exceeds the number of characters allowed in the submission form, wardens can submit a placeholder and send an email, as explained [here](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form).\n\nThese changes aim to promote fair competition and streamline the reporting process. While there are concerns that this approach may not drive the best efforts in QA/Gas reports, it is viewed as a more inclusive model, particularly for newcomers.", "Question: What are the guidelines and restrictions for submitting Quality Assurance (QA) and Gas reports in CodeArena's contests?\n\nAnswer: In CodeArena's contests, wardens are required to submit at most one combined QA report and one combined gas report. These reports should ideally consolidate all issues together, creating one comprehensive report for QA and one for gas optimizations. The QA and gas reports should be specialized and submitted separately. Medium and high severity findings should be each submitted as separate reports. \n\nThere are discussions about whether users can put all non-critical findings in one QA report or create one QA report for every finding. 
For smaller issues, they can be combined into a single report, but larger severity findings should be individual reports. If a report exceeds the character limit on the submission form, users may submit a placeholder and send in the complete report via email. \n\nQuality reports should focus on bugs and optimizations found in the smart contracts while gas reports should focus on gas optimization opportunities. If an issue is initially classified as low severity in the QA report but judges determine it to be of medium severity, it will be upgraded and eligible for medium rewards.\n\nHowever, there's no specific incentive for QA type submissions as sponsors are mainly interested in high/medium/low severity vulnerabilities and gas optimizations. In case of duplicate vulnerability reports from multiple wardens, only the best or most comprehensive reports are accepted. Also, known issues should be excluded from gas reports.\n\nFor more guidelines on report submission, you can refer to the links: \n1. [Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#report-format)\n2. [QA/Gas Report FAQ](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form)\n3. [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum)\n4. 
[Sample Reports](https://code4rena.com/reports)\n\nPlease note, these guidelines are subject to change and can be updated for fairer treatment of all contest participants, including newcomers.", "Question: How can I submit a large QA or gas report for a contest on CodeArena if it exceeds the character limit on the submission form?\n\nAnswer: If your QA or Gas report is larger than around 65k characters, exceeding Github's maximum character limit for issue descriptions, you would encounter issues while trying to submit through the contest submission form on CodeArena's website. In this case, you are advised to submit a placeholder in the form and send the full report via email to submissions@code423n4.com. This approach is due to some recent changes, and you can find the original instructions on this page: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.\n\nAlso, remember that you are required to submit at most one QA report and one gas report per contest, and it is advised to group all issues together in your QA report and keep it separate from the Gas report. The submission policy can further clarify these details: https://docs.code4rena.com/roles/wardens/submission-policy#report-format \n\nIf you need to edit the findings in your submitted gas report, this can be done on the C4 page while the contest is open. If you encounter any issues during the submission process, you can submit a help request at https://code4rena.com/help.", "Q: Why were some of my accepted findings not merged, and why was one of my reports removed from the list?\n\nA: The removal of accepted findings or reports from the list can happen for a variety of reasons. Your findings may have been categorized as automated ones and thus not awarded, or they could have been given a low grade in the judgment procedure. 
If you submitted a bug that wasn't accepted, you can check on Github's closed issues for your report. Also, it could be that your submission was considered a duplicate of another similar report, so it was not included in the final published report.\n\nWhen a contest ends and the report is released, you can review the report to understand why your submission was not accepted. You can find this info in the report or when you qualify to be \"Backstage\". This process is in place to help improve future submissions. If your issues did not make the award list, they were most likely rejected. You can confirm this by reviewing the available report.\n\nTo check the status of your report submission, look out for an email notification or check under \"your findings\" on the contest page. Here, you can also modify or withdraw your findings. Additionally, for each contest, the Readme Page has a section titled \"Known Findings\" where automated findings not accepted in the contests are listed.\n\nFor further information about what types of findings are no longer valid, you can check the conversations [here](https://github.com/code-423n4/org/issues?q=is%3Aissue+is%3Aopen+label%3Arules). Remember, not all submitted findings may make it to the final report and the reason might not be immediately known. To verify this, you need to wait until the reports are published, which usually takes at least a month.", "Question: How can I update or edit my submissions on CodeArena, such as QA reports or analysis findings?\n\nAnswer: Yes, you can update or edit your submissions on CodeArena. If you need to make changes to your QA report or analysis findings, you can do so by visiting the contest page and selecting the \"My findings\" option. From there, you can edit your submission as needed. Also, even after a QA report has been submitted for a contest, it can still be edited. 
If you have questions about what to include in your submissions, you can refer to the Analysis Guidelines and FAQ located at https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118 for guidance. Please note that updates on the format of your findings are allowed, but changes to the content after submission are not currently supported as stated in the Guidelines and FAQ. If you can't find the answer to your question in the FAQ, feel free to ask for support from the C4 website or you can also privately ask questions and receive guidance on more delicate aspects of the system.", "Question: How can I edit my submissions on CodeArena?\n\nAnswer: After you've submitted your findings for a contest on CodeArena, you can edit your submission at any time before the audit deadline. To edit a submission, navigate to the contest page, then click on the \"Your Findings\" button. \n\nFor example, if you participated in the Ethos Reserve contest, you would go to this page: https://code4rena.com/contests/2023-02-ethos-reserve-contest.\n\nPlease note, you can only submit one QA issue per contest, however, you can make edits to your existing submission if you find additional errors. If you've submitted a bug and later realize its severity needs to be increased, you can submit a help request to remove the original submission and then submit it again via code4rena.com/help.\n\nIn case your QA report exceeds the character count for regular submissions, you can submit it through a help ticket instead. You can find feedback for your submitted findings and check the success of your report submission by looking out for an email from CodeArena and being able to edit your submitted findings.\n\nUpdates to CodeArena's FAQ or any proposed edits to our documentation can be submitted as a pull request on our Github page at github.com/code-423n4/docs. 
Remember to review our existing FAQs and guidelines related to submissions and the incentive model at https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq.", "Question: Why were some of my findings accepted but not merged, while others were removed, and how can I understand the reasons behind this?\n\nAnswer: The acceptance and merging of findings and reports in CodeArena depend on several factors, and sometimes you may find that some of your findings have been accepted but not merged, while others have been removed. \n\nTo understand why this has happened, you can refer to the result list updates about accepted findings not being merged and reports being removed. You may also check the findings report repositories to understand why certain findings were not accepted. \n\nIn some cases, a report may be considered a duplicate if another similar report was chosen to be published, not necessarily because it was not the first. This could be a reason why some findings are not merged. \n\nIf you find that your reports are not being mentioned in responses, it might be due to your reports being listed as automated findings and not being awarded, or being rated as grade-c in the judgement procedure. \n\nThe reasons for findings rejections are usually provided in some form, and there is a process to help you understand why a bug was not accepted to improve future submissions. If your submission was one of many low-severity reports, remember that only one low-severity report among all submitted is chosen to be included in the final report.\n\nIf you are unsure of how to submit additional findings, or whether to submit findings as separate issues or as one, we don't have a definitive answer for that right now. However, you can note that a single report with all occurrences of the same issue is acceptable when submitting findings. \n\nIt's also important to note that not all reports or findings are guaranteed a reward. 
Reports are graded and must meet quality standards to be considered valid and satisfactory. Lastly, please bear in mind that the final report for a contest doesn't include wardens whose submissions or findings are not accepted.\n\nFor further assistance or to raise specific queries, feel free to submit a help ticket at [code4rena.com/help](code4rena.com/help).", "Question: How does CodeArena implement the grading system for QA and Gas submissions?\n\nAnswer: CodeArena utilizes a grading system for QA and Gas submissions, with Grade A reports counting more heavily than Grade B, specifically 2 shares for A and 1 for B. Judges consider both the quantity and quality of submissions when grading. A single item in a submission is unlikely to receive a high grade. An optimal approach is to submit one comprehensive report for gas and another for QA, grouping all related issues together. \n\nRewards for QA and gas reports are divided into grades A, B, C, based on their quality and associated gas savings. Currently, only grades A and B are rewarded. The best or most comprehensive QA/gas reports are highly valued and there's an award formula for gas and QA, although it's subject to updating. \n\nWhile there's no direct incentive for QA type of submissions, sponsors are significantly interested in high/medium/low severity vulnerabilities and gas optimizations. The criteria for achieving a top-3 finish in either the QA or gas report can be checked upon request. \n\nParticipants also have the ability to edit existing findings before submitting and the QA and Gas awards are given according to judges\u2019 scores. However, duplicates are disregarded, and handling downgraded issues remains a challenge. \n\nAdditionally, there are guides available on how gas/QA reports should be formatted. Participants can choose to write their QA/gas reports directly into the submission form without using special formatting tools. 
If a QA/Gas report does not fit in a single submit request, it can be split into separate sends.\n\nFor more detailed information about QA and gas reports, the grading system, and award formula you can refer to the following links: [judging criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical), [award incentive model](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports), and [submission policy](https://docs.code4rena.com/roles/wardens/submission-policy#report-format).\n", "Question: How should I approach submitting QA and Gas reports in CodeArena contests?\n\nAnswer: In CodeArena contests, participants are advised to submit one comprehensive report for Quality Assurance (QA) and another for Gas optimizations. Judges consider both the quantity and quality of submissions when grading QA reports, hence a single item in a QA submission is unlikely to have a high grade. \n\nIt's important to note that sponsors primarily look for high/medium/low severity vulnerabilities and gas optimizations, hence there's no specific incentive for reporting QA type of submissions. However, low issue or non-critical bugs that also reduce gas should be included in the QA category with a mention of the gas savings. If the issue only relates to gas savings, it could be downgraded from QA to Gas.\n\nIn your reports, group all similar issues together and keep the Gas report separate from the QA report. The level of detail required for QA and Gas Optimization reports isn't as comprehensive as for high severity issues. However, only the best or most comprehensive QA/Gas reports are accepted. \n\nFor larger reports that exceed the character limit in the submission form, you may submit a placeholder and send your report via email. 
Similarly, if you encounter issues with online submission, reports can also be emailed directly to report@code4rena.com.\n\nRemember, participants can submit one combined gas report and one combined QA report and have the ability to edit existing findings. \n\nFor more details on how reports are graded and the submission process, please refer to the following links: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical), [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards), and [Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#report-format). You can find examples of top QA/Gas reports at [https://code4rena.com/reports](https://code4rena.com/reports).\n", "Question: Why were my findings, despite being valid, not rewarded and how can I understand the reasons for findings rejection?\n\nAnswer: At CodeArena, valid findings are not always awarded. Specifically, non-critical findings, such as \"Open Todos\" or \"use of Block.timestamp\", do not share in the reward pot. The rewarding formula considers the severity of the findings, their count value, and whether they meet our quality standards. It's important to note that findings are not guaranteed a reward - all reports are graded based on these factors to be considered valid and satisfactory. \n\nYour findings may not have been rewarded for various reasons. For example, we do not award for findings first in the competition. They might have been listed as automated findings, rated as grade-C in the judgment procedure, or considered duplicates, which can lower the value of the reward. \n\nYou can check the report repositories to understand why certain findings were not accepted. Any concerns or queries about the findings or reports can be raised in our chatroom or you can check the \"your findings\" button on the contest page. This could provide more detailed information about the status of your findings. 
In some instances, findings can be disputed by the sponsor as \"won't fix\", but if they are valid, they can still be rewarded. \n\nFor more information about our rewarding formula, report grading, and the reasons for findings rejection, please refer to our guidelines [include the link here].", "Question: What is the process for handling and correcting potential errors in initial reports at Code4Arena?\n\nAnswer: At Code4Arena, we understand that there can be instances where an error is made in the initial report. It's possible that certain issues may be marked as valid in the first report and later discovered to be invalid. If such a situation arises, participants are allowed to edit or replace their submitted reports with \"withdrawn\" to invalidate them. If a judge marks a submitted finding as invalid, the participant will receive feedback. \n\nHowever, there are concerns about judges marking issues as invalid without providing an explanation. We are working on addressing these concerns. It's also important to note that not all reports are guaranteed a reward, as they are graded and must meet quality standards to be considered valid and satisfactory. There are no negative consequences for accidentally reporting something that turns out not to be an issue, but we recommend withdrawing such reports to save the judges' time. \n\nIn case of a discrepancy in the number of findings, for instance, if the raw findings.csv file has x entries for a warden and the warden submitted x+1 findings, it could mean one entry was eliminated as invalid or it was judged as a duplicate of one of the other findings. \n\nThe final report only includes one low-severity report among all the reports submitted. Additionally, if an issue identified in an automated finding can lead to high severity finding, it can be reported again during the contest and could be awarded with higher severity.\n\nThere are instances where duplicate reports were rewarded, lowering their value for each warden. 
We follow a criterion in case the same vulnerability is reported by two or more wardens - the wardens who report a certain finding first, as well as those who also found the same finding, are recognized in reports such as the Olympus report. \n\nFinally, if a finding is valid but the severity is not correct, there is a process to re-assign it automatically. \n\nFor more information, please check our submission policy at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. Also, rejected reports can be found at https://github.com/search?q=org%3Acode-423n4+is%3Aissue+label%3Ainvalid.", "Question: What is the average award pot for low/non-critical vulnerabilities in contests and how is it distributed, especially when no medium/high vulnerabilities are found?\n\nAnswer: The average award pot for low or non-critical vulnerabilities in a CodeArena contest is typically 10% of the total prize pool. However, if no medium or high vulnerabilities are found, which is a rarity, the remaining funds get divided based on the Quality Assurance (QA) Report curve. An example of such a contest can be found at https://code4rena.com/reports/2021-11-fei. \n\nIt's important to note that non-critical vulnerabilities do not share in the award pot, but there is an incentive for wardens to submit them as it benefits the sponsor. In contests, high quantity and high-quality reports tend to win, as seen in this report: https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues. \n\nThe severity of the vulnerabilities is assessed based on the risk estimation detailed at https://docs.code4rena.com/awarding/judging-criteria#estimating-risk. The value of an award can be influenced by the level of detail in the submission, including the inclusion of a proof of concept, and covering the issue in as many aspects as possible. 
\n\nIf you believe you've found a vulnerability during a contest, Code4rena encourages you to reach out to the sponsor team. However, you need to submit it via the contest submission form or it won't be eligible for awards. You can learn more about this at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Question: \nWhat is the award distribution for Low/Non-critical vulnerabilities and Gas optimization reports in CodeArena (C4) contests?\n\nAnswer:\nTypically, the award pot for low or non-critical vulnerabilities and Gas optimization reports is 5% and 10% of the total prize pool, respectively. However, the exact percentage can sometimes be adjusted by sponsors depending on how critical gas savings are to their project. Please note that there's no direct incentive to report non-critical findings as the focus is primarily on high/medium/low severity vulnerabilities and gas optimizations.\n\nIf no medium/high vulnerabilities are found, the entire award pool is divided based on the Quality Assurance (QA) report curve. This situation is rare as most contests have detected high or medium vulnerabilities. An example of a contest with only low vulnerabilities can be found at [this link](https://code4rena.com/reports/2021-11-fei). \n\nRegarding Gas optimization reports, their rewards are usually shared among reporters and awarded based on the score of each gas report. The formula used for awarding gas and QA is available at [this link](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). \n\nIt's important to note that all accepted reports, from high level down to gas optimizations, are eligible for payouts, provided the report is of high quality, the findings are accurate, and there is a working proof of concept. 
You can view examples of top QA/Gas reports at [this link](https://code4rena.com/reports).\n\nLastly, an issue can be submitted as low in a QA report but if the judges determine it as medium, it will be eligible for medium rewards as per [this guideline](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nPlease note, the formula used for awarding gas and QA is planned to be updated, and any changes to the incentive model will be communicated accordingly.", "Question: How can I update my team information, submit issues, and resolve failing checks on my PR in CodeArena?\n\nAnswer: To update your team information or submit issues, you'll need to create a Pull Request (PR). You can do this by going to the CodeArena GitHub repo and submitting a team request at https://github.com/code-423n4/code423n4.com/pull/28. Make sure to add your team handles when reporting issues.\n\nIf you're encountering failing checks on your PR, it may be due to several reasons. One common case is that checks often don't fully run for external PRs on the CodeArena platform, as seen here https://github.com/code-423n4/code423n4.com/pull/1584. However, don't worry, your PR still needs to be reviewed and approved by a member of the C4 team before it can be merged, regardless of these checks.\n\nChanging team names, adding new members, or modifying team memberships can also be done by submitting a request through the help desk at https://code4rena.com/help. \n\nIf your issue involves various lines changed, you can send a git patch or a PR to the repo. If there are any technical issues with viewing the repo or submitting findings, make sure your GitHub account is logged in and it's the same account given for C4. \n\nRemember, after the closing time of the contest, you can alter the severity of reported bugs either through the PR or by contacting one of the judges. 
Also, you can update your QA report by selecting the \"My findings\" option on the contest page. \n\nPlease note, there can be a backlog of dependencies before your PRs or changes can be updated in handles. If you face any issues, don't hesitate to reach out to us for support.", "Question: How is the prize pool distributed for low or non-critical severity findings in CodeArena competitions, and what happens if no Medium or High vulnerabilities are found?\n\nAnswer: The prize pool for low or non-critical severity findings, also known as QA (Quality Assurance) reports, in CodeArena competitions is typically 10% of the total prize pool. However, if no Medium or High vulnerabilities are found during a contest which is quite rare, the remaining funds are divided based on the QA Report curve. This means that the low or non-critical severity findings receive a greater share of the prize pool. It's worth noting that for gas optimization reports, the allocation is usually 5% of the prize pool, although this percentage can be adjusted by sponsors based on the importance of gas savings to their project. The exact criteria for severity categorization can be found at [https://docs.code4rena.com/awarding/judging-criteria/severity-categorization](https://docs.code4rena.com/awarding/judging-criteria/severity-categorization). Non-critical findings do not share in the award pot, and the prize for a finding reduces by approximately 10% for each duplicate submission. For each unique High or Medium finding, the submission selected for inclusion in the audit report receives a 30% share bonus. 
You can monitor the amount of prize money paid to each Medium/High risk at [https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv).", "Q: How can I correctly update or modify my team information on CodeArena, especially when my submitted PR is failing checks?\n\nA: To update your team information, you need to create a Pull Request (PR). However, checks for PRs may not fully run for external PRs on the CodeArena platform. If you're facing issues with checks failing for your PR, please don't worry, this is a known issue and you're not alone as evidenced by this case: https://github.com/code-423n4/code423n4.com/pull/1584. \n\nOnce you've created your PR, please share the link either here or send it via Direct Message (DM). It's important to note that all PRs need to be approved by a member of the C4 team before they can be merged. \n\nFor instance, if you're updating your team handle, warden profile, or adding members, you can make changes to the relevant file in the _data folder on the site repo and make a PR. For instance, if you're participating in a contest, you need to review and make a pull request for your handle at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles.\n\nIf you have changes that involve many lines, you can send a git patch or a PR to the repo. Once your PR is merged, you can then submit findings as a team. Any merged PRs can be seen at https://github.com/heiho1/code423n4.com/pulls.\n\nIf you're looking to register a group, please check the information in the docs, specifically the #\u26bdteam-formation channel, the link is https://docs.code4rena.com/roles/wardens#registering-a-team.\n\nFor any other modifications, you can submit a request through the help desk at https://code4rena.com/help. 
Additionally, proposed changes to the CodeArena documentation can be made at https://github.com/code-423n4/docs. \n\nRemember, team pull requests need to be accepted by someone from the team and it's crucial to add your team handles when reporting issues. Your patience is appreciated, as there may be a backlog of dependencies before your changes can be fully implemented.", "Question: What is the typical reward allocation for low/non-critical severity findings in CodeArena's smart contract audits and how does it work?\n\nAnswer: In CodeArena's smart contract audits, the standard award pot for low or non-critical vulnerabilities, also referred to as Quality Assurance (QA), is typically 10% of the total prize pool. This percentage, however, can differ for gas optimization reports, where the award usually stands at 5% of the prize pool. The allocation for gas optimization can be adjusted by sponsors depending on the importance of gas savings to their specific project.\n\nNon-critical findings, while beneficial to sponsors, do not share in the award pool. This is because the importance is placed on more severe vulnerabilities. The full pool of prizes for varying severities is paid out according to the standard model. \n\nIn rare cases where no medium or high vulnerabilities are found during a contest, the remaining contest funds are divided based on the QA Report Curve. An example of such a contest can be found at https://code4rena.com/reports/2021-11-fei. \n\nIt's important to note that if a vulnerability is submitted as low in a QA report, but the judges determine it to be of medium severity, it will be eligible for medium rewards, and vice versa. The final determination of severity is made by a judge, and this can impact award levels. The exact criteria for evaluating the severity of issues can be found at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization. 
\n\nIn case of uncertainties, it is advised to review the judging criteria and justify the chosen severity with evidence. Each vulnerability submitted is carefully evaluated, with considerations like level of detail in the submission, the inclusion of a Proof of Concept (PoC), and coverage of the issue in as many aspects as possible, all influencing the final award amount.", "Question: How are awards for low or non-critical vulnerabilities determined and distributed in CodeArena contests?\n\nAnswer: In CodeArena contests, the average award pool for low or non-critical vulnerabilities typically represents 10% of the total prize pool. Non-critical findings, however, do not share in the award pool. If no medium or high vulnerabilities are found during a contest, the remaining funds are divided based on the Quality Assurance (QA) Report curve, although such a situation is considered a rarity. \n\nIt should be noted that the awards pool includes several categories, such as HM awards, QA report awards, Bot race awards, Gas report awards, Judge awards, Lookout awards, and Scout awards. \n\nIf a finding is submitted as low in the QA report but is judged as medium, it will be eligible for medium rewards. On the other hand, if a submitted high-risk finding is judged as low risk, the submitter will still receive a reward. \n\nThe exact criteria for determining the severity of issues can be found at [https://docs.code4rena.com/awarding/judging-criteria/severity-categorization](https://docs.code4rena.com/awarding/judging-criteria/severity-categorization). \n\nThe level of detail in the submission, including elements such as a Proof of Concept (PoC), can influence the award amount. Judges also consider both the quantity and quality of submissions when grading QA reports. 
More information on these aspects can be found at [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nHigh quantity and high-quality reports often win in CodeArena contests. There is an incentive for participants to submit non-critical vulnerabilities, as this benefits the sponsors, even if non-critical vulnerabilities are not considered for awards. Furthermore, if a participant estimates an issue as low risk but it is judged as medium, they are eligible for the reward based on the medium risk evaluation.", "Question: My C4 wallet has been compromised. What steps should I take to change it and prevent further attacks?\n\nAnswer: \n\nIf you believe your C4 wallet has been compromised, here are the steps you should follow:\n\n1. Submit a help desk request immediately. You can do this via https://code4rena.com/help/. \n\n2. You might want to consider using a new wallet to prevent further attacks. \n\n3. Change your payment address and remove the compromised address from the login. \n\n4. If you logged in via the compromised wallet, create another help desk request. \n\n5. Update your payment addresses from your C4 account screen: https://code4rena.com/account. \n\nIt is currently not possible to change your login wallet address on Code4rena, but if you\u2019re using Metamask, you can link multiple addresses. Find more information about that here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. \n\nYou can also change the wallet address where you receive rewards. More details can be found at this link: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards. 
\n\nAfter you've updated your wallet addresses, ensure to follow best practices for wallet security, such as not sharing your seed phrase and private key. If your private key was leaked, generate a new one for enhanced security. If you lose your seed phrase, follow the steps mentioned here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked.\n\nPlease note that changing wallet addresses is a complex procedure, so only do it if it's absolutely necessary. As always, if you have further questions or need assistance, don't hesitate to contact us through our support channel.", "Question: How can I edit, track, or withdraw a submitted finding?\n\nAnswer: To edit a submitted finding, you need to navigate to the contest page on the CodeArena website. Once there, click on the \"Your Findings\" button. This will allow you to modify your submission as needed. You can also track the status of your report and see feedback on your findings in the \"Findings\" tab next to the contest description. If you want to withdraw a finding, you can do this under the \"Your Findings\" section on the contest page as well. \n\nPlease note that after you submit a finding, you will receive a confirmation email. If there are any follow-ups needed, you can expect to receive these after submission. If you wish to know how your findings were judged, you will need to check the data folder in the findings repository and look for JSON files named like '[warden-handle]-[issue number]'. \n\nIt's also worth noting that you can find a detailed list of your findings' worth in a contest at this link: https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv \n\nFor further details on the submission process, please review the documented process available at https://docs.code4rena.com/roles/wardens/sub. 
\n\nIf you have any other queries or need further assistance, feel free to make a helpdesk request with all the necessary information.", "Question: What level of English is needed for C4 reports and how is language proficiency managed within teams of varying skills?\n\nAnswer: CodeArena (C4) emphasizes effective communication in its reports over strict adherence to modern English. This focus on practicality is due to the mixed language skills and varying technical proficiencies within the teams. To better facilitate the creation of high-quality reports, C4 encourages team-ups among wardens of different skill sets. For example, a warden who is a strong technical writer but is just starting as an auditor can pair with a warden who is technically advanced but may struggle with English communication. This way, the technical skills of one can complement the English skills of the other, improving the overall quality of the reports. \n\nWhile discussions have been observed about the fairness and effectiveness of penalty systems for errors, there is currently no penalty for wrong reasoning, as long as it doesn't qualify as spam. However, all wardens are encouraged to improve their general English proficiency to enhance the quality of the reports. \n\nOn another note, the term \"online English\" used within C4 seems to be more context-specific rather than relating to a standard form of internet English. For instance, in transaction context, the term \"deal\" is not preferred but rather \"transaction\" is used. \n\nFinally, while English is the primary language, wardens are allowed to communicate in other languages like Spanish during contests. 
Therefore, while having a good command of English is beneficial for creating reports, it's the effective communication of the audit findings that is prioritized.", "Question: What should I know about strings exceeding the size of byte32 in smart contracts?\n\nAnswer: A string in Solidity exceeds byte32 size when it reaches 33 bytes, with one byte usually representing one character. However, it's important to note that certain characters such as emojis or non-ASCII characters may require more than one byte. The conversion of a string that exceeds byte32 size adds an additional word for the length of the string. Each slot in the Ethereum Virtual Machine (EVM) is 32 bytes, and any extra space in an address field is padded with zeroes on the left. \n\nIn terms of storage, Solidity stores state variables in 32 bytes storage slots. Multiple variables can potentially be packed into a single slot if they are declared next to each other, which could reduce gas costs. It's also worth mentioning that larger inputs can cause a function to run out of gas, a common workaround is to process it in batches using a start offset and maximum length. Here are some references for further reading:\n\n- [Solidity Byte32 vs String type](https://ethereum.stackexchange.com/questions/11556/use-string-type-or-bytes32)\n- [Dynamically-sized Byte Array](https://docs.soliditylang.org/en/v0.5.12/types.html#dynamically-sized-byte-array)\n- [Understanding how Solidity stores variables in storage](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html)\n\nThis information is vital for optimizing storage and managing gas costs in your smart contracts. However, please note that some aspects discussed in our chat are still under debate or need further clarification.", "Question: Is it truly 1 byte per character in a require statement, and how does it affect gas efficiency in Solidity smart contracts?\n\nAnswer: Yes, by default, Solidity considers 1 byte per character. 
This means, for example, in a require statement like `require(some_test, \"hello world wrong input\");`, each character in the string \"hello world wrong input\" would take up one byte.\n\nHowever, when the size of the string goes past 32 bytes (which is the size of bytes32), another word is added for the length. This means that a string above size byte32 begins to occupy more space when it reaches 33 bytes. \n\nIt's important to note that certain characters, such as emojis or any non-ASCII character, may require more than one byte. This can impact the gas efficiency of your smart contract. \n\nIn terms of gas efficiency, some developers have discussed the benefits of using custom errors in contrast to require statements with a string. Custom errors can be more gas-efficient and could offer a better alternative to string-based require statements, especially if your strings are lengthy or use non-ASCII characters.\n\nAdditionally, small differences like the condition \"x != 0\" being cheaper than \"x > 0\" in require statements (only prior to version 0.8.13) can also impact gas efficiency.\n\nHere are some helpful resources for further reading:\n- An explanation of using string type or bytes32: [Ethereum StackExchange](https://ethereum.stackexchange.com/questions/11556/use-string-type-or-bytes32)\n- A detailed overview of types in Solidity, including 'bytes': [Solidity Documentation](https://docs.soliditylang.org/en/v0.5.12/types.html#dynamically-sized-byte-array)\n\nIt's always important to consider these aspects when writing and auditing your smart contracts to ensure they are not only secure but also efficient.", "Question: What is the procedure if I have a finding that I'm not sure about or need to clarify before or after submitting?\n\nAnswer: If you are uncertain about a finding, it is generally advisable to submit your finding or directly message the sponsor team for additional context and clarification. 
Upon submission of a finding, you can expect a follow-up, and sometimes it might take a while for the submission to be confirmed via email. If you find that there's an error with your submission, the form should return an error. \n\nIf you have reported an issue but aren't confident about its severity, it's suggested to communicate with the judges for guidance. There's no penalty for mistakenly reporting something that turns out not to be an issue, but for the sake of efficiency, it's recommended to retract such reports. \n\nYou do not need to confirm findings with the project's developers before submitting; however, it's up to you to decide to submit a point you believe could be a valid finding. When a finding is submitted, you should receive a confirmation email. If you need to modify a submitted finding or correct a typo, you can file a helpdesk ticket with all the necessary information before the contest closes. \n\nIf you find an issue similar to an automated finding but in a different instance, it can still be considered a valid finding. Also, discussing potential findings with a sponsor over Discord or other private messages does not invalidate the finding. If you have findings that the judge and sponsor disagree with, the mitigation process would be initiated. For instance, if you submit a finding as medium severity and the judges believe it is high, the severity of the finding can be upgraded unless there's a reason to penalize it. \n\nDo note that users often report non-critical findings out of goodwill, despite there being no official incentive. We appreciate the community effort in maintaining the integrity of our projects. For any further questions or doubts, please feel free to reach out to our team.", "Question: What is the process and schedule for payments in CodeArena?\n\nAnswer: Payments for CodeArena are usually batched and processed once a week. 
This is typically done on a Monday or a Tuesday, where a standing meeting is held to queue up transactions for signature. However, the process can sometimes take up to two weeks due to the need for double-checking at each step to ensure payments are done correctly and securely. \n\nOnce a contest or audit is concluded, rewards are generally aimed to be paid out in the same week they are announced. If a report is accepted, the reward payment is ideally made within 1-2 business days of the announcement. However, participants need to complete certification within 30 days of the end of the audit in order to receive their payout. \n\nIn some cases, the payment amount might be revised after payout based on various factors. Also, rewards for submissions could be paid partially or fully. Contest rewards are typically transferred once per month, usually at the beginning of the month. \n\nFor convenience and to ensure correct payment, participants are encouraged to add their payment wallets to their CodeArena account. This can be done in the Manage Account section where users can also update their payment address if needed. \n\nCodeArena only supports payments to one address, and the team can distribute funds as needed. Alternative payment channels to crypto are also being discussed due to restrictions from certain countries. Please note that login with a wallet is not required to participate in contests, but a payment wallet is necessary. \n\nPlease report any issues or discrepancies, such as unexpected emails about updating your payment address, to our team for investigation.", "Question: Is there a service or method to convert a contract address to a separate Solidity file?\n\nAnswer: Yes, there is a service that allows you to convert a contract address into a separate Solidity file. This can be done via Etherscan by altering the URL from .io to .deth.net. 
For example, if your original contract address URL is https://etherscan.io/address/0x27f461c698844ff51b33ecffa5dc2bd9721060b1/advanced#code, you would change this to https://etherscan.deth.net/address/0x27f461c698844ff51b33ecffa5dc2bd9721060b1/advanced#code. \n\nAfter this, you can download all the smart contracts deployed at the specific address. Decompiling of the solidity code can then be carried out utilizing https://library.dedaub.com/decompile. If you are interested in testing these contracts, tools like Mythril and Slither are available. \n\nMoreover, for syntax checking, you might want to consider plugins or tools similar to the online Remix IDE, although availability was not confirmed in the chat excerpt. For viewing on-chain contracts of etherscan in an IDE like remix, consider using this tool: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484. \n\nIf there are issues with the code or if you seek optimization, you may consider an automated audit tool, such as 'Use assembly to check for address(0)', as described here: https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs. However, note that this optimization may not necessarily provide substantial benefit. \n\nFor beginners in contract auditing, there are resources on our platform that can help learn the Solidity compiler and for understanding smart contract interaction, such as the deprecated Surya tool: https://github.com/ConsenSys/surya. \n\nFinally, to add Solidity syntax to your code blocks, you can use the MD format. Take care to properly format the Solidity code in your submissions.", "Question: How should I handle and submit findings that are relevant to both Quality Assurance (QA) and gas savings in my report for CodeArena (C4)?\n\nAnswer: If you have a finding that is relevant to both QA and gas savings, you can include it in either your QA or gas reports. 
However, it is recommended that you consolidate all issues related to gas optimization in one report and all issues related to Quality Assurance in a separate report. If a non-critical (QA) bug that also results in gas savings is discovered, it should be included in the QA category and mention the gas savings. If the issue is only related to gas savings, it could be downgraded from QA to Gas. Users have the ability to edit existing findings. Note that the evaluation of QA reports is based on both the quantity and quality of findings, and a single item in a QA submission is unlikely to receive a high grade. This information is further explained in the following links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). You may find examples of the top QA/Gas report for each of these contests at [https://code4rena.com/reports](https://code4rena.com/reports). For gas optimizations, it could be beneficial to mention the amount of gas saved. There is no clear consensus on whether it is necessary to show Proof of Concept for the gas saved or if a description and mention of gas saved is enough. It's also worth noting that the detail required for QA and Gas Optimization reports is not as comprehensive as for high severity issues.", "Question: How should I reference the code for a finding submission or report on CodeArena using a GitHub link?\n\nAnswer: \n\nWhen referencing the code for a finding submission or report on CodeArena, you should use a GitHub link that directly points to the code in question. This can be achieved by clicking on the line of code in GitHub, which changes the URL to that specific line. Holding SHIFT can help capture a range of lines. 
This link is referred to as a GitHub permalink. \n\nIn your finding submission or report, you can place this permalink in the \"Links to Affected Code\" section for high/medium findings. Here's a guide on creating a permanent link to a code snippet on GitHub: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-a-permanent-link-to-a-code-snippet#linking-to-code.\n\nHowever, please note that adding a link that points to the sponsor's GitHub repo code in a findings report does not automatically pull in the code snippet to the report. Therefore, in addition to the URL, it's recommended to include a code block to show the place of vulnerability. The markdown code to include GitHub code in a report can be found here: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks. \n\nThere could be technical issues with viewing the repo or submitting findings. In such cases, ensure you are logged into the GitHub account that was provided to C4.\n\nIf you're having trouble receiving an invitation to Github, the time it takes to receive a Github organization invite can vary. If you did not get an invitation despite being certified, it may be worth reaching out to CodeArena for support.\n\nLastly, please be aware that there is ongoing discussion about potentially integrating CodeArena's website with Github to track specific timestamps. Further updates on this matter will be communicated as they become available.", "Question: Where can I find information about upcoming audit contests at CodeArena?\n\nAnswer: For the most current information on upcoming audit contests at CodeArena, you can check the #\u270brsvp channel in our Discord server. The CodeArena main page and contest page also list upcoming contests, accessible at https://code4rena.com and https://code4rena.com/contests respectively. 
More detailed information about the structure and process of these contests can be found on our documentation page at https://docs.code4rena.com and in our Medium article about Versus contests at https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef. CodeArena typically schedules 2-5 audit projects per week. You may also find the reports from past contests beneficial, which are available at https://code4rena.com/reports. Please be aware that upcoming contests may include both traditional smart contract audits and potential contests in other languages such as Rust. Teams are welcome to participate, and findings can be modified while the audit is open.", "Question: How much mathematics is important for auditing smart contracts? What type of mathematics is required and are there any resources to improve on these topics?\n\nAnswer: The importance of mathematics for auditing smart contracts varies depending on the nature of the contract being audited. For most audits, basic calculus is sufficient. However, projects that involve financial mathematics may require a more advanced understanding of the subject. \n\nFor example, some audit processes, like those conducted by Elastic DAO, require professional mathematicians to audit certain formulas. This suggests that these auditors should have knowledge of specific mathematical or financial topics. Please be aware that auditing projects with complex math often requires years of experience and in-depth study, it's not merely about studying a single resource briefly.\n\nFor resources to improve your mathematical knowledge in relation to smart contracts, some users have suggested the YouTube resource: https://www.youtube.com/@smartcontractprogrammer. 
Furthermore, for those new to the field of smart contract auditing, you can start learning from resources such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources.\n\nAs you continue to improve your auditing skills, it's beneficial to read past audit reports to understand them better. Participating in contests or auditing codebases can also be a good practice. Nevertheless, becoming an effective auditor takes time and persistence. \n\nAlso, bear in mind that the auditing landscape is evolving, with AI becoming an increasingly important part of the process. Thus, it is essential to stay updated on these developments to ensure your auditing skills remain relevant.", "Question: What kind of mathematical knowledge is necessary for auditing smart contracts and are there any recommended resources to acquire this knowledge?\n\nAnswer: The level of mathematical knowledge required to audit smart contracts can vary significantly depending on the complexity of the project. Many projects may only necessitate a basic understanding of mathematical concepts such as loan-to-value calculations (loan / collateral value). However, some math-heavy projects, particularly those involving financial mathematics like the audits done by Elastic DAO, demand a more profound grasp of complex mathematical formulas and principles, requiring even the expertise of professional mathematicians.\n\nTo augment your understanding of mathematics as it relates to solidity projects, you might consider various learning resources. One recommended resource is this YouTube channel: [@smartcontractprogrammer](https://www.youtube.com/@smartcontractprogrammer) which provides valuable insights into different topics, including how accountings are done.\n\nAdditionally, reviewing past audit reports can be a useful method for understanding complex audits better. 
A set of sample reports is available at: [ChainSecurity](https://chainsecurity.com/audits/). \n\nAdvancements in AI and machine learning, including the use of graph neural networks, are also bringing about new dimensions in auditing. You can learn more about this in the following paper: [IJCAI Proceedings](https://www.ijcai.org/proceedings/2020/0454.pdf).\n\nRemember, becoming proficient at auditing projects with complex math often requires years of experience and study, not just a quick study of a resource. It's okay to ask questions, seek help, and take part in audit discussions to increase your understanding.", "Question: I need help with transferring my CodeArena awards to another wallet. How can I pay the gas fee and can I change the wallet address where I receive awards?\n\nAnswer: To transfer your CodeArena awards to another wallet, you will need Matic cryptocurrency to pay for the gas fee. Matic can be obtained potentially for free at https://wallet.polygon.technology/gas-swap/. This site allows wallet users to swap Matic without a gas fee. \n\nIf you want to change your wallet address where you receive awards, you can do so by following the information available at this link: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards.\n\nPlease note, awards are distributed on the Polygon network and will be transferred to your registered wallet address. You can check the announcement channel for updates on distribution. If you encounter a problem with receiving your award, it might be due to the use of multisignature (\"multisig\") wallets which require signatures from multiple parties before funds can be released. CodeArena is planning to distribute awards via smart contracts in the future for a smoother process.\n\nWhen bridging from the Polygon network to Ethereum to later withdraw funds on Coinbase, both Matic and Eth are required if using the Polygon bridge. 
However, if using the Hop Bridge, only Matic is needed, although less USDC will be received on the Ethereum Mainnet. You can move funds back to the mainnet using the polygon bridge: https://wallet.polygon.technology/. \n\nAlso, be aware of potential security issues. Some users have reported their MetaMask wallets being hacked and rewards stolen. It is advised to take preventive measures to secure your wallet. If you have any issues, you can reach out to the community on our Discord channel: https://discord.com/channels/810916927919620096/824698635815223316/915880736664461322.", "Question: What is the most cost-effective method to swap ERC tokens?\n\nAnswer: The most cost-effective method for swapping ERC tokens is typically to use a DEX aggregator such as [1inch](https://app.1inch.io) as it can help you find the best exchange rate across multiple decentralized exchanges. Uniswap and Metamask are other options, but they charge fees of 0.05% and 0.743% respectively for token swaps. It's also important to note that there may be additional costs due to slippage, especially in Metamask where there's minimum 1.01% slippage. \n\nFor those interested in arbitrage opportunities, the optimal amount of tokens to purchase can be calculated using a specific algorithm that takes into account the Automated Market Maker's (AMM) price formula, price impacts, and transaction costs. However, be advised that not all tokens are fee-on-transfer, meaning that certain tokens remove a small fee from every transfer, which may result in the received amount being less than the transferred amount.\n\nIn situations where you're dealing with gas fees, there are platforms such as [Polygontimes](https://polygontimes.com/swap-for-gas-instant-gasless-matic-tokens-on-polygon-pos/) and [Polygon](https://wallet.polygon.technology/gas-swap) where you can perform gasless swaps or swap gas, respectively. 
If you're dealing specifically with Matic tokens, keep in mind that transferring coins from a wallet requires Matic to pay the fee, and you can swap Matic without a gas fee at the aforementioned Polygon link.\n\nRemember, while these are currently the most cost-effective methods, it's advisable to remain updated and explore other options as the crypto landscape rapidly evolves.", "Question: I haven't participated in contests on CodeArena for awhile. Can you update me on any changes to the rules, submission guidelines, or prize splits?\n\nAnswer: There have been no major changes to the rules, contest submission guidelines, or prize splits recently. However, a new submission mechanism is expected to be implemented in upcoming contests. The detailed changes to contest rules and submission guidelines can be found in the documentation provided at [https://docs.code4rena.com/](https://docs.code4rena.com/). \n\nAlso, we suggest you check our \"Past Contest Status Updates\" section to get a sense of where contests are currently in the process. For specific questions about the scope for a contest, those can be addressed to the respective sponsor. Details on judging and payout timelines after a contest ends can also be found at [https://docs.code4rena.com/structure/our-process](https://docs.code4rena.com/structure/our-process). \n\nIn response to increased inquiries about viewing all submissions after a contest, the submissions might be released a few days after a contest ends. The details are discussed in this forum post: [https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123). 
Lastly, for updates on open competitions, we recommend checking the contest page at [https://code4rena.com/contests](https://code4rena.com/contests).", "Q: Can I contact CodeArena directly about the specifics and timing of contest reward distribution?\n\nA: Yes, you can direct message someone from Code4rena regarding any contest reward distribution queries. The distribution of contest rewards typically aims to be processed by the end of the specified week and likely to be distributed by the next week. You can check updates on distribution in the announcement channel. Please note that rewards are not distributed immediately upon the reward announcement due to the use of multisignature wallets, which require signatures from multiple parties before funds can be released. The eventual plan is to distribute awards via smart contracts. \n\nHowever, do note that there might be instances where some rewards may remain pending after a contest has finished, for reasons not specified. If you have any issues related to the reward distribution, you can submit a Help Desk request through this link: https://code4rena.com/help/. You can also discuss potential issues with the sponsor while the contest is ongoing through specific channels or via direct message with sponsor's team members. \n\nRemember, winning awards from contests are sent to your registered wallet address. If you wish to change the address, it's advisable to confirm with the team first. Also, in cases where no high or medium issues are found in a contest, the reward distribution could vary, so it's better to consult directly for such scenarios.", "Question: How can I manipulate transaction priority to simulate front-running scenarios in Foundry tests, similar to what I can do in Hardhat by changing block mining time and transaction fees?\n\nAnswer: Foundry provides specific features for transaction prioritization, allowing you to simulate front-running scenarios. 
Transactions can be prioritized by calling functions in a desired order. In addition, Foundry facilitates local forking, which eliminates the need to acquire testnet tokens for transactions or wait time on blocks, thus offering a more optimized environment for testing different transaction scenarios. \n\nRegarding front-running, remember that pending transactions in the blockchain mempool are not hashed. This means that the data of the transaction is accessible, which can potentially enable front-running. \n\nFoundry also offers specific functions such as vm.prank(address) which allows impersonation of an account, similar to what you can do in Hardhat. For a more in-depth look at Foundry's capabilities, you may refer to its documentation: https://book.getfoundry.sh/reference/config/testing#fuzz.\n\nKeep in mind, however, that while Foundry offers robust testing capabilities, it is not a complete replacement for Hardhat or other testing environments. If you're using Hardhat in your project and wish to integrate Foundry, you can use the base template found at https://github.com/foundry-rs/hardhat-foundry-template. \n\nThe choice between Hardhat, Foundry, or other tools like Truffle, largely depends on your specific project needs and which environment you are most comfortable with. These decisions are often project-specific and may require some trial and error to find the best fit.", "Question: Are there any recent changes to contest rules, submission guidelines, prize splits or ways to communicate with judges and sponsors that I need to be aware of?\n\nAnswer: There have been no major changes to the contest rules, submission guidelines, or prize splits recently. However, it's important to note that the specific scope of each contest is determined by the respective sponsor, so for specific contest-related queries, you should reach out to the sponsor. Additionally, we're planning to implement a new submission mechanism in the upcoming contests. 
\n\nAfter a contest ends, any changes to the severity of reported bugs can be communicated to the judge through designated contact points. Once contest payouts have been sent, the result cannot be altered, but any overlooked issues can be flagged to the judge and sponsor. \n\nYou can find all the details about the contest rules, judging, and payout timelines in our documentation at https://docs.code4rena.com/. Participants are encouraged to review the submission policy and judging criteria at https://docs.code4rena.com/roles/wardens before participating. For any queries related to findings submission, the policies can be found at https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines \n\nWe're also considering a change in policy to grade and pay for all submissions, regardless of the time of submission. You can find this discussion here: https://github.com/code-423n4/org/discussions/34. \n\nWe are often asked about how to view others' findings after a contest finishes and how to find which findings were rejected and why. These details are updated mid-contest on the public report page. \n\nFinally, for inquiries about the timing of the next audit event or contest, it's best to keep an eye on our announcements. If you have any specific questions, feel free to ask in the chatroom.", "Q: What is the process to simulate front-running in Foundry tests and are there specific features for transaction prioritization?\n\nA: In Foundry, each test corresponds to a single transaction. To simulate front-running, you need to execute multiple transactions within a single test. This can be done by calling the function of the transaction you want to front-run before the other one. This approach can cover most front-running cases. \n\nIt's important to note that Foundry provides specific features for transaction prioritization, allowing you to order your transactions as needed. 
Additionally, Foundry facilitates local forking, which means you can carry out your transactions without needing to obtain testnet tokens or waiting for block confirmations. \n\nFoundry can also be used to fork data from live networks like mainnet or testnet and run it locally, allowing for a broader and more realistic testing environment. You can even use Foundry to test how block re-organizations might affect block confirmation times in your smart contracts.\n\nBe aware that front-running possibilities could be considered either Medium findings or QA, depending on their impact. Also, keep in mind that you can use tools like \"foundry debug\" to introspect contract execution at the EVM opcode level, although there have been reports of issues with opcode support in Foundry.\n\nFor more complex tests, remember that Foundry allows for the sending of ether with the constructor during contract deployment, and it also supports the deployment of contracts that take a struct as an argument in the constructor. \n\nFor further information on configuring Foundry, you can refer to this link: https://book.getfoundry.sh/reference/config/testing#fuzz \n\nPlease note that while Foundry is a robust testing framework, there are alternatives like Hardhat that can also be used for testing depending on your preference.", "Question: What are the steps and considerations when using a Metamask wallet for submitting findings and receiving payments in Code4rena?\n\nAnswer: To submit findings and receive payments in Code4rena, you need to connect your Metamask wallet to your account. This can be done when you sign in and it's not necessary to repeat this action every time you submit findings. You can submit your findings as an individual or as a team, once your wallet is connected. \n\nKeep in mind that wallets can be under review on Code4rena, which might affect your ability to submit findings. 
If you have previously submitted findings, you'll be redirected to a confirmation page instead of the registration page when you connect your wallet. \n\nWallet addresses used in a finding can be updated after the finding has been submitted and before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. Remember, you can also edit your submitted gas report findings on the C4 page while the contest is open.\n\nFor security reasons, if your C4 wallet is compromised, please immediately submit a request for assistance through the Help Desk. Furthermore, Code4rena is considering implementing a system for using different wallets for different submissions in a single contest, which is currently in the initial stages of development. \n\nTo receive their share of the reward, participants need to register their handle and ETH address. The submission form for each contest includes a field for users' wallet addresses. However, Code4rena does not allow users to change their login wallet address. But if you have Metamask, you can link multiple addresses. More information can be found here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. \n\nFinally, please note that the payment address of Code4rena is a multisig and will likely remain the same unless there are accounting issues.", "Question: What is the Cosmos section on the Code4Arena website and how can it be beneficial to me?\n\nAnswer: The Cosmos section on the Code4Arena website, accessible at https://code4arena.com/cosmos, is dedicated to the Cosmos project. The Cosmos project is an ever-expanding ecosystem of interconnected apps and services, built for a decentralized future, as described on https://cosmos.network. It uses the Rust programming language for its blockchain network. 
\n\nAdditional information about Cosmos can be found at https://academy.terra.money/courses/cosmwasm-smart-contracts-i and https://github.com/Anchor-Protocol. \n\nCode4Arena has worked with several protocols including Cosmos, and you can find details of these partnerships at https://code4arena.com/contests. If you face any issues or need help with Cosmos or any other aspect of Code4Arena, you can submit a help request at https://code4arena.com/help.\n\nFor users interested in becoming more involved with Code4Arena, applications for becoming a certified contributor can be submitted here: https://code4arena.com/certified-contributor-application. This link would guide you through the process of becoming a certified contributor at CodeArena.\n\nIn case you wish to learn more about Code4Arena and its teams, you can visit their documentation page at https://docs.code4rena.com/. This page also includes a comparison between bug bounties and C4 audit contests, providing you a comprehensive understanding of Code4Arena's operations.\n\nPlease note that Code4Arena, pronounced as \"Code Arena\", is recommended for contract audits in the crypto space. It's a great platform for smart contract developers looking to ensure their code is secure and efficient.", "Question: What level of mathematical knowledge is required for auditing smart contracts, and how can I improve my understanding of the necessary concepts?\n\nAnswer: The level of mathematical understanding required for auditing smart contracts can vary greatly depending on the project being audited. While some audits may only require a basic understanding of calculus, others, particularly those involving financial mathematics, may necessitate advanced mathematical knowledge. For instance, some complex smart contract projects might even require the insights of professional mathematicians. 
Auditing tasks that involve intricate mathematical formulas are generally not something one can master through quick study but rather demand an extended period of education and practical experience. \n\nTo enhance your understanding of the mathematical concepts relevant to auditing, some effective strategies include actively participating in audit contests, reading past audit reports, and utilizing educational resources like [this YouTube channel](https://www.youtube.com/@smartcontractprogrammer), which provides content specifically targeted towards understanding math for solidity projects. Additionally, understanding financial calculations such as the loan-to-value ratio can be beneficial in auditing certain types of smart contracts. \n\nIt's worth noting that becoming a certified auditor tends to require substantial time investment, reflecting the complexity and depth of knowledge required in this field. Ultimately, the most effective auditors often combine theoretical knowledge with practical auditing experience, leading to a deeper understanding of both the mathematical and functional aspects of smart contracts.", "Question: Can auditors at CodeArena (C4) combine their auditing duties with other skills such as meme-making, coding Proof-of-Concepts (POCs), or using AI tools?\n\nAnswer: Yes, auditors at CodeArena can blend their auditing abilities with other skills, although these are generally light-hearted or supplementary to their primary function of auditing. For instance, some auditors have showcased meme-making skills. This, however, doesn't affect their auditing responsibilities or the outcome of contests per C4 guidelines. \n\nAdditionally, auditors can create coded Proof-of-Concepts (POCs) to explain their reported issues better. 
It should be noted that while the creation of POCs might provide more clarity on reported issues, it does not influence awards or the contest outcome.\n\nMoreover, the integration of AI into the auditing process is becoming increasingly significant. Some auditors may automate part of their tasks to identify potential issues in the code they are reviewing. \n\nFurthermore, auditors can also get involved in other aspects of C4, such as participating in private audits, joining auditing contests as a team or as individuals, and even potentially acting as certified wardens in private auditing contests. \n\nFinally, auditors are encouraged to be proactive in enhancing their skills and knowledge. They can do this by reverse engineering and understanding old audit reports, researching various auditing topics, participating in contests to gain a better understanding of audit reports, and asking questions about findings of past projects.\n\nFor more information on how to become an auditor or participate in auditing contests, please visit our website at [insert website link].", "Question: Does a specific meme (\"In former Soviet Union bloc chains you!\") exist in CodeArena's community or discussions?\n\nAnswer: No, there is no record or mention of this specific meme (\"In former Soviet Union bloc chains you!\") within the CodeArena community or discussions. Memes are occasionally used within the community as a light-hearted skill or form of communication, separate from the technical aspects of smart contract auditing. However, we could not find any references to the mentioned meme in the discussions. \n\nPlease note, apart from memes, the community also engages in discussions on various technical topics like proof of concept against a block number known on a testnet fork with state changes, leaderboard status of wardens, significance of icons, tool recommendations for Solidity and concerns on submission rules among others. 
For any further queries or recommendations, feel free to use the CodeArena platform. Remember, discussions and information sharing are crucial to our community's growth and development.", "Question: How is the prize money distributed in CodeArena contests, particularly when Medium/High risk findings are identified?\n\nAnswer: The amount of prize money allocated to each Medium/High risk finding can be checked at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. The reward amount is calculated based on an incentive model detailed at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. \n\nFor each unique High or Medium finding, the submission chosen for inclusion in the audit report receives a 30% share bonus. If multiple people, including members of the same team, identify a finding, the reward split is calculated using the same formula. \n\nIn contests where only one high and one medium issue are found, the distribution of rewards is according to the same model. If no Medium/High vulnerabilities are found, the full award pool would be divided based on the Quality Assurance (QA) Report curve. This has been a rare occurrence, as there have only been a few contests without high vulnerabilities and no contest without a medium vulnerability. An example can be found at https://code4rena.com/reports/2021-11-fei.\n\nThe severity of loss that qualifies a finding as high, medium, or QA is detailed at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. If a participant misclassifies a bug's severity in a submission, they still receive the reward according to the actual severity. \n\nThe reward amounts in contests come from the sponsor and also include a judging pot. If no issues are found during a contest, the sponsor reward pot is divided based on the QA Report curve. 
Distribution of prize money amongst team members can be managed through multisig wallets or using a contract like OpenZeppelin's PaymentSplitter: https://docs.openzeppelin.com/contracts/4.x/api/finance#PaymentSplitter.", "Question: How are the rewards distributed in CodeArena contests, particularly in unique situations like the OpenSea contest or instances where only one high and one medium issue are found?\n\nAnswer: The distribution of rewards in CodeArena contests depends on the number and severity of issues found. In a typical contest, if only one high and one medium issue are found, the distribution of rewards can be checked at https://docs.code4rena.com/awarding/incentive-model-and-awards. The OpenSea contest is unique as it has a system of scaling up the reward pool based on the severity of the findings. In this contest, the prize pool expanded significantly, making it one of our highest prize contests to date. For specific rewards paid to each Medium/High risk in any contest, you can verify this at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. For situations where no high or medium vulnerabilities are found, the remaining funds are divided based on the Quality Assurance Report curve, although such situations are quite rare. More information about the structure and progression of contests can be found at https://code4rena.com/contests and details about special contests like Versus can be found at https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef.", "Question: Are there more contests planned at CodeArena, and where can I find information about them?\n\nAnswer: Yes, there are several more contests planned at CodeArena. Information about upcoming public contests is regularly updated in the #\u270brsvp channel on our Discord. Currently, we have a number of new contests expected in the coming month and two contests queued up for the next week. 
The next public contest is scheduled to begin on February 16th. There might be some upcoming contests that haven't been updated on the specific channels yet, so it's recommended to check the #\u270brsvp channel frequently.\n\nPlease note that there are also private contests. A recent private contest was mentioned but it was initially unclear whether it was public or private. Information about such contests and how to gain access to them are also discussed in the Discord chatroom.\n\nUsers are eagerly awaiting the results of Enso and Putty contests, while the results for the Biconomy Hyphen 2.0 contest's audit are currently under review and are expected to be published in the coming weeks. High prize contests similar to the $1M OpenSea contest are also expected in the future.\n\nThere has been discussion about running multiple contests simultaneously, with an aim to handle up to 20 contests a week. The new submission mechanism is also slated for implementation in upcoming contests. Certified users have access to more contests.\n\nYou can find the specific details of an upcoming contest at this link: [https://code4rena.com/contests/2023-04-party-protocol-versus-contest](https://code4rena.com/contests/2023-04-party-protocol-versus-contest).\n\nPlease note that the term \"vs contest\" refers to a type of contest, the meaning of which can be clarified within the Discord chatroom.", "Question: \nWhere can I secure a flash loan on the BSC network that offers low fees and high liquidity and what are some things I should look out for when using flash loans?\n\nAnswer: \nFlash loans on the BSC network can be potentially obtained from PCS, which may offer low fees and liquidity of several millions. A flash loan involves buying an asset at one price in one market and selling it at a higher price in another market within a single transaction. 
\n\nHowever, it's important to note that in the context of flash loans, it's the responsibility of the recipient contract to perform necessary validations, like ensuring no funds are lost by the end of the operation. One suggested approach for handling flash loans within smart contracts is using a flag to allow or disallow the flash loan, akin to a reentrancy guard, although this could imply a gas overhead. \n\nDetailed information about smart contract exploits and flash loans can be found in resources such as FEG token flashloan exploit analysis [here](https://www.certik.com/resources/blog/w6AxRmf6l2ow4zL884gr8-feg-token-flashloan-exploit-analysis). \n\nRemember that our company, CodeArena, conducts audits similar to Venus protocol, including auditing the implementation of functions like flash loans. This ensures that your smart contracts are safe and secure.", "Question: How can I access and understand the status of my submitted reports, including the rejected ones, for CodeArena contests?\n\nAnswer: You can access your submitted reports, including the rejected ones, through the public GitHub repository of CodeArena. For each contest, a findings repository is created that is made public once the contest report is published. You can view your submissions and the reasons for their rejection in this repository. \n\nHere is the link to access the repositories: https://github.com/code-423n4. You can also find direct links to rejected (and accepted) issues in multiple .json files located in the /data/ directory of the published repo.\n\nIf your submission for a contest did not make the award list, your issue was likely rejected. To confirm this, you can review the published report. The entire discussion among sponsors and judges on the specific issue can provide insights into why certain findings were not accepted.\n\nYou can also check whether your submissions were accepted at https://code4rena.com/reports. 
If a link to a repository in a contest is not working, please let us know.\n\nPlease note that feedback may not always be provided directly to you but can be checked on the public GitHub repository later. Also, in rare cases, if GitHub fails to take in issues via the API, it may reject submissions resulting in a failed submission.\n\nFor an idea of what a high-quality submission looks like, you can review past submissions at https://code423n4.com/reports. This could help you improve your future submissions. All past submissions can also be found in any repository ending with -findings on the CodeArena GitHub page. \n\nRemember, your reports can be revised and resubmitted based on the feedback provided.\n", "Question: How can I effectively mock SafeERC20 to test safeTransfer and safeTransferFrom functions in my smart contract?\n\nAnswer: Mocking SafeERC20 can be a bit complex since it is a library and doesn't have an ABI like an ERC20 token. However, it's still possible to do so, especially when using tools like eth-brownie that can assist with mocking contract deployments.\n\nWhen developing your mock token, ensure that it includes the safeTransfer and safeTransferFrom functions, as these are essential for testing specific functionalities in your smart contract. Remember, the usage of safeTransferFrom or safeTransfer often depends on the specific token used and the intentions of your code. \n\nFor contracts that are ERC-777, you have the possibility of calling the safeTransferFrom function within another smart contract. This is because ERC-777 contracts usually have a recipient contract call onReceive. \n\nIn cases where you're dealing with ERC-20 tokens, they may not revert on failure, as highlighted in this helpful repo: https://github.com/d-xo/weird-erc20#no-revert-on-failure. Therefore, using a SafeTransferLib can be beneficial because it checks the return status of the call to ensure the operation of sending funds is successful. 
\n\nLastly, remember that your testing should not only check for successful execution but also potential vulnerabilities. Consider tools like Mythril and Slither for auditing the smart contracts. You may also want to conduct symbolic security testing, which involves interacting with your code without executing transactions on-chain. \n\nHowever, remember that there's no one-size-fits-all answer to your question as it depends on your specific use case and the tokens involved. For example, you should note that the decimals() function is technically valid in the ERC-20 standard but it's optional, and other contracts must not expect these values to be present according to the EIP-20 documentation available at: https://eips.ethereum.org/EIPS/eip-20. \n\nEssentially, create your mock, test your functions, and remember to conduct a thorough security audit to ensure your contract is safe.", "Question: As a beginner, I'm interested in doing my first smart contract audit with a focus on gas optimization. What resources should I start with to understand these concepts and apply them in the audit? \n\nAnswer: It's great that gas optimization is the focus for your first smart contract audit. Gas optimization is a crucial aspect to consider when auditing smart contracts due to the cost implications it can have for those using the contract. \n\nFor a beginner, some useful resources for understanding smart contract auditing and gas optimization include the following:\n\n1. A blog post by cmichel provides an insightful guide on becoming a smart contract auditor: https://cmichel.io/how-to-become-a-smart-contract-auditor/. \n\n2. CodeArena's documentation also provides tools and resources that can guide you through your first audit:\nhttps://docs.code4rena.com/roles/wardens/tools-and-resources. \n\n3. 
For an interactive learning experience, you can start with 'CryptoZombies' to understand Solidity, the core language for smart contracts, and 'Capture the Ether' for practical challenges: https://cryptozombies.io/ and https://capturetheether.com/ respectively. \n\n4. Watching webinars can also help to enhance your knowledge. OpenZeppelin's webinar series is a good starting point, and this is their first video: https://youtu.be/6GaCt_lM_ak. \n\n5. Another video that explains some aspects of contract auditing is: https://www.youtube.com/watch?v=wCD3fOlsGc4. \n\n6. If you're interested in practical examples, you can look through past contests on CodeArena and read the old reports. \n\n7. To understand how to approach auditing of larger projects, you can read this blog post: https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan.\n\nWhile learning, remember to focus on gas optimization techniques and their implications. It's also important to understand that gas optimization should be applied to contracts only. There are also discussions in the chat about compiling multiple ideas about gas optimizations into a single report which could be helpful. \n\nLastly, do not hesitate to ask for clarification and engage in the discussions about gas optimization and other aspects of contract auditing in the community. The CodeArena Discord chatroom is a great place for this.", "Question: I have recently changed my Discord username and wallet address. Can these new changes be reflected in my CodeArena account?\n\nAnswer: Yes, with the recent changes to your Discord username and wallet address, you can certainly update these details on the CodeArena platform. \n\nFor Discord username changes, you can update this on the Account Management page of your warden profile. Keep in mind that your Discord nickname should remain as your registered C4 username. 
In case of a mismatch between your site username and Discord nickname, it is advised to submit these queries via the Help Desk for developer team review.\n\nRegarding wallet address changes, it's possible to change both the wallet address where you receive awards and the wallet address you use to log in. Detailed instructions for these changes can be found at the following links, respectively:\n\n- [Change wallet address for receiving awards](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards)\n- [Change wallet address for logging in](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with)\n\nPlease note, changing your Discord username or wallet address won't affect your ability to receive awards, but having an updated Discord username tied to your CodeArena account does ensure that you can be tagged in for any award announcements. However, changing your handle will require re-registering on CodeArena and any leaderboard standings and submissions under the previous handle are not transferable to the new account.", "Question: \nIs it considered gas optimization when a public function is declared as external, especially when it isn't called by the same contract but from another contract that's connected to the first one?\n\nAnswer: \nGenerally speaking, declaring a public function as external can contribute to gas optimization as it restricts the function's access to only allow calls from other contracts. However, whether or not this is gas optimization depends on the context. If a function is not called by its own contract but from an imported contract, the optimization may not be valid if the contract is derived, meaning it is under the same contract scope. 
\n\nIn terms of gas optimization reports and audits, only those mentioned in the generated report are considered invalid and the rest can be found at https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md. \n\nIt's crucial to note that contract optimization can extend beyond protocol contracts to include other types of contracts and non-view/non-pure functions. Moreover, other optimization techniques, such as function inlining, can be used to save gas. For instance, if an internal function is only called once, it can be inlined to save gas. But do be aware that calling a view/pure function from a non-view/non-pure function in the same contract does cost more gas.\n\nThere have been discussions about whether gas optimization and gas reports are the same \u2013 they are. These reports often involve detailing potential gas optimizations and calculating the gas cost of a contract. However, there is some uncertainty whether the report needs to show proof of concept for the gas saved or if a description and mention of the gas saved is enough.\n\nIn some cases, a function that checks from storage then checks the calldata may have its order swapped to optimize the gas. However, it's pivotal to remember that not all gas optimizations are valid when the optimizer is enabled. This has led to some confusion and it is always recommended to report any gas optimizations separately. \n\nHere's a recent report you may find useful for reference: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations.\n\nTo further clarify, gas optimization should be looked for in the contracts only, and any improvements or changes made should be reported separately. This allows for a more thorough and organized audit. 
And remember, if you ever find yourself unsure about the validity of a gas optimization or any other aspects, do ask for clarification.", "Question: Does CodeArena offer services beyond smart contract auditing, such as coding or website audits?\n\nAnswer: CodeArena is primarily focused on smart contract auditing and does not currently offer coding or website auditing services. Our platform provides a variety of resources for auditing and learning about smart contracts. For those who are new to smart contract auditing, we have a dedicated #\ud83c\udfebeducation channel where you can learn more about this field. Additionally, we run contests for analyzing smart contracts. You can also access helpful resources from https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources. There are discussions about applying machine learning for smart contract auditing and using fuzzing tools in the process. Furthermore, being an auditor requires varying levels of mathematical competence, depending on the complexity of the smart contract being audited. It's also worth noting that CodeArena is highly recommended for contract audits in the crypto space. If you're interested in exploring similar platforms, you might want to check out https://immunefi.com/, https://spearbit.com/, and https://hats.finance/. Remember, the focus should be on smart contracts, although suggestions on other relevant areas are always welcomed.", "Question: How does CodeArena handle anonymity and pseudonymity, especially in terms of cybersecurity spaces and the bounty leaderboard? \n\nAnswer: CodeArena respects the privacy of its auditors and understands the need for anonymity or pseudonymity in cybersecurity spaces. Auditors have the option to remain anonymous on the bounty leaderboard and during team collaborations. This is to cater to individuals who may have concerns about their online privacy and security. 
\n\nHowever, it's worth noting that if a participant's name is not mentioned in the report, it won't affect future submissions, but it may have a minor impact on the leaderboard ranking. Also, some activities, such as certain contests, may require KYC (Know Your Customer) verification, which would necessarily involve some level of identity disclosure.\n\nAdditionally, auditors have the flexibility to change their usernames on Code4rena, and some even set up separate GitHub accounts for their Code4rena work to maintain their privacy. It's also worth noting that an individual's name can appear twice on the leaderboard, once individually and once as part of their team, depending on how they choose to operate.\n\nFinally, there are established procedures to handle the possibility of dishonest projects cloning white-hat reports to cut down on their payouts, ensuring the protection of auditors' work. \n\nIn terms of vulnerability report submissions, there's an option to submit findings without authenticating. However, the exact process and potential implications of anonymous submission are unclear from the existing chatroom data. \n\nSo, while CodeArena offers flexibility and options to cater to privacy needs, some trade-offs might be involved, especially in terms of leaderboard rankings and participation in certain activities.", "Question: What happens to the sponsor reward pot if no issues are found in a contest, or if a team wins but cannot claim the prize due to KYC issues?\n\nAnswer: If no high or medium issues are found in a contest, the rewards are not lost but are typically divided based on Quality Assurance (QA). This means that the reward pot is shifted down to reward those who have contributed to the QA process. More details on this can be found in Code4rena's awarding policies [here](https://docs.code4rena.com/awarding/incentive-model-and-awards). 
In relation to a team winning a prize but being unable to claim it due to KYC issues, it's currently unclear whether the prize will be on hold until they complete the KYC or if it would be forfeited. Once the contest payouts have been sent, the outcome cannot usually be changed, but any overlooked issues can be flagged to the judge and sponsor. It's recommended for participants with concerns about their rewards or any KYC issues to open a ticket for review by the CodeArena team.", "Q: What are some options for Ethereum bridges that allow sending to a different address on Polygon, and what are the processes and requirements for transferring funds?\n\nA: There are several Ethereum bridges that allow you to send to a different address on Polygon. Connext is one of them, and there are also third-party bridges like Wormhold and Celer which were suggested as a potential cross-chain Decentralized Exchange (DEX) between Polygon and Ethereum. \n\nTo transfer funds, you can use the Polygon bridge via [Polygon's official wallet](https://wallet.polygon.technology/). However, please bear in mind that if you want to move funds back to the Ethereum mainnet or withdraw USDC on Coinbase, using the Polygon bridge will require both Matic and Ethereum (ETH). Alternatively, you can use the Hop Bridge which only requires Matic, but you will receive less USDC on the Ethereum Mainnet.\n\nIf you receive rewards on Polygon, you can connect your Polygon account to MetaMask for conversion and withdrawal. This conversion process from Polygon Token to EUR can be done through MetaMask bridge and Coinbase. \n\nRemember that rewards are sent to the Polygon address, not to the Ethereum address. For the withdrawal process, you will need both Polygon and Ethereum addresses. 
\n\nYou can monitor your tokens on the Polygon network via [PolygonScan](https://polygonscan.com/address/), and if you need to swap gas, you can do so at [Polygon's official wallet gas swap page](https://wallet.polygon.technology/gas-swap).\n\nKeep in mind that to send or transfer coins from a wallet, Matic is required to pay the fee. If you are short on Matic, you can swap it without a gas fee at [Polygon's official wallet gas swap page](https://wallet.polygon.technology/polygon/gas-swap).\n\nAlways ensure that your Polygon address has been correctly submitted in any relevant account settings.", "Question: How can I become a Certified Plus contributor at CodeArena, and what benefits does it offer?\n\nAnswer: Becoming a Certified Plus contributor at CodeArena involves a few steps. First, you will need to fulfill some prerequisites and apply by following the guidelines available at [this link](https://docs.code4rena.com/roles/certified-contributors). The application process may need to be followed by a Know Your Customer (KYC) verification. If you have made a high finding, you can request for Certified+ status after contacting the organization through the help desk form. Keep in mind that the upgrade to Certified+ status may also require a more formal process, such as being in the Top 3 in 3 contests or having participated in more than 3 contests. Once your application is approved and processed by the team, which can take approximately 2-3 weeks, you will receive certified status. \n\nBeing Certified Plus not only grants you access to more contests, but also allows you to join any contest, including certified contests. You can participate in private audits and gain backstage access. Additionally, Certified Plus contributors get access to private repositories after a contest is finished, where they can see what others have submitted for learning and growth. 
You can confirm your Certified status by clicking your name to see assigned roles and also look for an email communication from CodeArena. Please note that the severity requirement is now only for Certified+.", "Question: How can I view, edit, retract or track my submissions for a contest on CodeArena?\n\nAnswer: Once you've made a submission for a contest, you have multiple ways to interact with it. You can view your submission replies and track your report status on the CodeArena Contest page under the \"Findings\" tab. Additionally, you can edit your findings by navigating to the contest page and clicking on the \"Your Findings\" button, as exemplified for the Ethos Reserve contest at https://code4rena.com/contests/2023-02-ethos-reserve-contest. If you wish to retract a submission, you can also do so on the contest page under the findings tab.\n\nAfter the contest has ended and the report is published, you can review all submissions and see why certain findings were rejected. This can be done by accessing the findings repository which is made public after the contest. You can also view others' findings and the discussions among sponsors and judges on the specific issues. \n\nAll your submissions and changes to them are confirmed via email. If you're a certified contributor, you might be able to view submitted issues right after contest closure and comment or give input during the judging process. Remember, you can update your submissions as long as the contest has not ended.", "Question: What's the fastest and most efficient way to bridge from Polygon to Ethereum, and are there any specific requirements or fees involved?\n\nAnswer: The speed and efficiency of bridging from Polygon to Ethereum can vary depending on the bridge used. Connext is typically faster than the bridge from Polygon due to its peer-to-peer nature. However, it comes with a fee, unlike the Polygon bridge. You can compare different bridges, their time, and fees at https://www.bungee.exchange/. 
\n\nOther third-party bridges like wormhold or celer are also potential options for cross-chain transactions between Polygon and Ethereum. If you're looking to move funds back to the Ethereum mainnet, the Polygon bridge at https://wallet.polygon.technology/ can be used. \n\nWhen bridging from Polygon to Ethereum and withdrawing USDC on Coinbase, if you're using the Polygon bridge, you'll need both Matic and Eth. However, with the Hop Bridge, only Matic is required, but you may receive less USDC on the Ethereum Mainnet.\n\nAdditionally, if you're seeking an Ethereum bridge that allows sending to a different address, please note that each bridge may have its specific requirements. Always remember to review the details of each bridge before proceeding. It's also worth noting that unauthorized transactions can occur if your Polygon wallet becomes compromised, so always ensure that your wallet is secure. Lastly, for monitoring your tokens on the Polygon network, you can use https://polygonscan.com/address/.\n", "Question: I'm looking for advice on how to secure my wallet and prevent future attacks, which one would you recommend, Trezor or Ledger? \n\nAnswer: Both Trezor and Ledger have their own strengths, and it depends on your individual needs. They are renowned for their security measures and are widely used in the crypto community. Trezor was the first hardware wallet invented for Bitcoin, and it supports more coins than Ledger. Ledger, on the other hand, has a more robust physical build and supports a substantial number of coins as well.\n\nBeyond just choosing between these two, it's important to note that there are several different types of wallets you can choose from. For example, on our platform, CodeArena, you'll have a login wallet set up when creating your account and a payment wallet which can be updated in your profile. \n\nWe've also noticed some of our users discussing alternatives like Revolut, ZEN, and smart contract wallets like Gnosis and Argent. 
Revolut and ZEN have been recommended as they are crypto-friendly. Gnosis and Argent, on the other hand, are smart contract wallets that offer unique features such as the ability to manage digital assets in a decentralized manner.\n\nAdditionally, for those participating in contests on our platform, please note that you can participate as a team using a single wallet during registration. For those who regularly change their names and wallets, you have the ability to update your details on the platform.\n\nIn terms of preventing future attacks, an important aspect is to always keep your private key secure and consider using a new wallet if you suspect that your current one might have been compromised. We also encourage users to constantly educate themselves on best practices for securing their wallets. Resources like CryptoZombies.io and CaptureTheEther.com are helpful to learn about smart contracts and solidity, which can indirectly help you understand more about maintaining your wallet\u2019s security.\n\nRemember, the choice of wallet depends largely on your individual needs, and it's always best to do thorough research before settling on any one option.", "Q: Will Code4rena continually accept new wardens without restriction, and how does this impact the distribution of prize funds?\n\nA: Yes, Code4rena plans to remain open to new wardens indefinitely as the platform is designed to encourage participation from a broad range of developers. However, the distribution of prize funds is indeed impacted by the number of wardens participating. If an issue is identified by multiple wardens using different wallets, each person gets less than the full reward. The final award for each warden depends on the incentive model and awards policy of Code4rena, detailed at https://docs.code4rena.com/#incentive-model-and-awards. It's worth noting that wardens can operate either as individuals or as part of a team. 
If a team identifies an issue, a single payment is made to the team and it's up to the team members to decide how to distribute that money. You can learn more about team registration here: https://docs.code4rena.com/roles/wardens#registering-a-team. Multiple participants finding the same issue does lead to a dilution of the prize money, regardless of the order of submission. You can follow the leaderboard at https://code4rena.com/leaderboard/ for a sense of what wardens are currently earning. Furthermore, to participate in private contests or in test-coverage, one needs to become a certified warden, a process you can read more about at https://docs.code4rena.com/roles/wardens/certified-wardens#certified-contributors.", "Question: Will Code4rena continue to welcome new wardens indefinitely, and how will this affect the prize funds with the possibility of running more contests simultaneously?\n\nAnswer: Code4rena plans to continue welcoming new wardens, and the growing number of participants does raise questions about the potential dilution of prize funds. However, Code4rena is actively discussing the possibility of running multiple contests simultaneously, with aspirations to handle up to 20 contests per week. This would help tackle the issues of prize fund dilution and also accommodate the growing community of developers.\n\nNotably, Code4rena contests tend to be shorter than those of our competitors (like Sherlock) because they've been able to achieve high-quality results with fewer auditors. Furthermore, the idea of showing the number of participants in a contest is being considered to provide a clearer perspective to potential entrants.\n\nAdjustments to the prize pool have been necessary in the past, particularly to address lagging contests in the backlog due to a high level of issues and limited judge availability. This included increasing offers for judging compensation temporarily to clear out these backlogged contests. 
\n\nAdditionally, Code4rena has been expanding its scope of contests, including the potential of hosting Rust contests in the future. It is normal for the number of contests to fluctuate, and updates on upcoming contests can be found on the Code4rena main page [here](https://code4rena.com). \n\nFinally, while there is hope that even third and fourth place finishes in Code4Rena contests will be recognized as significant achievements in the industry, the highest rewards typically go to high quantity and high-quality reports, as seen in this [report](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues).\n\nThe future will see more contests with the structure of an initial audit prize pool and a mitigation review pool. Ultimately, Code4rena is committed to maintaining a fair and rewarding contest environment for all participants.", "Question: What defines \"low quality\" in the audit contest guidelines at CodeArena, and how does it relate to \"low risk\" or \"non-critical\" findings?\n\nAnswer: In CodeArena's audit contest guidelines, the term \"low quality\" doesn't necessarily equate to \"low risk\" or \"non-critical\". In fact, it refers to reports that lack clear explanation or the path to the finding. Therefore, even if a finding is of low risk or non-critical, it could still be considered of low quality if it does not provide a sufficient explanation or a clear path to the discovery of the issue.\n\nIt's also worth noting that the quality of the reports plays a crucial role in the grading process. Judges consider both the quantity and the quality of submissions, meaning that a high volume of low-quality reports isn't usually well-regarded. 
Each submission, particularly those in the Quality Assurance (QA) category, is carefully evaluated based on its content and clarity, and a single item in a QA submission is unlikely to receive a high grade.\n\nIf a finding is submitted as \"low\" in a QA report, but the judges determine that it's a \"medium\", it may become eligible for medium rewards. However, if a high-risk finding is judged as low risk, the submitter will still be rewarded and vice versa. The severity of loss also plays a role in the classification of findings. \n\nIt's important to bear in mind that not all reports or findings are guaranteed a reward. Reports are graded and must meet quality standards to be considered valid and satisfactory. \n\nFor more insight and clarity, discussants can refer to the following links:\n- https://github.com/code-423n4/org/discussions/34\n- https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical\n- https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports\n- https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues", "Q: What is the process and potential consequences when I have made findings, but the judge and sponsor disagree with my proposed mitigation?\n\nA: At CodeArena, if you have findings but the judge and sponsor disagree with your mitigation, the final decision on the mitigation part rests with the sponsor. It's important to note that pointing out a judge-approved bug or a logic flaw is considered an achievement in itself. Also, if your finding is submitted with what you believe to be a high severity, and the judge disagrees, the issue might be downgraded, but you will generally still be rewarded for identifying the issue unless the judges invalidate it for overinflating severity.\n\nThe inclusion of high-risk findings depends on the contest and the judge. 
If you believe a high-risk finding should be considered, you are advised to make a case to the judge in your submission. If a finding is marked as invalid by a judge, you will get feedback. Also, if a finding is submitted as medium severity but the judges believe it is high, the severity of the finding can be upgraded unless there is a reason to penalize it.\n\nYou have the right to discuss disagreements with a judge's decision according to our policy, which can be found [here](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision). If an issue is labeled as \"sponsor-disputed\" but there is no explanation provided, you can check for duplicates and ask the judge after judging is completed.\n\nIt's important to note that only the sponsor, not the judges, see the findings early. Typically, findings repositories are not made public when the awards are published since the sponsor generally has not completed their mitigation work by that time. If a finding is disputed by the sponsor as 'won't fix' but is considered valid, it will still be rewarded. \n\nIn conclusion, your role as a participant is not just to identify potential issues, but also to argue for their importance and suggest mitigations. While the final decision rests with the sponsor and the judge, there are many opportunities for you to make your case and potentially influence the outcome. Don't hesitate to submit findings you are unsure of, or to ask for clarification when needed.", "Question: How do I change my wallet address on CodeArena for receiving audit rewards and what is the process for this change?\n\nAnswer: \nYes, you can change your wallet address on CodeArena. If you have a new wallet address, you can use it in your reports moving forward and the rewards for the audits will be distributed to this new address. The wallet address on file at the time awards are calculated for an audit is the one to which the rewards are sent. 
\n\nTo change your wallet address, you need to update it in your user profile on Code4rena. If you have submitted a report and want to update the address used in that finding, you can do so before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. \n\nAdditionally, the wallet address used to log in can be changed. More information about changing your wallet address can be found at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards and https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address.\n\nIn case you forget the wallet address to receive your bounty, you can refer to the email received when the bug report was submitted. Please note that rewards are distributed to one handle per contest. Once a submission is confirmed and the reward amounts are announced, you just need to wait for it to go to your wallet.\n\nRemember, if your wallet is hacked and you change your payment address, you should create a Help Desk request if you logged in via the same wallet. For checking if you have submitted a wallet address for receiving rewards, you can use the help form at https://code4rena.com/help. \n\nIn case of any further queries or concerns, feel free to reach out to our Help Desk.", "Question: Can you provide more detail on what constitutes a \"low quality\" submission in CodeArena's audit contest guidelines and how this impacts the grading of QA reports, the rewards distribution, and the submission policy?\n\nAnswer: In CodeArena's audit contest guidelines, \"low quality\" doesn't necessarily correlate to low risk or non-critical. It's defined as a report having no clear explanation or trajectory towards the finding. A high volume of such reports is discouraged as judges consider both the quantity and quality of submissions while grading QA reports. \n\nA single item in a QA submission is rarely likely to receive a high grade. 
More details about this can be found at these links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n\nAdditionally, if no high or medium issues are found during a contest, the entire rewards will move down to Quality Assurance i.e., they will be divided based on the QA Report curve. In the case of no medium or high vulnerabilities being found, it's considered a rarity, and there are only a few contests without high vulnerabilities and no contests without a medium vulnerability.\n\nIf a low severity finding in a contest's bot report is escalated to a high severity, it's not automatically invalid. The criteria for judging such cases is explained at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues)\n\nIf an auditor submits a finding as low in a QA report and the judges determine that it's a medium, it will be eligible for medium rewards as per [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nFor more detailed guidelines, you can refer to [https://github.com/code-423n4/org/discussions/34](https://github.com/code-423n4/org/discussions/34) and 
[https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines](https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines).", "Q: I'm interested in a career as a smart contract auditor. How can I get started, and what resources can you recommend for learning and support, especially in terms of salary and job opportunities?\n\nA: Smart contract auditing is a growing field. As a beginner, you can start learning from resources such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources. These sites provide valuable information on how to get started and expand your knowledge in the field. \n\nIn terms of salary, the specifics vary significantly depending on your experience, location, and the complexity of the projects you take on. Unfortunately, we don't have specific data on the average salary for a smart contract auditor. \n\nYou might also want to check resources for blockchain forensics analysis, particularly for hacks and incidents in smart contracts. This knowledge will be beneficial in your career. \n\nIf you're interested in joining an auditing firm, you can consider websites like https://immunefi.com/, https://spearbit.com/, and https://hats.finance/. These platforms offer opportunities to get rewarded for auditing smart contracts. \n\nIn addition to auditing, you can deepen your skills by understanding smart contract security, gas optimization, and vulnerabilities detection. Notably, some projects may require professional mathematicians to audit complex formulas.\n\nLastly, you can join our #\ud83c\udfebeducation channel where you'll find more resources and a supportive community to help you learn about auditing smart contracts. \n\nRemember, becoming an expert in smart contract auditing requires continuous learning and practice. 
Good luck!", "Q: How can I determine the validity and severity of a bug in my smart contract and successfully submit it for auditing?\n\nA: To determine the validity of a bug, it's recommended to write an executable test for it. The severity of a bug is based on its potential impact, with guidelines available at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. After discovering a bug, you can submit it along with a written proof of concept (PoC) for it through Code4Arena, highlighting the potential exploitability, as findings without PoC could be disregarded unless the issue is extremely clear.\n\nThere are criteria for high-quality submissions that include the correct identification of the bug's severity, providing evidence to support your claims for its severity and validity, and clear, understandable writing. If a bug is a duplicate of another or relies on a user mistake, it may still be valid but may not be considered high severity. You can review examples of quality submissions at https://code423n4.com/reports.\n\nAfter submission, you can view or edit your entries for open contests on the Code4Arena site. Questions about specific bugs and severity evaluation can be addressed in the chat. If you misclassify a bug's severity, it can still be accepted under the correctly assessed severity. You should receive an email about the status of your submission, regardless of its validity. If your finding is valid but the severity is not correct, it can be re-assessed.\n\nIt's worth noting that the payout for a bug does not vary based on who found it first. If multiple people find the same bug, the bounty is reduced and split accordingly. Your submission remains valid even if a bot has found a similar issue. 
If the severity of a bug needs to be increased, you can request the removal of the original submission and submit again via https://code4rena.com/help.", "Q: How can I ensure that the bug I've reported is valid, and what steps should I take after reporting it?\n\nA: When you report a bug, you should receive a confirmation email from CodeArena. This email confirms receipt of your bug report, not its validity. To ensure the validity of your bug, we recommend writing an executable test for it. You can then view and edit your findings in the \"Findings\" tab next to the contest description on our website. \n\nAfter submitting your bug report, the evaluation process begins. Our judges consider several factors such as the correct identification of the highest severity impact of the bug, the arguments and evidence you've presented in support of the severity and validity of the bug, and the clarity and understandability of your writing. \n\nIt's important to note that the value of a bug report is partly based on correctly assessing its severity and presenting convincing evidence. If you're unsure about the severity of your reported bug, you can ask questions and seek clarifications in our chat. \n\nIf your bug report is not accepted and you'd like to understand why to improve future submissions, there is a process available to provide this insight. Remember, accurate bug reports get rewarded, but false positives do not. \n\nIf you have not received an email after submitting your bug report, you can open a help desk request at https://code4rena.com/help/. You can also submit a help request if you feel the severity of your submitted bug needs to be increased. \n\nFor examples of what a high-quality submission looks like, you can check previous reports at https://code423n4.com/reports. 
If you're unsure about whether to find all bugs before creating a final report or to create one issue per report, we recommend making separate submissions based on the type and severity of the bugs found. \n\nIt's also worth noting that there is no difference in payout between the first person to find a bug and anyone else who finds the same bug. The overall value of the bug is reduced and split based on how many people find it. \n\nFinally, please remember that all bug reports have to be submitted before the closing of the audit.", "Question: How are reported issues evaluated, accepted or rejected during judgment in CodeArena contests?\n\nAnswer: Reported issues are evaluated by judges who have the discretion to determine the severity of identified issues in the submitted reports, they may also make changes in severity levels if necessary. The acceptance of these issues largely depends on their severity as evaluated by the sponsors and judges. Judges can downgrade or upgrade the severity levels of issues based on their judgement. If a participant's issues are rejected or not listed in the award list, it is likely due to the issues being deemed invalid by the judges. \n\nThe judges are obligated to provide reasons for their decisions, whether they classify an issue as invalid, disputed, or downgrade its severity. If there are concerns about the reasons for findings rejections, participants will get feedback from a judge. Participants can also inquire about an issue marked as invalid by monitoring the backstage channel for the post-judging stage of the concerned contest. \n\nFurthermore, if an issue is submitted as high severity but is downgraded by a judge, the participant will still be awarded unless the issue is invalidated for overinflating severity. More context on this can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions). 
\n\nOnce a contest is closed and a report is generated, participants can review the report to know if their issues were accepted or rejected. The criteria used by judges to evaluate reports can be found [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk). There is also an appeal process for valid findings that have been classified as invalid; this process is detailed [here](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision).\n\nThe process of evaluation, acceptance, and rejection of reported issues aims to ensure fairness and validity in CodeArena's smart contract auditing contests.", "Question: Can I engage in open discussions, including questions on scope and severity, with sponsors before the contest ends? \n\nAnswer: Yes, at CodeArena, we encourage open communication and transparency. During an ongoing contest, participants are allowed to discuss potential issues, including those of high severity, with the sponsor. You can also ask specific questions about the contest's scope, which is determined by the sponsor and listed in their contest information. You can reach out to the sponsor through the contest channel or via direct messaging. However, if you have identified a vulnerability, remember to submit it through the contest submission form to ensure it's eligible for awards. Please note that open discussions can only happen during the contest. Once the contest has ended and submissions are closed, there are restrictions on discussing bugs and exploits until the contest results are out. This is to give sponsors time to fix any issues. Any changes to the severity of reported bugs after the contest ends can be communicated to the judge through the designated contacts. If you have any disagreements with the sponsor about the scope of a specific issue, we still encourage you to report the issue.", "Question: Is there any harm in editing a submission on Code4Arena? 
I noticed that it adds a tag called 'wardener edited'.\n\nAnswer: There is absolutely no harm in editing your submission on Code4Arena. The 'wardener edited' tag is simply an indicator to track that changes have been made to the submission after it was initially sent. According to our policies and guidelines, users are allowed to edit their submissions after they have been submitted. This tag is automatically added when the submitter uses the website to edit the issue post-submission. It's worth noting that our submission guidelines are always available for wardens to check at https://docs.code4rena.com/roles/wardens/submission-policy. We recommend familiarizing yourself with these guidelines prior to submitting any issues. For certified wardens, they can view their submissions and the comments within them once the repository is set public, unless they have backstage access certification. Also, there's an ongoing consideration to release all unverified submissions a few days after a contest ends, a discussion you can follow on our forum at https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123.", "Q: How can I best provide code for a test or proof of concept in my CodeArena submission?\nA: The best method to provide code for a test or proof of concept in your CodeArena submission depends on various factors such as the length of the code, potential exposure of vulnerabilities, and the complexity of the code's setup. If the code is not too lengthy, you can add it directly to the report under the 'Proof of Concept' section. You can also provide direct links to all referenced code in GitHub, along with screenshots, logs, or any other relevant proof that illustrates the concept. \n\nIf the proof of concept is too large to be embedded directly or if the code reveals potential vulnerabilities, it is recommended to use a private gist or a private GitHub repo. 
Some wardens have also added a zip file to the submission. It's important to note, when linking to a GitHub repo, it does not automatically pull in that code snippet to the report.\n\nIt is also acceptable to use external platforms like Gist for submitting long proofs of concept. However, when showing places of vulnerability, it's recommended to include both the URL to the repository with the line number and a code block. \n\nUnderstanding the markdown code to include GitHub code in report can also be helpful. Here is a link to learn how to include that: [https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks].\n\nRemember, the 'Proof of Concept' section is just one part of your submission. You should also clearly explain the vulnerability and its impact on the protocol/code in the 'Impact' section.\n\nFor more detailed guidance, you can refer to the Code4Arena's submission policy at [https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept].", "Question: Is Art Gobblers associated with the creator of Rick and Morty and how does it relate to CodeArena's activities?\n\nAnswer: Yes, Art Gobblers is a collaboration between Paradigm and Justin Roiland, who is well-known as the creator of Rick and Morty. In relation to CodeArena, Art Gobblers was a part of a competition hosted by the platform. The participants were given the opportunity to receive feedback and improvement suggestions on their entries. Further information and details from the competition can be explored through this link: https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137.", "Q: I haven't received a confirmation email after my submission. How can I ensure that my submission was received successfully?\n\nA: You should typically receive an email confirmation to acknowledge the receipt of your submission in a few minutes. This email will be sent from submissions@code423n4.com. 
If you haven't received the email, please first check your spam folder as we've had reports of our emails landing there. \n\nAlso, you're able to view and edit your own submissions on the CodeArena site for open contests. This feature helps you verify if your submission has been received and is being processed. \n\nIf you have submitted for the first time and are unsure about the submission status, you can check all the reports you've submitted during the competition and you should receive an email confirmation regardless of whether your submission is valid or not.\n\nPlease note that if you submitted issues for a contest but did not make the award list, it could be because your issues were rejected. In such cases, you can confirm this by reviewing the available report. \n\nIf you're still facing issues with email confirmations, you can submit a request to our help desk at https://code4rena.com/help/. \n\nRemember, the correct email for sending submissions is submissions@code423n4.com. If there's an error with message delivery to this email, it could be due to a domain error or your submission might fail. In case of failure, the form should return an error message.", "Q: I'm having trouble submitting my findings on CodeArena, what steps can I take to handle this situation?\n\nA: If you're having trouble submitting your findings on the platform, here are several potential solutions:\n\n1. Try refreshing the page or changing browsers. Some users reported these steps helped them resolve their submission issues.\n\n2. Check the size of your submission. If your gas report is larger than ~65k characters, it may exceed Github's max character limit for issue descriptions and cannot be submitted through the form. In such cases, email your submission to submissions@code423n4.com.\n\n3. If you are having trouble with the 'Create Issue' or 'Submit' button, try to check for console errors or report the issue to us. 
There have been instances where these buttons were unresponsive due to various technical issues.\n\n4. If you are still unable to submit your findings, you may have encountered a potential API limitation. In such a case, try submitting a help request or report this issue to us.\n\n5. After submitting, you can view or edit your submissions on the site for open contests. Look for a \"Your Findings\" button on the contest page to do so.\n\n6. If you're trying to submit via mobile and experience issues, send requests to submissions@code4rena.com for assistance.\n\n7. If you've submitted your findings but they don't appear, it could be due to delays in confirmation emails or potential issues with the Escher contest.\n\nRemember, if you encounter any issues, you can always contact us directly. Also, for ongoing or previously reported submission issues, you can check https://github.com/code-423n4/code423n4.com/pull/2338 for potential fixes.", "Q: I can't find my name in the drop-down username list when I went to submit a new bug. What should I do and how can I check the status of my submission later?\n\nA: If you are unable to find your username in the drop-down list during bug submission, it might be due to an issue we are currently investigating. In the meantime, you can try refreshing the page, switching browsers, or even re-registering to change your username. If these methods do not resolve the problem, you can reach out directly to our team for further assistance. \n\nFor submissions related to open contests, you can view and edit your submissions on the \"Findings\" tab of our site. Please be aware that it may take some time for your submission to be confirmed via email. If the submission fails, the form should return an error. \n\nIf you wish to change your account details, such as your Twitter handle, you can submit a help desk request at code4rena.com/help. 
Furthermore, if you believe that the severity of a submitted bug needs to be increased during a contest, you can request to remove the original submission and submit again via the same link. \n\nPlease note that the grading of bug reports can be affected by user error and that different types and severities of bugs should be submitted separately. We also encourage you to ask any questions about the submission process in our chat, whether they relate to creating a final report or individual reports per issue. \n\nRemember, your feedback is invaluable to us. Concerns about the lack of feedback on bug submissions, issues with the submission form, or any other topics can be reported in our #profile-help channel on Discord.", "Question: I'm experiencing issues submitting and updating my bug findings, what should I do? \n\nAnswer: We're sorry to hear you're experiencing difficulties. Firstly, it's important to ensure you're using a compatible browser, as users have reported issues with Firefox and occasionally Chrome. Next, navigate to the contest page and look for the 'Your findings' button - this is where you'll be able to submit or edit your findings. If you're participating in a contest like Escher or Caviar, ensure that your findings are distinct and separate for each type and severity of bug found. \n\nAfter you've submitted your findings, it may take some time for you to receive a confirmation email. If your submission fails, the form should return an error. However, if you're not seeing your submissions on the 'Findings' tab or if you aren't able to edit them, please direct message us with a screenshot of the issue for further assistance. \n\nFor examples of past submissions, visit https://code423n4.com/reports. If you're curious as to why certain findings were not accepted or are looking for feedback on your submissions, you can check the location of findings report repositories. \n\nPlease note that user error can impact the grading of bug reports. 
It's also worth noting that there's currently a desire within our community for an editing feature to be added for submitted findings, to unburden our ticket handling team. \n\nHere is a simpler example of a bug report, to give you a sense of what to aim for: https://github.com/code-423n4/2022-12-caviar-findings/issues/141. We hope this helps and please let us know if you have further questions!", "Question: What is the process for receiving feedback and understanding the distribution of rewards for the Canto Dex Oracle contest on CodeArena?\n\nAnswer: The Canto Dex Oracle contest, which involved a prize of $20,000, has already concluded. After a contest, participants can generally inquire about the progress and schedule of final reports. These reports, once finalized, are published and can be viewed by the participants at this link: https://code4rena.com/reports. Contest results, such as the Canto Jun 20 results, are also published when available. \n\nWhile we understand there have been instances where rewards for a contest have not yet been paid out to participants, rest assured that CodeArena is committed to ensuring that all payouts are properly distributed. Prizes are given out not only for winning, but also as bonus rewards for the best reports. High quantity and high-quality reports tend to win in CodeArena contests, as seen in this example report: https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues. \n\nIn the event you're facing issues or have concerns about the validity of the issues you've submitted, please bring it to our attention. We have noted that users have potentially experienced issues when submitting findings to the contests, where they see 'No findings submitted for this contest' despite having submitted their findings, and we are actively working on resolving these issues. \n\nFor future contests, it's also worth mentioning that participants have the ability to submit an analysis. 
In addition, participants who have completed a certification process with ProvenanceDAO and participated in more than 3 contests can inquire about when their certification+ will be granted. \n\nPlease bear in mind that the process of reviewing and auditing results takes some time and we thank you for your patience. If you have any more queries, feel free to contact us.", "Question: What happens if someone identifies a vulnerability in a smart contract? How is the severity of the issue determined and what kind of rewards can be expected?\n\nAnswer: At CodeArena, we encourage the identification of vulnerabilities in smart contracts through our contests. If you identify a vulnerability, you should submit it for evaluation. An independent judge with deep Solidity knowledge makes the final determination of the vulnerability's severity. The severity decision is influenced by factors such as whether any funds can be stolen, or even if the vulnerability breaks the protocol. Based on the severity of the identified issue, contestants are given shares for bugs discovered. These shares give the owner a pro rata piece of the pot.\n\nIt's important to note that if the same vulnerability is reported by multiple wardens, they each get the same share. This is to ensure fair reward distribution. However, a solo finding, in the absence of duplicates, secures all the share of that finding.\n\nJudges are selected based on their experience and reputation and their decisions on a bounty are shared after the contest concludes. These judges also receive a share of the prize pool as an incentive. The decision on how to reward severity escalations in a contest report is entirely up to the judge.\n\nIt's also worth noting that if you have concerns about potential centralization risks, you can report them, stating all your reasons, and let the judge make the final call. 
Additionally, if a team wins an audit but cannot claim the prize due to KYC issues, the matter will be addressed on a case-by-case basis.\n\nIn the unlikely event of dishonest practices, such as cloning white-hat reports or compromising C4's mail server, we have measures in place to ensure fairness and security, including revealing the findings to the project only when the contest is over.\n\nLastly, there is a penalty system in place for certain mistakes or errors, but no penalty had been applied in past instances if a vulnerability submission was a mistake on the warden's part. We strive to ensure fairness in all aspects of the contest and reward distribution.", "Question: What resources are available for beginners to learn about blockchain forensics analysis, smart contract auditing, and security?\n\nAnswer: At CodeArena, we acknowledge the increasing interest in blockchain forensics analysis, specifically regarding hacks and incidents in smart contracts. Here are some resources that can assist beginners in this field:\n\n1. For a general introduction to smart contract auditing, you can start with resources like [https://cmichel.io/how-to-become-a-smart-contract-auditor/](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and our very own [https://docs.code4rena.com/roles/wardens/tools-and-resources](https://docs.code4rena.com/roles/wardens/tools-and-resources). \n\n2. For those interested in smart contract bug bounty hunting, [https://cryptozombies.io/](https://cryptozombies.io/) is a good place to start learning solidity, and [https://capturetheether.com/](https://capturetheether.com/) offers Capture the Flag challenges.\n\n3. There are also tools for finding vulnerabilities and bugs in smart contracts, such as Mythril and Slither, which can be used to test contracts downloaded from Github.\n\n4. For those interested in understanding Geth node and Web2 security in the context of Web3, there is a need for further resources and study.\n\n5. 
To see how smart contract auditing is done in practice, you can review old audit reports at [https://chainsecurity.com/audits/](https://chainsecurity.com/audits/).\n\n6. If you're interested in learning math regarding solidity projects and how accountings are done, this YouTube channel can be a good start: [https://www.youtube.com/@smartcontractprogrammer](https://www.youtube.com/@smartcontractprogrammer).\n\nPlease note that while there is also interest in areas like machine learning for smart contract auditing and the application of DDOS attacks, these fields are still in their exploratory stages. It is also important to mention that while CodeArena primarily focuses on smart contract auditing, we also host contests for analyzing smart contracts and encourage our users to contribute to this growing field. For further learning resources, please visit our #\ud83c\udfebeducation channel on Discord.", "Q: What are the guidelines for submitting Gas Optimization reports in CodeArena contests, how are they evaluated, and what is the process for distributing bounties for such reports?\n\nA: Gas Optimization reports are an important part of CodeArena contests. Each participant can submit one report of gas optimization per contest, but can add more findings to the same report via the 'Your Findings' button on the contest page. \n\nFor gas optimization, only those points in the generated report are considered invalid, the rest are valid as per [Code4Arena's common issues guideline](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md). It's important to note that not all gas optimizations are valid when the optimizer is enabled, and it's recommended to ask for clarification in such cases.\n\nWhen submitting reports, the necessity to specify how much gas is saved with each optimization is typically based on the judge's decision. 
The reports are evaluated based on their quality, the accuracy of the findings, and the presence of a working proof of concept.\n\nThe bounty for gas optimization is distributed from a pool shared among the reporters, and is awarded based on the score of each gas report, as per CodeArena's [Curve Logic](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic) model. In a scenario where multiple people, including members of the same team, identify a gas optimization, the reward split is calculated using a formula present in CodeArena's [incentive model and awards guidelines](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs).\n\nIt's still worth submitting reports for 1-2 Low and 1-2 Gas issues. However, there's been some confusion about the handling of duplicates in QA and gas reports, and whether they affect the payout. As a rule, it's best to compile multiple similar findings into one report to avoid any issues being marked as duplicates.\n\nWe would like to clarify that gas optimization and gas reports are indeed the same. An example of a top QA/Gas report for reference can be found at [Code4Arena's reports page](https://code4rena.com/reports). \n\nRemember, you can encounter an error message when trying to submit a Gas Optimization report if one has already been submitted for that contest. So, ensure you compile all findings into one report before submitting.", "Question: What is the importance of including a Proof of Concept (PoC) when reporting a medium severity bug and what would be the potential consequences if it\u2019s not provided?\n\nAnswer: Providing a Proof of Concept (PoC) for reported bugs, including those of medium severity, is strongly recommended in our process at CodeArena. The absence of a PoC could potentially lead to a finding being disregarded unless the bug is glaringly evident, such as in cases of wrong parameters, typos, or code that does not compile. 
\n\nHowever, if the PoC for an issue is too large to be embedded directly in the report, it is acceptable to provide a link to it. This practice is well-known and implemented by many wardens. If the code for a test is lengthy, it can either be added directly to the report under 'Proof of Concept' or linked on a private repo on Github. More information about this can be found at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.\n\nAdditionally, the level of detail in the submission, such as the inclusion of a PoC and comprehensive coverage of the issue, can influence the award amount. Therefore, even for a precision-loss issue or a potential medium finding, a PoC that proves the case is always beneficial. \n\nIt's also worth noting that the severity of an issue can be upgraded if a good explanation of the finding is provided. However, if the severity is not clear, it's advisable to continue working on the PoC until it becomes clearer. \n\nWhen you submit a report, it is advised to include the issue, description, PoC (where necessary), and mitigation (where necessary). If you can't provide recommended mitigation steps, an explanation as to why it can't be feasibly mitigated should be included. \n\nIn the end, establishing trust between wardens and sponsors is essential, and a well-documented PoC can contribute significantly to that. However, be aware that a misuse of disclosed vulnerabilities can have serious implications. \n\nIn case of any concerns or issues with a report, don't hesitate to seek clarification from other wardens. Remember, it's not necessary to confirm findings with the project's developers before submitting them; it's up to the warden to submit a point thought to be a valid finding. 
In case of any confusion, refer to our submission policy here: https://docs.code4rena.com/roles/wardens/submission-policy.", "Q: How can I create a team, update its information, add members, and submit issues as a team on Code4Arena?\nA: To create a team, you can register on https://code4rena.com/register-team. If you need to update team information, add new members, or have problems creating a team, you will have to create a pull request (PR). If you have chosen a team handle, be sure to use it when submitting issues. Remember, PRs need to be approved by a member of the C4 team before they can be merged. If you encounter problems such as a blank page when selecting team members, you might want to try again later or open a help desk request at https://code4rena.com/help. If you want to start a discussion about managing teams or distributing rewards among team members, you can do so at https://github.com/code-423n4/org/discussions/43. Note that not all members need to participate in the same contest.", "Q: What happens if I misclassify a vulnerability's severity in my submission? What is the procedure if a low severity issue submitted in a QA report is judged as medium or high? \n\nA: Misclassifying a vulnerability's severity can have different outcomes, depending on the situation. If you submit a vulnerability as high severity and it turns out to be medium, you will still receive the reward for a medium bug as there is no penalty for such misclassification unless there's a reason to penalize it, such as it being incomplete, lacking detail, or not as accurate. If you submit a medium severity vulnerability and it's deemed high, it will be upgraded unless there are reasons to penalize. \n\nThe severity of a vulnerability (High, Medium, or QA) is often based on the potential loss caused by the issue. For instance, if all rewards can be lost, it's considered MED/HIGH. If there's a risk of losing some rewards, it's probably medium. 
If rewards are lost due to roundings (a negligible amount of rewards), it's probably QA. If the principal can be stolen without needing extra requirements, then it's probably HIGH.\n\nIn the case of a low severity issue submitted in a QA report being judged as medium, it will be eligible for medium rewards as per the guidelines on the Code4Rena help page: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum. \n\nHowever, it's important to note that judges have the ability to downgrade issues from medium to QA or upgrade items from your QA report if they feel the severity should be higher. Therefore, it's crucial to use your best judgement when evaluating the severity of an issue, relying on experience and considering both the potential consequences and likelihood of the vulnerability. \n\nIf no Medium/High vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve. Also, in case of a vulnerability finding regarding an external function with the transfer of ERC20 tokens without reentrancy protection, such finding may not be eligible for medium or high categorization and could be downgraded to QA unless a clear explanation of the exploit path is provided. \n\nLastly, if a contest's bot report ranks an issue as low but a participant escalates it to high, the submission is not automatically invalid. However, such submissions must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory. 
You can refer to this policy for more details: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.\n", "Question: What is the average timeline for the review and release of project findings after a contest on CodeArena?\n\nAnswer: The timeline for the review and release of project findings can vary greatly depending on the contest and the number of reports under review. Generally, the review process for reports starts immediately after a contest ends and includes a sponsor review, judge review, sponsor confirmation, judge's final report, and the announcement of the results. This process could take between 3-6 weeks on average, but can sometimes take as long as 8 weeks, especially with a high participation rate and complex codebases. After judging is complete and the results have been posted, the release of the report can sometimes take additional time because the CodeArena team needs to get the green light from the projects involved. The average turnaround time from audit competition to the release of reports is approximately one month, although efforts are being made to decrease this time. Please refer to our process documentation at https://docs.code4rena.com/structure/our-process for a more detailed breakdown of the timeline.\n", "Question: How long does it typically take for project findings to get reviewed and published after a contest ends in CodeArena?\n\nAnswer: The review and publication process for project findings submitted in a CodeArena contest can range from 2 to 8 weeks, depending upon several factors. The project findings are reviewed and triaged immediately after the contest ends, but they await sponsor review and final judging before being made public. The timeframe can vary based on the number of reports under review, the complexity of the code, the participation rate, and the speed of the sponsor review. 
Following the review, the results of the submissions can be seen once the report is published. Additionally, you might not immediately know if your findings are included in the final report. You can check inclusion once the report is published, which typically takes a minimum of a month after the contest ends. Note that once the judging is complete and the results are posted, the final report's release may sometimes take additional time as the CodeArena team needs approval from the projects involved. You can find more details on the review process here: [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors).", "Question: How does CodeArena prevent and handle potential insider extortion or misuse of disclosed vulnerabilities?\n\nAnswer: At CodeArena, we take the security and trust of our users very seriously. In order to prevent insider extortion or misuse of disclosed vulnerabilities, we have implemented several safety measures. \n\nFirstly, backstage access is no longer solely based on trust, but also involves Know Your Customer (KYC) and Non-Disclosure Agreement (NDA) procedures. This is to ensure that only verified users can access sensitive information and to legally bind them to maintain confidentiality. \n\nSecondly, we also have mechanisms in place to deal with potential instances of backstage privilege abuse. For instance, any reported misuse of early access to vulnerability submissions for personal gain is taken very seriously and appropriate action will be taken.\n\nLastly, we maintain trust between wardens and sponsors by allowing wardens to be paid for confirmed issues, and sometimes even disputed ones, to discourage any attempts at extortion. 
However, we are aware of potential conflicts of interest, such as sponsors hiding bugs, and are actively working to mitigate such risks.\n\nIn case of any issues, users have the option to report any suspected malicious activity, and these reports will be thoroughly investigated. If a violation is confirmed, such as a breach of the confidentiality agreement, strict actions will be taken according to our policy.\n\nWe encourage our users to be vigilant and proactive in maintaining the security and integrity of our platform. We understand that these measures might not completely eliminate the potential for insider extortion, but we are committed to continually improving our security measures based on the feedback and experience of our users.\n\nIn conclusion, we strive to create a safe, transparent, and fair environment for all users of CodeArena. Your trust in us is paramount, and we work tirelessly to improve our systems and processes to protect you.", "Question: How can I get my Warden profile update PR approved and what do I need to know about becoming a Certified Warden at CodeArena?\n \nAnswer: To get your Warden profile update PR approved, you will need to make a pull request to the _data folder on the CodeArena site repo. You can also edit your Warden profile, including adding a profile picture and a Twitter handle, through the profile editing screen on the CodeArena website. However, keep in mind that this feature is currently only available to those who were certified when warden profiles were introduced. If you have further inquiries or requests, you can contact the help desk at https://code4rena.com/help.\n\nTo become a Certified Warden, you must apply via the Certified Contributor Application form at https://code4rena.com/certified-contributor-application. After your application is submitted, you will receive feedback via email. 
If you are accepted and become a Certified Warden, you will be marked as \"Available for Hire\" on your profile, and you will have access to backstage, which allows you to observe the report submission and triage process. This, however, is only open to certified wardens with an established level of contribution. Additionally, there is a private channel for certified+ wardens to assist with various process-related tasks. For more information on becoming a certified warden, you can visit https://docs.code4rena.com/roles/certified-contributors. \n\nIf you believe you meet the criteria for '+backstage', you can submit a help desk request at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. Please be aware that there may be a wait for a Github organization invite to be sent to a certified warden. If you encounter any issues or have any concerns with a report, you can seek clarification from wardens. It's important to note that the certification process for a warden is completed after the provenance verification process, and the applicant will be informed about the status of their application.", "Question: How can I update or change my wallet address on Code4rena and how long does the process take?\n\nAnswer: You can update or change your wallet address on Code4rena through various methods. If you wish to update the wallet address that is used in a finding, you can do so by submitting a request through the Help Desk at https://code4rena.com/help after the finding has been submitted and before the reward payout. Your payment wallet addresses can also be updated within your user profile on Code4rena, or in the Manage Account section.\n\nIf you wish to change the wallet address you log in with, you can find instructions on how to do so at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. 
If you need to change your wallet address due to it being hacked, you can create a help desk request as long as you logged in via the same wallet. Alternatively, if you forget your registration wallet address, you can seek help at https://code4rena.com/help.\n\nDue to the complexity of changing wallet addresses, it is advised that participants only request a change if it is extremely important, like if the old wallet was hacked. The time it takes to process a wallet address change wasn't explicitly mentioned in the chat history, but for requests like profile picture changes, typically, they are addressed within a week. Please note that this is a rough estimate and actual processing times may vary.", "Question: What is the timeline and process for accessing and reviewing submitted findings in a contest?\n\nAnswer: Once a contest is underway, project teams are given access to the findings submitted by wardens through a private GitHub repo. Note, however, sponsors do not have access to this repository until the contest ends. Wardens and their teams can track and edit their findings in the \"findings\" tab next to the contest description till the contest deadline. Any findings not submitted before the end of the contest will not be eligible for review.\n\nAfter the contest closes, there is a period of review and triage done by the CodeArena team, the duration of which may vary with each contest. During this time, users' submissions are not publicly accessible and specific findings are not open to discussion. It's important to note that even though the findings are reviewed, they are not shared with anyone, including the project team and judge, until after this review period.\n\nAfter the review period, the findings repository becomes publicly available, but the specific timeline for this is not explicitly mentioned. 
Once the findings repository is public, participants can review why their submissions were not accepted by observing the discussion among sponsors and judges on the specific issue. However, a user can only view those findings that were submitted by them or their team until the final report is published.\n\nThe final report includes the findings that made it through the review and triage process. It's worth mentioning that findings submitted for contests may not always make it to the final report, and the reason might not be immediately known. Users are notified when these reports are published, which usually takes at least a month from the contest end.\n\nFuture plans hint towards allowing certified contributors to view submitted issues right after a contest closure and to comment or give input on these issues during the judging process. It is also planned to allow users to access their submissions for completed challenges on the concerned GitHub repo once the contest report has been published.", "Question: What should I do if I encounter issues while trying to submit my findings for a contest on the CodeArena platform?\n\nAnswer: Occasionally, there may be issues with the submission process due to form validation errors, intermittent glitches, or potential API limitations. Some users have reported problems with the 'Submit' and 'Create Issue' buttons not responding, or the submission form replacing the page with a purple screen upon clicking a dropdown. \n\nIf you encounter these or similar problems, here are some steps you can try:\n\n1. Refresh the page or try using a different browser.\n2. Try submitting your findings directly to submissions@code4rena.com if you are unable to use the submission form due to these issues.\n3. Check your email for a confirmation of your submission. If your submission was successful, you should receive a confirmation email. If the submission fails, the form should return an error.\n4. 
If you're trying to update your submission, there should be a \"Your Findings\" button on the contest page where you can edit your submission.\n\nPlease note that some users have reported a delay in receiving the submission confirmation email, and there may be a size limit on submissions which could lead to failed submissions. \n\nAlso, if you wish to remove a finding submission, this option is likely found under an 'edit' button. \n\nFinally, please be aware that if you make too many unsatisfactory submissions, there may be a risk of penalty. If you have any concerns or questions about this, or if you are unsure whether to submit something, we recommend reaching out to the team for guidance.\n\nRemember that addressing technical issues is a priority for us at CodeArena. For example, a potential fix for the submission issue has been proposed at https://github.com/code-423n4/code423n4.com/pull/2338. We greatly appreciate your patience and understanding as we work to resolve any problems you might encounter.", "Question: I'm facing problems creating a new PR (Pull Request) as I can't push a new branch. What is the procedure to resolve this issue?\n\nAnswer: If you're unable to create a PR due to issues with pushing a new branch, it could possibly be a permission issue. The process to resolve this and successfully submit your PR involves a few steps.\n\n1. To update team information or submit an issue that involves various lines changed, you need to create a PR.\n\n2. Your PR needs approval from either a member of your team or a C4 team member before they can be merged.\n\n3. If you're updating the maple-core repository, remember that the submodules may not update via public git due to a 'Permission denied (publickey)' issue. \n\n4. Upon submitting an issue, use your team handle. Team handles can be created by submitting a PR at https://github.com/code-423n4/code423n4.com/pull/28. \n\n5. 
If you have problems with the 'Create Issue' button, it's best to check if you're logged into the same GitHub account given for C4. \n\n6. If you're still unable to push a new branch, it could be because you have not received an invitation link to GitHub, despite being certified. To rectify this, you can request to be added to the backstage group on Github.\n\n7. If you're not already part of a team, you can submit a team request at https://github.com/code-423n4/code423n4.com/pull/28, and that should be all you need to add the team. Once a team's PR is merged, they can submit findings as a team.\n\n8. After your PR is successfully merged, review and make a pull request for your handle at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles to participate in contests.\n\nRemember, the exact process of submitting issues as a team is not clarified, so if you face any issues, feel free to ask for help in the Discord chatroom.", "Q: I'm having trouble creating a team on CodeArena through the site and adding members, can you guide me through the process?\n\nA: Sure, let's start with creating a team. You can create a team at code4arena.com/register-team. In case you come across any issues like a blank page appearing while trying to select members, it's recommended to try again on a different day as this might resolve the issue. \n\nAfter creating a team, you'll need to create a team handle by submitting a PR at https://github.com/code-423n4/code423n4.com/pull/28. This handle will be used when submitting your team's issues. You can see an example of how to do this at https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json. \n\nIf you're facing problems with adding members to your team, submit a help desk request. It's been noted that a team's PR needs to be approved by a member of the C4 team before it can be merged. \n\nNow, when you're ready to submit issues as a team, you can do so through a PR and use your team handle. 
If you're having difficulty with the 'Create Issue' button, it's been reported that sometimes it doesn't respond and no console errors are present. If this issue persists, please report it. \n\nIf you're having trouble with viewing the repo or submitting findings, please ensure your GitHub account is logged in and it's the same account you've provided to C4. In case you're not able to create a PR because you can't push a new branch, make sure that you're not having issues with permissions on the repository such as 'Permission denied (publickey)' issue.\n\nFinally, remember that all your team information can be updated by creating a new PR, as demonstrated here: https://github.com/code-423n4/code423n4.com/pull/3592. \n\nMake sure to have all your team requests accepted by someone from your team. In case of any changes in your Github user, these requests can be made and they'll be processed by our team. It's also important to know that if you're certified and haven't received an invitation link to Github, please let us know. \n\nRemember, the CodeArena team is here to support you, so don't hesitate to reach out if you encounter any issues during this process.", "Question: Can I submit multiple reports for a single project and how does this affect the payout, especially in the case of similar or duplicate reports?\n\nAnswer: Yes, participants can submit multiple reports for a single project. However, it's important to submit high-quality, accurate reports with a working proof of concept in order to be eligible for payouts. All types of accepted reports, from high-level security vulnerabilities down to gas optimizations, are eligible for these rewards.\n\nIf you submit two similar reports and one is marked as duplicate, it may affect the payout. The best report typically receives more money, and if a duplicate report does not surpass a certain quality threshold, it might not be awarded any payout. 
However, even duplicate issues may receive a partial reward, based on the quality and completeness of the report. More details can be found in our incentive model and awards section: https://docs.code4rena.com/awarding/incentive-model-and-awards\n\nYou do not necessarily have to be certified to submit a report, although certification is required to receive rewards. The reward for a successful report may be paid out partially or in full, and you'll need to wait for the payout once an award is received. Also, while you can use a new wallet address for your reports, the rewards will be distributed to the address used at the time of report submission.\n\nRemember that projects have already paid in full at the time the contest starts, so they have no financial incentive to hide reports. As a participant, you can review your submission and the reasons for its acceptance or rejection once the report is published and the findings repo is made public. \n\nPlease note that submitting more than 3 rejected reports in a competition will prevent you from getting any payout for that competition. Furthermore, automated reports are sometimes uploaded after starting contests, reporting gas optimizations.\n\nThe potential solution to avoid dishonest practices was proposed as revealing the findings to the project only when the contest is over. \n\nTo view all your submissions, visit the competition page and check the reports you submitted. After submission, you will receive a confirmation via email. If your report is accepted, USDC will start flowing into your wallet.\n\nLastly, while entering a contest, you do not have to submit all reports for high, medium, QA, and gas optimization. You can submit what you find. However, the best reports often receive bonus rewards. \n\nThis complex process is designed to ensure fairness and to incentivize high-quality report submissions. 
If you still have questions, don't hesitate to ask in our Discord channel.", "Question: How does CodeArena handle duplicate submission findings in a contest, and what role do judges and sponsors play in this process?\n\nAnswer: CodeArena addresses duplicate submissions by diminishing the value of a finding when more of the same findings are submitted during the open submission period. After a contest ends, the findings are reviewed by sponsors - they are the first to see these findings. Following the sponsor review, the findings proceed to the judges for review. Judges have the final say on the findings and they determine their severity, validity, and quality. Judges also decide whether a submission is a duplicate - an issue is often labeled as a duplicate when another similar report was chosen to be published in the client report, not necessarily because it was not the first one submitted. \n\nIf a sponsor doesn't fulfill their responsibilities, it complicates the judges' task as they have to identify duplicate submissions. Conversely, judges appreciate when similar submission issues are grouped together. Moreover, if an issue is tagged as \"sponsor-disputed\" but no explanation is given, participants can check for duplicates and ask the judge post-judging. If any finding is marked as invalid, participants will receive feedback from a judge.\n\nRegarding reports, they are reviewed and triaged immediately after the contest ends but they await sponsor review and final judging before being made public. Please note that if the same vulnerability is found in different components of the codebase, it might be considered as two separate findings, but it's ultimately the judge's discretion to determine if they're duplicates. 
\n\nFor more information on this process, please refer to https://github.com/code-423n4/org/discussions/50.", "Question: What measures are in place to prevent dishonest projects from exploiting vulnerability reports and affecting the payout for wardens?\n\nAnswer: CodeArena (C4) has implemented several safeguards to prevent such exploitation. Firstly, it's important to note that the project sponsors pay for the contest at the very beginning, hence they have no financial gain in hiding reports or acting dishonestly. \n\nMoreover, to ensure fairness, reports are unveiled to the project sponsors only after the contest ends. This prevents the misuse of disclosed vulnerabilities and the potential exploitation of the information by sponsors. It was also proposed that providing a link to a competitor of the project as a mitigation of an issue could serve as a deterrent against dishonest practices.\n\nIn order to maintain trust between wardens and sponsors, potential conflict of interest scenarios are taken seriously. For example, a sponsor hiding bugs in the codebase and reporting them in hopes no one else finds them is a concern that is looked into.\n\nIn the event of a dispute, the assumption is not always that the project is decent. C4 also has a process in place to deal with a source code leak, including the possibility of forking a project and deploying the same code. \n\nWhen it comes to awarding calculations, the best report will receive more money than other reports. If a duplicate report does not surpass a certain threshold, it might not receive any money. However, there are instances where duplicate reports were rewarded. If the same vulnerability is reported by multiple wardens, they each get the same share. \n\nIn case of potential scams or if a team wins an audit but can't claim the prize due to KYC issues, the matter will be investigated thoroughly. 
\n\nThe payout for vulnerability issues can be verified using polygonscan.com or wallet trackers like debank.com. The potential anonymity of users in cybersecurity spaces and on the bounty leaderboard is respected.\n\nIn the case of exceptional situations such as a hacker compromising C4's mail server, preventive measures are in place to deal with this. \n\nC4 encourages high-quality, accurate reports with a working proof of concept, all of which are eligible for payouts. Even if a finding breaks the protocol but no funds get stolen, it could still be classified as a high risk. If no Medium/High vulnerabilities are found, remaining contest funds will be divided based on the Quality Assurance (QA) report curve. Trust and fairness are essential in the C4 community, and all measures are taken to maintain it.", "Q: If I discover a vulnerability in an out-of-scope contract that could potentially impact an in-scope contract, can I report it? \n\nA: Yes, vulnerabilities found in out-of-scope contracts that may affect in-scope contracts should be reported. Although the final decision is up to the judges and sponsors, if the vulnerability poses a medium to high severity risk to an in-scope contract, it is likely to be accepted. When submitting such a finding, it's important to include a clear explanation of the exploit path, as well as any relevant proof of concept. If you've developed a POC script, include the link in your submission. You can report vulnerabilities either directly in the C4 report (where they may be included as unrewarded findings), or message the project directly. If you believe you\u2019ve found something and want to ask questions, you are encouraged to reach out to the sponsor team during the contest, but remember to submit the vulnerability via the contest submission form to be eligible for awards. If the vulnerability is confirmed by the sponsor via private messages, it could still count for submission, depending on the judges' decision. 
However, if the same vulnerability is found in multiple parts of the codebase, the judge will decide whether they are duplicates or separate findings. Lastly, if the vulnerability is discovered after the contest ends, it should be responsibly disclosed to the development team, but note that such vulnerabilities are not eligible for awards outside of the contest timeframe.", "Question: What are the guidelines and expectations when creating and submitting reports in CodeArena?\n\nAnswer: Reports in CodeArena can range from simple one-liners to more detailed evaluations. However, it has been observed that judges generally prefer more detailed reports than one-line summaries. An ideal report should include the issue, description, proof of concept (where necessary), and mitigation (where necessary) in a semi-professional format. You can use markdown or tools like hackmd for improving the presentation of the report, and it's also possible to include images or screenshots as necessary. \n\nFor code issues, it's recommended to compile all findings into one combined report if they are of the same category, such as all non-critical findings or all gas optimizations. For each category, you should aim to create one comprehensive report. You could separately list multiple ideas about gas optimizations or different reasons why a function won't work, but these should be merged into one report for each category. \n\nIt's acceptable and sometimes beneficial to include line numbers in code snippets, particularly for high-medium issues. Visual Studio's preview tool might help with this. It's also worth mentioning that the way you group your findings and format of your report can influence its evaluation.\n\nYou can submit an analysis report about the system even if you have no significant findings. This serves to provide advice on things to consider in the future of the project. 
The judges will decide which reports get featured in the client report, and there may be a bonus for each low finding selected for the report.\n\nFor more detailed instructions and elaborations, visit this link: [https://github.com/code-423n4/org/issues/21](https://github.com/code-423n4/org/issues/21)", "Question: How do I manage and modify my team membership on CodeArena?\n\nAnswer: To manage your team including changing members, you can navigate directly to the site. If you encounter difficulties with team management, particularly with adding or removing members, you may need to submit a help desk request at CodeArena (https://code4rena.com/help). In case of persistent issues, you might want to try again on a different day as some issues get resolved this way. \n\nIf you are interested in creating a team, you can do this at https://code4rena.com/register-team, and once you become a warden, you can access the team-formation channel for more information on team registration. It's worth noting that there have been reported issues with team registration visibility on user profiles, and sometimes a blank page may appear when selecting members during team creation. \n\nAlso, if you wish to change your team name, please be aware that you are required to create an entirely new team. This new team, however, would not inherit any leaderboard positioning from the previous team. To update any team information, you would need to create a PR. \n\nThere is no technical limit to the number of members in a team, so feel free to include as many members as you wish. However, keep in mind that once a participant joins a team, they are not obligated to always participate as a team. They can join and participate in the audits individually as well.", "Question: What is the \"LOC reference\" and how is it determined in the context of CodeArena's smart contract audits?\n\nAnswer: LOC or Lines of Code is a metric used to measure the amount of code in a particular contract or program. 
In CodeArena's context, we commonly refer to Source Lines of Code (SLOC), which is the number of lines of code minus the number of lines that are comments. This measure is used to gauge the size of a project or contest and assess the potential level of effort a scope will require.\n\nThe tool used to calculate LOC is 'cloc'. However, there have been instances where participants noticed a mismatch between the LOC mentioned in the README.md and the actual lines in the contract files. This highlights the importance of accurate LOC references.\n\nWhen referencing code in reports, participants often debate whether to leave direct links to the code on GitHub or to refer to a specific file and line number. It's also possible to reference another issue when submitting a second issue within the same context, thereby providing a comprehensive perspective of the code under review.\n\nIt should be noted that the calculation of lines of code can differ based on how comment lines are accounted for. Concerns have also been raised about the limited duration for the audit of larger projects, such as Maia, which has 12K Source Lines of Code (SLOC).\n\nFor more information about SLOC, you can refer to this [Google Search](https://www.google.com/search?q=SLOC+meaning&oq=SLOC+meaning). And for a view of our recent CodeArena report, please check [here](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations).", "Question: What is the recommended way to prepare and submit QA and Gas Optimization reports in CodeArena competitions, and how should different severity issues be handled in these reports? \n\nAnswer: Participants in CodeArena competitions are expected to submit two specialized reports: one for Quality Assurance (QA) and one for Gas Optimization. Each of these reports should ideally group all relevant issues together. 
\n\nFor QA reports, it's recommended to include all audit concerns, even those categorized as 'Lookout' findings, in a detailed Medium finding format (impact/Proof of Concept (POC)/mitigation, etc.). If a low issue/non-critical bug that also reduces gas is discovered, it should be included in the QA category and mention the gas savings. However, if the issue is only related to gas savings, it could be downgraded from QA to Gas. \n\nOn the other hand, all findings related to gas optimization should be put under one Gas report. \n\nMedium and high severity findings should be each submitted as separate reports. If you are uncertain about the severity of a finding, it is suggested to continue working on the POC until the severity becomes clear.\n\nThe best reports are focused on one specific issue, feature the project's code, have a simple to understand POC or specific example, and have a coded test that demonstrates the vulnerability. Each report should include the issue, description, POC (where necessary), and mitigation (where necessary) in a semi-professional report format.\n\nTemplates or guides are available on how QA/gas reports are supposed to look in terms of formatting. Examples of top QA/Gas reports from past contests can be found [here](https://code4rena.com/reports). \n\nPlease note that there is currently no intentional incentive for reporting QA type of submissions, as sponsors are more interested in high/medium/low severity vulnerabilities and gas optimizations. However, the level of detail in your submission, including the inclusion of a POC and comprehensive coverage of the issue, could influence the award amount.\n", "Q: I requested help for my Backstage application through the website but didn't receive a confirmation email. Can someone please check my application status?\n\nA: We acknowledge your request for Backstage application assistance. As per our policy, we review every help desk request and get back to our users in the next 1-2 days. 
However, please note that new backstage applications are currently paused and there is no clear ETA for when they will resume. Once the process is resumed, previous application requests will be reviewed. If you believe you meet the criteria for a backstage role, which requires being a certified contributor and possibly having over three medium findings, you can check your eligibility and continue to apply when applications are resumed. Kindly refer to our guidelines at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens for detailed information about the backstage role, its benefits, and how to apply for it. We appreciate your patience and will notify you once your request has been reviewed.", "Question: How are contest prizes distributed at CodeArena and what process do I need to follow to receive them?\n\nAnswer: Contest winnings at CodeArena are distributed in the cryptocurrency USDC over the Polygon network to your registered wallet address. Once your submission has been confirmed and the prize amount announced, you do not need to perform any action. You can expect the payout to be sent to your wallet within a week. \n\nIt's worth noting that the rewards are sent on the Polygon network, not the Ethereum network. However, if you want to bridge from Polygon to Ethereum and later withdraw USDCs on Coinbase, both Matic and Eth are needed if you're using the Polygon bridge. Alternatively, if you're using the Hop Bridge, you will only need Matic, but you will receive less USDC on the Ethereum Mainnet. You may require Matic (a cryptocurrency like Eth) to pay for the gas fees associated with transferring your awards to another wallet. However, free Matic can potentially be obtained at: https://wallet.polygon.technology/gas-swap/\n\nIf you are participating in a contest, remember to register your handle and ETH address. There is a field for the Polygon address when you submit your findings. 
After a contest ends, you may be asked to verify your identity to receive the payout. \n\nPlease note that there might be a delay in the distribution of rewards due to the use of multisignature wallets, which require signatures from multiple parties before funds can be released. The rewards will eventually be distributed via a smart contract once more pieces are in place. You can check the announcement channel for updates on distribution. \n\nIf you have any questions about how to exchange USDC on Polygon into another cryptocurrency, such as BTC, feel free to ask in the chat.", "Q: What happens if I submit a bug at CodeArena with a certain level of severity and the judges end up downgrading or upgrading its severity? Will my submission still count and will I still be eligible for a reward?\n\nA: If you submit a bug with a certain level of severity and the judges decide to downgrade or upgrade its level, your submission will still count and not be invalidated. The severity level of a bug is not the sole determinant of its validity. If a high severity bug you submitted is downgraded to medium or a low severity bug is upgraded to high severity, you will still receive a reward based on the judge's final severity judgement. However, it's crucial to note that submissions based on automated tools need to provide strong evidence demonstrating a relevant High or Medium severity exploit path to be considered satisfactory, as explained in CodeArena's submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). \n\nRegarding rewards, if a bug initially submitted as high-risk is judged as low-risk, a corresponding low-risk reward will be given, and vice versa. Similarly, if a bug submitted as medium severity is judged to be of high severity, it can be upgraded unless there is a reason to penalize it (such as it being incomplete, lacking detail, or not as accurate), and you will receive a high severity reward. 
\n\nHowever, submitting a high severity issue without a working code that demonstrates the impact may result in it being downgraded or deemed ineligible for awards. Also, while it is possible to submit a medium/high report without recommended mitigation steps, it would be beneficial to include an explanation as to why it cannot be feasibly mitigated.\n\nIf it happens that no Medium/High vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve. More details can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions). Currently, there is no penalty for incorrect medium/high submissions. However, if you submit a correct bug with an incorrect proposed solution, you can update your submission if the contest hasn't ended.\n\nIt's important to remember that the ultimate judgement rests with the judges, who have the authority to downgrade or upgrade the severity of your findings based on their analysis and assessment. Their grading criteria for quality submissions include: correct identification of the highest severity impact of the bug, making the case for the severity and validity chosen with evidence, and clear and understandable writing. \n\nIn a nutshell, ensure your submission is thorough, precise, and clear to maximize your chances of a satisfactory judgement and reward.", "Question: How can I participate as a warden in CodeArena contests and when can I discover the number of participants?\n\nAnswer: To participate as a warden in CodeArena contests, you need to register an account, sign up as a warden, and potentially undergo a certification process. The number of participants, referred to as wardens, in a specific contest is disclosed only after the contest ends, and some wardens may participate without submitting anything. 
\n\nCertain contests, like the \"vs contest\", may only involve a limited number of wardens (e.g., three), and these contests often run an RSVP process. The top performing wardens are prioritized for contests, and this is typically determined by their rank in recent contests or within a certain window. \n\nIf you're interested in participating in private contests, you need to be a certified warden, a process that involves participating in a certain number of contests and providing valid findings or reports. More details on this process can be found [here](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints). \n\nPrivate contests, like the PolynomialFi contest and versus contests, are often only open to certified wardens. Versus contests are typically invitational and competitive, providing access to a limited number of the highest performing wardens who RSVP. \n\nOnce contests end, certified+ wardens get earlier access to the findings repositories and can view other wardens' submissions, assisting with post-contest processes. \n\nThere are also opportunities to join contests as teams or groups; you can find information about registering a team [here](https://docs.code4rena.com/roles/wardens#registering-a-team). You can also check the leaderboard [here](https://code423n4.com/leaderboard/).\n\nFurther contest details, including potential RSVP processes, are available in the #\u270brsvp channel on the Discord. There is a consideration to create a page listing or linking to wardens, judges, and sponsors for each contest, but this is not confirmed yet.", "Question: What is the process and requirements for a digital nomad or a foreigner to become a certified warden at Code4Rena?\n\nAnswer: Yes, a digital nomad or foreigner can become a certified warden at Code4Rena. The first step involves completing an application at https://code4rena.com/certified-contributor-application/. 
The application process will involve Know Your Customer (KYC) procedures which are delegated to our partner Provenance.\n\nIn terms of identity verification, you may submit proof of identity, such as a passport, driving license or a certified copy of your identity, even if it's not in English. While proof of residence might traditionally involve presenting a utility bill, bank statement, or credit card bill, our process has been designed to have flexibility considering the unique circumstances of digital nomads. Therefore, you can alternatively provide a selfie or a bank account ownership as proof.\n\nAfter submitting your application, expect a KYC email within 2-3 weeks from compliance@provenance.company, which might end up in your spam folder. Always check there if you haven't received it in your inbox. \n\nOnce certified, wardens are eligible to attend private audits among other privileges, although there might be other requirements to meet. The complete details about the certification process, benefits, and constraints can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints and https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor.\n\nNote: The process might take a few weeks, and during this time, it's recommended to complete the Provenance's certified warden process if you're partway through.", "Question: What are the guidelines for submitting reports for high, medium, QA, and gas optimization when entering a Code4Rena contest?\n\nAnswer: Contest participants are not required to submit all reports for high, medium, QA, and gas optimization. Instead, they should submit what findings they have discovered. It is important to note that only one Quality Assurance (QA) report and one gas optimization report should be submitted per contest. These reports should ideally group together all related issues. 
\n\nFor gas optimization reports, all findings should be compiled into one report. Any additional findings can be added by going to the contest page and clicking the 'Your Findings' button. The level of detail required for these reports isn't as comprehensive as for high severity issues, but they should still be as detailed as possible. Examples of excellent reports can be found at https://code4rena.com/reports. \n\nPlease note that judges consider both quantity and quality of submissions when grading QA reports. A single item in a QA submission is unlikely to receive a high grade. More information on this can be found at the following links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n\nIn case no High/Medium issues are found in a contest, the rewards are divided based on Quality Assurance. Lastly, if a finding is originally submitted as low in a QA report, but the judges determine that it's a medium, it will be eligible for medium rewards as per [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nRemember, all reports, from high severity to gas optimizations, are eligible for payouts, given they are of high quality, the findings are accurate, and there is a working proof of concept.", "Question: Are sponsors flexible about what tooling is used to provide Proofs of Concept (PoCs)? 
For instance, can I use Foundry in a project that employs Hardhat, or even if the project uses Brownie for testing?\n\nAnswer: Yes, the sponsors are quite flexible concerning the tooling used for Proofs of Concept (POCs). A POC in the context of C4 does not necessarily need to be executable, so if you prefer Foundry, that should be acceptable. In fact, Foundry can be used in a project that employs Hardhat, and there is a base template for this integration which can be found at [this link](https://github.com/foundry-rs/hardhat-foundry-template). Furthermore, it's possible to write a project in Foundry even if the project uses Brownie for testing. \n\nKeep in mind that while Hardhat and Foundry can be used to generate gas reports and test smart contracts, they are not the only options. You may also consider tools like Truffle, or even fuzzing tools like Echidna, depending on the requirements of your project. \n\nIt's important to note that while PoCs can be submitted in code, they can also be submitted in plain English. If your Proof of Concept is too large to be embedded directly in the issue, you may provide a link to it. This could be a link to a public GitHub repository or even a link to a gist if the POC is very long. \n\nKeep in mind that if you are unable to provide a proof of concept for a medium severity bug, your finding might be disregarded unless the bug is extremely obvious. Hence, it's recommended to always write a PoC to be sure. \n\nLastly, please be aware that if you use automated tools for initial findings, there is a higher burden of proof for demonstrating to sponsors a relevant high or medium severity exploit path. More details can be found in [this discussion](https://github.com/code-423n4/org/discussions/50).", "Q: I'm new to auditing and having challenges understanding and installing the tools needed for studying audit reports. 
What steps should I take to build my skills and overcome these difficulties?\n\nA: Installation and understanding the tools for auditing can indeed be challenging, especially if you're new to the field. However, persistence is key in overcoming these obstacles. Here are some suggested steps:\n\n1. **Engage in Active Learning:** Participate in CodeArena's contests, especially those associated with Foundry. This will give you hands-on experience and a better understanding of the auditing process. You can check the contests by visiting our site [insert site link].\n\n2. **Reading Reports:** Cultivate the habit of studying past audit reports. Many successful auditors have emphasized the importance of this practice in understanding the audit process better. \n\n3. **Auditing Codebases:** Try auditing real-life codebases. This will not only help you build your auditing skills, but also help you understand the context in which audit reports are created.\n\n4. **Community Interaction**: Don't hesitate to ask queries about the findings of past projects, or engage in discussions on our Discord channel. You can also participate in private audits or distribute surveys to gather more knowledge.\n\n5. **Practical Experience:** Consider participating in the audit process, even if you're not successful in finding any bugs. The experience you gain from this process is invaluable.\n\nIn terms of installation, most old repos don't compile, so you might be better off forking from the repo on their GitHub and going from there. Stick with it, as installation is a common struggle for many. If you have further difficulties with specific courses or installations, you can create a help desk request explaining your issue. \n\nRemember, every contributor can become an auditor through multiple paths, one of which is reverse engineering and understanding old audit reports. 
So, keep pushing and soon you will find yourself at ease with the process.", "Question: How can I modify my profile details, such as my username, profile picture, Twitter handle, and the link associated with my username in the leaderboard/contest results on Code4rena?\n\nAnswer: To modify your profile details on Code4rena, you can only change your email, Discord, and Github usernames directly in your account settings. To change the other details, such as your username, profile picture, Twitter handle, and the link associated with your username in the leaderboard/contest results, you need to submit a help desk request. \n\nFor instance, to update your username or profile picture in the leaderboard/contest results, submit a request at https://code4rena.com/help with the new username or a link to the new picture. Similarly, to link your Twitter handle, include your Twitter handle in your request. \n\nPlease note that changes to the leaderboard/contest results link, profile picture, and Twitter links are not immediately updated as they need to be reviewed and approved by the developer team. In addition, changing your username may require creating a new registration/discord handle and starting over with the new name if you were on the leaderboard. \n\nWhile it's possible to change your username on Discord and have these changes reflected in your C4 account, it's advisable to confirm such changes through the Help Desk. \n\nLastly, remember that you can't transfer leaderboard standings and submissions under a previous username to a new account. \n\nAs always, your feedback is valuable to us. 
Feel free to share ideas on improving our website, leaderboard systems, contest processes, and Discord setup through our suggestion box.", "Question: How can I resolve installation and setup issues I'm experiencing on Windows, especially related to the software 'Yarn' and Foundry?\n\nAnswer: For installation and setup issues, we highly recommend switching to Ubuntu 20.04 which runs on windows via WSL2. This method has been found to be particularly effective in dealing with issues associated with Windows. \n\nIf you're having problems with the software 'Yarn', common solutions include checking for potential permission problems, ensuring proper installation or reinstalling the software. In some cases, you may need to run specific commands such as `forge i` to install dependencies.\n\nWhen it comes to setting up and running contests, you can try commands such as 'npm install foundry' to set up the contest. However, please note that setting up the environment for contest repositories can be time-consuming due to multiple interrelated contracts and limited documentation. Therefore, persistence is encouraged. \n\nIf you're trying to install Foundry with Docker and encounter errors, it may be beneficial to seek technical help in our Discord server or check through past discussions for possible solutions.\n\nRemember, when reviewing downloaded packages from a sponsor, you should consider system isolation for safety. VirtualBox has been suggested as a possible solution for this.\n\nLastly, it's worth mentioning that if you're facing difficulties understanding certain code instances or dealing with specific coding courses due to lack of development background, it's advisable to make a single report and reference related issues in it. It's also good practice to check the sponsor's GitHub for a potential test setup or pull out the code to test it in isolation, particularly if there's no test setup in the C4 repo. 
\n\nPlease, don't hesitate to ask for help on the Discord server if you're still facing difficulties after trying these solutions. We're here to help!", "Question: How is the attribution and matching of the findings ids in the findings.csv file managed in CodeArena and what is the best way for me to review my findings?\n\nAnswer: The attribution of the findings IDs in the findings.csv file is indeed at the discretion of the judges. During the final report release, the issue numbers will match with the entries in the findings.csv file. If there appears to be a discrepancy, like an extra entry, it could indicate that one finding was invalidated or deemed a duplicate. \n\nIf you're looking to review your findings, you can refer to the data folder in the findings repo. The JSON files in that folder are named as [warden-handle]-[issue number], from which the issue numbers can be used to directly look up the findings. You can also refer to the 'findings.csv' file, which includes all wardens and their deduplicated findings. This file is available at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv. \n\nIn cases where you want to modify or add to your findings, there should be a \"Your findings\" button. You can also track the status of your reports and see and edit your findings on the \u2018findings\u2019 tab next to the contest description.\n\nRemember, the order of reported issues doesn't necessarily follow the submission timeline. Judges pick the primary issue based on the quality of the write-up, not the submission order. So, always make sure to provide high-quality submissions. \n\nIf you disagree with a judge's decision regarding the validity of your submitted findings, there is an appeal process as detailed in the documentation at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision. 
\n\nSo, make sure to keep these points in mind while reviewing or submitting your findings in CodeArena.", "Question: How are user-induced bugs in smart contracts handled and evaluated in terms of severity during audits, especially when the bug affects other contracts?\n\nAnswer: User-induced bugs, which rely on errors in interaction with a smart contract, can still be considered valid during audits. However, such bugs typically do not carry the same severity as those not requiring a user mistake. Judges play a key role in determining the severity of these bugs. If a bug in a contract is within the audit scope, but its impact extends to another contract that is out of scope, the judge may also consider this impact in their evaluation. \n\nHowever, the acceptance of such bugs and the evaluation of their severity are decided by the judges and sponsors. If the severity is not immediately clear, we recommend providing a Proof of Concept (PoC) to solidify your findings. Keep in mind that setting an incorrect severity could lead to a penalty. In some cases, if the bug affects an out-of-scope contract, it can still be reported but may not be rewarded. \n\nIn the context of a user-induced bug, an example of a potential risk is a ransom attack where an attacker takes ownership of an uninitialized contract and demands a ransom to release it. For such reasons, it is crucial to write tests to verify the validity of a bug. Tools such as Slither can be used for static analysis of smart contracts to find vulnerabilities and bugs. \n\nIt's also important to note that automated tools alone may not be sufficient for finding all vulnerabilities, which is why manual audits of smart contracts are still necessary. In some cases, a vulnerability report without a PoC might be disregarded unless the issue is extremely obvious, such as a wrong parameter, typo, or code that doesn't compile. 
\n\nIn summary, while user-induced bugs in smart contracts can still be considered valid, their severity and acceptance largely depend on the evaluation by judges and sponsors, the extent of their impact, and the provision of a PoC.\n", "Question: If I started participating in contests since June, am I still eligible for any token airdrops and other rewards?\n\nAnswer: No, unfortunately, participants who started joining contests since June are not eligible for any token airdrops. The eligibility for token airdrops would have required participation to have started in 2021. However, there are other rewards that you may be eligible for. Contest rewards are typically transferred once per month, typically at the beginning of the month to your registered wallet address. You don't need to be KYC'd or certified to receive rewards from most contests unless it is explicitly stated in the contest requirements. More information on this can be found at: https://docs.code4rena.com/roles/certified-contributors. Furthermore, some contests might require KYC to receive prizes, and the form can be found at the same link above. \n\nPlease keep in mind that certain contests do require certification for payouts if any submissions are awarded. Once you are certified, you gain access to more contests. If a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week. There are also private contests and your eligibility depends on certain metrics or prerequisites. Current ongoing contests can be found by checking the respective platform, or you can seek information from our team which is regularly in contact with various projects about upcoming audits.", "Question: I have previously submitted a QA report for a contest, but I've found additional issues that need to be included. How can I update my report?\n\nAnswer: You absolutely can update your QA report even after its initial submission. 
To do so, navigate to the contest page and select the \"My findings\" option. This will lead you to the \"Findings\" tab where you can edit your current QA issue submissions. \n\nRemember, all QA and gas reports should ideally be combined into a single, comprehensive report per contest. For example, one report for gas and one for QA. If you've found additional errors after your initial submission, you can include them in the existing submission. \n\nFor different types and severity of bugs found, you're encouraged to make separate submissions. However, medium and high severity findings should be submitted as separate reports. For low-risk or non-critical issues, it is acceptable to combine all occurrences of the same issue into one report. \n\nIf you encounter any problems or need further assistance during the process, feel free to fill out a help form at: https://code4rena.com/help.\n\nPlease note, it's possible to edit a submitted QA report up until the audit deadline. After submitting, it may take some time to receive a confirmation via email. If your submission fails, the form should return an error message.\n\nWhen in doubt about how to submit findings or whether to group issues together or list them separately, it's advisable to opt for clarity and detail. More information is typically better than less in these scenarios. \n\nTo give you an idea of what a high-quality submission looks like, you can check previous reports on Code4Arena. Just remember, the results of submitted bugs are only revealed once the report is made public.", "Question: What is the name of the lowest level of reported vulnerability in the CodeArena system that isn't a gas optimization, and how does it relate to QA?\n\nAnswer: The lowest level of reported vulnerability in the CodeArena system that isn't a gas optimization is referred to as \"Low.\" This term, along with \"Non-critical,\" falls under the broader category of \"QA\" (Quality Assurance). 
The QA category encompasses a variety of findings, including those that are non-critical, those that reduce gas usage, and those that require refactoring. However, it's important to note that issues solely related to gas savings could be downgraded from QA to Gas. \n\nIf an issue is discovered that is a low issue/non-critical (QA) bug that also reduces gas, it should be reported under the QA category, with the gas savings mentioned. It's also worth noting that findings that are initially submitted as low in a QA report but are later determined by judges to be of medium severity, will be eligible for medium rewards, as per CodeArena's guidelines.\n\nIn terms of grading QA and Gas reports, the number of issues reported doesn't necessarily determine the grade. Rather, judges consider both the quantity and quality of submissions when grading QA reports. For instance, a report could have one good issue and be graded 'B', or it could have multiple low-impact issues and still be graded 'C'. \n\nWhile there is currently no intentional incentive for reporting QA type of submissions, should no Medium/High vulnerabilities be found, the remaining contest funds are divided based on the QA Report curve. \n\nFor more information on the grading of QA reports, you can refer to the following links: \n- [Judging Criteria for QA Reports](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n- [Incentive Model and Awards for QA and Gas Optimization Reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports) \n\nRemember, when submitting reports, they should be specialized, with QA findings and gas findings submitted separately. 
When submitting Medium and High severity findings, these should each be submitted as separate reports.", "Question: Can you tell me more about the token airdrop for Code4Arena and how I can obtain ARENA tokens?\n\nAnswer: Yes, Code4Arena did have a token airdrop, but it took place quite some time ago. As for obtaining ARENA tokens now, one way is by participating in audit contests or by receiving them as rewards, which are distributed by the CodeArena team. The process of distribution isn't conducted via a smart contract. If you need assistance with rewards distribution, you can submit a Help Desk request here: https://code4rena.com/help/. The contract address for obtaining ARENA tokens is 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222. However, please note that there is no token staking for the ARENA token. For more detailed information, refer to the CodeArena's documentation page or the help desk.", "Question: What is the difference between Low and Non-critical vulnerabilities in the context of Code4Arena's auditing process?\n\nAnswer: Low and Non-critical vulnerabilities are two types of issues identified during the auditing process. Both are categorised under the Quality Assurance (QA) level and have a quantifiable impact on the code, but they differ in terms of severity. \n\nLow vulnerabilities, also dubbed as \"QA\", refer to the smallest level of reported vulnerability that isn't a gas optimization. These vulnerabilities have an impact on the code and could potentially affect functionality if not addressed. \n\nOn the other hand, Non-critical vulnerabilities, also referred to as \"NC\", are essentially deviations from best practices. 
These vulnerabilities do not have a damaging impact but reporting them is incentivized as they offer value to the sponsor and help strengthen the overall code quality.\n\nIt is important to note that while both Low and Non-critical vulnerability findings contribute to the QA report, the current focus is more on high, medium, and low severity vulnerabilities and gas optimizations. There is no direct incentive in the awards system for reporting non-critical findings, but it's considered beneficial for the sponsors. \n\nWhen a vulnerability is reported, its severity is determined based on the impact it has on the code. For instance, a High or Medium risk vulnerability would typically have a larger impact, requiring test codes as proof of concepts. If a vulnerability is found but its resolution requires major changes to the protocol, it can still be reported, and while recommendations are appreciated, they aren't mandatory.\n\nFurthermore, the average award pot for low or non-critical vulnerabilities in contests is typically 10% of the total prize pool. If no medium or high vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve. \n\nWhen assessing the severity of a vulnerability, it's crucial to consider both the consequence and likelihood of exploitation. High consequences generally involve sizeable fund loss or other severe consequences and don't require pre-conditions. 
Medium consequences usually have lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness.\n\nMore details on estimating risk and categorization can be found on Code4Arena's Judging Criteria page: https://docs.code4rena.com/awarding/judging-criteria#estimating-risk", "Question: What is the policy regarding findings mentioned in the \"Known Issues\" section of a contest, and how is it related to the contest's eligibility criteria?\n\nAnswer: If an issue is mentioned in the \"Known Issues\" section of a contest, it is generally considered out of scope and is likely to be disqualified. These known issues are typically results from the automated c4udit tool and are excluded from the contest's scope because they are already known findings. Each contest's Readme Page has a section titled \"Known Findings\" where these known issues are listed.\n\nHowever, if a low severity finding from the automated bot report is escalated to a high severity, it doesn't automatically become invalid. You can find more information about this in our submission policy at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.\n\nPlease also note that the \"C4 output\" for the contest, which includes issues reported, is available within an hour of the contest opening. However, reports that appear to be copy-pastes or use the same underlying risk may be deemed out of scope or already known.\n\nIf your finding is labeled as \"sponsor-disputed\" but there is no explanation provided, you can check for duplicates and ask the judge after judging. If you've submitted issues for a contest but did not make the award list, it's likely that your issues were rejected, which you can confirm by reviewing the available report.\n\nRemember to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid when submitting an issue for any contest. 
You can also edit your submitted security findings for a contest.\n\nFor queries about how to find which findings of a contest were rejected and why, as well as how to view others' findings after a contest finishes, monitor the backstage channel for the post-judging stage of the concerned contest. If you are experiencing any issues during the submission process or if you want to withdraw a finding, this can be done under \"your findings\" on the contest page.\n\nLastly, please refrain from discussing specific findings until the report has been posted for the contest in question. And always remember, the findings listed in the best bot-generated report will be out of that contest's scope.", "Question: What are the advantages of being selected for a primary issue in CodeArena?\n\nAnswer: The primary advantage of being selected for a primary issue in CodeArena is the potential to receive a bonus. Only the issues selected for the client report, including the primary issue, are eligible for bonus rewards. The primary issue is picked by the judges based on the quality of the write-up, not the order of the submission. This system is designed to incentivize high-quality submissions. If your submission is marked as a primary issue, it will be used as a reference to cluster duplicate issues around it. However, it is important to note that if more than one warden finds the same issue, the reward for that issue is distributed among them. Therefore, the uniqueness of your finding is another factor that can affect your reward. 
For more details on the reward distribution and grading system, refer to CodeArena's official documentation at https://docs.code4rena.com/awarding/incentive-model-and-awards and https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic.", "Question: How are findings processed in a contest at CodeArena and what happens if they are marked as invalid?\n\nAnswer: After the submission of findings in a contest at CodeArena, they are reviewed by judges who decide on their severity, validity, and quality. The judges are expected to provide feedback on the findings, particularly those marked as invalid to aid participants' learning. If a finding is classified as invalid, it is disqualified from the contest. Reasons for invalidation can range from the finding being a duplicate, already listed in the known issues section of the contest, or not meeting quality standards. \n\nParticipants can check their submissions and make modifications, even replacing their reports with \"withdrawn\" to invalidate a finding. They can also appeal against a finding being classified as invalid following the process detailed at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision. \n\nPlease note that valid findings that are non-critical, such as the presence of \"Open Todos\" or the \"use of Block.timestamp\", are not rewarded. The final report for a contest doesn't include participants whose submissions or findings are not accepted. \n\nFor more information on which findings were rejected and why, or to view others' findings post-contest, participants can refer to the findings report repositories. The location of these repositories can be found in the chat. Remember, findings that are not submitted before the end of the contest will not be eligible.\n\nPlease also note that there is a rewarding formula for findings of different severity and a change in finding count value in the case of partial credit. 
For each contest, the Readme Page has a section titled \"Known Findings\" where automated findings not accepted in the contests are listed.", "Question: What are the potential risks and implications of an uninitialized smart contract in a system and how do they impact the security of the overall smart contract system?\n\nAnswer: An uninitialized smart contract can pose several risks to a system. The most significant is that the contract could be subject to a ransom attack, where an attacker takes ownership of the uninitialized contract and demands a ransom to release it. This uninitialized state can also be exploited if someone stumbles upon it, possibly with malicious intent. For example, if a user tries to front-run 'less contract literate' individuals by interacting with the contract outside of the web UI, the contract could be exploited for personal gain. \n\nHowever, it is important to note that a vulnerability that relies on a user making a mistake in their interaction with the contract may not have the same severity as one that does not. Judges, in general, determine the severity of a bug in a smart contract, and vulnerabilities affecting a main contract, even if found in an out-of-scope contract, should be reported. \n\nConcerns have also been raised about potential DDOS attacks on smart contracts and the risks of depositing funds in an uninitialized contract. Even a medium vulnerability in smart contracts like missing a zero address check can lead to loss of funds. \n\nEven though automated tools may report vulnerabilities, smart contracts are still audited by humans because they offer a more comprehensive review of the code and can detect complex vulnerabilities that automated tools might miss. \n\nIn conclusion, initializing smart contracts is a fundamental step in securing a smart contract system. 
Any potential vulnerability in a smart contract, uninitialized or otherwise, can be reported, and the severity of it would be evaluated by trained judges.\n\nRelevant Links:\n[Code4Arena Fractional Report](https://code4rena.com/reports/2022-07-fractional#h-01-vault-implementation-can-be-destroyed-leading-to-loss-of-all-assets)\n[Code4Arena Canto Report](https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address)\n[TrailOfBits Hermez Audit](https://github.com/trailofbits/publications/blob/master/reviews/hermez.pdf)", "Question: Can I use markdown formatting, such as code blocks and images, in my Issue titles and report submissions on CodeArena?\n\nAnswer: Yes, you can definitely include markdown formatting in issue titles and report submissions. Markdown formatting is an excellent tool to improve the presentation of your reports. Code can be formatted in the submission issue form using markdown, and you can also include links and images. \n\nIf you're unsure of how to format your report, users find it helpful to create issues in Notion, format them, and then copy-paste the formatted text when submitting, as it maintains the necessary markdown formatting. \n\nFor code referencing, it seems there's no strict rule whether to leave direct links to the code on GitHub or to refer to a specific file and line number. Both methods can be used according to your discretion. \n\nIf you are including images, the guidelines for doing so can be found here: [Markdown Guide for Images](https://www.markdownguide.org/basic-syntax/#images-1). \n\nTo include code blocks, follow the instructions here: [Creating and Highlighting Code Blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks). \n\nRemember, the submission form on Code4rena supports markdown for formatting text. 
However, please note that markdown preview may not properly display lists when submitting issues. This only affects the preview and not the final submission. \n\nFinally, if you choose to write your QA/gas reports directly into the submission form without using any special formatting tools, that's perfectly fine. The key is to ensure that your report is clear, concise, and easy to understand.", "Question: Can I appeal a finding submitted in the Nouns DAO contest that wasn't accepted in my QA report and is there a way to upgrade this from a QA issue to a medium or high issue?\n\nAnswer: If you have submitted a finding as part of your QA report in a contest such as the Nouns DAO contest, and it wasn't accepted, there is indeed an appeal process in place for your situation. You can find more information about this process at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision. \n\nIn terms of upgrading your issue from a QA report into a medium or high issue, there are guidelines available at https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum. Here, it is confirmed that if a finding is submitted as a 'low' in your QA report but the judges determine it's a 'medium', it will be eligible for medium rewards. \n\nYou can also update your QA report by selecting the \"My findings\" option on the contest page. However, it's worth mentioning that the level of detail in your submission can influence the award amount. Including a Proof of Concept (PoC) and covering the issue in as many aspects as possible can improve your chances. \n\nLastly, remember that if a QA issue is submitted, a judge can elevate its severity to medium or high if necessary. 
Therefore, even if you initially classify it as a QA issue, it can potentially be considered a more severe issue based on the judges' assessment.", "Question: I am experiencing issues with Yarn, including potential permission problems and wrong installation. How can I resolve these problems?\n\nAnswer: The issues you are experiencing with Yarn might be due to an incorrect installation or a permission problem. One common solution to this kind of issue is to delete and reinstall Yarn. \n\nBefore reinstalling Yarn, ensure that you've properly uninstalled it first. After uninstalling, reinstall Yarn by following the correct installation procedure for your operating system. After the installation, try running your action again.\n\nIf you continue to experience difficulties even after reinstalling, it's recommended to check for dependencies that may need to be installed. These dependencies might be necessary for the proper functioning of Yarn.\n\nIf you're still facing problems, you can post your issues in a specific format using the tool available at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers. This would help us better understand your issue and provide you with a more accurate solution. \n\nAlso, for participants who need a more visual guide to solve similar issues, a Loom video is being created to show how to set up the environment and address common problems. \n\nRemember, you're not alone in this. There are discussions concerning difficulties with code compilation and requests for technical help across our Discord server, where you can learn from other users' experiences and solutions. \n\nKeep in mind that these solutions may not always be applicable to your specific problem. If you're unable to resolve the issue on your own, don't hesitate to reach out for further assistance. 
We are here to help!", "Question: What does the \"Verified Contest\" in the #rsvp channel signify and how can I participate?\n\nAnswer: The term \"Verified Contest\" in the #rsvp channel could have been posted erroneously. Generally, contests are announced in the appropriate channels. Public contests are typically announced in the #\u270brsvp channel, which is accessible via this link: https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784. You can participate in these contests by reacting to the message in the #\u270brsvp channel.\n\nPrivate contests, on the other hand, are exclusive to certified wardens and are announced in the #\ud83d\udd96rsvp-certified channel. You need to be a certified member to participate in these contests. Qualifications for becoming a certified member are outlined in the same channel. After certification, you can RSVP for private contests and secure a high position on the leaderboards of the past 90 days to increase your chances of participating. \n\nPlease note that some contests are open only to those who participated in the original audit. Also, the company organizes RSVP contests and updates about them can be found on the RSVP channels. For news on contests for non-KYC participants, it's best to monitor the #\u270brsvp channel. The contest details are available for wardens to decide whether they want to compete and future contests may require an RSVP. \n\nRemember, top tier projects can suddenly appear in the #rsvp channel, and the number of contests on CodeArena can sometimes decrease, which is considered normal. We also have a participation reward for a formal verification contest. 
Keep an eye on the #\u270brsvp channel for updates on new contests, bot registrations, and future qualifiers.", "Question: What is the criteria for a report to be selected in a CodeArena contest and how are rewards for submissions, particularly gas optimizations, determined?\n\nAnswer: The selection of a report in a CodeArena contest and the reward allocation is a multi-faceted process. The time of submission does not influence this process. Judges assess both the quantity and quality of reports, with a focus on accuracy, quality, and the provision of a working proof of concept. Primarily, they grade reports into A, B, C categories based on their quality and gas savings, with grade A and B reports receiving rewards. \n\nFor gas optimizations, only one report can be submitted per contest and it must be separate from the Quality Assurance (QA) report. However, you can add more findings to this report by going to the contest page and clicking the 'Your Findings' button. Bonus rewards are often given for the best reports. \n\nOnce a contest is completed, reports are reviewed and triaged by judges, then go through sponsor review, final judging, and QA before being made public. If a submission is not rewarded, participants can review why their submission was not accepted once the report is out and the repository is fully opened. \n\nRegarding rewards for gas optimizations, they are divided among reporters based on the score of each gas report. The best report or those with the highest quality and quantity will receive more money than other reports. However, if a duplicate report does not exceed a certain threshold, it might not be rewarded.\n\nIt\u2019s also worth noting that all types of accepted reports from high level down to gas optimizations are eligible for payouts, provided they meet the high-quality standards set by CodeArena. 
For a deeper understanding of this process, reference links are provided: [Link 1](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical), [Link 2](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports), and [Link 3](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic).", "Question:\nWhen can we expect the announcement of rewards for the various CodeArena contests like Olympus, Enso, Biconomy Hyphen 2.0, and others? Why are some rewards still pending even after the contest has finished?\n\nAnswer:\nThere is typically a process in place after the contest ends before the rewards can be distributed. This involves the review and triage of reports or findings, sponsor review, and final judging. The timeline for publishing contest results and distributing rewards largely depends on the time taken for this process. The team aims to process and distribute multiple contest rewards by the end of a specified week. However, it's important to note that in some cases, rewards may be pending after a contest has finished for reasons that are not always publicly specified. \n\nFor specific contests like the Biconomy Hyphen 2.0, the audit results are currently under review and are expected to be published in the coming weeks. Updates on LPT and INS awards, as well as Marginswap awards and results, are also expected soon. As for the other contests, there are several pending, some of which have been fully judged but the awards are still being calculated. \n\nOnce the announcement is made and the leaderboard is updated, the rewards are sent. However, the final report of the contest may not immediately appear on the CodeArena site. Participants are advised to wait until the full public report is published before doing a write-up of some issue or bug found on a project. Changes to the award calculation process are currently underway which could also impact the announcement timeline. 
\n\nIt's also worth noting that there have been instances where rewards for a contest have not yet been paid out to participants. In case no issues are found in a contest, the treatment of the sponsor reward pot is also a subject of interest, but these details are yet to be clarified. \n\nWe continue to strive for transparency and timely updates. For more information, participants are encouraged to keep an eye on the CodeArena site and chatroom for the most recent updates and announcements.", "Question: Is CodeArena planning to host an event at Devcon and what other activities does CodeArena typically engage in?\n\nAnswer: Yes, CodeArena is planning to host a party at Devcon, which you can learn more about [here](https://twitter.com/code4rena/status/1577405876952272896?s=21&t=YjWD5aNJCZKKN9jXrRDh7A). In addition to hosting parties at major events, CodeArena is also actively involved in various activities such as organizing audit contests for which specific details can be found in the #\u270brsvp channel on our Discord. The list of upcoming contests is regularly updated on the CodeArena website which you can check out [here](https://code4rena.com). We also participate in events such as ETH.NYC or ETH.Denver with our growth team. \n\nWe are considering hosting Rust contests in the future and have both private and public contests currently active. The details of our collaborations with different protocols can be found [here](https://code4rena.com/contests). Reports resulting from these contests are submitted by participating teams. CodeArena encourages participants to reach out to the sponsor team during the contest if they have questions or if they've discovered a vulnerability. \n\nWe also have an application process for becoming a certified contributor at CodeArena. Interested individuals can apply [here](https://code4rena.com/certified-contributor-application). 
Our operations include an aspect similar to a bug bounty platform where prize pools and fees are defined upfront. \n\nAdditionally, we announce awards for specific contests and results of previous contests can be found on our website. We also record our office hour sessions and upload them to YouTube. For latest updates, you can subscribe to our newsletter or follow our announcements channel on Discord. \n\nLastly, we have policies in place for team operation on CodeArena, including guidelines on how prizes are split and how reports are submitted. All CodeArena-related activities are expected to be conducted in a timely and professional manner.", "Question: What is the process of fund distribution among ranked findings and team members in Code4rena? \n\nAnswer: At Code4rena, the distribution of funds among ranked findings involves several concepts such as \"score\", \"pie\", \"split\", and \"slice\" referred in the findings file, as per the C4 documentation. Each team has the discretion to determine how to split their portion of the contest reward among themselves. In cases where a team submits a single finding, one payment is issued and the team decides how to distribute that money among its members. Even if multiple people, including team members, identify a single finding, the reward is distributed according to a formula available in the documentation. \n\nIn situations where multiple wardens find the same issue, the best report generally receives more money and duplicates below a certain threshold may not receive any money. The grading system, which categorizes submissions into grades A, B, C, and the differences between \"primary issue\" and \"selected for report\", also plays a significant role in determining the fund split. 
The entire findings repo is publicly available for more details.\n\nMore information about the incentive model, including gas optimization awards, non-critical findings, low-risk findings, and their average payouts can be found in the findings.csv file on the C4's website repository and on the documentation page: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic.\n", "Question: How is the reward for gas optimization distributed among wardens in CodeArena, and how does the 'curve logic' work in determining these awards?\n\nAnswer: The reward for gas optimization in CodeArena is distributed from a separate pool shared among the reporters. The distribution is based on the score of each gas report, determined by the 'curve logic'. This method of award calculation is outlined comprehensively in the CodeArena documentation, where a table with an overview of the rewards and a formula for calculation in case of multiple reporters is provided. \n\nIn a scenario where multiple people (sometimes even from the same team) identify a gas optimization, the reward split can be calculated using the formula mentioned in the documentation. The highest quality report typically receives more money, and duplicates below a certain threshold might not receive any reward. If two people submit the same issue using the same warden but different wallets, each person gets less than half of the reward. \n\nThe quality of the report influences the reward as well, and reports that cover the issue in as many aspects as possible, including a Proof of Concept (PoC), will likely receive a higher award. For gas optimization reports, awards are divided into grades A, B, and C, based on their quality and the amount of gas saved. Only grade A and B reports receive rewards.\n\nIn terms of gas savings, you need to specify how much gas is being saved for each optimization, the judgement of which is based on the judge's decision. 
For instance, the award for gas optimization reports is usually 5% of the prize pool, but this percentage can be altered by sponsors based on the importance of gas savings to their project. \n\nIt is also important to note that the rewards are not distributed immediately due to the use of multisignature (\"multisig\") wallets that require signatures from multiple parties before funds can be released. However, it is expected that the awards will eventually be distributed via smart contracts once the system is fully established. An example spreadsheet is provided in the documentation for further reference and understanding. \n\nFor more detailed information, please refer to the following links:\n- Gas optimization awarding policies [here](https://docs.code4rena.com/awarding/incentive-model-and-awards)\n- Curve logic [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic)\n- Example spreadsheet [here](https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0)\n- Submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy)\n- Audit contest reports [here](https://code4rena.com/reports)", "Question: I'm new to CodeArena and I've encountered an error while auditing a smart contract. I've reported the issue but I'm unsure about its severity. Could you guide me on how to fix potential errors and proceed after reporting an issue?\n\nAnswer: Absolutely, at CodeArena, we aim to help our users in every way possible. If you've encountered an error, one way to attempt to fix it is to ensure you have all necessary dependencies installed. For certain software issues, reinstalling the software might help, for instance, reinstalling 'Yarn' has proven to fix some users' issues. \n\nIf you're auditing a smart contract and find a vulnerability, we suggest treating each occurrence of the same bug appearing in multiple places separately. 
If your error is specifically related to missing imports on sol files, this might be linked to the error \"not found: File import callback not supported\". \n\nAfter reporting an issue, we understand you might be unsure about its severity. If that's the case, consider submitting a help desk request at [https://code4rena.com/help](https://code4rena.com/help) for clarity, and our team will guide you accordingly. If you're unsure about how to check the submission status of your report, you can use the same help desk link. \n\nIf the reported issue has been found by multiple people, we handle such situations on a case-by-case basis. If the same or similar bug is reported, the bounty price is divided equitably based on the quality and timeliness of the report. Our system is equipped to handle such instances to ensure fairness. \n\nLastly, if your error relates to the use of specific tools such as the 'brownie' tool or embedding code on reports, or if you encountered difficulties while submitting your report update, please let us know via the help desk. We're here to assist you every step of the way in your journey with CodeArena.", "**Question:** What do terms like 'score', 'pie', 'split', and 'slice' signify in the findings file provided by CodeArena, and how can I relate these to my findings?\n\n**Answer:** These terms are part of the fund allocation system implemented by CodeArena for its smart contract auditing contests. \n\n'Score' is a grading assigned to the findings in the report and can be found in the 'score' column in the findings.csv file in the Code4rena site repo's _data folder. \n\n'Pie' refers to the total fund pool available for a particular contest, and 'split' and 'slice' are mechanisms by which these funds are distributed amongst the participants based on the value and quality of their findings (e.g., high-quality and high-quantity findings tend to score better). 
\n\nThis allocation is well documented in the C4 documentation at [Link](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic). \n\nIn addition, each finding is assigned a unique ID at the discretion of the judges. If there are discrepancies in the number of entries for a warden in the raw findings.csv file, it could mean one entry was judged as invalid or a duplicate. \n\nYou can refer to the findings.csv file to understand the average payout for various types of findings, including gas optimizations, non-critical findings, and low-risk findings. This file also reflects the rewarding formula for findings of different severities and the change in finding count value in case of partial credit. \n\nThe findings.csv file can be found at [Link](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434). For more detailed analysis of previous findings and payouts, you can also refer to the contest report at [Link](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv) and compare your findings with winning reports on the CodeArena website. \n\nPlease note that the findings.csv file can be cleaned from empty lines, and findings can be submitted and modified via the contest page on the CodeArena website. The judging process and your contest performance can be tracked via the platform's leaderboard and the 'findings' tab next to the contest description.", "Q: I am experiencing various issues with the terminal, software installation and usage, login and issue submission on CodeArena. What should I do?\n\nA: The resolution to your issue can vary depending on the specifics. \n\nIf you're having trouble opening your terminal, try running it as an administrator. 
Additionally, you might consider using Bash commands for environmental variables, or using a docker image.\n\nFor issues related to software installation and usage, reinstalling 'Yarn' or ensuring correct permissions might be a solution. Sometimes, switching to Ubuntu 20.04 via WSL2 can solve installation issues, especially if you're on Windows. Another common software issue is with viewing the repo or submitting findings; this can be resolved by checking if your GitHub account is logged in and it's the one registered with CodeArena.\n\nIf you're experiencing login issues, you can submit a help desk request at https://code4rena.com/help for assistance. Please note that there have been reports of the system showing users as logged in, but the interface not changing, or issues with the 'Create Issue' button not responding. \n\nTo submit issues, you can follow the process mentioned in the discussion at https://github.com/code-423n4/org/issues/8. If your issue is related to gas optimization, you can include 'git diff' in the terminal and use backticks in the report. If you're having trouble fitting large text in the textbox on the help desk site, you can link a gist. Also, remember to use the tool available at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers for a specific format when submitting issues. \n\nIf you're using a mobile device and experiencing issues with viewing the console or performing other tasks, you can email your requests to submissions@code4rena.com.\n\nIf your issue remains unresolved after following these steps, you can submit a help desk request at https://code4rena.com/help. We are here to assist you.", "Q: I'm experiencing hardware issues with my PC which randomly shuts off and only powers up briefly when trying to restart. This has prevented me from submitting my findings for the MaiaDAO contest. 
Can you provide some guidance on how to resolve this?\n\nA: It sounds like your problem could be due to a faulty PSU or motherboard power module. Issues with your RAM or CPU would usually signal error beeps or a code on the numerical display depending on the motherboard manufacturer. If your PC powers up briefly when trying to restart, this strongly suggests a power-related issue. Unplugging your PC from the main power for about 30-60 minutes may help reset some components and could resolve your problem. \n\nOn the other hand, if you're finding that you're having difficulty accessing our site or logging in, this could be a separate issue. If this is the case, create a help desk request regarding the issue and we'll look into it as soon as possible. \n\nRegarding the MaiaDAO contest, we understand that hardware issues can cause unexpected delays and could prevent you from submitting your findings before the deadline. We suggest that you report your issue immediately to us, so we can assess the severity and provide assistance as needed. \n\nIn the meantime, if you're considering using an older PC for the contest, bear in mind that these can have slower processing speeds and may require more patience. Also, it's important to keep your wallet secure and prevent future attacks by keeping your software up to date and using strong, unique passwords.\n\nLastly, if you're working on your report and encounter any software problems, try using Bash commands for environmental variables or using a Docker image to help solve the problem. You can also discuss potential solutions with other users on our Discord chatroom.", "Question: How can users manage their profile settings and interact with the CodeArena platform?\n\nAnswer: CodeArena offers several features that allow its users to manage their profiles and interact on the platform. Users can create teams or change their team name, however, creating a new team might require approval from the Code4Arena (C4) team. 
If a participant needs to update their Discord username or change their profile image, they should create a help desk request on the Code4Arena website [here](https://code4rena.com/help). \n\nAdditionally, users can associate their Twitter handles with their CodeArena profiles by sending a similar helpdesk request. If a user needs to change the wallet address connected to their profile, they can also do so. For any issues or concerns that may arise, CodeArena has a help ticket system located at code4rena.com/help, which is usually responsive within a certain timeframe. \n\nIf users want to propose changes to the CodeArena documentation, they can do so on GitHub [here](github.com/code-423n4/docs). When it comes to submitting reports, Markdown format is supported for adding code blocks. For more details about the protocols Code4Arena has worked with, users can check [here](https://code4rena.com/contests). \n\nFor users interested in becoming a certified contributor at CodeArena, applications can be submitted via this [link](https://code4rena.com/certified-contributor-application). CodeArena aims to be transparent and effective, and there are discussions about its operations being similar to a bug bounty platform where prize pools and fees are defined upfront. Users can find more about this comparison on their documentation page [here](https://docs.code4rena.com/). \n\nFinally, CodeArena provides sponsors with a set of example READMEs to work from, as well as a checklist of items to include. There was consideration of a different tool, a \"CodeArena Report Generator,\" but it was not made clear to participants that this tool was being used. It is recommended that users keep an eye on updates for any changes in the toolset. 
\n\nPlease note that some changes may require approval, and for any issues, users are encouraged to use the help desk system.", "Question: What should I do if I'm not receiving the password reset link in my email from CodeArena?\n\nAnswer: If you're having problems with receiving the password reset email, there are a few steps you can take:\n\n1. First, make sure that you're using the correct email or wallet for logging in, as using incorrect details may cause login issues. Some users reported not receiving confirmation emails due to them landing in the spam folder. So, be sure to check your spam folder as well.\n\n2. If you still don't see the password reset email, you can raise a help desk request through CodeArena's website at https://code4rena.com/help. Provide as much information as possible, especially if you believe there may be an issue with your account.\n\n3. Due to some users mentioning discrepancies in password requirements (16 digits upon sign up, but not when resetting), ensure you're following the password requirements when resetting your password.\n\nPlease note that there is currently no support for changing the login address on CodeArena. If your account has been compromised or you've lost the seed phrase from your wallet, please follow the steps mentioned here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked. \n\nFor the quickest assistance, we encourage you to open a help desk request for any other issues related to your account or password reset problems. It's always better to get help directly from CodeArena's support team to ensure the safety of your account.", "Question: Can I utilize a gas report template from a previous contest for my submission, and are there any specific guidelines and restrictions I should be aware of regarding gas report submissions?\n\nAnswer: Yes, you are allowed to use a gas report template from a previous contest for your submission. 
However, the content must be relevant to the current contest and should provide value to the sponsor. \n\nIt's crucial to note that only one gas report can be submitted per contest. If you have additional findings, you should update your existing report instead of submitting a new one. This can be done by visiting the contest page and clicking on the 'Your Findings' button. \n\nDo remember to consolidate all your findings into one comprehensive report. Multiple ideas about gas optimizations can be written separately and then merged into one report. Participants can submit one combined gas report and one combined Quality Assurance (QA) report per contest.\n\nMoreover, the QA report should ideally group all issues together and be separate from the Gas report. For gas-related submissions, a single consolidated report is advised. If you encounter an error when trying to submit a Gas Optimization report, it's probably because one has already been submitted.\n\nThe selection of a report in a contest depends on its quality, the accuracy of its findings, a working proof-of-concept, and better definition of the formula. Reports from high level down to gas optimizations are eligible for payouts provided they meet these criteria. You can check the criteria for a top-3 finish in either the QA or gas report from past contests on request.\n\nWhile screenshots should not be used in submissions, if your report exceeds the character limit in the submission form, you can submit a placeholder and send an email. More details can be found at: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form \n\nIn case the contest you're participating in doesn't have a gas pool, like the one referred to in this link https://code4rena.com/reports/2022-04-dualityfocus, there won't be any gas optimizations in the final report. 
\n\nFinally, always remember to provide a detailed and high-quality report, even for low and gas issues, to increase your chances of success in the contest.", "Q: My computer suddenly shut off and won't stay powered on when I try to restart it. Could this be due to an issue with the Power Supply Unit (PSU) or the motherboard power module? Is this something that could affect my ability to participate in CodeArena (C4) contests or submit reports?\n\nA: Yes, it could potentially be your PSU or motherboard power module causing the issue. Consider unplugging your PC from mains power for about 30-60 minutes and try to power it back on. If the problem persists, you might need to consult with a hardware expert or consider using a different PC. Although older PCs might require more patience due to slower processing speeds, they can still be used for C4 contests. In fact, issues with the submission process and accessing the C4 website have been reported by users and are not necessarily related to the hardware you are using. These issues can include the website being temporarily down (you can check the site's status at [here](https://downforeveryoneorjustme.com/code4rena.com)) or intermittent errors with submissions. In such scenarios, retrying or clearing local storage may help. Keep in mind that there can be a delay in receiving responses to certain requests or applications. We recommend that users create a help desk request to check on status updates if they encounter such issues. It's also worth noting that heavy system load, login issues, and even incidents on services like Github may cause interruptions in C4's services. In case of a power cut or similar hardware issue that prevents you from meeting a contest deadline, reach out to us through our help desk so we can assist you.", "Q: Can I include markdown formatting in the \"Links to Affected Code\" section of the high/medium findings in my report or should I only add the Github permalink for the respective code block? 
\n\nA: In the \"Links to Affected Code\" section for high/medium findings, you should only add the Github permalink for the respective code block. Markdown formatting can be added in the finding body. The reporting section supports Markdown (MD) format, which can be used to add code blocks, the guide to which can be found [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks). You can show places of vulnerability in two ways: 1) by providing a URL to the repository with the line number in the text, and 2) by providing a solidity code block. However, adding a link that points to the sponsor's GitHub repo code in a findings report does not automatically pull in that code snippet to the report. If the code for a test is too large to be embedded directly in the report under 'Proof of concept', you can link it on a private repo on Github. For further instructions on providing a proof of concept in your submissions, you can refer to this [link](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).", "Question: How are gas optimization reports rewarded in CodeArena contests and what are the guidelines for creating and submitting these reports?\n\nAnswer: Gas optimization reports in CodeArena are rewarded from a dedicated pool, typically comprising 5% of the total prize pool. However, this percentage can vary as sponsors can adjust it based on how important gas savings are to their project. When submitting these reports, participants should be aware that the amount of gas saved for each optimization might need to be mentioned, but this is subject to the judge's decision. \n\nIt's important to compile all gas optimization findings into one report, since only one report of gas optimization can be submitted per contest. More findings can be added to this report by accessing the 'Your Findings' button on the contest page. 
All findings, starting from high-risk to gas optimizations, are eligible for payouts provided the report is high quality, the findings are accurate, and a working proof of concept is provided. \n\nThe reward distribution for gas optimization reports is based on the score of each report. In case where multiple people, including team members, identify a gas optimization, the reward split can be calculated using the formula provided in the official documentation.\n\nPlease note that not all gas optimizations are considered valid when the optimizer is enabled, leading to some confusion about what should be reported. Participants can ask for clarification on these points. Automated reports may sometimes be uploaded after starting contests reporting gas optimizations. The method of award calculation for gas optimizations is outlined in the documentation.\n\nFor more information about the scoring and distribution of the gas optimization rewards, you can refer to the official documentation here: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic. You can also refer to this example spreadsheet to understand the criteria for report selection: https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0.", "Question: Can I modify the \"REPORT_GAS=true\" command in the \"test\" field of the package.json file, and if so, how does it affect the gas report generation and optimization process?\n\nAnswer: Yes, you can modify the \"REPORT_GAS=true\" command in the \"test\" field of the package.json file. This command is part of the Hardhat gas report plugin used to benchmark your code for gas savings. By modifying this command, you can affect the 'REPORT_GAS' function.\n\nHowever, when modifying this command, bear in mind that it might behave differently depending on the operating system. For instance, on Windows cmd, it is recommended to use a docker image. 
\n\nWhen reporting gas optimizations, it's advisable to report each optimization separately. Known issues should be excluded from gas reports, and only invalid ones in the report are considered for gas optimization. Further information about this can be found in the [C4 Common Issues repository](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md).\n\nFor instance, excluding the increment (++i) in a for loop was reported to significantly reduce gas costs. Additionally, using the 'unchecked' command in loops is another recommended way to optimize for gas.\n\nAs for the gas optimization reports, it's suggested that you mention the amount of gas saved for every finding. While not mandatory, this could potentially earn you more points. Any findings related to gas optimization should be gathered under one report. You can submit one combined gas and one combined QA report, and even edit existing findings.\n\nMake sure to avoid importing screenshots into your submissions. Instead, paste your gas report directly.\n\nFinally, note that gas optimization and gas report are not the same, but they work closely together to help you develop more efficient smart contracts. For further information on how to log gas remaining after the state variable update within Foundry and how to compile multiple gas optimization ideas into a single report, refer to the [C4 templates or guides](https://github.com/code-423n4).", "Question: I have received the \"verify your email\" email, but the link in it isn't working. Who should I contact?\n\nAnswer: It appears there have been various issues reported with email communications from CodeArena, including non-receipt of verification emails, issues with specific domains, and emails being flagged as spam. Please check your spam folder first as some emails from CodeArena, such as the KYC mail from \"compliance@provenance.company\", have been reported to land there. 
If the issue persists, it's possible there's an issue with the domain as emails to \"submissions@code432n4.com\" have been reported to fail. If you're still encountering issues, please submit a help desk request at https://code4rena.com/help/. If your email issue is related to receipt of documentation from Provenance, please note that there have been reported inconsistencies in the Certified Warden application and response email. It might take some time for email confirmation of findings submission as well, so please remain patient. If you're experiencing issues with password resetting or certification processes, these are known issues and our team is working on them. Finally, if your issue is specifically related to Github, it's worth checking Github's incident reports at https://www.githubstatus.com/incidents/r5qrpp2f5fc0.", "Question: What are the criteria for achieving the backstage+ role at CodeArena and when are these considered met?\n\nAnswer: According to the CodeArena documentation, there are four minimum criteria for achieving the backstage+ role. These include being a certified contributor, identifying at least one high vulnerability, participating in a minimum of 3 contests, and having at least 3 medium findings and a total of 4 findings. Criteria 2 and 3 are considered satisfied when the awards are announced and the participants are added to the leaderboard. Once these criteria are met, users who believe they are eligible can submit a help desk request for backstage access. More information on these requirements can be found at [https://docs.code4rena.com/roles/certified-contributors/backstage-wardens](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens).", "Question: How can I effectively report gas optimizations in an audit, considering the optimizer settings, potential confusion, and calculation of gas savings?\n\nAnswer: When reporting gas optimizations for smart contracts, it's essential to understand various factors. 
Firstly, the optimizer settings for Solidity play a crucial role. Not all gas optimizations will remain valid when the optimizer is enabled or disabled, and this can lead to confusion. Therefore, understanding these differences is important.\n\nWhen submitting reports, you need to understand the process. It's generally recommended to report optimizations separately, and if there are multiple ideas about a particular optimization, you can compile them separately and merge them into a single report.\n\nCalculating the gas savings for each finding is a key part of such reports. However, it's worth noting that it's up to the judge to decide whether it's necessary to specify the exact amount of gas saved for each optimization. If you're unsure about how to calculate the gas cost, there are resources available to help with this, including documentation provided by CodeArena. \n\nIn terms of validity, gas optimization can be reported for non-view/non-pure functions, and situations where public functions are declared as external. An example of this is the statement \"INTERNAL FUNCTIONS ONLY CALLED ONCE CAN BE INLINED TO SAVE GAS\". There was confusion related to this in the chat, and providing clarification in your report would be beneficial.\n\nGas optimization reports and gas reports are the same, so understanding this can clear up any confusion. Earnings from reporting gas optimization are based on proficiency and are awarded based on the score of each gas report. The calculation is outlined in the documentation: https://docs.code4rena.com/#incentive-model-and-awards.\n\nFinally, if you are new to contract auditing, gas optimization is a potential starting point. CodeArena also provides a list of all approved findings and gas optimizations on their GitHub page, which can be a helpful reference for beginners.\n\nIt's crucial to benchmark the code and come to your own conclusions. 
This approach can help you write findings that you can validate, improving the quality of your reports over time.", "Question: What options do I have for submitting, checking, and editing my findings on CodeArena?\n\nAnswer: You can submit findings through our form on the website. Even as a non-authenticated user, you can submit a report, but you need to be certified to receive rewards. Once you've submitted a finding, it might take some time for it to be confirmed via email. If the submission fails, the form should return an error. You can check your submissions and potentially edit them by navigating to the contest page and clicking on the 'Your Findings' button. If you're submitting as part of a team, team members can make submissions on behalf of their teams and can select either their solo handle or team handle for submitting a finding. However, please note that sometimes participants do not see their submissions on the Findings tab and cannot edit them. We are aware of these issues and are working towards improving this feature. For more information on submission policies, refer to our guidelines at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues and https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible.", "Question: As a beginner IT student, should I focus on smart contract auditing or web2 security as a career path? Are there any resources you recommend for learning more about these fields?\n\nAnswer: It's important to focus on what personally interests you and aligns with your career goals. Both smart contract auditing and web2 security offer promising career paths. \n\nIf you are inclined towards smart contract auditing, platforms like CodeArena (C4) can provide opportunities to learn and grow. We also offer resources for beginners who want to start smart contract bug bounty hunting. 
You can check out https://cryptozombies.io/ for learning solidity and https://capturetheether.com/ for Capture the Flag challenges. For a more in-depth understanding, you can refer to resources like https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources. Moreover, platforms like Sherlock require a high level of competence in smart contract auditing but can be a useful resource once you've built a strong foundation.\n\nFor those curious about web2 security, it's important to note that some topics of web2 security apply to web3 security as well. A practical understanding of web2 security, including aspects like DDOS attacks, can be beneficial. If you're looking for resources to study Geth node and Web2 security in the context of Web3, more resources may be desired and we're open to share them once available.\n \nIn terms of certifications, there are several available for smart contract security but the choice should be based on your personal interests and career goals. If you're considering a full-time career in Web3 and potentially looking for an entry-level role in an auditing firm, it might be a good idea to focus more on smart contracts.\n\nOverall, the choice ultimately depends on your career objectives and interests. The cybersecurity field is broad, and each path provides unique learning opportunities that will contribute to your professional development.", "Question: I'm encountering various errors when trying to run contests, install dependencies, and submit my findings on CodeArena, even though I followed the provided instructions. What should I do?\n\nAnswer: Based on the issues observed in our chatroom, these problems can arise due to various factors. \n\nFirstly, if you're facing errors after cloning the repository for a contest such as the GoGoPool, make sure you've installed all the necessary dependencies. 
You can do this using the `forge i` command or by running 'npm install foundry'. Installation issues can also arise due to the operating system you're using. If you're using Windows, you might face some difficulties, so we recommend using Ubuntu 20.04, which can be run on Windows via WSL2.\n\nSecondly, for issues related to software like 'Yarn' or 'Foundry', there could be permission problems or incorrect installations. Reinstalling 'Yarn' has been found to help some users. For Foundry, you can try installing it with Docker. \n\nRegarding submission of your findings, make sure you're using a supported browser. If the problem persists, contact our team directly. If you're trying to submit to a specific repository like https://github.com/code-423n4/2023-07-axelar-findings and facing issues, please report it in the chatroom or contact the support team.\n\nIf you're having trouble logging in, ensure that you've completed all necessary steps like passing the KYC for private contests. There might also be login issues where the system shows you as logged in, but the interface doesn't change. Our developers are looking into these reported errors to provide a fix.\n\nLastly, if you qualify for Certified+ but cannot find the correct submission form or if you have not received an invitation link to Github despite being certified, please reach out to us directly. We're here to help resolve these issues and ensure you have a smooth experience on CodeArena.", "Question: How can I get started with and track my Know Your Customer (KYC) process application at CodeArena?\n\nAnswer: To begin your Know Your Customer (KYC) process, you need to apply as a Certified Contributor on the CodeArena platform, which can be done at https://docs.code4rena.com/roles/certified-contributors. During this application, you will be asked to complete the KYC process. The KYC process is essential for participating in certain audits, contests, and becoming a Certified+ member or a Certified Warden. 
\n\nThe process usually takes a few days to complete, but there can be delays. If you don't receive any reply to your KYC application within five business days, you can submit a help desk request through the form on the company's website. If you're participating in an event like the Chainlink contest or looking to join private audits, ensure that you have completed your KYC process beforehand.\n\nOnce you've successfully completed the KYC process, Provenance will send you a confirmation email. Please be aware that the KYC process can take a while depending on the back-and-forth between you and Provenance, and it may take a week or longer to complete in some cases. \n\nIt's important to note that changes to the KYC process are expected soon, and these changes will be communicated through the appropriate channels. Stay patient and feel free to nudge Provenance if your KYC process seems to be taking an unusually long time.\n\nFor more details about the KYC process and Certified Contributor role, visit https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.", "Question: I'm an undergrad IT student intending to specialize in cybersecurity, particularly as a penetration tester. I've been learning about web application security and am now interested in smart contract auditing. Should I focus solely on smart contract auditing for its financial potential or continue developing my web2 security skills while doing smart contract auditing as a side project?\n\nAnswer: Picking a career path is a highly personal decision and should ideally balance both your interests/passion and the potential financial rewards. In your case, both web2 security and smart contract auditing offer promising prospects. 
However, the decision to focus on one over the other depends on your personal interests and learning pace.\n\nIf you're passionate about learning smart contracts and find it more interesting than conventional web2 security, then investing more time in this area could be beneficial. Resources such as [CryptoZombies.io](https://cryptozombies.io/) and [CaptureTheEther.com](https://capturetheether.com/) are excellent places to start learning about smart contracts and solidity.\n\nHowever, it's worth noting that some aspects of web2 security apply to web3 security, so having a practical understanding of web2 security could be advantageous. For example, DDOS attacks share commonalities in both domains, as they share a common mindset in terms of security.\n\nYou can also consider becoming a part of Code4rena and participate in their audit contests, which are quite similar to bug bounty programs. Being a part of Code4rena doesn't prohibit you from being employed elsewhere, so you can certainly incorporate it as a side project while you continue to learn and progress in your web2 security skills.\n\nMore specialized resources for smart contract auditing include https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources.\n\nIn summary, there isn't a definitive \"right\" choice here. It depends largely on your interests, learning capabilities, and career aspirations. If you're driven by the potential financial gains, smart contract auditing presents a lucrative opportunity. 
However, it's crucial to also consider your passion and interest in the field, as this will play a significant role in your long-term success and satisfaction.", "Q: How and when are the criteria for the backstage+ role and leaderboard ranking satisfied after a contest, and what processes follow the completion of a contest?\n\nA: The criteria for the backstage+ role, which includes criteria 2 and 3, are considered fulfilled when the awards for a contest are announced and subsequently added to the leaderboard. Under normal circumstances, the process that follows a contest's conclusion includes Sponsor Review, Judging, Awarding, and Reporting in that order. \n\nShortly after a contest ends, reports and findings from the event are reviewed and triaged by judges. They are then subject to a sponsor review and final judging before the process of awarding occurs. During this time, an initial leaderboard update is done to reflect the awards. However, it's important to note that the leaderboard ranking is influenced not only by the current contest but also by the total participation of a player.\n\nThe final stage, Reporting, is when the report from the event is made public, giving participants the opportunity to see the outcomes of their submissions. The time frame for this can vary, typically ranging from 3 to 6 weeks, depending on the contest and the volume of concurrent reports under review. \n\nTherefore, for complete and accurate insights into one's performance, it is recommended to wait until the final report is published before assessing the findings or bugs discovered during a project. This is because some findings may not make the final report for reasons that might not be immediately apparent. \n\nYou can access the leaderboard at https://code423n4.com/leaderboard/ to view the cumulative results from past contests. The status of all your submissions and their feedback can also be checked once the report is published and the findings repo becomes public. 
However, please be aware that the leaderboard might not perfectly reflect a player's accomplishments, as contest results may not be counted for the full duration.", "Question: How long does the certification process take at CodeArena and what does it involve?\n\nAnswer: The certification process at CodeArena involves sending your identity for verification, known as the KYC process, and getting approved by Provenance. Following approval, it typically takes a few days to a couple of weeks for the certified role to reflect on your profile. The initial verification stage can be started within 48 hours of a contest, with the status of the certification process being updated via email. Depending on the process's complexity and the number of reports under review, the entire process of becoming certified can take between 2 to 3 weeks. It is also important to note that the review process for reports could take between 3-6 weeks on average, potentially extending the time it takes to become a certified auditor. Participants need to complete certification within 30 days of the end of the audit in order to receive their payout. For a detailed overview of the certification process, you can refer to our guide [here](https://docs.code4rena.com/roles/certified-contributors). Please note, timeframes can vary and it's recommended to follow up on your application status if you have not heard back within an expected timeframe.", "Question: How can I deploy a contract with a struct as an argument and send Ether with the constructor using Foundry, considering the need to optimize for gas use and overcome common issues related to opcode support or hardhat integration?\n\nAnswer: Deploying a contract with a struct as an argument and sending Ether with the constructor using Foundry involves several steps and considerations. 
\n\nFirstly, we suggest referring to this thread on Ethereum StackExchange that provides a detailed answer on creating a new contract specifying a sender and value with a factory pattern: https://ethereum.stackexchange.com/questions/68519/creating-a-new-contract-specifying-a-sender-and-value-with-factory-pattern\n\nWhen deploying the contract, you may encounter issues related to opcode support in Foundry or difficulties integrating with hardhat projects. In such cases, consider using the \"foundry debug\" tool to introspect contract execution at the EVM opcode level. A base template for a project that employs Hardhat and uses Foundry can be found here: https://github.com/foundry-rs/hardhat-foundry-template\n\nFoundry allows you to fork its state from a public testnet or even the mainnet, which can be a more convenient option for testing smart contracts. Log gas remaining after state variable updates to optimize for gas use. \n\nIf you're facing difficulties testing on the polygon POS network with Foundry, consider using the tool eth-brownie for mocking contract deployments. \n\nRemember that to receive your share in the context of a smart contract, you need to register your handle and Ethereum (ETH) address. \n\nBear in mind that this process may involve a steep learning curve, and there may be difficulties or uncertainties along the way. We encourage you to engage with the community for support and advice based on their expertise and experience. For more complex scenarios, consider professional auditing services to ensure the security and efficiency of your smart contracts.", "Question: How should I submit my findings related to gas optimization and quality assurance during a smart contract audit?\n\nAnswer: When submitting your findings from a smart contract audit, the process depends on the nature of your findings. All findings related to gas optimization should be compiled into a single comprehensive report per contest, even if the optimizations are different. 
It's recommended you specify the amount of gas saved for each optimization, particularly if the same type of issue is found more than once, such as a Reentrancy attack or a specific gas optimization. However, the need for specifying is ultimately based on the judge's decision. If you've identified a gas optimization that applies to multiple lines of code, it should be submitted as one finding and include all applicable lines. Be aware that not all gas optimizations are valid when the optimizer is enabled. Only those included in the generated report are considered invalid; the rest are documented here: https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md\n\nFor low risk or quality assurance (QA) findings, you can compile them all into one report and submit. If a low issue/non-critical bug is found that also reduces gas consumption, it should be included in the QA report and specify the gas savings. If it solely pertains to gas savings, it could be downgraded from QA to Gas category. \n\nFor medium and high-risk findings, create and submit a separate report for each issue. Remember, if your report does not fit into a single submission request, it can be split into separate sends.\n\nMake sure that you only submit one report of gas optimization and one QA report per contest. If you have additional findings to add to your gas report after submission, you can do so by visiting the contest page and clicking on the 'Your Findings' button. \n\nYou can find additional details regarding our submission policy here: https://docs.code4rena.com/roles/wardens/submission-policy", "Question: What is the process for receiving rewards for findings in Code4rena and how do I know if I have received them?\n\nAnswer: In Code4rena, wardens who report a certain finding first, as well as those who also found the same finding, are recognized and eligible for rewards. 
The rewards for different contests, such as Olympus, Amun, stakehouse-nov11, and others, are distributed after the contest ends. Information on the distribution of rewards is typically announced in the chatroom or via email.\n\nAfter you've submitted your finding, you will receive a submission confirmation email. Rewards are usually sent to the participants' MetaMask wallets. For some contests, such as Fairside, awards are distributed on the Polygon network. \n\nIf you have completed the certification process with ProvenanceDAO and have participated in more than 3 contests, you might be eligible for an upgrade to Certified+. You will receive an email from Provenance and C4 regarding your KYC application and certification status.\n\nHowever, please note there can be some delays and issues regarding the distribution of rewards and email receipts. If you've not received any communication after a reasonable time, please contact the team for an update. You can also check specific contest updates, like Olympus reward PR results, Enso contest results, and others, in the chatroom.\n\nIt's also worth noting that based on our chatroom observations, there has been no instance where C4 has revised a payment amount after payout. If you have any further questions regarding reward distribution, feel free to raise them in the chat.", "Question: How can I edit my findings submission in a contest if I have made an error or need to provide additional information?\n\nAnswer: If you need to edit your findings after submitting them in a contest, you can do so by navigating to the contest page and clicking on the \"Your Findings\" button. This will allow you to modify your submission as required. If you submitted your findings to the wrong contest, you would need to resubmit them to the correct contest and fill out a helpdesk request form at https://code4rena.com/help/ to inform the C4 staff about the incorrect submissions. 
You can withdraw a submission if it is identified as a false positive, or edit it if too much sensitive information was mistakenly included. Please be aware that all edits and submissions can be made up until the contest closes. If you have any issues or require further assistance, you can reach out in our Discord chatroom.", "Q: As a new auditor, what resources and methods can I use to enhance my auditing skills and to better prepare for future audits? \n\nA: There are several resources and methods you can leverage to improve your auditing skills. As a starting point, you might want to check out these resources: https://github.com/transmissions11/solcurity and https://github.com/Tomosuke0930/C4-report-categolized. You can also practice by reading old audit reports and participating in past contests. An example set of reports are available at: https://chainsecurity.com/audits/. Furthermore, you can consult a blog post at https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan to understand how to approach auditing for big projects.\n\nThe platform also has a tool for running audits, which is still in its development stages, but could be useful for your future audits. You can find it at: https://github.com/HardlyCodeMan/audit_helper/.\n\nA great way to prepare for future audits is to consolidate past reports and all detected vulnerabilities into a database. This could serve as a \"to-do list\" or a \"things to check\" list during your audits. You can even participate in private audits to deepen your understanding and skills. \n\nFor inquiries about different aspects of auditing, such as how to format arguments and function names in audit reports, you can join the platform's chat and ask your questions. You can also use 'brownie' in the context of auditing, and explore the use of fuzzing tools like Echidna for auditing in contests.\n\nIf you are interested in gas optimization, it can be a good point to start with for auditing contracts. 
You can participate in the audit process even before the code is complete, and send an analysis report about the system even if you have no significant findings, to provide advice on future aspects of the project.\n\nFinally, remember that the entire audit process, even if you don't find bugs, can be a great learning opportunity. You could also consider joining a team to further enrich your auditing experience.", "Question: How does CodeArena carry out audit contests, and how are the winners of these contests determined?\n\nAnswer: CodeArena is a platform designed to help companies receive audits of their smart contracts. It operates in a way similar to a bug bounty platform, where prize pools and fees are set upfront. To illustrate, there is an ongoing audit contest with a total prize of $50k. The winners are determined based on the vulnerabilities they identify within the smart contracts. There can be multiple winners, as in one instance where about 50 people received rewards. \n\nHowever, audit contests are not just about identifying vulnerabilities. Some contests also include a gas optimization award. For example, one contest had a $67,500 USDC main award pot and a $7,500 USDC gas optimization award pot. The gas optimization is a critical factor in the judging criteria, as the smart contract's efficiency in using gas can significantly impact its performance.\n\nIt's worth noting that all participants are not expected to understand the entire codebase fully. To help with this, each proof of concept is usually about 50 lines long and can be run using a hardhat project. Participants can also engage with the team for any queries. For instance, in an upcoming contest for Float Capital, the team is available to answer questions regarding their well-documented code and synthetic asset protocol. The code for this contest is available at https://github.com/code-423n4/2021-08-floatcapital.\n\nThe rewarding formula for each contest may differ. 
In some cases, the cash prize is distributed over a bell curve with different tiers of quality. In others, rewards might be distributed differently, like in a contest where only one high and one medium issue were found. \n\nFor more detailed information on how CodeArena audit contests work, you can refer to their documentation page at https://docs.code4rena.com/.", "Question: Can you explain the process and timeline between the announcement of the awards and their distribution at CodeArena?\n\nAnswer: Sure, the process begins with the announcement of the awards for the contest, which is separate from the actual disbursement of funds. This announcement is usually made public on the CodeArena announcements channel. \n\nAfter the awards have been announced, the distribution of these rewards is done manually in batches for multiple contests at a time. The team gathers the signatures for the award distribution in a standing Monday meeting, implying that the processing of announced awards usually happens early in the week (Monday or Tuesday). \n\nFrom the time of the announcement, the awards are generally aimed to be sent within 1-2 weeks. However, this timeline can vary depending on factors like the time taken for judging and the number of contests being processed simultaneously. There may also be potential delays, like the one observed during the Nested Finance audit contest. \n\nPlease note that the distribution of awards doesn't occur immediately after the announcement due to factors like sponsor's time involvement and ongoing changes to the award calculation process. \n\nThe process after a contest is completed notably includes Sponsor Review, Judging, Awarding, and Reporting. The final published report helps the participants see the results of their submissions, and can be viewed once all the previous steps have been completed.\n\nThe awards from the contests are sent to the user's registered wallet address. 
The company does have plans to distribute awards via smart contracts in the future, but there are still many pieces that need to be put in place before this can be implemented.\n\nLastly, to provide better clarity on the awarding process, it has been suggested by the community to split the 'Awarding' announcement into 'Awarding' and 'Paid' sections. This would help participants better understand when they've won an award versus when they can expect the payout to be completed.", "Q: What is the process between the announcement of contest awards and their distribution on CodeArena, and why is there a delay after contest completion?\n\nA: After a CodeArena contest concludes, the announcement of awards and their distribution occurs in a multi-step process. First, the submissions are thoroughly analysed to confirm their validity and the respective reward amounts. The results of this analysis are then announced separately from the disbursement of funds. This information can generally be found in the announcements channel and on the company's website.\n\nThe distribution of the awards, however, does not occur immediately after the announcement. This delay is primarily due to two reasons. One, the awards are sent out manually in batches for multiple contests at a time, usually by the end of a specified week. This batching process is an effort to streamline the distribution. Two, CodeArena currently uses multisignature (\"multisig\") wallets for award distribution. These wallets require signatures from multiple parties before funds can be released, which can add to the delay. The company does plan to automate this process via smart contracts in the future, but this implementation is still in progress.\n\nAdditionally, it's important to note that the final report of the contest may not immediately appear on the C4 site after the leaderboard is shown and rewards are sent. 
Participants are advised to wait until the full public report is published before doing any write-ups about the issues or bugs found on a project. \n\nFurthermore, the distribution of rewards among team members who contributed to the same contest is determined by each individual team, as per the awards information provided on the [C4 website](https://docs.code4rena.com/incentive-model-and-awards). For teams where not all members participate in the same contest, discussions are ongoing on how to manage the distribution of rewards. \n\nLastly, if a team wins a prize but is unable to claim it due to KYC issues, it is currently unclear whether the prize would be held until they complete the KYC or if it would be void. For more detailed information about the process, please refer to the [C4 process document](https://docs.code4rena.com/structure/our-process).", "Question: How does CodeArena (C4) conduct audits for smart contracts and is there a way to verify if a specific contract has been initialized on the Ethereum mainnet?\n\nAnswer: CodeArena's audit process is designed to ensure the security and integrity of smart contracts, similar to protocols like Venus. While it does not directly check DAI or USDC, it often handles audits for projects that may be live on-chain and simultaneously being audited on C4. For instance, it has been observed recently that users are auditing projects such as Dopex, which involves options trading. \n\nIn terms of verifying contract initialization on the Ethereum mainnet, there isn't a standard automated process provided by C4. However, a tool was mentioned for scanning smart contracts that could potentially serve this purpose: https://app.metatrust.io/project. Also, it's possible to check opcode usage on-chain, which could be helpful in verifying initialization.\n\nIf you are auditing a contract and have specific findings, there is a process for checking reported findings via a link on the Discord channel. 
Furthermore, some project's audit reports, like the ElasticDAO report, are publicly available for anyone to review: https://ipfs.io/ipfs/QmU7JQUCuciGJ9EVApWnPvBCy32eYQnREDFGsxoyDR6w3j.\n\nFor beginners in smart contract auditing, it's essential to note that C4 has made changes to allow for invoicing, and a community is available on the platform for those seeking help. The platform also offers certification after participation in several contests. For instance, one user recently completed a certification process with ProvenanceDAO after participating in more than three contests. \n\nFor more specific queries or findings about particular projects, such as the Nouns DAO or the Visor Finance contracts, it's encouraged to use the dedicated channels or links provided like https://github.com/code-423n4/2022-08-nounsdao-findings/issues/315 and https://github.com/code-423n4/2021-10-badgerdao-findings/issues/5.", "Question: \nWhat is the process and timeline for the distribution of rewards after a contest has been judged on Code4rena?\n\nAnswer: \nAfter a contest has been judged at Code4rena, rewards are typically sent out manually in batches within 1-2 weeks. These rewards are sent out for multiple contests at a time, and the team aims to process and distribute multiple contest rewards by the end of a specified week. Users can check all the reports they submitted during the competition and will receive a confirmation via email once their prizes have been sent. \n\nThe distribution of rewards for each contest, such as Olympus, Stakehouse, Amun, Enso, and others, has varied based on the contest. In some instances, there have been delays in the distribution of awards due to changes in the award calculation process or other factors. However, once the payouts have been sent, the outcome cannot be changed. \n\nPlease note, the reward amounts in contests come from the sponsor, and awards cannot be distributed until the contest process is completed. 
If a team wins a prize but is unable to claim it due to KYC issues, it's unclear whether the prize will be on hold until they complete the KYC or if it's gone forever. \n\nFor specific inquiries about the distribution of payouts for a particular contest, or if there are any overlooked issues, participants are encouraged to flag them to the judge and sponsor. Invoices regarding the contest payouts should be sent to the Code4rena Foundation. \n\nThere might also be instances where some of the rewards are pending even after the contest has finished; this could be due to the manual distribution process. Therefore, it's critical to keep an eye on your email for confirmations and any communications from Code4rena. \n\nIt's worth mentioning that the distribution timeline is an estimate and sometimes subject to change. We appreciate your understanding and patience in this regard.", "Q: How can I track the status of my findings during a contest, view other participants' findings after the contest ends, and understand the reasons if my findings were rejected?\n\nA: You can track the status of your findings and make necessary edits during the contest within the \"Findings\" tab next to the contest description on the contest page. To edit your submissions, you need to navigate to the contest page and select the 'Your Findings' button. You also have the option to withdraw your findings under the same \"Your Findings\" tab.\n\nAfter the contest is completed, the review process begins - this includes Sponsor Review, Judging, Awarding, and Reporting. If you have submitted issues for a contest but did not make the award list, it is likely that your issues were rejected. You can confirm this by reviewing the published report which usually takes at least a month to be released after the contest ends. \n\nThe final report allows participants to understand the reasons for rejection as it includes discussions among sponsors and judges on the specific issues. 
Please note, your findings may not always make it to the final report and the reasons might not be immediately known. \n\nTo view other participants' findings, you need to wait until the report is published and the findings repository is made public. Unfortunately, currently, there is no way to view the findings of a contest immediately after it finishes but before the results are published. \n\nThe 'Known Findings' section on the Readme Page of each contest has a list of automated findings not accepted in the contests. \n\nWe understand the process can be complex and we are working on ways to make this smoother. Please have patience and stay tuned for updates.", "Question: Is it safe and optimal to use safeTransferFrom in the specific code snippet \"IERC20(USDT_TOKEN).transferFrom(msg.sender, address(this), _amount)\", particularly when the token is already wrapped inside IERC20? \n\nAnswer: The use of \"safeTransferFrom\" depends on both the specific token used and the expectations of the code. For the given code snippet, it is important to consider whether the interface expects a return value. If it does, the code might not work as expected. Conversely, if the interface does not expect a return value, the code could function as expected and could be seen as a gas optimization, especially since USDT reverts on failed transfer.\n\nIn the context of ERC-777 tokens, it is possible to call the safeTransferFrom function of an ERC-777 token contract in another smart contract. However, this is subject to specific conditions and the code's requirements. For example, trading callbacks in solidity can be activated by several methods, including safeTransferFrom, onERC721Received, onERC1155Received of ERC1155, and tokensReceived tokensToSend of ERC777.\n\nWhen testing functions from a smart contract, a mocked token should have safeTransfer and safeTransferFrom functions. 
The safeTransferFrom function ensures that the transfer of tokens is successful and helps prevent potential risks associated with depositing funds into an uninitialized contract.\n\nIt's also important to note that SafeTransferLib is utilized for safely transferring funds to a user. This library checks the operation of sending funds' success by checking the return status of the call. This becomes particularly relevant when dealing with fee-on-transfer tokens, as these tokens deduct a small fee from every transfer, resulting in the received amount being less than the transferred amount.\n\nFor more detailed information on the USDT token code, you can refer to the code here: https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95. \n\nLastly, bear in mind that not every token is a fee-on-transfer token and the choice of whether to use safeTransferFrom should be based on the specific token and the requirements of your smart contract.", "Question: Can you provide detailed information about the concept of \"bins\" in Trader Joe contracts and where can I find relevant resources to better understand it?\n\nAnswer: The concept of \"bins\" is a unique aspect of Trader Joe contracts. While we don't have a direct explanation in this chat, you can find more detailed information about \"bins\" in their official documentation here: https://docs.traderjoexyz.com/concepts/concentrated-liquidity. It's important to note that understanding \"bins\" might be challenging, as it is a complex concept within the context of smart contracts. We recommend patience and thorough reading of the provided documentation. Additionally, if you're interested in understanding the main contracts in the Vault, there's a helpful video available at https://youtu.be/D-hSiGeNpuY. 
It's always beneficial to expand your knowledge about different aspects of contracts while conducting audits.", "Question: Is it possible to run continuous smart contract audits on CodeArena, and if so, how can beginners get started with it?\n\nAnswer: Yes, it is indeed possible to run continuous smart contract audits on CodeArena. We not only allow multiple audits to be run simultaneously, but also hold contests for analyzing smart contracts, which can be an excellent opportunity for those starting in this field. For beginners wanting to learn more about auditing smart contracts, we have a dedicated #\ud83c\udfebeducation channel, and there are resources available at https://docs.code4rena.com/roles/wardens/tools-and-resources and https://cmichel.io/how-to-become-a-smart-contract-auditor/. \n\nWe also have tools in the works to assist with audits, such as https://github.com/HardlyCodeMan/audit_helper/. For more advanced audits, there are discussions about using machine learning and fuzzing tools for better results. CodeArena is expanding its scope to include audits for products built on Polygon and Solana, and even considering the idea of visualizing smart contracts into shapes to predict vulnerability.\n\nIn case your project is already live on chain, we still provide auditing services and it's beneficial to engage in the auditing process before your code is complete. We recommend you to watch a YouTube video on how to audit smart contracts for better understanding, and you can also check out other websites like https://immunefi.com/, https://spearbit.com/, and https://hats.finance/ for additional insights and to get rewarded for auditing smart contracts.", "Question: Is it a vulnerability if the USDT token is used and the smart contract updates account mapping after the transfer?\n\nAnswer: It depends on the specific implementation of the smart contract and the token. 
To have a better understanding of a potential vulnerability, it's important to look at the code itself. In the case of the USDT token, you can review the code at the following link: [USDT token code](https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95). \n\nThe usage of tokens such as USDT and the implementation of transfer methods such as \"safeTransferFrom\" can lead to varying degrees of vulnerabilities. As discussed in our chat, it is important to understand the exploit path of a potential vulnerability before drawing conclusions. An external function transferring ERC20 tokens without reentrancy protection, for instance, might not necessarily be a high or medium risk vulnerability unless there is a clear explanation of the exploit path.\n\nIn addition, it's crucial to remember that a smart contract doesn't inherently know if someone has sent ERC20 tokens to it. Therefore, an erroneous transfer to a contract could lead to loss of funds if not properly designed to handle such scenarios.\n\nLastly, vulnerabilities in out-of-scope contracts should be reported as well. While they may not be rewarded, these findings are important to the overall security of the smart contract system.\n\nRemember that the severity of a vulnerability can be affected by multiple factors, including whether it relies on a user making a mistake or not. Also, setting an incorrect severity can result in penalties during the auditing process. This underscores the importance of a thorough understanding of the code and potential exploit paths when assessing vulnerabilities.", "Question: What resources and strategies are available for improving skills in identifying smart contract vulnerabilities, specifically in Capture The Flag (CTF) competitions?\n\nAnswer: There are several resources and strategies available for those looking to improve their skills in identifying smart contract vulnerabilities. 
For beginners, CryptoZombies.io and CaptureTheEther.com are recommended as learning platforms for understanding smart contracts and solidity. For additional practice, you can reverse engineer examples from post-mortem analysis, such as the TempleDao incident found at https://rekt.news/templedao-rekt/. \n\nFor more advanced training, resources like The Ethernaut challenges and Damn Vulnerable DeFi are recommended (https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/). If you're struggling with capturing vulnerabilities during Capture The Flag exercises, you might find it beneficial to deepen your understanding of solidity fundamentals or gain more developer experience. \n\nTools such as fuzzing utilities like Echidna, and smart contract scanning tools like https://app.metatrust.io/project can be useful in detecting vulnerabilities. There's also an interesting approach being discussed in the community involving machine learning. The idea is to convert a smart contract into respective shapes, train a model based on these shapes to predict the vulnerability of future contracts. For more on this, check https://github.com/DanielVF/evm-contract-draw.\n\nFinally, participating in contests run by platforms like CodeArena can offer practical experience in analyzing smart contracts. Websites like https://immunefi.com/, https://spearbit.com/, and https://hats.finance/ can also be handy for getting rewarded for auditing smart contracts. Remember, practice is key in improving your skills in catching vulnerabilities.", "Question: Is it advisable to use the safe version of token transfers in smart contracts, particularly when a token does not revert on failed transfer?\n\nAnswer: Yes, it is generally considered good practice to use the safe version of token transfers in smart contracts, especially when dealing with tokens that do not revert on failed transfers, such as ZRX, but instead return false. 
Such tokens pose a vulnerability that can be exploited if their transfer failure is not appropriately checked.\n\nThe choice between using \"safeTransferFrom\" or \"transferFrom\" largely depends on the token used and the expectations of your code. For instance, if you're dealing with an ERC-777 token contract, it's possible to call the safeTransferFrom function in another smart contract. Additionally, when working with IERC20 wrapped tokens, it's essential to consider the safety of using the safeTransferFrom function.\n\nIt's worth noting that not all tokens are fee-on-transfer, meaning not all of them remove a small fee from every transfer. However, for those that do, the received amount might be lesser than the transferred amount due to the deduction.\n\nAlso, it's important to remember that a smart contract does not automatically know if someone sent ERC20 tokens to it. Thus, when testing certain functions from a smart contract, a mocked token needs to have safeTransfer and safeTransferFrom functions.\n\nIn the case of potential vulnerabilities, such as a function call in a smart contract that always reverts but the assets are not at risk, it might be considered a Medium or High finding depending on the context. However, if the bug relies on the user making an error in interaction with the contract, its severity might be lower.\n\nFor more information on tokens that do not revert on failed transfers, you can refer to this repository: https://github.com/d-xo/weird-erc20#no-revert-on-failure. Furthermore, for more information on not checking failed transfers/approves, refer to: https://github.com/yearn/yearn-security/blob/master/disclosures/2020-09-25.md.\n\nThe ultimate goal is to ensure the security and stability of your smart contracts. 
Therefore, it's advisable to use the most stable and secure solidity version and to be aware of potential risks such as depositing funds in an uninitialized contract.", "Question: What are the potential risks if a token doesn't revert on failed transfer and the failure isn't checked?\n \nAnswer: The consequences of not properly checking a failed token transfer can vary, depending heavily on the specifics of the smart contract code and the nature of the token involved. For instance, if there is a gap in the code that allows all funds to be stolen, the severity of the issue becomes high. \n\nTokens that do not revert on failed transfers, such as ZRX, just return false instead. There can be several reasons for a transfer to fail, such as a lack of funds or a fee being deducted during the transfer. Fee-on-transfer tokens for example, remove a small fee from every transaction, which can result in the contract receiving less than the transferred amount. Not all tokens are fee-on-transfer, and the exact behavior can depend on the particular token used. \n\nIn the case of an ERC777 token contract, you could use the safeTransferFrom function to ensure a safe transaction. However, whether or not to use this function also depends upon the token involved and the expectations of the code. If a bug relies on a user making a mistake in interaction with a contract, it can still be considered valid, but may not have the same severity if it doesn't require a mistake. \n\nIt's also important to consider potential risks like an uninitialized contract being exposed to a ransom attack. This can occur when an attacker takes control of the uninitialized contract and demands a ransom to release it. 
\n\nAdditional insights and discussions can be found in the following links: \n- https://github.com/d-xo/weird-erc20#no-revert-on-failure\n- https://github.com/yearn/yearn-security/blob/master/disclosures/2020-09-25.md\n- https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95\n- https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address\n- https://github.com/code-423n4/2022-04-axelar-findings/issues/5\n\nRemember to always conduct thorough audits and checks when working with smart contracts to ensure the security of your funds.", "Question: How can I obtain the company identification number and address details of Code4rena for invoicing and other official purposes?\n\nAnswer: The company identification number and specific address details for Code4rena have not been provided in the chat. However, for invoicing purposes related to contest payouts, you should address your invoice to the Code4rena UNA. If you need further assistance regarding this matter or have any other queries, you can submit a help desk request on the Code4rena website. The help desk request form can be accessed at [https://code4rena.com/help](https://code4rena.com/help). For more information about Code4rena, you can visit [https://docs.code4rena.com/](https://docs.code4rena.com/).", "Question: How is the severity of a bug in a smart contract determined and categorized in CodeArena, and what are the implications of the severity level on the bug reporting and contest outcomes?\n\nAnswer: The severity of a bug in a smart contract is determined by its impact. The impact could range from minor issues, such as forgetting to check a function's return value, to significant vulnerabilities that enable the theft of funds from the contract, akin to what occurred with Temple Dao. 
\n\nIn the CodeArena platform, the severity of a bug is evaluated by judges and sponsors, following guidelines provided here: [https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr). These guidelines detail the different severity levels and the criteria for each. The severity classification can impact how the reported issue is accepted and valued, and even the outcome of contests, with contestants given shares for bugs discovered based on severity.\n\nCertain factors can influence the severity categorization. For example, if a bug relies on a user making a mistake when interacting with the contract, it is likely to be classified as less severe than a bug that doesn't require user error. Further, the context is crucial when categorizing severity, especially regarding state variable changes, upgradeable contracts, and storage variables. \n\nIt's important to note that there can be penalties for incorrectly establishing the severity of an issue during auditing. For instance, if a high severity bug is assessed incorrectly as a medium severity, the reward given will correspond to a medium severity bug. \n\nIf bugs impact contracts that are out of the contest scope, the decision to award or not is left to the judge's discretion. If no medium or high vulnerabilities are found, the remaining contest funds will be allocated based on the Quality Assurance report.\n\nIn reporting the bug, clarity and correctness in identifying the highest severity impact, presenting convincing evidence for the chosen severity and validity, and understandable writing are essential.\n\nIf the severity isn't clear while reporting issues, it's advisable to continue working on the Proof of Concept (POC) until it becomes clear. Also, changes to the severity of reported bugs after a contest ends can be communicated to the judge through designated channels. 
Lastly, the platform is considering adding the severity of bugs to the emails sent out after issue submission for better clarity.", "Question: How does CodeArena (C4) handle confirmations of payment, source of funds, and report submissions?\n\nAnswer: CodeArena (C4) provides a comprehensive system for confirmation of payments, sources of funds, and report submissions. Upon successful submission of reports or findings, users typically receive an email confirmation, which should arrive within a few minutes. These emails generally come from submissions@code423n4.com. \n\nIn some instances, users may experience delays in receiving these confirmation emails. In such cases, users can submit a help desk request to track the status of their confirmation. \n\nRegarding payments, the process is done once a week, but may take up to two weeks due to double-checking at each step to ensure security and correctness. If a user's payment address is updated without their knowledge, they can report this issue for investigation. \n\nAs for source of funds, once a Provenance application for a private audit is approved, applicants can expect to receive a confirmation email. Users have also raised questions about receiving payment or source of funds confirmation letters. As of now, all related documents can be found in the provided docs. \n\nPlease note that there is a possibility of revising the payment amount both increase and decrease even after payout. If users need invoices, these need to be confirmed by a specific individual within the organization. \n\nLastly, participants are advised to receive an email confirmation for each submission to track their past reports and confirm the receipt of their issues. 
If you have further queries regarding this, feel free to reach out to our helpdesk or check our documentation for more details.", "Question: What is the efficiency difference between \"x != 0\" and \"x > 0\" in require statements in Solidity and are there other gas savings methods to consider?\n\nAnswer: In Solidity, the condition \"x != 0\" is generally cheaper than \"x > 0\", but this cost difference is only noticeable in require statements and only prior to the release of version 0.8.13. It's worth noting that gas savings can also be obtained through other means. For example, not initializing default variables to 0, using 'for (uint256 i = 0; i < 1000; ++i)' instead of 'for (uint256 i = 0; i < 1000; i++)', and using custom errors instead of require statements with a string have all been discussed as methods to decrease gas costs. \n\nHowever, when it comes to constants and immutable variables, some small demos show minor differences but generally, constants are cheaper than immutable variables. Constants are calculated and filled in at compile-time, whereas immutable variables are read-only state variables. There was a time when immutable cost less gas than constants, but as of July 2020, this is no longer the case ([source](https://twitter.com/GalloDaSballo/status/1476925462010122245)). \n\nAlso, for gas efficiency, using 1e36 as a method of representing big numbers in Solidity code is recommended as per the Solidity documentation ([source](https://docs.soliditylang.org/en/v0.8.15/types.html#rational-and-integer-literals)). \n\nRemember that gas optimization strategies often depend on the specific context of the smart contract and may involve a trade-off with code readability and maintainability. 
Always consider the specific needs of your project when deciding on these optimizations.", "Question: Can anyone from CodeArena (C4) provide a confirmation or sign anything as a part of the process?\n\nAnswer: CodeArena (C4) staff can verify the accuracy of a statement and confirm it if it's sent as a help request. This confirmation can be relevant in different situations such as confirming a prepared statement, confirming submissions, or addressing issues. However, it's important to know that the C4's payment address is a multisig and would likely remain the same unless there are accounting issues. Also, certain processes like KYC, for becoming a Certified warden, are delegated to Provenance. After applying for KYC, you will receive an email from Provenance and C4. Once confirmation is received from Provenance, it is then possible to participate in a private audit. \n\nIt's also worth noting that participants can directly message the C4 staff members or ask for support from the C4 website. In case of any issue, there's a process for submitting it using the C4 form. If you're a contestant in a C4 contest and need to inquire about the progress and schedule of final reports, you can do so. Certified contributors can join backstage once they meet certain criteria, such as the number of findings and contest participations.\n\nRemember that submissions are confirmed via email and can be viewed on the C4 Contest page under the \"Findings\" tab. Additionally, all PRs need to be approved by a member of the C4 team before they can be merged. More details can be found on our website [Link to the C4 website].", "Q: How should I invoice the rewards received from a Code4rena contest and what is the process for rewards distribution?\n\nA: In order to invoice the rewards received from a contest, you should send your invoices to the Code4rena Foundation, also known as Code4rena UNA. 
The detailed process for creating an invoice and information about the awarding process is available at [https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions](https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions).\n\nFor team rewards in an audit contest, the prize is sent to a single address, and it is the team's responsibility to distribute it amongst themselves. The way a team splits their reward is up to them as detailed in [https://docs.code4rena.com/roles/wardens](https://docs.code4rena.com/roles/wardens). \n\nIn some contests, KYC might be required to receive prizes. In that case, you can complete the required form found at [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors).\n\nIf you have specific issues related to rewards distribution, you can submit a Help Desk request at [https://code4rena.com/help/](https://code4rena.com/help/). \n\nRemember, once the contest payouts have been sent, the outcome cannot be changed. However, any overlooked issues can be flagged to the judge and sponsor.", "Question: How can changes be made to a user's account details like wallet address, and how can these changes and payment transactions be verified by the C4 staff?\n\nAnswer: Users can modify their account details such as wallet address and username on C4 platform at https://code4rena.com/account. Any changes made will be reflected in the user's C4 account. If a user decides to use a new wallet address in their reports, the rewards for the report will be distributed to the new address. Wallet addresses used in a finding can also be updated after the finding has been submitted and before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. 
\n\nRegarding payment transactions, the payout for vulnerability issues can be verified by checking the wallet address with which one registered, using polygonscan.com or wallet trackers like debank.com. If there is an issue, such as a hacked C4 wallet, a help desk request needs to be submitted for assistance.\n\nC4 staff can verify the accuracy of a prepared statement related to user's earnings or payment transaction hash and confirm it, if sent as a help request. However, the staff cannot confirm public information such as the address of the C4 token or the C4's payment address, as these are multi-signature addresses and are likely to remain the same unless there are accounting issues. \n\nPlease note, responsibility for tax reporting for C4 bounty earnings lies with the individual and is not handled by C4 or Provenance. \n\nIt's always recommended to take precautions and ensure that your private key is secure to avoid any malicious transactions.", "Question: How does CodeArena determine the payout amount for bugs found, especially in scenarios where multiple auditors discover the same bug?\n\nAnswer: CodeArena has a comprehensive incentive model for rewarding bug discovery. The payout amount for bugs found is determined by the severity of the bug and the details provided in the submission, such as the inclusion of a Proof of Concept (PoC). Importantly, there is no difference in payout between the first person to find a bug and any subsequent person who finds the same bug. Instead, the overall value of the bug is reduced and split among the finders. In other words, if multiple auditors report the same bug, they all receive a portion of the bounty. \n\nContestants are given shares for bugs discovered based on severity. These shares entitle the owner to a pro rata piece of the pot. The exact split can be calculated using the formula provided in the link: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. 
Importantly, the minimum eligibility for payout is a total award of $5, to avoid the necessity of sending dust amounts.\n\nFor example, the award for a medium/high finding can also be calculated using this formula. Additionally, the average award pot for low or non-critical vulnerabilities in contests is typically 10% of the total prize pool. However, exact details of the awards are not fixed for each contest, and are distributed based on individual issues, so multiple items in one submission count as one submission.\n\nIt's worth noting that if there's a bug in a contract that's in scope, but it impacts another contract that's out of scope, it's up to the judge to decide whether an award will be given. Also, if a bug is found that's common and would usually be picked up by the C4udit tool, it should still be submitted if it's not detected by the tool.\n\nThe order in which auditors report a duplicate bug does not impact the payout they receive. The details of this system are outlined in the Code4Arena documentation: https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit. \n\nPlease remember that each individual team member needs to be certified to be eligible for payout, and an individual team decides how to split their portion of a pot among themselves. Certification eligibility requires encountering 1 high severity bug and competing in at least 3 contests.", "Question: What should be included in a bug report to maximize its value, and is it necessary to recommend mitigation steps?\n\nAnswer: When constructing a bug report, it is crucial to include the issue, its description, and a Proof of Concept (PoC) where necessary. Although recommending mitigation steps isn't strictly required, providing them can increase the overall value of the report. If unsure about the severity of a reported issue, the most important factor is a good explanation of the finding rather than its specific severity. 
It is also acceptable to submit a single report that contains all occurrences of the same issue.\n\nWhen it comes to automated findings, if a bot reports a problem but doesn't identify all parts of the codebase where that problem is present, it is eligible to add them manually. If you find a vulnerability difficult to fix without major changes to the protocol, it is still worth reporting. The focus should be on identifying and explaining the issue; providing a recommended fix is appreciated but not mandatory.\n\nIf there are multiple non-critical findings, they can be combined into one Quality Assurance (QA) report or kept as separate issues, depending on the context. High severity issues can be included alongside medium/low severity issues in the same report, but the most effort should be emphasized on the high severity issues.\n\nIn terms of formatting, you can include images in your report and use markdown in issue titles. If a single line of code can be exploited in multiple ways, you can choose to report it as one bug or multiple, depending on how you perceive the situation. If two different issues can be resolved by fixing the same thing, they would be considered as one issue. If a mistake is made in a report, it can be corrected by filing a help ticket, unless it dramatically changes the finding's meaning. \n\nLastly, if you encounter difficulty in understanding certain code instances, consider creating one report and referencing the related issues in it. Beginners are encouraged to do this as it can help them make sense of complex code sequences. Remember, the importance of a thorough explanation of your findings cannot be overstated.", "Question: Can I submit a lengthy proof of concept (POC) via external platforms like Gist while reporting a finding to CodeArena?\n\nAnswer: Yes, you can submit a lengthy proof of concept using external platforms like Gist when reporting a finding to CodeArena. 
If your POC is too large to be embedded directly in the issue, you can provide a link to it, just ensure it's relevant. You can also include the POC in a gist file or present the POC in code or plain English. However, it's important to note that a finding may be disregarded without a POC unless the issue is extremely obvious, so providing a clear and comprehensive POC is recommended. \n\nIf you're concerned about vulnerability exposure risk, you can use a private gist, or make a \"secret gist\" to show a code example without being disqualified for disclosing the problem. You can also submit images as part of the POC by linking them externally, or include them in your Gist and submit the report with the gist link. \n\nFor precision-loss issues, it's particularly important to provide a clear POC to support your submission. When submitting a finding, you can fill the Proof of Concept section by providing direct links to all referenced code in GitHub and adding screenshots, logs, or any other relevant proof that illustrates the concept. \n\nYou can find detailed instructions about how to include a POC at [Code4Rena's Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).", "Question: What resources are available for learning Solidity and Smart Contract auditing?\n\nAnswer: There are numerous resources available for learning Solidity, auditing smart contracts and mastering related concepts:\n\n1. General Solidity learning: For understanding Solidity syntax and programming, websites like https://solidity-by-example.org/0.6 and the official documentation at https://docs.soliditylang.org/en/v0.7.5/ are recommended. \n\n2. Interactive Learning: Interactive platforms like CryptoZombies.io and CaptureTheEther.com are useful for beginners, teaching smart contracts and solidity in a fun, game-based format.\n\n3. 
Video Tutorials: For video content, you can refer to https://www.youtube.com/@smartcontractprogrammer, which discusses math and accounting in Solidity projects.\n\n4. Advanced Solidity: For advanced learning, try The Ethernaut challenges and Damn Vulnerable DeFi: https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/\n\n5. Contract Auditing: If you're interested in auditing smart contracts, resources like https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources are helpful.\n\n6. Additional Resources: For more specialized subjects like opcode learning, proxy and upgradeable contracts, refer to https://www.evm.codes/ and https://proxies.yacademy.dev/ respectively. \n\n7. Decompiling Solidity Code: To decompile solidity code, you can use the tool at https://library.dedaub.com/decompile.\n\n8. CodeArena Tutorials: CodeArena also has a dedicated #\ud83c\udfebeducation channel, where you can learn more about auditing smart contracts. \n\n9. Practice Opportunities: CodeArena regularly runs contests for analyzing smart contracts, providing a great opportunity for practical learning.\n\nPlease note, there was also a query regarding a tool or plugin for checking Solidity code syntax and checks, similar to the functionality of the online Remix IDE, but we couldn't find a definitive answer.", "Question: How should I report a vulnerability I've discovered in a smart contract that I do not know how to fix or mitigate, and what impact does its classification have on the contest rewards and process?\n\nAnswer: In the context of CodeArena, your primary responsibility as an auditor is to uncover potential vulnerabilities in the smart contracts and provide a detailed explanation of each issue. If you identify a medium or high severity vulnerability but are unsure of how to mitigate it, you can still report it. Remember to include an explanation as to why it cannot be feasibly mitigated. 
Although recommended mitigation strategies are appreciated, they are not mandatory for your report. \n\nVulnerabilities are categorized as high, medium, low, or QA based on their potential impact. If all rewards can be lost, it's classified as medium or high, while a risk of losing some rewards likely falls under medium. If only a negligible amount of rewards are lost due to roundings, the issue is typically classified as QA. High severity issues involve scenarios where the principal can be stolen without any extra requirements.\n\nIn scenarios where no medium or high vulnerabilities are found, remaining contest funds are divided based on the Quality Assurance (QA) report curve. This is, however, a rarity. You can see a record of past contests at https://code4rena.com/reports/2021-11-fei.\n\nWhen reporting an issue, especially medium or high severity ones, providing test codes as Proof of Concepts is ideal. Judges have the authority to downgrade or upgrade reported issues based on their assessment of the severity.\n\nThe classification of an issue can impact its eligibility for rewards. If a problem is submitted as low in a QA report, but the judges determine it's a medium, it will be eligible for medium rewards as per https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.\n\nIt's also important to note that medium and high severity findings should be each submitted as separate reports, while QA findings and gas findings are submitted separately. Non-critical findings, bugs, and optimizations can be included in the QA report.\n\nOn a final note, remember that the primary intent is to identify vulnerabilities. 
While there's no specific incentive for QA type submissions, sponsors are mostly interested in high/medium/low severity vulnerabilities and gas optimizations.", "Question: What tools and platforms does CodeArena recommend for writing and formatting audit reports?\n\nAnswer: At CodeArena, we recommend using platforms like GitHub, Joplin, Visual Studio Code (VSCode), and Notion for writing reports. The platform you choose should have support for markdown, as this is the primary format for our reports. Platforms like Markdown and Hackmd are also suggested to improve report presentation. \n\nVSCode's preview tool can be particularly helpful for formatting the report. It is crucial to include the issue, description, proof of concept (where necessary), and mitigation (where necessary) in a semi-professional report format. If mitigations are involved, users can use markdown to write the code in the report. \n\nFor embedding code snippets or screenshots in your report, you can ask about issue types relating to your chosen platform in our Discord channel. We also have report templates or guides available to help you with the format of gas/QA reports. \n\nOnce your report is complete, it is published on the Code4Rena site [https://code4rena.com/reports](https://code4rena.com/reports). However, it's important to note that not all reports get featured in the client report, a process determined by our panel of judges. \n\nRemember, all types of accepted reports, from high level down to gas optimizations, are eligible for payouts, provided the report is of high quality, the findings are accurate, and there is a working proof of concept. You can view examples of winning reports here: [https://code4rena.com/reports](https://code4rena.com/reports). \n\nWhen QA findings are involved, they should be compiled into one combined report for efficiency. 
If you have a finding that could fit into two categories (like mechanism and architecture), you can inquire in our Discord channel about how best to categorize it. \n\nIf you prefer, you can also write your QA/gas reports directly into the submission form without using any special formatting tools. \n\nFinally, if you have any further questions about the report writing process, or in case you want to track the status of your past reports, don\u2019t hesitate to ask within our community.", "Question: What is c4udit, how is its output handled for each contest, and how does it affect the scope of issues and bounty payouts at CodeArena?\n\nAnswer: C4udit, currently referred to as Analyzer [https://github.com/Picodes/4naly3er], is a tool used by CodeArena to generate automated findings for each contest. These findings, which can be checked via the C4 GitHub repo, are posted in the contest channel by a warden within an hour of the contest opening. If an issue is included in this output, it is considered a known issue and is therefore out of scope. \n\nThe c4udit tool plays a significant role in maintaining the quality of submissions and determining the scope of bounty payouts. It's designed to identify common or publicly known issues which are generally ineligible for rewards [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible]. If multiple auditors report the same bug not discovered by c4udit, they all share a portion of the bounty. However, if an auditor lists any of the C4udit gas findings, their report will be voided and count as 3 rejected reports. \n\nIt's also important to note that the C4 team is continually working to improve this tool and its processes to ensure efficiency and accuracy in detecting issues. Despite the automated findings, auditors are encouraged to submit reports of undetected issues, which can be done using the C4 form on the website. 
After submitting, there's no need to also create an issue on GitHub as the C4 system automates this step. \n\nLastly, participants seeking support or wishing to stay informed about published reports and updates can visit the C4 website or the proposed #audit-reports announcements channel on Discord. For further insights into the C4 auditing and judging process, you can visit this Twitter thread [https://twitter.com/sayan_011/status/1629011044516655104?t=DJz16iE54QkwLxkc3MrQtw&s=19].", "Question: What is the relationship between the C4udit tool and other tools used by CodeArena for auditing, and how are these tools used within contests?\n\nAnswer: CodeArena uses a variety of tools in its audit process. A key tool is C4udit, which is primarily used for identifying Publicly Known Issues. The output of C4udit, also known as \"automated findings,\" is generated for each contest. The current version of this tool, known as Analyzer, can be found at https://github.com/Picodes/4naly3er. \n\nIt's important to note that any findings from the C4udit tool are ineligible for rewards according to CodeArena's submission policy: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible. In each contest, a warden is typically asked to run C4udit and post its output in the contest channel. If an issue appears in the channel, it's considered a known issue and is not eligible for rewards. \n\nThere's also a possibility of using a \"CodeArena Report Generator\" tool. 
However, it wasn't sufficiently clarified in the past whether this tool was being used, or who had the authority to use it.\n\nCodeArena is continuously working on improving its tools and processes, which includes transitioning from simple tools to authenticated warden accounts, and considering the development of new tools, possibly even funded by C4 grants.\n\nOther tools mentioned in our community discussions include a tool for Solidity sequence diagrams and fuzzing tools like Echidna for auditing. However, there was a question about the use of the static analyzer at https://github.com/byterocket/c4udit for QA and gas optimization, but the status of its use remains unclear.\n\nFor more detailed comparison of bug bounties and C4 audit contests, you can visit our documentation page: https://docs.code4rena.com/.", "Question: Can sponsors use a tool to fix minor issues before running contests, and how could this impact fairness and the discovery of potential code vulnerabilities?\n\nAnswer: While the idea of allowing sponsors to use a tool to fix minor issues before launching contests has been proposed, it comes with a set of challenges. CodeArena aims to maintain a balance between streamlining processes and ensuring fairness. If sponsors had the tool, they could potentially fix smaller issues in advance, but it might also lead to scenarios where sponsors could hide bugs, report them, and hope that nobody else finds them. \n\nThere is also a concern of exploiting early access to vulnerability submissions if sponsors are allowed to see them prematurely. In the past, CodeArena used to let sponsors see submissions early but found it better if sponsors receive a triaged and sorted list after an initial review process. This helps ensure the fairness of the contests and that all vulnerabilities, including high and medium severity exploits, are identified and addressed effectively. 
Automated tools can help in finding potential issues, but a higher burden of proof is needed to convince sponsors of the relevance and severity of these exploits. This is elaborated further at https://github.com/code-423n4/org/discussions/50. \n\nTrust in sponsors is crucial, but to maintain the integrity of the contests and the accuracy of the audits, a careful balance must be struck. All participants are encouraged to review contest rules, report potential issues (including those that may be out of scope) and engage in open discussions with sponsors before finalizing their submissions. If there is any discord with the sponsor about the scope of a particular issue, reporting the issue is still highly encouraged. \n\nDespite the potential benefits of automated tools, the emphasis on manual review and reporting of vulnerabilities and a Proof of Concept (PoC) for each submission remains a critical factor in the auditing process of CodeArena.", "Question: How does CodeArena handle c4udit output and its implications for contest channels?\n\nAnswer: For every contest, CodeArena assigns a backstage warden to run the c4udit tool, which is a specially designed tool for generating automated findings. This tool, currently in use, can be found at [https://github.com/Picodes/4naly3er](https://github.com/Picodes/4naly3er). The output generated by this tool is posted in the respective contest channel, making it accessible to all participants. \n\nAny issue revealed by this output and posted in the channel is automatically classified as a \"known issue\". As per the contest rules, known issues are considered out of scope, meaning they are not eligible for rewards. More about this can be found at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible). 
\n\nIt is important to note that the c4udit output, or \"C4 output\" as it is sometimes referred to, is usually available within an hour of the contest opening. However, some reports may be deemed out of scope at the Judge's discretion, particularly if they appear to be copy-pastes or share the same underlying risk. \n\nFor further clarity about the progress and schedule of final reports, contestants can inquire in the contest channel. After the judging is complete, the results are announced in the same channel. If there's confusion regarding bounty payouts, remember that if multiple auditors report the same bug, all get a portion of the bounty. \n\nIn case of any discrepancies or doubts, participants can access specific information related to the contest at [https://github.com/sseefried/c4-stats](https://github.com/sseefried/c4-stats). They can also refer to the submission policy and audit contest guidelines at [https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines](https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines). \n\nRemember, the number of contests may fluctuate and findings submitted for contests can be edited while the audit is open. Be sure to check the contest guidelines and rules and participate actively!", "Question: Why is not using a two-step transfer pattern for access control assigned a low severity level in smart contracts audits?\n\nAnswer: The severity level for not using a two-step transfer pattern for access control in smart contracts audits is classified as low. This is because one-step changes with critical addresses could potentially lead to errors, while two-step changes are considered safer and better practice. Using a two-step change process can help prevent errors such as unintentionally passing in the wrong address. Despite this, the lack of a two-step process is not considered a major vulnerability, hence its low severity classification. 
For more details on severity level classifications, you can refer to these resources: [Low Risk Classification](https://github.com/byterocket/c4-common-issues/blob/main/2-Low-Risk.md#l004---use-two-step-transfer-pattern-for-access-controls) and [Estimating Risk](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr).", "Question: Could the process be improved by providing the sponsor with a comprehensive report of all issues found by the tool prior to the contest, with the intention of reducing report spam?\n\nAnswer: The idea of providing a thorough report to the sponsor before the contest starts does merit consideration. However, the current procedure at CodeArena is designed to ensure fairness and to protect the integrity of the contest. Sponsors are given access to the findings repository one week after the contest with all the issues that have been triaged and deduped. This is to prevent the potential exploitation of early access to vulnerability submissions.\n\nParticipants are welcome to discuss issues with sponsors before the contest is complete, and specific scope questions can be directed to the respective sponsor. But, sponsors may not have access to the findings repository until the contest concludes. \n\nWhen a submission is made but not rewarded, participants can review why their submission was not accepted once the report is out and the repository is fully opened. This transparency allows participants to learn from the feedback provided by sponsors and judges.\n\nAfter the contest, the process includes sponsor review, judging, awarding, and then reporting. The final published report allows participants to see the results of their submissions and to learn from the entire process. \n\nTo further reduce report spam, CodeArena has restrictions on submitting more than one report of gas optimization in a contest; contestants are encouraged to compile all findings into one report. 
It's also suggested that similar submission issues are grouped together for efficiency.\n\nWhile the proposal for pre-contest reporting is valuable, it's important to balance it with the current procedures that ensure fairness, learning opportunities, and integrity of the contests.", "Question: Why are certain tools' outputs not allowed in the submission process and what are the expectations for using automated findings in contest submissions?\n\nAnswer: CodeArena's policy towards tool outputs is designed to prevent judges and sponsors from wading through multiple reports consisting of the same findings. While it might seem absurd to allow one tool's output and ban another's, the goal is to encourage structured reporting and discourage the direct pasting of output from public scanners without any contextual information or triage.\n\nIn contests, if a participant escalates an issue from low to high severity, the issue is not automatically invalidated. However, it's important to note that when using automated tools for initial findings, there is a higher burden of proof to demonstrate a relevant high or medium severity exploit path to be considered satisfactory. Submissions based on automated tools must provide strong evidence to justify their ratings. Further details can be found at https://github.com/code-423n4/org/discussions/50 and https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.\n\nThere are also instances when a bot identifies an issue and proposes a fix. But if the fix introduces more damaging exploits, it's important not to treat bot mitigations differently from incorrect fixes proposed in the chat. It's always advisable to report any discrepancies or new bugs introduced through mitigation efforts.\n\nFor each contest, a tool called the 'C4udit' is used to generate automated findings. 
The findings by this tool are usually considered as common findings and are out of scope in the contest as they are ineligible for rewards, as detailed at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible. Any findings not picked up by the tool should be submitted.\n\nRemember, the aim is not simply to find the vulnerabilities but to improve the overall quality of the smart contracts. So, while tools can assist with the auditing process, they should be used judiciously and in conjunction with other auditing strategies.\n", "Question: What are the best practices for submitting findings from smart contract audits on CodeArena, and how should I handle outputs from automated tools and potential issues?\n\nAnswer: At CodeArena, we encourage our users to add context and triage when submitting the outputs from automated tools, rather than pasting the output directly. This helps provide clarity regarding the specific issues found and their potential impact. It's currently unclear whether findings should be submitted as separate issues or as one, but general consensus leans towards submitting one report for all occurrences of the same issue, rather than individual reports. \n\nThe impact of automated findings on contests is also a common question, but no clear answer has been provided yet. When in doubt, it is advised to submit any findings you come across or to direct message the sponsor team for additional context. There's no need to confirm findings with the project's developers before submitting them. \n\nNon-critical findings can be reported out of goodwill, but there isn't an official incentive for doing so. The severity of an issue does not matter as much as providing a comprehensive explanation of the finding. 
Similarly, citing similar findings from other contests to justify the severity and validity within a submission is allowed; however, judges will consider the entire context when judging.\n\nAs for submitting findings, it's acceptable to provide a link to a competitor as a mitigation for an issue, and a bug report without a Proof of Concept (PoC) may be accepted if the issue is extremely obvious. There is a \"CodeArena Report Generator\" tool for generating automated findings, but it's unclear if this tool is being officially used or who has the authority to run it. \n\nThere has been a discussion about potentially implementing an editing feature for submitted findings to lessen the load on the team handling tickets. As of now, it appears that findings may not be editable once submitted. \n\nMoreover, it's still uncertain whether the issues in the published reports are the same as those reported initially and whether the published reports are a summary of what was submitted by the wardens. Lastly, if you have queries about the reasons for findings rejection, you can check the findings report repositories, but the exact location is currently unclear. \n\nPlease note that all these observations are based on the current discussions from our Discord chatroom and may be subject to changes as new features or guidelines are introduced.", "Question: Can I take on the roles of both Warden and Manson in CodeArena, and what privileges and responsibilities do these roles come with?\n\nAnswer: Yes, you can assume the roles of both a Warden and a Manson in CodeArena. As a Warden, you have the opportunity to participate in our audit contests, either individually or as part of a team. You can find the method of registering a team at [this link](https://docs.code4rena.com/roles/wardens#registering-a-team). To access certain channels or to join specific contests, you'll need to register as a Warden. 
\n\nThere are also certified Wardens, who enjoy additional privileges like attending private audits, participating in private contests, and being eligible for the judge role to some extent. Becoming a certified Warden involves fulfilling certain eligibility requirements, which you can find [here](https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor). \n\nMoreover, we encourage team-ups between wardens who are great technical writers but are just beginning as auditors, and those whose technical skills are more advanced than their English communication abilities. \n\nThere are also some contests like the \"vs contest\" which are specifically for certified wardens and have an RSVP process. We aim to offer opportunities for everyone and strive to ensure a rewarding experience for all participants. Note that further specifics about the privileges of certified wardens are not detailed at the current time, and other conditions might apply.", "Question: Is there a way to get notifications whenever a new audit report gets published on the CodeArena website?\n\nAnswer: While it's currently not implemented, there has been a suggestion to create an announcements-like channel named #audit-reports in our Discord server, where a new message would be posted every time a report gets published on the CodeArena website. Updates are currently shared in the #\ud83d\udce2announcements channel where public results and findings are posted. Contest results are also announced in this channel. Additionally, information about audit office hours is shared in the C4 rollup in the #announcements channel. For those interested in starting a contest or learning about C4 auditing, you can visit the #\ud83c\udfebeducation channel. If you want to participate in upcoming public audits, you can use the #\u270brsvp channel. The reports are published on the C4 site and findings for completed audits can also be checked via the C4 GitHub repo. 
For any issues with your C4 account, you can get help in the #auth-help channel. For now, you can check for updates at this Discord link: https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490 as well as in #\ud83d\udce2announcements and the C4 newsletter. We appreciate your suggestion and will take it into consideration as we continually strive to improve our communication channels.", "Question: How should I use the automated output while submitting my findings in the CodeArena audit report?\n\nAnswer: Automated output can indeed be utilized in the CodeArena audit report. However, it should not be pasted directly from a public scanner without context or triage as it is considered inappropriate. Automated findings should be used to build a strong case, particularly for issues of high or medium severity, to add real value to the sponsor, audit report, etc. In fact, if a low severity finding in a contest's bot report is escalated to a high severity, it is not automatically invalid. However, submissions based on automated tools must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory. The policy is explained in detail at [Code4rena Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). \n\nThere are discussions around whether all non-critical findings can be combined into one QA report, or if it's better to create a separate QA report for every finding. This would depend on the specifics of the findings and the preferences of the auditing team. If unsure about a finding due to lack of specification in documents, it's advised to submit these findings or seek additional context from the sponsor team. 
\n\nWhen you submit a Quality Assurance report for the first time and encounter an error, you can confirm if it has been submitted successfully by checking your email for a confirmation or by viewing the findings through the \"View Context\" function. There's also an option to pass a link to a website for QA reports or Proof of Concepts. \n\nPlease note that findings in non-best, unpublished bot-generated reports are still eligible for submission. If you come across the same issue that was found with the automated finding but in a different instance, there's no harm in submitting it. \n\nFurthermore, while drafting your report, you can include the \"Recommended Mitigation Steps\" in the bug template. Although it's not mandatory, it can enhance the value of your report. Lastly, you can also send an analysis report about the system with no significant findings or any findings at all, to provide advice on things to consider for the future of the project.", "Question: What is the typical timeframe for the KYC process at CodeArena and what should I do if it is delayed?\n\nAnswer: The Know Your Customer (KYC) process at CodeArena typically takes a few days to a week or longer to complete. However, there have been instances where some users have reported waiting for up to 10 days or more. This timeline can vary based on numerous factors and can be expedited if the necessary documents are supplied promptly. After submitting your KYC application, Provenance usually sends the KYC mail within one business day. Following submission, there is a 48-hour deadline for response after providing all documents to Provenance for certification. Post certification, it can take a few more days to get the certified role, and backstage access request processing could take up to 24 hours after KYC is admitted. 
If you have not received any reply to your KYC application or it is still pending after five business days, you can raise a help request through the form on the company's website or submit a help desk request to track the status of your KYC confirmation. If you are applying to become a Certified Warden, the KYC email may take approximately 2-3 weeks to receive after submission and it takes an additional 2 weeks to mark a warden as certified post approval. Please note, the KYC application process can be initiated at https://docs.code4rena.com/roles/certified-contributors. If you've received a confirmation email from Provenance regarding your KYC, you may have to wait for a certain period for the role. Bear in mind that this email is sent from compliance@provenance.company and might appear in your spam folder. It's also important to note that the KYC process might involve rejections, and the reasons for these rejections are not always communicated.", "Q: What is the process and potential consequences for reporting issues, including those I'm not certain about or turn out to be non-issues, during the contest? \n\nA: At CodeArena, we encourage users to report issues they identify during a contest, even if they are unsure about the severity or accuracy of the issue. Accidental reporting of non-issues does not usually have negative consequences, but it is recommended to withdraw such reports to save the judges' time. If you realize something is a false positive after submission, you can retract the submission by going to the contest page and clicking the findings tab.\n\nReports can be made with worded descriptions only, and there is no penalty for wrong reasoning as long as it's not spam. That said, it's important to note that the score for a report may be lowered if it contains a few invalid issues. 
Furthermore, if your report is very similar to an automated bot report, it may be further penalized.\n\nIf you have submitted a medium risk report that is later deemed high risk, unless there's a reason to penalize it (such as it being incomplete, lacking detail, or not as accurate), it gets raised to high. If a High severity bug turns out to be only Medium, the reward for a Medium bug is still received. \n\nWe have guidelines for estimating the risk of a bug, which can be found here: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. If the severity of a reported issue is still unclear, it's advisable to continue working on the Proof of Concept (PoC) until it becomes clear, or direct message the sponsor team for additional context.\n\nIssues can be reported even if they rely on users making a mistake in interaction with a contract, although these will likely not have the same severity as those not requiring a user mistake. \n\nInaccuracies in a QA report can affect the QA grade. For example, if too much information is accidentally pasted in an issue that should not be publicly available, editing is the suggested course of action. If a typo is made in a report, it can be corrected by filing a help ticket, unless it doesn't drastically change the meaning of the finding.\n\nWith recent changes, be aware that submitting more than 3 invalid issues per contest can result in punishment. Therefore, it is imperative to respect other participants' and judges' time by ensuring your reports are as accurate as possible.", "Question: What is the process and potential consequences for submitting, withdrawing, and managing issues in CodeArena contests?\n\nAnswer: In CodeArena contests, participants are allowed to submit issues they've discovered during an audit. It's worth noting that if a participant believes they've found an issue but it later turns out not to be one, there are no negative consequences. 
Participants are, however, encouraged to withdraw such reports to save the judges' time. \n\nSubmission of issues does not strictly follow a first-come-first-serve basis. Rather, judges pick the primary issue based on the quality of the write-up. It should be noted that even if an issue is submitted with high severity and the judge disagrees, the issue might be downgraded but the participant will still be awarded for the found issue, unless judges invalidate it for overinflating severity. \n\nThere are concerns about participants submitting invalid issues. If a participant submits invalid issues, it can lead to punitive actions if more than three of such issues are submitted per contest. There is an option for participants to withdraw their issues if they feel it might be invalid or wish to resubmit. Any withdrawn issues are marked as such and are then closed. \n\nIf a participant makes a submission to a contest but is not rewarded, they can review why their submission was not accepted once the report is out and the repository is fully opened. This allows them to see the discussion among sponsors and judges on the specific issue. It should also be noted that if two wardens submit the same issue, there is no advantage for the one who submits first.\n\nIn the case of submitting issues found in out-of-scope contracts or automated findings, participants are advised to direct their inquiries to the moderators or help desk. \n\nFinally, if participants have their submissions rejected or have concerns about the validity and invalidity of their issues, there is a process in place for them to discuss or argue their case. Feedback is often provided to help participants improve their future submissions.", "Question: Can you clarify the rewarding formula for findings of different severities and how the count value changes in case of partial credit? 
Moreover, what happens to the rewards in a contest if no high or medium issues are found?\n\nAnswer: The rewarding formula for findings in CodeArena is based on the severity of the issue found. High severity issues receive a higher reward compared to medium and low severity issues. The count value may be adjusted in case of partial credit, for example, if multiple people report the same vulnerability or if the finding only partially meets the criteria for the claimed severity. This way, the reward distribution remains fair and reflective of participants' contributions.\n\nIf no high or medium issues are found in a contest, rewards are still distributed amongst participants based on the value of their findings. However, the total reward pool might be less due to the absence of high or medium severity findings. It's important to note that all findings, regardless of severity, contribute to the overall quality of a project's smart contract security and are valuable to the project team. \n\nFor a more detailed explanation of the reward distribution, you can refer to our reward distribution guidelines (URL). We encourage participants to make the best and clearest case possible when submitting findings to ensure fair judgement. \n\nRegarding whether potential medium findings need to include a Proof of Concept (POC), while it's not mandatory, it certainly helps in demonstrating the issue and justifying its severity. Hence, it is highly encouraged. \n\nIf you're unsure whether to submit findings as separate issues or as one, consider the nature of the findings. If they are closely related or stem from the same root cause, it makes sense to report them as one. If they are distinct issues, it's better to report them separately. \n\nAs for automated findings or bugs introduced through mitigation efforts, they indeed impact the contest. All findings, including these, should be reported as they assist in improving the overall security of the project. 
\n\nRemember, honesty and transparency are crucial in our contests. We always advise revealing the findings to the project only when the contest is over to avoid any dishonest practices. \n\nLastly, keep in mind that judging can often be a complex process with many factors considered, so each decision is made carefully to ensure the most accurate and fair results. For any doubts or further queries, we are always here to assist.", "Question: How does the process of receiving rewards in USDC on the Polygon network from CodeArena work?\n\nAnswer: All rewards from CodeArena are distributed in USDC on the Polygon network, not the Ethereum network. These rewards are sent to the Polygon address registered in your account. It's important to note that your Polygon and Ethereum addresses are required for the withdrawal process. Once the rewards are distributed, you can monitor your tokens on https://polygonscan.com/address/ and funds can be moved back to the Ethereum Mainnet using the polygon bridge https://wallet.polygon.technology/.\n\nIn case you need to move funds to another wallet, you might need Matic, a cryptocurrency used to pay the transfer fee. Matic can potentially be obtained for free here: https://wallet.polygon.technology/gas-swap/ or swapped without a gas fee at https://polygontimes.com/swap-for-gas-instant-gasless-matic-tokens-on-polygon-pos/.\n\nTo bridge from Polygon to Ethereum and later withdraw USDCs on Coinbase, both Matic and Eth are needed if using the Polygon bridge. Alternatively, if using the Hop Bridge, only Matic is needed but less USDC will be received on the Ethereum Mainnet. Please note that you can deposit USDC into Coinbase directly from Polygon.\n\nRewards might not be distributed immediately after computation due to the use of multisignature (\"multisig\") wallets which require signatures from multiple parties before funds can be released. 
In the future, awards will be distributed via smart contract once more pieces are in place.\n\nLastly, it's important to mention that all smart contracts, including those built on Polygon, can be audited through CodeArena.", "Question: What is the process and requirement for KYC verification in order to participate in contests and receive prizes?\n\nAnswer: KYC (Know Your Customer) verification is required for some but not all contests at CodeArena. You can participate and even receive payouts for most contests without being certified or undergoing KYC verification. However, certain contests, such as the Chainlink contest, require participants to go through the KYC process to be eligible for rewards. This will be explicitly stated in the contest's rules. \n\nTo start the KYC application process, you need to visit https://docs.code4rena.com/roles/certified-contributors. If you are participating as part of a team, all team members must complete KYC verification in order to be eligible for payouts. \n\nOnce you apply for KYC, you will receive an invitation link via email from Provenance, and you will need to go through an ID verification process. It's important to note that clearing KYC and becoming a certified contributor doesn't automatically grant access to all contests, and certain contests may have additional requirements. \n\nIf a prize is won but cannot be claimed due to KYC issues, there is uncertainty about whether the prize will be held until KYC completion or if it may be lost. \n\nFor contests that require KYC, participants can verify their identity after the contest ends in order to receive the payout. 
However, it is generally advisable to complete the KYC process before participating in these contests.\n\nFor additional information or to check if an address has been submitted for rewards, use the help form at https://code4rena.com/help.", "Q: What happens if I submit a bug for a contest with a potentially incorrect understanding of the application logic, or if I misclassify the bug's severity?\n\nA: When you submit a bug for a contest, it's crucial to have a thorough understanding of the application logic and accurately classify the bug's severity. If the application logic is misunderstood, and it's determined that the application is working as intended, the sponsor won't confirm the issue. Misclassification of the bug's severity is another common concern. However, even if a bug initially classified as high severity turns out to be only medium, you will still receive the reward for a medium bug. \n\nIf you submit a correct bug issue with an incorrect proposed solution, you can update your submission if the contest hasn't ended. Furthermore, you have the ability to view or edit your submissions on the site for open contests. If the severity level assigned by you is evaluated differently, your submission will not be invalidated. \n\nWhile submitting an issue, it's beneficial to include a proof of concept and a case for how the item can be exploited to avoid being marked as invalid. Should you need to increase the severity of a submitted bug during a contest, you can submit a help request to remove the original submission and then submit again via code4rena.com/help. Judges may choose not to increase the level of severity of a bug if it is a duplicate of other bugs and hasn't been well explained or proven. \n\nYou can find further clarification on this in the guidelines available at https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions. 
Here, they also clarify concerns about a high severity issue being downgraded to medium by a judge, and whether it would be considered overinflated severity and thus be invalidated. \n\nRemember that precision in your report and proof of concept, clear and understandable writing, and correct identification of the highest possible impact of the bug are part of the grading criteria for quality submissions. In case of duplicate submissions, you can refer to the judging criteria at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions. \n\nFor any changes to the severity after the closing time of the contest, you can communicate it either through the PR or by contacting one of the judges. If you have further queries or concerns about the validity and invalidity of the issues you have submitted, we recommend reaching out to the team for clarification.", "Question: How does CodeArena determine the severity level of reported issues in smart contracts and what guidelines should I follow when reporting a bug?\n\nAnswer: The severity of reported issues in smart contracts, also known as rug-pull vectors, is determined based on the impact of the bug. This is achieved by evaluating the potential consequence and likelihood of the problem at hand. High severity problems generally involve substantial fund loss or other severe consequences that do not require specific pre-conditions. On the other hand, medium severity issues usually have less impact and require specific pre-conditions such as high attack difficulty, specific market conditions, or user unawareness.\n\nIn terms of reporting a bug, it's important to make a clear case for the chosen severity level, providing as much evidence as possible to support your arguments. 
The grading criteria for quality submissions include correct identification of the highest severity impact of the bug, making the case for the severity and validity of the bug with evidence, and clear and understandable writing.\n\nIf you're unsure about the severity of a reported issue, you can review the judging criteria available at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk. Furthermore, the exact criteria for low, medium, and high severity issues are detailed at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization. If there's still uncertainty about the severity, it's advisable to continue working on the Proof of Concept until it becomes clear.\n\nPlease remember that while self-assessment of risk is taken into consideration, the final determination of severity is made by a judge and this can impact the award levels. Also, if a low severity finding is escalated to a high severity, it is not automatically invalid. The criteria for judging such cases is explained at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. The value of your bug report is partly based on correctly assessing its severity and presenting compelling evidence.", "Question: Can I change my username on Code4rena, and if so, how?\n\nAnswer: Currently, usernames on Code4rena are essentially immutable and cannot be directly changed as they serve as a foreign key across a variety of datasets. However, there are some instances where a username change may be considered. To change your username, you will likely need to re-register on CodeArena. For changes related to your profile such as updating a Twitter username or changing the link associated with your username in leaderboard/contest results, you can submit a help desk request at [https://code4rena.com/help](https://code4rena.com/help). Please include necessary details in your request for a smooth process. 
It's important to be aware that changes to your username may have different impacts on other parts of your account, for example, the leaderboard. Any issues encountered during this process can also be reported via the same help desk link.", "Q: I couldn't see any funds in my Polygon wallet and I didn't authorize any transactions. What could possibly be the issue?\n \nA: If you are certain you did not authorize any transactions and your funds are missing, it's likely your key has been compromised. However, there could be other explanations too. It's possible that you're viewing the wrong network. You can monitor your address on the Polygon network at https://polygonscan.com/address/. Also, ensure you're checking the correct wallet. For instance, rewards from our vulnerability audits and contests are sent to the Polygon network, not the Ethereum network. This could be why you're not seeing your funds if you're checking your Ethereum wallet. In addition, tokens on Polygon may not automatically show up in your Metamask wallet. You might need to manually add them. If these checks don't resolve your issue, then it's highly likely that your key has been compromised. You should take immediate steps to secure your account.", "Q: What happens if I submit an issue that I believe is a high severity, but a judge disagrees and thinks its severity is lower? Will my rewards be affected, and under what circumstances could my submission be invalidated?\n\nA: The judges at CodeArena have the discretion to adjust the severity of an issue you've submitted. If you submit what you believe to be a high severity issue but the judge downgrades it to a medium or low severity, you will still be rewarded, but the rewards will be reflective of the final severity determined by the judge. The judges may invalidate your issue if they believe you have over inflated the severity. However, if your issue is well thought out, it's unlikely to be invalidated due to a change in severity during judging. 
\n\nSubmitting a high severity issue without working code that demonstrates its impact may lead to the issue being downgraded or deemed ineligible for rewards. It should also be noted that severity levels can be upgraded if judges deem it necessary. Be sure to make a strong case for the chosen severity in your submission.\n\nIt's also important to note that, in rare cases, a submission could receive a 0 grade if a judge determines that it merits that grade. To avoid this, it's recommended to review the judging criteria and ensure that your submission meets the required standards. You can find the judging criteria at: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk, and the exact criteria for low, medium, and high severity issues can be found at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization.\n\nIn case of any uncertainty about the severity of a reported issue, it is advised to make a case for the chosen severity using evidence and clear and understandable writing. Submissions that include a Proof of Concept (PoC) and cover the issue in as many aspects as possible are more likely to receive higher rewards.\n\nBe aware that the rewards for a contest are divided based on Quality Assurance if no high or medium severity issues are found. You can find more information about how rewards are awarded at: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.\n", "Question: Are the issues in the published reports identical to those initially reported by the wardens, and do these published reports serve as a summary of the original submissions? 
How are duplicate findings and the level of details in the reports handled?\n\nAnswer: The issues presented in the published reports generally align with those initially reported by the wardens, although the published versions may be more refined and concise. The more wardens find the same issue, the less money each warden receives for this issue. However, the sequence of submitting issues does not affect the payout structure. If the same vulnerability is reported by multiple wardens but with different severity levels, the severity for award calculation is determined during the deduplication process and subsequent adjudication [https://docs.code4rena.com/incentive-model-and-awards]. \n\nThe level of detail in a warden's report, such as the inclusion of a Proof of Concept (PoC), and the comprehensive coverage of the issue can influence the award amount. For instance, if a warden identifies an issue in an automated finding that could lead to a high severity finding, it can be reported again during the contest and could potentially earn a higher severity award. \n\nIt is also worth noting that a warden's report can be revised and resubmitted. If an issue submitted as 'low' in a QA report is later determined by the judges to be 'medium', it could be eligible for medium rewards [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum]. \n\nFurthermore, backstage access is provided to certified wardens, allowing them to observe the report submission and triage process. The final contest report becomes public once published, and other wardens who found the same issue can also review the findings report [https://docs.code4rena.com/roles/wardens/submission-policy#report-format]. \n\nDespite the general policy, there can be cases when a warden's report is not chosen for publication, even if it's not the first similar report. 
The decision to feature a report in the client report rests with the judges, who may consider various factors such as the degree of uniqueness, depth of analysis, and the overall value of the report.", "Question: Can you provide resources and advice for someone seeking to learn about smart contract security and auditing, including books, certifications, tools, and potential career paths?\n\nAnswer: Absolutely. There are several resources to get started with learning about smart contract security and auditing. As a beginner, you can start with resources such as \"How to Become a Smart Contract Auditor\" by cmichel.io [link](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and CodeArena's own guide on the tools and resources needed for smart contract auditing [link](https://docs.code4rena.com/roles/wardens/tools-and-resources). \n\nFor hands-on learning, consider smart contract bug bounty hunting with resources like CryptoZombies.io for solidity [link](https://cryptozombies.io/) and CaptureTheEther.com for Capture the Flag challenges [link](https://capturetheether.com/). \n\nFor practical tools used in smart contract auditing, consider studying the Geth node and Web2 security in the context of Web3. You might also find a smart contract scanning tool that can detect price manipulation vulnerabilities useful [link](https://app.metatrust.io/project). Fuzzing tools and the application of machine learning are other areas you might want to explore in smart contract auditing.\n\nIn terms of certifications and further learning, a YouTube resource was suggested for learning the math of solidity projects [link](https://www.youtube.com/@smartcontractprogrammer). Other platforms like Sherlock also offer services for auditing smart contracts, yet this may require a higher level of competence [link]. 
We also have an #\ud83c\udfebeducation channel in our Discord where you can deepen your knowledge in this area.\n\nAs for career paths, it really comes down to your interest. There's a demand for both smart contract security experts and traditional web2 security professionals. Some even combine the two, keeping up with traditional hacking and web2 security while working on smart contract auditing as a side project. Ultimately, you should focus on what you enjoy and are interested in, not just potential earnings. \n\nKeep in mind that while the focus should be on smart contracts, understanding concepts related to web2 security can be beneficial as some web2 security topics also apply to web3 security. \n\nNote that while there are automated tools for finding vulnerabilities in smart contracts, audits by professionals are still sought after because these tools may not catch everything. As for the average salary for smart contract auditors, we don't have specific numbers, but it's generally a well-compensated field due to its specialized nature.\n\nRemember, the field is evolving, so continuous learning is key to staying current in smart contract security and auditing.", "Question: How can potential hackers access my signature or personal data through my Discord account linked with CodeArena?\n\nAnswer: It's possible that potential hackers may attempt to access your personal data, including your signature, through Discord or other linked platforms such as CodeArena. This could occur if your Discord account gets hacked, which can happen if you click on a malicious link or if your private key gets leaked on a public platform like GitHub, where bots could be monitoring new repositories.\n\nTo safeguard your personal data and CodeArena account, ensure that your Discord account is secure. If you suspect that your account has been compromised, you can submit a help desk request with details and a signed message from mycrypto.com. 
Here is the link for creating signed messages: https://app.mycrypto.com/sign-message. \n\nAdditionally, always verify any changes made to your Discord and CodeArena accounts. If you opt to change your wallet or username on Discord, these changes can potentially be reflected in your C4 account. However, changing the login address on CodeArena is not currently supported. \n\nIn the case of a username change, you can update your Discord name on the Account Management page of your warden profile, but your Discord nickname should remain as your registered C4 username. If your Discord username is updated, it is advised to submit such queries via the Help Desk for the developer team's review. \n\nIn the unfortunate event of your wallet getting hacked, you can change your payment address and report the incident via the Help Desk. \n\nPlease be reminded that your personal safety and data security is of utmost importance. Always exercise caution while interacting online, avoid sharing sensitive data, and promptly report any suspicious activities.", "Question: How can I effectively use images, such as screenshots or smart contract visualizations, in my audit report to enhance my explanations of proof of concepts or findings?\n\nAnswer: Images, including screenshots and visual representations, can be quite useful in explaining proof of concepts or detailing findings in your audit report. You can add images directly into a report to help you illustrate a point more effectively. You can use Markdown to embed these images. However, make sure the images used are relevant and assist in understanding the report better.\n\nAdditionally, there's a unique approach you can take in visualizing smart contracts. You can convert a non-image task into an image task by transforming a smart contract into representative shapes, then train a model based on these shapes to predict the vulnerability of future contracts. 
Here's a useful GitHub link that provides more details on this approach: https://github.com/DanielVF/evm-contract-draw\n\nAlso, when understanding the information displayed in these images, it's essential to pay attention to specific icons and symbols. For instance, there was a mention about a yellow icon whose explanation could be found in a particular location. Ensure to consult these explanations to fully grasp the content of the images. \n\nPlease note, if you are using a screenshot, it's crucial to provide a complete step-by-step explanation, especially in the context of a proof of concept. If your report refers to specific lines of code or code grades, ensure that these elements are clearly displayed and explained in your image or accompanying text. \n\nLastly, be aware of the implications of certain information in these images. For example, the severity of an attack made by governance, represented in the image, can depend on the judge, as governance is usually assumed to be a trusted party. \n\nRemember, the goal is to enhance comprehension and provide a more in-depth analysis of your findings, not to confuse the reader with unnecessary or unclear visuals.", "Question: How can I protect my wallet from future attacks and what steps should I take if my wallet has been compromised?\n\nAnswer: Protecting your wallet against future attacks involves several steps. Firstly, consider moving your assets to a new wallet. This makes it more difficult for malicious parties to gain access to your assets if they've already compromised your existing wallet. \n\nAlso, remember to keep your private keys secure and never share your seed phrase with anyone. In case of social engineering attacks, be cautious about the information you provide online. \n\nIn the unfortunate event that your wallet gets hacked, you should follow various steps to mitigate the damage. Change your payment address immediately and remove the compromised address from your login information. 
If you've lost your seed phrase, you can follow the steps mentioned here - https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked. If your Code4Arena wallet is compromised, submit a help desk request here - https://code4rena.com/help/\n\nRegarding vulnerabilities found in smart contracts you're auditing, make sure to report them to the relevant channels, such as security@code4rena.com for issues related to Code4Arena's web app. While reporting vulnerabilities, it's beneficial to include a proof of concept and show how an item could be exploited to help avoid invalidation. Attack findings using automated tools require a higher burden of proof, and more information on this can be found at https://github.com/code-423n4/org/discussions/50. \n\nAlso remember, multiple instances of the same vulnerability should be reported as a single issue. In addition to identifying vulnerabilities, it's also useful to provide potential solutions or mitigations. However, be aware of the potential for these mitigations to introduce new, potentially more damaging, exploits. \n\nFinally, continuous learning and practice are crucial to improving your skills in identifying vulnerabilities and preventing attacks. Participating in exercises like Capture the Flag can be a beneficial way to hone these skills.", "Question: I think my MetaMask wallet has been compromised and my Code4rena rewards have been stolen. How can I address this issue and prevent it from happening in the future?\n\nAnswer: I'm sorry to hear about your situation. Firstly, you need to verify how the malicious transaction was created. Did you sign some random things or do you have unlimited approvals to sketchy operations? Also, you should consider the possibility of your private keys being leaked on public platforms such as GitHub. \n\nTo address the current situation, you might want to consider creating a new MetaMask wallet on a new device that's not connected to the internet. 
This should keep it safe from further attacks. Notably, hardware wallets are also a safer option to consider.\n\nIn case your balance shows zero in your MetaMask wallet despite a hash on polygon scan with your address, it could be due to a compromised key. If you change your payment address and remove the compromised address from your login, don't forget to submit a help desk request if you logged in via the same wallet.\n\nTo prevent such situations in the future, ensure you're careful with your private keys and do not share them publicly. Also, always verify and approve transactions carefully - avoid signing any random or suspicious operations.\n\nIf you wish to change your wallet address on CodeArena, unfortunately, currently Code4rena does not allow users to change their login wallet address but if you have Metamask, you can link multiple addresses. More information about it can be found here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with.\n\nIn case of a serious incident such as your C4 wallet being hacked, you should submit a help desk request. This can be done via https://code4rena.com/help/.\n\nPlease take note that Metamask wallet is functional for submitting findings for C4 payments. If you lose the seed phrase from your wallet, follow the steps mentioned here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked.", "Question: How can I ensure the security of my wallet and protect it from potential attacks on Code4rena?\n\nAnswer: To ensure the security of your wallet, you should always start by using a new wallet and maintaining the confidentiality of your private keys. It is vital to avoid storing your private keys on a public platform like GitHub to avoid your wallet being hacked, as bots might be monitoring new repositories. Social engineering attacks should also be considered and avoided. 
\n\nIf you are using Code4rena, there are two types of wallets you should be aware of - a login wallet and a payment wallet. The login wallet is set up when creating your account and the payment wallet can be updated in your profile. If you suspect that your wallet has been compromised, you should immediately change your payment address to protect future rewards from being stolen. You can do this within your user profile on the Code4rena platform. \n\nIf your wallet is compromised, you should follow the guidance provided here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked. In case your wallet was hacked and you wish to change your payment address, you can create a help desk request if you logged in via the same wallet. This can be done via https://code4rena.com/help/.\n\nTo verify your payout for vulnerability issues, you can check the wallet address with which you registered using polygonscan.com or wallet trackers like debank.com. If you have already submitted a finding and wish to change the wallet address used, you can do this before the reward payout by submitting a request through the Help Desk.\n\nLastly, if you are using a Metamask wallet, consider setting up a new Metamask wallet on a new device, preferably one not connected to the internet, as a potential solution to avoid future security incidents.", "Q: Could you provide a detailed explanation of the function transferWithAuthorization(address from, address to, uint256 value, uint256 validAfter, uint256 validBefore, bytes32 nonce, uint8 v, bytes32 r, bytes32 s)? \n\nA: The function transferWithAuthorization is typically used in smart contracts to enable approval and transfer of tokens in a single transaction. The parameters passed to the function include the addresses of the sender and receiver, the value to be transferred, the validity period, and a digital signature, which consists of nonce, v, r, and s. 
\n\nIf you're seeing this function invoked unexpectedly, there may be potential security concerns. It could indicate that your private key (PK) is compromised, allowing attackers to recreate the digital signature and authorize transactions on your behalf. Alternatively, you may have unintentionally signed off on a transaction, a common strategy used by scammers.\n\nFurthermore, it's crucial to evaluate the context in which the function is used. For example, based on the chat observations, there's a discussion about the possibility of calling the \"safeTransferFrom\" function from an ERC-777 token contract in another smart contract. This is significant because different tokens have different methods and expectations, and the safety and behavior of transfer functions can depend on these factors. \n\nTo test certain functions from a smart contract, a mocked token needs to have safeTransfer and safeTransferFrom functions. SafeTransferLib is used for safely transferring funds to a user; it checks whether the operation of sending funds is successful by checking the return status of the call.\n\nAdditional information about not checking failed transfers/approves is provided in this Github link: https://github.com/yearn/yearn-security/blob/master/disclosures/2020-09-25.md.\n\nHowever, this is a simplified explanation and to fully understand how this function and other similar functions work, including delegatecall, one must consider various factors like token specifications and contract expectations. More detailed information can be found in the Solidity documentation and source code: https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302.", "Question: What steps should I take if I suspect my MetaMask wallet has been compromised or hacked, and how can I prevent future attacks?\n\nAnswer: If you suspect that your MetaMask wallet has been compromised, the first step is to identify how the malicious transaction was created. 
For example, you may need to investigate if you signed any unexpected approval or have unlimited approvals to sketchy contracts. In some cases, a bot may be monitoring new GitHub repositories and exploiting vulnerabilities if private keys are accidentally leaked. \n\nTo prevent further attacks, it's recommended to create a new MetaMask wallet on a new device that's not connected to the internet. You may also consider using hardware wallets for better security. If you're unable to view your funds on your Polygon wallet, it could indicate a potential compromise of your keys. In such cases, you should remove the compromised address from your CodeArena login and change your payment address.\n\nIf you lose the seed phrase of your wallet or if your CodeArena wallet is hacked, you can follow the steps mentioned at https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked to recover. You can also submit a help desk request at https://code4rena.com/help/ for assistance, especially if you logged in via the compromised wallet. Please note that currently there is no support for changing the login address on CodeArena, so it's crucial to keep your login credentials secure.\n\nBear in mind that while automated tools can help identify vulnerabilities, human audits are still essential to ensure the security of smart contracts. Many of the risks associated with web2 security also apply to web3 security, so comprehensive security practices are essential.\n\nFinally, remember to never share your private keys publicly and always ensure you're logging in with the correct wallet and email to avoid any potential security issues.", "Question: How can I change or update my wallet address on CodeArena?\n\nAnswer: There are two types of wallets on CodeArena: a login wallet and a payment wallet. The login wallet is set when creating your account and currently cannot be changed. However, if you use Metamask, you can link multiple addresses. 
More information on this can be found at: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with\n\nAs for the payment wallet, this is where you receive your awards. It can be updated within your user profile on CodeArena, specifically in the Manage Account section at https://code4rena.com/account. This could be useful if your wallet has been compromised or if you want to use a new wallet for receiving future rewards. \n\nRemember, if you change your payment wallet address, any rewards will be sent to the wallet address on file at the time the awards are calculated for an audit. If you want to use a new wallet address in your reports moving forward, the rewards for the report will then be distributed to the new address.\n\nDue to the complexity of changing wallet addresses, participants are requested to reach out only if the change is extremely important, like if the old wallet was hacked. If you need further assistance or have forgotten your registration wallet address, you can submit a request through the Help Desk at https://code4rena.com/help.", "Question: How does voting within the CodeArena's DAO system work and what are its implications?\n\nAnswer: CodeArena's DAO (Decentralized Autonomous Organization) voting system operates using the $ARENA token. This token provides governance rights, including authority over the DAO treasury. More information about the token can be found in the DAO constitution [here](https://github.com/code-423n4/org/blob/main/CONSTITUTION.md). \n\nThe DAO voting system is utilized to delegate responsibilities, such as running contests or making changes to allow for invoicing. Some actions need a vote before they are enacted, and the definition of which actions require voting can be found in this forum post [here](https://forum.code4rena.com/t/c4ip-1-2-3-4-5-constitution-dao-bootstrapping-reimbursements-token-sale/93). 
\n\nIn specific cases, like the ElasticDAO, a multisig controller enacts the snapshot votes on chain. This system allows for trusted functions to occur, such as controlling, minting, and burning. \n\nAdditionally, there are groups such as \"gov-wg\", which is a Working Group set up to establish a DAO structure. The DAO voting system also plays an essential role in contests. For instance, the Nouns DAO contest has a period of voting, with information about this process available [here](https://github.com/code-423n4/2022-08-nounsdao-findings/issues/315). \n\nIt is important to note that compliance with tax laws was a major reason for implementing the DAO voting system, and some changes, such as invoicing, were made to comply with these regulations. However, as all decisions are ultimately decided by voting, not all actions are immediate, which may result in delayed implementations or changes.\n", "Question: What should I do if I have accidentally leaked my private key on a public GitHub repository?\n\nAnswer: If you have leaked your private key on a public GitHub repository, you have a potentially serious security issue. Bots may monitor new GitHub repositories and could have picked up your private key. This has resulted in wallets being hacked in some reported cases. \n\nFirstly, if too much information is accidentally pasted in an issue that should not be publicly available, editing is the suggested course of action. But remember, some bot might have already scraped the key.\n\nSecondly, if you suspect that your wallet might have been compromised, you should follow the steps mentioned here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked. \n\nIn the future, to prevent this, when submitting a \"Proof of Concept\" with Github, you do not have to make the repository public due to the risk of exposing vulnerabilities. Instead, a private gist can be used. 
Some participants even consider using a \"secret gist\" to show code examples without disclosing a problem. \n\nAlso, some community members have set up separate GitHub accounts for their Code4rena work for privacy reasons. It could be a good practice to keep your work and personal accounts separate. \n\nLastly, please remember that the findings should be posted as GitHub issues on a private repository to maintain the integrity and security of the audit process.", "Question: How can I effectively deploy a contract on Foundry that takes a struct as an argument in the constructor and also send ether with the constructor?\n\nAnswer: Deploying a contract on Foundry that takes a struct as an argument in the constructor can be achieved through the following method. Here is a sample contract:\n\n```javascript\ncontract A {\n struct Config {\n address someConfig;\n address anotherConfig;\n }\n Config config;\n constructor(Config memory param) {\n config = param;\n }\n}\n\ncontract Test {\n A a;\n function setup() {\n a = new A(\n A.Config({\n someConfig: address(0x001),\n anotherConfig: address(0x002)\n })\n );\n }\n}\n```\n\nTo send ether along with the constructor while deploying the contract, you can use the value function on the contract instance which will allow you to send ether with the initial transaction.\n\nWhen working with Foundry, it's important to note that a child contract may need to be written and used like wrappers for direct calling of internal functions. \n\nIf you're using Hardhat, Foundry can be integrated into your project. A base template for this integration can be found [here](https://github.com/foundry-rs/hardhat-foundry-template). 
For an equivalent of \"upgrades.deployProxy\" from Hardhat in the context of Foundry, you may refer to this [GitHub link](https://github.com/chugsplash/chugsplash-foundry).\n\nAdditionally, Foundry can be used to fork data from a live network such as a mainnet or testnet and run locally, enabling easier testing of smart contracts. It also provides tools for inspecting things like storage and gas remaining after state variable updates.\n\nTwo YouTube tutorials that might provide additional help understanding Foundry are: [Tutorial 1](https://www.youtube.com/watch?v=Rp_V7bYiTCM) and [Tutorial 2](https://www.youtube.com/watch?v=EHrvD5c93JU).\n\nPlease note that there have been issues reported about opcode support in Foundry and \"Source from artifact has no AST.\" error when running forge debug on a Hardhat project with Foundry integration. \n\nIf you're using Docker, Foundry can be installed using it and if you're encountering any errors, you may find help in the Ethereum StackExchange thread [here](https://ethereum.stackexchange.com/questions/68519/creating-a-new-contract-specifying-a-sender-and-value-with-factory-pattern).", "Question: Can you provide guidance on how to categorize and submit findings related to malicious tokens and the severity level in smart contract audits?\n\nAnswer: Absolutely, it's important to correctly categorize the severity of a vulnerability and submit it appropriately. For vulnerabilities you find, use the severity ranking provided in CodeArena's judging criteria (https://docs.code4rena.com/awarding/judging-criteria/severity-categorization) to help determine whether a finding is low, medium, or high risk. If you use automated tools for your initial findings, be aware that there is a higher burden of proof to demonstrate a relevant high or medium severity exploit path. Further clarification on this can be found here https://github.com/code-423n4/org/discussions/50. 
\n\nWhen submitting, remember each category of findings should be reported differently. For low risk or Quality Assurance (QA) findings and gas optimizations, you can group similar issues into one report. However, medium and high severity findings should be submitted in separate reports for each finding. More on this can be found in our submission policy (https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nUncertainty in ranking the severity is not uncommon. If you are unsure, it's advised to submit your findings anyway or direct message our team for additional context. If you're still unsure about the severity after reporting an issue, consult the guidelines at https://code423n4.com/judging-criteria/ to help you assess.\n\nLastly, if you're dealing with a finding that you've escalated from low to high severity, it won't be automatically invalidated. However, you must provide strong evidence of the exploit path. This policy is outlined here: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. We understand these guidelines may look complex at first glance, but they ensure a comprehensive and fair evaluation of smart contract audits.", "Q: My MetaMask wallet connected to CodeArena was compromised and my reward was stolen. I've updated my payment address to a new wallet to prevent future thefts. Is this enough or should I take additional steps?\n \nA: Changing your payment address to a new wallet is a good first step in securing your rewards in the event of a hack. However, you will need to take further action as CodeArena doesn't currently allow users to change their login wallet address. 
If you're using MetaMask, you can link multiple addresses which can be detailed at: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with.\n\nIf you've logged in via the compromised wallet, it's recommended to submit a Help Desk request detailing your situation at https://code4rena.com/help/. For more information about the procedure to change your wallet address, visit: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address. It's important to note that any rewards are sent to the wallet address on file at the time awards are calculated for an audit.\n\nIn case you forget your seed phrase or registration wallet address, you can seek help at: https://code4rena.com/help. Also, remember that it\u2019s highly recommended to use a new wallet to prevent further attacks. When it comes to your login wallet address, currently it cannot be changed, but you can link multiple wallet addresses if you are using MetaMask.\n\nTo prevent future attacks, regularly check and verify your wallet address registered for rewards using polygonscan.com or wallet trackers like debank.com. This can also be done using the help form at https://code4rena.com/help. Please ensure to reach out to CodeArena directly for any important changes, especially if your old wallet was compromised.\n", "Question: How can I be notified when a new report is published on CodeArena?\n\nAnswer: Currently, CodeArena does not offer specific email notifications when a new report is published. However, we do have an announcements channel named #audit-reports on our Discord chatroom where a new message is posted each time a report is published on our website. You can easily join this Discord channel to get regular updates. Reports can be sorted by publication date on our website at https://code4rena.com/reports. 
Participants who have submitted a report can check the status of their submissions by waiting for the report to be published and the findings repo to be made public, they can also check the success of their report submission by looking out for an email and the ability to edit submitted findings. Please note that the findings submitted for contests may not always make it to the final report, to check, you need to wait until the reports are published, which usually takes at least a month.", "Question: \nWhat is the process and criteria for submitting gas optimization reports at CodeArena?\n\nAnswer: \nAt CodeArena, we highly value gas optimizations and encourage our users to submit them as part of their smart contract audits. Users often use the Hardhat gas report plugin to benchmark their code, measuring the potential gas savings. When submitting a gas optimization report, it's beneficial to include the estimated amount of gas saved by each finding. This can be done by comparing the gas used by the original code and the refactored code. \n\nIt's also important to note that the judgment criteria for gas optimizations can vary based on the judge's decision, and it may affect the grade of your submission. Therefore, providing proof of how much gas the refactoring saves is highly recommended. For detailed information on gas optimization and rewards, please refer to our documentation: https://docs.code4rena.com/#incentive-model-and-awards\n\nThere are also discussions regarding the usage of functions such as function inlining, combining two for loops into one, and excluding the increment (++i) in a for loop, as all these can lead to significant gas savings. 
A clear understanding of these concepts and techniques can be beneficial when making a submission.\n\nFurthermore, reports can also be submitted in contests, and you might find it useful to review approved findings and gas optimizations on our GitHub: https://github.com/byterocket/c4udit\n\nRemember, even if you're new to auditing contracts, gas optimization is a great starting point. So, don't hesitate to dive in and contribute.", "Q: I've applied for the Know Your Customer (KYC) process over 10 days ago and it's still pending. Is this a normal timeline or should I do something?\n \nA: The KYC process usually takes a few days to complete, but it can sometimes take a week or longer, as the completion time can vary depending on a variety of factors. If you don't receive any reply to your KYC application within five business days, it is recommended that you submit a help request through the form on our company's website. The KYC process for becoming a certified contributor or a certified Warden can take around 2-3 weeks, and you will receive a KYC email from compliance@provenance.company after you've submitted an application. Please check your spam folder as well, as the email might end up there. Once your KYC process is completed and approved, it may still take a few days to get the certified role. If you've received a confirmation email from Provenance regarding your KYC, you may still need to wait for a certain period for the role. Please be aware that your KYC application may be rejected, in which case it's suggested to work directly with the originator of the application. Always remember that KYC is an important part of our process to ensure the security and integrity of all participants.", "Q: My Metamask wallet connected to Code4rena was compromised and the reward I received was stolen. I already changed my payment address to a new wallet but my login address remains the same. 
How do I secure my future rewards and prevent further attacks on my wallet?\n\nA: First, it's good you've already changed your payment address to a new wallet, this will ensure your future rewards are sent to a secure location. You can do this from your account screen on Code4rena (https://code4rena.com/account). \n\nAs for your login address, currently, Code4rena does not allow users to change their login wallet address, but if you're using Metamask, you can link multiple addresses (https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with). \n\nIf you've logged in via the compromised wallet, submit a help desk request for assistance at https://code4rena.com/help/. Provide as many details as possible and include a mycrypto.com signed message if your account has been compromised.\n\nFor further protection, consider switching the network in your Metamask to Polygon Mainnet and copying your public keys into Code4rena. It's also important to keep your seed phrase safe. If you lost it, follow the steps mentioned here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked. \n\nIf you're unsure if you've submitted an address for rewards correctly, you can check this using the help form at https://code4rena.com/help/. Always remember, the best way to prevent future attacks is by using a secure and new wallet.", "Question: When I submit a \"Proof of Concept\" for a vulnerability, should I make my GitHub repository public or private, and how can I share the information without exposing vulnerabilities?\n\nAnswer: When you submit a \"Proof of Concept\" (PoC) for a vulnerability, it is recommended to use a private GitHub repository or a private gist. This is to minimize the risk of exposing vulnerabilities to the public. If you have code that runs a proof of concept for each bug, you could consider adding a zip file to the submission or sharing a private Github repository. 
These repositories typically remain private until the issues have been mitigated and cleared for publication by the sponsors. Once the repo is made public, users can access all the issues, including theirs. \n\nYou can showcase the places of vulnerability by providing a URL to the repository with a line number in the text or providing a solidity code block. As an auditor, you can fork the codebase and create a private repository on Github without it being considered as information disclosure, as the submitted findings will be created as a Github issue. \n\nFor more insights on sharing vulnerability discovery PoCs, you can refer to this GitHub link: https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc. If you are utilizing automated tools for attack findings, there is a higher burden of proof to demonstrate a relevant HM exploit path to be considered satisfactory. More information on this can be found here: https://github.com/code-423n4/org/discussions/50.\n\nFor privacy reasons, some community members set up separate GitHub accounts for their Code4rena work. You can also attach screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected code.\n\nFinally, please be aware of the risk of accidentally leaking private keys on public GitHub repositories. This could potentially lead to your wallet being hacked as there might be bots monitoring new GitHub repositories.", "Question: I noticed that I was asked for a 16-digit password when I signed up, but this requirement was not present when resetting my password. Can you explain this discrepancy and how to recover or change my password?\n\nAnswer: Indeed, during the initial signup process, we ask users for a 16-digit password as a safety measure. However, this requirement is not present during password reset for user convenience. 
If you are experiencing any issues with password resets or forgetting your password, we're here to help. To change or reset your password, you should follow the instructions provided in the password reset email. If you are not receiving the password reset email, you can open a help desk request with details about your issue.\n\nPlease note that if you've forgotten your wallet's login address, you can find assistance at our help center https://code4rena.com/help. If your wallet was compromised and you need to change your payment address, please submit a help desk request with details and a mycrypto.com signed message.\n\nAlso bear in mind that we currently do not support changing the login address at CodeArena. If you suspect that your account has been compromised, we recommend submitting a help desk request with the details. Additionally, for information related to changing your wallet attached to the user account and other FAQs, you can refer to our documentation at https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting. \n\nRemember, security is our utmost priority, and we are here to support and guide you through any issues you may face.", "Question: How can I receive my rewards from CodeArena and transfer them to my Binance account?\n\nAnswer: Once your submission is confirmed and the reward amounts are announced, you will need to wait for the rewards to be distributed to your registered wallet address. This process usually takes 1 to 2 weeks after the announcement. You can check the announcement channel for updates on distribution.\n\nYou have the ability to change your wallet address where the rewards will be received. This can be done by updating your wallet address in your reports or by submitting a request through the Help Desk at https://code4rena.com/help. If you change your wallet address, the rewards for the report will then be distributed to the new address. 
Please note that the rewards are sent to the wallet address on file at the time the awards are calculated for an audit.\n\nRewards are usually distributed in the form of USDC on Polygon's Mainnet. If you wish to receive these rewards on Binance, you need to have a wallet that can receive USDC, such as MetaMask. After receiving your rewards, you would then send these tokens from your MetaMask wallet to your Binance account. \n\nPlease note that award distribution is linked to your Discord username and specific wallet address. Therefore, ensure that your wallet address is correct and up to date. Also, keep in mind that you can only receive rewards to one address per contest. \n\nFor more information on changing your wallet address or the entire process, you can check the guide at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards.", "Question: Why can't I see the award transaction from NounsBuilder in my wallet, and what steps should I take to solve this issue?\n\nAnswer: There could be several reasons why you're having difficulty seeing the award transaction from NounsBuilder. This could range from delays in distributing awards, requirement of Matic (a cryptocurrency) for transferring awards, to issues related with the network you're using. Here are a few potential solutions:\n\n1. First, check your registered wallet address and make sure it's correct. If you need to change it, you can do so at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards.\n\n2. If your wallet address is correct, there may be a delay in the distribution of the award. Awards are usually distributed after a contest ends, and you can check the announcement channel for updates on distribution.\n\n3. Check if you're using the right network. Some awards, like from Fairside and Mellow Protocol, are distributed on the Polygon network. 
This might also require you to possess some Matic for transferring the awards.\n\n4. There might be a need to find a transaction hash when a user gives allowance to a contract. You can do this by filtering the contract's logs and checking topics for your address.\n\n5. If you've verified all the above and you still can't see your award, you might need to reach out to the staff via a help request at https://code4rena.com/help. Please provide as much detail as possible about your issue.\n\nPlease note that rewards aren't distributed immediately after computation due to the use of multisignature (\"multisig\") wallets which require signatures from multiple parties before funds can be released. The process will eventually be automated via smart contracts once more pieces are in place.\n\nLastly, you should also ensure you protect your wallet keys properly. There have been instances where users could not see their funds, suspecting their keys might have been compromised.\n\nRemember, uncertainties and misunderstandings can happen, and it's important to reach out for help when needed. Don't hesitate to ask questions in the community chat for further clarification or support.", "Q: How can I withdraw and manage the rewards I earned from my findings on CodeArena?\n\nA: To manage and withdraw your findings, navigate to the contest page and click on the 'Your Findings' button. From here, you can view, edit, retract, or add to your submissions. If you wish to withdraw your rewards, you can send them to your preferred crypto trading platform such as Binance. Remember to connect your wallet to your CodeArena account to make transactions smoother. \n\nOnce a submission is confirmed and reward amounts are announced, you just need to wait for it to be transferred to your wallet. You can track the status of your report and view your findings under the 'findings' tab next to the contest description. 
\n\nIf you need to modify your wallet address after submitting a finding but before the reward payout, you can submit a request through the Help Desk at https://code4rena.com/help. If you realize something is a false positive after submission, you can retract the submission from the 'findings' tab on the contest page.\n\nA detailed list of rewards for each warden for each bug per contest is available at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. If you have any questions about your rewards or the rewarding formula, don't hesitate to raise them in our Discord community or through the Help Desk.\n", "Q: I tried to submit my QA report at the last minute, but unfortunately, I missed the deadline. I've created a secret gist on GitHub as proof. Is there anything that can be done? \n\nA: Unfortunately, we have to maintain a firm deadline and cannot accept late submissions for fairness purposes. However, if you had issues submitting the QA report due to a GitHub API failure or if your report exceeded the character count for a regular submission, that would be a different case. You could submit your QA reports via help tickets if they exceed the character count for regular submissions. If GitHub API issues prevented your submission, you might have been able to submit your QA report through the submission form via email to submissions@code423n4.com. \n\nFor future reference, it's important to note that you can edit your QA report until the audit deadline if you find additional errors or need to alter the severity of reported bugs. You can do this either through the PR or by contacting one of the judges. If your report includes a Proof of Concept, this can either be included in the report itself or via a private gist link if the code is too large. 
\n\nFor more information, please refer to our documentation at the following links:\n- Submission Policy: https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept\n- QA Gas Report FAQ: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form\n\nWe hope this clarifies the submission process and helps you prepare better for future submissions.", "Question: How can I effectively demonstrate a re-entrancy attack for smart contracts, using a testnet or other methods?\n\nAnswer: While you can perform a re-entrancy attack demonstration on a public testnet, this isn't always the most practical or preferred method. Public testnets are often used for testing smart contracts, particularly for complex scenarios involving large numbers of users.\n\nHowever, using tool kits like Foundry or Hardhat can provide a more convenient and efficient environment for demonstrating smart contract vulnerabilities. By forking its state from either a public testnet or mainnet, you can have a local instance that replicates the live network, allowing you to run tests without waiting for testnet tokens or block times. Here's how you can do that with Foundry: https://github.com/dapphub/dapptools/tree/master/src/foundry\n\nIn the case of a re-entrancy attack, you could write an attack contract and explain its effects. This could serve as a valid proof of concept. If you find a potential re-entrancy risk without an actual vulnerability, it's important to provide a clear explanation of the exploit path. Without it, such a finding may be considered low risk or could be downgraded to QA. Examples of such cases can be found in Code4rena's reports: https://code4rena.com/reports/2022-12-caviar#l-01-missing-reentrancy-guard-to-withdraw-function \n\nIf you discover the same type of issue multiple times, like a re-entrancy attack, report them together. 
This helps in accurately evaluating the overall vulnerability of the smart contract. \n\nWhen you're ready to submit a proof of concept, you can create a public Github repository or provide a diff of an existing sponsor-supplied test/contract. \n\nRemember, while the web3 sector shares many security considerations with the web2 sector, the exploitative patterns can greatly differ. As such, familiarize yourself with specific vulnerabilities inherent to smart contracts, like re-entrancy attacks, as well as the various tools and techniques available for auditing them.", "Question:\nI am trying to decode topics/data from event logs without using the web3 library, only with information from Etherscan. I have the ABI as well as the data/topics in hex but I don't know how to compute the human-readable value. Can you provide any resources or guidance on how to achieve this using Python?\n\nAnswer:\nDecoding topics/data from event logs without using the web3 library can be a bit complex, but it's possible with some understanding of how Ethereum and smart contracts work. To do this, you'll need the ABI (Application Binary Interface), which describes how to convert data between its binary representation on the blockchain and a human-readable form. You'll also need the data/topics in hex format. \n\nThis process involves parsing the hex data into its constituent parts according to the ABI specification. Here is a helpful link on the concept of decoding and encoding data in Ethereum: https://docs.soliditylang.org/en/v0.8.14/abi-spec.html?highlight=indexed#events.\n\nTo find a transaction hash when a user gives allowance to a contract, filter the contract's logs and check topics for the specific address. 
Also, consider that indexing can make parsing easier for off-chain tools, at the expense of gas during emission: https://code4rena.com/reports/2022-05-sturdy/#n-10-event-is-missing-indexed-fields.\n\nAdditionally, the Ethereum Virtual Machine (EVM) opcode might be beneficial for understanding the execution: https://www.evm.codes/. \n\nIf you wish to view on-chain contracts of Etherscan in an IDE like remix, consider using this tool: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484.\n\nFinally, for additional context, if you're dealing with Solidity code, you can decompile it at https://library.dedaub.com/decompile. While this won't directly help with decoding event logs, it could provide a better understanding of the contract's internal workings.\n\nPlease note that this process requires a good understanding of Ethereum and smart contracts, as well as some knowledge of Python for implementation. If you're a beginner in smart contract auditing, you may want to start with some foundational resources before diving into advanced topics like this.", "Question: Can I withdraw my rewards if I don't use Binance, and how does the reward distribution process work at CodeArena?\n\nAnswer: Yes, you can withdraw your rewards even if you don't use Binance. Rewards earned from findings can be sent to your preferred crypto trading platforms, not limited to Binance. However, to receive the rewards, you need to submit your wallet address for payout. You can update your wallet address if needed, and rewards will be sent to the wallet address that is on file at the time awards are calculated for an audit. 
More information about changing your wallet address can be found at [here](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards).\n\nPlease bear in mind that if your team wins a prize but is unable to claim it due to KYC (Know Your Customer) verification issues, there is a question as to whether the reward will be on hold or lost forever. \n\nOnce your submission is confirmed and the reward amounts are announced, you need to wait for it to be transferred to your wallet. Rewards are distributed by the CodeArena team and you can check the announcement channel for updates on the distribution. \n\nThere may be instances where rewards for a contest have not yet been paid out or are pending after the contest has finished. This delay might be due to the use of multisignature (\"multisig\") wallets, which require signatures from multiple parties before funds can be released. In the future, awards may be distributed via smart contract once more pieces are in place.\n\nFinally, please note that Polygon and Ethereum addresses are required for the withdrawal process, and in some cases, you may need Matic (a cryptocurrency) to transfer your awards to another wallet.", "Question: How does CodeArena handle gas optimization reports and their validity, especially those found in the generated audit report versus the GitHub link https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md?\n\nAnswer: At CodeArena, the gas optimization issues listed in the generated audit report are considered invalid, while the rest are available in the GitHub link provided. However, not all gas optimizations are valid when the optimizer is enabled, leading to some confusion on what should be reported. It's suggested that any gas optimizations should be reported separately, and known issues should be excluded from gas reports. 
\n\nGas optimization reports should ideally include the amount of gas saved for each finding, although this could be subject to the judge's decision. All findings related to gas optimization should be compiled under one report, with the allowance of adding more findings through the contest page by clicking the 'Your Findings' button. \n\nIt's important to note that gas optimizations inside view/pure functions and public functions declared as external can be reported. However, there might be certain situations where the validity of gas optimizations might be questioned, particularly when the optimizer is disabled. An issue can be non-critical and still be included in gas optimizations. \n\nThere is also an automated gas optimization detected by an automated audit tool called 'Use assembly to check for address(0)', which could save a few gas units, but it might not necessarily be interesting or valuable for sponsors. \n\nYou can find examples of top QA/Gas reports for each contest at https://code4rena.com/reports. Keep in mind, for some contests there might not be a gas optimization section because there was not a gas pool for that contest. \n\nWhen it comes to reporting, there are restrictions on submitting more than one report of gas optimization per contest; users should compile all findings into one report. Notably, the amount of detail required for QA and Gas Optimization reports is not as comprehensive as for high severity issues. \n\nIn conclusion, it's crucial to understand what needs to be reported for effective gas optimization, especially when it comes to preparing reports for CodeArena.\n", "Q: How do I receive and transfer my rewards to my preferred crypto trading platform like Binance?\n\nA: To receive your rewards from CodeArena, they will be automatically sent to the wallet address you have registered with us once your submission has been confirmed and the reward amount announced. 
Please note that these rewards are distributed in USDC on the Polygon network, not on the Ethereum network. \n\nIf you wish to use a different wallet address, you can update it by submitting a request through our Help Desk at https://code4rena.com/help before the reward payout. Do note that if you change your wallet address, rewards are sent to the wallet address on file at the time awards are calculated for an audit.\n\nYou can then transfer your rewards to your preferred crypto trading platform, such as Binance. Remember, if you don't possess the keys to your wallet, you don't own the coins. You may need Matic (a cryptocurrency) to perform this transfer. Also, an option such as Binance P2P could be used for crypto transactions, if needed.\n\nThen, when you want to convert your rewards to fiat currency, you can use MetaMask bridge and Coinbase for the conversion process from Polygon Tokens to EUR. For USDC rewards, conversion to BTC can be done over Coinbase before withdrawing. \n\nIf you have any queries related to reward distribution, you can submit a Help Request here: https://code4rena.com/help. If you need to check if you have submitted a wallet address for rewards, this can also be done using the same help form. \n\nPlease note that the distribution of rewards is not immediate. This is due to the use of multisignature (\"multisig\") wallets which require signatures from multiple parties before funds can be released. It usually takes about 1 to 2 weeks after the announcement for Biconomy rewards to be sent out.\n\nIf your team payout address is a smart contract, please inquire on how to proceed. 
Additional information about changing your wallet address can be found here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards.", "Question: What happens to the state of a function in a smart contract if a state is changed first and then there's a require statement which fails?\n\nAnswer: In a smart contract, should a state be changed in a function first, followed by a require statement that fails, the state will not persist with the change. It will revert back to its initial state prior to the function call. This is crucial to understand in terms of data consistency and managing potential bugs in the contract. \n\nIt's important to note that the categorization of severity related to state variable changes in smart contracts can vary. Moreover, the context of how these state variables are being used, such as constraints on admin 'setter' functions for state variables, can affect the severity of findings. \n\nIn terms of gas efficiency, there are multiple discussions, such as using check \"x != 0\" being cheaper than \"x > 0\" only in require statements, and only prior to Solidity version 0.8.13. Additionally, the use of custom errors compared to require statements with a string has been debated, with the consensus leaning towards custom errors for better gas efficiency. For more detailed information about state variables, you can refer to the official Solidity documentation about state variable visibility [here](https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility).", "Question: What happens to the state of a smart contract if a function's state is changed first and then a require statement in that function fails? \n\nAnswer: If a function\u2019s state is changed first and then a require statement in that function fails, the state will be reverted back to what it was prior to calling the function. 
This acts as a safety mechanism in smart contract programming to prevent incorrect state changes. However, the categorization of severity related to state variable changes in smart contracts can vary and often depends on the specific situation. This includes considerations such as potential attack vectors, the role of governance, and the use of best practices for immutable state variables. For example, constraints on admin 'setter' functions for state variables could be considered a low or medium finding. It's also important to note the discussion around practices with state changes in relation to demonstrating proof of concepts on testnet forks or handling potential vulnerabilities. If a user identifies a potential problem, they can report it, stating all their reasons, and let the judge make the final call. As always, it's worthwhile to follow the ongoing discussions and updates in this area.", "Question: How can I convert and withdraw my rewards from CodeArena to fiat currency, and what are the considerations I should be aware of?\n\nAnswer: Converting your CodeArena rewards to fiat currency can be done through a variety of means, including peer-to-peer or centralized exchange services. You can withdraw rewards from your findings and send them to your preferred crypto trading platforms such as Binance. Additionally, if you receive your rewards in USDC over Coinbase, they can be converted to BTC.\n\nIf you are using a new wallet address in your reports, rest assured that rewards for the report will be distributed to the new address. However, you may need Matic (a type of cryptocurrency) to transfer these awards to another wallet. You can receive awards on Polygon, which can be connected to MetaMask for conversion and withdrawal. 
The conversion process from Polygon Token to EUR can be done through the MetaMask bridge and Coinbase.\n\nPlease bear in mind that once a submission is confirmed and the reward amounts are announced, you must wait for it to be transferred to your wallet. Awards distribution might not be immediate due to the use of multisignature (\"multisig\") wallets, which require signatures from multiple parties before the funds can be released. \n\nCodeArena is currently discussing alternative payment channels due to restrictions from certain countries. As a participant, you are encouraged to add your payment wallets to your account. \n\nFor more information on the rewards process, you can refer to the following links:\n- Overview of rewards: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic\n- Changing your wallet address: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards\n- Help Desk: https://code4rena.com/help\n- Incentive model and awards: https://docs.code4rena.com/#incentive-model-and-awards\n\nRemember, if you're experiencing difficulties converting crypto to fiat, you might want to consider alternatives that are more crypto-friendly, such as Revolut and ZEN.", "Question: What makes a report stand out and be considered high-quality in CodeArena contests?\n\nAnswer: A high-quality report in CodeArena contests is one that is focused on a particular issue or potential attack. It should feature the project's code and include a clear proof of concept or specific example demonstrating the vulnerability. A coded test that validates the vulnerability is also highly valued. Judges assess reports based on their relative scores and the report format can influence its evaluation. The report should aim to include the issue, its description, proof of concept (where necessary), and mitigation (where necessary) in a semi-professional report format. 
\n\nThe best or most comprehensive QA/gas reports are accepted. All types of reports, from high-level down to gas optimizations, are eligible for payouts, assuming they are of high quality, the findings are accurate, and there is a working proof of concept. Tools like Markdown and hackmd can enhance report presentation. \n\nWardens, who report a specific finding first as well as those who also found the same finding, are recognized in reports such as the Olympus report. Not all reports or findings are guaranteed a reward; they must meet quality standards to be considered valid and satisfactory. High-quality and high-quantity findings tend to score better in CodeArena competitions. For examples of winning reports, visit https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues.\n\nHowever, it's important to note that only the best report will receive more money than other reports, and if a duplicate report does not exceed a certain threshold, there might be no money awarded for it. There is also a process to decide which reports get featured in the client report and not all QA findings are guaranteed a place in one combined report. \n\nFinally, remember that comprehensive and detailed reports are preferred over one-line summaries, and there are differences in grading high-quality QA reports. So, strive for detail, accuracy, and a well-structured report to increase your chances of success.", "Question: What are the alternatives for testing and exploiting smart contracts on mainnet and how can they be effectively used?\n\nAnswer: Apart from exploiting directly on the mainnet, there are several methods you can use to test and exploit smart contracts. A common method is local forking, which is often preferred due to its convenience and its ability to avoid unnecessary pollution of a public testnet with data. 
Tools like the Hardhat Foundry can be used to create a local fork from a public testnet or even the mainnet, making it an excellent option for testing smart contracts. Foundry runs locally and eliminates the need to grab testnet tokens for transactions or the wait time on blocks.\n\nPublic testnets can also be used for testing smart contracts, especially for scenarios involving large numbers of users and complex states. However, keep in mind that this should be done responsibly to avoid polluting the testnet with unnecessary data. For simpler contracts or exploratory development, a private testnet could be a more suitable choice.\n\nIt's also possible to demonstrate a proof of concept against a block number known to work on a testnet fork with state changes. However, if there is a possibility of funds being at risk on mainnet due to an exploit, it is recommended to reach out to staff via a help request.\n\nIn addition, tools like Mythril and Slither can be used to test contracts downloaded from Github for vulnerabilities and bugs. Resources for blockchain forensics analysis may also be helpful for studying hacks and incidents in smart contracts. Remember, it's possible to build a more complex exploit based on known issues.\n\nFor instances where you're specifically working on the Ethereum mainnet, you can switch your network in Metamask to Polygon Mainnet, copy your public keys, and paste them into Code4rena. Additionally, a smart contract scanning tool, Metatrust, can detect price manipulation vulnerabilities (https://app.metatrust.io/project). 
Rinkeby testnet tokens can be obtained from a faucet (https://faucet.rinkeby.io) for testing purposes on the Rinkeby network.\n\nAs always, remember to reach out to the relevant staff or seek help from the community when you're dealing with uncertainties or potential risks.", "Question: Can you explain the \"Judge presort awards\" process in detail and how it relates to the judging and awarding processes at CodeArena?\n\nAnswer: The \"Judge presort awards\" is a service provided for the sponsor of a contest, where we sort out all duplicates from the contest findings, making it easier for them to review. It is part of the broader judging process at CodeArena, where a portion of awards is set aside for work performed by judges, including consolidating duplicates. \n\nDuring this process, the judges play a vital role in assessing contest submissions based on established judging criteria, which can be found [here](https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md). If there are disagreements with a judge's decision, there is a policy in place to discuss these disagreements, which can be found [here](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision). Further details about the roles and responsibilities of judges can be found [here](https://docs.code4rena.com/roles/judges).\n\nPOST contest, the judges' comments on contest submissions may be visible, as per the question asked about the Asymmetry contest which can be found at [this link](https://code4rena.com/contests/2023-03-asymmetry-contest).\n\nFinally, once the judging process is over, rewards are distributed. The exact distribution process is not explicitly mentioned but general information on awards can be found [here](https://docs.code4rena.com/incentive-model-and-awards). 
Each team participating in the contest determines how to split their portion of a contest's reward amongst themselves.\n\nIn the case of duplicate submissions at the end of a contest, the judging criteria can be found [here](https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions).\n\nFor more detailed information on the \"Judge presort awards\" process, you can review this [discussion](https://github.com/code-423n4/org/discussions/50).", "Question: What happens if a winning team can't claim an audit prize due to KYC issues and are there specific guidelines for prize distribution among team members?\n\nAnswer: If a winning team is unable to claim their audit prize due to Know Your Customer (KYC) issues, the situation is currently unclear. It's uncertain whether the prize will be put on hold until they complete the KYC process or if it's lost forever. This issue has been raised in our discussions and we appreciate your patience as we work towards a resolution. \n\nAs for the distribution of team rewards in an audit contest, the prize is sent to a single address, and it is then the responsibility of the team to distribute it amongst themselves. Remember that the process of dividing the prize is internal to the team and CodeArena does not interfere in this process. It's strongly advised that teams agree on the division of winnings before participating in the contest to avoid disputes later on.\n\nFor more information on our audit contests and their operation, please visit our documentation at https://docs.code4rena.com/.", "Question: What could be the reason behind the sudden surge of 200+ new wardens at Code4rena within 24 hours? Could it be a Sybil attack or a strategic marketing move?\n\nAnswer: There can be various reasons for the sudden increase of 200+ new wardens on Code4rena within a 24-hour period. 
It may be due to a recent bounty announcement or a surge of interest in the platform, however, it's hard to confirm if it's a Sybil attack or a strategic marketing move. Some users speculate it could be one or the other. \n\nNew wardens often have a learning curve as they need to understand the project architecture, interact with the code, and identify vulnerabilities within the set time. Despite the influx of new wardens, the top performers on the leaderboard at https://code423n4.com/leaderboard/ are prioritized for contests, which might be an incentive for the increase in numbers.\n\nMoreover, becoming a Certified Warden is a topic of discussion among users. Certified Wardens are privy to some benefits like backstage access, and payments from KYC-required sponsors like Chainlink. They also have a private channel to assist with various process-related tasks. This could be a motivation for the surge in wardens. \n\nHowever, it's also important to note that there are queries on whether Code4rena will remain open to new wardens indefinitely, and how this may impact the distribution of prize funds.\n\nPlease note that the exact cause of this surge is uncertain without more information.", "Q: During a contest, is it okay to include a link to a repository for my POC in the analysis report, knowing this repository is public and can be seen by a judge?\n\nA: According to our submission policy, it is generally acceptable to provide a link to your repository as a proof of concept (POC) in your findings submissions. However, to maintain the integrity of the contest, it is crucial not to disclose your findings publicly until the contest has concluded and the final report is published. This includes making the linked repository public. \n\nTo avoid inadvertent public disclosure, you might consider using GitHub Gist or a private repository on GitHub for your POC during the contest. 
If the code for your POC is lengthy, you can decide the best way to provide it following the guidelines available in our [submission policy](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nFor the transparency of the process, the submissions for a contest will be available for public review in the findings repository after the contest report is published. This allows all participants to understand the judging process and learn from the contest. Please note that the specific duration before the findings repo becomes publicly available for discussion is not specified.\n\nAlso, remember that while you can provide links to other contests or projects as part of your submission, citing examples from Code4rena is often more convincing due to our rigorous judging and quality assurance process.\n\nKeep in mind that sponsors and projects might have access to submitted findings before the contest is fully completed. However, they usually do not have access to the findings repository until the contest ends. \n\nFinally, don't forget that it is possible to edit your findings submissions for a contest. If you've written a POC script for a vulnerability, feel free to update your submission with a link to that script where relevant.", "Q: Why am I not receiving the password reset email from CodeArena, despite attempting to reset my password via the website?\n\nA: Multiple users have reported issues with the password reset function on CodeArena's website. This could be due to several reasons. First, it's possible that the password reset email is being sent to your spam folder, a common issue noted by several users. We recommend checking your spam folder just in case. \n\nSecondly, there have been issues with particular email providers like Yahoo and Hotmail flagging CodeArena's emails as spam. 
If you are using one of these providers, the email might have been inadvertently blocked.\n\nThirdly, there were reports of an interruption in email receipts potentially caused by an incident on Github. You can check the status of that issue [here](https://www.githubstatus.com/incidents/r5qrpp2f5fc0).\n\nAnother noteworthy point is that upon registration, users were asked for a 16-digit password. However, when resetting the password, this condition was not required. This could potentially cause confusion or missteps during the password reset process.\n\nLastly, make sure you're using the correct email or wallet for logging in. Users have reported issues when the wrong wallet or email was used.\n\nIf you continue to face issues, please open a help desk request. If the problem persists, please refer to this [discussion](https://github.com/code-423n4/code423n4.com/pull/2095) for more details, or submit a support ticket from the homepage. Please note that you may not receive an email notification when your ticket is received, but rest assured, it will be processed.", "Question: Can you provide a detailed explanation of what \"totalDueTokensAccrued\" represents and why the tokens received by a contract might be less than the transferred amount?\n\nAnswer: The term \"totalDueTokensAccrued\" represents the total DBR accrued. The tokens received by a contract could be less than the transferred amount due to the mechanism of fee-on-transfer tokens. These types of tokens deduct a small fee from every transfer. Therefore, for contracts dealing with such tokens, the received amount might appear lesser than the sent amount. This is a common feature in some token standards, but it's important to note that not all tokens are fee-on-transfer. \n\nRegarding your question about the totalSupply() function in the solmate ERC20 contract, in the openzeppelin contract, _totalSupply is a private storage variable so it needs a view function to see it. 
In contrast, in other contracts, a view function with the same name is automatically generated for public storage variables.\n\nFinally, it's important to remember that an ERC721 or ERC1155 contract may know if tokens were sent there because it has a recipient contract call onReceive. However, a smart contract does not inherently know if someone sent ERC20 tokens to it. \n\nHere are some useful links for further reading: \n1. Solmate ERC20 contract: https://github.com/transmissions11/solmate/blob/main/src/tokens/ERC20.sol\n2. Etherscan link for further information: https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95\n3. USDT token code on Etherscan: https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95\n4. Rebase tokens examples: https://github.com/buttonwood-protocol/button-wrappers/blob/main/contracts/ButtonToken.sol#L126 and https://github.com/pmerkleplant/elastic-receipt-token/blob/main/src/ElasticReceiptToken.sol\n\nRemember, when auditing smart contracts, understanding loan-to-value calculations and finding the optimal amount of tokens to buy for maximum profit in arbitrage opportunities can be quite useful.", "Question: How does Code4rena handle the distribution of rewards when a finding is reported by multiple wardens? Do all wardens receive equal shares or are there specific rules for this?\n\nAnswer: At Code4rena, both the wardens who report an issue first and those who subsequently report the same issue are recognized. The distribution of rewards is based on Code4rena's awarding policies which can be found at the following link [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards). \n\nThe best report typically receives more rewards compared to others. If duplicate reports fall below a certain threshold, they might not receive any money. 
Therefore, it's recommended for wardens to write comprehensive reports and include a proof of concept (POC) if possible. \n\nIt's important to note that the order of reporting does not affect the reward amount. However, if multiple wardens report the same issue, the reward money is distributed among them, which might lead to each warden receiving a smaller share. \n\nFor teams, one payment will be issued for a finding and the team members have discretion over the money distribution. You can find more information about team submissions at [https://docs.code4rena.com/roles/wardens](https://docs.code4rena.com/roles/wardens). \n\nFor a comprehensive understanding of earnings, you can refer to the detailed list of rewards for each warden for each bug per contest available at [https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv) as well as the leaderboard at [https://code4rena.com/leaderboard/](https://code4rena.com/leaderboard/). Please remember to follow the professional conduct guidelines for wardens and treat all findings as private and confidential until the contest report is made public.", "Q: How can I correctly format and submit mathematical expressions in my GitHub findings report, and what should I be aware of to ensure it displays properly?\n\nA: You can correctly format mathematical expressions in your GitHub findings report using Markdown. The submission form used for analysis supports Markdown formatting and should render your mathematical expressions correctly. However, there have been instances where users experienced rendering issues with inline math in the preview. This issue appears to only affect the preview and should not alter the final look of your submission when published in the findings repository. \n\nIn case you encounter issues with rendering or formatting, you can experiment in a private GitHub repository. 
Create an issue there and format your report, as the display there will be the same as in the findings repo. Users have also found it helpful to create their report in Notion, format it there, and then copy-paste the formatted text into their submission. This approach maintains the necessary markdown formatting. \n\nFor proof of concept or additional attachments, you can link your GitHub repositories. If you have code that runs a proof of concept for each bug, you can either add a zip file to your submission or share a private GitHub repository. \n\nRemember, our system also supports mermaid syntax, and markdown formatting can be included in issue titles. However, be aware that numbered lists in markdown do not show numbers in the preview tab but the numbers are visible when submitted. \n\nIn case you're facing any technical issues or inconsistencies, you can review issues at [CodeArena's GitHub](https://github.com/code-423n4/org/issues) and add fact-based comments or open new issues. If your report is larger than ~65k characters, it can't be submitted through the form due to Github's max character limit for issue descriptions. In such cases, you can email your submission to submissions@code423n4.com. \n\nFor a detailed guide on specific issue formatting, you can refer to this [Visual Studio tool](https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers). Lastly, always ensure that you are logged into your GitHub account, and it is the same account given for C4 to avoid any submission issues.", "Question: Who should I contact for questions about invoicing, and what is the process to generate an invoice?\n\nAnswer: For inquiries regarding invoicing, you can refer to our documentation here: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. It provides comprehensive information on the invoicing process. 
If you need to create an invoice for the rewards you received from a contest, you will find the necessary information at the bottom of the aforementioned page. \n\nIf you need to inquire about specific details for invoicing, such as the Code4rena UNA address, or if your team payout address is a smart contract, you can submit a Help Desk request for private assistance from a member of the Code4rena team. \n\nAll invoices related to contest payouts should be addressed to the Code4rena Foundation. If you are based in the EU, the invoicing process will help you comply with tax laws such as MiCA. Please note that while we have made provisions for invoicing, final confirmation is required by a specific individual. \n\nFor collaboration and investment issues, or if you're interested in running an audit contest, you can contact our booking team who can assist with setting up audits.", "Question: How does Code4Arena handle rewards in cases of duplicate bug reports?\n\nAnswer: Code4Arena operates differently from a traditional bug bounty model where only the first person to report a bug receives the reward. In our model, if multiple auditors report the same bug, they all share in the bounty. The overall value of the bug is reduced and then split among the finders. The timing of the bug discovery does not affect the reward, as our system is not based on a first-come, first-serve basis. \n\nHowever, it's worth noting that the best report typically receives more money than other reports, and duplicates that do not meet a certain threshold might not receive any money. So, it is important to ensure that your reports are comprehensive and of high quality. \n\nIf a team submits a non-duplicate finding, the team gets more rewards than if they had individually submitted the same finding. 
In a scenario where two people submit the same issue using the same warden but different wallets, each person gets less than half of the reward.\n\nThere are cases when duplicate reports were rewarded, thereby possibly lowering the value for each warden. This is subject to some sybil resistance measures and each instance is awarded a share of one point depending on the number of duplicates. \n\nFor more specific details regarding the reward distribution and how duplicate findings are handled, please refer to our documentation on the incentive model and awards at https://docs.code4rena.com/awarding/incentive-model-and-awards. Here, you will also find a formula to calculate rewards for different risk levels of bugs.", "Question: What is the policy regarding the sharing and discussion of contest findings and submissions by Wardens at Code4Arena?\n\nAnswer: At Code4Arena, the policies regarding the sharing and discussion of contest findings and submissions are quite specific. Wardens, particularly those who are certified+ level, are not allowed to post or share contest findings until the final contest report has been published, as per our submission policy. Once the final report is published, the findings repository becomes public, and all participants, including newbie wardens, are encouraged to look through it to gain insights and learn from other submissions.\n\nIn the interim period, between the end of a contest and the publishing of the final report, the findings remain sealed for other wardens to maintain fairness and integrity of the contest. However, they are visible to C4 staff, sponsors and the judging team to allow for evaluation and judging. 
Certified+ wardens have the privilege of accessing the findings repository shortly after a contest ends, enabling them to assist with post-contest processes and accelerate their learning.\n\nWhile the duration between a contest ending and the findings repository becoming public is not specified, it is important to know that wardens can edit or withdraw their findings through the \"your findings\" button on the contest page until the contest closes. Any specific findings should not be discussed until the final report for the contest in question has been posted.\n\nFor full details on the conduct and policies for wardens, please refer to our [Warden Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines) and [Certified Warden Professional Conduct Guidelines](https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines).", "Q: How can I create and submit an invoice for the rewards I've received from a contest at Code4rena?\n\nA: Code4rena, as a DAO, has made provisions to allow the issuance of invoices. You can create an internal invoice and attach as much proof to it as possible, like a screenshot of the award. This is to trace the source of the income. You should then send this invoice to the Code4rena Foundation. Keep in mind that the approach may vary depending on your jurisdiction. \n\nFor additional information and specifics on how to properly create and submit an invoice, refer to the guide provided on this page: [Code4rena Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions). \n\nTax reporting for your earnings from Code4rena is your responsibility and should be handled individually. If you have any other questions or issues, please direct them to a specific individual appointed by Code4rena to handle such matters. 
You can also submit a help request if necessary.", "Question: How is the Source Lines of Code (SLOC) calculated for each contest at CodeArena and how does it affect the contest?\n\nAnswer: The number of Source Lines of Code (SLOC) for each contest at CodeArena is computed by loading the file into a buffer and then looping for each line. If a line is empty or begins with \"//\", it may or may not count as a SLOC, based on additional conditions. For instance, when a \"/*\" is encountered, the count is paused until the next \"*/\". The SLOC count is significant because it gives participants an idea of the scale of the contest. The larger the SLOC, the larger the contest, with some large contests even extending to 4 weeks, as observed with contests involving over 12k SLOC. This information is crucial for participants, helping them gauge the contest size and make informed decisions about participation. \n\nContests are processed in a specific order, which represents the order of contest progression. This is reflected in the \"Past Contest Status Updates\". For any potential discrepancies in the SLOC count (like a possible typo in the SLOC count for a contest), participants can raise queries. \n\nPlease note that the scope for each contest is decided by the sponsors and is listed in their contest info. For any specific questions about the scope for a contest, you are encouraged to connect with that sponsor via their contest channel or Direct Message (DM). More information about the contest structure and associated timelines can be found at [CodeArena's Official Documentation](https://docs.code4rena.com/structure/our-process). \n\nIf you have any further concerns or inquiries, feel free to ask in the chat or contact us directly.", "Question: What is the process for reviewing and discussing findings after a contest ends, and how can I learn about my submission and other submissions?\n\nAnswer: The review process for submissions begins immediately after the contest ends. 
This multi-step process includes an initial review by the contest sponsors, followed by a review by the judges, a confirmation from the sponsors, and finally the judge's final report and the announcement of the results. Note that findings are not disclosed to other competing wardens, ensuring fairness and confidentiality during the contest. Additionally, comments within the reports are generally between judges and sponsors. \n\nAs a participant, you can only see your own submission and the comments on it once the final report is published and the repository is made public. This will allow you to understand why your submission was accepted or not. However, if you're a Certified+ warden, you can view the findings repo immediately after a contest ends and assist with post-contest processes. Certified+ wardens also have the opportunity to raise any issues they see with the judging results before they are made public. \n\nMoreover, there is a post-judging Quality Assurance period where Certified+ wardens can comment on the judges' decisions. You can learn more about Certified+ wardens and how to become one here: [https://docs.code4rena.com/roles/certified-contributors/backstage-wardens](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). To ensure you understand all aspects of the submission and review process, it is recommended to familiarize yourself with our submission policy and judging criteria at [https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines](https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines). \n\nLastly, participants are free to discuss issues with the sponsors before the contest ends. This includes discussing the scope of the contest and severity of potential findings. 
We are exploring ways to allow all wardens to view all contest submissions after a contest, but currently, only the final report, which does not include submissions that weren't accepted, is made public.", "Question: How does CodeArena distribute rewards to people listed in the \"also found by\" section of the report? \n\nAnswer: In CodeArena's model, rewards are distributed based on findings by what are known as \"wardens\". Both the wardens who report a finding first, and those who also find the same issue, are recognized in reports. The distribution of rewards is influenced by a number of factors, including the quality of the report and whether the findings meet a certain threshold. \n\nGenerally, the highest quality report receives a larger share of the reward, and findings considered as duplicates that fall below a certain threshold may not receive any rewards. If a finding is reported by multiple wardens, the reward is split among them, irrespective of who found it first.\n\nIn case of a team finding, the reward is issued as a single payment, and the team has the discretion on how to divide that money amongst its members. The order of reporting does not impact the share of the reward for the wardens. Moreover, the reward is reduced semi-geometrically based on the number of separate people who find an issue, but within a team, it is divided evenly. \n\nFor a detailed understanding of these rules, one can refer to the Code4Arena's awarding policies, incentive model, and awards documentation at [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards). An example of how high-quality and high-quantity reports tend to be more successful can be found at [https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues). 
Similarly, information about the rewards based on each finding can be accessed at [https://code4rena.com/community-resources/findings.csv](https://code4rena.com/community-resources/findings.csv). \n\nIt's important to note that rewards are subject to the conditions and terms of each individual competition and these guidelines may be subject to change. Therefore, the participants are always advised to refer to the official documentation before partaking in any competition.", "Question: Can you explain the concerns about CodeArena's penalty system for unsatisfactory submissions, and how can one avoid unnecessary penalties?\n\nAnswer: The penalty system at CodeArena involves a high bar for satisfactory performance, with a significant number of penalties triggered for unsatisfactory submissions and a high number of strikes for reports. This has led to concerns about its fairness and effectiveness. However, it's important to note that participants won't receive a penalty for submitting incorrect findings, although we strongly advise users to read our discussions about grading and awarding for potential future penalties.\n\nA few key guidelines to avoid unnecessary penalties include:\n\n1. Making sure your submission meets the high standards set.\n2. Being careful in the judgement of the severity of vulnerabilities - misjudging can potentially lead to penalties. For more insight, read this [discussion](https://github.com/code-423n4/org/discussions/34).\n3. Understanding the reward formula for the mitigation contest can also help avoid misunderstandings and penalties.\n4. Be aware the score for a report may be lowered if it contains a few invalid issues, and if it resembles a bot report, it may attract further penalties.\n5. Finally, it's crucial to familiarize yourself with the rules and procedures, including submission rules and the Certified Wardens process.\n\nPlease note that these guidelines are based on user observations and discussions. 
CodeArena is always open to feedback and suggestions to improve our system and processes.", "Question: Is Code4rena currently using the static analyzer available at https://github.com/byterocket/c4udit for QA and gas optimization processes, and where can I find more details about their QA/Gas reports?\n\nAnswer: Yes, Code4rena is using a static analyzer for QA and gas optimization, with the newest fork known as Analyzer found at https://github.com/Picodes/4naly3er. The tool is used to detect publicly known issues. However, please note that the scope of QA and gas optimization reports is less comprehensive compared to high severity issues. \n\nYou can find examples of top QA/Gas reports from our contests at https://code4rena.com/reports, including a recent report at https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations. More detailed information about QA/Gas reports and how we calculate awards for gas optimizations is available in the documentation at https://docs.code4rena.com/awarding/incentive-model-and-awards. \n\nIn case of issues with the online submission, you can send QA and gas reports via email to report@code4rena.com. The list of optimizations and L1 issues that get looked at for our audits can be found at https://github.com/Picodes/4naly3er/tree/main/src/issues. \n\nIf you're interested in understanding the first automated gas optimization detected by the c4udit tool, specifically 'Use assembly to check for address(0)', or have other queries about gas optimization, you can refer to the FAQ on our website or ask for clarification in our chatroom. 
\n\nPlease remember that our process is designed to find more bugs faster than other methods - \"more auditors, more findings\", as highlighted by Quantstamp's Sebastian Banescu in his talk at https://www.youtube.com/watch?v=O1rKwDv5kLQ.", "Question: I have submitted a support ticket on CodeArena and haven't received a response yet, what should I do?\n\nAnswer: Typically, our support team at CodeArena strives to review and respond to all help desk requests within a week. However, due to various circumstances, the response time may vary. If you've submitted a ticket via our help desk at https://code4rena.com/help and have not received a response within the usual time frame, it's possible that a confirmation email may not have been sent to you despite the ticket being received. \n\nYou can also follow up on the status of your help desk request through the same link. If the problem persists, or if you encounter any difficulties while submitting your request, you can forward your request to submissions@code4rena.com for more immediate attention. \n\nPlease note, this process also applies if you don't receive an email after registration, submitting a finding, or any issues related to changes to a team or KYC confirmation. If you encounter discrepancies with our reports, issues with the submission process, or lack of feedback on your submissions, feel free to open a help desk request for these as well. \n\nWe appreciate your patience and understanding as we work to resolve your issues and provide you with the assistance you need.", "Question: What is the process and requirements to become a Certified Warden at CodeArena?\n\nAnswer: Becoming a Certified Warden involves several steps and requirements. First, you will need to complete a Know Your Customer (KYC) process, which may require you to provide identification such as a passport. You will then need to submit an application, which can be made at this link: https://code4rena.com/certified-contributor-application. 
\n\nFurther information on the procedure, including eligibility requirements, can be found at https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor. It's worth noting that to become a Certified Warden, you may need to have at least 3 top finishes in either the Quality Assurance or gas report from past contests. \n\nCertification also allows you to participate in private audit contests. However, there may be additional requirements such as participating in a certain number of contests and having a certain number of valid findings or reports. More detailed information about the process and constraints can be found here: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nPlease note that the specifics of the application process, as well as eligibility requirements, may vary, so it's advisable to check the provided links for the most up-to-date information.", "Question: How is the severity of an issue determined and how does it impact the grading of Quality Assurance (QA) reports at Code4rena?\n\nAnswer: At Code4rena, the severity of an issue found during a smart contract audit is categorized as high, medium, or QA. The high or medium (H/M) category is used when an issue can lead to significant loss, such as potential theft of all rewards or principal without needing extra requirements. The medium category may also be used when there's a risk of losing some rewards. On the other hand, minor issues, for instance, losses due to rounding errors (a negligible amount of rewards), or discrepancies like a mismatch between the documentation and code with no impact, are typically classified under the QA category. \n\nIt's important to note that judges have the ability to elevate the severity of a QA issue to M/H or downgrade a medium or high issue to QA, depending on their assessment. This is considered when grading QA reports. 
\n\nFurthermore, judges evaluate QA reports based on both the quantity and quality of findings. For instance, a QA report with several minor issues is likely to receive a higher grade than one with a single minor issue. Quality is also considered, so a well-written and detailed QA report is likely to score higher. This includes clarity and detail in the description of issues. For example, a QA entry lacking a description is not as valuable as an H/M finding with a comprehensive description. \n\nMoreover, separate QA reports can be created for each finding, or all non-critical findings can be accumulated into one report. However, only the best or most comprehensive QA/Gas reports are accepted. \n\nUsers can further understand the grading system by referring to the following links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n\nLastly, it's worth noting that wardens with a grade-B in QA are eligible for awards and there is a specific formula for awarding QA and gas optimizations, but it's not explicitly documented. Additionally, team-ups are encouraged between wardens who are good technical writers and those who are technically skilled but may lack proficiency in English.", "Question: Can participants communicate in Spanish or other languages during a contest like the threat contest? \n\nAnswer: Yes, participants are allowed to communicate in Spanish during the contests such as the threat contest. It's important to note, however, that specific questions about the scope for a contest should be addressed to the respective sponsors. 
All contest participants have the ability to submit an analysis for contests and edit submitted security findings while the contest is still open. Participants can even upgrade the risk level of their findings. We offer different types of contests including private ones. Participation in these depends on certain metrics or prerequisites. In some contests, like the versus contest, participants need to be certified. Contest specific information such as the rewarding formula for the mitigation contest, participation rewards, or the judging pot can be found in the contest information provided by the contest sponsor. Do note that invalid issues could be penalized if you submit more than three of them per contest. Also, while it's allowed to use the template of a gas report from a previous contest, changes must be made to fit the current contest. Lastly, the number of participants in a given contest and whether it's a private or public contest are typically indicated in the contest announcement post.", "Q: I've submitted my application to become a certified C4 warden a week ago and I am yet to receive my KYC email. When can I expect to receive it?\n\nA: After you submit your application to become a certified warden, it usually takes about 2-3 weeks to receive your KYC (Know Your Customer) email. The email will come from the address compliance@provenance.company and it's possible that it might land in your spam folder, so be sure to check there. Once the KYC process is completed, it takes approximately 2 weeks to mark a warden as certified. The whole process, starting from your application to receiving certification, can take about 1 to 2 business days after the KYC process. Note that, certain issues might delay the process, like not receiving an email from Provenance despite applying 12 days ago, but rest assured, your application is in queue and you will hear back soon. If your KYC application is still pending after a considerable time, you can submit a help request. 
More information on becoming a certified warden can be found at https://docs.code4rena.com/roles/wardens/certified-wardens and you can apply to become a certified warden via this link: https://code4rena.com/certified-contributor-application.", "Question: How can I format and present arguments, function names, and other code elements in my audit report for CodeArena?\n\nAnswer: CodeArena audit reports primarily use the Markdown (MD) format for presenting code. You can use code blocks in your audit reports to present arguments, function names and other code elements. To create a code block, use three backticks (i.e., ```). You can also add syntax highlighting to your code block by specifying the language after the backticks, for example, ```solidity for a Solidity code block. \n\nText color in code blocks can be added using presets for specific languages such as javascript. To enhance the readability of your code, consider using a tool like Visual Studio's preview tool. If you want to include line numbers with your code snippets, there are specific tools available, though we do not have a standard one to recommend at this time.\n\nTo edit your findings or analysis reports, navigate to the audit page and click the 'Your Findings' button. Note that you cannot edit the analysis report directly, but you can create a help desk request including a secret gist to have edits added to the comments of your analysis report before the audit closes.\n\nFor examples of how to format reports, you can refer to templates or guides available [here](https://github.com/code-423n4) or check out past audit reports available at: https://chainsecurity.com/audits/. \n\nFor more information on using Markdown in your reports, refer to this guide: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.\n\nRemember, the format and presentation of your report can influence its evaluation by judges. 
It's crucial to keep your report clear, readable, and professional.", "Question: How can I gain access to participate in private contests at CodeArena, and what are the requirements and considerations involved in this process?\n\nAnswer: Gaining access to private contests at CodeArena usually requires meeting certain prerequisites. First, you need to complete Know Your Customer (KYC) procedures and become a certified warden, as private contests are only open to certified members. You can find more information about the certification process in the #\ud83d\udd96rsvp-certified channel on our Discord server. \n\nSecond, you typically need to rank on our leaderboard to be considered for private contests. Some of these contests may have a specific ranking cutoff, often selecting the top 3 or 5 participants for the contest. \n\nCertain contests like 'Versus' are usually private and open only to top wardens. Also, some private contests are only open to those who had participated in the original audit. If you're interested in the Party Protocol contest or similar private contests, you'll need to fulfill these requirements.\n\nIn terms of reports and findings, they usually remain private until after the contest ends. Once the contest concludes, those with the \"backstage\" role will get access to findings to help with the triaging process. Reports are reviewed immediately after a contest ends and await sponsor review, final judging, and Quality Assurance before being made public. \n\nRemember, when entering a contest, you don't have to submit reports for high, medium, QA, and gas optimization. You can submit what you find. 
The criteria for a report to get selected and how the reward for gas optimization is distributed can be found in this reference document: [Google Spreadsheet](https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0).\n\nLastly, it's essential to know that before a contest ends, only the team has access to submissions. Factors affecting the completion of a contest might not be visible to all participants. Yet, users do have the ability to submit analyses for contests and receive bonus rewards for the best reports. \n\nPlease also note that the status of some contests, like the USDC reserve contest, may not be clear initially whether they are private or public. Such details will be clarified when the contest is posted.", "Question: What does it mean that pending transactions on the blockchain's mempool are not hashed? How does this relate to the possibility of front-running?\n\nAnswer: When we say that pending transactions on a blockchain's mempool are not hashed, it means that the data within these transactions are fully accessible and transparent before they are confirmed and included in a block. This includes details such as the sender, receiver, amount of cryptocurrency being sent, gas price, and more. This transparency is a key feature of public blockchains, as it allows anyone to verify and validate transactions. \n\nHowever, this also opens up the possibility for a practice known as \"front-running.\" In the context of blockchain, front-running refers to the act of seeing someone else's pending transaction and then making a similar transaction with a higher gas price, in hopes that miners will prioritize your transaction over the original one. This is possible because miners typically prioritize transactions that offer higher gas prices, as they receive these fees as a reward. 
\n\nFront-running can be a serious concern in certain scenarios, particularly in decentralized finance (DeFi) where it can be used to manipulate markets. For instance, a malicious actor could see a large pending buy order for a specific token, front-run that order with a buy order of their own, and then sell the tokens immediately after the original order is executed, thus profiting from the resulting price increase.\n\nTherefore, while the transparency of blockchain technology has many benefits, it also presents challenges that developers and users must be aware of. In the context of smart contracts and DeFi, there are strategies and best practices that can be implemented to mitigate the risks of front-running, such as the use of secure coding practices, privacy-enhancing technologies, and transaction ordering protocols.", "Question: Do I always have to participate in audits as a team member once I have joined a team on CodeArena?\n\nAnswer: No, once you join a team on CodeArena, you are not obligated to always participate in audits as a team member. While joining a team allows you to collaborate, share ideas, and learn faster, you have the option to participate individually. If you wish to participate solo in a contest your team is also auditing, you can choose to submit your findings independently. When making submissions, the form allows you to select whether you are submitting as an individual or as a team member. \n\nHowever, it's essential to understand that if you are competing with a team and wish to qualify for a payout, all team members must be certified. Furthermore, in a team setting, the reward is split evenly among all members, irrespective of who found the issue. \n\nThere's an ongoing discussion on managing teams where not all members participate in the same contest and how to distribute rewards among contributing team members, which can be found at https://github.com/code-423n4/org/discussions/43. 
\n\nRemember, participation in contests, whether solo or as a team, is a great way to improve your skills. Additionally, bear in mind that managing a team where different members work on various contests at the same time or different periods can present challenges. \n\nFor more guidance on registering a team or how to submit findings as a team, you can refer to https://docs.code4rena.com/roles/wardens#registering-a-team.", "Question: Where can I find resources for obtaining Matic for transaction costs, and how is it used in the system?\n\nAnswer: Matic is a type of cryptocurrency that is used to pay the transaction or 'gas' fees within our system. These fees are necessary when you are sending or transferring coins from your wallet. You can acquire Matic from various online resources. One such site that was shared in our Discord chatroom is https://wallet.polygon.technology/gas-swap/, where wallet users can swap for Matic without a gas fee. \n\nIf you are bridging from Polygon to Ethereum and wish to withdraw USDCs on Coinbase, you would need both Matic and Eth if using the Polygon bridge. However, if using the Hop Bridge, only Matic is needed, though you will receive less USDC on the Ethereum Mainnet. \n\nFor further assistance, you can reach out to us at https://code4rena.com/help, or switch your network in Metamask to Polygon Mainnet, copy your public keys, and paste them into Code4rena. \n\nAdditionally, we also have a concept of \"bot races\", more about which can be found at https://code4rena.com/register/bot. Other similar platforms for earning rewards for auditing smart contracts include https://immunefi.com/ (for bug bounties), https://spearbit.com/ (for freelancing), and https://hats.finance/ (for decentralized bug bounties). For more information on Mitigation Reviews, you can visit https://code4rena.com/how-it-works. 
\n\nPlease remember that the availability of free Matic can vary, and the sources provided may or may not have Matic available for free at all times.", "**Question**: Does the use of storage instead of memory in view functions fit into the category of a gas report or a QA report for Code4rena?\n\n**Answer**: The choice between using storage and memory in view functions can impact both the quality assurance (QA) and gas optimization of a smart contract. Therefore, it could be relevant for both the QA report and the gas report. However, the placement largely depends on the severity and the main impact of the issue. \n\nFor instance, if the choice between memory and storage leads to a non-critical glitch but also contributes to gas savings, it should be included in the QA report while also mentioning the gas savings. If the primary concern is gas savings, judges may decide to downgrade it from QA to the gas report. \n\nFurthermore, for gas optimization reports, it would be helpful to include estimations on gas savings for every finding. For both QA and gas optimization reports, the level of detail required might not be as comprehensive as for high severity issues, although they should ideally be grouped in separate reports, i.e., one big report for QA and another for gas optimization. \n\nYou can refer to previous top reports for better comprehension at [https://code4rena.com/reports](https://code4rena.com/reports).\n\nRemember, all QA or gas report issues should be combined into a single report, and known issues should be excluded from these reports. While there is no fixed format, templates or guides can give you an idea of how these reports should look.\n\nPlease note that the static analyzer at [https://github.com/byterocket/c4udit](https://github.com/byterocket/c4udit) may be used by Code4rena for QA and gas optimization. 
\n\nThe aim is to ensure the smart contract is both efficient in terms of gas consumption and is of high quality, meeting set standards and guidelines.", "Question: If I join a team at CodeArena, am I required to only participate in audits with my team or can I also participate individually in contests? How are rewards handled in these cases?\n\nAnswer: \nAt CodeArena, once you join a team, you are not obligated to always participate in audits as a team. You have the flexibility to participate individually in contests if you wish to. The submission form allows you to select whether you're submitting a finding as an individual or as a team member. \n\nWhen participating in an audit, bear in mind that if you work as part of a team, all rewards go to the team and it's the team's responsibility to distribute the funds. This means that for team rewards in an audit contest, the prize is sent to a single address, and the team must manage the distribution among themselves. Each team determines how to split their portion of a contest's reward amongst themselves. More information on awards can be found on our [Incentive Model and Awards](https://docs.code4rena.com/incentive-model-and-awards) page.\n\nIf you choose to compete with a team, all members need to be certified to receive the payout. If multiple members of a team submit the same item separately, it can decrease the overall value of the submission. On the other hand, forming a team means awards are not split at a decaying level, and working together can provide benefits such as shared ideas and faster learning. \n\nPlease note that we are still discussing how to manage teams where not all members participate in the same contest and how to distribute rewards among team members who contributed. 
You can join the [discussion](https://github.com/code-423n4/org/discussions/43) on our GitHub page.\n\nAlso, remember that participating in contests is a great way to improve your skills, whether as an individual or as a part of a team. Teams are incentivized in the CodeArena process, and this can have a positive impact on your overall leaderboard ranking.", "Q: How does CodeArena handle bounty distribution if the same or similar bug is discovered by multiple people? \n\nA: CodeArena operates differently from traditional bug bounty systems where only the first individual to report a bug receives the reward. In our system, all wardens who report the same bug will receive a portion of the bounty. The total value of the bug bounty is divided based on how many people find it, reducing the bounty amount in cases of common findings. This approach ensures fairness and encourages thorough auditing among all participants.\n\nHowever, it's important to note that the level of detail in your submission, such as the inclusion of a Proof of Concept (PoC), can influence the award amount. Our sybil resistance system ensures each instance of a vulnerability is awarded a share of one point depending on the number of duplicates.\n\nRegardless of whether you submit as an individual or a team, all submissions are treated fairly. If you submit as a team, all team members receive the bug stats, and teams submitting non-duplicate findings can potentially earn more rewards than if they had submitted individually. \n\nRegarding the submission of multiple reports, separate submissions should be made based on the type and severity of the bugs found. If two similar reports are submitted and one is marked as a duplicate, this could affect the payout. Also, even if a high severity bug turns out to be only medium severity, the reward for a medium bug is still granted.\n\nThe timing of the bug discovery does not affect the reward - our system is not operated on a first-come, first-served basis. 
Participants are given shares for bugs discovered based on severity, which gives the owner a pro rata piece of the pot.\n\nFor more details, visit our judging criteria for duplicate submissions at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions. You can also view examples of past submissions at https://code423n4.com/reports.", "Q: Why is my Metamask wallet showing a zero balance on Polygon network despite a valid transaction hash on the Polygon scan, and how can I ensure accurate token balance display? \n\nA: Metamask can occasionally show a zero balance, even when there's a verified transaction hash on Polygon scan. This might be due to certain tokens not being manually added or the network not being properly set up in Metamask. Here are some steps you can take to rectify this:\n\n1. Ensure you are checking the correct token balance. For instance, you might need to add a specific token, like USDC on Polygon, to your Metamask wallet before the balance shows up. \n \n2. Make sure you've set up Metamask to swap networks to Polygon. If the tokens still do not show up, you can manually add them using the \"Add Token\" function. \n\n3. Confirm that you are using the correct address associated with your Polygon network. The address can be monitored at https://polygonscan.com/address/.\n\n4. If your balance still appears as zero, it's possible that some unauthorized transactions have been made or that your private key may have been compromised. Be sure to secure your wallet and check for any suspicious activity.\n\n5. Remember, rewards are sent to your Polygon address, not to your Ethereum address. You can verify received rewards by checking the wallet address you registered with, using polygonscan.com or wallet trackers like debank.com.\n\n6. 
To move your funds back to the mainnet, you can use the polygon bridge at https://wallet.polygon.technology/.\n\nPlease always exercise caution when dealing with digital assets and ensure your wallet's security.", "Question: Are there any Capture The Flag (CTF) events or resources available for Rust smart contracts?\n\nAnswer: \nWhile the focus on Terra and Solana for Rust-based smart contracts may have decreased, several users in our Discord chat have hinted at the continuing interest and relevance of Rust in the smart contract space. CodeArena has performed audits with a Rust focus in the past and there's potential for hosting Capture The Flag (CTF) events centered on Rust smart contracts. While there aren't any direct CTF resources available specifically for Rust smart contracts at the moment, there are numerous resources and platforms for learning smart contract development and testing. These include CryptoZombies.io for solidity training, CaptureTheEther.com for Capture The Flag challenges, and Damn Vulnerable DeFi (https://www.damnvulnerabledefi.xyz/) for interactive learning about smart contract vulnerabilities. For advanced solidity and DeFi industry standards, The Ethernaut challenges (https://ethernaut.openzeppelin.com/) is also recommended. \n\nUsers in the chat also discussed tools for finding vulnerabilities in smart contracts. Mythril, Slither, and Hardhat Foundry were mentioned for testing and analyzing smart contracts. Another interesting approach discussed was visualizing smart contracts into respective shapes, and training a model based on these shapes to predict the vulnerability of future contracts. \n\nFurther, if you're interested in participating in future Rust-related contests or audits, CodeArena can connect you with their booking team. 
Remember, practice and persistence are key in catching vulnerabilities during CTFs and improving your smart contract auditing skills.", "Question: If the linear vesting function of a smart contract is zero, should parameters like _endTimestamp or _startTimestamp or _releaseIntervalSecs be used? And what are the gas implications of this choice?\n\nAnswer: In the scenario where _linearVestAmount is zero, it means there's no linear vesting. In this case, you can either remove the requirements for _endTimestamp, _startTimestamp, and _releaseIntervalSecs or impose these requirements only when _linearVestAmount is non-zero. \n\nTo take this a step further and discuss gas implications, there's a potential for gas savings. By not requiring a non-zero interval when there's no linear amount, a Gsset operation for the claim\u2019s interval can be converted to a Gsreset, resulting in saving 17100 gas. To understand this better, the term \"Gsset\" refers to setting storage from 0 to non-0, and \"Gsreset\" refers to setting storage from non-0 to non-0, or anything to 0. More detailed definitions can be found on the Ethereum Yellow Paper on page 27 (https://ethereum.github.io/yellowpaper/paper.pdf).\n\nIt's also worth mentioning that smart contract audits, like those done at Code4Arena, can help identify such optimizations.", "Question: What is the process to become a certified warden at CodeArena and how long does it take?\n \nAnswer: To become a certified warden at CodeArena, you need to submit an application through https://code4rena.com/certified-contributor-application/ and complete a Know Your Customer (KYC) process. Information about this process is available at https://docs.code4rena.com/roles/wardens/certified-wardens and https://docs.code4rena.com/roles/certified-contributors. \n\nOnce your application is submitted, it is usually estimated to take up to 2 business days for initial contact from Provenance, but the timeframe may not be specified. 
Please check your spam folder for an email from compliance@provenance.company. If you don't receive an email within this time, it may take up to 2-3 weeks for the KYC email to be sent after your application submission.\n\nFollowing completion of the KYC process, it can take approximately 2 weeks for a warden to be marked as certified after approval. Please note, if your application is inactive for 2 days, it may be closed.\n\nThe process to become a certified warden may require certain documentation such as a passport and is open to foreigners as well. Once certified, wardens will have access to findings shortly after contests end.", "Question: How does the order of issues submission impact the competition process and the final report?\n\nAnswer: The order of issues submitted does not have a significant impact on the competition. Judges often arrange the issues somewhat randomly, sometimes putting the most interesting issue first. It's important to know that the primary issue picked by the judges is based more on the quality of the write-up rather than the order of submission. This approach encourages participants to focus on the quality of their submissions. When the final report is released, the issue numbers will match findings.csv. It's also worth noting that when multiple wardens find the same issue, the award is divided amongst them, reducing the amount each warden receives for that issue. More details on this can be found at the following link: [https://docs.code4rena.com/incentive-model-and-awards](https://docs.code4rena.com/incentive-model-and-awards). Furthermore, the grading of reports is not solely based on the number of issues reported. A report can have multiple low-impact issues and be a grade C or have one well-written good issue to be grade B. Reports are graded based on a relative score compared to other reports. 
Lastly, the inclusion of recommended mitigation steps, while not mandatory, can enhance the value of the report.\n", "Question: How can I access the C4audit repo for CodeArena, and what information is available on the repo?\n\nAnswer: The link to the C4audit repo is not explicitly mentioned in the chats. However, you can find completed audit findings on the C4 GitHub repo [https://github.com/code-423n4]. This repo is made entirely public, with each report on the C4 website containing links to the findings repo. The audits' output is generated using a tool currently named Analyzer, accessible at [https://github.com/Picodes/4naly3er]. This tool produces automated findings for each contest, but these automated findings are not eligible for rewards as detailed at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible]. \n\nIf you are interested in participating in private audits, you can apply for this at [https://docs.code4rena.com/roles/certified-contributors]. Remember, to access private audit contests, you need to be a certified warden, and more details can be found at [https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0]. \n\nFor technical assistance with viewing the repo or submitting findings, ensure your GitHub account is logged in and that it's the same one you've provided to C4. \n\nPlease note that a tool for running audits is currently in development, available at [https://github.com/HardlyCodeMan/audit_helper/]. Various other resources, such as a comparison between bug bounties and C4 audit contests, can also be found on the Code4Rena documentation page [https://docs.code4rena.com/]. Please be aware that some users have reported issues accessing the C4 website and certain repositories. If you encounter similar problems, try checking your login status or contacting support.", "Question: I've applied to become a Certified Warden and haven't received the KYC email from Provenance yet. 
How long does the process usually take and is there anything else I can do to expedite it? \n\nAnswer: Once you've submitted your application to become a Certified Warden at CodeArena, it generally takes 2-3 weeks to receive the KYC email from Provenance. Please note, this initial email doesn't have a specified timeframe for delivery. The email will be sent from compliance@provenance.company and it may sometimes land in your spam folder, so we recommend checking there. After receiving and responding to the KYC email, the process usually takes 1-2 business days. \n\nIf you're partway through the process, it is advisable to complete it as it's an integral part in becoming a Certified Warden. If you haven't received the email yet or need further assistance, you can submit a help request at [Code4rena Help](https://code4rena.com/help). If you believe you meet the criteria for '+backstage', you can also submit a help desk request at [Backstage Wardens](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens).\n\nFor more details on the Certified Warden process, you can refer to [Certified Warden documentation](https://docs.code4rena.com/roles/certified-contributors) or the [Certified Warden application link](https://code4rena.com/certified-contributor-application). Remember, becoming a Certified Warden is a process that may take some time, even after approval. \n\nFor documentation inconsistencies or other questions, please make sure to reach out to us, we're here to assist you with your journey of becoming a Certified Warden.", "Question: How is the order of addressing reported issues determined in CodeArena contests and does the submission order or the manner of reporting affect the judging process?\n\nAnswer: The order of addressing reported issues in CodeArena contests is primarily random. However, judges have the flexibility to prioritize the issues they find most interesting. 
It's important to note that the order of submitting issues does not influence the judging process. Judges will often pick the key issues to address based on the quality of their write-ups, not their submission order. This approach encourages participants to make high-quality submissions. While the submission order doesn't affect the discussion or the competition, it's worth noting that if multiple wardens find the same issue, the reward for each warden decreases. Detailed information about this can be found in our [incentive model and awards document](https://docs.code4rena.com/incentive-model-and-awards). \n\nOne practice that can assist judges is the numbering of findings by participants. Judges and sponsors also find it helpful when similar issues are grouped together in submissions. Questions about specific practices, such as the inclusion of line numbers in code snippets, often depend on the judge's preferences and may vary. If you have questions or disagreements about a judge's decision, these can be addressed following our policy on [fairness and validity](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision). \n\nIt's also good to bear in mind that judges often have additional commitments beyond their CodeArena judging responsibilities, including full-time jobs. Therefore, patience and understanding are appreciated in waiting for issues to be addressed.", "Question: How can I include screenshots and other evidence in my vulnerability report for CodeArena?\n\nAnswer: When submitting a vulnerability report for CodeArena, you have several options to include supporting evidence such as screenshots, scripts, or logs. For screenshots, you can host them on a free image hosting site such as https://cloudinary.com/, and then include the URL of the image in your report. 
Alternatively, you can upload your image to a Gist and submit your report with the Gist link, though it is recommended to delete your Gist after the submission process for security reasons. \n\nYou can also provide direct links to all referenced code in GitHub, and paste the lines of the affected code. If you have created a Proof of Concept (POC) script for a vulnerability, include the link to the script in your submission wherever relevant. \n\nRemember to paste your report in the Vulnerability Details section in .md format. Screenshots and other evidence can be helpful in illustrating your proof of concept. However, be aware that screenshots are generally recommended not to be included in a finding due to potential security issues. Thus, it is advised to only include them when they exceptionally support the explanation of a proof of concept.\n\nAfter submitting your report, you should receive an email confirmation. If you do not receive this confirmation or encounter any issues while submitting, please reach out to the CodeArena team directly either through a direct message on Discord or by emailing security@code4rena.com.", "Q: Any updates on the Trader Joe contest bounties? How long does it usually take for these to be announced and when can we expect the payouts?\n\nA: The timeline for the announcement of contest results, like the Trader Joe contest, is usually around 2 months. This duration is not fixed as it depends on the complexity of the contest and the number of reports under review. It's important to note that the process of judging is rigorous and involves experienced and reputable judges. Following the announcement of awards, the rewards are not immediately distributed. They are usually sent out manually in batches for multiple contests at once, typically within 1-2 weeks after the announcement. The precise timeline for reward distribution can vary and in some instances, there may be delays due to factors such as the DAO employees' holidays. 
Further details about the prizes for different severity levels in the bounty are shared post-judging. If there are no high or medium issues found in a contest, the fate of the rewards pot might vary and will be communicated accordingly. The company aims to process and distribute multiple contest rewards usually by the start of the week, often on Mondays or Tuesdays. Please note that the timing for making the contest findings public depends on when the final report is posted.", "Question: What factors can contribute to a less than optimal team hunting experience in CodeArena?\n\nAnswer: Several factors can contribute to an adverse team hunting experience on CodeArena. \n\nA primary concern is the trust factor, especially when working with anonymous partners over the internet. The lack of face-to-face communication and non-verifiable identities of team members may lead to trust issues and communication gaps.\n\nDiffering levels of experience, skills, and knowledge among team members may also affect a team's performance. Some team members may excel at identifying and theorizing attack paths, while others may struggle with this aspect of the process. Moreover, the varying levels of English language proficiency and technical skills could potentially lead to misunderstandings and miscommunications.\n\nPractical issues such as managing the same team name with different participants working on different contests at different times can also add to the challenges. Furthermore, there are certain contest factors that affect completion which may not be visible to all participants, adding another layer of complexity.\n\nThe rejection of findings without clear reasons can also lead to frustration. 
However, CodeArena does provide reasons for findings rejections, and team members are encouraged to view these to understand the judgement process better.\n\nLastly, there are potential technical issues, such as a blank page opening when adding team members or difficulties with specific courses due to a lack of development background.\n\nCodeArena encourages users to practice and improve their skills to navigate these challenges better. We also encourage open communication within teams and with the CodeArena community for guidance and support.", "Question: What guidelines should I follow when proposing a mitigation in my report at CodeArena?\n\nAnswer: In CodeArena, the mitigation is typically a recommendation along with the identification of vulnerabilities in your report. However, it is not mandatory and you are not obliged to follow it. When providing a mitigation, you can use markdown to write the code. While it's not strictly necessary to fill the \"Recommended Mitigation Steps\" in the bug template, including this can substantially enhance the value of your report. \n\nWhile you can submit medium/high severity reports without proposed mitigation steps, in such cases it's recommended to include an explanation as to why it cannot be feasibly mitigated. Reports generally should contain the issue, its description, a Proof of Concept (where necessary), and the proposed mitigation. The severity level of the reported bugs depends on their impact and various guidelines for estimating risk are provided in the judging criteria document [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr). \n\nPlease remember, if your findings suggest mitigation but the judge and the sponsor disagree, the final decision on the mitigation lies with the sponsor. If a vulnerability you've identified is confirmed by the sponsor via private messages, it may still count during submission, depending on the judgement. 
For more insights on the mitigation process, you may refer [here](https://code4rena.com/how-it-works) and for an in-depth understanding of how the Mitigation Review process at CodeArena works, you can refer [here](https://medium.com/code-423n4/a-look-at-code4rena-audits-mitigation-review-3e05f8b7acb7).", "Question: How does team participation work in CodeArena's smart contract audits?\n\nAnswer: At CodeArena, users have the flexibility to participate in smart contract audits either as individuals or as part of a team. Once a team is formed and approved, they can register and submit their findings collectively. While the experiences of team hunting can vary, it's generally seen as a beneficial way for members to collaborate, bounce ideas off each other, and learn faster. Some challenges, however, have been reported such as managing the same team name with different members working on various contests at different times, and dealing with members who want to participate solo in a contest that the team is also auditing.\n\nDifferent roles exist within teams, including the \"scout\" role, and roles focused on identifying and theorizing attack paths. Each member can contribute their unique skills and knowledge to the auditing process. Team members can make submissions on behalf of their teams, selecting either their solo handle or team handle when submitting a finding. All submissions can be made at https://code423n4.com/reports.\n\nThe reward system in CodeArena is structured to encourage team participation. Rewards are reduced semi-geometrically based on the number of individuals who find an issue, but within a team, the reward is split evenly among members. This means if a team submits a non-duplicate finding, they receive more rewards than if they had individually submitted the same finding. \n\nMembers are not obligated to always participate as a team; they can choose to submit solo findings whenever they prefer. 
Changes to teams, such as the addition or removal of members, are possible, and a team-building channel is available on the platform to help users find teammates.\n\nAlso, there's a leaderboard at https://code423n4.com/leaderboard/ where you can check team rankings. For more specific queries about contest updates, results, team information, and rewards, designated contacts from sponsor teams are available for direct messaging during a contest.\n\nKeep in mind, some issues have been reported with adding members to teams, and the process for submitting issues as a team hasn't been fully clarified. Also, there has been feedback suggesting the need for more explorations of exploits involving batches with several actions.", "Q: How can I withdraw my rewards from CodeArena and what should I keep in mind about the process?\nA: Rewards earned from CodeArena are distributed directly by the CodeArena team rather than through a smart contract. Once your submission is confirmed and the reward amounts are announced, the rewards are sent to your registered wallet address. The distribution process happens manually in batches for multiple contests at a time and typically takes place once per month, generally at the beginning of the month.\n\nYou may notice some rewards are pending after a contest has finished. This could be due to several reasons including the use of multisignature (\"multisig\") wallets, which require signatures from multiple parties before funds can be released. Please be assured that your rewards will be paid out, either partially or fully.\n\nIf you wish, you can change your wallet address where you receive awards. This can be done by submitting a request through the Help Desk at https://code4rena.com/help or simply using a new wallet address in your reports going forward. 
Please note that rewards for the report will be distributed to the wallet address on file at the time awards are calculated for an audit.\n\nAs for the withdrawal of findings, they can be done under \"your findings\" on the contest page. If needed, you also have the option to directly message moderators or administrators to withdraw a submission or to submit a Help Desk request for issues related to reward distribution.\n\nIf you're unsure whether you've submitted an address for rewards, or if you want to confirm or update your reward wallet address, please check out this link https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards or use the help form at https://code4rena.com/help to get assistance.\n\nFor more details on the reward process, you can refer to the CodeArena documentation and for tax and legal questions related to the rewards, please check out this page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions.", "Question: When submitting a report to CodeArena, is it acceptable to not create .orig files and do git diff --no-index a.sol a.orig.sol , but instead just do git diff of the project folder? Also, how should the report be formatted and structured? \n\nAnswer: Yes, it is acceptable to not create .orig files and just do git diff of the project folder when submitting a report to CodeArena. When submitting a report, you can include replaced lines in your submissions using diff tools. If an issue involves various lines changed, you have the option to send a git patch or a PR to the repo. \n\nWhen formatting your report, you may upload results of the git diff command and even include a proof of concept (PoC) in a Gist file. It is also acceptable to provide a link that points to the sponsor's GitHub repo code, but do note that this does not automatically pull in that code snippet to the report. 
In case the proof of concept is very long, you may use external platforms such as Gist to share the proof.\n\nAs for the structure of the report, it's recommended to have one big report for gas and one big report for quality assurance (QA) findings. Medium and high severity findings should each be submitted as separate reports. If you've found multiple occurrences of the same issue, these can be compiled into a single report. It's not necessary to submit reports for all categories - you can submit what you have found.\n\nWhile it's acceptable to include links to the code on GitHub or to refer to a specific file and line number, there seems to be some debate on the best method of referencing code in reports. As such, it's advisable to use the method you feel is most clear and easy to follow.\n\nIt is not necessary to confirm findings with the project's developers before submitting them, but the warden can choose to submit a point thought to be a valid finding.", "Question: Can I include a \"Proof of Concept\" in my issue submission for CodeArena, and if so, what is the best way to do this without exposing potential vulnerabilities to the public?\n\nAnswer: Yes, you can and are encouraged to include a \"Proof of Concept\" (PoC) in your issue submission for CodeArena. This helps to substantiate the authenticity of an issue and can demonstrate the potential impact of the problem, making it less likely to be marked as invalid. \n\nThe PoC can be included in the submission in various ways, depending on the size and complexity of the proof. If the PoC is concise, it can be added directly to the report under the 'Proof Of Concept' section. For larger or more complex PoCs, you are allowed to use an external platform such as Github Gist to provide the evidence. \n\nWhen using Github, you do not have to make your repository public and risk exposing vulnerabilities to the public. 
You can use a private \"secret gist\" to share the code example and remain compliant with CodeArena guidelines. You can also add a link to the gist in your submission if the PoC is too large to embed directly in the issue.\n\nIf you're submitting a high severity issue, it's particularly important to include working code that demonstrates the impact. Not doing so may lead to a high severity issue being downgraded or deemed ineligible for awards. \n\nRemember, while it's not mandatory, including a coded PoC can better explain the reported issues and adds credibility to your findings. However, it won't affect the awards or the contest per C4 guidelines.\n\nFind more details about including a proof of concept in this link: [How to Include a Proof Of Concept](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept)", "Question: Can calldata arguments be used exclusively for external or public functions in a smart contract?\n\nAnswer: Contrary to common belief, calldata arguments are not strictly confined to external and public functions. They can be used as an entry point to these types of functions but they can also pass calldata data pointers to internal and private functions. Essentially, a calldata argument in an internal function serves as a pointer.\n\nThe use of calldata becomes particularly beneficial in the context of gas optimization. It's commonly used for read-only arrays as it's cheaper because these don't need to be iterated and copied into memory. Swapping the order of a function that first checks from storage, then checks the calldata, could potentially optimize the gas.\n\nHowever, note that calling a contract's own function would be considered an external contract call and would change the msg.sender value inside the function. 
More information about how functions like delegatecall work with storage can be found in the Solidity docs and the Geth source code at https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302.\n\nIt's also important to consider that when dealing with upgradeable contracts, the implementation contract storage can't be used to affect the delegate caller contract when delegatecall is in use. And calling a view/pure function from a non-view/non-pure function in the same contract does cost more gas.\n\nLastly, it's worth noting that while function inlining can be used to save gas in smart contracts, there's a statement that \"internal functions only called once can be inlined to save gas\" that has generated some discussion and you may want to delve deeper into it for more specific scenarios.", "Question: Can you explain how calldata argument works in an internal function and whether it's efficient in terms of gas usage?\n\nAnswer: Yes, a calldata argument in an internal function is essentially just a pointer. It's important to clarify that calldata arguments are not exclusive to external/public functions but can also be used to send data pointers to internal and private functions. \n\nCalldata is particularly efficient for read-only arrays as they don't need to be copied into memory and iterated, thus making it a cheaper option in terms of gas usage. However, the choice between using storage or calldata greatly depends on their respective costs in your specific use case. For instance, caching a storage pointer avoids re-computing the position, making it a cheaper option.\n\nWhen it comes to gas optimization, the order of a function that first checks from storage, then checks the calldata could potentially optimize the gas, but this would likely be very dependent on the specifics of the contract code. 
It should also be noted that function inlining, the process of replacing a function call with the contents of the called function, can be used to save gas in smart contracts where the internal function is only called once.\n\nAdditional information on how functions like delegatecall, which allows for calling functions in other contracts, work with storage can be found in the Solidity docs and the Geth source code at https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302.\n\nRemember, it's always important to consider gas efficiency when writing your smart contracts and there are various best practices and strategies available, including use of storage slots and packing variables in Solidity, which can be found at https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html.", "Question: When the clone function creates a new contract instance, does it call the constructor and how does it handle initialization? \n\nAnswer: No, when a clone function creates a new contract instance, the constructor is not called. This is because a clone is a type of proxy contract, more specifically a minimal proxy with a fixed implementation address as described in this Ethereum Improvement Proposal: [EIP-1167](https://eips.ethereum.org/EIPS/eip-1167). \n\nIn the context of these clones, initialization is handled through a special non-constructor initializer function. This function is used to set any necessary parameters for the contract. It's important to note that caution needs to be exercised to ensure that this initializer function cannot be called multiple times or be frontrun. \n\nA common example of a situation where an initializer might get frontrun is in the context of an 'initialize function'. This is a crucial detail to keep in mind when writing or auditing smart contracts. \n\nIt's also worth mentioning that there are automated tools available to verify if a contract has been initialized on the Ethereum mainnet. 
This could be a useful resource in auditing and managing smart contracts. \n\nIn conclusion, while the creation of new contract instances through a clone function might seem similar to a standard contract deployment, the absence of a constructor call and the need for a specific initializer function introduces unique considerations and potential pitfalls.", "Question: I've noticed that the public report page is updated mid contest and my findings weren't initially listed, but now they are. How can I edit my submission or check on its status?\n\nAnswer: The public report page for CodeArena's contests is indeed updated mid-contest. However, please note that findings submitted for contests may not immediately appear on the list, and not all submitted findings make it to the final report. \n\nTo edit a submitted finding, you should go to the contest page where you submitted your finding. Here is an example link to a contest page: https://code4rena.com/contests/2023-02-ethos-reserve-contest. On the contest page, look for the \"My findings\" or \"Your findings\" option, and click it. This will allow you to view, edit, and even withdraw your findings if needed. \n\nThe status of a participant's findings is not available for view during the judging process, which happens after a contest has ended. To check if your findings have been accepted or rejected, you will need to wait until the public report is published. This usually takes at least a month after the contest ends. \n\nRemember, after the leaderboard is shown and rewards are sent, the final report may not immediately appear on the C4 site. It's recommended to wait until the full public report is published before doing a write-up of an issue or bug found in a project. 
\n\nYou can also review the \"Known Findings\" section on the Readme Page of each contest to see automated findings that were not accepted in the contest.\n\nLastly, if you submitted issues for a contest but did not make the award list, it's likely that your issues were rejected. You can confirm this by reviewing the published report.", "Question: How can I start auditing the codebase, and what is CodeArena's policy regarding pushing code to GitHub and disclosing information?\n\nAnswer: As an auditor, you may fork the codebase and create a private repository on GitHub without it being deemed as information disclosure. The findings during your audit will be created and submitted as a GitHub issue. It's important to note that the audit can include both contracts and script folders within the GitHub repo, but you're advised to always read the README.md for each contest, as it outlines what is in scope for auditing and what is not. \n\nWhen providing a \"Proof of Concept\", you do not need to make your GitHub repository public, which might expose potential vulnerabilities. Instead, you can use a private gist for this purpose. Additionally, you can reference code in your reports either by leaving direct links to the specific GitHub code or referring to a specific file and line number. \n\nPlease remember that the audit process can begin even before your code is complete. You can view audit reports on GitHub, and each report title is a link to the report. If no testing environment is provided in the repository, you have the option to create your own tests or isolate parts of the code for testing. \n\nFor further guidance, CodeArena provides a tool for running audits, located at https://github.com/HardlyCodeMan/audit_helper/.\n\nIn case you are worried about privacy, some community members set up separate GitHub accounts for their CodeArena work. 
If you have a Proof of Concept code, you can consider adding a zip file to the submission or sharing a private GitHub repository. \n\nFor more information on the auditing process, please visit https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept. \n\nTo participate in private audits, you will need to be certified. More information on certification can be found at https://docs.code4rena.com/roles/certified-contributors.", "Question: \nIn the context of smart contracts, under what circumstances can a delegatecall return false and what are the implications if the target function reverts?\n\nAnswer: \nDelegatecall in a smart contract can return false when the called function call fails or ends with an error. It's a low-level function in Solidity often used in upgradeable contracts, where the state of the calling contract needs to be preserved. If a delegatecall encounters a revert in the target function, it means that an error or exception has occurred, which causes all changes to the state to be reverted back to what they were prior to calling the function. \n\nA key point to remember when dealing with upgradeable contracts is that the storage of the implementation contract cannot affect the delegate caller contract when delegatecall is used. This is because delegatecall runs the code of the target contract in the context of the calling contract, meaning that all changes to the state occur in the calling contract, not the target.\n\nAlso, if a delegate call from a receive function is used, it's worth noting that the calling convention could differ depending on the context. 
For instance, calling a contract's own function such as \"InterfaceA(address(this)).functionA();\" would be considered an external contract call and would change the msg.sender value inside the function.\n\nIn cases where a function call always reverts but assets are not at risk, the finding can be considered as a Medium or High finding, depending on the context. A bug that relies on the user making a mistake in interaction with the contract, while still valid, may not have the same severity as if it doesn't require a mistake.\n\nYou can find more about how functions like delegatecall work with storage in the Solidity documentation and the Geth source code at https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302. \n\nIt's important to be aware of these nuances when dealing with smart contracts, as they could have implications for the security and functionality of your contract.", "Q: How can I include images or proof of concepts (PoC) in my report submission at CodeArena?\n\nA: To include images or proof of concepts (PoC) in your report submission, you have several options. You can link images externally if they are part of your PoC. Free image hosting platforms such as https://cloudinary.com/ allow you to upload your image and then copy the URL to include in your report.\n\nIf you have written a PoC script for a vulnerability, you can link this within your submission where relevant. Long PoCs can be submitted using external platforms like Gist, and you can add this link to your report. The PoC can be presented in either code or plain English.\n\nAlternatively, you can create a public GitHub repository to submit PoCs or provide a diff of an existing sponsor-supplied test/contract. 
You can also add images to your report submissions by uploading to your Gist, submitting the report with the Gist link, and later deleting your Gist.\n\nFor more detailed instructions on how to include a PoC in your submission, you can visit https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept and https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc.\n\nIt's important to note that while PoCs are recommended for submissions, if you're unable to provide one for a medium severity bug, it may cause your finding to be disregarded unless the bug is very obvious. So it's always best to include a PoC to back up your findings.", "Question: What is the process and timeline for becoming a certified auditor with Code4rena after approval from Provenance?\n\nAnswer: After you've registered with Provenance and your KYC has been approved, your role will be processed by Code4rena. This typically takes a few days, but if there's no response within that timeframe, you can open a help desk request here: https://code4rena.com/help. Once you're approved, you can participate in audit contests, including private audits. The review period for an audit by the judges can be approximately 8 weeks, but wardens can generally see findings immediately upon audit close. For more detailed information about the certification process and prerequisites, visit https://docs.code4rena.com/roles/certified-contributors. If you're interested in invitational audits, you must be certified, and more details can be found on this link: https://docs.code4rena.com/roles/certified-contributors. To receive payment for contests, you need to complete the form at https://code4rena.com/certified-contributor-application and go through the ID verification process run on behalf of CodeArena by Provenance. You can also find an estimated timeline for the overall process here: https://docs.code4rena.com/structure/our-process. 
Note, however, that timeframes can vary based on individual circumstances and workload.", "Question: What is the purpose and function of the #\ud83d\udd06hm channel in CodeArena's Discord chatroom?\n\nAnswer: The #\ud83d\udd06hm channel on CodeArena's Discord chatroom primarily functions as a space for discussing high and medium level issues, reward details, and exploit paths related to the smart contract auditing contests. It does not directly pertain to findings within a contest. When users are using automated tools for attack findings, a higher burden of proof is required to demonstrate a relevant HM exploit path. More details about this can be found [here](https://github.com/code-423n4/org/discussions/50). Please note that this channel is not the appropriate place for posting doubts related to Ethereum Virtual Machine (EVM) security - these should be directed to the #\ud83c\udf33everything-evm channel. If users are curious about the use of fuzzing tools like Echidna, it would be more appropriate to discuss this in a relevant contest or educational channel.", "Question: Could you provide any case studies on vulnerabilities related to front-running the init() function in smart contracts?\n\nAnswer: Yes, there are several examples of such vulnerabilities, one of which can be found under point no. 12, \"Initialization functions can be frontrun\", in the ToB Hermez audit. [Link](https://github.com/trailofbits/publications/blob/master/reviews/hermez.pdf). \n\nThis vulnerability can expose the contract to a ransom attack where an attacker gains ownership of the uninitialized contract and demands a ransom to relinquish it. Therefore, depositing funds in an uninitialized contract can carry significant risks. Such vulnerabilities, including sandwich/front-running attacks, are considered valid and are within the scope of CodeArena's competitions. 
\n\nWhen auditing smart contracts for vulnerabilities, it is important to scrutinize the initialization function because it could potentially be 'frontran'. However, it's noteworthy to mention that not all vulnerabilities found may be eligible for medium or high categorization unless there's a clear explanation of the exploit path. For instance, an external function that transfers ERC20 tokens without reentrancy protection may not be considered a critical vulnerability unless the exploit path is clearly defined.\n\nIn addition, vulnerabilities affecting the main contract, even if found in an out-of-scope contract, should be reported. It's also beneficial to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid. \n\nFurthermore, it is suggested that you refer to past contest reports to understand the kind of vulnerabilities that have been revealed, as they can serve as valuable learning material. Automated tools alongside manual audits can also aid in verifying if a contract has been initialized on the Ethereum mainnet. A smart contract scanning tool that can detect price manipulation vulnerabilities is available [here](https://app.metatrust.io/project). \n\nBut remember, while assessing vulnerabilities, it's crucial to understand the severity and potential impact. Misjudging the severity of a vulnerability could lead to penalties. It's therefore recommended to read through platforms like [this](https://github.com/code-423n4/org/discussions/34) for more insights.\n", "Question: Why are some contest rewards still pending even after the contest has ended on CodeArena?\n\nAnswer: The reward distribution for contests on CodeArena does not occur immediately after the contest has ended or even immediately after the reward amounts have been announced. 
Each reward distribution is a manual process that is done in batches for multiple contests at a time, involving the calculation of awards and confirmation of sponsor contributions. \n\nThe duration between the announcement of the rewards and the actual distribution to the winners' wallets can range anywhere from 1 to 2 weeks. This delay is partly due to the time it takes for involved sponsors to process the rewards and partly due to the need for the completion of any remaining judging and calculation processes. There are instances when a contest is fully judged, but rewards are yet to be computed or distributed.\n\nAnother factor to consider is the leaderboard updates. There have been instances where rewards were announced before the leaderboard was updated, which might lead to confusion about the pending status. The final report of the contest may not immediately appear on the C4 site even after the leaderboard is shown and rewards are sent. It is recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project.\n\nIn some special cases, if a team wins a prize but is unable to claim it due to Know Your Customer (KYC) regulations, it's currently unclear whether the prize will be on hold until they complete the KYC or if it's forfeited.\n\nIt's important to note that some factors affecting the processing and distribution of contest rewards may not be visible or communicated to all participants. Therefore, it's recommended for participants to wait for official announcements and updates from CodeArena regarding the status of their pending rewards.", "Q: How do I use the #\u270brsvp channel to participate in CodeArena contests?\n\nA: The #\u270brsvp channel is a dedicated space on our Discord platform where we announce updates about upcoming contests, bot qualifiers, and public audits. 
To participate, you need to keep an eye on this channel for announcements about new contests which can be either public or private. Once a contest of your interest is announced, you can react to the message in the channel to indicate your interest in participation.\n\nThe bot registration for these contests is opened every couple of weeks, details of which are also posted in the #\u270brsvp channel. If a contest is labeled as a \"Verified Contest\", it means it's a top-tier project that occasionally appears. For any queries regarding these contests, you can tag the channel by typing \"#channel\" in your message. \n\nPrivate contests have their RSVPs available in a channel only visible to certified wardens. If it\u2019s in the #\u270brsvp channel, it\u2019s a public contest. You can also check the #\ud83d\udce2announcements channel for general updates. If you are participating as a team, you can signal your team's involvement by responding in the created threads or the RSVP. Please refer to the following link to access the #\u270brsvp channel: https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784.", "Question: What is the RSVP feature and how can I use it to get involved with CodeArena's audit opportunities?\n\nAnswer: The RSVP feature on CodeArena's Discord platform is a way for participants to express their interest in upcoming audit opportunities. To use this feature, simply react to the relevant message in the #\u270brsvp channel, which can be accessed using this link: https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784. \n\nThis channel is where CodeArena announces new contests and important updates. It also provides information about which contests are public or private. For private contests, you need to be a certified warden to access the RSVPs in a dedicated channel. 
To participate in private contests after certification, RSVP in the rsvp-certified channel and ensure a high position on the leaderboards from the last 90 days. \n\nThe RSVP process also includes participation in versus audits and bot qualifier races, the details of which are also shared in the #\u270brsvp channel. The involvement of teams is considered based on their leaderboard ranks for RSVP certified jobs. \n\nCodeArena occasionally organizes RSVP contests, and participants can signal their involvement in these contests by responding in the created threads. Information about future qualifiers, the opening of bot registration, the meaning of \"Verified Contest\", and other valuable details can also be found on the #\u270brsvp channel. \n\nKeep in mind that if a contest is in the public RSVP channel, it means it's a public contest. Notifications about new contests are also provided on the company's website and the Discord channel for the contest. \n\nIn summary, the #\u270brsvp channel is an essential resource for anyone interested in participating in CodeArena's audit contests.", "Question: What is the purpose of the #\ud83d\udd06hm channel and how are high and medium findings classified and rewarded in CodeArena contests?\n\nAnswer: The #\ud83d\udd06hm channel in our Discord chatroom is a platform for discussion and does not directly pertain to findings within a contest. In CodeArena contests, findings are classified as high, medium, or quality assurance (QA) based on the severity of the loss caused by the issue. High classification typically involves sizeable fund loss or severe consequences that do not require pre-conditions. Medium consequences usually have a lesser impact and specific pre-conditions such as high attack difficulty, specific market conditions, or user unawareness. The reward for a high/medium finding can be calculated using the formula provided here: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. 
For each unique high or medium finding, the submission selected for inclusion in the audit report receives a 30% share bonus. If no high/medium (H/M) issues are found in a contest, the entire rewards may move down to Quality Assurance (QA). Additionally, the amount of prize money paid to each Medium/High risk can be checked at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. It is important to note that misclassifying a bug's severity in a submission does not disqualify it from receiving a reward; a high severity bug that turns out to be only of medium severity still receives the reward for a medium bug. Finally, for users utilizing automated tools for attack findings, there is a higher burden of proof to demonstrate a relevant H/M exploit path to be considered satisfactory, as detailed here: https://github.com/code-423n4/org/discussions/50.", "Question: What is the process and best practice for submitting bugs and gas optimizations at CodeArena (C4)?\n\nAnswer: The best practice for submitting bugs and gas optimizations is to follow the guidelines outlined in our [submission policy](https://docs.code4rena.com/roles/wardens/submission-policy). You can also review past audit contest reports for examples of the best submissions [here](https://code4rena.com/reports). \n\nWhen submitting, gas optimizations should be reported separately, and if you have multiple ideas, they can be compiled into a single report. If a gas optimization affects multiple lines of code, it should be submitted as one finding and should mention all affected lines. Including the amount of gas saved via the refactored code in your report is also beneficial. \n\nSubmissions should be specialized, meaning QA findings and gas findings should be submitted separately. High, medium, and low severity findings should each be submitted as separate reports, although a medium-severity bug that also affects gas can be included in both medium and gas findings. 
\n\nIf your gas report is larger than ~65k characters and can't be submitted through the form due to GitHub's max character limit for issue descriptions, you can email it to submissions@code423n4.com.\n\nTemplates or guides for gas/QA reports in terms of formatting can be found [here](https://github.com/code-423n4). \n\nFor low and non-critical reports and gas optimizations for the Badger Citadel, they should be submitted through the same form. Examples of past submissions can be found [here](https://code423n4.com/reports). \n\nGas optimizations inside view/pure functions can be reported, and better definitions of the formula are eligible for the contest. \n\nFor rewards, the split for a case where multiple people, including members of the same team, identify a gas optimization, can be calculated using a formula present [here](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). \n\nPlease note that there's no intentional incentive for reporting QA type of submissions, as sponsors are primarily interested in high/medium/low severity vulnerabilities and gas optimizations. \n\nLastly, if you require further clarification on gas optimization or have any other queries, feel free to ask in our Discord chatroom.", "Question: What is the process and timeline for becoming a certified auditor with Code4rena?\n\nAnswer: Once you have submitted your application to become a certified auditor with Code4rena, we'll start reviewing your credentials. After the initial review, if your application is accepted, you will be able to take part in audit contests. The review process by the judges can take about 8 weeks post-audit. Please note that to participate in invitational and restricted audits, you need to be a certified contributor. The full details of the certification process, including prerequisites and guidelines, are available at [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors). 
If you believe you are eligible for a backstage role or wish to check your eligibility, you may submit a request at [https://code4rena.com/help](https://code4rena.com/help). Also, remember that some audits require completion of the KYC process. We always have more audit contests in the pipeline, which are listed on our website [code423n4.com](http://code423n4.com). We appreciate your patience and interest in becoming a certified auditor with Code4rena.", "Question: Is there ever a situation where using require statements with a string are more gas efficient than reverting with custom errors in Solidity smart contracts? If so, when should one be used over the other?\n\nAnswer: From discussions among users and references, it seems that custom errors generally save approximately 50 gas each time they're engaged, as they avoid the need to allocate and store the revert string. Therefore, custom errors are considered more gas-efficient than require statements with a string. You can find a detailed explanation of this at these links: https://gist.github.com/IllIllI000/ad1bd0d29a0101b25e57c293b4b0c746 and https://blog.soliditylang.org/2021/04/21/custom-errors/#errors-in-depth.\n\nHowever, it's important to note that the choice between these two might also be influenced by other factors beyond gas efficiency. For instance, code readability is often considered as critical as gas efficiency. In such a case, using a constant value to make the code more readable might be preferable. \n\nAlso, note that should there be a failure in the require statement after a state change, the state will be reverted back to what it was prior to calling the function. Furthermore, if you are looking for further gas optimization, using the 'unchecked' command in loops or function inlining is recommended. 
\n\nIt's also crucial to understand the details of your smart contract and the specific scenario at hand, as there might be cases where specific gas optimization techniques could be more efficient. For example, certain conditions like \"x != 0\" may be cheaper than \"x > 0\" only in require statements and only prior to version 0.8.13 of Solidity. \n\nRemember, optimizing for gas efficiency is a complex task, and it's always recommended to utilize static analysis tools or automated gas optimization tools, carefully analyze your contract and its requirements, and consider readability and simplicity alongside gas efficiency.", "Question: Are custom errors in Solidity smart contracts more gas efficient than require statements with a string, and if so, when should I use one over the other?\n\nAnswer: Custom errors in Solidity smart contracts can be gas efficient as compared to require statements with a string. As per the discussions in our chatroom, it was highlighted that custom errors can help save approximately 50 gas each time they're used by avoiding having to allocate and store the revert string. You can refer to this detailed explanation here: [1](https://gist.github.com/IllIllI000/ad1bd0d29a0101b25e57c293b4b0c746) and here: [2](https://blog.soliditylang.org/2021/04/21/custom-errors/#errors-in-depth).\n\nThe cost benefit of custom errors becomes significant when the error string in the require statement is greater than 32 bytes. This is because in Solidity, a string goes above size byte32 when it reaches 33 bytes, with one byte per character. Once it goes past 32 and becomes a string, another word is added for the length [3](https://ethereum.stackexchange.com/questions/11556/use-string-type-or-bytes32).\n\nHowever, it's worth noting that the gas efficiency of require statements can also be influenced by the condition checks within them. 
For instance, the check \"x != 0\" is cheaper than \"x > 0\" only in require statements and only prior to 0.8.13.\n\nFinally, remember that when it comes to error handling, gas efficiency is just one of the factors to consider. Readability of the code, the nature of the error being handled, and the implications of the error on the state of smart contracts should also be taken into account.", "Question: Is it compulsory to include the \"Recommended Mitigation Steps\" in the bug template when submitting a report? Does it influence the selection of the report for the final audit?\n\nAnswer: Including the \"Recommended Mitigation Steps\" in your bug submission is not strictly required, however it significantly enhances the value of your report. When you provide useful recommendations for resolving a bug, it makes your submission more thorough and valuable, therefore increasing your chances of being selected for the final audit report. \n\nWhile you can submit a report without mitigation steps, if you believe there are no feasible mitigation steps, it's advisable to include an explanation as to why. If a vulnerability is challenging to fix without major changes, it can still be reported. Your recommendations, while not obligatory, are highly appreciated. Furthermore, if mitigation steps are included, you can use markdown to write the code in the report.\n\nWhen reporting bugs, your report should ideally include the issue, description, Proof of Concept (where necessary), and mitigation (when possible). The severity to be reported depends on the impact of the bug, and you're encouraged to review the guidelines for estimating risk provided [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr).\n\nLastly, it's acceptable to provide a link to a competitor of the project as a mitigation for an issue when submitting findings. 
However, it's vital to note that bots are discouraged from proposing mitigations.", "Question: Does the current C4udit recommend adjusting require statements in all instances, including those that are not more than 32 characters, and how does the audit handle different scenarios in smart contracts?\n\nAnswer: The current C4udit focuses on identifying require statements with an error string attached. It does not specifically count the size of the error string. However, it's crucial to note that a string goes beyond size byte32 when it reaches 33 bytes, with one byte per character. This information can be found in this resource: https://ethereum.stackexchange.com/questions/11556/use-string-type-or-bytes32\n\nIn the context of smart contracts, a code line like 'require(abc<123)' is considered a valid low finding as a \"magic number\". It's been suggested that declaring a constant value can enhance code readability. \n\nWhile auditing, it's also important to understand the gas efficiency of custom errors versus require statements with a string. Custom errors are generally more gas-efficient and should be used when possible. \n\nMoreover, if a single line of code has multiple exploitation methods, it is advisable to report it as one bug or multiple based on its context. Known issues should be excluded from gas reports, and all occurrences of the same issue can be reported together in a single report. \n\nFor larger codebases, more time may be necessary for a thorough review to avoid missing bugs. Also, reports should contain the issue, description, Proof of Concept (where necessary), and mitigation (where necessary). \n\nOne more aspect to note is that one-step changes with critical addresses could lead to errors, and two-step changes are considered safer and better practice. 
\n\nIn terms of gas optimization reports, mentioning the amount of gas saved for every finding could be beneficial, and providing proof of how much gas the refactoring saves may affect the grade of the submission. \n\nFinally, it's important to consider the guidelines on how to group different reasons why a function might not work in a report and to report any gas optimizations separately when submitting findings.", "Question: What is the recommended tool or website to view and interact with on-chain contracts of etherscan in an IDE-like environment, and how can I download these smart contracts?\n\nAnswer: The referenced tool for viewing on-chain contracts of etherscan in an IDE-like environment is a specific Discord link: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484. However, this seems to be a link to a specific Discord channel, and not a viewing tool itself. \n\nIf you want to download all the smart contracts deployed at a specific address, you can do this on Etherscan.io. You can also convert a contract address into a separate solidity file using a service that converts the typical .io etherscan link to .deth.net. For instance, you can change https://etherscan.io/address/0x27f461c698844ff51b33ecffa5dc2bd9721060b1/advanced#code to https://etherscan.deth.net/address/0x27f461c698844ff51b33ecffa5dc2bd9721060b1/advanced#code.\n\nAnother relevant tool shared in the discussion is a GitHub repository that could be useful for smart contract visualization: https://github.com/DanielVF/evm-contract-draw. \n\nRemember, when using any of these tools, be cautious and ensure security practices, especially when auditing smart contracts, as it's a critical part of the blockchain eco-system. 
If you're new to this field, several resources can help you get started, such as the educational channel on the CodeArena Discord server or the documentation at https://docs.code4rena.com/roles/wardens/tools-and-resources.\n\nPlease note that this information is based on user discussions and may not be fully accurate or complete. Always verify from trusted sources or seek expert advice when needed.", "Question: What is the amount of gas saved when using custom errors in smart contracts and what are the advantages over other methods like require statements with a string?\n\nAnswer: Custom errors in Solidity smart contracts can save approximately 50 gas every time they're invoked, as they avoid the need to allocate and store the revert string. This is in comparison to require statements with a string, where custom errors are more gas efficient. \n\nThe discussion about the gas efficiency of custom errors in contrast to require statements can be found in these detailed explanations: https://gist.github.com/IllIllI000/ad1bd0d29a0101b25e57c293b4b0c746 and https://blog.soliditylang.org/2021/04/21/custom-errors/#errors-in-depth.\n\nWhen optimizing for gas, other techniques can also be considered, such as using the 'unchecked' command in loops, function inlining, not initializing default variables to 0, and packing variables into fewer storage slots as Solidity stores state variables in 32 bytes storage slots. \n\nHowever, considerations must be made as to when and where these techniques are applicable. For instance, in the case of function inlining, it is only beneficial if the internal functions are only called once. Similarly, the 'unchecked' command in loops should be used with caution due to potential overflow/underflow risks.\n\nWhen submitting gas optimization reports, it is beneficial to specify the amount of gas saved for each optimization. 
The Hardhat gas report plugin can be a useful tool for code benchmarking and calculating these gas savings.\n\nHere are some references for further reading on gas optimization in smart contracts: \n- CodeArena Report: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations\n- Solidity Storage Layout Document: https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html\n- Common Gas Optimizations: https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md.", "Question: I've achieved high placements in Code4Rena contests and now require a letter from a respected security expert confirming that Code4Rena is a highly-regarded organization for my US visa application. What is the process to request such a letter?\n\nAnswer: Code4Rena recognizes the importance of your accomplishments and we are willing to assist with your request. However, such requests require a formal process. Firstly, we recommend you to become a certified contributor if you are not already one. This implies that you have a high level of knowledge and expertise which is recognized broadly in the industry. You can apply to become a certified contributor at https://docs.code4rena.com/roles/certified-contributors. \nOnce you're a certified contributor, you can send your request for a confirmation letter through our Help Desk at https://code4rena.com/help. A Code4Rena staff member will verify your information and, if approved, can provide the letter you need. \nPlease note that the certification process does require the fulfillment of some prerequisites, which are detailed on the link provided. 
For any additional inquiries or concerns related to this process, or for other private questions, you can contact a Code4Rena team member through a Help Desk request.", "Question: What is the procedure for discussing and revealing findings from audits on CodeArena's platform?\n\nAnswer: When you participate in a CodeArena audit, your findings should remain confidential until the final report is published. During the audit, you are permitted to discuss potential findings with the project's development team either in the contest channel or through private messaging. This does not invalidate the findings. \n\nOnce the audit is complete, the findings repository containing the results will become public. However, the precise timing of this is not specified and differs from case to case. After the findings repository is public, participants are allowed to discuss the findings. These discussions can be carried out in the #announcements channel on Discord, which is where the public announcement of the results is made. \n\nYou can also review the findings of other participants once the repository is made public. This is encouraged particularly for new participants as it can provide a learning opportunity. \n\nYou cannot edit your findings once they are submitted, although discussions around implementing this feature have been held. However, you can withdraw your findings under \"your findings\" on the contest page if needed. \n\nYou can ask questions about specific topics or contests in the designated channels on Discord. Also, feel free to use the platform for general security discussions and not just CodeArena-related questions. \n\nFor any information about which contests are public, you can refer to the #\u270brsvp channel. Automated findings for a contest can be found in the pinned messages of the contest's channel.\n\nIn any case, do refrain from discussing audit details on any public platform until the report is published. 
This is to give sponsors time to act on the feedback and address any issues identified during the audit. \n\nPlease note that these guidelines are based on the observations from the chat and may not reflect the current policies of CodeArena.", "Question: What are the rewards and guidelines for submitting a new detector in CodeArena audits and contests?\n\nAnswer: When submitting a new detector in CodeArena audits, you can earn Karma Points. In terms of contest rewards, there are several types, such as Scout, Lookout, and Judge awards. Additional rewards are given for the best reports and for non-duplicate findings. However, the prize for a finding reduces by approximately 10% for each duplicate submission. If a high-risk finding is judged as low risk, the submitter will still be rewarded and vice versa.\n\nIt's also important to note that while users can submit a report without being certified, a certification is necessary to receive rewards. To submit findings, there's a form on the website for each contest. After a finding is submitted, participants can expect a follow-up and can find feedback on their submitted findings. It's also possible to edit submitted findings for a contest. \n\nFor contest participants, there is a mechanism to upgrade the risk level of their submitted findings if the contest is still open. For more detailed information about the rewards for each warden for each bug per contest, please refer to [the findings list](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv).", "Question: How does the reward distribution work in a CodeArena audit contest, particularly for teams, and can the team modify the percentage share of the reward for each member?\n\nAnswer: In a CodeArena audit contest, the reward is sent to a single address nominated by the participating team. It is then the team's responsibility to distribute the reward amongst themselves. 
Teams have the flexibility to determine the share of each member according to their agreement or contributions. A multisig wallet or OpenZeppelin's PaymentSplitter can be used to manage the distribution of prize money amongst team members. \n\nWhen a team registers for a contest, all their audit findings belong to the team. If multiple auditors, be it individuals or teams, report the same bug, they all get a portion of the bounty, with the best report typically receiving more money. Duplicates below a certain threshold might not receive any money. \n\nIf a team wins a contest but cannot claim the prize due to KYC issues, it is currently unclear whether the reward will be put on hold or lost. The reward amounts in contests come from the sponsor and the distribution does not happen immediately upon reward announcement. The exact timing of the distribution has not been specified.\n\nIt's also important to note that there is ongoing discussion about managing teams where not all members participate in the same contest and how to distribute rewards among those who contributed.\n\nFor more information, please refer to the CodeArena Incentive Model and Awards document: https://docs.code4rena.com/incentive-model-and-awards, and the relevant discussion on GitHub: https://github.com/code-423n4/org/discussions/43.", "Question: What does the duration mentioned in CodeArena's contest, such as \"24 days\", refer to?\n\nAnswer: The duration or timeline mentioned in CodeArena's contest, such as \"24 days\", typically refers to the period during which the contest is active or the length of time between announcements of rewards. However, it can also refer to different timelines related to the contest, such as the duration for audit of a project, the period within which participants need to start the process after finishing the audit, or even the time within which participants can expect to receive rewards after the competition. 
This duration can vary based on various factors, such as the complexity of the project, the number of Source Lines of Code (SLOC), and specific contest requirements. For instance, concerns were raised about the limited duration (20 days) for the audit of a project named Maia, which has 12K SLOC. There are also instances where the project timeline was extended to 4 or 5 weeks. Additionally, participants have been given 30 days to complete the process after finishing the audit. In some cases, due to unexpected issues, the contest timeline may be extended, such as the Rolla contest which was extended by 24 hours due to Github issues [Link](https://discordapp.com/channels/810916927919620096/953009382021533696/956244354496856174). Please keep in mind that these timelines can be flexible and may be adjusted based on the contest's demands and the participants' needs.", "Question: Where can I find the list of optimizations/L1 issues that are audited, and how can I submit and review issues related to smart contract audits in CodeArena?\n\nAnswer: You can find the list of optimizations/L1 issues that are audited by CodeArena on our GitHub page, specifically at this link: https://github.com/Picodes/4naly3er/tree/main/src/issues. The list covers all approved findings and gas optimizations that are considered in the audits.\n\nTo submit issues, particularly relating to gas optimization, and for detailed discussions on specific problems, you can refer to this discussion link: https://github.com/code-423n4/org/discussions/50, and the submission guidelines available here: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. Remember that it's best practice to create different issues for different optimizations as single issues will be judged as one.\n\nFurthermore, if your finding is mentioned in the 'Known Findings' section in a contest, it may likely be disqualified. 
The 'Known Findings' section is available on the Readme page for each contest.\n\nOnce submitted, you can browse and review the issues at https://code4rena.com/reports. Each issue provides a link to the relevant Github issue for in-depth discussions. For example, here are links to top QA reports from recent audits: https://github.com/code-423n4/2022-04-backd-findings/issues/182, https://github.com/code-423n4/2022-04-phuture-findings/issues/56, and https://github.com/code-423n4/2022-04-dualityfocus-findings/issues/33.\n\nFor those starting, it's recommended to review findings from previous contests. For example, you can refer to a previous competition finding shared here: https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137. This will help you understand areas of improvement and familiarize yourself with common issues. \n\nLastly, if your Proof of Concept (PoC) for an issue is too large to embed directly in the issue, you can provide a link to it. This method is widely accepted and used by many wardens.", "Question: How can I use the dollar sign in markdown without creating a mathematical expression, and what other markdown formatting options are available for use on Code4rena?\n\nAnswer: When using Markdown on Code4rena, you can write a dollar sign without creating a mathematical expression by typing \"$\". Markdown can be used for formatting text in various ways, such as adding code blocks, embedding images, or highlighting syntax. Code blocks can be added with the markdown format by enclosing the code within three backticks (```), and you can specify the language for syntax highlighting, as in ```solidity for Solidity syntax. You can embed images following the guidelines provided [here](https://www.markdownguide.org/basic-syntax/#images-1). \n\nMarkdown can be used in different sections of Code4rena such as the submission form, issue titles, reporting section, and even in the finding body. 
However, it's recommended to only include links in the small box of the finding body. Also note that HTML tags aren't supported in the findings report page, so Markdown is the preferred format.\n\nMore information on how to add code blocks in markdown format can be found on the [GitHub documentation](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks). If you're not familiar with markdown, you may find this [resource](https://markdown-it.github.io/) useful. \n\nWhen submitting through the Code4rena interface, a markdown template is suggested, and you're free to use any platform that supports Markdown to write your reports, such as GitHub, Joplin, VScode, or Notion. However, bear in mind that the Markdown renderer on the site might not always be accurate, in which case viewing the code on Gist can give you a better formatted view.", "Question: What is the reason for the 32-byte length when encoding an address value in Solidity and how does this impact EVM and storage?\n\nAnswer: The particular 32-byte length for encoding an address value is a result of how Solidity and the Ethereum Virtual Machine (EVM) work. The EVM operates with a slot size of 32 bytes. When an address, which can be casted to \"bytes20\", is encoded using abi.encode, any extra space in the address field is filled with left padding filled with zeroes. This is to ensure the data is compliant with the ABI specs for the EVM. You can find a discussion on this topic at https://github.com/code-423n4/2022-03-maple-findings/issues/16. \n\nIt's important to note that Solidity stores state variables in these 32 bytes storage slots, which is a design choice that can impact gas costs. If variables are packed into fewer slots, it can reduce gas costs and as such is considered a good practice for optimizing smart contracts. 
More details about this can be found in the documentation at https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html. \n\nMoreover, when a string goes above the size limit of byte32, meaning it reaches 33 bytes with one byte per character, another word is added for the length. This information can be found in this resource: https://ethereum.stackexchange.com/questions/11556/use-string-type-or-bytes32. \n\nIn the context of storage, a \"bytes\" variable is an array of bytes32, not just 32 bytes. More information about this can be found here: https://docs.soliditylang.org/en/v0.5.12/types.html#dynamically-sized-byte-array.\n\nHowever, the way the size of certain variables, like a mapping or \"bytes\" variable, impacts EVM execution and storage is not always clearly defined and may need further investigation. For example, there seems to be no performance overhead in terms of EVM execution due to the size of a mapping, but the space a \"bytes\" variable occupies in a struct is still under discussion.", "Question: Does CodeArena offer grants for tool development and how can one apply for it?\n\nAnswer: CodeArena has been observed to consider the possibility of offering grants for tool development. In particular, these grants could be used for building websites that display results in a user-friendly manner for job hunting or other purposes. However, the process for applying for such grants has not been explicitly mentioned. CodeArena also hosts both public and private contests with awards, and teams can be created to participate in these contests and share the awards. Furthermore, CodeArena provides an array of resources, including example READMEs, a checklist of items to include, and a help ticket system for addressing issues or concerns. For more information on becoming a certified contributor or to report issues, you can visit https://code4rena.com/certified-contributor-application and https://code4rena.com/help respectively. 
While there may be potential for tool development support, it's recommended to reach out to CodeArena for specific information or keep an eye out for announcements.", "Question: Has Curve Finance updated its user interface and can I still use the old version?\n\nAnswer: Yes, Curve Finance has indeed updated its user interface to enhance user experience and functionality. However, if you're more comfortable with the prior version or find it more efficient for your needs, you're not forced to migrate to the new interface. You can still use the classic version. One aspect to note is that understanding the relationship of interfaces to smart contracts in the overall system can sometimes be challenging. Some users have expressed interest in graphical interfaces for observing smart contract interactions. In this regard, the tool Surya was mentioned, although it might be outdated. You can access it here: https://github.com/ConsenSys/surya. Please feel free to ask for further assistance or clarity if needed.", "Question: What is the process and timeline for the announcement and distribution of awards at CodeArena?\n\nAnswer: CodeArena aims to announce and distribute awards in a timely manner. Typically, the awards for a contest are announced 1-2 weeks after the end of the contest. Once the awards are announced, they are sent out manually in batches for multiple contests. The goal is to process and distribute these awards by the end of the week following the announcement. In some cases, like the Fairside contest, a specific distribution timeline is provided separately. \n\nPayment for contest awards usually occurs the week they are announced. The signatures for award distribution are generally rounded up in a standing Monday meeting, so any announced awards should usually get processed on the following Monday or Tuesday. 
\n\nThe awards are named by handle and distributed from the same awards address publicly on the blockchain, so there's no hiding of any participant's wallet address. Winning awards from contests are distributed to the user's registered wallet address. \n\nParticipants can find the awards list in the announcement channel on Discord. Also, leaderboard updates are carried out when awards are announced. \n\nPlease note that there are several contests pending and some have been fully judged but the awards still need to be calculated. Changes to the award calculation process are currently underway. \n\nIn the future, the company plans to distribute awards via smart contracts, but more pieces need to be put in place before this can be implemented. \n\nLastly, if there are any questions or concerns regarding the distribution of awards for a specific contest, participants are welcome to raise them in our chatroom.", "Question: Can you explain how Ethereum addresses are stored in the EVM and why there is a gap of 12 bytes between the address size (20 bytes) and the slot size (32 bytes)?\n\nAnswer: Every slot in the Ethereum Virtual Machine (EVM) is 32 bytes long. An Ethereum address is 20 bytes (160 bits) long. When an Ethereum address is stored in the EVM, the difference in size between the slot size and the address size, which is 12 bytes, is filled with left padding filled with zeroes. \n\nThis padding is used because Solidity, the programming language for writing smart contracts on Ethereum, stores state variables in 32-byte storage slots. If variables are declared next to each other, they can potentially be packed into a single slot, which can reduce gas costs. \n\nOne byte is made up of 8 bits. An Ethereum address can be casted to \"bytes20\" which is equivalent to 160 bits, while \"uint256\" is equivalent to 32 bytes. A \"bytes\" variable, which is an array of bytes32, is not just 32 bytes. 
\n\nWhen it comes to larger data types like strings or bytes variables, things can become a bit more complicated. For instance, a string goes above size byte32 when it reaches 33 bytes, with one byte per character. Once it goes past 32 and becomes a string, another word is added for the length. \n\nFor more details about storage and memory layout in Solidity, you can refer to the Solidity documentation: [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html) and for more about dynamically-sized byte array, you can consult the Solidity docs: [here](https://docs.soliditylang.org/en/v0.5.12/types.html#dynamically-sized-byte-array).\n\nFor specific issues regarding length encoding, you might find this discussion useful: [here](https://github.com/code-423n4/2022-03-maple-findings/issues/16).\n\nPlease note that it's important to consider the context of the address being used. For instance, in the case of critical addresses, using a two-step change process is considered safer and better practice than a one-step change to prevent errors such as passing in the wrong address.", "Question: How can I get notified when a new Audit Report is added to the CodeArena site?\n\nAnswer: Currently, CodeArena does not provide email notifications when a new Audit Report is added. However, based on user suggestions, there is a proposed idea to create an announcements channel named #audit-reports. This channel would post a message whenever a new report gets published on the CodeArena website. This feature is under consideration and may be added in the future. As for now, you may monitor ongoing audit reports by visiting the audit page. You can also view old audit reports at https://chainsecurity.com/audits/. Remember that edits can be made to your own findings or analysis reports by going to the audit page and clicking the 'Your Findings' button. After submission of a report, a confirmation email is sent and you can check the status of your submission. 
If you are interested in participating in audits, you can join teams online. Judges can see findings immediately when an audit closes [link: https://docs.code4rena.com/roles/certified-contributors].", "Question: Will there be opportunities for Rust-focused contests on CodeArena in the future?\n\nAnswer: We've seen considerable interest in Rust-focused contests on CodeArena and we're open to hosting them. In fact, we've already had some discussions in that direction. CodeArena has previously conducted audits with a Rust focus, and we're always looking to expand the range of our contests based on the interests of our community. If you're interested in participating or auditing Rust smart contracts, you're welcome to reach out to our booking team for a discussion. \n\nPlease note, all contests, both public and private, are announced and listed on our website [Code4rena](https://code4rena.com). This includes more detailed information about each contest and a platform to submit help requests or concerns. \n\nWe encourage participants to actively engage with the sponsor team during the contest, especially if they believe they've found a vulnerability. However, remember to submit your findings via the contest submission form to be eligible for awards. \n\nFor further information about our past and upcoming contests, check out [Code4rena Contests](https://code4rena.com/contests). If you wish to become a certified contributor at CodeArena, submit your application [here](https://code4rena.com/certified-contributor-application). \n\nDo keep an eye on our [#\u270brsvp](https://code4rena.com/#rsvp) channel for specific updates and sudden appearances of top-tier projects. 
We're excited to see more participants join us in auditing and contesting in the future!", "Question: What is the process for feedback and review of submissions, including early feedback, for auditing contests such as Trader Joe?\n\nAnswer: There's an ongoing process for the judging of contest bounties, which includes the Trader Joe contest. Early feedback on submissions for improvement is potentially available. The judge's posts can be accessed at https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440. It's important to note that Provenance typically takes about a week to respond to submissions. After submitting, you should receive a confirmation email, but please be aware that there may be delays. If you have submitted findings before the deadline, you will not be able to view or modify them until the competition is over. \n\nThere have been concerns about the lack of feedback on bug submissions, and there are plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. If you need to modify your findings, you will be able to do so after the contest has ended. \n\nThere have been questions about alternative submission methods and the possibility of discussing high severity issues with a sponsor before submitting them. Currently, the existing system does not support these features, but CodeArena is considering releasing all unverified submissions a few days after a contest ends, before judging. The related discussion can be found at https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123. \n\nIt's important to mention that CodeArena used to allow sponsors to see submissions early, but they found it a better experience if sponsors receive a triaged list after an initial sorting process. This ensures a fair and unbiased review of all submissions. 
If you have any additional findings after an initial low-risk finding was submitted, you can submit them after the initial competition period has ended. \n\nPlease keep an eye out for updates regarding the implementation of a new submission mechanism in upcoming contests.", "Question: Why are Code4rena's audit contests shorter in duration compared to Sherlock contests?\n\nAnswer: Code4rena's audit contests are typically shorter than Sherlock contests because we have been using a consistent length-to-complexity ratio since our auditor participation was 10x smaller. Despite the shorter duration, we've consistently received high-quality results, indicating that our approach is effective. This structure also means greater competition within each contest, which encourages thorough audit reports. \n\nFurthermore, the duration of our contests, such as Basin and PoolTogether, is not directly proportional to the size of the source code. Instead, we scope the contest to the project\u2019s specific needs, which helps provide a focused and streamlined auditing process. \n\nThis structure has led to a high number of audit contests in Code4rena, somewhat similar to bug bounty programs, but with a more rigorous judging and quality assurance process. It's also important to note that the scheduling of contests is based on the timing and needs of our customers, not the community.\n\nWe encourage all auditors to actively participate, reach out to the sponsor team during the contest for any queries, and submit any vulnerabilities they find. Please remember to submit it via the contest submission form or it won't be eligible for awards. \n\nFor more information on current and upcoming contests, visit our contest page at https://code4rena.com/contests and for more details about our audit process, visit https://docs.code4rena.com/. 
If you're interested in understanding our Versus contests, here is a link to a detailed explanation: https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef.", "Question: Can I change my Warden handle, and how does it impact my account on CodeArena?\n\nAnswer: Currently, changing your Warden handle is not recommended as it could affect your account registration, as well as your participation in past or ongoing contests. However, you can make changes to your Warden profile, such as adding a profile picture or your Twitter handle, by making a request via the help desk at https://code4rena.com/help. If you need to update your Discord handle in response to an update from Discord, you can do so on the Account Management page of your Warden profile, but bear in mind that your Discord nickname should remain as your registered C4 username. Also, if you need to change the wallet address associated with your account or where you receive awards, you can follow the instructions provided at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. Remember, any changes you make can potentially impact your permissions and standings in the community, so proceed with caution. If you have further questions or need assistance, feel free to submit a help request at https://code4rena.com/help.", "Question: What is the process and requirements to become a Certified Warden at CodeArena and participate in private contests?\n\nAnswer: To become a Certified Warden and participate in private audit contests at CodeArena, you need to follow a specific certification process outlined here: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. 
The process involves competing in audit contests and achieving at least 3 top finishes in either the QA or gas report from past contests.\n\nMoreover, your certification status will allow you to participate in specific contests such as the PolynomialFi contest and Versus contests, which are typically private and only open to top-rated Wardens. However, note that despite being a Certified Warden, there may be other conditions to meet for some contests.\n\nAdditionally, it is worth noting the difference between a Certified Warden and a Certified Plus Warden. The latter has some entry requirements and is granted access to private repositories after a contest is finished.\n\nBecoming a Certified Warden not only grants you access to these private contests but also enables you to see findings shortly after contests end. To apply for the Certified Warden role, please visit https://code4rena.com/certified-contributor-application.", "Question: How can I find information about public and private contests on CodeArena, and is there any specific field on the website that provides detailed information about these contests?\n\nAnswer: All contests, public and private, are listed on the CodeArena website at https://code4rena.com/contests. The sponsors determine the scope for their contests and list it in their contest information. Information about which contests are public can be found on the #\u270brsvp channel on our Discord server. Private contests have their RSVPs available in a channel only visible to certified wardens. If a contest is listed in the public RSVP channel, it's a public contest. Announcements about private contests are made on the Discrod server but these might be confused with open public audits. In case of any specific questions about the scope for a contest, users are encouraged to connect with the respective sponsor via their contest channel or DM. 
Please note, participation in private contests depends on certain metrics or prerequisites, and certified status grants access to more contests.", "Question: What are the requirements and process to participate in private contests at CodeArena?\n\nAnswer: To participate in private contests at CodeArena, you need to fulfill certain prerequisites. Firstly, you need to be a Certified Warden. The certification process can be initiated within 48 hours of the contest, and upon completion, you can participate and be eligible for awards if your submissions are selected. \n\nCertification not only allows participation in private contests but also grants access to more contests overall. However, being certified does not automatically grant access to all private contests. Some contests might be open only to those who participated in the original audit. \n\nTo gain access to private contests, completion of KYC (Know Your Customer) process is required. The details on this process can be found in the Code4Arena documents. Once KYC approval is received, RSVP in the rsvp-certified channel and ensure a high position on the leaderboards from the last 90 days to enhance your chances to qualify for private contests.\n\nIt's worth noting that all contests, both public and private, are listed on our website. The scope for each contest is decided by the sponsors and is listed in their contest information. If you have specific questions about the scope for a contest, you are encouraged to connect with that sponsor via their contest channel or direct message.\n\nTo gain backstage access, a participant should have participated in 3 or more contests. 
\n\nPlease find the detailed eligibility criteria for a private contest at https://discord.com/channels/810916927919620096/810931711609143326/1044766051327557642.", "Question: How can I determine if an upcoming contest on CodeArena is public or private, and what are the prerequisites for participation?\n\nAnswer: The visibility and participation in CodeArena contests depend on whether they are public or private. All contests, both public and private, are listed on the CodeArena website. However, the distinction between public and private can be identified by checking the #\u270brsvp channel on our Discord. If a contest is mentioned in the public RSVP channel, it's a public contest. Private contests, on the other hand, have their RSVPs available in a channel only visible to certified wardens, specifically in the #\ud83d\udd96rsvp-certified channel.\n\nAccess to private contests typically requires certification and ranking on the CodeArena leaderboard. Some private contests, such as 'Versus' contests, are open only to top wardens or those who participated in the original audit. Even after KYC approval, certain private contests may not be accessible if they have already been assigned. If you have specific questions about the scope or access of a contest, these can be addressed to the respective sponsor through their contest channel or a direct message.\n\nIt's worth noting that findings during a contest remain private until the contest is closed and the report is published. Also, the identity of the judges for a contest is not revealed ahead of time. 
The specific period of time before a closed contests' findings repo becomes public is not fixed, but it will be available for discussion once the report is posted.\n\nRemember, contest announcements are regularly made but can be confused with open public audits, so it's always best to verify the contest type and your eligibility through the mentioned channels.", "Question: How can I determine whether an upcoming contest on CodeArena is public or private, and how do I gain access to private contests?\n\nAnswer: Upcoming contests, both public and private, are listed on the CodeArena website at https://code4rena.com/contests. To determine whether a contest is public or private, you can check the #\u270brsvp channel in our Discord chatroom. Public contests will be posted in the public RSVP channel. If the contest is private, its RSVP will be available in a channel visible only to certified wardens. \n\nPrivate contests often have certain prerequisites or metrics for participation. If you meet these requirements and are interested in a private contest, you may need to undergo KYC approval. Even then, bear in mind that certain private contests may already be assigned, and thus may not be accessible despite your approval. \n\nFor clarification on the scope of a particular contest, it is advisable to reach out to the respective sponsor, as they decide the contest's scope and list it in the contest's info. \n\nLastly, after a contest is closed, findings are posted in the contest section and there is a certain waiting period before the findings repo becomes available for public discussion. The timeline of contests can be followed in the \"Past Contest Status Updates\" section. However, the specific duration before findings are made public is not mentioned. 
\n\nPlease note that all the above-mentioned processes and regulations are in place to maintain the integrity and security of our contests.", "Question: What is the process to obtain the backstage role after identifying my first high vulnerability?\n\nAnswer: To obtain the backstage role at CodeArena, you must first identify a high vulnerability in a smart contract. Once you've done this, you need to become a certified contributor, which involves meeting certain qualifications and going through a certification process detailed at https://docs.code4rena.com/roles/certified-contributors. \n\nAfter becoming a certified contributor, you can request backstage access by submitting a help desk request, which is evaluated based on your status and contributions. The backstage role can also be obtained through various other ways, including having three medium severity findings, or providing a Quality Assurance (QA) or Gas report with a score of over 85. \n\nOnce you've met these requirements and your results are published on the leaderboard, you may submit a help desk request for backstage access at https://code4rena.com/help. \n\nKeep in mind that backstage access involves certain constraints and consequences and is subject to change in the future. More detailed information on obtaining the backstage role can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: Can I submit findings for the 'USDC ENS - Versus contest' and how are those findings handled, especially considering the contest is restricted to certain participants only? \n\nAnswer: Yes, you can submit findings for the 'USDC ENS - Versus contest' through the form on the contest page on our website. However, it's important to note that this specific contest is invite-only and as such, while you can submit findings, you will not receive payment unless you have received an invitation to participate. 
\n\nIf you have already submitted your findings but encountered issues seeing your submission under 'Your Findings', it's possible that only the team has access to submissions before a contest ends. This is done to maintain the integrity of the contest and ensure findings remain unbiased. After the contest ends, those with the \"backstage\" role can view the findings to help with triaging, although currently, applications for backstage access are suspended until further notice. \n\nYou can edit your findings after submission by navigating to the contest page and clicking the 'Your Findings' button. If you wish to withdraw your findings, you can do so from the same location. It's worth noting that all findings must remain confidential and not made public until a contest is finalised, as per our submission rules. \n\nFor any findings that were not accepted in the contest, you can review the reason once the report is out and the repository is fully opened. This allows you to see the discussion among sponsors and judges on the specific issue. \n\nRemember that findings from all contests cannot be viewed after a contest finishes but before the results are published. The exception to this rule is the list of 'Known Findings' on the Readme Page of each contest, which details automated findings not accepted in the contests. \n\nFor further information and assistance, you can refer to our official documentation: https://docs.code4rena.com/ or to specific contest pages such as the Ethos Reserve contest page: https://code4rena.com/contests/2023-02-ethos-reserve-contest.", "Question: Can you explain untyped data signing in the context of smart contracts and CodeArena's auditing process?\n\nAnswer: Untyped data signing is a method that involves signing data with a private key along with certain parameters. This method is used in the context of smart contracts and is fundamental to many operations in blockchain systems including CodeArena's auditing process. 
It requires an understanding of hashing and private keys. \n\nIn more practical terms, untyped data signing can be used to create a signature of data by a smart contract so that another smart contract can verify the first contract signed the data. This was a query raised in our Discord chatroom, and the user was directed to [EIP-1271](https://eips.ethereum.org/EIPS/eip-1271) for a deeper understanding. \n\nIn another discussion, the topic of signature malleability was raised, which is closely related to the signing process and in elliptical curve cryptography, a prime number is taken for the modulo operation to contain the x and y coordinates of the curve up to a finite plain.\n\nAs part of CodeArena's auditing process, the company uses a multisig method for transactions, necessitating multiple signatories. All this contributes to the security of the smart contracts and the integrity of the data involved. For more information, you may refer to [this explanation](https://github.com/code-423n4/2022-08-rigor-findings/issues/75) on GitHub. However, while this is an essential aspect of smart contract auditing, it's also crucial to understand other security testing aspects like symbolic and static security testing.", "Question: Why isn't a contest that was listed in the upcoming contest section now showing in the live contest section?\n\nAnswer: There can be several reasons why a contest isn't moved from the 'upcoming' to the 'live' section as expected. The most common reason is a delay or rescheduling of the contest. For example, the 'paraspace' and 'Vine Labs' contests were delayed. Another possibility is that the contest might be private, and you may not have access to it. In such cases, it's advisable to check the \"Past Contest Status Updates\" section for a timeline of the contests' progression. \n\nPlease note that updates to the contest channels might not always be immediate, causing occasional gaps in the schedule for live contests. 
The page also doesn't automatically reload when a contest starts. Please refresh manually to check for updates. Also, remember that the order in the \"Past Contest Status Updates\" represents the contest progression. \n\nFor any specific questions about a contest, such as the absence of a contest in the \"Past competition status updates\" or issues with submission, reach out in the chat room for clarification or assistance. For instance, queries about the \"Blockswap FV contest\" and the \"Sublime contest\" were addressed in the chat room. \n\nLastly, due to some technical issues, there may be instances where findings from a contest cannot be viewed after it finishes but before the results are published, or where participants are unable to submit their entries. These issues are usually resolved as quickly as possible. \n\nAlways feel free to ask in the chat room if you need more information regarding any contest.", "Question: \nIn the context of gas optimization reports for CodeArena's smart contract audits, is it necessary to specify the amount of gas saved for each finding? \n\nAnswer: \nIt is not strictly required to specify the amount of gas saved for each finding in your gas optimization reports. However, doing so can be beneficial as it may potentially increase your points and positively affect the grade of your submission. The judgment on your gas optimization report can depend on the judge's decision and could be influenced by the proof of how much gas the refactoring saves.\n\nIt is important to know that all findings related to gas optimization should be consolidated into one report. If a gas optimization finding is found that can be applied in more than one line of code, it should be submitted as one finding while mentioning all lines where it can be applied. Multiple ideas about gas optimizations can be written separately but then merged into one report. 
Users are restricted from submitting more than one report of gas optimization in a contest.\n\nWhen deciding whether to include a finding that is relevant to both QA and gas savings, consider that judges may decide where it best fits. Also remember that not all gas optimizations are valid when the optimizer is enabled, and this might affect what should be reported.\n\nRegarding the payout for gas optimizations, the award is usually 5% of the prize pool, although this percentage can be altered by sponsors based on the importance of gas savings to their project. More information about the average payout for gas optimizations, non-critical findings, and low-risk findings can be found in the findings.csv file on the C4's website repository.\n\nFor further clarification regarding gas optimization reports and findings, feel free to ask in the Discord chatroom.", "Question: Can you recommend a reliable VPN for enhancing online security and potentially paying in crypto?\n\nAnswer: Both NordVPN and Proton are excellent choices for enhancing online security. NordVPN is especially useful for changing your IP address to hide your online activities and secure your privacy. You can find more about NordVPN [here](https://nordvpn.com). \n\nOn the other hand, Proton and another option, Hoxx VPN, provide the unique option of paying for their services in crypto. However, it's important to note that these are recommendations for enhancing online security and preventing potential attacks on your wallet, but they are not an absolute must-follow. \n\nFor more advanced system isolation when reviewing downloaded packages, you might want to look into VirtualBox as a possible solution. Remember, always ensure your chosen VPN meets your specific needs and preferences.", "Question: I'm experiencing issues with Provenance during the KYC process. Is this a common problem, and what can I do to resolve it?\n\nAnswer: Experiences with the Provenance KYC process vary among CodeArena users. 
Some users have reported having no problems, while others have experienced issues such as not receiving emails from Provenance. If you're having trouble receiving emails, it's recommended to check your spam folder as emails can sometimes be found there. The email should come from \"compliance@provenance.company\" or \"kobus@provenance.company\".\n\nPlease be aware that the response time from Provenance can take up to a week or more and the verification process might involve back and forth communication. This means that the KYC process can sometimes take longer than expected.\n\nOnce you've completed the verification process with Provenance and participated in at least three contests, you can expect an upgrade to Certified+. If you're partway through the process, it's recommended to complete it.\n\nIf you don't receive a response from Provenance within a couple of days after completing your KYC application or if you need any help with the process, you can open a help desk request at [CodeArena Help](https://code4rena.com/help). \n\nRemember to be patient and persistent while dealing with KYC procedures - they are designed for your security and are a common requirement in the crypto space. Provenance was chosen as the KYC provider for Code4rena based on recommendations from other Cayman-based vendors.", "Question: Can I impersonate an account in Foundry like I can in Hardhat, and if so, how can I do this? \n\nAnswer: Yes, it is definitely possible to impersonate an account in Foundry, similar to how you can in Hardhat. To do so, you would use vm.prank(address). This method allows you to simulate actions from any account, which can be helpful for testing scenarios in your local environment. \n\nIf you are considering using Foundry in a project that already employs Hardhat, there is a base template available at https://github.com/foundry-rs/hardhat-foundry-template. 
This can be a convenient option for testing smart contracts, as Foundry allows you to fork its state from a public testnet or even the mainnet.\n\nAnother useful feature of Foundry is its ability to print local variables that are declared inside a function by using console.log. This can be particularly beneficial for debugging during your development process. \n\nRemember that Foundry also allows you to fork data from a live network such as a main or test net, and once forked, it runs locally. This can be great for testing scenarios without needing to grab testnet tokens for transactions or wait time on blocks.\n\nHowever, there might be some issues with opcode support in Foundry. If you encounter the \"Source from artifact has no AST.\" error when running forge debug on a Hardhat project with Foundry integration, this could be due to opcode support issues.\n\nDespite these potential challenges, Foundry is a powerful tool for writing tests and checking things like storage. It can be installed with Docker and offers various features to aid in the audit process.", "Question: What are some useful resources to learn about the mathematics related to solidity projects, the basics of smart contract auditing, and how the accounting is done?\n\nAnswer: \nLearning about the maths related to solidity projects, the basics of smart contract auditing and how the accounting is done can be a complex process, but there are several resources available. \n\n- YouTube has a variety of channels dedicated to offering quality content related to Solidity and smart contract programming. A recommended channel is: https://www.youtube.com/@smartcontractprogrammer \n- If you are a beginner in the space of smart contract auditing, you can start learning from resources such as: https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources. 
\n- For understanding solidity syntax and programming, CryptoZombies.io and CaptureTheEther.com are recommended resources. You'll also tackle smart contract bug bounty hunting: https://cryptozombies.io/ for solidity and https://capturetheether.com/ for Capture the Flag challenges.\n- Other resources on Solidity include https://solidity-by-example.org/0.6 and https://docs.soliditylang.org/en/v0.7.5/\n- You can also join the #\ud83c\udfebeducation channel to learn more about auditing smart contracts.\n- For advanced learning and tackling complex challenges in Solidity and DeFi, resources like The Ethernaut challenges and Damn Vulnerable DeFi are recommended: https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/\n\nPlease note that the complexity of the mathematics for auditing depends on the smart contract project being audited. Some require basic math while others require advanced financial mathematics. In fact, some smart contract projects may even require professional mathematicians to audit complex formulas. Regardless of the project, having a solid foundation in mathematics would be beneficial in smart contract auditing.", "Question: What are some good platforms and methods for sending tokens from the Polygon network to the BNB network or Ethereum, and what resources are available for managing these transactions?\n\nAnswer: There are several platforms that can help with transferring tokens between different networks. Binance is frequently recommended for transferring tokens from Polygon to the BNB network. For a cross-chain dex between polygon and ethereum, third-party bridges such as wormhole or celer could be used. \n\nTo move funds back to the mainnet from Polygon, you can utilize the Polygon Bridge (https://wallet.polygon.technology/). This can also be used for converting and withdrawing Polygon tokens into EUR through MetaMask and Coinbase.\n\nYou can keep track of your tokens on https://polygonscan.com/address/. 
For gasless swaps, you can go to https://polygontimes.com/swap-for-gas-instant-gasless-matic-tokens-on-polygon-pos/. \n\nIf you're looking to exchange USDC on Polygon into BTC, or deposit USDC from Polygon into Coinbase, it's helpful to know that transactions from Polygon to Ethereum and Coinbase need both Matic and Eth if using the Polygon bridge. However, if using the Hop Bridge, only Matic is needed, albeit with less USDC received on the Ethereum Mainnet.\n\nPlease note that you need Matic to pay the fee for sending or transferring coins from a wallet. You can swap Matic without a gas fee at https://wallet.polygon.technology/polygon/gas-swap. \n\nIt's important to remember to switch your network in MetaMask to Polygon Mainnet if you're interacting with Polygon tokens. You can copy your public keys and paste them into Code4rena for participation. \n\nLastly, if you're asking about rewards, they are paid out in USDC but over the Polygon network.", "Question: How can I troubleshoot and resolve the \"/bin/sh: -c requires an argument\" error when trying to run the Foundry image with Docker after installing it?\n\nAnswer: The \"/bin/sh: -c requires an argument\" error might occur when attempting to run the Foundry image with Docker due to failed installation or improper command usage. Here are some potential solutions:\n\n1. Ensure that Foundry is properly installed with Docker. Foundry is a framework for writing tests and checking various elements like storage. It also offers tools to assist in debugging. You can install it using the 'npm install foundry' command, which was suggested in our chat. \n\n2. If you're trying to deploy a contract on Foundry that takes a struct as an argument in the constructor, make sure your command syntax is correctly structured. \n\n3. Use Bash commands for environmental variables and Docker image. This approach was discussed in our chat and might help resolve your problem. \n\n4. 
Ensure you are not encountering the \"Source from artifact has no AST\" error when running forge debug on a hardhat project with Foundry integration. This is a known issue and could be related to your problem. \n\n5. If you are trying to execute Foundry fork testing in the Polygon POS network, you may encounter difficulties. Some users reported issues with this. \n\n6. Check if you are trying to log gas remaining after a state variable update using foundry. New users reported encounters with difficulties in this area. \n\n7. If you need to use \"upgrades.deployProxy\" from Hardhat in the context of Foundry, refer to this GitHub link for guidance: https://github.com/chugsplash/chugsplash-foundry. \n\n8. To send ether with the constructor while deploying a contract in Foundry, ensure your command syntax is correctly structured. \n\n9. Foundry can be used in a project that employs Hardhat. A base template for this can be found at https://github.com/foundry-rs/hardhat-foundry-template. \n\nIf you are still having difficulties, you can watch these YouTube tutorials to gain a better understanding of how the Foundry framework operates:\n- https://www.youtube.com/watch?v=Rp_V7bYiTCM \n- https://www.youtube.com/watch?v=EHrvD5c93JU \n\nLastly, keep in mind that the `forge i` command is used to install dependencies. It may help to ensure all dependencies are correctly installed. \n\nPlease note that some issues with opcode support in Foundry have also been reported. If you are unsure of the source of your problem or if these solutions do not resolve your issue, feel free to ask for further assistance in our chat.", "Question: Is a private key required to use vm.prank(address) or to impersonate an account in Foundry similar to Hardhat?\n\nAnswer: No, using vm.prank(address) in Foundry or impersonating an account in Hardhat doesn't require a private key. 
This is a functionality that allows you to simulate actions from any address, without the need for the associated private key. However, the private key is critical for other operations, such as signing data in the context of untyped data signing, as discussed in the chat. It involves hashing, private keys, and signing data with your private key and some parameters. More explanation can be found at [https://github.com/code-423n4/2022-08-rigor-findings/issues/75](https://github.com/code-423n4/2022-08-rigor-findings/issues/75). \n\nIt's important to note that the security of your private key is vital. If you suspect that your private key may have been compromised, the best course of action is to generate a new one. Some users in the chat had their private keys leaked on public GitHub repositories, potentially leading to unauthorized access to their wallets. When submitting a \"Proof of Concept\" via Github, it is recommended to use a private gist rather than making the repository public to avoid vulnerability exposure.\n\nIn terms of participation in private contests or private audits, access does not require private keys but does require certification as a warden. More details can be found at [https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0](https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0).", "Question: How can I check the status or report of my recently submitted help request?\n\nAnswer: Help requests can be submitted via our form available at https://code4rena.com/help. When you submit a help request, a confirmation that the request has been received will be given during the process of submission. For any errors encountered during submission, you can forward your request to submissions@code4rena.com. You can also submit a help request to track the status of your submission. While we aim to review all help desk requests within 1-2 business days, delays can occur due to holidays or other circumstances. 
If you don't hear back from us within a week, we recommend reaching out again. Remember, if there are issues with performing tasks via mobile, you can also send requests to submissions@code4rena.com for assistance. Also, bear in mind that for KYC applications, if you don't get any reply within five business days, you can submit a help request.", "Question: What should I expect during and after the Provenance application process for becoming a certified warden with CodeArena (C4)?\n\nAnswer: When you apply for the Provenance certification process to become a certified warden with CodeArena (C4), you are required to submit certain documentation, which may include ID and address verification. After your application is submitted, Provenance typically sends a Know Your Customer (KYC) email within one business day. This email will be from the address kobus@provenance.company or another official address @provenance.company, and you can consider it as a legitimate source.\n\nThe Provenance verification process typically takes about a week to respond to submissions. This might involve back and forth communication between you and Provenance, and the actual time could be longer depending on the complexity of the application. If you have not received a response within this timeframe, it is advisable to nudge Provenance for a response.\n\nOnce your application is approved by Provenance, they will directly send the confirmation to process your private audit application. After this approval, it generally takes a few days for your role to reflect on your profile. C4 is typically informed once a user has been KYC'ed, and updates to roles after approval from Provenance usually take a few days.\n\nYou should expect to receive an email both from Provenance and C4 after your application is approved. 
The email communication from Provenance might have some inconsistencies, but C4 is working on ensuring that the documentation referring to these emails is updated across all instances.\n\nIf you've completed a certification process with ProvenanceDAO and participated in more than 3 contests, you might be awaiting an upgrade to Certified+. This status update is also typically communicated via email and takes around 5 business days to update by the C4 team.\n\nPlease note that Provenance, the KYC provider, may have more detailed requirements for documentation than what is outlined in C4's guidelines. If you\u2019re mid-way through the process, it is advisable to complete the Provenance's certified warden process.\n\nWhile most users have a smooth application process with Provenance, there might be instances where users face issues like not receiving an email from Provenance. In case you face such issues, it\u2019s recommended to check your spam folder or contact Provenance or C4 for assistance.", "Question: What does the ID and address verification process entail, and how does it relate to the KYC process at CodeArena?\n\nAnswer: CodeArena has an opt-in ID and address verification process, commonly referred to as Know Your Customer (KYC) process. You are not obligated to complete this process, but it may be necessary for certain activities. For instance, if you wish to participate in an audit, a contest, or apply for Certified+ status after a high finding, KYC certification may be required. \n\nTo start the certification process, you will need to send your identity for verification. It's important to note that this doesn't necessarily require a passport - other forms of ID like a national identification card or a driving license may also be acceptable. You may be asked to submit a photo ID and a selfie. Some users have also reported needing to submit proof of residence. 
\n\nOnce you submit your documentation, you can expect to receive an email confirmation of your submission. Make sure to check your spam folder as well, as emails from CodeArena may sometimes land there. You may also need to register your handle and ETH address to receive your share. \n\nThe timeline for receiving the KYC mail after submitting an application to become a certified C4 warden can vary, so please be patient. There have been instances of users experiencing delays in the process. \n\nIf you need to check if you had submitted an address for rewards or report an issue, you can use the help form at https://code4rena.com/help. You can also find instructions on how to initiate the verification process at https://docs.code4rena.com/roles/certified-contributors. \n\nRemember, getting certified doesn't require a full-time commitment; it simply means that your identity has been verified. It is also possible to participate and receive payouts without being certified. However, the KYC certification process ensures safer and more secure participation in CodeArena activities.", "Question: What are some recommended practices and resources for maintaining security and privacy in both web2 and web3 environments?\n\nAnswer: Staying safe online, whether in web2 or web3 environments, requires a mix of good practices and the right tools. It's important to remember that some web2 security principles also apply to web3 security, so a roadmap or resources for learning about web2 security in the context of web3 can be useful.\n\nWhen creating your accounts, use strong passwords and consider a two-step change process with critical addresses to prevent errors, such as passing in the wrong address. If you feel it's a security risk to have issue contents made public, you can submit a Help Desk request. \n\nFor online anonymity, consider using a VPN like NordVPN which allows you to change your IP address, making you harder to track and securing your privacy. 
\n\nIf you suspect that your wallet has been compromised, it's advisable to use a new wallet to prevent further attacks. If you lose the seed phrase from your wallet, follow the steps to recover it here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked \n\nIt's also important to be cautious of phishing scams and fake accounts. Tools like Hashbot can help you detect scammers: https://Hashbot.io. \n\nIf you're interested in learning more about security, there are a number of resources available for studying topics like the Geth node, smart contract security, and AI security safety audit assurance: https://blog.trailofbits.com/2023/03/14/ai-security-safety-audit-assurance-heidy-khlaaf-odd/. \n\nFinally, remember to verify any changes to your payment addresses or other critical information, and check your spam mail for any verification messages.", "Question: How can I install and use Foundry in my smart contract project using Docker?\n\nAnswer: Foundry is a versatile framework that can be used to write tests and offers additional tools for audit purposes including storage checks. It can be installed using Docker, however, some users have reported issues with the installation. Here's a basic guide on how to install and use Foundry:\n\n1. You can install Foundry using npm with the command 'npm install foundry'. \n2. Foundry can be used to fork data from a live network such as main net or test net, and once forked, it runs locally. This is particularly useful for testing scenarios in a local environment, providing an alternative to public testnet.\n3. To deploy a contract on Foundry that takes a struct as an argument in the constructor, you may need to seek further guidance as this process can be complex.\n4. Foundry can be used in a project that employs Hardhat. A base template for this can be found at https://github.com/foundry-rs/hardhat-foundry-template. \n5. 
If you're running into issues such as the \"Source from artifact has no AST.\" error when running forge debug on a Hardhat project with Foundry integration, or having trouble executing Foundry fork testing in the polygon POS network, using a Docker image with Bash commands for environmental variables might offer a solution.\n6. Foundry also has opcode support, but be aware that some users have reported issues with this feature.\n7. If your project uses Brownie for testing, it is currently uncertain whether you can write the project in Foundry.\n8. The `forge i` command can be used to install dependencies.\n9. You can print local variables that are declared inside a function by using console.log in both Hardhat and Foundry.\n10. For additional reference on Foundry, these YouTube links can provide further understanding: https://www.youtube.com/watch?v=Rp_V7bYiTCM and https://www.youtube.com/watch?v=EHrvD5c93JU.\n\nRemember that Foundry is a powerful tool but may require troubleshooting and additional support for specific functions or errors. As such, it's important to stay connected with the community for updates and solutions to common issues.", "Question: What is the process and potential benefits of submitting gas optimization reports in CodeArena's contests?\n\nAnswer: In CodeArena's contests, participants can submit gas optimization reports which include their suggestions for improving the efficiency of smart contract code. Although it's not mandatory, it is recommended to specify the amount of gas that would be saved by each optimization as it might potentially increase the points awarded to your submission. All valid gas optimization findings are weighted the same but the one that provides proof of saved gas from refactoring code might have a higher grade.\n\nGas optimization reports should be compiled into one submission per contest. More findings can be added to this report by going to the contest page and clicking the 'Your Findings' button. 
Multiple ideas about gas optimizations can be written separately and then merged into this single report.\n\nIt's important to note that not all gas optimizations are valid, especially when the optimizer is enabled. So, participants should be careful about what they report. If there is confusion about what should be reported, participants can ask for clarification.\n\nThe reward for gas optimization reports comes from a separate award pool which is usually 5% of the prize pool, although sponsors can alter this percentage based on the importance of gas savings to their project. If multiple people, including members of the same team, identify a gas optimization, the reward is split according to a formula present at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs.\n\nThe judgement criteria for gas optimizations and their importance might be a point of confusion for some users, but the scoring is based on the quality of each gas report. You can read more about it here: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic.", "Q: I signed up to be a warden using GitHub. Now, to submit a finding, it requires a username and password. How can I transition from a GitHub linked account to a username-password account to submit findings in CodeArena?\n\nA: CodeArena is evolving its tools and procedures to enhance the warden experience. As part of this, there is a move from simple tools to authenticated warden accounts. If you initially signed up using GitHub, you might have to transition to a username-password authentication method. This process involves several steps:\n\n1. Submit a help request via code4rena.com/help. This will allow the team to assist you with the transition safely while maintaining your account's integrity.\n\n2. Once your request is processed, you'll likely receive a prompt to create a username and password. 
Remember, changing your username could affect your registration as a warden, so choose wisely.\n\n3. After your new login credentials are set, you should be able to log into your Code4rena account as usual. From there, you can switch back and forth between your individual account and your team account before submitting findings.\n\nRemember, as a certified warden, you also have the ability to submit findings through GitHub, which requires approval as part of the individual registration process. If you face any issues such as not receiving a password reset email, don't hesitate to reach out for help.\n\nAdditionally, it's important to connect your wallet to your account to submit findings. Different actions such as becoming a certified warden, joining a competition, or viewing submitted reports on GitHub during the triage process all have specific guidelines and permissions associated with them. You can find more information about this on the CodeArena documentation at https://docs.code4rena.com/roles/certified-contributors.\n\nLastly, your privacy is important to CodeArena. Your email and Github username will not be publicly listed. Certified wardens will be added to a permissions group/team on GitHub to access private repos, but individual users can decide to make their membership on these teams public or not.", "Q: What are the best practices for submitting gas optimization reports at CodeArena? \n\nA: When submitting gas optimization reports at CodeArena, you have the flexibility to include or exclude the specific amount of gas saved for each optimization. However, it's advisable to specify how much gas is saved because this could potentially increase your points or grade of the submission. \n\nIn terms of the submission process, you should consolidate all your gas optimization findings into one report per contest. You can add more findings to the report by navigating to the contest page and clicking the 'Your Findings' button. 
Keep in mind that not all gas optimizations are valid when the optimizer is enabled, so be cautious about what you report. \n\nWhile the purpose of gas reports is not explicitly clarified, it is recommended to include a snapshot of the gas savings from the refactored code in your submissions. Providing proof or a description of how much gas the refactoring saves might have an impact on the assessment of your submission.\n\nIt is also important to note that gas optimization reports usually receive an allocation of 5% of the prize pool, but this percentage can be adjusted by sponsors based on how crucial gas savings are to their project. The gas optimization pool is shared among reporters and is awarded based on the score of each gas report. For more information, you can visit https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic. \n\nIf you need further clarification on gas optimization, you can ask for it in the chatroom. Be aware, however, that you might receive an error message when attempting to submit a Gas Optimization report for a contest if one has already been submitted. Furthermore, participants do not have to submit all reports for high, medium, QA, and gas optimization. They can submit what they find. \n\nRemember, gas optimization and gas reports are indeed the same. Users typically use the Hardhat gas report plugin to benchmark their code for gas savings. Lastly, guidelines suggest reporting bugs and optimizations found in the smart contracts separately, with QA findings and gas findings submitted separately. Medium and high severity findings should also be each submitted as separate reports.", "Q: I've submitted an issue via the form on the CodeArena website, but I cannot see it in the Issues section of the audit repo. Is this a normal occurrence and how can I confirm my issue submission? 
\n\nA: Yes, it is normal that you might not immediately see your submitted issue in the Issues section of the audit repo after using the \"Submit Finding\" form on the CodeArena (C4) website. The form data is turned into a submission that goes into the findings repository for the given contest. This is then evaluated by judges after the contest ends. \n\nConfirmation of issue submission is typically received through an email. If you don't receive the confirmation email, consider re-submitting the issue. In some instances, due to technical issues, the \"Create Issue\" button might not respond. It was also reported that it takes some time for the confirmation email to be sent out after a finding submission. If the submission fails, the form should return an error. \n\nYou should be able to check and review your issue and its report on GitHub once the repo is made public. Additionally, you can check your participation in an audit outside of the leaderboard by creating a help desk request explaining the issue.\n\nPlease be aware that all bug reports have to be submitted before the audit closes, and you can view or edit your own submissions for open contests. However, once the contest has ended, all findings have to be submitted and bug reports cannot be submitted after this. \n\nKeep in mind, if your bug report is larger than approximately 65k characters, it can't be submitted through the form due to Github's max character limit for issue descriptions. In such cases, the submission can be emailed to submissions@code423n4.com. \n\nFor future audits, please ensure you are logged into the correct GitHub account that is linked with C4, to avoid any visibility or submission issues. If you encounter any problems, please don't hesitate to raise them with our team.", "Q: What does the process of becoming a Certified Warden at CodeArena entail and what documents are required? 
\n\nA: The process to become a Certified Warden at CodeArena involves a Know Your Customer (KYC) process, which is delegated to Provenance. This process requires verification of the applicant's identity. While a proof of residence may be requested for identity verification, in some cases, a photo ID and a selfie might be sufficient. The types of acceptable photo IDs can include a driving license or a passport. If you only have a national identification card and no passport, it's still possible to apply and verify your identity for KYC purposes. However, it's important to note that the exact requirements may vary and some applicants might need to provide additional information such as bank account details. \n\nIn addition, being a certified warden provides eligibility to attend private audits and participate in versus contests. However, you might need to meet other conditions such as participating in a certain number of contests and having a certain number of valid findings or reports. There may also be an application queue, but applicants will be informed about the timeline for receiving their KYC mail. \n\nFor more detailed information on the process and requirements, please refer to the Certified Warden's documentation at [https://docs.code4rena.com/roles/wardens/certified-wardens](https://docs.code4rena.com/roles/wardens/certified-wardens)", "Question: What is the appropriate way to report repetitive findings related to the same type of issue, exploitation, or gas optimization in a smart contract code during an audit? \n\nAnswer: In most cases, if you discover the same type of issue multiple times, such as a Reentrancy attack or gas optimization of the same nature, you should combine all occurrences and report them together. For instance, if a specific gas optimization can be applied in more than one line of code, it should be submitted as a single finding. This includes all lines where it can be applied. 
\n\nHowever, if the same vulnerability is discovered in different parts of the codebase, it might be considered as separate findings. It's the judge's discretion to decide if they are duplicates. \n\nThere are a few exceptions to this, one of them being the severity of the findings. Medium and high severity findings should each be submitted as separate reports. \n\nFor instance, if a line of code has multiple ways of exploitation, all bugs should be reported, but priority should be given to the most impactful one. \n\nSimilarly, submissions related to gas optimization and Quality Assurance (QA) have specific guidelines. You can make only one gas optimization report per contest. Any additional gas optimization findings should be added to the same report. In contrast, QA findings should be combined into a single report submitted separately from the gas report.\n\nRemember, when submitting bug findings, make separate submissions depending on the type and severity of the bugs found. It's possible to submit more than one high-risk finding in the same audit, but if the root causes are the same, they would be counted as one.\n\nFor further clarity, please refer to the guidelines and discussions on reporting findings at: [https://github.com/code-423n4/org/issues/8](https://github.com/code-423n4/org/issues/8).", "Question: What is the purpose of the check \"uint8(stor2.field_160)\" in the decompiled Solidity code and how does it interact with Solidity's storage structure?\n\nAnswer: The check \"uint8(stor2.field_160)\" involves a uint8 cast on a field of what seems to be a storage struct. A uint8 value in Solidity can hold an integer between 0 and 255, which can be useful for representing states or options in a compact way, such as with enums [https://docs.soliditylang.org/en/latest/080-breaking-changes.html].\n\nThe \"stor2.field_160\" most likely refers to a state variable in storage. 
Solidity stores state variables in 32-byte slots, and it's possible to pack multiple smaller-sized variables into a single slot if they are declared next to each other, which can save on gas costs [https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html]. \n\nIn the case of an enum, it will take up only part of a slot. If it's used as a literal, it will be treated as a uint8. This is why you might see uint8 casting in the code. \n\nOverall, understanding the specifics of this check requires an understanding of the Solidity code structure and storage layout, and would likely demand a detailed investigation into the codebase. It's also important to note that tests in Solidity are needed to check the implications of the interaction between the Contracts and the check.", "Q: Can you help me understand how the c4udit is used for finding Publicly Known Issues in CodeArena's audit process? I'm also interested in the tools utilized and where I can find results of completed audits.\n\nA: Absolutely, CodeArena uses a tool called C4udit for finding Publicly Known Issues. The newest fork of this tool is called Analyzer and you can find it at [https://github.com/Picodes/4naly3er](https://github.com/Picodes/4naly3er). This tool helps generate automated findings for each contest, however, it's important to note that these automated findings are ineligible for rewards [Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible).\n\nNotably, the Analyzer tool scans for a list of optimizations/L1 issues which can be found here: [https://github.com/Picodes/4naly3er/tree/main/src/issues](https://github.com/Picodes/4naly3er/tree/main/src/issues). For each contest, a warden is asked to run c4udit and post the output in the contest channel. 
If an issue is posted in the channel, it's a known issue and thus, is out of scope.\n\nResults of completed audits can be checked via the C4 GitHub repo [https://github.com/code-423n4](https://github.com/code-423n4). The entire findings repo is made public, and there are links to the findings repo in each report on the C4 website. After a contest, the results of submitted bugs are revealed once the report is made public. In the meantime, users can check previous reports to see what a high-quality submission looks like. Examples of past submissions can be found at [https://code423n4.com/reports](https://code423n4.com/reports).\n\nAs for gas optimization, only those optimizations included in the generated report are considered invalid. The rest of the common gas optimizations can be found at [https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md).\n\nPlease remember, if you're using automated tools for attack findings, there's a higher burden of proof to demonstrate a relevant exploit path. You can find more information on this topic at [https://github.com/code-423n4/org/discussions/50](https://github.com/code-423n4/org/discussions/50). Lastly, if you face any technical issues with viewing the repo or submitting findings, ensure that your GitHub account is logged in and it's the same account given for C4.", "Question: Can anyone provide details on why a transaction was reverted at this specific link: https://snowtrace.io/tx/0x0806bc0a28e4d808ac4dba25997e4b68b40595e003adbaa758ce4894ee20e15a? What does it mean when a transaction gets reverted and how can I understand the reasons behind this?\n\nAnswer: The specifics of why a transaction gets reverted can often be found by analysing the decompiled bytecode associated with the transaction. When a transaction gets reverted, it means that the transaction was not successfully completed. 
This could be due to a variety of reasons from insufficient gas, the assert() function failing, or even due to a deliberate call to the revert() function in the smart contract. Starting from version 0.8.0, assert no longer consumes all gas, so the remaining gas should be refunded if the assert fails. You can use platforms like Etherscan or Snowtrace to examine the details of the transaction and potentially figure out the cause of the revert. However, it's important to note that the exact reasons can be complex and may require a deep understanding of the smart contract interactions involved. Here is a helpful repository that explains some of the nuances in ERC20 tokens and how some of them might not revert on failure: https://github.com/d-xo/weird-erc20#no-revert-on-failure\n\nTo understand more about the specific transaction at the provided link, you could examine the functions that were called during the transaction and look for any signs of assert failure or revert calls. You could also examine the gas usage of the transaction and cross check if it was sufficient for the operations being performed. With increased familiarity of the contract code and functionality, you'll be able to more precisely diagnose why the transaction was reverted. Please note that without specific details about the associated smart contract or the context of the transaction, it's difficult to provide an exact reason in this case.", "Question: Could you explain the terms \"Gsset\" and \"Gsreset\" used in Ethereum smart contracts auditing?\n\nAnswer: In the context of Ethereum smart contracts auditing, \"Gsset\" and \"Gsreset\" are terms used to describe storage operations in the Ethereum Virtual Machine (EVM). \n\n\"Gsset\" refers to the operation where the storage value is set from 0 to a non-0 value, while \"Gsreset\" refers to the operation where the storage value is reset from a non-0 value to a non-0 value, or from any value to 0. 
\n\nThese definitions can be found on page 27 of the Ethereum Yellow Paper, which serves as the technical specification for the Ethereum protocol: https://ethereum.github.io/yellowpaper/paper.pdf\n\nIn addition, the understanding of these terms can help in optimizing gas usage in smart contracts. For example, a Gsset operation can be converted to a Gsreset operation to save 17100 gas, a strategy that is especially useful when you don't need to maintain a non-zero interval. \n\nFor further detailed information about Ethereum gas operations including gsset, gscoldsload and others, you may find this resource helpful: https://github.com/wolflo/evm-opcodes/blob/main/gas.md \n\nHowever, bear in mind that these terms and their uses can become quite technical, so a solid understanding of Ethereum smart contracts and the EVM is beneficial for fully grasping their significance.", "Question: Why can't I see the latest reports? I am able to view reports only up until a certain month but not the most recent ones. How can I check my submission status or report?\n\nAnswer: The visibility of the latest reports on CodeArena can be affected by several factors. Our reports are generally published at least a month after findings are submitted. This timeline might be extended due to changes to our report and rewards calculation system, which requires time to compile results. Until the report is published, the issues found will not be visible to the participants. \n\nPlease also note that not all findings submitted for a contest may make it to the final report. If you've submitted a report for the first time and are unsure about the submission status, remember that the results of your submission will only be viewable when the report is published, which can take 2 to 6 weeks or even longer in some cases.\n\nYou can view reports from other wardens and your QA reports for contests that have already closed on our website. 
Reports can be found at https://code4rena.com/reports and are typically sorted by publication date. The default setting for the leaderboard shows the last 60 days results, but you can adjust the settings to view results for a specific time period. \n\nThere have been instances where the leaderboards and rewards for a project are shown and distributed, but the final report is not immediately available on our site. If this happens, it's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project.\n\nWe are aware of queries regarding sort/filter options for the reports, visibility of reported issues on the Issues page, and notification systems for new report publications, and we are considering these features for future implementation. \n\nPlease note that there have been reports of issues with accessing the C4 website and some users not receiving email receipts for their findings. We are working to resolve these issues. If you've experienced similar issues, please let us know.", "Question: Can I change my login address on CodeArena, and if yes, how can I do it?\n\nAnswer: At present, CodeArena does not primarily support changing the login wallet address. However, if you are using Metamask, you have the possibility to link multiple addresses. If your account has been compromised, you can submit a help desk request with details and a signed message from mycrypto.com. In the meantime, you can also update your payment addresses from your C4 account screen. Please note that changes in your display username will not affect your account's status, and if you change your handle, your leaderboard standings and submissions under your previous handle will not be transferred to the new account. For more detailed information on changing the wallet address used to log in, you can visit https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. 
Please be aware that these adjustments can be a significant effort to manage and are not centrally stored.", "Question: Can I change or update my login address on CodeArena, and if so, how?\n\nAnswer: Currently, CodeArena does not directly support changing the login address (wallet address). However, for users having Metamask, multiple addresses can be linked. For detailed instructions, please refer to this link: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with\n\nIn some situations, such as a compromised account, you can submit a request to the help desk with relevant details and a mycrypto.com signed message. The CodeArena team may also update the database to resolve certain login issues.\n\nIt is important to note that while users can change their usernames and update their payment address under the Manage Account section, these changes will not affect the login address. Also, changing the username would not transfer leaderboard standings or submissions to the new account.\n\nIf a user's wallet is hacked, they can change their payment address and remove the compromised address from their login, after which they should create a help desk request if they logged in via the same wallet.\n\nRemember to ensure your account's security, and always take necessary precautions to protect your wallet from unauthorized access.", "Question: How can I identify the reason my transaction was reverted on the blockchain? \n\nAnswer: It's possible to determine why a transaction was reverted by analyzing the transaction on blockchain explorers like Snowtrace. For example, if you have a transaction hash, you can input it into Snowtrace. This will provide you with the decompiled bytecode of the transaction. Decompiling the bytecode allows you to understand the execution of the transaction and pinpoint the exact point where the transaction failed. 
\n\nFor instance, the failure could have been due to a function like assert() not being satisfied, which may cause a transaction to be reverted. Since version 0.8.0, assert() no longer consumes all the gas, so the remaining gas should be refunded if the assert() fails, which can be a clue in understanding the transaction failure. \n\nSometimes, transactions can also be reverted due to issues with tokens. For instance, fee-on-transfer tokens remove a small fee from every transfer, so if your transaction involved such a token, the received amount could be less than the sent amount, causing the transaction to fail. It's worth noting that not all tokens are fee-on-transfer. \n\nIf you suspect that your transaction failed due to reasons other than the ones mentioned above, there could be other factors at play. For instance, if the transaction involved cross-chain transfers, there could have been an issue with the InvariantTransactionData.transactionId. This isn't just a counter but a unique identifier, and any errors in its handling could cause the transaction to fail. \n\nIn summary, to identify the reason why a transaction was reverted, you need to analyze the transaction on a blockchain explorer, understand the bytecode, and consider the specific characteristics of the transaction, such as the types of tokens involved and whether it was a cross-chain transfer. \n\nLink for reference: https://snowtrace.io/tx/0x0806bc0a28e4d808ac4dba25997e4b68b40595e003adbaa758ce4894ee20e15a", "Question: How do gas optimizations work in CodeArena's smart contract audit process?\n\nAnswer: Gas optimizations are a crucial part of CodeArena's smart contract audit process. These optimizations help in minimizing the computational resources a contract uses. One example is the 'SAVE GAS BY NOT REQUIRING NON-ZERO INTERVAL IF NO LINEAR AMOUNT' issue. In this case, a Gsset for the claim\u2019s interval can be converted to a Gsreset, saving 17100 gas. 
\n\nWhen reporting gas optimizations, it's recommended to specify the amount of gas saved for each optimization, though this isn't always required. The decision to include such details can be left to the judge's discretion. However, including these details can potentially increase points. For example, one user reported that excluding the increment (++i) in a for loop can reduce gas costs significantly. \n\nWhen a low issue/non-critical (QA) bug also reduces gas is discovered, it should be included in the QA category and mention the gas savings. If the issue is solely related to gas savings, it could be downgraded from QA to Gas. There are also certain automated gas optimizations detected by automated audit tools, such as 'Use assembly to check for address(0)'. However, not all gas optimizations are valid when the optimizer is enabled, which could lead to confusion. \n\nThe use of gas reports is not always distinctly clarified. For instance, it's not always necessary to show Proof of Concept for the gas saved. A description and mention of gas saved is often sufficient. \n\nThere's also a recommendation not to initialize default variables to 0 for gas optimization. For loops in Solidity, the initialization of the loop variable to 0 is not necessary, which may lead to gas savings. \n\nFor more detail on this specific issue, you can use this link: https://discord.com/channels/810916927919620096/810931711609143326/1039353447977324604.", "Question: Can I change my login address or wallet address on Code4rena and how can I do it?\n\nAnswer: It is possible to update your payment addresses on Code4rena. You can do this from your C4 account screen: https://code4rena.com/account. However, as of now, there is no direct support for changing the login address (wallet address) used for signing in. If you have Metamask, you can link multiple addresses to your account. 
If your account has been compromised, you're advised to submit a help desk request with details and a mycrypto.com signed message. More information regarding changing the wallet address, adding multiple addresses using Metamask, and actions to take in case of compromised accounts can be found at: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. If users face issues with login, Code4rena can update the database to resolve the issue.", "Question: How can I update my login and payment addresses on CodeArena after initial setup, especially if there is a security concern?\n\nAnswer: CodeArena enables users to change their payment address using the Manage Account section on the platform (https://code4rena.com/account). If there are unexpected notifications regarding payment address updates, you can report these for further investigation by the team.\n\nHowever, changing the login address (registered wallet on the platform) is currently not directly supported. If you have used MetaMask while setting up your account, you can link multiple wallet addresses. This is useful if your current login wallet has been compromised but it doesn't fully replace it. For instructions on this, refer to https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with.\n\nIn cases of hacking incidents or other security concerns, after you update your payment address, it's advisable to remove the compromised address from your logins. If the compromised login involves the same wallet used for payments, make sure to submit a help desk request for further assistance (https://code4rena.com/help).\n\nFor any updates or changes to the wallet addresses used in specific findings, these can be made after submission and before the reward payout. Please submit a request through the Help Desk for this. 
If you want to use a new wallet address in your reports going forward, the rewards will be distributed to the new address. \n\nPlease remember, maintaining the security of your wallet addresses is crucial to your participation in CodeArena.", "Question: Can you please explain what the check 'if uint8(stor2.field_160)' in Solidity means and how it impacts the smart contract's gas optimization?\n\nAnswer: The check 'if uint8(stor2.field_160)' is a condition that checks the value of 'field_160' in the 'stor2' object, after casting it to a uint8 type. \n\nIn Solidity, a uint8 is an unsigned integer of 8 bits. An array of bytes32 is not just 32 bytes, but an array of 32-byte sequences. It's important to note that one byte consists of 8 bits. So, this code is likely checking a specific setting that is stored as an 8-bit (or 1-byte) value in the smart contract's storage.\n\nSmart contracts in Solidity store state variables in 32 bytes storage slots. Multiple variables can potentially be packed into a single slot if they are declared next to each other to optimize gas costs. For instance, a uint8 variable can potentially fit with other variables into a single 32-byte slot, resulting in gas savings when accessing the variable.\n\nThe way data is stored in Solidity can have significant implications on gas usage. For example, using 'for (uint256 i = 0; i < 1000; i++)' versus 'for (uint256 i = 0; i < 1000; ++i)' can lead to different gas costs.\n\nHowever, it's also important to note that even though this code is checking an 8-bit value, the actual gas usage for this operation can depend on other factors too, such as how the data is accessed and where it's stored in the smart contract's storage. \n\nFor example, if the 'stor2.field_160' value is in storage, then it may incur a higher gas cost to access than if it were in memory. This is because accessing data in storage is generally more expensive than accessing data in memory in Solidity. 
Solidity's documentation on storage layout can provide more insight into this: https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html\n\nIn conclusion, while this line of code is checking a specific 8-bit value, its exact function and impact on gas usage can vary depending on other aspects of the smart contract's implementation. It's always recommended to review and understand the full context of a smart contract when analyzing any specific line of code.", "Question: What should I do if I lose my seed phrase from my wallet as a registered warden at CodeArena?\n\nAnswer: If you lose the seed phrase from your wallet, it's important not to panic. First, you need to follow the steps mentioned on our guide here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked. This will help you in dealing with the situation. \n\nNext, you should consider registering as a warden again to get your new wallet whitelisted, as this is required to submit findings. Instructions on how to register as a warden can be found here: https://docs.code4rena.com/roles/wardens. \n\nIf the lost wallet was the one you use to log in to CodeArena, you may need to change the login wallet address. You can do this following the steps detailed here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. \n\nYou can also change your wallet address where you receive awards. More information on this topic can be found here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards.\n\nIf you forget your registration wallet address or encounter any other issue, you can submit a help request at https://code4rena.com/help. Additionally, if you're interested in accessing specific channels or participating in private audit contests, you need to be a registered warden. \n\nFurther, to become a certified warden, you need to complete a Know Your Customer (KYC) process. 
More information about this can be found in our FAQ and troubleshooting section at https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting. \n\nRemember, in case of such unforeseen circumstances, it's suggested to use a new wallet to prevent further attacks. Always ensure to keep your seed phrase secure and confidential.", "Question: What is the process and timeline for becoming a Certified Warden at CodeArena, and is passing the Know Your Customer (KYC) process a prerequisite?\n\nAnswer: Becoming a Certified Warden at CodeArena involves completing a Know Your Customer (KYC) process. This process is essential and delegated to Provenance. After an application is submitted to become a Certified Warden, it may take around 2-3 weeks to receive the KYC email from compliance@provenance.company, which may appear in the spam folder. Upon KYC approval, it takes approximately another 2 weeks to mark a warden as certified. \n\nThe Certified Warden role comes with certain privileges, including access to findings shortly after contests end. However, the specific benefits have not been detailed. Certified Wardens may also have access to private contests and payments from KYC-required sponsors like Chainlink.\n\nPlease note, not everyone may wish to go through this process, and there are differing opinions on its fairness for non-KYC wardens. Applicants can check their acceptance status on CodeArena's platform, and you can find more details about the process at https://docs.code4rena.com/roles/certified-contributors and the application can be made at https://code4rena.com/certified-contributor-application/.\n\nIt's also worth noting that a discussion about KYC and OFAC sanctions screening was held in regards to an OpenSea contest, and it was mentioned that KYC confirmations would be processed over a few days. However, how to know if a warden has done the KYC is unclear as it can't be seen from the front-end. 
There may also be a requirement to participate in a certain number of contests and have a certain number of valid findings or reports to be a certified warden.\n", "Question: \nHow many wardens typically report bugs per project, and what factors influence the process and the rewards?\n\nAnswer:\nOn average, we see about 150-300 submissions per contest. These submissions include a variety of issues ranging from quality assurance (QA) and gas issues to duplicate and invalid ones. \n\nIt's important to note that the severity of a bug to be reported depends on its impact, and there are guidelines for estimating the risk at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. Not every bug reported within an hour of a contest's start is considered. \n\nWhen the same vulnerability is reported by multiple wardens, they each get the same share. The level of detail in the submission can influence the award amount, considerations include the inclusion of a Proof of Concept (PoC) and how comprehensively the issue is covered. \n\nThe reward structure is such that the more wardens that find the same issue, the less money each warden receives for it. The best report typically receives more money, and duplicates below a threshold might not receive any money. More details can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards.\n\nAlso, bear in mind that new wardens often have a learning curve in understanding the architecture of each project, interacting with the code, and finding vulnerabilities within the allotted time. Certified Wardens process is a topic of interest to many users, and any related questions can be directed to Code4rena. \n\nThe leaderboard available at https://code423n4.com/leaderboard/ gives an idea of the performance of different wardens or teams. 
\n\nA detailed list of rewards for each warden for each bug per contest is available at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. The reward amounts can vary significantly, some wardens may receive thousands of USDC while others only receive hundreds. \n\nThis entire process ensures a fair and comprehensive review of projects' smart contracts, helping to identify and address vulnerabilities effectively.", "Question: What's the current use of fuzzing tools in auditing smart contracts, especially after Solidity 8.0 introduced overflow/underflow checks?\n\nAnswer: The use of fuzzing tools, like Echidna, for auditing smart contracts has decreased after Solidity 8.0 implemented overflow/underflow checks. However, these tools are still employed in certain cases and contests. For example, HEVM tests for the maple-core repo use around 100 fuzz runs, which can be a lengthy process for first-time tests. It is advised to run 1 fuzz for the initial test and then increase to 10-100 for subsequent local tests. Foundry is another useful framework for conducting tests which provides tools for checks like storage and allows changing the number of cases generated by foundry fuzz ([Foundry Config](https://book.getfoundry.sh/reference/config/testing#fuzz)). There are also tools like Slither for static analysis and bug finding, though some users reported limited success with it. You can even write custom checks for Slither. When automated tools are used for initial findings, especially for attacks, they require a higher burden of proof to demonstrate a relevant high or medium severity exploit path to be deemed satisfactory ([Code4rena discussion](https://github.com/code-423n4/org/discussions/50)). This is because, as noted by Sebastian Banescu from Quantstamp, the Code4Arena process thrives on the mantra \"More auditors, more findings\". 
In conclusion, while some auditing tools may have seen reduced usage due to updates in Solidity, they still play an important part in bug detection and contract security audits.", "Question: What is the role of fuzzing tools in smart contracts auditing and how has their usage changed since the introduction of Solidity 8.0?\n\nAnswer: Prior to Solidity 8.0, fuzzing tools like Echidna were frequently used in smart contracts auditing. The primary function of these tools is to find vulnerabilities and bugs in smart contracts by generating a large number of random test cases. However, the implementation of an overflow/underflow check at the language level in Solidity 8.0 has decreased their usage considerably. \n\nDespite this, some users in our CodeArena community are still curious about the potential use of fuzzing tools in auditing contests. For example, Foundry Fuzz is a tool that can be adjusted to generate a specific number of cases for testing (https://book.getfoundry.sh/reference/config/testing#fuzz). However, it's important to note that when automated tools like fuzzing tools or bots are used for initial attack findings, there is a higher burden of proof to demonstrate a relevant high or medium severity exploit path. This is to ensure that the findings are indeed satisfactory and not false positives (https://github.com/code-423n4/org/discussions/50). \n\nOther tools mentioned in our community discussions for smart contract auditing include Hardhat, Truffle, Foundry for auditing, and Slither for static analysis. However, the effectiveness of these tools can vary, and some users report limited success with their use.\n\nFinally, while automation can indeed be helpful in identifying potential issues, it is also important to be aware that not all issues identified by automated tools may be genuine vulnerabilities, and that fixes proposed by bots might inadvertently introduce more damaging exploits. 
Hence, a manual audit is still considered crucial in the auditing process.", "Question: What does SLOC stand for in the context of CodeArena, and how is it calculated for each smart contract?\n\nAnswer: SLOC, or Source Lines of Code, is a term used in software development to denote the number of lines in a codebase minus the number of lines that are comments. In the context of CodeArena, it is used to understand the size of the smart contracts for audits. The SLOC values can be seen on CodeArena's contest pages, such as the one for Arbitrum Foundation [here](https://code4rena.com/contests/2023-08-arbitrum-foundation#top).\n\nThe calculation of SLOC is not always straightforward and can vary based on the tool being used. CodeArena primarily uses the tool 'cloc' for this purpose. The metric can differ when using other tools such as Solidity Coverage or Solidity Metrics nSLOC. For example, the SLOCs for Dopex were initially reported incorrectly, including spaces, but the correct SLOCs are 2200.\n\nConsequently, there have been suggestions to standardize LOCs across different contests to avoid confusion. There have also been instances of mismatch between the number of lines of code (LOC) mentioned in a contest's README.md and the actual lines in the contract files, such as the one noticed in the Sherlock finance's repo [here](https://github.com/code-423n4/2022-01-sherlock).\n\nParticipants may find the SLOC metric helpful in estimating the effort required for a contest, although the duration of contests is not directly proportional to the SLOC size. For example, the Maia project, which has 12K SLOC, was given a limited duration of 20 days for audit, raising concerns among participants. However, it's worth noting that contest timelines can sometimes be extended, as happened for a contest involving over 12k SLOC, which got extended to 4 weeks.\n\nPlease bear in mind that understanding SLOC is just one aspect of auditing smart contracts at CodeArena. 
Other skills, such as understanding how to calculate the gas cost of a contract, loan-to-value calculations, and running tests in Solidity, can also be crucial.\n", "Question: Are all bugs and gas optimizations stated in publicly known issues applicable to other files within the same repository? How should these issues be reported?\n\nAnswer: Not all bugs and gas optimizations stated in publicly known issues are applicable for other files within the same repository. When it comes to gas optimizations, only those specified in the generated report are considered invalid, the rest can be found on the [C4 Common Issues GitHub page](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md). \n\nIf a gas optimization finding can be applied to more than one line of code, it should be reported as a single finding with all the applicable lines mentioned. For non-critical issues that also reduce gas, they should be included in the Quality Assurance (QA) category and the gas savings should be highlighted. If the issue is purely related to gas savings, it may be downgraded from QA to Gas.\n\nWhen reporting gas optimizations, it's beneficial to specify the amount of gas saved for every finding. Also, known issues should be excluded from gas reports. If participants have code demonstrating a proof of concept for each bug or optimization, it's recommended to share this either by adding a zip file to the submission or sharing a private GitHub repository. \n\nIt's worth noting that not all gas optimizations are valid when the optimizer is enabled. And, if a finding is relevant to both QA and gas savings, it can be included in either report, with judges making the final decision on where it best fits.\n\nUncertainty and confusion can occur in certain situations, particularly in relation to reporting issues or the validity of optimizations. 
When in doubt, it's advisable to seek clarification, perhaps by referring back to the [Code4Rena audits](https://github.com/Picodes/4naly3er/tree/main/src/issues). It's always better to provide as much detail and evidence as possible in your reports to enhance the credibility of your findings.\n\nRemember, the goal of these reports is to improve the quality and efficiency of the smart contracts being audited. Each valid finding contributes to this goal and helps build more secure and optimized smart contracts.\n", "Question: Can I contact a judge directly for help or feedback on my submissions?\n\nAnswer: Direct contact with judges is not typically allowed due to the anonymous nature of our process. The identity of the judge for an ongoing contest is not disclosed by design to ensure fairness. However, participants can ask for feedback about issues to understand the reasoning behind a judge's ruling or to see what could be improved. If a submitted finding is marked as invalid, you will receive feedback from a judge. Disagreements with a judge's decision can be discussed according to our policy on fairness and validity, which can be found at [https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision). \n\nIf you have backstage access, you may speak with the judge to re-evaluate a finding and provide comments. If an issue is labeled as \"sponsor-disputed\" and there is no explanation provided, you can check for duplicates and ask the judge after judging. Note that judges have full-time jobs and other commitments, so there may sometimes be a delay in response times.\n\nFor inquiries about auditing projects or issues with performing tasks via mobile, you can send requests to submissions@code4rena.com for assistance. You can also ask for support from the C4 website and in our Discord chatroom. 
More information about the roles and responsibilities of judges can be found at [https://docs.code4rena.com/roles/judges](https://docs.code4rena.com/roles/judges).", "Question: I'm considering taking up Web3 full time and aiming for a junior auditor role at an auditing firm during a bear market. I have ample time to dedicate to this. Could I succeed in this path and how should I prepare? \n\nAnswer: Based purely on the information provided, it's challenging to provide a definitive answer as success depends on various factors, including your current knowledge base, skills, and dedication to learning. However, with ample time, you can certainly make substantial progress in this field. As an aspiring smart contract auditor, starting with resources such as [How to Become a Smart Contract Auditor](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and [Tools and Resources](https://docs.code4rena.com/roles/wardens/tools-and-resources) can be beneficial.\n\nFurthermore, the time taken to become a certified auditor could vary greatly depending on your prior experience and learning capabilities. Reading old audit reports, like those on [ChainSecurity](https://chainsecurity.com/audits/), and reverse engineering can be valuable learning experiences. You may also find webinars like the OpenZeppelin series helpful; the first video can be found [here](https://youtu.be/6GaCt_lM_ak). \n\nKeep in mind, the hardware requirements for auditing DeFi protocols are relatively low, so even a 10-year-old PC should be capable of handling the task. However, certain activities such as fuzzing can benefit from a faster computer. \n\nAdditionally, users interested in specific aspects of auditing, like Web2 security in the context of Web3, or studying the Geth node can refer to resources online, although it's also essential to consider your personal interests and aptitudes when deciding on a career path. 
\n\nLastly, while working towards certification, you may find it beneficial to participate in private audit contests, although this typically requires certification as a warden as suggested [here](https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0). \n\nIn summary, while it's potentially feasible to become a junior auditor even in a Bear Market, the journey will require dedication, learning, and practical experiences.", "Question: Is it acceptable to demonstrate a Proof of Concept (PoC) against a block number known to work on a testnet fork due to state changes, and how should I present this PoC?\n\nAnswer: Yes, it is acceptable to show a Proof of Concept (PoC) against a block number known to work on a testnet fork with state changes. When you present your PoC, it's important to remember that it doesn't necessarily need to be executable or exact code. A clear description or demonstration in plain English is generally sufficient. However, if you are able to provide code, you can either embed the code directly in your submission or, if it is too large, you can create a public Github repository or provide a diff of an existing sponsor-supplied test/contract. Alternatively, you can use external platforms such as Gist to submit very long PoCs.\n\nWhile local forking is preferred to avoid polluting the public testnet with unnecessary data, you can use public testnets, particularly for scenarios involving large numbers of users and complex state. Tools like the Hardhat Foundry are convenient for local forking as they can fork their state from a public testnet or even the mainnet. \n\nRemember, a PoC is recommended, especially for medium severity findings; without a PoC, your finding may be disregarded unless the issue is extremely obvious. 
For an example of a PoC for a bug and its impact, you can refer to [Issue 376](https://github.com/code-423n4/2022-12-caviar-findings/issues/376) and [Issue 343](https://github.com/code-423n4/2022-12-caviar-findings/issues/343) on our Github page. If the severity of the issue is unclear, you should continue working on the PoC until it becomes clear.", "Question: I discovered that abi.encode is often recommended over abi.encodePacked when auditing smart contracts, but I'm unsure why. Can this choice lead to a critical vulnerability and could you provide an example?\n\nAnswer: The choice between abi.encode and abi.encodePacked can indeed lead to potential vulnerabilities in your smart contracts. The difference between the two lies in how they handle the input data. abi.encodePacked performs a tight packing of the arguments, whereas abi.encode pads the arguments to 32 bytes each. This behavior might lead to hash collisions and potential vulnerabilities in certain situations.\n\nOne example can be seen in the wild credit contests from 2021, where it was demonstrated how the improper use of abi.encodePacked could lead to an exploit. [Check out this video for more info](https://www.youtube.com/watch?v=wCD3fOlsGc4).\n\nIt's important to note that context plays a significant role when assessing the severity of issues with smart contracts, such as the ones arising from the misuse of the two methods. For instance, an external function transferring ERC20 tokens without reentrancy protection may not necessarily be a high-risk vulnerability unless there's a clear exploit path. \n\nAs seen in our chat discussions, the solidity version, gas optimization, and use of certain functions (like safeTransferFrom) can also impact the security of the contracts. Tools like Slither can be beneficial in auditing smart contracts and identifying potential vulnerabilities. \n\nFurthermore, it's important that vulnerabilities are accurately reported and documented. 
Typically, this is done by providing a URL to the repository with a line inner in the text, or by providing a solidity code block.\n\nIt's also worth noting that even if automated tools report vulnerabilities, many people still opt to get their smart contracts audited by professionals, as these tools may not catch all potential security issues.", "Question: Is it best practice to prepend all internal functions with an underline in smart contracts? Does the same apply for function parameters and is it related to gas optimization?\n\nAnswer: \nPrepending internal functions with an underline is a common practice in the smart contract development community, especially when working with Solidity. This is done primarily for readability and to easily distinguish internal functions from public and external ones. The same practice can be applied to function parameters as well, although it's less common.\n\nHowever, it is important to note that this naming convention does not directly contribute to gas optimization. Gas optimization in smart contracts is largely related to how you structure your code and the functions within it. For example, function inlining - where internal functions that are only called once can be inlined to save gas - is an effective method for gas optimization. Also, the order in which you check storage and calldata within a function can influence gas costs. \n\nFor instance, swapping the order of a function that first checks from storage, then checks the calldata, could optimize the gas. Moreover, using custom errors instead of require statements with a string might be more gas-efficient. 
Specifics about gas efficiency can be found on various resources, such as the Solidity documentation: https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility\n\nLastly, it's worth noting that any significant improvement found in an important function should be showcased in your audit report, and if a gas optimisation finding is found that can be applied in more than one line of code, it should be submitted as one finding and mention all lines where it can be applied. \n\nRemember, the primary purpose of these practices is to make your contracts safer and more efficient, and not necessarily to adhere to a strict naming convention.", "Question: How does Code4Arena (C4) handle the classification and reclassification of issues by severity in reports, and what impact does it have on rewards?\n\nAnswer: At Code4Arena (C4), both participants and judges play a role in classifying the severity of issues in reports. As participants, you are expected to submit issues as High, Medium, Low, or QA based on your evaluation, but keep in mind that overinflating severity can result in a report being graded unsatisfactory.\n\nJudges at C4 have the authority to review and reclassify the severity of submitted issues as they deem necessary. They can either downgrade or upgrade the severity. For instance, an issue submitted as High can be downgraded to Medium if it's not of a high order. Similarly, a finding initially categorized as Medium or Low can be upgraded to High by the judges if they deem it necessary. The same applies to QA issues, which can be elevated to Medium or High severity if warranted.\n\nThe reclassification of an issue doesn't necessarily invalidate the report or nullify rewards. If a High severity bug turns out to be only Medium, you still receive the reward for a Medium bug. Similarly, if a Low severity finding is upgraded to Medium, it will be eligible for medium rewards. 
However, if an issue is judged to be overinflated in severity, it could be invalidated and deemed unsatisfactory.\n\nIn scenarios where no High or Medium issues are found in a contest, the entire rewards may be allocated to Quality Assurance (QA). Also, 'on the fence' vulnerabilities can be submitted as either High or Medium risk, but it's recommended to detail your reasoning in your submission to make a case for the severity you choose.\n\nThe guidelines and policies regarding severity classification, issue submission, and rewards distribution can be found at the following links:\n\n- Submission Policy: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues\n- Incentive Model and Awards: https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions\n- QA and Gas Report FAQ: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum\n", "Question: How can I receive and manage awards at CodeArena?\n\nAnswer: At CodeArena, awards can be received by participating in our contests. Once the contest's sponsor review and judging processes are completed, awards are typically announced within 1-2 weeks and are sent out manually in batches for multiple contests at a time. The distribution of these awards is done to the user's registered wallet address. You can check the announcement channel for updates on distribution. If you wish to change your wallet address, you can do so following the instructions at this link: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards. \n\nTo be eligible for awards, you generally need to be certified and rank in our leaderboard. While you can participate in some contests without being certified, you would need certification to receive rewards if your submissions are awarded. 
More information on this and the certification process, which can be started within 48 hours of the contest, can be found here: https://docs.code4rena.com/roles/certified-contributors. \n\nOnce you are awarded, you have to wait for the payout. The awards are distributed based on individual issues, meaning multiple items in one submission count as one submission. For some contests, you might be required to complete a KYC form to receive your awards: https://docs.code4rena.com/roles/certified-contributors. \n\nIf you are part of a team, it's up to your team to decide how to split your portion of a contest's reward amongst yourselves. You can find more detailed information on awards and the awarding process here: https://docs.code4rena.com/incentive-model-and-awards. Please note that awards cannot be distributed until the whole process is completed. \n\nFor tax and legal questions related to your awards, you may refer to this link: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. \n\nPlease be aware that the leaderboard gets updated every time awards are announced, and not all contest types are currently supported. You can find the leaderboard and awards list in our announcement channel. We aim to process awards as quickly as possible and have a goal to process a list of awards by the end of the week. Please keep an eye on our announcement channel for specific contest awards, like the Stader Labs contest.", "Question: What is the current policy for incorrect findings, and how does the grading and penalty system work in CodeArena?\n\nAnswer: Currently, there is no penalty for submitting incorrect findings; however, it's important to note that certain mistakes or errors, such as setting incorrect severity of the issue in smart contract auditing, may bear some consequences. Also, while there is no issue with submitting findings one isn't 100% sure of, incorrect findings can affect the QA grade. 
\n\nParticipants typically receive feedback from a judge if a finding is marked as invalid, and any finding disputed by a sponsor as \"won't fix\" but deemed valid will still be rewarded. If a finding is submitted as medium severity but the judges believe it is high, they can upgrade the severity, unless there is a cause for penalization. \n\nKeep in mind that not all reports or findings are guaranteed a reward. They are graded and must meet specific quality standards to be considered valid and satisfactory. \n\nIt's recommended that participants read through the discussion on grading and awarding, as well as potential future penalties. This information can help them understand how different aspects of the grading and penalty system work. You can check this discussion [here](https://github.com/code-423n4/org/discussions/50).\n\nAlso, note that the submission of analysis along with findings is not mandatory, and there is no requirement to confirm findings with the project's developers before submitting them; it's up to the participant to submit a point thought to be a valid finding. \n\nAfter submitting a finding, participants can expect a follow-up. If a participant realizes that something is a false positive after submission, they can retract the submission by going to the contest page and clicking the findings tab. They can also modify submitted findings through the \"your findings\" button on the contest page.\n\nHowever, remember that any findings not submitted before the end of the contest will not be eligible for rewards. Please refer to the CodeArena guidelines for more details.", "Question: Why does the process of reporting findings take a long time and how can I track my submission?\n\nAnswer: The reporting process at CodeArena involves several stages and factors which contribute to the time taken. 
Submissions of findings go through a review process which can take between 3-6 weeks on average, depending on the specific contest and the number of reports under review concurrently. Some of the factors contributing to delays include prioritization of other tasks such as merging awards, sponsor review, and awaiting green light from the projects involved for the release of the report.\n\nBesides, the system also has to handle multiple submissions and deal with issues like API rate limits which could cause delays. In some cases, like the Yaxis project, high participation rates and numerous submissions for review can extend the timeframe.\n\nAfter submitting your findings, it may take some time for the submission to be confirmed via email. If the submission fails, an error message should be displayed. Once your report is submitted successfully, the results can be seen when the report is published. This could take anywhere from 2 to 6 weeks or even longer in some instances. Also, note that findings submitted for contests may not always make it to the final report, and the reason might not be immediately known. To check, you need to wait until the reports are published.\n\nLastly, in case you're unsure about the severity of an issue after reporting, or want to submit additional findings after an initial submission, reach out to the CodeArena team for guidance. Always ensure to keep track of your past reports and confirm the receipt of your issues. If you encounter any issues or errors while submitting or updating your report, try multiple attempts or seek assistance from our team. We're working actively to improve our system and reduce the average turnaround time from audit competition to release of reports.", "Question: Why hasn't the leaderboard updated immediately after the announcement of rewards?\n\nAnswer: The updating of the leaderboard on CodeArena follows a specific process and doesn't occur immediately after the announcement of rewards. 
This is due to several reasons. Primarily, we are working on supporting all contest types on the leaderboard. In some instances, the leaderboard might not accurately reflect a user's accomplishments, for example, with certain contest results potentially not being counted for the full duration. There was also an instance where some items were double counted due to a minor error, which is planned to be corrected in an upcoming update. \n\nAdditionally, there might be a delay in the reward distribution after the announcement, and in some cases, the rewards from previous private contests are added to the leaderboard later. This also includes certain cases where the rewards for a contest have not yet been paid out to participants, or certain rewards may be pending even after a contest has finished. \n\nMoreover, the leaderboard doesn't currently track the dates awards went out, but rather builds the leaderboard off the dates of the audits themselves. After the leaderboard is shown and rewards are sent, the final report of the contest may not immediately appear on the C4 site. It's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project.\n\nFor the leaderboard to accurately reflect a user's accomplishments, several process pieces need to be glued together - something that we're actively working on. We are also considering potential improvements to the leaderboard, such as having different timelines, adding badges for various achievements, and introducing leaderboard seasons.\n\nRemember, once you receive a reward and appear on the leaderboards, you are eligible for the \"leaderboard\" discord role. If a warden receives rewards both individually and as part of a team, the team and the individual will appear separately on the leaderboard. \n\nWe understand the concerns about the leaderboard updates and are working to improve the system for a more seamless experience for everyone involved. 
For any further queries, feel free to contact us through our [Discord channel](https://discord.com/invite/codearena).", "Question: What is the definition of \"Unsatisfactory\" in the context of CodeArena's smart contract audits and how does it relate to the validity and quality of a report or findings?\n\nAnswer: In the context of CodeArena, an \"Unsatisfactory\" label is typically applied to reports or findings that do not meet the set quality standards for a valid and satisfactory submission. This could include submissions that are incorrect, overinflated in severity, lack a clear explanation or path to the finding, or contain a few invalid issues. \n\nAn unsatisfactory submission does not necessarily relate to the validity of a report. A finding could be valid but still be labeled as \"Unsatisfactory\" if it does not add value or is non-critical, such as the presence of \"Open Todos\" or the \"use of Block.timestamp\". It's important to note that not all reports or findings are guaranteed a reward, even if they are valid. \n\nFurthermore, the grading of reports involves the consideration of both quantity and quality, with judges looking for a proper understanding of how an issue could be exploited. A low-grade or a 'C' grade can indicate an unsatisfactory submission. There is also an incentive for participants to avoid submitting a high volume of low-quality reports as these could be penalized and affect the overall grading and potential rewards.\n\nFor more information on these guidelines, please see: https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions or the discussion at https://github.com/code-423n4/org/discussions/34.", "Question: How can I understand why my bug submission was rejected and how to improve my future submissions at CodeArena?\n\nAnswer: After every contest, CodeArena releases a comprehensive report which includes details about the accepted and rejected bug submissions. 
If your submission was not accepted, you can review this report to understand why it was not accepted. This process gives you the opportunity to see the discussion among sponsors and judges on the specific issue. \n\nYou can find examples of past submissions and reports at [https://code423n4.com/reports](https://code423n4.com/reports). Additionally, you can review the submission policy at [https://docs.code4rena.com/roles/wardens/submission-policy](https://docs.code4rena.com/roles/wardens/submission-policy) to understand the best practices for submitting bugs. \n\nAlso, you can view or edit your own submissions on the site for open contests. And if a correct bug issue is submitted with an incorrect proposed solution, the submission can be updated if the contest hasn't ended. Furthermore, if you feel the severity of your submitted bug needs to be increased, you can submit a help request to remove the original submission and then submit again via [code4arena.com/help](https://www.code4arena.com/help).\n\nRemember, the grading criteria for quality submissions include correct identification of the highest severity impact of the bug, making the case for the severity and validity chosen with evidence, and clear and understandable writing. \n\nFinally, if your submission is rejected, there's a process for you to discuss or argue your case. You can pass on your arguments or changes to the severity of reported bugs after a contest ends to the judge through designated contact points.\n\nNote that a bug report without Proof of Concept (PoC) may be disregarded unless the issue is extremely obvious (such as a wrong parameter, typo, or code that doesn't compile).\n\nIf you have any other questions or concerns, you can always reach out in the Discord chatroom.", "Question: What are the steps and qualifying conditions to obtain the backstage role at CodeArena?\n\nAnswer: To obtain the backstage role at CodeArena, you need to meet certain criteria. 
Eligibility is based on the Certified Contributor role and a set number of findings, which can include a high severity finding, three medium severity findings, or a QA or Gas report with a score of over 85. In the case of team submissions, if three or more Medium findings are accepted, all team members become eligible for the backstage role. \n\nAdditionally, participation in at least three contests, as well as any awards you receive, are considered when assessing eligibility. Once you believe that you meet these criteria, you can submit a Help Desk request at https://code4arena.com/help for your status to be evaluated. \n\nPlease note that the final decision is based on a pre-set plan and your request will be reviewed once the results of your findings are published to the leaderboard. Information on the criteria and the process to apply for the backstage role can be found in more detail at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. \n\nPlease remember to be patient after submitting your request, as it may take 1-2 business days for us to respond. We value your contribution to CodeArena and will make sure to notify you once your request has been reviewed.", "Q: I have identified several potential issues during my audit, but I'm not entirely sure about their validity due to lack of specification in the documentation. Can I still submit these findings? What if I can't provide a Proof of Concept (PoC) for some of them? And can I submit these issues as a team?\n\nA: It is absolutely okay to submit any findings you're unsure of. In case of uncertainty, you can either submit these findings or direct message the sponsor team for additional context. However, it's important to note that if a PoC is not provided, a finding may be disregarded unless the issue is extremely obvious, such as a wrong parameter, typo, or code that doesn't compile. 
\n\nAs for your question about team submissions, yes, it's possible to submit issues as a team, although the exact process of doing so is not fully clarified in the current documentation. If you need further assistance, you can ask for support from the C4 team through the discord or on our website.\n\nIf you're unsure whether findings should be submitted as separate issues or as one, it's unclear which way is preferred but you can check the official documentation at https://docs.code4rena.com/ for potential guidance.\n\nOnce you submit your findings, if you do not receive an email confirmation, you can open a help desk request at https://code4rena.com/help/. If your findings are rejected and you would like to know the reason, the same link can be used to request this information. \n\nPlease remember that even if you don't have significant findings or findings at all, you can still submit an analysis report about the system to provide advice on things to consider for the future of the project. \n\nThe C4 team is continuously working on improving our tools and procedures to facilitate and speed up these steps, and we appreciate your participation and patience in this ongoing process.", "Question: How can I become a Certified Warden at Code4rena?\n\nAnswer: To become a Certified Warden at Code4rena, you will need to go through a specific process which includes completing an application and a Know Your Customer (KYC) process. 
Information on how to become a Certified Warden can be found in detail at the following links: \n\n- For an overview of the role and certification process, visit: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.\n- For eligibility requirements, visit: https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor.\n- To apply directly, visit: https://code4rena.com/certified-contributor-application.\n\nBecoming a Certified Warden allows you to participate in private contests and opportunities to be marked as \"Available for Hire\". It gives you the ability to access findings shortly after contests end and qualifies you for backstage roles. However, being a Certified Warden may require participating in a certain number of contests and submitting a certain number of valid findings or reports. More details about obtaining a backstage role can be found at: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: What is the process to exchange USDC on Polygon into BTC?\n\nAnswer: To exchange USDC on Polygon into BTC, you'll need to follow a few steps. First of all, you'll receive your rewards in USDC on the Polygon network. You can then use the Polygon bridge at https://wallet.polygon.technology/ to move your USDC funds back to the Ethereum Mainnet, although you should note that this requires Matic and possibly Eth. An alternative to this is using the Hop Bridge, which only requires Matic, but you may receive less USDC on the Ethereum Mainnet. Once your USDC is on the Ethereum Mainnet, you can deposit it into Coinbase. From there, you can convert your USDC into BTC. Please note that moving funds from Polygon to Ethereum and later to Coinbase can attract transaction fees and conversion rates which can affect the final BTC amount received. 
It's important to explore all your options before making a decision.", "Question: What is the process and the requirements for becoming a Certified Warden at CodeArena, and what benefits and responsibilities does this certification bring?\n\nAnswer: A Certified Warden at CodeArena enjoys certain privileges including the ability to participate in private contests, have backstage access to observe the report submission and triage process, and partake in a post-judging QA period where they can comment on judges' decisions. This certification also requires wardens to adhere to a professional conduct guideline, mandating that all findings are treated as private and confidential until the contest report is made public. \n\nTo become a Certified Warden, one needs to complete the Know Your Customer (KYC) process which is delegated to Provenance by C4. Certified Wardens will then be part of a permissions group/team on GitHub that gives them access to private repos. Note that the individual wardens have the choice to keep their GitHub usernames private. For more details on how to become a certified warden and participate in private contests, you can visit [https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints] and [https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0]. \n\nThere is also a private channel for certified wardens, a workspace where they assist with various process-related tasks. Questions relating to the Certified Warden process can be asked directly to Code4rena.", "Question: What steps is CodeArena taking to address concerns about the CSV design and the slowdown of the leaderboard? \n\nAnswer: CodeArena has noticed several concerns about the CSV design and the slowing down of the leaderboard. In response to these concerns, they are planning several changes. Firstly, they plan to migrate data from CSV and JSON files to a database and API to improve efficiency and reduce loading times. 
They are also looking into changing the leaderboard from tracking the last number of days to the last number of contests. In addition, there's a consideration to introduce different timelines for the leaderboard (all-time, last 3 months, etc.), add badges for various achievements, and introduce leaderboard seasons. During these seasons, each of which could last 4 months or 6 months, everyone on the leaderboard would receive an NFT with their rank, earnings, and a unique design at the end. \n\nIn terms of accuracy, the team is aware of minor issues with some items being double counted and plans to correct this. They are also working to ensure that all contests, such as the Sublime contest, are reflected in the leaderboard and that it accurately reflects a user's accomplishments. Additionally, CodeArena is actively working on improving their processes to prevent long delays in future updates to the leaderboard.\n\nLastly, they also have established a suggestion box for users to share ideas on how to improve the website, leaderboard systems, contest processes, and Discord setup. You may find more information about the leaderboard at https://github.com/code-423n4/code423n4.com/issues?q=leaderboard or https://code423n4.com/leaderboard/. The previous CSV file containing all rewards based on findings can be accessed at https://code4rena.com/community-resources/findings.csv. \n\nPlease note that these changes are currently under consideration and updates will be shared once the plans have been finalized.", "Question: How are findings submitted by a team handled in terms of rewards, submissions, and payout distribution on Code4rena?\n\nAnswer: When a team submits a finding on Code4rena, the submission is treated as one entity and one payment is issued for that finding. The team then has discretion over how that money is paid to its members. 
The submission form allows members to select whether they're submitting as an individual or as a team member, and team members can make submissions on behalf of their teams. Furthermore, all members receive the bug stats and the team, as a whole, is responsible for dispersing the funds.\n\nIt's important to note that teams are incentivised on Code4rena. If a team submits a non-duplicate finding, the team receives a higher reward than if they had individually submitted the same finding. However, if multiple members of a team submit the same item separately, it decreases the overall value of the submission. \n\nIf a team and an individual both find a bug, there is no difference in payout; the overall value of the bug is reduced and split based on how many people find it. This includes members of the same team identifying a common finding. The reward calculation can be understood using a formula present here: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs.\n\nPlease be aware that each individual team member needs to be certified to be eligible for payout and all rewards go to a single wallet for dispersal to the team. \n\nFor more information, visit https://docs.code4rena.com/roles/wardens.", "Question: Is it appropriate to include a link, even to a competitor, as part of mitigation in a submitted finding?\n\nAnswer: Yes, it is acceptable to include a link as part of your mitigation strategy when submitting a finding. This could even be a link to a competitor's project if it is relevant to your finding. However, it might be more convincing to cite examples from Code4rena due to its rigorous judging and QA process. Furthermore, if you have crafted a Proof of Concept (POC) script for a vulnerability, you are encouraged to include the link in the submission where it is relevant. You may also link to relevant Github repositories, previous competition findings or other contests to justify the severity and validity within your submission. 
Keep in mind, however, the final decision on the mitigation part rests with the sponsor if they disagree with your proposed mitigation. Also, remember that if there's an issue that's too large to be embedded directly in the issue, providing a link to a gist is acceptable. As a participant, you're encouraged to provide as much evidence as possible to validate your findings.\n\nFor further information on submitting findings, you can refer to the policies on automated findings at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. For guidance on HM exploit paths when utilizing automated tools for attack findings, see https://github.com/code-423n4/org/discussions/50.", "Question: Is it beneficial for individuals to join a team in CodeArena for smart contract auditing? How are the rewards distributed among teams and what factors should be considered?\n\nAnswer: Yes, there are several benefits to joining a team in CodeArena. Team members can collaborate, share ideas, and learn faster together, thereby enhancing the overall auditing experience. It is also possible for an individual to simultaneously participate solo and as a team member, and one can choose to submit findings as an individual or a team member using the submission form. \n\nIn terms of rewards, when a team submits a unique finding, they receive more rewards than if they individually submitted the same finding. The rewards are reduced semi-geometrically based on the number of people who find an issue separately. However, within a team, the rewards are distributed evenly among the members. It's important to note that all team members need to be certified to be eligible for the payout.\n\nOnce a reward is received, it's sent to a single address and the team is responsible for distributing the funds among its members as per the awards information on [CodeArena's website](https://docs.code4rena.com/incentive-model-and-awards). 
Also, each individual team decides how to split their portion of a reward. \n\nThere's no technical limit to the number of members in a team, and changes to team makeup (like addition or removal of members) are possible. Teams can consist of members with varying levels of English language proficiency and technical skills. If a person's findings are rewarded both individually and as part of a team, their name will appear separately on the leaderboard for each. \n\nHowever, there are some challenges. For example, managing team members who want to participate solo in a contest that their team is also auditing. Also, managing the same team name but with different team members working on different contests at the same time or different times can be complex. \n\nOverall, joining a team provides a collaborative environment that could potentially enhance the auditing experience and increase the reward potential. However, it also requires careful management and coordination among team members.", "Question: Why does it say 'No findings submitted for this contest' in the findings section of the Escher contest even though I have submitted my findings?\n\nAnswer: \nThere might be a few reasons why your findings for the Escher contest are not appearing in the \"findings\" section. After you submit your findings, they should appear under the \"Your Findings\" button on the contest page, provided it was done before the contest deadline. If you're not seeing them there, there could be a few potential causes.\n\nFirstly, check if you have received a confirmation email regarding your submission. If not, your submission might not have been registered properly. Secondly, issues with loading submitted findings have been reported before, which could be causing the problem. \n\nAdditionally, your findings may not have been accepted into the contest. The final report for a contest does not include submissions from wardens whose findings are not accepted. 
However, you might not immediately know the reason why. After the contest ends, automated findings that are not accepted are listed in the \"Known Findings\" section in the Readme Page of each contest. \n\nBear in mind that any findings not submitted before the contest deadline will not be eligible, as was the case for a user who couldn't submit their findings for the MaiaDAO contest due to a power cut. Also, remember that you cannot make your findings \"public\" until the contest is finalized according to the submission rules. \n\nEven if your findings were accepted, they may not always make it to the final report. To check, you need to wait until the reports are published, which usually takes at least a month. \n\nTo edit or withdraw your submitted findings, you can navigate to the contest page and click on the \"Your findings\" button. However, note that you cannot view the findings of a contest after it finishes, but before the results are published. \n\nIf you're still having issues, please contact our support team for further assistance.", "Question: How do I know if I have successfully submitted my findings and where can I review and edit them?\n\nAnswer: Once you have submitted your findings for a contest, you should receive a confirmation email. This email is sent out to confirm the successful submission of your report. It's important to note that there may be a slight delay in receiving this confirmation, but it should normally arrive within a few minutes. In case of any issues with the submission, the form should return an error.\n\nApart from the email confirmation, you can also verify your report submission and check its status on the C4 Contest page. Here, you can view your submitted findings under the \"Findings\" tab. \n\nIf you wish to edit your submissions, you can easily do so by navigating to the contest page and clicking on the \"Your Findings\" button. This should let you make any modifications to your previously submitted reports. 
\n\nRemember, feedback for your findings can also be found on the contest page. And after the report is published and the findings repo is made public, all submissions for a contest can be reviewed by the community.\n\nIn the unlikely event that you don't receive an email confirmation or encounter any issues with your submission, please don't hesitate to reach out to us.", "Question: How does the reporting and judging of gas optimizations work in a CodeArena contest, and can one report gas optimizations for a project like Escher even before the contest ends?\n\nAnswer: Yes, users can report gas optimizations during a CodeArena contest, even before it ends. Each user can submit one report per contest, but they can add more findings to their report by visiting the respective contest page and clicking the 'Your Findings' button. If a Gas Optimization report has already been submitted, attempting to submit another one may result in an error message. \n\nGas optimization findings are eligible for the contest and awarded from a separate pool specified on the C4 website and each contest's page. The detail required for these reports is not as comprehensive as for high severity issues, and examples can be found at [https://code4rena.com/reports](https://code4rena.com/reports). The amount of gas saved from the optimized code can be mentioned in the report, and providing proof of the gas saved may improve the grade of the submission. \n\nHowever, understand that not all gas optimizations are valid, particularly when the optimizer is enabled. Participants can ask for clarification on gas optimization on the Discord chatroom or the contest page. \n\nThere is a point of confusion about the visibility of gas optimization issues of a project like Escher before the contest ends. Automated reports are sometimes uploaded after the contest starts, which might be the reason for the visibility of such issues. 
To verify, you can refer to the post in the contest channel here: [https://discord.com/channels/810916927919620096/1049333479105630258/1049811704818716693](https://discord.com/channels/810916927919620096/1049333479105630258/1049811704818716693). \n\nLastly, upon contest completion, approved findings and gas optimizations can be found in the GitHub link provided. The rewards distribution is decided based on the entry's quality, and for reference, you can use this spreadsheet: [https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0](https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0).", "Q: What is the process for submitting a proof of concept (PoC) when reporting a finding in CodeArena, and can I use a Gist file if I have a large amount of data or an image?\n\nA: Yes, you can definitely use a Gist file for submitting a proof of concept in the case of a finding that requires a large amount of data. While submitting a finding, fill the Proof of Concept section by providing direct links to all referenced code in GitHub. If you have images, logs, or other relevant proof that illustrates the concept, you may also include these.\n\nIf your PoC is too large to be embedded directly in the issue, you can provide a link to an external platform like Gist, as this method is known and frequently implemented by many wardens. You can even link a private GitHub repository in the Proof of Concept section if you do not wish to make the repository public due to the risk of exposing vulnerabilities.\n\nFor a comprehensive guide on how to include a Proof of Concept, you can refer to our official documentation at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept. \n\nRemember, while submitting an issue, it is beneficial to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid. 
If you cannot provide a PoC for a medium severity bug, it may cause your finding to be disregarded unless the bug is extremely obvious. \n\nOn top of this, you can also upload images to your report submissions by uploading it to your Gist, submitting the report with the gist link, and later deleting your gist. Images can be included as part of the Proof of Concept (POC) by linking them externally.\n\nTherefore, to ensure your finding is valid and taken into consideration, provide as much as detail as possible in your PoC, be it in code or plain English, along with any images or large amounts of data that may be required.", "Question: I submitted my findings for a contest on CodeArena, but the findings section for that contest is empty. Where can I find my submissions and can I edit them?\n\nAnswer: When you submit findings for a contest on CodeArena, you should receive a confirmation via email. Your submissions can be viewed and edited on the contest page under the \"Findings\" tab by clicking on the 'Your Findings' button. However, note that your findings remain private and will not appear in the general \"Findings\" section until the final report for the contest is published. \n\nIt is important to keep in mind that not all submissions/findings may make it to the final report, and the reason might not be immediately clear. If you're unsure, you will need to wait until the reports are published to check, which can take at least a month. Meanwhile, specific findings should not be discussed until the final report has been published.\n\nAfter the contest ends, sponsors gain access to the findings repo, but participants cannot see the status of their submissions while the contest is in the judging process. The status and all submissions for a contest can be seen after the report is published and the findings repo is made public. 
Also, any findings not submitted before the end of the contest will not be eligible.\n\nRemember, if you need to retract a submission, you can do so on the contest page under the 'Findings' tab, and submissions can be updated via the 'Your Findings' button.\n\nFor each contest, the Readme Page also has a section titled \"Known Findings\" where automated findings not accepted in the contests are listed. This could help you understand the evaluation criteria better for future contests. \n\nPlease remember to follow the submission rules and not make findings public until the contest has been finalised. If you have further queries, feel free to reach out in our Discord chatroom.", "Question: \nIn Solidity, what does the line \"Sale public sale\" signify and how does it relate to the visibility and naming of struct Sale?\n\nAnswer: \nThe line \"Sale public sale\" in Solidity denotes the declaration of a public state variable of the type 'Sale' named 'sale'. Here, 'Sale' is a struct and 'sale' is the instance of that struct. When a state variable is declared as 'public', Solidity automatically generates a getter function for it. This means you don't need to manually create a view function to access the value of this variable. This is similar to how a view function is automatically generated for the line \"uint256 public some_variable_name_here\". \n\nThe term 'public' here refers to the visibility scope of the variable, not to be confused with the public or private nature of a contract or audit. It's also important to note that 'Sale' (with a capital 'S') is the struct, while 'sale' is the instance of that struct. 
They are not the same thing, and the naming of the instance does not change the name of the struct itself.\n\nFor more information about state variable visibility in Solidity, you can refer to the official documentation here: https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility.", "Question: What tools are commonly used for auditing in CodeArena's audit contests, and how has the usage of fuzzing tools like Echidna changed with the recent Solidity updates?\n\nAnswer: Audit contests in CodeArena encourage the use of a variety of tools to identify vulnerabilities and bugs in smart contracts. Until the introduction of Solidity 8.0, fuzzing tools like Echidna were frequently used by auditors due to their effectiveness. However, since the Solidity 0.8 update, which implemented an overflow/underflow check at the language level, the use of these tools has somewhat decreased. This change in the language level adds a validation to the bytecode during compilation and reduces the need for other external validation tools. \n\nApart from Echidna, auditors also often resort to other tools like Hardhat, Truffle, Foundry, and Slither, a static analysis tool for smart contracts. The choice of tool largely depends on the auditor's preference and the specific needs of the audit. \n\nCodeArena also uses an automated tool called C4audit for generating preliminary findings in each contest. However, results from this tool are ineligible for rewards, as detailed on CodeArena's submission policy page (https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible). This is to encourage auditors to find unique vulnerabilities that automated tools might miss. \n\nAs a newcomer to auditing or if you're interested in improving your skills, past contest reports and the findings therein can be a great place to start learning about common vulnerabilities and the most effective tools to identify them. 
You can find these reports on the CodeArena platform. \n\nPlease note that while CodeArena is primarily focused on smart contract audits, there have been discussions around the potential inclusion of website and other infrastructure pentesting audits in the crypto space.", "Question: How am I notified if a judge or sponsor comments on my submission, and how can I interact with them for feedback or queries?\n\nAnswer: Whenever a judge or sponsor comments on your submission, you can view these comments by checking the issue for the finding you sent on Github. You can locate the Github repository by navigating through the report on our website. You should search for your specific submissions to find related comments. \n\nPlease note that it's generally not possible to contact judges directly before the judging process is completed, as this could potentially influence their impartiality. However, once the report is out and the repository is fully opened, you can review the discussions among sponsors and judges on the specific issue. This can provide valuable insight into why your submission was not accepted if it wasn't rewarded.\n\nIn some cases, you may notice labels like \"sponsor-disputed\" on an issue without any explanation. You can check for duplicates and ask the judge for clarification after the judging process. \n\nIn the event that your submission is marked as invalid, you can ask judges for feedback about the issue to better understand the reasoning behind the ruling and constructive ways to improve future submissions.\n\nAdditionally, judges might update the severity of issues post-submission, which you can track as well. 
The severity and validity of your findings can be justified by citing similar findings from other contests.\n\nAlso, there are plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging, which would further facilitate interactivity and feedback.\n\nRemember, always make a strong case for your submission, especially if you believe a high risk finding should be considered. Judges and sponsors appreciate well-constructed and grouped submission issues.\n\nYou can find more information and review past contest interactions at [Code4Arena's contest page](https://code4rena.com/contests/2023-03-asymmetry-contest).\n\nFor any further queries or uncertainties, you may raise them in our Discord chatroom for assistance.", "Question: What are the qualifications and process to obtain a certified role and a backstage role at CodeArena?\n\nAnswer: Both certified and backstage roles at CodeArena undergo a Know Your Customer (KYC) process. A certified contributor is someone who has completed this process and can participate in private contests. If you are interested in obtaining a certified role, you can follow the process detailed at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.\n\nOn the other hand, the backstage role, in addition to requiring certified status, also has minimum requirements of submissions for contest participation. This role allows access to the contest repository after the contest closes and before the public report release. The backstage role qualifications include having a certain number of findings across different areas or scores. Typically, these include at least three medium findings and four total findings. 
Once you meet these criteria and the contest results are published to the leaderboard, you can apply for backstage access.\n\nTo apply for a backstage role, you will need to submit a help desk request to evaluate your status. You can find the specific requirements and the process to request backstage access at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. After identifying your first high vulnerability, you can achieve the backstage role. To view reports of past contests, you would need the backstage role. \n\nFor further clarification or assistance, you can reach out via the help desk request page at https://code4rena.com/help.", "Question: What happens if the findings section for a particular contest is empty and how can I manage and view my findings and others' findings in a contest?\n\nAnswer: An empty findings section for a contest doesn't necessarily indicate a problem. The findings of a contest remain private until the report for that contest is published. You may see 'No findings submitted for this contest' despite having submitted your findings due to potential system issues, such as those experienced in the Escher contest. \n\nAs a participant, you can manage and view your findings through the \"findings\" tab next to the contest description and make modifications via the \"your findings\" button on the contest page. If you've submitted findings, but they aren't included in the final report, it's possible that your submission was disqualified or not accepted. If your name doesn't appear in the report, it may slightly impact your leaderboard ranking but won't affect future submissions. \n\nFor each contest, the Readme Page has a \"Known Findings\" section where automated findings not accepted in the contests are listed. If the finding you've submitted is already listed in this section, it will likely be disqualified. 
It's important to note that any findings not submitted before the end of the contest will not be considered eligible.\n\nAfter a contest is closed, there is a period of time before the findings repo becomes publicly available for discussions. Currently, the findings of a contest cannot be viewed after it finishes but before the results are published. This could lead to queries regarding visibility if there is no table with results. The good news is that the platform allows viewing reports from other wardens even after contests have ended. \n\nIf no issues are found in a contest, users are often curious about the sponsor reward pot. While it hasn't happened yet, there's a possibility that a contest could run with zero valid submissions. The specifics of how the reward pot is handled in such a case are not clear.\n\nWe recommend participants to raise a help request if they encounter any issues in viewing or managing their submissions. After a contest ends, the findings are reviewed by sponsors and then proceed to judging. The duration of this period is not defined. To check why your findings were not included in the report, you need to wait until the reports are published, which usually takes at least a month.", "Question: Can the communication between the judge, sponsor, and warden be accessed before the report is published?\n\nAnswer: Typically, the process at CodeArena is designed to maintain privacy and confidentiality during the judging phase. The communication between the judge, sponsor, and warden is not generally accessible before the report is published. The findings during a contest remain private until the report is published according to the professional conduct guidelines for certified wardens [https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines].\n\nHowever, there are certain scenarios where specific individuals have access. 
Wardens can see the judging results before they are published, and can raise any issues to the judge for reconsideration. Only the sponsor, not the judges, see the findings early. Certified+ wardens also have the privilege of viewing the findings repo immediately after a contest ends.\n\nBackstage access, open to certified wardens with an established level of contribution, allows users to observe the report submission and triage process and also to speak with the judge to re-evaluate a finding and comment on it. However, backstage wardens providing comments at the pre-judging stage is no longer a continuous practice.\n\nIt's also important to note that it\u2019s not possible to contact the judge of a contest ahead of time as their identity remains undisclosed by design. The findings are sealed to other wardens but in order to facilitate the judging process, they have to be visible to CodeArena staff, sponsors, and the judging team.\n\nOnce the final contest report is published, all findings reports become public. Participants can view their submissions and the reasons for their rejection once the report is published and the findings repo is made public. New participants are also encouraged to look at the findings of other wardens once the findings repository becomes public.", "Question: How do the judges at CodeArena determine which reports get featured in the client report?\n\nAnswer: At CodeArena, judges have a multifaceted process to determine which reports get featured in the client report. Firstly, the formatting of the report can influence its evaluation, with judges preferring more detailed reports over one-line summaries. The judges assess the severity, validity, and quality of the reported issues. While the judges have the discretion to alter the severity levels of the issues, it's important to note that the order of the reported issues is not necessarily in accordance with the time of submission. 
Instead, the primary issue is selected based on the quality of the write-up, a practice implemented to encourage high-quality submissions.\n\nOnce a contest ends, reports are immediately reviewed and triaged by the judges. It then awaits sponsor review, final judging, and quality assurance before being made public. Judges have the ability to downgrade or upgrade items in the report, depending on if they feel the severity should be higher or lower, respectively. \n\nAdding to this, a relative scoring system is used where reports are graded based on their score compared to other reports. This ensures a fair and competitive environment for all participants. The decision on how to reward severity escalations in a contest report is also at the discretion of the judge. \n\nFor more detailed information about judging criteria and the contest process, the following links are recommended: \n1. [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n2. [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n\nLastly, participants can view their submissions and the reasons for their rejection once the report is published. This transparency allows participants to learn and improve their submissions for future contests.", "Q: What are the best practices for immutable state variables in smart contracts, including their declaration, gas costs, and the use of underlines?\n\nA: Immutable state variables in smart contracts can be declared in several ways, such as \"address public immutable i_owner;\", \"address public immutable _owner;\", or \"address public immutable owner;\". 
The use of an underscore is more common for private variables, but consistency is more important than convention, so choose the method that aligns with your coding style. \n\nImmutable state variables are read-only, so they're different from constants, which are calculated and filled in at compile time. It was once true that immutable cost less gas than constants, but as of July 2020, this is no longer the case according to a Twitter discussion by @GalloDaSballo [https://twitter.com/GalloDaSballo/status/1476925462010122245]. For a detailed comparison of gas cost for constant and immutable, you can refer to this discussion on Ethereum StackExchange [https://ethereum.stackexchange.com/questions/118547/is-the-gas-cost-for-constant-and-immutable-about-equal].\n\nIn terms of how immutable state variables are used within the code, functions are automatically generated for public storage variables, constants, and immutables which aren't stored in storage. More information about state variable visibility can be found at the Solidity documentation [https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility]. Additionally, Solidity stores state variables in 32 bytes storage slots, and multiple variables can potentially be packed into a single slot if they are declared next to each other, which can reduce gas costs [https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html]. \n\nIn regards to severity related to state variable changes, it is context-dependent. For example, constraints on admin 'setter' functions for state variables can be considered a low or medium finding, depending on the specific circumstances of the smart contract. \n\nFinally, while not directly related to immutable state variables, it's worth noting that there's an ongoing discussion about the use of underlines in internal functions and function parameters as well. 
This practice is also a matter of personal preference and consistency in your coding style.", "Q: If I discover an attack path that can cause a Medium or High impact in a contract during a contest, can I submit this finding, even if it stems from an automated tool? \n\nA: Yes, you can submit such findings. CodeArena recognises the value of these discoveries, whether they originate from automated tools or personal expertise. However, be aware that findings from automated tools carry a higher burden of proof. In these cases, you need to provide strong evidence that demonstrates a relevant High or Medium severity exploit path. This is to ensure your submission is considered satisfactory. \n\nThis burden of proof is particularly vital if a low severity issue flagged in a contest's bot report is escalated to a high severity. Such an escalation is not automatically invalid, but you need to convincingly establish the exploit's path and potential damage. Similarly, if you find a vulnerability in an out-of-scope contract, you can include it in the C4 report as an unrewarded finding or directly inform the project.\n\nThe severity of a finding is typically gauged based on experience, the balance of consequence and likelihood, and specifics such as attack difficulty, market conditions, and user unawareness. High severity consequences generally involve a substantial loss of funds or other severe impacts, without many pre-conditions. Medium severity consequences are usually less impactful and have specific preconditions.\n\nWhen submitting a Medium or High finding, you should provide each as a separate report. If you find a bug that's of medium severity and impacts gas, you can submit it in both medium and gas findings. 
Furthermore, if an issue identified in an automated finding can potentially lead to a high severity finding, it's suggested that it could be reported again during the contest by a warden and awarded with a higher severity.\n\nRemember that you can submit a medium/high report without suggested mitigation steps, but you need to explain why it cannot be feasibly mitigated. Also, note that, if no Medium/High vulnerabilities are found, the remaining contest funds will be divided based on the Quality Assurance (QA) Report curve. \n\nFor further clarification and additional information, please refer to the following [link](https://github.com/code-423n4/org/discussions/50) and [this document](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).", "Question: What should I do if I realize I've submitted a finding that is a false positive? Can I retract it, edit it, or notify the judges? \n\nAnswer: If you realize something is a false positive after submission, you have several options. \n\n1. **Retraction**: You can retract the submission by going to the contest page, clicking the \"Findings\" tab, and then selecting the \"Your Findings\" section. From there, you can withdraw your finding. \n\n2. **Editing**: It's also possible to edit your submitted security findings. If you uncover another error after submitting once, or if you realize you've proposed an incorrect solution to a valid bug, you can return to the 'Findings' tab on the contest page and adjust your submission accordingly. \n\n3. **Communication with Judges**: While there seems to be some uncertainty about direct contact with judges, you can certainly make a case to the judge in your submission if you believe a high-risk finding should be considered. If a submitted finding is marked as invalid, you will receive feedback from a judge. If there are concerns about your submission, you are advised to create a help desk request to withdraw the invalid submission. 
\n\nPlease note that there are no negative consequences for accidentally reporting something that turns out not to be an issue. However, it is recommended to withdraw such reports to save the judges' time. \n\nRemember that this process allows for a fair evaluation of all submissions. When issues are disputed or there are queries about contest outcomes, participants can discuss or argue their case, either by monitoring the backstage channel for the post-judging stage or by flagging overlooked issues to the judge and sponsor. \n\nFor more details and discussions, please refer to this forum post: [Certified Wardens Rulebook Scout Role, Contest QA, and Mitigation Review Services](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123).", "Question: How can I understand the reasons behind the rejection of my findings in a smart contract audit contest?\n\nAnswer: Once a smart contract audit contest ends, the report is published and the findings repository is made public. You can view your submissions and the reasons for their rejection in this repository. This process allows participants to understand why a certain finding was not accepted and improve future submissions. \n\nIf you made a submission for a contest but did not make the award list, it is likely that your findings were rejected. In this case, you can confirm this by reviewing the available report. \n\nIn addition, there is a process for participants to discuss or argue their case if their submission is rejected. Participants will receive feedback from a judge if a submitted finding is marked as invalid. This feedback will provide insight into why the finding was rejected.\n\nRemember, not all reports or findings are guaranteed a reward. Reports are graded and must meet quality standards to be considered valid and satisfactory. Incorrect submissions are usually labelled as \"unsatisfactory\". 
Therefore, it's important to ensure the quality of your findings before submitting them. \n\nAlso, the inclusion of high-risk findings depends on the specific contest and the judge. If you believe a high-risk finding should be considered, make sure to make a strong case in your submission.\n\nLastly, if you realize something is a false positive after a submission, you can retract the submission by going to the contest page and clicking the findings tab. \n\nKeep in mind, the evaluation of QA reports is based on both the quantity and quality of findings. So it's important to provide an accurate and detailed report to increase the chances of your findings being accepted.", "Question: How does CodeArena utilize automation in the auditing process, and how does this impact the role of auditors and the reporting of findings?\n\nAnswer: CodeArena, like many top auditing companies, utilizes automation to identify potential issues in a smart contract's codebase. This is done by running a tool that generates automated findings for each contest, referred to as the \"C4audit output\". The tool currently in use can be found at https://github.com/Picodes/4naly3er. However, it's important to note that automated findings are ineligible for rewards, as detailed at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible.\n\nArtificial Intelligence (AI) is becoming increasingly important in this process, with the possibility of findings being generated by AI entities like ChatGPT. Auditors often review these automated findings and flag them with /// @audit as they read through the codebase. They then return to these issues and provide detailed reports, potentially including solutions or mitigations, in their final audit.\n\nWhile some users have questioned the impact of automated findings on the contest and the reporting of bugs introduced through mitigation efforts, there is no clear answer to this yet. 
Some auditors choose to consolidate all non-critical findings into one QA report, while others create a separate report for each finding. This depends on the auditors' discretion and the nature of the findings.\n\nDespite the assistance of automation, human auditors play a crucial role, particularly in understanding how an issue could be exploited -- an element not fully covered by automated processes. For instance, some audits require the expertise of professional mathematicians, indicating that special math or financial math topics are crucial in the audit process. \n\nFinally, there have been discussions about the possibility of consolidating previous audit reports and detected vulnerabilities into a database for future reference. This demonstrates the ongoing evolution and improvement of the auditing process.", "Question: Can someone elaborate on the principle \"INTERNAL FUNCTIONS ONLY CALLED ONCE CAN BE INLINED TO SAVE GAS\" in the context of smart contracts gas optimization?\n\nAnswer: The concept of inlining internal functions to save gas in smart contracts refers to a method where you take the code from one function and include it (or 'inline' it) directly within another function to cut down the gas cost associated with function calls. \n\nFor instance, assume function A calls an internal function B. Function A uses a hypothetical 100 gas and an additional 10 gas for the function call to B, whilst function B uses 20 gas. Every time function A is called, the total gas used would be 130 (100 + 10 + 20). In case function B is only ever used in function A, you can inline function B's code into function A. By doing this, you eliminate the 10 gas function call, leading to a reduction in the gas used per call to function A to 120. \n\nHowever, not all gas optimizations are valid in all situations. For example, when the optimizer is enabled, some optimizations might not apply. Also, gas optimizations should be sought only in the contracts. 
Further gas optimization can also be achieved by other means. An example of this is reducing gas costs by packing variables into fewer slots, explained in detail [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).\n\nIt's also worth noting that gas optimization findings that can be applied in more than one line of code should be submitted as one finding mentioning all lines where it can be applied. For loop initialization to 0 in Solidity can also lead to gas savings; for instance, there's a significant gas saving difference between using 'for (uint256 i = 0; i < 1000; i++)' and 'for (uint256 i = 0; i < 1000; ++i)'. \n\nFor further reading and examples on gas optimizations, you can refer to this [CodeArena report](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations). \n\nRemember, gas optimization in smart contracts is a complex topic that many may misunderstand. Thus, participants can ask for clarification on this topic.", "Question: How long does it take to create and approve a team after sending a request, and what should we do if we encounter any issues?\n\nAnswer: The process of creating and approving a team for CodeArena contests typically takes up to a few business days. Should you encounter any issues, such as adding new members to your team, or if you see a blank page opening when selecting members, you should submit a help desk request. The help desk reviews requests within 1-2 business days, but in some cases, it may take up to a week for your request to be reviewed. You can follow up on the status of your help desk request as well. Remember that changes to teams, including the removal or addition of members, are possible, and these changes can be requested through the help desk. You can create a team here: https://code4rena.com/register-team and if you need to open a help desk request, you can do so here: https://code4rena.com/help. 
Please note that certain processes within CodeArena, such as becoming a certified warden after sending a request, may require an estimated wait time of 2 business days.", "Question: How are the findings calculated in CodeArena and how does this impact rewards, particularly in regards to 'Solo' and 'Total' findings?\n\nAnswer: In CodeArena, 'Total' refers to the sum of all valid findings, across all severity levels, made by a specific individual or team in a contest. On the other hand, 'Solo' is used to denote the findings that were identified exclusively by a single warden, with no duplicates found by others. \n\nThese classifications play a crucial role in determining the rewards. For instance, a solo finding, which is one without duplicates, guarantees the entirety of the share for that particular finding. There may also be an added bonus of up to 30% for solo findings which amplifies the share to 1.3. \n\nThe rewarding formula also takes into account the severity of the findings and the occurrence of partial credits. For example, if two similar reports are submitted and one is marked as a duplicate, it could potentially influence the payout.\n\nIf you're part of a team but wish to make solo submissions, the platform allows for it. You can choose whether you're submitting your findings as an individual or as a team member via the submission form.\n\nQueries about the criteria for a report to be selected in a contest, how to know the reasons for findings rejection, and how to view others' findings after a contest concludes are common. An example spreadsheet is shared here for reference: https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0\n\nIn cases where you're unclear about submitting findings as separate issues or as one, it's best to seek clarifications.\n\nIt's important to note that the rewarding formula may vary for specific contests such as the mitigation contest or those involving gas optimizations. 
\n\nAlso, queries exist about whether judge payment and lookout/scout payment are included in leaderboard ranking calculations or the average payout for gas optimizations, non critical findings and low risk findings.\n\nPlease always ensure to check the specific guidelines and rules for each contest to understand the rewarding formula and how findings are calculated and evaluated.", "Question: How does CodeArena run its smart contract auditing contests?\n\nAnswer: CodeArena runs regular smart contract auditing contests, with new contests expected each week and month. The duration of these contests can vary, with some lasting up to 13 days. Each contest may have its unique scope, and specific queries about a contest's scope can be addressed to the respective sponsor. Some contests might even include web applications in their scope. \n\nAuditing contests require registration using a single wallet. There's a participation reward for a formal verification contest. The reward distribution can vary in each contest, for instance, there were questions about how the reward is divided in a contest where only one high and one medium issue are found. It is unclear if more than one high/medium bug report can be submitted per contest. \n\nContests can be public or private. Private contests are mentioned sometimes and participation in them depends on certain metrics or prerequisites. Possessing a certified status grants access to more contests, but certified contributors are not obligated to apply to every contest. For certain types of contests, like a versus contest, one needs to be certified.\n\nContests also have a 'judging pot', but the specifics of the judging process are ongoing and judges for a contest are not known ahead of time. For instance, the judging for the Trader Joe contest was a process. A solo finding in a contest means that only one warden found the issue. 
\n\nSubmissions are an essential part of these contests and a new submission mechanism is slated for implementation in upcoming contests. There were queries about whether citing similar findings from other contests is allowed to justify severity and validity within submissions. There are also inquiries about viewing all submissions after a contest.\n\nEach contest is unique and has its challenges, as was the case with a recent contest that was complex for the judges. The company makes announcements about specific contests such as the Stader Labs contest. If there are questions about a particular contest, like the 'steakhouse contest', it is advisable to read the relevant posts for more information. Contest-specific information, like the number of participants in a contest or the results of a specific contest like BASE, is also shared from time to time. \n\nFor more details on the contests, you can stay updated with the company's posts and announcements on the Discord chatroom.", "Question: How does CodeArena determine the reward distribution for audits, especially when there are gas optimizations, duplicates, and varying severity of findings involved?\n\nAnswer: CodeArena has a comprehensive system in place to calculate and distribute rewards for audits. The grading and sharing system for quality assurance (QA) and gas reports are divided into Grade A, B, C. Grade A reports, which are of the highest quality, count as 2 shares, while Grade B counts as one. The best report is also entitled to a 30% bonus. \n\nWhen it comes to gas optimizations, it's essential to note that not all gas optimizations are valid when the optimizer is enabled. There can be some confusion about what should be reported, but in general, all valid findings are weighted the same. Additionally, the gas optimizations are awarded from a separate award pool specified on the C4 website and each contest's page. 
Providing proof of how much gas the refactoring saves can also affect the grade of the submission. \n\nIn cases where multiple people identify a gas optimization, the reward split can be calculated using a formula present at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. This is also the same formula used to calculate the reward for high and medium-risk bugs. \n\nFor the classification of findings, they are generally categorized as High, Medium, or QA based on the severity of loss caused by the issue. If all rewards can be lost, it's considered HIGH. If there's a risk of losing some rewards, it's probably medium. If rewards are lost due to roundings (a negligible amount of rewards), it's probably QA. \n\nDuplicates are also taken into account in reward distribution. For example, in a contest named \"Redacted Cartel\", gas reports G-04, G-05, G-06, G-07, G-08 were rewarded as duplicates, significantly reducing their value for each warden. Similarly, for QA reports, there were a set of 9 duplicates which also reduced the value for wardens. \n\nFor any further questions or confusion, participants are always welcome to ask for clarification on gas optimization or any other aspect related to audits. It should be noted that for gas and low/quality assurance, one issue and send all is sufficient; for medium and high risks, one issue for each finding is required. \n\nWe understand that this complex reward system might be confusing, but it is designed to ensure fairness and provide incentives for everyone involved in the audit.", "Question: What is the significance of \"Solo\" in the context of findings in a CodeArena contest and how does it apply to both individual participants and team members?\n\nAnswer: The term \"Solo\" in a CodeArena contest signifies that a particular finding was discovered solely by one warden or auditor, with no duplicates from other participants. 
This means that the issue was unique to their submission and not found by any other participant, be it an individual or a team. Participants have the option to submit their findings as solo findings, even if they are a part of a team. The submission form for each contest on our website allows participants to indicate whether they're submitting as an individual or as a team member. \n\nSolo findings, when accepted, secure the entire share of the reward for that finding since there are no other contributors. It's important to note that findings should not be discussed publicly until the contest is finalized and the report has been published to ensure that any solo findings remain unique. Participants can manage their solo findings under the 'Your Findings' section on the contest page where they can also edit their submissions if required. \n\nHowever, it should be mentioned that solo findings concern only one contest at a time. Citing similar findings from other contests to justify the severity and validity of a submission is allowed, but judges will consider the entire context when evaluating. Please remember that any findings, solo or otherwise, that are not submitted before the end of the contest will not be eligible for consideration. \n\nFinally, it's important to note that findings from contests, including solo findings, are reviewed by sponsors soon after the contest ends and then they proceed to judging. The entire review process includes sponsor review, judge review, sponsor confirmation, judge's final report, and announcement of the results. All findings, solo or otherwise, remain sealed until the competition is over. The results, including solo findings, are published in the section where Contests are posted on our website.", "Question: Can I change my handle on CodeArena without losing my leaderboard standings and submissions? 
How can I do this?\n\nAnswer: Currently, it is possible to change your handle on CodeArena, but it requires you to create a new registration or Discord handle. However, it's important to note that your leaderboard standings and any findings submitted under your old handle or username will not be transferred to your new account. This means you would essentially be starting over with your new handle in terms of leaderboard status. If you were to change your handle, your old and new handles might both appear on the leaderboard if you had previously made submissions or had leaderboard standing. Despite changing your handle, you can still reapply for certified status. \n\nIf there's a need to change anything related to your username in the leaderboard or contest results, you can submit a help desk request at [https://code4rena.com/help](https://code4rena.com/help). For example, to change a logo on the leaderboard, a helpdesk request with a link to the new logo needs to be submitted. \n\nHowever, changing your handle itself is not currently advised as it may cause issues with past or ongoing contests. Also, there are questions and concerns about the possibility of registering another account with the same email or Github address after changing a nickname. \n\nPlease follow the official announcements as a new submission mechanism is being planned for upcoming contests, which might affect this process. If you can, it might be a good idea to hold off on changing your handle until this new system is implemented.", "Question: Can I change my handle and wallet address on my Code4rena (C4) account?\n\nAnswer: Yes, it is possible to change both your handle and wallet address on your C4 account, but the process differs for each.\n\nFor changing your handle (username), you can create a help desk request, as you can for changing your Twitter username on C4. 
However, please note that leaderboard standings and submissions under the previous handle are not transferable to the new account. Therefore, changing the handle itself is currently not advised as it may cause issues with past or ongoing contests.\n\nAs for changing the wallet address associated with your account, you can follow the instructions provided at this link: [https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with). If your wallet is hacked and you change your payment address, you can create a help desk request if you logged in via the same wallet.\n\nIf you're looking to change your wallet address where you receive awards, more information about this can be found at this link: [https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards). \n\nPlease remember, current limitations mean that you cannot change your login wallet address, but if you use Metamask, you can link multiple addresses. More information can be found here: [https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with). \n\nLastly, any issues with logging into your C4 account can be addressed in the #auth-help channel on Discord.", "Question: How and when will I know if my finding has been accepted in a CodeArena contest?\n\nAnswer: The final acceptance of findings from a contest begins with a review process that starts immediately after the contest ends. This process includes a review by the sponsor, a review by the judge, a confirmation by the sponsor, the judge's final verdict, and finally, the announcement of the results. 
\n\nYou will be able to know if your findings have been accepted once the final report has been made public. This report will include both the Judge and Sponsor feedback on your submissions. To view this, you can check the 'Findings' tab on the respective C4 Contest page where you submitted your findings. \n\nPlease note that while findings get reviewed immediately after the contest ends, they are not made publicly available until the sponsor review and final judging have taken place. The specific duration before the findings become publicly available for discussion is not explicitly mentioned but it usually takes at least a month after the contest ends. \n\nProjects sponsors do not have access to the findings repo until the contest ends. But certified+ wardens get access to the findings repo immediately after a contest ends. After a contest is closed, those with the \"backstage\" role also get access to findings to help with triaging. \n\nIt is important to remember to submit your findings before the contest ends, as any findings that are not submitted before the contest's closing will not be eligible. You can edit your findings until the contest closes. Once submitted, you should expect a confirmation via email. Also, you can withdraw your findings under \"your findings\" on the contest page if needed. \n\nFor any further queries about whether your findings were accepted or rejected and why, or how to view others' findings after a contest finishes, you will need to wait until the reports are published. Until then, you can check /reports on our site to see what a high quality submission looks like. 
\n\nPlease note that findings submitted for contests may not always make it to the final report, and the reason might not be immediately known.", "Question: Can participants communicate with sponsors during the ongoing contest to discuss potential issues or concerns?\n\nAnswer: Yes, participants are allowed and even encouraged to discuss potential issues and concerns with the contest sponsors while the contest is ongoing. Each contest has a dedicated channel where general questions can be asked. In these channels, members of the sponsor team are tagged and available for question and discussion through direct messaging. This open communication allows for clarification on the scope of the contest and potential submissions. \n\nHowever, there are some guidelines and restrictions to keep in mind. It is suggested that specific potential submissions should not be discussed in the contest channel to prevent revealing potential findings to others. It's also important to remember that discussions about findings are not allowed just after a contest has ended to give sponsors adequate time to address the issues. Once a contest is completed, specific findings should be withheld until the official report for the contest is published. \n\nIf there is a disagreement about the scope of an issue, it is still recommended to report it. Contests are an opportunity to flag overlooked issues to judges and sponsors. Participants are advised to disclose any vulnerabilities they find directly to sponsors, but they also need to submit these via the contest submission form to be eligible for awards. \n\nKeep in mind that trust in the sponsors is vital, and open discussions about potential conflict of interest scenarios are encouraged. CodeArena encourages participants to reach out to the sponsor team during a contest if they think they've found something and want to ask questions. This also includes any concerns about the progress and schedule of final reports. 
Once the contest payouts have been sent, while the outcomes cannot be changed, any overlooked issues can be flagged to the judge and sponsor. \n\nFinally, it's worth noting that sponsors also play a part in contest delays, and they do not have access to the findings repo before the contest ends. They are given access to the findings repo either after the contest is over or one week after with triaged and deduped issues.", "Question: I'm having problems signing in to my account on Code4rena, I'm not getting a password reset email even though I've clicked on \"forgot password\". Can you help?\n\nAnswer: Yes, there are known issues with password resetting function for some users on Code4rena. When you first signed up, you were asked for a 16-digit password, but while resetting it, this condition may not apply. Furthermore, some users have reported not receiving password reset emails. \n\nIf you are logged in but the interface is not changing, or if you're encountering difficulties accessing the site altogether, it could be due to several issues. Make sure you're using the correct wallet or email associated with your account. If you believe your account has been compromised or if you're having trouble changing your wallet address, you should submit a help desk request with details and a mycrypto.com signed message. \n\nIf the issue continues, please open a help desk request detailing your issue at https://code4rena.com/help. Include your username, and any error messages you're seeing, and let us know what browser you're using. Our team will get back to you as soon as possible to resolve the issue and ensure you regain access to your Code4rena account.", "Q: I clicked on \"Forget password\" but I am not receiving a link to reset the password in my email. What should I do?\n\nA: There have been similar issues reported with our password reset function. If you are not receiving an email, there are several steps you can follow:\n\n1. 
Check your spam folder: Some of our users have reported that emails from us landed in their spam folder instead of the main inbox.\n2. Make sure you're using the correct email or wallet: Login issues may occur if the wrong email or wallet address is used.\n3. Open a help desk request: If you're still having trouble receiving the email, you can open a help desk request on our website [here](https://code4rena.com/help).\n\nRemember, when resetting your password, there is currently no requirement for a 16-digit password like there was at initial sign-up. \n\nPlease note, there is no mail notification for updates on issues, so you may need to check back on the help desk or your email periodically for updates. If your account has been compromised or you wish to change your login address, please submit a help desk request with details and a mycrypto.com signed message, as there's currently no support for changing the login address.\n\nWe appreciate your patience and are actively working to resolve such issues.", "Question: How does an understanding of Ethereum Virtual Machine (EVM) enhance the process of auditing and writing Solidity code?\n\nAnswer: Understanding the Ethereum Virtual Machine (EVM) is crucial in auditing and writing Solidity code. The EVM is the runtime environment for smart contracts in Ethereum. It is completely isolated from the mainnet, which makes the smart contracts safer and secure, preventing external manipulation. \n\nUnderstanding EVM helps auditors to better understand how smart contracts are executed, how gas is used, how storage is handled, and how much transaction cost will be incurred. This knowledge can be useful when trying to optimize gas usage in smart contracts. Resources like EVM.codes (https://www.evm.codes/) can be helpful in understanding opcodes and other EVM concepts.\n\nIn terms of auditing, understanding EVM helps in identifying vulnerabilities in smart contracts. 
Various tools and techniques like loan-to-value calculations, Solidity tests, fuzzing tools, static security testing, and even machine learning-based methods can be utilized. For instance, one idea shared in the chat was about converting a non-image task into an image task by converting a smart contract into respective shapes, training a model based on a dataset of vulnerable and non-vulnerable shapes, and then using that model to predict if a future contract is vulnerable or not. Related resources can be found here: https://github.com/DanielVF/evm-contract-draw.\n\nFuzzing tools were often used for auditing until the release of Solidity 8.0, which implemented an overflow/underflow check at the language level, reducing their usage. However, they might still be useful in some cases.\n\nUnderstanding EVM also enables auditors to leverage tools that can read on-chain storage slot value even private state, such as EVM.storage and Metadock chrome extension from BlockSec.\n\nLastly, understanding EVM and Solidity might be useful when participating in smart contract auditing competitions, especially if the competitions are on an EVM compatible chain and contracts are in Solidity.\n\nAs a beginner in the space of smart contract auditing, there are resources available to start learning, such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources. Some users have also found the #\ud83c\udfebeducation channel helpful for learning more about smart contract auditing.", "Question: What are the guidelines for submitting a Proof of Concept (PoC) on CodeArena, and can I link a GitHub repository for this?\n\nAnswer: Yes, you can link your GitHub repositories as proof of concept in your finding submissions on CodeArena. 
Participants often fill the Proof of Concept section when submitting a finding by providing direct links to all referenced code in GitHub and adding screenshots, logs, or any other relevant proof that illustrates the concept. \n\nIf the proof you're providing is long, you can either include it directly in the report under 'Proof of concept', or link to it on a private Github repo or external platforms such as Gist. When submitting a finding with a proof of concept, consider using a Gist file if the repository cannot be public due to the risk of exposing vulnerabilities. You can find more information on this at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.\n\nMoreover, if you have code that runs a proof of concept for each bug, you may consider adding a zip file to your submission or sharing a private Github repository. Examples of how to present a PoC can be found on the CodeArena's Github repository (https://github.com/code-423n4/2022-12-caviar-findings/issues/376). \n\nRemember, while submitting an issue for any contest, it is beneficial to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid. Proof of competency in this space can also be demonstrated through Github profiles. \n\nFor more guidelines on sharing vulnerability discovery PoCs, you can visit this link: https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc. Lastly, all past submissions can be found in any repository ending with '-findings' on the CodeArena GitHub: https://github.com/code-423n4.", "Question: What is the timeline and procedure for receiving contest rewards at CodeArena?\n\nAnswer: Contest rewards at CodeArena are typically distributed once per month, generally at the start of the month. However, the exact timing can vary based on several factors. 
After a contest has finished, the results usually take about 2 months to be announced. The payment of rewards is then typically made between 1-2 weeks after this announcement. \n\nThere may be instances where some rewards are still pending after the contest has finished, but the specific reasons for this are not typically disclosed in our chat. We are constantly working to process and distribute contest rewards as efficiently as possible, and we aim to clear multiple contest rewards by the end of a specified week, including during periods of high activity such as before the Christmas break or when numerous new contests are taking place. \n\nRewards for specific contests, such as the \"stakehouse-nov11\", \"llama-jun06\", or the Enso contest, are announced and distributed individually. You can view past contest awards on our website at https://code4rena.com/contests/2023-01-numoen-contest. \n\nThe reward amounts in contests are provided by the contest sponsor. In addition to the contest rewards, there may be bonus rewards given for the best reports. However, if no high or medium issues are found in a contest, it's unclear what happens to the sponsor reward pot. \n\nWe understand that there is a high interest in contest updates, results, and rewards among our users, and we endeavour to provide this information as promptly and transparently as possible. For the upcoming contests, more information will be shared prior to the contest start. You can keep yourself updated with our upcoming contests at https://code4rena.com/contests/2023-04-party-protocol-versus-contest.", "Q: I received an error message when I submitted my Quality Assurance (QA) report for the first time and after resubmitting, I got a prompt saying \"It looks like you've already submitted a Quality Assurance (QA) report for this contest\". 
How can I confirm if my report has been successfully submitted and can I edit the report if needed?\n\nA: After submitting a QA report, you should receive a confirmation email. If you didn't get this email or aren't sure if your submission was successful, you can check by clicking on View Context > Findings on the contest page. Here, you can view your submitted QA reports for both open and closed contests.\n\nIf you notice another error in your report after submitting, you can edit your submitted QA report by going to the contest page and selecting the \"My findings\" option. Please note you can only submit one QA report per contest, but it's possible to edit this original submission as needed.\n\nYou can also cancel a submitted report and create a new one by withdrawing the findings under \"Your Findings\" on the contest page. If, after submission, you realize something is a false positive, you can retract the submission by going to the contest page, clicking on the \"Findings\" tab, and following the prompts to withdraw your report.\n\nIf you're having trouble with online submission, you can send your QA report via email to report@code4rena.com. If you accidentally submitted your findings to the wrong contest, submit them to the correct contest and fill out a help request form to let us know about the incorrect submissions at https://code4rena.com/help/.\n\nRemember, judges consider both the quantity and quality of submissions when grading QA reports. A single item in a QA submission is unlikely to receive a high grade. 
For further clarification, you can read more about our judging criteria and incentive model here: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nPlease note, it might take some time for a finding's submission to be confirmed via email, and the deadline for editing QA reports is until the audit deadline.", "Question: How am I expected to handle vulnerabilities that involve social engineering while writing a Proof of Concept (PoC) for the CodeArena audit?\n\nAnswer: When dealing with vulnerabilities that involve social engineering, it's crucial to consider attacks on the owner. Keep in mind that having a well-structured Proof of Concept (PoC) can significantly increase the chances of your finding being acknowledged and rewarded. You can write a PoC in any language as long as it effectively demonstrates the vulnerability. It's also acceptable to present your PoC in plain English.\n\nWhile writing a PoC, it's recommended to focus on one specific attack or issue and include a simple to understand specific example. Additionally, featuring the project's code and having a coded test that demonstrates the vulnerability can significantly enhance the quality of your report. The impact section of your submission should clearly explain the vulnerability and its effect on the protocol/code. You can include lines from code/Github or add a test which is written as an exploit in the PoC section. [Instructions on how to include a PoC](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nIf you find a medium-risk or higher vulnerability, it's ideal to include test codes when writing your report. 
If you're unsure of the severity of a vulnerability, it's recommended to continue working on the PoC until its severity becomes clear. The estimation of risk for vulnerabilities is detailed at [Estimating Risk](https://docs.code4rena.com/awarding/judging-criteria#estimating-risk).\n\nRemember, without a PoC, a vulnerability finding could potentially be disregarded unless the issue is extremely obvious. However, a vulnerability without a PoC can also be rewarded if it's well-explained in bullet points.\n\nIf you've written a PoC script for a vulnerability, you simply need to include the link in your submission where relevant. Multiple submissions of the same finding can be acknowledged, though the award value can differ based on the detail and comprehensiveness of the PoC.\n\nBe aware that the severity of vulnerabilities identified by bots may potentially be rated lower than their actual severity. Hence, wardens can report the vulnerability again during the contest, potentially leading to a higher severity award. If you identify a potential vulnerability and have it confirmed by the sponsor, it may still count when submitting it, depending on the judgement.\n\nLastly, for reference, you can review past contest reports to learn about vulnerabilities. All these practices can increase the chances of your report being selected, potentially leading to a bonus.", "Question: What is the process and timeline for getting roles updated on CodeArena after approval from Provenance?\n\nAnswer: After sending your application to Provenance and receiving approval through the Know Your Customer (KYC) process, it typically takes a few days to a week for roles to be updated on CodeArena. Provenance typically responds to submissions within a week, but this may vary. Once Provenance has approved your application, the C4 team will update your certification status within 5 business days. 
\n\nThe initial email from Provenance in the Certified Warden verification process doesn't have a specified timeframe for delivery. However, the process after working with Provenance takes around 1-2 business days. There are instances where the KYC process can take a while, depending on the back and forth between the user and Provenance. It's important to note that it might take 2-3 weeks to receive the KYC email after submitting an application to become a certified warden. \n\nAfter registration with Provenance and KYC approval, there is a processing period. The team will process your role after receiving confirmation. If you do not receive a response after a few days, or if there's a delay, you can open a help desk request at [https://code4rena.com/help](https://code4rena.com/help). After a Provenance application is approved, you can expect to receive an email. Please also remember to check your spam folder as the email is sent from compliance@provenance.company. \n\nIt's also worth mentioning that the process of getting a 'certified' status confirmed and added takes roughly 2 days to 5 business days. It takes approximately 2 weeks to mark a warden as certified after approval from the KYC firm. The process of approving a team for contest participation can take up to a few business days. If you've completed a certification process with ProvenanceDAO and have participated in more than 3 contests, you might be awaiting the upgrade to Certified+. In any case, Provenance will inform the organization once you have been KYC'ed and will directly send the confirmation to process a private audit application. \n\nOverall, while the timeline can vary, you can generally expect the process to take from a few days up to a few weeks.", "Question: What factors affect the classification and acceptance of my findings during a smart contract audit?\n\nAnswer: The classification and acceptance of your findings during a smart contract audit on CodeArena depend on several factors. 
Firstly, the severity of the finding plays a crucial role. If the finding could lead to a significant loss of funds or other severe consequences without any pre-conditions, it's usually classified as high severity. If the impact is lesser and there are specific pre-conditions such as high attack difficulty, specific market conditions, or user unawareness, it's typically medium severity. If the issues are minor and don't have any significant impact, they are usually classified as QA. \n\nMoreover, it's important to provide a clear, detailed explanation of your findings. Our team may disregard an issue if there isn't enough detail or proof, or if the impact is extremely small. Including Proof of Concept (PoC) in your report significantly increases the credibility of your finding. However, an issue may still be accepted without PoC if it's extremely obvious.\n\nIt's also worth noting that an issue's severity can be upgraded. For instance, a low-impact QA report could potentially become a high-impact report if the auditor demonstrates an understanding of how the issue could be exploited. \n\nIn addition, our team does not penalize for incorrect severity assignment if your finding is valid. If a submitted medium report is deemed high severity, it could get raised to high unless there's a reason to penalize it, such as it being incomplete, lacking detail, or not as accurate.\n\nLastly, despite any uncertainty, always submit your findings. Even if you're unsure about the severity, submit the finding or reach out to our team for additional context. If your finding fits into multiple categories, our judges will decide where it best fits. \n\nFor more detailed guidance on classifying a finding, refer to our guidelines [insert link to guidelines]. 
For a better understanding of how your findings were judged, check the contest results [insert link to contest results] and the reasons for the acceptance or rejection of your findings.", "Question: Why haven't I received any rewards for my QA(low) bug and gas optimization submissions in the contest? \n\nAnswer: It's important to note that not all submissions in a contest are guaranteed to receive rewards. Submissions could be valid, but not satisfactory, or they could be deemed invalid. Rewards are typically focused on high, medium, and low severity vulnerabilities and gas optimizations. For QA and gas optimization reports, the amount of detail required is not as comprehensive as for high severity issues, which could affect reward eligibility. \n\nIf no high or medium vulnerabilities are discovered during a contest, the remaining funds may be distributed based on Quality Assurance (QA) reports. However, this is considered a rare occurrence. If no gas optimizations are found in a particular contest, such as in the case of the Duality Focus contest, there may not be any gas optimization rewards to distribute. \n\nRewards can sometimes be pending after a contest has finished, and in cases where multiple people, including team members, identify a gas optimization, the reward could be divided using a specific formula. \n\nFurthermore, the judges consider both the quality and quantity of submissions when grading QA reports. A single item in a QA report is unlikely to receive a high grade. You can find more detailed criteria for grading reports here: https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical and https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports.\n\nLastly, rewards for QA and gas optimization reports are given according to judges\u2019 scores, and duplicate submissions are disregarded. 
Please note that findings that are valid but non-critical, such as the presence of \"Open Todos\" or the \"use of Block.timestamp\", are not rewarded. \n\nFor more information, you can refer to the FAQ page on CodeArena's website at https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.", "Question: How much storage space does a \"bytes\" variable consume in a Solidity struct?\n\nAnswer: In Solidity, state variables are stored in 32 bytes storage slots. Therefore, a \"bytes\" variable, which is an array of bytes32, would occupy 1 slot (32 bytes) in its default state. Keep in mind, however, that the actual size and cost in gas can vary depending on the size of the \"bytes\" array. \n\nFor instance, a variable such as \"address\", when casted to \"bytes20\", is still 160 bits, or 20 bytes, which fits into one slot with some space left over. However, a \"bytes\" variable with a length exceeding 32 would require more than one slot. Solidity packs variables into fewer slots if they are declared next to each other, a process which can reduce gas costs. \n\nIt's also worth noting that non-ASCII characters, such as emojis, may require more than one byte, thus increasing the storage size. \n\nMore information about Solidity's storage and gas efficiencies can be found here: [Solidity Storage Layout](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html) and [Dynamically-Sized Byte Array](https://docs.soliditylang.org/en/v0.5.12/types.html#dynamically-sized-byte-array).", "Question: How should I prepare and submit my Quality Assurance (QA) and Gas Optimization reports for a contest at CodeArena?\n\nAnswer: At CodeArena, it's recommended that you prepare and submit your Quality Assurance (QA) and Gas Optimization reports separately. 
Each contest requires the submission of one consolidated QA report, where ideally all issues are grouped together. Similarly, all findings related to Gas Optimization should be put together in one separate report. If a finding is relevant to both QA and Gas savings, it can be included in either report, and the judges will decide where it best fits. \n\nIn case your report does not fit in one submission request, you are allowed to split it into separate sends. Additionally, you are also allowed to edit existing findings. Medium and high severity findings should preferably be submitted as separate reports. For non-critical findings, you may compile them into one QA report or create one QA report for every finding, based on your preference. \n\nAs for the structure and formatting of your reports, you can refer to the [templates or guides](https://github.com/code-423n4) provided by us. Examples of the top QA/Gas reports for previous contests can also be found at [Code4rena](https://code4rena.com/reports). \n\nFurthermore, it's important to understand that the grading system for QA/Gas reports involves Grade A reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus. Grades are assigned based on the quality of your reports and the judges' scores, and duplicate findings are disregarded. There can be differences in scoring grade-A QA reports, and handling downgraded issues, which need to be paired up with wardens\u2019 QA reports, can be challenging.\n\nLastly, there are ongoing discussions around how QA and Gas reports handle duplicates and their formulae. There are also questions regarding whether specific code simplifications, such as combining two for loops into one or the use of storage instead of memory in the view function, fit into the category of gas report or QA report. 
This demonstrates that the classification of certain findings between QA and Gas can sometimes be unclear and is subject to judge discretion.", "Question: What should I include in my report when I find an issue and how will it be graded?\n\nAnswer: When you find an issue, it's important to put together a comprehensive report that includes a detailed explanation of the issue, its impact, mitigation suggestions where necessary, and a Proof of Concept (PoC) if applicable. Aim for a semi-professional report layout. Please remember that not every issue requires a PoC; however, without a PoC, a finding may be disregarded unless the issue is extremely clear-cut like a typographical error, a wrong parameter, or code that doesn\u2019t compile.\n\nGrading of the reports focuses on the correct identification of the highest severity impact of the bug, making a case for the severity and validity chosen with evidence, and clear and understandable writing. The specific severity doesn't matter as much as a good explanation of the finding. A low-impact report could potentially be upgraded to a high-impact report if the severity is misjudged. This requires a clear understanding of how the issue could be exploited.\n\nIn cases where you find an issue that fits into multiple categories or you're unsure about the severity, it's recommended that you still report it. Judges are responsible for deciding where the finding best fits and can reassign severity if necessary. The value of a bug is partly based on correctly assessing its severity and presenting evidence.\n\nRemember, the impact of a vulnerability will determine its severity, which should be reported based on the impact of the bug. High consequences generally involve substantial fund loss or other severe repercussions and don't require pre-conditions. 
Medium consequences usually have less impact and require specific preconditions such as high attack difficulty, specific market conditions, or user unawareness.\n\nShould you report a bug with multiple exploitation routes, or a bug in a contract that's in scope but impacts another contract that's out of scope, these specific situations are left up to the judge's discretion. \n\nFor more information on estimating the risk, please refer to our guidelines at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr.\n\nRemember, a well-structured report is more likely to be acknowledged and rated higher, even if the issue found has a smaller impact or is an automated finding.", "Question: \nWhat should we do if we identify a vulnerability in an out-of-scope contract during the auditing process, and how will it impact potential rewards?\n\nAnswer: \nIf a vulnerability is discovered in an out-of-scope contract, it's advised to report it, even if you're uncertain about potential rewards. You can include it in the C4 report as an unrewarded finding or directly message the project. If a bug is found in an in-scope contract that impacts an out-of-scope contract, it is up to the judge's discretion whether it's eligible for a reward. \n\nIf the vulnerability affects a main contract, it should be reported irrespective of where it was found. In some cases, a judge may decide to bring out-of-scope vulnerabilities into scope, particularly if they have a substantial impact, but this is not guaranteed.\n\nTo ensure eligibility for rewards, all vulnerabilities need to be reported through the contest submission form. It's also worth noting that while sponsors appreciate all vulnerabilities being reported, the focus is typically on high, medium, and low severity vulnerabilities and gas optimizations. Non-critical vulnerabilities, despite being beneficial to the sponsor, may not be considered for awards. 
\n\nIf you've written a Proof of Concept (PoC) script for a vulnerability, you should include the link in your submission. A vulnerability without a PoC can still potentially be rewarded as high if the process is clearly described in bullet points. \n\nIt's also important to note that if multiple auditors report the same bug, they may all receive a portion of the bounty. But, common findings that are usually picked up by the C4udit tool are typically considered out of scope. \n\nFor difficult-to-fix vulnerabilities, while recommendations are appreciated, they are not mandatory and won't affect the severity of the issue. If a vulnerability is found a few days after the contest ends, it is encouraged to responsibly disclose it to the development team, but it wouldn't be awarded by C4 outside the contest timeframe. \n\nIn all cases, CodeArena encourages participants to reach out to the sponsor team during the contest if they have any questions or believe they've found a significant vulnerability. Lastly, do remember the value of your work is not just in identifying the vulnerabilities but also in explaining them comprehensively.", "Question: How should 'on the fence' vulnerabilities be categorized in terms of risk rating - High or Medium?\n\nAnswer: The categorization of 'on the fence' vulnerabilities as High or Medium risk largely depends on a balance of the potential consequence and the likelihood of the vulnerability being exploited. High-risk vulnerabilities typically involve significant fund loss or other severe consequences and don't require specific pre-conditions for occurrence. On the other hand, Medium-risk vulnerabilities usually have a lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness. \n\nIt's important to note that the practice of rating everything as high risk is discouraged, as a user's credibility is a significant consideration. 
Therefore, in order to make a proper evaluation, users often rely on their experience and the severity of loss caused by the issue. For instance, if all rewards can be lost, it's likely to be considered HIGH, whereas if there's a risk of losing some rewards, it's probably medium. \n\nWhen submitting a report, it's also possible to include both high severity and medium/low severity issues in the same report, but the highest effort should be put into the high severity issues. If a vulnerability is difficult to fix without major changes to the protocol, it can still be reported, with recommendations being appreciated but not a must.\n\nAdditionally, if no Medium/High vulnerabilities are found, the full award pool would be divided based on the QA Report curve. However, this is considered a rarity as there have only been a few contests without high vulnerabilities and no contests without a medium vulnerability. More details on the estimation of risk for vulnerabilities can be found at https://docs.code4rena.com/awarding/judging-criteria#estimating-risk. \n\nIt's also important to highlight that the trust between wardens and sponsors is crucial, and there is a concern about the potential misuse of disclosed vulnerabilities. Therefore, transparency and integrity in vulnerability reporting are highly encouraged.", "Question: As a beginner looking to understand staking contracts and their implementation, what resources or practices would you recommend for learning and comparison?\n\nAnswer: Indeed, there are various ways staking functionality can be implemented, and understanding them can provide you with a broader perspective. \n\n1. Participate in staking platform contests: These can provide you with multiple designs and best security practices that you can learn from.\n\n2. Use comparison tools: Tools that allow you to compare differences between contracts can be beneficial in your learning process.\n\n3. 
Utilize online resources: Websites such as CryptoZombies.io and CaptureTheEther.com are recommended for beginners to understand the basics of smart contracts and solidity. Furthermore, if you're interested in bug bounty hunting, these resources can be helpful too.\n\n4. Self-study: There are materials available to learn about smart contract auditing such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ and our own Warden handbooks at https://docs.code4rena.com/roles/wardens/tools-and-resources. You can also explore platforms like Ethereum StackExchange for deploying contracts: https://ethereum.stackexchange.com/questions/68519/creating-a-new-contract-specifying-a-sender-and-value-with-factory-pattern.\n\n5. Understand and analyze existing contracts: Some contracts you come across might be 'snapshots' of OpenZeppelin (OZ) contracts, knowing why this is the case can give you insights into implementation practices.\n\n6. Learn from Video Tutorials: Visual content can often make complex topics easier to understand. Here's a video explaining the main contracts in the Vault: https://youtu.be/D-hSiGeNpuY, and another explaining some aspects of contract auditing: https://www.youtube.com/watch?v=wCD3fOlsGc4.\n\n7. Partake in Online Challenges: To further your knowledge in advanced solidity and defi industry standards, engaging in challenges like The Ethernaut and Damn Vulnerable DeFi can be quite beneficial: https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/.\n\nRemember, practice and continuous learning are key to mastering smart contract auditing and understanding different staking implementations.", "Question: \nIf I discover a vulnerability in a smart contract but am unsure of how to rectify it without considerable adjustments to the protocol, what is the recommended course of action? 
Is it acceptable to submit reports without a proposed solution or with open-ended questions?\n\nAnswer: \nIf you uncover a vulnerability, the primary responsibility lies in identifying and explaining the issue clearly. Submitting a report with a recommended fix certainly adds value to the report but is not obligatory in all instances. When a vulnerability is difficult to fix without major changes, it is still essential to report it. In cases where you cannot feasibly recommend a mitigation step, include an explanation as to why this is the case. However, the mitigation does not influence the severity of the finding.\n\nIn your report, aim to present a semi-professional format that includes the issue identified, a detailed description, and a Proof of Concept (PoC) where necessary. A PoC might not be required in scenarios where the issue is glaringly evident, for instance, due to a wrong parameter or typos. \n\nIt is also worth noting that if the same vulnerability is found across different components of the codebase, it could potentially be counted as separate findings, but the final decision lies with the judge to determine if they are duplicates. \n\nThere were cases where reports without a PoC were disregarded unless the issue was unequivocally obvious. If you are unsure about the severity of a vulnerability you have identified, it is advisable to read the discussion at [https://github.com/code-423n4/org/discussions/34](https://github.com/code-423n4/org/discussions/34) for more clarity.\n\nLastly, if a vulnerability is located in an out-of-scope contract, it can be mentioned in the C4 report as an unrewarded finding, or the project team can be messaged directly. 
Please remember that all findings, including those that seem insignificant or uncertain due to lack of specification in documents, should be reported or communicated to the sponsor team for further context.", "Question: How should a warden handle findings that might be submitted as either separate issues or as one report, and how does this impact the award value?\n\nAnswer: If there is uncertainty whether findings should be submitted as separate issues or as one, it depends on the warden's judgement. The issues in the published reports may or may not be the same as those reported, as they might be a summary of what was submitted by the wardens. It is not necessary to confirm findings with the project's developers before submitting them. The wardens are advised to assess the severity of the issues based on the guidelines mentioned at [CodeArena Judging Criteria](https://code423n4.com/judging-criteria/). \n\nLow and non-critical issues are usually grouped together as a single report by each warden. If an issue identified in an automated finding can lead to a high severity finding, it could be reported again during the contest by a warden and could be awarded with higher severity. \n\nIf the same vulnerability is reported by two or more wardens, it's important to note there's no advantage for the one who submits first and the order of submission does not matter. However, the more wardens find the same issue, the less money each warden receives for this issue. The level of detail in the submission, the inclusion of a Proof of Concept (PoC), and the way the issue is covered in as many aspects as possible can influence the award amount. More details can be found at [Code4Rena Incentive Model and Awards](https://docs.code4rena.com/incentive-model-and-awards).\n\nThe final decision regarding the risk level of an issue and where it best fits (e.g., QA or gas savings report) lies with the judges. Once findings are submitted, they are not disclosed to other competing wardens. 
If there are any concerns or issues with a report, clarification may be sought from \"wardens\". The submission policy is provided at [Code4Rena Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). \n\nPlease note that the final report for a contest doesn't include wardens whose submissions/findings are not accepted. If the judges and sponsors disagree with a proposed mitigation, it is advisable to present a compelling case for why the finding should be considered.", "Question: When and how can I access and discuss the findings report after a contest has concluded?\n\nAnswer: After the conclusion of a contest, there is a review and judging process that takes place before the findings report becomes publicly available for discussion. This process generally starts immediately after the contest ends and includes a sponsor review, judge review, sponsor confirmation, judge's final report, and the announcement of the results. The exact timeline can vary depending on the particular contest and the number of reports under review concurrently, but it typically takes anywhere between 3-6 weeks.\n\nOnce the report is published, the findings repository is made public and participants can review, discuss, and understand why specific submissions were or were not accepted. This allows participants to see the discussion among sponsors and judges on specific issues. Certified+ wardens have the ability to view the findings repo immediately after a contest ends, even before the final report is published.\n\nIt's important to note that the findings submitted for contests may not always make it to the final report, and the specific reasons might not be immediately known. To check, you would need to wait until the reports are published. 
Also, the submission rules prohibit discussing specific findings until the report has been posted for the contest in question.\n\nAccess to the findings report prior to its publication varies. Sponsors are given access to the findings repo either after the contest is over (for old contests) or one week after with triaged and deduped issues. However, sponsors may not have access to the findings repo before the contest ends.\n\nPlease keep in mind that the time taken for project findings to get reviewed varies with each contest and findings during a contest remain private until the report is published.", "Question: \nWhat are the requirements for obtaining the backstage role at CodeArena, and how are these requirements such as scores and findings determined and verified?\n\nAnswer: \nTo gain access to the backstage role at CodeArena, you need to satisfy several criteria. These include:\n\n1. A high severity finding, or three medium severity findings that are public.\n2. Participation in a minimum of three contests.\n3. Being a certified contributor to C4.\n4. The results from the contests you participated in must have been published on the leaderboard.\n5. Your QA or Gas report must have received a score of over 85. \n\nScores of these reports are visible to backstage role users and can be found in the \u2018score\u2019 column in findings.csv in the Code4rena site repo\u2019s _data folder. These reports are graded based on a relative score compared to other reports, with Grade A QA reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus. For instance, Quality Assurance (QA) reports are graded based on the number of low findings.\n\nOnce you've met these qualifications, you can submit a help desk request to have your status evaluated. The criteria for a top-3 finish in either the QA or gas report from past contests can be checked by the organization upon request. 
\n\nFurther details on backstage qualifications can be found at this link: [Backstage Wardens](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). Please note that the backstage+ role might require meeting additional criteria, which are detailed in the link provided.", "Question: Does writing an attack contract and explaining its effects in plain language count as a valid Proof of Concept (PoC) for smart contract audit submissions?\n\nAnswer: Yes. Writing an attack contract and explaining its effects in plain language can indeed serve as a valid Proof of Concept (PoC). A PoC is highly recommended for smart contract audits as it is an effective way to demonstrate the vulnerability. Users can provide their PoCs in any language or format, including code or plain English, as long as it adequately shows the vulnerability. \n\nA PoC can be submitted via a public Github repository or by providing a diff of an existing sponsor-supplied test or contract. For instance, an accepted PoC can involve copying the code with a detailed comment about the bug and its impact (Example - https://github.com/code-423n4/2022-12-caviar-findings/issues/343). \n\nHowever, it's important to note that unless the bug is very obvious, the absence of a PoC for a medium severity bug might lead to the finding being disregarded. For instance, a finding about an external function with the transfer of ERC20 tokens without reentrancy protection may not be regarded as of medium or high category unless there is a clear explanation of the exploit path.\n\nIf a PoC is too large to be embedded directly in the issue, you can provide a link, with external platforms such as gist being an acceptable option. \n\nThe best reports typically focus on one specific attack or issue, feature the project's code, offer a simple-to-understand POC or specific example, and include a coded test that demonstrates the vulnerability. 
\n\nTo learn more about including a PoC in your submission, you can visit the guide on https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept. \n\nKeep in mind that a PoC is not only recommended but also could potentially increase the chances of the report being selected, which comes with a 30% bonus. But remember, even if a vulnerability is found in an out-of-scope contract, it can still be reported and may be brought in scope by a judge. \n\nPlease continue working on the PoC if the severity of the risk is not clear until it becomes evident.", "Q: How can a team effectively submit issues on CodeArena? Can they switch between individual and team accounts and how should they manage their wallet addresses for submissions? \n\nA: Teams are encouraged to participate in auditing contests on CodeArena. In order to submit issues as a team, you should first log into your CodeArena account as usual, which will be your individual Warden account. Once logged in, you can switch back and forth between your individual and team accounts before submitting any issues. \n\nWhen registering as a team for a contest, a single wallet address is used. However, if you find an issue as a team member and your teammate finds the same issue but with a different wallet, each person will get less than half of the reward. This is a part of CodeArena's incentive model and awards system, which you can learn more about at https://docs.code4rena.com/#incentive-model-and-awards. \n\nIn case you need to change your wallet address, you can update it after the issue has been submitted and before the reward payout by submitting a request through the CodeArena Help Desk at https://code4rena.com/help. This is particularly useful if your wallet has been compromised, and you've had to change your payment address. \n\nRemember that it is a requirement to connect your wallet to your account in order to submit findings. 
In fact, you might encounter issues if you're not signed in with MetaMask. Learn more about this requirement here: https://discord.com/channels/810916927919620096/810929015509483554/991410741678719278.\n\nIf you encounter any other issues or have further questions, you can seek assistance through the help desk or by emailing submissions@code4rena.com.", "Question: How does Solidity handle the storage of variables, specifically the 'bytes' variable, in terms of storage slots?\n\nAnswer: In Solidity, state variables are stored in 32 bytes storage slots. The 'bytes' variable is an array of bytes (bytes32), not just 32 bytes, thus it doesn't occupy just one slot in storage. It's important to note that the way arrays, such as the 'bytes' variable, are stored in storage differs from individual elements. If multiple variables are declared next to each other, Solidity has the potential to pack these into a single slot, which can reduce gas costs. However, this depends on the type and size of variables. For example, an \"address\" which can be casted to \"bytes20\" is 160 bits, and \"uint256\" is 32 bytes.\n\nBe aware that the use of storage, particularly for arrays, can have cost implications in terms of gas. Caching a storage pointer can be cheaper as it avoids re-computing the position. Also, using calldata for read-only arrays is cheaper because they don't need to be iterated and copied into memory.\n\nMore detailed information on how Solidity handles storage can be found in the official Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html) and [here](https://docs.soliditylang.org/en/v0.5.12/types.html#dynamically-sized-byte-array).", "Question: What is the size of \"bytes\" data type in Solidity and how does it differ from \"byte1\", \"bytes20\" and \"uint256\"?\n\nAnswer: In Solidity, one byte consists of 8 bits. 
For instance, a \"byte1\" is 8 bits, an \"address\" which can be casted to \"bytes20\" is 160 bits, and \"uint256\" is equivalent to 32 bytes. Unlike these, the \"bytes\" data type is a dynamically-sized array of bytes, therefore its size isn't fixed to 32 bytes. It can increase based on the input, but it's important to note that each slot in the Ethereum Virtual Machine (EVM) is 32 bytes and Solidity stores state variables in these storage slots. Multiple variables can potentially be packed into a single slot if they are declared next to each other, which can help reduce gas costs.\n\nWhen a string goes beyond 32 bytes, a new word is added for the length, with each character taking one byte. However, non-ASCII characters, such as emojis, may require more than one byte.\n\nIt's also worth noting that the size of a \"bytes\" variable within a struct was a point of discussion observed in chat, but a clear conclusion wasn't reached. You can refer to the official Solidity documentation [here](https://docs.soliditylang.org/en/v0.5.12/types.html#dynamically-sized-byte-array) for more information on dynamically-sized byte array. \n\nFor the details about how Solidity stores state variables in 32 bytes storage slots and how packing variables into fewer slots can reduce gas costs, you can refer to the Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).", "Question: What are the implications of using storage in smart contracts, and how does it impact the amount of gas used?\n\nAnswer: In the context of Ethereum smart contracts, storage plays a significant role. As per Solidity's design, state variables are stored in 32 bytes storage slots. The way these variables are declared and arranged can have a direct impact on the gas used when executing contract functions. For example, when variables are declared next to each other, they can potentially be packed into a single slot, thereby reducing gas costs. 
\n\nArrays, on the other hand, do not take up just one slot in storage. Their storage representation differs from individual elements. Similarly, the storage of an enum type will occupy part of a slot, and if used as a literal, it will be equivalent to a uint8.\n\nThe choice between using 'storage' and 'memory' also plays into this. Caching a storage pointer in your smart contract can be cheaper as it avoids re-computing the position. However, using calldata for read-only arrays can be less costly as they don't need to be copied into memory.\n\nThere are tools like EVM.storage and the Metadock chrome extension from BlockSec that allow for reading on-chain storage slot values, including private states. These can be useful when analyzing gas usage and optimizing contracts.\n\nKeep in mind that the storage design can lead to technical issues like storage slot collisions. This was evident in the Alchemix contracts audits, where the absence of a storage gap in an upgradeable contract might lead to such a collision. \n\nMore about storage implications and gas usage can be read at [Solidity storage layout](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html) and in the audit reports at [Alchemix Audit Report](https://code4rena.com/reports/2022-05-alchemix/#m-05-no-storage-gap-for-upgradeable-contract-might-lead-to-storage-slot-collision) and [Upgradeable Contract Issue](https://code4rena.com/reports/2022-05-alchemix/#l-11-upgradeable-contract-is-missing-a-__gap50-storage-variable-to-allow-for-new-storage-variables-in-later-versions).", "Question: How are arrays stored in Ethereum's Solidity smart contracts and what are the considerations with regard to storage, memory, and gas usage?\n\nAnswer: In Solidity, arrays are stored differently in storage than individual elements and they do not occupy just one slot. 
Solidity stores state variables in 32 bytes storage slots, and multiple variables can potentially be packed into a single slot if they are declared next to each other, which can reduce gas costs. More about this can be read at [Solidity Storage Layout](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).\n\nAlso, it's important to understand that the use of 'storage' or 'calldata' in a contract depends on their costs. For instance, caching a storage pointer avoids re-computing the position, thereby reducing the gas cost. On the other hand, using calldata for read-only arrays is cheaper as they don't need to be copied into memory for iteration. \n\nHowever, a noteworthy point is that copying an array to memory before processing it was tested and concluded to not be beneficial in terms of reducing gas usage.\n\nThere seem to be questions in the community about whether the use of 'storage' instead of 'memory' in the view function could be categorized under the gas report or QA report, and about how to use 'storage' and 'memory' when creating new instances. It is also important to note that one of the possible reasons for a test contract setup failure could be accessing an index that one did not define for an array.\n\nLastly, tools such as EVM.storage and the Metadock Chrome extension from BlockSec can read on-chain storage slot values, even for private state variables. Moreover, functions are automatically generated for public storage variables, constants, and immutables which aren't stored in storage. More information about state variable visibility can be found at [Solidity Contracts](https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility).", "Question: How and when can I access the findings from a CodeArena contest?\n\nAnswer: The findings from a CodeArena contest are initially kept private and are made available in the findings repository after the contest report is published. 
The report publication typically happens after the contest is closed, however, the exact timing for this is not specified. \n\nThese findings are comprehensive and include all user submissions, valid or otherwise, and can be found in the associated GitHub repository. For example, a repository named \"2022-04-backed-findings\" can be found at https://github.com/code-423n4/2022-04-backed-findings. All past submissions can also be found in any repository ending with -findings on the CodeArena GitHub: https://github.com/code-423n4.\n\nThe findings repository becomes public after some time, with Certified+ Wardens being granted immediate access after a contest ends. Contest sponsors are given access either after the contest is over or one week after with triaged and deduped issues. This allows participants to review why their submission was not accepted or rewarded, as they can see the discussion among sponsors and judges on the specific issue.\n\nIn addition to the findings repositories, the public report page on the C4 website is updated mid-contest and the final report can be read by all participants. For each contest, the Readme Page also has a section titled \"Known Findings\" where automated findings not accepted in the contests are listed.\n\nFinally, a file containing all findings and payouts, which can be cross-referenced with the contest report, is available at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. Please note that some links to the repositories in the contests have been reported as not working. If you find a broken link, please inform us so that we can correct it.", "Question: How does a keyword with \"()\" interact with variables and functions in Solidity, and what are the associated best practices and considerations for gas optimization?\n\nAnswer: In Solidity, a keyword with \"()\" is typically associated with calling a function. 
However, for public storage variables, constants, and immutables that aren't stored in storage, a function is automatically generated when they are called. This generated function can interact with these variables as if it was a method. \n\nIt's important to note that these automatically generated functions are subject to the same gas usage and optimization considerations as manually written functions. For instance, internal functions that are only called once can potentially be inlined to save gas. \n\nIn terms of coding practice, some developers prepend internal functions and function parameters with an underline, although this is a matter of personal preference and does not affect functionality. \n\nIn the context of smart contracts, constants are generally cheaper than immutable variables as constants are calculated and filled in at compile time, while immutable variables are read-only state variables.\n\nIf you are dealing with for loops in Solidity, it may be possible to optimize gas usage by omitting unnecessary initializations. For example, the initialization of the loop variable to 0 is not necessary and can lead to gas savings.\n\nWhen accessing the state variable of a different contract, you need to call the specific instance of the contract being queried. The visibility of your state variables can also impact how they can be accessed, more about state variable visibility can be found at https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility\n\nLastly, Solidity stores state variables in 32 bytes storage slots, and multiple variables can potentially be packed into a single slot if they are declared next to each other, which can help in gas optimization. More about this can be read at https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html\n\nRemember, any changes to the state variables in smart contracts have associated costs, and these costs can vary based on how the variables are declared and accessed. 
Always consider these factors when writing and auditing your smart contracts.", "Question: Is the Goerli faucet hosted by Mudit currently functioning, and if not, what alternatives are available?\n\nAnswer: We've had some inquiries about the functionality of the Goerli faucet hosted by Mudit. Users have had difficulties due to receiving \"insufficient funds for gas * price + value\" when they try to use it. Unfortunately, we don't have certain information about the current status of the Goerli faucet. As an alternative, if you're trying to obtain ETH in the Goerli testnet for ethernaut, a suggested solution is to use polygon/sepolia. For Rinkeby testnet tokens, a faucet is available at https://faucet.rinkeby.io. In case of future issues or general inquiries, we periodically hold office hours for GoGopool where users can ask questions. Please note that some users have reported issues with running contest repositories in certain environments, such as the GoGoPool contest in VSCode, and running foundry fork testing in the polygon POS network. We're working to resolve these issues and appreciate your patience.", "Question: How can I review the status of my submissions and understand the reasons for findings rejections in CodeArena's findings report repository?\n\nAnswer: After a contest has ended, a report will be published that includes analysis findings. The findings report repository, where these reports are stored, is made public once this report is published. If your submission to a contest was not rewarded, there is a process to review the reasons for the rejection of your findings. This process begins once the report is published and the findings repository is fully opened. \n\nYou can access the findings repository at https://github.com/code-423n4. Here, you'll find the entire repo made public, and you'll have the opportunity to review your submissions, understand why they were not accepted, and even view others' findings. 
If your submission was rejected, you can find information on the specific issues with your report and see the discussion between sponsors and judges.\n\nIf you want to check on reports that were labeled as invalid, you can access this information at https://github.com/search?q=org%3Acode-423n4+is%3Aissue+label%3Ainvalid. \n\nPlease note that the findings repository will remain private until the report is published and the exact timing for this is not specified. Findings submitted for contests may not always make it to the final report, and the reason for rejection might not be immediately known. You should ideally wait until the reports are published, which usually takes at least a month.\n\nIf you are a certified warden, you will find buttons labeled \"View Repo\" and \"Submit Findings\" for your use. Furthermore, feedback for your submitted findings can be found on Github from the report. \n\nIf, after all this, you still don't have access to the findings repo, you can request to be added to the backstage group on Github. To check the status of your submission, look out for an email and the ability to edit submitted findings. \n\nRemember, it's always possible to revise and resubmit your analysis reports.", "Question: How can I access and make use of the GitHub repositories provided by Code4rena?\n\nAnswer: GitHub repositories related to Code4rena's contests are conveniently located on the official Code4rena website, specifically within the section for live contests. Aside from the live contest repositories, you can also access user submissions for completed challenges on the respective repository once the contest report gets published. Notably, all past submissions and analysis findings can be found in repositories with the suffix -findings on CodeArena GitHub, such as https://github.com/code-423n4/2022-04-backed-findings.\n\nFor more in-depth discussions on specific issues, you might want to visit the GitHub page of CodeArena. 
For instance, an issue discussion can be found at https://github.com/code-423n4/2023-06-lybra-findings/issues/364#issuecomment-1689165295. If you are participating in the contest, remember to review and make a pull request for your handle at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles.\n\nMoreover, the findings are typically posted as GitHub issues on a private repository and only become public after the contest concludes. However, if you are a sponsor of a contest, please note that you won't have access to the findings repo until the contest ends. If you have any issues or inquiries about the contest process and results, you can report them in the 'issues' section of the organization's GitHub repository: https://github.com/code-423n4/org/issues.\n\nLastly, you can conveniently find scoring breakdowns for past contests in the #\ud83d\udce2announcements channel, on each contest page of the CodeArena website or at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv. And for the contest judging criteria, you can refer to https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md.", "Question: Are there automatically generated or invisible functions in Solidity, and what are the best practices in terms of function visibility and optimization for gas usage?\n\nAnswer: Yes, in Solidity, functions are automatically generated for public storage variables, constants, and immutables that are not stored in storage. You can read more about state-variable-visibility from this [documentation](https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility). \n\nAdditionally, it's worth mentioning that Solidity allows function inlining, which can be used to save gas in smart contracts. Function inlining refers to the practice of placing the body of a function in the place where the function is called for optimization purposes. 
This is especially useful for internal functions that are only called once, as they can be inlined to save gas. \n\nHowever, it's also crucial to note that declaring public functions as external could help optimize gas usage. Furthermore, it's generally considered a best practice to prepend all internal functions with an underline, but it doesn't necessarily apply to function parameters. Lastly, do note that calling a view/pure function from a non-view/non-pure function in the same contract does cost more gas. \n\nFor more advanced gas optimization techniques, such as the one labeled 'Use assembly to check for address(0)', you can refer to this [link](https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs). However, remember that this kind of optimization, while it could save a few gas, is not always valuable or interesting for all types of contracts. \n\nIt's important to always consider the context, the purpose of the contract, and the specific requirements of the project when deciding on the best practices for function visibility and gas optimization.", "Question: What is the correct pronunciation and meaning of C4 in relation to your company?\n\nAnswer: C4 is pronounced as \"Code Arena\" and it stands for Code4Arena. C4 is a platform that aids other companies in receiving audits of their smart contracts. It hosts a range of activities including audit contests and has worked with several protocols. For any help or issues, users can open a help desk request at https://code4rena.com/help. More information about Code4Arena can be found in its documentation at https://docs.code4rena.com/ and detailed contest information is available at https://code4rena.com/contests.", "Question: I'm looking for the totalSupply() function in the solmate ERC20 contract but can't find it. Can you explain why this is the case?\n\nAnswer: The totalSupply() function you are looking for is indeed present in the solmate ERC20 contract. 
However, it might not be visible in the traditional way you would expect. In the openzeppelin contract, _totalSupply is a private storage variable and needs a view function to view it, which is why a function with the same name is written. However, in the solmate ERC20 contract, totalSupply is a public storage variable. In such cases, a view function with the same name is automatically generated for public storage variables. \n\nYou can view the totalSupply by just calling contract.totalSupply(), similar to how you would call other public functions. Additionally, note that the ERC-20 standard allows contracts to optionally implement a decimals() function, although it is not required. This function is technically valid but other contracts should not expect these values to be present. \n\nTo view the solmate ERC20 contract, you can visit this [link](https://github.com/transmissions11/solmate/blob/main/src/tokens/ERC20.sol). For more information on the ERC-20 standard and the optional decimals() function, you can visit the EIP-20 documentation [here](https://eips.ethereum.org/EIPS/eip-20).\n\nRemember that a smart contract does not know if someone has sent ERC20 tokens to it, and ERC721 or ERC1155 contracts may know if tokens were sent there because it has a recipient contract call onReceive. \n\nFor more information on auditing smart contracts, there are various tools available for finding vulnerabilities and bugs in smart contracts. However, a specific tool or plugin similar to the functionality of the online Remix IDE was not mentioned in the chat excerpt provided. It's also worth noting that there is a request for a YouTube video on how to audit smart contracts, but it seems it hasn't been answered or fulfilled. \n\nWhen it comes to understanding the gas cost of contracts, the Foundry smart contract testing framework can be helpful, as it allows you to log the gas remaining after the state variable update. 
However, to send ether with the constructor while deploying a contract in Foundry, it seems you will have to look for further assistance.\n\nFor any other Solidity-related questions, you are welcome to ask them on our platform.", "Question: What happens to a Medium Finding that is marked as invalid and there are many duplicates? And what if the severity of the finding is misclassified?\n\nAnswer: When a Medium Finding is marked as invalid, irrespective of the number of duplicates, it gets marked as scrapped. However, if a finding is submitted with a certain severity level (e.g., Medium) and the judges determine it to be of a different severity (e.g., High), it's adjusted accordingly. This means, if you submit a Medium severity finding and it's deemed High, it gets upgraded to High unless there's a reason to penalize it, such as it being incomplete, lacking detail, or not as accurate. Conversely, a High severity finding that turns out to be only Medium still receives the reward for a Medium finding. \n\nHowever, all determinations and reclassifications are subject to the judges' discretion. If you classify a finding as Low in your QA report but the judges determine it's a Medium finding, it will be eligible for Medium rewards [as per the guidelines](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nThis process relies on the findings' classifications (High, Medium, or QA) based on the severity of loss caused by the issue. For example, if there's a risk of losing some rewards, it's probably Medium. If the principal can be stolen without needing extra requirements, then it's probably High. \n\nFinally, even if a report's severity is incorrectly classified, participants will receive feedback from a judge. 
This is part of CodeArena\u2019s commitment to ensuring fair and accurate assessments of all findings.", "Question: Who can participate in a Mitigation Review and what does it involve?\n\nAnswer: A Mitigation Review is a follow-up process after a contest, where the top wardens from the initial contest are invited back to review the mitigation of bugs that were identified during the contest. Only wardens who participated in the original contest, specifically the top-ranking ones, are invited to participate in a Mitigation Review. For example, in the Caviar contest, the top 3 wardens from the open contest were involved in the Mitigation Review, which had a prize pool of $8,100 USDC.\n\nThis process allows wardens to assess the effectiveness of the implemented solutions. However, it is important to note that only certified wardens are allowed to participate in mitigation-review contests, and the certification process can be reviewed if you're interested to learn more. Also, it is uncertain if wardens are paid if no issues are found during the Mitigation Review.\n\nVersus contests, which are usually private and open only to top wardens, operate somewhat similarly, with opportunities given to wardens based on their rank in particular contests or during a recent time period. You can check out the judging criteria at https://code423n4.com/judging-criteria/ to understand how wardens go about assessing the severity of issues found during reviews.", "Question: How can I submit findings as a team on Code4rena, and what can I do if I encounter issues?\n\nAnswer: On Code4rena, you can submit findings as a team once your team is approved. Team members can make submissions on behalf of their teams, and have the flexibility to choose whether they're submitting as an individual or as a team member. This can be selected from a dropdown on the submission form. Remember, by submitting as a team, all members receive the bug stats. 
However, sometimes you may experience issues like a blank page appearing when trying to add members or open the submission form, or not seeing your findings on the \"Findings\" tab despite having submitted them. \n\nIf you encounter such issues, try refreshing the page or changing browsers. If the problem persists, you can open a help desk ticket: [https://code4rena.com/help](https://code4rena.com/help). Alternatively, you can send an email to submissions@code4rena.com for assistance. \n\nFor queries about submission rules or any other platform related concerns (like how prizes are split, how to manage team members who want to participate solo, issues with team registration visibility on user profiles, etc.), you can also reach out via the help desk. \n\nRemember, your submissions are only visible to your team before the contest ends. After the contest, those with the \"backstage\" role get access to findings to help with triaging. Also, the process of approving a team for contest participation can take up to a few business days. For managing the same team name but with different team members working on different contests, it can be challenging, so ensure you have good coordination within your team. \n\nAs for viewing all submissions after a contest, there are inquiries about this feature and we are looking into it. We appreciate your patience and welcome you to contact us with any other concerns or suggestions you may have.", "Question: Is it possible to add images to the report, and if so, how can we do it?\n\nAnswer: Yes, you can add images to your reports. This can be particularly useful when explaining a proof of concept. Reports are written in markdown, and the images can be added by using the syntax provided in this guide: https://www.markdownguide.org/basic-syntax/#images-1. \n\nTo upload an image, you can register a free account on https://cloudinary.com/, upload the image there, and then copy the image URL into your report. 
Alternatively, you can upload images to your Gist, submit the report with the gist link, and then delete the gist later. \n\nIf you are submitting a vulnerability report, you can attach screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected code. \n\nPlease note that while images can be included in your report, there have been issues reported with the Analysis Report preview displaying embedded images. \n\nAlso, if you believe a larger image or multiple images are necessary, you can submit larger reports by email and then place a placeholder in your original submission. This method has been suggested for inclusion in our official documentation. \n\nFurthermore, if you have already submitted a report and want to add images later, you can do so by navigating to the contest page and clicking the 'Your Findings' button. This allows you to submit additional findings after an initial report was submitted.", "Q: Can you explain the structure of future contests, including the concept of \"Mitigation review contest\" and how the rewards are distributed?\n\nA: In future contests, we plan to continue the structure of an initial audit prize pool followed by a mitigation review pool. A \"Mitigation review contest\" is essentially a process where top wardens from the initial audit contest are invited back to review bug mitigations. For example, in the Caviar contest, the highest-ranking wardens from the open contest were assigned to the Mitigation Review which had a prize pool of $8,100 USDC.\n\nThe distribution of rewards varies contest by contest. For instance, the awards pool can include several categories: HM awards, QA report awards, Bot race awards, Gas report awards, Judge awards, Lookout awards, and Scout awards, as seen in a previous contest. 
The contestants are rewarded shares for bugs discovered based on their severity, allowing them to earn a pro rata piece of the pot.\n\nIf no Medium/High vulnerabilities are found in the smart contracts, remaining contest funds will be divided based on the Quality Assurance (QA) report curve. Further details on this distribution can be found in the corresponding contest post.\n\nThe mitigation review is generally limited to top wardens of the original invitational audit. However, there might be a ranking cutoff for auditing in private contests, and typically, the top 3 or 5 wardens are selected for mitigation review or invitational.\n\nWe understand that not everyone can participate in every contest due to various reasons such as time commitments or preferences for the scope of contests. Hence, there has been a suggestion to include the average percentage of pool awarded as a metric for reference. For any further discussion on this topic, please refer to our forum: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123", "Question: How can I include images in my C4 report and what are the processes and guidelines around it?\n\nAnswer: You can definitely include images in your C4 report to enhance its clarity or explain a proof of concept. The report is done in Markdown, a popular markup language that can be used to format text and embed images. To add an image, you can upload it to a hosting site like https://cloudinary.com/ and then copy the image URL. More on how to add images to Markdown can be found on this GitHub guide: https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images.\n\nOnce you have the image URL, you can use the following syntax to embed the image in your report: `![Alternative text for the image](URL of the image)`. 
Please ensure the image is relevant and aids in understanding of your report.\n\nThe final report will be compiled with your image(s) if accepted by the judges. However, please note that there have been reports of issues with the Analysis Report preview failing to display embedded images. Hence, after embedding, verify if the images are properly displayed in the preview. \n\nPlease keep in mind that the quality of English used in your report will also influence its evaluation by judges. You can view previous reports to see what a high-quality submission looks like. \n\nSubmissions are confirmed via email and can be viewed on the C4 Contest page under the \"Findings\" tab. However, the final report of the contest may not immediately appear on the C4 site after the leaderboard is shown and rewards are sent. It's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project. \n\nFinally, CodeArena has a policy of not discussing findings publicly until the report is published. If you need any further support or have questions, you can reach out on the C4 website for guidance.", "Question: How can I become a certified auditor at CodeArena and participate in private audits?\n\nAnswer: Currently, there are no general certifications available for becoming a \"professional certified\" auditor. However, at CodeArena, one can apply for a 'Certified' status to participate in private or invitational audits. This process involves competing in audit contests and making useful contributions. If you rank high in these contests or contribute significantly, you can apply to be certified by contacting CodeArena through their help desk form. \n\nOnce certified, you are recognized as a 'Certified Warden' and become eligible to participate in private audits. However, there might be other conditions to meet, such as the Know Your Customer (KYC) process. 
Certified wardens are usually given permission to audit private contests and may even rank on the leaderboard. Participation in restricted audits is also possible after certification.\n\nFor those looking to improve their auditing skills, it's recommended to read reports, audit codebases, and persistently learn from various resources such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources. You can also inquire about findings of past projects and participate in private competitive audits to further enhance your experience.\n\nMore detailed information about becoming a certified contributor and the associated processes can be found at https://docs.code4rena.com/roles/certified-contributors and https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0. Just bear in mind, for most audits, it's not necessary to be a certified contributor. But being certified certainly opens up more opportunities.", "Question: Will having more than three rejected reports in a competition prevent me from receiving any rewards and how does the reward distribution work?\n\nAnswer: Yes, if a participant submits more than three reports that are rejected in a competition, it will prevent him or her from receiving any payout for that competition. If you list any of the C4udit gas findings, that will void your report and count as three. The distribution of rewards works such that the best report typically receives the most money. Duplicate reports may not receive any money if they don't meet a certain threshold. It's worth noting that all types of accepted reports from high-level issues down to gas optimizations are eligible for payouts, as long as the report is of high quality, the findings are accurate, and it includes a working proof of concept. \n\nHowever, if multiple members of a team submit the same item separately, it decreases the overall value of the submission. 
Participants can submit more than one report, but they should refrain from submitting issues they are unsure about or that are invalid. Once the contest payouts have been sent, the outcome is final, but any overlooked issues can be flagged to the judge and sponsor. \n\nIf a participant's report is rejected, they can view the reasons for rejection once the report is published, and the findings repo is made public. For more details on the reward distribution, please visit https://docs.code4rena.com/awarding/incentive-model-and-awards.", "Question: I have some findings that I'm not entirely sure of their significance. Should I submit them? Also, what happens if I submit three incorrect findings in a contest?\n\nAnswer: We encourage users to submit all findings they come across during the process. When you are uncertain about the significance of your findings, you can either submit them or reach out to the sponsor team for additional context via direct message. \n\nYou can submit additional findings even after an initial low-risk finding, and it's not necessary to confirm these findings with the project's developers before submitting. If you're unsure whether to submit findings as separate issues or as one, it's alright to lean either way. \n\nWe appreciate users who report non-critical findings out of goodwill, despite the absence of an official incentive. High-risk findings are considered depending on the specific contest and the judge, and if you believe a high-risk finding should be significant, we advise making a case to the judge in your submission. \n\nIt's important to note that while there is currently no penalty for submitting incorrect findings, three rejected reports in a competition will prevent you from any payout for that competition. We recommend reading discussions about grading and awarding for a better understanding of the process. 
\n\nSubmissions can be updated through the \"Your findings\" button on the contest page, and feedback can be found on your submitted findings. It's acceptable to cite similar findings from other contests to justify the severity and validity within submissions. \n\nPlease note that the submission of analysis along with findings is not mandatory, but it could lend more weight to your report. If a submitted high-risk finding is judged as low-risk, you will still be rewarded and vice versa. \n\nRemember that all findings, whether from best or non-best, published or unpublished bot-generated reports, are still eligible for submission. Submissions made before the deadline are publicly available, and you can check your submission without modifying it. \n\nLastly, you can find out how your findings were judged, which findings were rejected and why, as well as view others' findings after a contest ends.", "Question: Will there be future contests structured with an initial audit prize pool and a mitigation review pool like the \"Mitigation review contest,\" and what does this entail?\n\nAnswer: Yes, CodeArena is planning more contests with a similar structure that features an initial audit prize pool and a mitigation review pool. This structure involves an initial contest to audit a smart contract, followed by a mitigation review contest. The mitigation review contest involves inviting the top wardens (judges) from the initial audit to review the bug mitigations proposed. It's important to note that only those who participated in the original contest are eligible for the mitigation review contest. It appears that the top three wardens, or auditors, are typically selected for this stage. For example, this was the case in the jul05 Chainlink contest. \n\nIn some cases, these mitigation review contests could be private, such as the Reserve mitigation review contest. This is different from the Ethos Reserve contest, which was an open public audit. 
For other contests, like the Caviar contest, the highest-ranking wardens from the open contest were assigned to the Mitigation Review, which had a prize pool of $8,100 USDC.\n\nThere is a rewarding formula for the mitigation contest, however, the specific details of it are not mentioned. For more information about mitigation review contests and how they work, you can visit this page: [https://code4rena.com/how-it-works](https://code4rena.com/how-it-works). \n\nIt's also noteworthy that there's a consideration to release all unverified submissions a few days after a contest ends for learning purposes. More details about this proposition can be found in this forum discussion: [https://forum.code4arena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123).", "Question: What is the timeline and process for reward distribution at CodeArena, particularly around holiday periods?\n\nAnswer: CodeArena aims to distribute rewards in the same week they are announced. However, delays can occur particularly around holiday periods. For example, rewards for certain activities, such as the \"arcade reward\" and \"pool together reward,\" are often distributed the following week. In some cases, rewards may be pending after a contest has finished, but the team always aims to process and distribute multiple contest rewards by the end of a specified week. \n\nThere are instances where rewards from previous private contests appear on the leaderboard, and bonus rewards in some contests are given for the best reports. We're also introducing a system of \"Karma Points\" as rewards for submitting a new detector. \n\nIt's important to note that the payment schedule of some rewards, like the Sherlock contest, has been a topic of discussion. 
Reducing turnaround times is a high priority for us, but in a worst-case scenario, participants might expect rewards two months after the end of the competition. \n\nOne important aspect to remember is that we're always working to make reward distribution smoother and more predictable. However, sometimes unforeseen circumstances can cause delays, such as the DAO employees being on holiday. Rest assured, our team is committed to resolving these hiccups and getting your rewards to you as swiftly as possible. Transparency is our goal, so any changes to reward distribution will be communicated promptly. Remember, you can stay updated on reward announcements by keeping an eye on our channels.", "Question: What are some recommended resources for studying regex, abstract syntax tree analysis, and other related areas for smart contract auditing?\n\nAnswer: There are several recommended resources for studying these topics. For regex and abstract syntax tree analysis, while we do not have specific resources, it would be beneficial to explore general programming resources or textbooks which cover these topics. As for smart contract auditing and related areas, here are some useful resources:\n\n1. Analysis Guidelines and FAQ by Code4rena: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118\n\n2. For beginners interested in smart contract bug bounty hunting, one can start with cryptozombies.io for learning solidity and capturetheether.com for Capture the Flag challenges. \n\n3. For the testing framework of Hardhat, the Codecademy Javascript testing module and the Alchemy University's Ethereum Bootcamp in week 4 are recommended.\n\n4. For strategies on auditing and gas optimization, you can start with resources such as cmichel.io/how-to-become-a-smart-contract-auditor and docs.code4rena.com/roles/wardens/tools-and-resources.\n\n5. The tools such as Mythril and Slither can be used for testing contracts downloaded from Github.\n\n6. 
For learning advanced solidity and defi industry standards, resources like The Ethernaut challenges and Damn Vulnerable DeFi are recommended: ethernaut.openzeppelin.com and www.damnvulnerabledefi.xyz/.\n\n7. For learning about solidity projects and how the accountings are done, this YouTube resource is beneficial: www.youtube.com/@smartcontractprogrammer.\n\nPlease note that these resources are recommended based on the queries and feedback of the users in our Discord chatroom. Always remember to use the guidelines and FAQ provided by Code4rena for any queries or confusion.", "Q: What is the process and timeline for receiving feedback on my submissions, and will I get penalized for too many unsatisfactory submissions?\n\nA: At CodeArena, we understand the concerns users have over receiving feedback and potential penalties for unsatisfactory submissions. Currently, there are no penalties in place for multiple unsatisfactory submissions. Feedback on your submissions is typically provided within a couple of months, once the contest has ended and the report is published. \n\nDuring the contest, only the team has access to submissions, but after the contest ends, those with the \"backstage\" role can access the findings repository to help with triaging. However, it is important to note that backstage access applications are currently suspended until further notice. \n\nIf a submission you made to a contest is not rewarded, there's a process to review why your submission was not accepted once the report is out and the repository is fully opened. This allows you to see the discussion among sponsors and judges on the specific issue you submitted. \n\nThere is a consideration to release all unverified submissions a few days after a contest ends for learning purposes to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. 
More details on this can be found in this forum post: [https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123)\n\nPlease note that the judging process can take anywhere from 2-4 weeks depending on the number of submissions and the complexity of the code. Also, keep in mind that findings submitted for contests may not always make it to the final report, and the reason might not be immediately known. \n\nIn conclusion, while we aim to provide feedback as soon as possible, the process requires thorough reviews and can take time. We appreciate your patience and understanding in this matter.", "Q: I applied for a backstage warden role through a help desk request but haven't received an email confirmation. Did you receive my request?\n\nA: Yes, we have received your help desk request for a backstage warden role. Please note that our team reviews these requests and might not get back to you until the first week in January. The process for becoming a backstage warden involves certain qualifications and a review process. You can find more information about this process and the qualifications required at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. After your request has been reviewed, a notification will be provided. In some cases, it might take 2-3 weeks to receive the KYC email after submitting an application to become a certified warden. This email is sent from compliance@provenance.company and might appear in your spam folder. If you haven't received an email within this timeframe, please contact us again. 
We appreciate your patience and interest in becoming a backstage warden at Code4Arena.", "Question: After my application to become a Certified Contributor was approved, are there additional steps I need to take?\n\nAnswer: Yes, after your application has been approved, there are additional steps you may need to take depending on your specific circumstances. If you believe you meet the criteria for backstage access, you can confirm your eligibility by submitting a help desk request at https://code4rena.com/help. If you have had a high finding and wish to apply for Certified+ status, you'll need to complete KYC (Know Your Customer) verification. \n\nPlease note that you can sign up with multiple accounts, as long as you only participate with one account. If you have completed the certification process with ProvenanceDAO and participated in more than 3 contests, you might also be eligible for an upgrade to Certified+. \n\nYou can always check your certification status by clicking your name to see assigned roles or through email communication. \n\nFor more detailed information on becoming a certified contributor or the specific certification process and constraints, please refer to the guidelines at https://docs.code4rena.com/roles/certified-contributors. If you're interested in applying to become a Certified Contributor, you can do so at https://code4rena.com/certified-contributor-application.", "Question: What is the recommended process for finding and reporting bugs during my audit submissions in CodeArena?\n\nAnswer: When making submissions, you should ideally find all bugs before creating your final report. For the reporting process, every issue found should be categorized by their type and severity, and then reported accordingly. \n\nQuality Assurance (QA) and gas findings should be in separate reports. For QA findings, all non-critical issues can be grouped together in one report for each contest. 
If you encounter multiple instances of the same issue, it's acceptable to report them as a single occurrence.\n\nFor gas findings, they should also be grouped in one report. If you find optimizations, it's advisable to create separate issues for each, as they will be judged individually.\n\nMedium and high severity bugs, however, should each be submitted in separate reports. If a single line of code has multiple exploitations, there is some ambiguity on whether to report it as a single bug or multiple, so use your best judgment.\n\nPlease also note that you can only submit one QA issue per audit, but you can edit the existing submission if you discover another error. All bug reports must be submitted before the audit closure.\n\nIf you have code that provides a proof of concept for each bug, consider adding a zip file to the submission or sharing a private Github repository. \n\nRemember, after clicking \"CREATE ISSUE\" in \"SUBMIT FINDING\", your form data is turned into a submission in the findings repository for the given contest, which will be evaluated by judges after the contest ends.\n\nYou can view examples of past submissions at https://code423n4.com/reports to get a sense of what a high-quality submission looks like. After your submission, you can view or edit it on the site for open contests. Results of submitted bugs are revealed once the report is made public.\n\nPlease keep in mind it's possible to submit issues as a team, but the exact process may need further clarification. \n\nPlease hold write-ups of issues or bugs until the final report is published. If necessary, you can alter the severity of reported bugs after the audit closing time by contacting one of the judges. 
\n\nIn the future, the platform is considering adding the severity of bugs to the emails sent after issue submission.", "Question: How can I get access to participate in a private contest on the CodeArena platform?\n\nAnswer: In order to participate in a private contest on CodeArena, you need to first become a certified warden. The process to become a certified warden is detailed in the Code4rena documents. Upon certification, your access to contests increases but it doesn't automatically grant you access to all private contests. Some private contests have specific prerequisites or require you to have a certain ranking on the leaderboard. The RSVPs for private contests are typically available in a channel that is only visible to certified wardens. If you meet these criteria and still can't access a private contest, you may need to submit a help desk request. Even after getting your Know Your Customer (KYC) approval, you might not have automatic access to certain private contests, especially if they've already been assigned. It's also important to note that private contests are only open to certified members and qualifications are described in the #\ud83d\udd96rsvp-certified channel. Some contests may be open only to those who participated in the original audit. To know if a contest is private or public, you can check the #\u270brsvp channel. To access the private audit contest page, follow this link: https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0\n", "Question: What are the recommended resources for learning about proxies, upgradeable contracts, and smart contract auditing?\n\nAnswer: For learning about proxies and upgradeable contracts, https://proxies.yacademy.dev/ is a highly recommended resource. If you're just starting out in the realm of smart contracts, platforms such as CryptoZombies.io and CaptureTheEther.com are excellent for grasping the basics of smart contracts and Solidity. 
\n\nWhen you're ready to delve into smart contract auditing, resources such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources can be extremely helpful. For those seeking advanced training, The Ethernaut challenges (https://ethernaut.openzeppelin.com/) and Damn Vulnerable DeFi (https://www.damnvulnerabledefi.xyz/) are recommended. \n\nFurthermore, to learn about gas optimization in auditing contracts, understand blockchain forensics analysis, and gain an insight into smart contract security through books and certifications, you may need to research more specific resources or communities.\n\nIt's also important to stay updated with the latest tools that can assist in auditing contracts. For instance, Mythril and Slither are popular tools for testing contracts downloaded from Github, while Surya (https://github.com/ConsenSys/surya) provides a graphical interface for observing smart contract interactions.\n\nRemember, in this ever-evolving field, continuous learning through diverse resources is key. Be sure to engage in discussions and challenges related to smart contracts and auditing, as this can enhance your understanding and skills.", "Question: How should I handle submitting gas optimization reports for a contest on CodeArena?\n\nAnswer: When preparing and submitting a gas optimization report for a CodeArena contest, there are a few crucial points to keep in mind:\n\n1. You don't necessarily need to find all possible gas optimizations before submitting your initial report. You can edit and add to your findings on the contest page under 'Your Findings' even while the contest is still open.\n\n2. It\u2019s recommended to report all your gas optimizations in one consolidated report for each contest. So, even if you have multiple findings, you should compile them all into one report. \n\n3. 
If you discover a gas optimization that can be applied to more than one line of code, it should be reported as one finding, mentioning all the lines where it can be applied.\n\n4. If the same type of issue (like a Reentrancy attack or the same type of gas optimization) is found more than once, it should be reported all together. \n\n5. It's not mandatory to specify the amount of gas saved for each optimization in your report. However, including this information could potentially earn you more points, as it provides more insight into the benefits of the proposed optimization.\n\n6. If you're using an optimizer, be aware that not all gas optimizations are valid. You should check the accepted findings and gas optimizations at the [C4 common issues repository](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md), and make sure not to include known or invalid issues in your report.\n\n7. Gas optimization reports should be submitted separately from Quality Assurance (QA) reports.\n\n8. While detail is important, the level of detail required for Gas Optimization reports is not as comprehensive as for high severity issues. You can refer to examples of top reports at the [CodeArena reports page](https://code4rena.com/reports) for guidance.\n\n9. Lastly, remember that high-quality, accurate reports from high severity down to gas optimizations are all eligible for rewards, providing there's a working proof of concept.\n\nIn short, your gas report should be consolidated, accurate, and as detailed as possible, and should be submitted separately from other kinds of reports.", "Q: What is the process for submitting an issue through the C4 website and how does it interact with GitHub?\n\nA: After locating an issue, you can report it using the C4 form on our website. 
Once you click on \"CREATE ISSUE\" in the \"SUBMIT FINDING\" section, the form data is converted into a submission that is then deposited into the findings repository for the particular contest you're participating in. \n\nDespite the fact that the C4 system automatically creates an issue on GitHub on your behalf, it's important to note that this is not linked to your personal GitHub account. However, you can still track the issue you've reported through GitHub from your own report. \n\nAfter your first issue is submitted, you need to edit it to see an ID at the end of the URL, which corresponds to the GitHub issue ID. However, your issue might not be immediately visible in the Issues in the repo created for the audit. \n\nIf you wish to submit an issue that involves various lines changed, you can send a git patch or a PR to the repo. If you have code that runs a proof of concept for each bug, you can consider either adding a zip file to the submission or sharing a private Github repository. \n\nYou can also submit issues as a team, although the exact process of doing so has not been clarified yet. If you\u2019re unsure about the severity of the issue you\u2019ve discovered, or if you believe your submitted bug severity needs to be increased, you can submit a help request to remove the original submission and then submit again via [code4rena.com/help](https://code4rena.com/help/). \n\nIf you accidentally submitted all your findings to the wrong contest, you should submit them again to the correct contest and fill out a form to let the C4 staff know about the incorrect submissions. The form can be found at [code4rena.com/help](https://code4rena.com/help/).\n\nFinally, the results of submitted bugs to the contests in Code4 are revealed once the report is made public. In the meantime, you can check previous reports at [code4rena.com/reports](https://code4rena.com/reports/) to see what a high-quality submission looks like. 
Each issue provides a link to the relevant Github issue.", "Question: How can I understand why a specific finding in the ArtGobblers competition was deemed unsatisfactory and how to improve my submissions in future contests?\n\nAnswer: In CodeArena competitions, findings are grouped and scored, with a 'C' score classified as unsatisfactory. The reasons for findings being rejected can vary, but these are usually provided in some form to assist participants in understanding areas for improvement. If you'd like to review previous competition findings, you can visit the dedicated Github page at https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137. \n\nHere, you can also find the \"Known Findings\" section which lists automated findings not accepted in the contests. Remember, specific findings should not be discussed until the report for the contest in question is published.\n\nYou can also compare your findings with winning reports at https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues for further insights. High-quality and high-quantity findings tend to score better in competitions. \n\nPlease remember that while you're allowed to submit findings you are unsure about, getting more than three reports rejected in a competition will prevent you from receiving any payout for that competition. So, it's crucial to ensure the validity and severity of your findings. Lastly, all findings should remain confidential until the contest is finalized, as per the submission rules.", "Question: How can I successfully run the GoGoPool contest on Windows?\n\nAnswer: To run the GoGoPool contest on your Windows system, you need to follow specific instructions. However, some users have reported issues running the contest directly on Windows, even after cloning the repository and trying to run it in VSCode. \n\nOne workaround that has proven successful involves using VirtualBox to run Ubuntu. 
Alternatively, you can try altering the command \"REPORT_GAS=true hardhat test\" in package.json for Windows cmd, or use a docker image. If these solutions don't work, you can try installing 'npm install foundry', as suggested by one of our users. \n\nIf you still face issues, we recommend participating in the office hour for GoGoPool. During this session, you can ask your questions and get real-time assistance. \n\nAdditionally, you may also consider running tests in the existing test environment or writing new test cases, instead of setting up full environments. If there's no test setup in the C4 repository, you might want to check the sponsor's GitHub for a potential test setup or pull out the code to test it in isolation. \n\nRemember to check https://code4rena.com/reports for reports from past contests and https://github.com/sseefried/c4-stats for accessing contest-related information. For any details regarding open competitions or upcoming contests, you can always visit https://code4rena.com/contests.\n\nPlease remember that these are suggestions based on user experience and solutions may vary depending on individual system configurations or unexpected issues.", "Q: I haven't received my payout from an early October contest. Can you explain the payout process and what I can do to track it? \n\nA: Payouts at CodeArena are linked to your Discord username and associated wallet address. Once a contest has concluded and reward amounts are announced, distribution of the awards take place. The payout process is not immediate as we use multisignature (\"multisig\") wallets which require signatures from multiple parties before funds can be dispatched. Eventually, we plan to distribute awards via smart contract once more elements are in place. \n\nIt's also worth noting that contest awards are usually transferred once per month, typically at the beginning of the month, and can take between 1-2 weeks after the announcement to be sent out. 
If a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week. There have been instances where there are delays in bounty payments, possibly due to holiday periods. \n\nTo track your payout, you can verify it by checking the wallet address you registered with on polygonscan.com or wallet trackers like debank.com. You can also check the announcement channel for updates on distribution. \n\nIf you need to update your wallet address, you can do so through the Help Desk at https://code4rena.com/help. Please note that if you change your wallet address, rewards will be sent to the wallet address on file at the time awards are calculated for an audit. \n\nIf your payout is still delayed after considering these factors, you can raise a request through the help desk for further assistance.", "Question: Are sandwich/front-running attacks considered as valid vulnerabilities and how are they evaluated and handled under CodeArena's competitions?\n\nAnswer: Yes, sandwich or front-running attacks are considered valid vulnerabilities and are within the scope of CodeArena's competitions. Various factors determine how these vulnerabilities are reported and evaluated.\n\n1. Sandwich/front-running attacks could be rated as Medium findings or QA, depending on the impact.\n2. If the same vulnerability is found in different components of the codebase, it might count as separate findings, although it's ultimately the judge's decision to determine if they're duplicates.\n3. A vulnerability in an out-of-scope contract that affects a main contract should be reported. It might be brought in scope by a judge or included in the C4 report as an unrewarded finding.\n4. If two separate vulnerabilities can combine to create a more powerful one, participants can submit a third finding explaining the proof of concept.\n5. Known issues can be leveraged to build a more complex exploit.\n6. 
If a vulnerability is found but hard to fix without significant changes to the protocol, it can still be reported. Recommendations for mitigation are appreciated but not required.\n7. Participants using automated tools for attack findings are required to provide a higher level of proof to demonstrate a relevant high or medium impact exploit path. More information on this can be found [here](https://github.com/code-423n4/org/discussions/50).\n8. There is a concern about fairness if sponsors have early access to vulnerability submissions, as they might use the information.\n9. Participants can learn from past contest reports, which reveal vulnerabilities. \n\nIt's important to note that the judgement on vulnerabilities may vary, and there can be instances where vulnerabilities are regarded as 'on the fence' in terms of their risk ratings. The severity of misjudging a vulnerability's severity is not explicitly answered, but for more insight, participants are recommended to read [here](https://github.com/code-423n4/org/discussions/34).", "Question: What does CodeArena's Mitigation Review process entail, and who is eligible to participate?\n \nAnswer: The Mitigation Review process at CodeArena is a stage where top participants from the original Invitational audit, known as \"wardens\", are invited back to review the mitigation measures for identified bugs. This process is often referred to as a \"Mitigation review contest\". Detailed information on this process can be found at https://code4rena.com/how-it-works and in this article: https://medium.com/code-423n4/a-look-at-code4rena-audits-mitigation-review-3e05f8b7acb7. \n\nParticipants are typically required to identify vulnerabilities and provide potential solutions or mitigation measures. These findings are then reviewed by the sponsor and a judge. If there's disagreement on the proposed mitigation between the participant, sponsor, and judge, the final decision lies with the sponsor. 
However, if a participant successfully identifies a bug or logical flaw that is approved by the judge, it's considered an achievement.\n\nOnly certified wardens are eligible to participate in the Mitigation Review process, and it is often limited to the top wardens from the initial audit contest. For example, in the Chainlink contest, the top three auditors were selected for the Mitigation Review. \n\nThe review process for findings begins immediately after the contest ends, involving a sponsor review, judge review, sponsor confirmation, judge's final report, and announcement of results. It's worth noting that mitigation recommendations from participants are not mandatory for the sponsors to follow. \n\nIn addition to this, participants have the ability to submit low-risk findings and report additional findings. They can also openly discuss issues with the sponsors before the contest is finished. There is a process established for participants to argue their case if their submission is rejected. \n\nIn future, CodeArena plans to have more contests featuring both an initial audit prize pool and a mitigation review pool. The review process is designed to ensure fairness and thoroughness in the evaluation of smart contracts submitted for auditing.", "Q: How can I improve my QA reports to achieve higher scores in CodeArena (C4) competitions? For example, my finding here was classified as valid and Non-critical but did not score high enough: https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137. \n\nA: The grading of QA reports in CodeArena competitions is based on both the quantity and the quality of the findings. Judges tend to favor reports that have a high-quality and high-quantity of findings, with less emphasis given to single items in a QA submission. Make sure your QA report is comprehensive, covers significant functionality, and is well-documented. 
Unclear explanations or paths to the finding can result in a low-quality classification.\n\nIt's also important to classify your findings properly. For example, any mismatch between documentation and code is mostly classified as a QA if it has no impact. Meanwhile, obsolete code or tests lacking coverage of significant functionalities may be worth listing as non-critical (NC) issues. You can gather insights and compare your findings with top QA reports from recent competitions, such as these ones: https://github.com/code-423n4/2022-04-backd-findings/issues/182, https://github.com/code-423n4/2022-04-phuture-findings/issues/56, and https://github.com/code-423n4/2022-04-dualityfocus-findings/issues/33.\n\nUltimately, strive for a good balance of quantity and quality in your submissions. If you have many non-critical findings, consider whether to compile them into one QA report or create multiple reports. However, be mindful of not submitting a high volume of low-quality reports.\n\nFeedback and improvement suggestions can also be found on specific competition pages on GitHub, like this one for the ArtGobblers competition where your finding was listed: https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137. You can also refer to the following links for more information on judging criteria and awarding: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nFinally, note that incorrect findings in a QA report can affect the grade. 
If you notice any inconsistency in judging, you can report it on GitHub at https://GitHub.com/code-423n4/rulebook/issues.", "Question:\nHow are Quality Assurance (QA) reports evaluated and what factors contribute to a high scoring report at CodeArena?\n\nAnswer:\nQA Reports at CodeArena are evaluated based on a combination of quantity and quality of findings. It's not just about the number of issues reported, but also about the severity, relevance, and the detailing of each finding. An individual item in a QA submission is unlikely to receive a high grade on its own, unless it's very high quality and custom to the specific contest. \n\nFor instance, two reports graded \"A\", one with 2-3 low findings and another with 5-6 low findings, would receive the same award. This implies that the grading is not solely dependent on the quantity of the findings but also on the quality. A poor-quality report with a high quantity of findings might not necessarily achieve a high grade. \n\nAlso, take into account that incorrect findings can negatively affect the QA grade. Therefore, accuracy and detail in your findings are crucial. The severity of an issue can be categorized as high, low, or QA, and the judges have the discretion to downgrade or upgrade the severity of the issues in your report. \n\nWhen you categorize an issue as low and put it in a QA report, but it is judged as medium, the reward might vary. The grading of a QA report can range right down to a 0 if a judge decides it merits that grade.\n\nLastly, it's important to consolidate your non-critical and low severity findings into a single QA report. 
While you may wonder whether to include findings that seem minor or non-critical, remember that all potential issues are worth mentioning if they are accurate, relevant, and well-detailed.\n\nFor further details on judging criteria and incentive model, please refer to the following links: \n- [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n- [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)", "Question: What's the best practice for naming and submitting findings in CodeArena's competitions? \n\nAnswer: In CodeArena's competitions, you are encouraged to name your findings with a number, such as [HIGH-1], [HIGH-2], [GAS-1] etc., to help judges easily identify and assess them. For gas optimization findings, although it's not mandatory, including the amount of gas saved for every finding can potentially increase points, as it provides proof of the efficiency of your solution. \n\nIf your finding is about gas optimization, all your related ideas should be compiled into one report and submitted as one issue. This includes findings that can be applied in more than one line of code; these should be submitted as one finding and mention all lines where they can be applied. All valid findings for gas optimizations are weighted the same. Remember, only one gas report should be published for a contest and if there are additional findings, the existing report should be updated.\n\nFor low-level, non-critical findings, and quality assurance (QA), you can submit one report for all your findings. However, for medium and high risks, each finding requires a separate report. High-quality and high-quantity findings tend to score better in competitions. 
\n\nIt's important to remember that all findings should theoretically cover all types of issues, from high, medium, low, non-critical, to gas-related issues. You will find examples of winning reports at https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues, which can provide more insight on how to structure and submit your findings.\n\nIf you're still unsure whether to submit findings as separate issues or as one, consider the severity and the category of the findings. For instance, a finding that is relevant to both QA and gas savings can be included in either report, and judges will decide where it best fits.\n\nRemember, your aim is to provide clear, concise, and insightful findings that can help improve smart contract code. Happy auditing!\n", "Question: How can one effectively understand the purpose of a smart contract code base and spot potential bugs, particularly for larger codebases, and what tools or methods should be used for this purpose?\n\nAnswer: Understanding the purpose of a smart contract code base generally requires reading the documentation, examining the README.md file, and having prior experience with similar code. For larger codebases, a more meticulous review is needed, and more time might be necessary to ensure no bugs are overlooked. \n\nFor auditing purposes, you should always read the README.md file for each contest, as it outlines what is in scope for auditing and what is not. It's also important to understand the relationship of interfaces to smart contracts in the overall system, and the nuances of solidity syntax and programming. \n\nVarious tools can be used to test code coverage and to spot potential bugs. However, it's important to note that results from automated robots like ChatGPT should be carefully reviewed, as they may not always be useful without the full codebase input. 
A thorough understanding of the code is key in differentiating between valid and invalid issues, particularly when assumptions made in the code are not explicitly mentioned in the documentation or code comments.\n\nIf you come across a discrepancy between the documentation and code, in majority of the cases it would be considered a QA issue, unless it has a significant impact on the code functionality. \n\nWhen documenting bugs, reports featuring a Proof of Concept (PoC) are often more persuasive, although it's not necessary for a PoC to be exact code. Bugs can be reported directly in the 'Proof of Concept' section of the report or linked from a private repository on Github, depending on the length of the code. Detailed guidelines on this can be found at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.\n\nLastly, when reporting bugs, it's good practice to reference the specific file and line number in the code. This makes it easier for others to locate the problem. However, be mindful of the difference between two distinct lines of code and the context in which they are used. \n\nRemember, understanding a codebase thoroughly might be a time-consuming process, but it's essential for a successful audit.", "Question: I've applied to become a warden on CodeArena's platform. How can I confirm that my profile was accepted and how can I edit my profile?\n\nAnswer: To confirm that you've successfully been given the warden role on CodeArena's platform, you can look for the wardens role on your profile. Moreover, if you are a Certified warden, your status can be marked as \"Available for Hire\". This can be done via the profile editing screen.\n\nHowever, only those who were certified when warden profiles were introduced have the ability to edit their warden profiles at this point. 
You can update your profile by adding a profile picture, twitter handle, etc., which can be requested via our help desk at https://code4rena.com/help.\n\nFor more information on how to become a Certified Warden and on how to participate in private contests, you can refer to the certification process at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. Remember, in order to appear on the leaderboard, your warden registration needs to be fully completed.\n\nOnce you're a certified warden, you can participate in contests by logging into your account. For those who are new or returning to C4, you can sign up to be a warden using Github and submit your findings using a username and password.\n\nTo get additional roles like the OG Warden status or to add qualifications, you can visit the warden registration page and make the required updates. But please note, it may take 2-3 weeks after application to receive the KYC email from compliance@provenance.company confirming your certified status. Do check your spam folder as well to ensure you don't miss it. \n\nFor further queries or to submit a report or an update to your warden profile, you can refer to the guidelines at https://docs.code4rena.com/roles/wardens/certified-wardens.", "Question: What is the process and benefits of getting certified with CodeArena, and how can I use it for professional and personal growth?\n\nAnswer: CodeArena offers a certification process that opens up various opportunities for participants. As a certified individual, you will have the ability to participate in private competitive audits, apply for Certified+ status, and join contests that require KYC (Know Your Customer) verification. Certified team members are also eligible for payouts if any submissions are awarded in contests. Furthermore, certification can potentially speed up your access to certain opportunities if you provide necessary KYC documents promptly. 
\n\nIn addition to these engagement opportunities on the platform, certification serves as a tangible proof of competency in the field of smart contracts, which can be beneficial for your professional development and reputation. Certified individuals also have the opportunity to contribute to the community by building tools, such as a website to display audit results, and there's a possibility of receiving C4 grants for such initiatives.\n\nHowever, certification is not the only way to demonstrate your expertise. Github profiles also serve as a valuable tool for showcasing your skills and past projects. It's also encouraged to participate in discussions about past project findings and suggest improvements.\n\nIf you're interested in becoming a certified warden, you can start by submitting the necessary documentation for verification. However, please note that all team members need to be certified to receive funds from partners like OpenSea due to anti-money laundering laws. \n\nFor individuals looking to expand their knowledge base, CodeArena community often shares resources on smart contract security, including books and certifications, which can aid in preparing for the certification process.\n\nMore details about the certification process can be found here: [Link to specific certification process page]\n\nRemember, certification is more than just a title, it's a passport to opportunities and learning within the CodeArena community.", "Question: What steps should I follow after successfully installing Foundry with \"npm install foundry\"?\n\nAnswer: Once you've successfully installed Foundry with \"npm install foundry\", you're ready to start using it for a variety of tasks. Foundry is a powerful framework for writing tests and comes with tools for checking things like storage. 
If your aim is to deploy a contract that takes a struct as an argument in the constructor, Foundry can assist with this.\n\nIf you encounter any errors while installing Foundry, it might be helpful to know that it can also be installed with Docker, and the 'forge i' command can be used to install dependencies. \n\nFoundry can also be used in conjunction with Hardhat. For this, a base template can be found at [https://github.com/foundry-rs/hardhat-foundry-template](https://github.com/foundry-rs/hardhat-foundry-template). The console.log function from the default Foundry library and Hardhat can be used to print local variables that are declared inside a function.\n\nAdditionally, Foundry can be used to fork data from a live network such as a main or test net, which it runs locally. This eliminates the need to grab testnet tokens for transactions or wait time on blocks.\n\nIf you're interested in seeing Foundry in action or learning more about it, there are a few useful resources available. Two YouTube links were shared for understanding the Foundry framework: [https://www.youtube.com/watch?v=Rp_V7bYiTCM](https://www.youtube.com/watch?v=Rp_V7bYiTCM) and [https://www.youtube.com/watch?v=EHrvD5c93JU](https://www.youtube.com/watch?v=EHrvD5c93JU). Additionally, you can check out the Codecademy Javascript testing module and Alchemy University's Ethereum Bootcamp in week 4.\n\nRemember, using Foundry is a great way to test scenarios in a local environment, an excellent alternative to public testnet. However, if there are issues, like the \"Source from artifact has no AST.\" error when running forge debug on a hardhat project with foundry integration, you might need to troubleshoot. Likewise, difficulties logging gas remaining after state variable update within Foundry might require further investigation. 
\n\nGood luck using Foundry for your smart contract audits and testing purposes!", "Question: How can I successfully run the tests in Visual Studio Code after cloning the GoGoPool contest repo from CodeArena, especially when having trouble installing Forge?\n\nAnswer: Running tests for the GoGoPool contest can sometimes be challenging due to various dependencies and platform-specific issues. Here are some suggestions based on the discussions in the CodeArena Discord chatroom:\n\n1. Ensure that you have cloned the whole repository, including all submodules. You can use the command `git clone https://github.com/code-423n4/2023-01-astaria.git -j8 --recurse-submodules` to do this. Replace the URL with the specific repository you're working with.\n\n2. Install the necessary dependencies, including Forge. If you're having difficulties, try using the npm command `npm install foundry`. Remember, the forge installation relies on git submodules, so ensure they are not lost during cloning.\n\n3. Consider writing new test cases or running tests in the existing test environment, rather than setting up a full new environment. This approach may help you avoid potential setup issues.\n\n4. If you are still encountering difficulties running the contest on Windows, consider using a workaround like VirtualBox running Ubuntu.\n\n5. For testing contracts downloaded from Github, you can use tools like Mythril and Slither available online.\n\n6. If you're working with Remix, consider including the contracts manually from OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate).\n\n7. For specific issue tracking and formatting, consider using the tool available at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers.\n\nRemember, the setup process for contest repositories can be time-consuming due to multiple interrelated contracts and limited documentation. 
Keeping patient, diligent, and leveraging community discussions can be very helpful.", "Q: I have confirmed my first bounty in my Code4rena account but it has not yet appeared in my wallet. Could you provide further details on the bounty payout process and when I can expect to receive my bounty?\n \nA: Once a submission is confirmed and reward amounts are announced, the bounty will be transferred to the wallet address associated with your Code4rena account. The payout process may sometimes be delayed, for instance due to DAO employees being on holiday. It's also important to note that final reports of a contest might not appear immediately on the Code4rena site, so it is recommended to wait until the full public report is published.\n\nYou can update your payment address in your C4 account at any time before the reward payout as necessary. If you forgot your wallet address or need to check if you had submitted one for rewards, you can refer to the email sent when the bug report was submitted or use the help form at [Code4rena Help Desk](https://code4rena.com/help).\n\nIn the case of multiple auditors reporting the same bug, each auditor may get a portion of the bounty. Biconomy rewards usually take 1 to 2 weeks after the announcement to be sent out.\n\nFor further details on the process, refer to the [Code4rena documentation](https://docs.code4rena.com/). If you have any other questions or issues, for example, if your C4 wallet is hacked, you should submit a request via [Code4rena Help Desk](https://code4rena.com/help/) for assistance.", "Question: If I make a single valid and decent quality Quality Assurance (QA) finding, could it still be considered unsatisfactory and result in no payout?\n\nAnswer: Yes, it is possible for a single QA finding to be considered unsatisfactory and result in no payout. At Code4Arena, the quality and quantity of submissions both play a role in grading QA reports. A single item in a QA submission is less likely to receive a high grade. 
Additionally, incorrect findings can affect the QA grade. If a judge determines a submission merits a 0 grade, it is possible for that submission to receive no reward. However, if a finding is submitted as low in a QA report and judges determine it to be of medium risk, it could be eligible for medium rewards. It\u2019s also crucial to remember that all QA reports graded \"A\" receive the same award, regardless of the number of low findings. Ensure your findings are accurate and well-substantiated to increase your chances of achieving a satisfactory grade and reward. For more information, please refer to our judging criteria [here](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and our incentive model and awards [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: How can I use and troubleshoot Foundry in the context of smart contract testing?\n\nAnswer: Foundry is a versatile framework used for writing tests for smart contracts and it provides other tools to assist in checking aspects like storage. It can be installed with Docker, although some users have reported issues with this approach. If you encounter problems, the community may be able to provide assistance. \n\nFoundry allows you to write projects even if you use Brownie for testing. It can be used in a project that employs Hardhat, with a base template available at this [GitHub link](https://github.com/foundry-rs/hardhat-foundry-template). \n\nUsers can use Foundry to fork data from a live network such as a main or test net, and once forked, it runs locally. This provides an effective method for testing scenarios in a local environment, providing an alternative to public testnet. \n\nThere are some known issues with opcode support in Foundry and users have had trouble executing foundry fork testing in the polygon POS network. 
To help address these challenges, two YouTube links were shared that might help in understanding the Foundry framework: [video 1](https://www.youtube.com/watch?v=Rp_V7bYiTCM) and [video 2](https://www.youtube.com/watch?v=EHrvD5c93JU). \n\nIf you're having issues with the number of cases generated by Foundry fuzz, you can adjust this using the information provided [here](https://book.getfoundry.sh/reference/config/testing#fuzz). \n\nRemember, to use tools like 'slither' alongside Foundry's remappings, it's necessary to identify those remappings for Slither. If you're looking to log gas remaining after the state variable update using Foundry, you may encounter some difficulties, though Hardhat and Foundry can be used to print local variables that are declared inside a function using console.log. \n\nFor specific issues such as deploying a contract on Foundry that takes a struct as an argument in the constructor, or if you're trying to send ether with the constructor while deploying a contract in Foundry, you may need to seek out specific advice from the community, as these topics can get quite technical.\n\nLastly, when running forge debug on a Hardhat project with Foundry integration, if you happen to come across the \"Source from artifact has no AST.\" error, know that you're not alone as this issue has been reported before.", "Q: I'm facing issues with the installation and running of Foundry on my system. I don't have Brew or a Linux distribution. How do I get around this?\n\nA: There are several steps and alternatives you can consider. If you're running on a non-Linux system, you might want to consider using Windows Subsystem for Linux (WSL2) and switching to Ubuntu 20.04, which has been suggested as a reliable solution for running CodeArena (C4) contests and fixing certain software installation issues.\n\nYou can also consider using Docker to run Foundry. 
While we don't have specific instructions for this, there have been discussions in our chat about installing Foundry with Docker, so you might find helpful tips there.\n\nTo start with the installation, you could try the `npm install foundry` command which has been suggested as a possible solution in our chat. This should help you get Foundry installed, irrespective of your operating system.\n\nAfter installing Foundry, remember to use the `forge i` command to install dependencies, as this ensures your libraries aren't lost, considering that the forge install command relies on git submodules.\n\nFor automated findings, you can alter the command \"REPORT_GAS=true hardhat test\" in package.json for different operating systems. This, however, might require you to have a basic understanding of how to use terminal commands, such as 'git diff' and backticks in reports.\n\nIf you're still facing issues, you can consider running tests in the existing test environment or writing new test cases. If there's no test setup in the C4 repo, you could check the sponsor's GitHub for a potential test setup, or pull out the code to test it in isolation.\n\nRemember, if you're facing issues with software like 'Yarn', you can try reinstalling it to fix some of your problems. If you're using Windows, you might run into certain issues with installations, and switching to Ubuntu 20.04 via WSL2 is recommended.\n\nLastly, always ensure you've cloned the correct repository for the contest. For example, use a command like `git clone https://github.com/code-423n4/2023-01-astaria.git -j8 --recurse-submodules` to clone necessary files and avoid analyzing the wrong code.\n\nPlease remember, these are suggestions based on common solutions discussed in our chat. 
They may not work for everyone, and further online research might be necessary to find a solution tailored to your specific problem.", "Question: What methods can I use to run tests and troubleshoot issues with the CodeArena contest setup?\n\nAnswer: There are several approaches and tools you can employ to run tests and troubleshoot issues with the CodeArena contest setup. \n\nIf you are having difficulties running the contest with the provided instructions, you may consider using existing test cases in the current testing environment. Alternatively, you can write new test cases, especially when verifying if a bug is valid. \n\nIn case there is no test setup in the CodeArena repository, you might want to check the sponsor's Github for a potential test setup or isolate parts of the code to test in a separate environment. \n\nIf the contest involves the GoGoPool, there are specific instructions that need to be followed. For instances where projects are written in Brownie for testing, there was a question about whether they can be written in Foundry, a framework that offers tools to assist in checking things like storage. If you want to run the contest, installing Foundry by using 'npm install foundry' could potentially be a solution.\n\nConcerning automated findings, there is a tool that is run by the platform but it is not specified if this tool is available to run locally. In addition, there was a question about submitting the same issue that was found with the automated finding but in a different instance.\n\nIf you're working with contracts downloaded from Github, resources are available for testing these contracts with tools like Mythril and Slither. \n\nFor the Maple-core repo, HEVM tests are set to use 100 fuzz runs. Keep in mind that this could take hours for first-time test runs. 
It is recommended to use 1 fuzz run for the first test and increase to 10-100 fuzz runs for subsequent local tests.\n\nFinally, if you encounter issues related to submitting findings, you may want to modify your submitted findings. If you're having trouble submitting findings for the Escher contest and see 'No findings submitted for this contest' despite having submitted your findings, it would be worth reporting this issue for further investigation.\n\nNote: This information is derived from common queries and advice given by participants in the CodeArena Discord chatroom. Always refer to official documentation and instructions for definitive guidance.", "Question: What are the steps to follow after installing Foundry using \"npm install foundry\"?\n\nAnswer: After installing Foundry using \"npm install foundry\", you can consider several next steps based on your project requirements. Foundry is a framework for writing tests and provides tools for checking aspects such as storage. \n\nIf you're looking to deploy a contract that takes a struct as an argument in the constructor, you might need specific guidance. However, generally, you can use the `forge i` command to install dependencies as it relies on git submodules, ensuring the libraries are not lost.\n\nFor those implementing Foundry in a project that employs Hardhat, a base template can be found at https://github.com/foundry-rs/hardhat-foundry-template. Tools like Hardhat and Foundry can be used to print local variables that are declared inside a function using console.log. \n\nIf the project uses Brownie for testing, it is possible to write the project in Foundry as well. You can also use Foundry to fork data from a live network such as a main or test net, and once forked, it runs locally.\n\nFor better understanding, two YouTube links were shared in our community: https://www.youtube.com/watch?v=Rp_V7bYiTCM and https://www.youtube.com/watch?v=EHrvD5c93JU. 
The videos provide a comprehensive guide to understanding the Foundry framework.\n\nPlease note that specific issues have been reported about \"Source from artifact has no AST\" error when running forge debug on a hardhat project with foundry integration and executing foundry fork testing in the polygon POS network. If you encounter these, seek help from the community.\n\nRemember, Foundry is not just a testing tool; it can be used for testing scenarios in a local environment, providing an alternative to public testnet. This makes it an excellent tool for auditing smart contracts.\n\nFor those who want to learn more, recommendations for learning the testing framework of Hardhat include the Codecademy Javascript testing module and the Alchemy University's Ethereum Bootcamp in week 4. There's always more to learn, so don't hesitate to ask in the community if you need more specific guidance.", "Question: \nWhat is the relationship between gas optimization and gas reports, and how should they be compiled and submitted?\n\nAnswer: \nGas optimization and gas reports refer to the same process in contract auditing. It's the systematic identification and documentation of potential areas where the gas usage of a smart contract can be reduced. All relevant findings related to gas optimization should be compiled into one report, and multiple ideas or suggestions for gas optimizations can be documented separately but must be merged into this single report. \n\nWhile all valid findings for gas optimizations are weighed equally, it's not always necessary to specify the amount of gas saved for each optimization; however, including this detail can potentially increase points. The necessity for this specification depends on the judge's decision. The level of detail required for Gas Optimization reports is not as extensive as for high severity issues, but examples of highly rated reports can be found at https://code4rena.com/reports. 
\n\nIf a finding relates to both QA and gas savings, it can be included in either report, and ultimately, the judges will decide where it best fits. If you have more than one finding to report for gas optimization, these should be combined into one report. This can be done by visiting the contest page and clicking the 'Your Findings' button. \n\nIt\u2019s worth noting that not all gas optimizations are valid when the optimizer is enabled. This can create some confusion around what should be reported. In such cases, only those optimizations found in the generated report are considered invalid; all others can be found at https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md. \n\nLastly, for low and non-critical reports and gas optimizations for specific contracts like the Badger Citadel, these should also be submitted through the same form. If there's any confusion or need for clarification on gas optimization, users are encouraged to ask for help within the community.", "Question: What can I do if Foundry isn't functioning as expected, and what additional resources are available to understand and troubleshoot Foundry?\n\nAnswer: If Foundry isn't working as expected, you can try using a virtual box and Linux. Additionally, if you're facing opcode support issues, you can try using Hardhat for testing your project. Foundry is a powerful framework for writing tests and checking elements like storage. \n\nStill, there have been instances where users faced difficulties with installation, especially when trying to install Foundry with Docker. If you're encountering an error like \"Source from artifact has no AST\" when running forge debug on a Hardhat project with Foundry integration, you're not alone. It might be beneficial to consider using Hardhat in such cases.\n\nFoundry can be beneficial for testing scenarios in a local environment, offering an alternative to public testnet. 
It can also be used to fork data from a live network such as a main or test net, running locally once forked. If you're struggling with Foundry fork testing in the Polygon POS network or trying to log gas remaining after a state variable update, you might find utilising Foundry for local forking a more straightforward solution. \n\nFor projects using Hardhat, Foundry can be beneficial, and a base template for this integration can be found at https://github.com/foundry-rs/hardhat-foundry-template. \n\nIf you're new to Foundry, the following YouTube links can provide an understanding of the Foundry framework and how to use it effectively: https://www.youtube.com/watch?v=Rp_V7bYiTCM and https://www.youtube.com/watch?v=EHrvD5c93JU. \n\nRemember, while Foundry is a powerful tool, it isn't the only one. Hardhat and Truffle are also excellent frameworks for smart contract testing and development. It's also worth noting that the default Foundry comes with `console.log` in the library, and you can always use 'npm install Foundry' as a potential solution for running the contest.\n \nHowever, if you have any unique scenario such as deploying a contract on Foundry that takes a struct as an argument in the constructor or looking for an equivalent for \"upgrades.deployProxy\" from Hardhat in the context of Foundry, please refer to the GitHub link: https://github.com/chugsplash/chugsplash-foundry. \n\nIf you still encounter difficulties, don't hesitate to ask for help in the chat or open a help desk request at https://code4rena.com/help/.", "Question: I'm new to auditing and interested in Code4Rena's audit contests. Where can I find a recent report and learn more about participating in future contests?\n\nAnswer: Welcome to the world of smart contract auditing! You can find recent audit reports on the Code4Rena website at https://code4rena.com/reports, which are sorted by publication date. 
If you're new, it's suggested to start with reports from smaller bounty contests due to their less complex codebase.\n \nAdditional resources are available at https://docs.code4rena.com/ and for specific information about joining an audit contest, visit https://docs.code4rena.com/roles/wardens. To see examples of top-winning reports, you can check https://code4rena.com/reports. \n\nIn terms of upcoming contests, they are listed on the CodeArena website: code423n4.com and to register as an auditor, you can sign up at https://docs.code4rena.com/roles/wardens. If you're interested in participating in invitational or restricted audits, more information can be found at https://docs.code4rena.com/roles/certified-contributors.\n\nTo stay updated on new reports and contests, there's a suggestion to have an announcements-like channel named #audit-reports where a new message is posted whenever a new report gets published on the CodeArena website. \nFinally, if you need any further help, don't hesitate to ask at https://code4rena.com/help. Happy auditing!", "Q: How should I report gas optimizations in the CodeArena auditing contests?\nA: When participating in CodeArena auditing contests, you should document all your gas optimization findings and compile them into one single report. You can add more findings to this report by navigating to the contest page and selecting the 'Your Findings' button. \n\nIt's important to note that not all gas optimizations are valid, especially when the optimizer is enabled. Therefore, it's advised to only include those optimizations which you firmly believe to be valid in your report. Also, gas optimizations reported inside view/pure functions are acceptable. \n\nIf you discover a gas optimization that can be applied to multiple lines of code, you should still report it as one finding but remember to mention every line where it can be applied. 
Specifying the amount of gas saved for each optimization is not mandatory, but it could increase your points and make your report more informative. \n\nYou can find a list of valid and known gas optimizations on https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md. Be aware that known issues should be excluded from your report. \n\nPlease remember to only submit one gas optimization report per contest. If you encounter an error message when trying to submit your report, it might be because you've already made a submission. In such a case, you can edit your existing report to add new findings. \n\nFinally, if you're unsure about a certain gas optimization or the submission process, you can always ask for clarification in the chat. We're here to help!", "Question: Does 1inch, when executing the getRateToEth() method, retrieve the aggregated price in the native coin being called, or does it just get the rate to ETH for all chains?\n\nAnswer: Unfortunately, there isn't a clear answer available at the moment regarding whether 1inch retrieves the aggregated price in the native coin for the getRateToEth() method, or if it just gets the rate to ETH for all chains. However, we do know that 1inch is a DEX aggregator that is frequently recommended for the swapping of ERC tokens due to its cost-effectiveness (https://app.1inch.io). It's also worth noting that the specific chains accepted for payment from the sponsor side were not explicitly mentioned in our community discussions, which included Ethereum's L1, as well as other L1s/L2s. To gather more information, we recommend reaching out to 1inch directly or consulting their documentation for more specific details.", "Question: How do I receive and manage my USDC rewards in my wallet?\n\nAnswer: All rewards on CodeArena are distributed in the cryptocurrency USDC over the Polygon network. If you've won a contest or your report has been accepted, USDC will start flowing into your wallet. 
However, to manage your USDC, you'll need to ensure it's visible in your wallet; if using MetaMask, this might involve swapping networks to Polygon or manually adding USDC on Polygon to your wallet. Here's a link to a section of the USDT token code that might be relevant: [https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95](https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95). \n\nIf you choose to convert your USDC rewards to another cryptocurrency, such as BTC, you can do so via platforms like Coinbase. Also, remember to add your payment wallet to your CodeArena account to receive payouts. Despite some concerns raised about USDC that are discussed in this article: [https://taibbi.substack.com/p/the-financial-bubble-era-comes-full?utm_source=substack&%3Butm_campaign=post_embed&%3Butm_medium=email&utm_medium=email](https://taibbi.substack.com/p/the-financial-bubble-era-comes-full?utm_source=substack&%3Butm_campaign=post_embed&%3Butm_medium=email&utm_medium=email), CodeArena still uses USDC for its rewards system. \n\nIf you're having issues seeing your balance, it might be a wallet issue or a potential security concern, in which case, you should take appropriate measures to secure your wallet and keys. Regardless of wallet settings, funds will always be sent to the user's address and the user controls the key to that address. To move the funds, you'll need to send a transaction on Polygon.", "Question: What happens when I submit a support ticket through the CodeArena website and how can I follow up if I don't receive a response or notification?\n\nAnswer: When you submit a support ticket through CodeArena's website, the process includes a confirmation that your request has been received. However, note that you may not always receive an email notification upon submission. 
If you have any concerns or don't receive feedback, you can open a help desk request at [https://code4rena.com/help](https://code4rena.com/help) to track the status of your submission or report any issues. If you encounter difficulties while submitting the request via the support form, you can also forward your request to submissions@code4rena.com. Please bear in mind that help desk tickets usually get reviewed within a week. In case of critical issues where the 'Create Issue' button does not respond, or if you don't receive an email after submitting a finding or registering, please submit a Help Desk request as well. Rest assured, the support team responds to user requests and may even send friend requests to sort out the issues.", "Question: Can you provide a detailed explanation about [G-02] STATE VARIABLES CAN BE PACKED INTO FEWER STORAGE SLOTS and [L-05] CRITICAL ADDRESS CHANGES SHOULD USE TWO-STEP PROCEDURE in the context of smart contract audits?\n\nAnswer: \n1. The [G-02] regulation pertains to the concept of packing state variables into fewer storage slots in Solidity programming. Solidity stores state variables in 32 bytes storage slots. For instance, a single uint256 would occupy one slot, but if declared next to each other, four uint64s can fit into one slot. An interesting fact here is a bool variable, though only one byte, takes up a whole storage slot unless it is next to an address (which is only 20 bytes) allowing it to fit in one slot. The GSSET opcode is used to set the value of a storage slot, specifically when the storage value is set to non-zero from zero. When a function modifies both the bool and the address, it only has to call the GSSET opcode once, thereby reducing gas costs. You can learn more about this at https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html. 
GSSET and GSRESET definitions, related to setting storage from 0 to non-0 and from non-0 to non-0, respectively, can be found at https://ethereum.github.io/yellowpaper/paper.pdf page 27. \n\n2. [L-05] advocates for using a two-step procedure for critical address changes. The potential error of passing in the incorrect address can be avoided using a two-step change, which is considered safer and better practice. Context is crucial when reviewing the severity of issues related to state variable changes in smart contracts. For example, in the case of upgradeable contracts and storage variables, adopting a two-step approach could be necessary. \n\nWhile the above answer provides high-level guidance, it's important to remember that the implementation can be context-specific and can also depend on the specific requirements of the smart contract.", "Question: If I create a support ticket on the CodeArena website, should I expect a notification via email confirming receipt of my ticket, and can I use this feature for queries about different issues?\n\nAnswer: When you create a support ticket at CodeArena through https://code4rena.com/help, you should typically receive an email confirmation indicating that your ticket has been successfully received. However, there are instances where a confirmation email might not be sent, so if you do not receive a confirmation, you can check the status of your request at the help desk. You can create a help desk request for different issues, such as assistance with registration, notifications about your submissions, discrepancies in reports, status updates, changes in account details, or requests for backstage access. If you have issues with your request, you can forward it to submissions@code4rena.com. Please note, however, that you may not receive an email notification for updates on issues. Also, you can submit QA reports via help tickets if they exceed the character count for regular submissions. 
If you do not get any reply to your KYC application within five business days, you can raise a help request through the form on the company's website. The CodeArena team is dedicated to responding to user requests and may even send friend requests to help sort out issues.", "Question: What is the procedure and potential consequences if we find and report a high or medium severity vulnerability after the CodeArena contest has ended? Will these late discoveries be rewarded?\n\nAnswer: At CodeArena (C4), if you uncover a high or medium severity vulnerability after the contest has ended, we highly encourage responsible disclosure to the development team. However, such vulnerability reports will not be rewarded by C4 outside of the contest timeframe. The decision to reward or acknowledge such contributions remains at the discretion of the individual development team. \n\nIf no high or medium vulnerabilities were discovered during the contest, the remaining funds from the contest are divided among participants based on the Quality Assurance (QA) report curve. This is an exception rather than the norm, as most contests yield at least medium vulnerabilities. \n\nIt is worth noting that all submissions from the contest, including potential exploits, may be made publicly available once they have been rectified. This openness serves the dual purpose of transparency and learning for all participants. \n\nIn the rare case where you believe a vulnerability has been incorrectly classified and may be more severe, such misclassifications can be addressed during the contest period either through the submission form or by contacting one of the judges. \n\nLastly, if you have concerns about potential misuse of early access to vulnerability submissions by sponsors, C4 addresses this fairness concern by restricting access to these submissions until after the contest results have been finalized. 
\n\nFor an example of a contest with only low vulnerabilities, you can refer to this previous contest report: [https://code4rena.com/reports/2021-11-fei](https://code4rena.com/reports/2021-11-fei)\n", "Question: How are public and private contests at CodeArena, such as the USDC reserve contest, conducted and how can one participate?\n\nAnswer: CodeArena hosts both public and private contests. Public contests, like the Frankencoin contest, Ethos Reserve contest, and the ENS contest, are open for all to participate. Private contests, such as the Reserve mitigation review contest and the Party Protocol, require you to be a certified warden. \n\nTo learn if a contest is public or private, you can check the #\u270brsvp channel. If the contest details are available in the public RSVP channel, it\u2019s a public contest, while private contests have their RSVPs posted in a channel visible only to certified wardens. \n\nThe contests are competitive, with the highest performing wardens being invited to the Versus contests. For instance, in the Caviar contest, the highest-ranking wardens from the open contest are assigned to the Mitigation Review. The details about the duration and the prize amounts for each contest are shared in the respective contest's details.\n\nPayments for contests are made in the cryptocurrency USDC on the Polygon network. An example was given of a contest that had a $67,500 USDC main award pot and a $7,500 USDC gas optimization award pot. Notably, the prize amounts for a contest also include a judging pot.\n\nWhile contests are announced regularly, the application for KYC approval does not automatically grant access to private contests. To participate in private contests, you need to meet certain prerequisites or metrics. 
Please note that despite the contest details being restricted, participation in a 'Versus contest' without an invite will not lead to receipt of rewards for findings.\n\nTo stay updated about upcoming contests, watch out for announcements in the chat room and on the website. As an example, the next public contest was scheduled to begin on February 16th. New contests are expected to take place in the coming month, some even with high prizes, similar to the $1M opensea contest. \n\nYou can find more details on CodeArena's official website [insert link].", "Question: What happens to the classification and potential rewards of a finding if it is submitted at one severity level but judges assess it differently?\n\nAnswer: If a finding is submitted at a certain severity level, but the judges assess it to be of a different severity, they have the discretion to adjust the classification as they deem fit. This means, for instance, if a submitted finding is classified as medium but is assessed by the judges to be high severity, it can be upgraded unless there's a reason to penalize it, such as the submission being incomplete, lacking detail, or not as accurate. However, if a submitted high severity finding is assessed as lower risk, the issue might be downgraded. Regardless of downgrading, you will still be awarded for the found issue, unless the judges invalidate it for overinflating severity. \n\nIt's also important to note that if a low severity finding is escalated to a high severity, it is not automatically invalid. However, strong evidence must be provided to demonstrate a relevant high or medium severity exploit path in order to be considered satisfactory. 
The criteria for judging such cases is explained at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nIf your finding is selected for inclusion in the final audit report, you'll receive a 30% share bonus. This applies to each unique high or medium finding, as per [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards). \n\nIf you're uncertain about the severity of your finding, it's recommended to make a case to the judge in your submission. Be mindful of the potential severity of loss caused by the issue, as this tends to guide the classification of findings: the risk of total reward loss often corresponds to medium or high severity, while the risk of some reward loss usually implies medium severity, and loss due to roundings (a negligible amount of rewards) generally points to QA severity. \n\nRemember, the judge's evaluation will take into consideration a variety of factors, including the specific contest and the severity of identified issues in submitted reports. You will receive feedback from the judge if your submitted finding is marked as invalid.", "Question: What happens to the rewards when the severity of a bug submitted in the QA report is re-evaluated by the judges? \n\nAnswer: Rewards for bug findings in the QA report are dependent on the re-evaluation by judges at CodeArena. If a bug is submitted as low severity but the judges determine it's medium, the finding will be eligible for medium rewards. The severity of the bug is determined by the potential loss caused by the issue. If all rewards can be lost, it's likely to be classified as Medium or High. If there's a risk of losing some rewards, it's probably Medium. If a negligible amount of rewards can be lost due to roundings, it's probably QA. 
If the principal can be stolen without needing extra requirements, it's likely High. If a High severity bug is downgraded to Medium, the reward for a Medium bug is still received unless the submission is invalidated for overinflating severity. \n\nOn the other hand, if a bug is submitted as Medium and it's upgraded to High, it will be eligible for High rewards unless there's a reason to penalize it (like if it's incomplete, lacking detail, or not as accurate). \n\nHowever, if no High or Medium severity issues are found, the entire reward pool will be divided based on the QA Report curve. For example, if a contest's bot report ranks an issue as low but a participant escalates it to high and provides strong evidence, the issue is not automatically invalid. Submissions based on automated tools must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory. \n\nSimilarly, if a medium severity bug is actually deemed high, it gets raised to high unless there's a reason to penalize it. The reward for a Medium/High finding can be calculated using the formula provided in this link: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. \n\nTherefore, the key point is to accurately identify and report the severity of the bug to maximize your potential rewards. Please refer to the guidelines on https://docs.code4rena.com/awarding/incentive-model-and-awards and https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues for further information.", "Q: How can I confirm that my Know Your Customer (KYC) process for becoming a certified warden at Code4rena (C4) has been completed successfully?\n\nA: Once you've completed the Know Your Customer (KYC) process for becoming a certified warden, the confirmation of its successful completion is communicated by Provenance to Code4rena (C4). 
However, it's important to note that the timing for receiving confirmation can vary. Typically, it can take 2-3 weeks to receive a KYC confirmation email after submitting your application. This email is sent from compliance@provenance.company and may appear in your spam folder. In case you're uncertain about the status of your KYC process, you can submit a help desk request to track its status. Moreover, keep in mind that not all KYC applications are approved, and reasons for rejection may not always be communicated.\n\nMore information about the application process to become a certified warden can be found at https://docs.code4rena.com/roles/certified-contributors and the application can be submitted at https://code4rena.com/certified-contributor-application/. Having a certified warden status will grant you backstage access to findings soon after an audit, among other benefits. However, this status also requires you to complete Non-Disclosure Agreement (NDA) procedures for security reasons.", "Question: How does the OFAC sanctions screening and the KYC process for becoming a certified warden at CodeArena work?\n\nAnswer: CodeArena (C4) employs a Know Your Customer (KYC) process as part of the certification for wardens. \"OFAC sanctions screening\" is often referred to in the context of this KYC process, which involves sending your identity for verification. C4 delegates this KYC task to Provenance, which is involved in the verification process. \n\nIf you wish to become a certified warden, you can apply for KYC certification. After your Provenance application is approved, you can expect to receive an email from Provenance and C4. If a user is certified and has applied for KYC, they will receive an invitation link via email from Provenance. \n\nThe specifics of the OFAC sanctions screening aren't entirely clarified. However, it's mentioned that there are certain restrictions in place for the KYC process, primarily OFAC sanctions and background checks. 
\n\nTo apply for Certified+ after a high finding, one must have completed KYC (Know Your Customer) verification. It is also worth noting that all wardens registered prior to the OpenSea contest announcement are eligible for certification.\n\nThe timeline for receiving KYC mail after submitting an application to become a certified warden has been a topic of discussion, but it has been stated that confirmations would be processed over the next couple of days. \n\nIf you wish to participate in an audit, KYC certification may be required. This information will be specified in the applicable channels. For additional help or inquiries about the KYC process, you can reach out in the relevant channels on the Discord chatroom. \n\nPlease remember, handle registration is mandatory to submit anything, and that a section for qualifications has been added to the warden registration page due to an increase in new warden registrations.", "Question: Can you explain what the OFAC sanctions screening process is in the context of the OpenSea contest run by CodeArena and how does one become certified to participate?\n\nAnswer: The OFAC sanctions screening is related to the Know Your Customer (KYC) process required for participation in the OpenSea contest held by CodeArena. This process is a part of the certification required to participate and receive prizes from the contest due to anti-money laundering laws. \n\nWhile the specifics of the OFAC sanctions screening aren't always clarified in detail, it includes ID verification and background checks, among other things. This is a crucial part of the certification process for wardens participating in the contest. \n\nTo become certified, participants need to complete the form at https://code4rena.com/certified-contributor-application and go through the ID verification process. This process is run on behalf of CodeArena by Provenance. 
\n\nIt's important to note that the OpenSea contest was a unique case where a larger than normal prize pool was involved, leading to an increased emphasis on these procedures. All wardens registered prior to the OpenSea contest announcement were eligible for certification, and it is expected that the qualifications section in the warden registration page was to return to normal following the conclusion of this contest. \n\nFor future contests and details on the process, you can refer to the Code4rena documents. The specific requirements might vary depending on the nature and scale of the contest, so always keep an eye out for specific instructions in contest announcements and make sure to familiarize yourself with the submission policy and judging criteria as outlined in the docs at: https://docs.code4rena.com/roles/wardens.", "Question: How does calling a contract's own function, such as \"InterfaceA(address(this)).functionA();\", affect the msg.sender value and the behavior of the contract in terms of gas optimization, internal function access, and contract interaction?\n\nAnswer: Calling a function in this manner-\"InterfaceA(address(this)).functionA();\" is considered an external contract call. This would indeed change the 'msg.sender' value inside the function, setting it to the contract itself because it's an actual call as opposed to a jump. \n\nThis call pattern can influence contract behavior in a number of ways. For instance, it may increase gas costs, especially when calling a view/pure function from a non-view/non-pure function within the same contract. \n\nAs for the access to internal functions, a child contract would need to be created and utilized like a wrapper to enable a user to directly call internal functions. 
Furthermore, if you're dealing with protocols that have more functions in the interface than are used in the code, it's worth mentioning as it can affect contract interaction on-chain.\n\nIn addition, you should consider the effect of calldata arguments. They are often used for external/public functions but can also send calldata data pointers to internal and private functions, broadening the scope of function interaction. This can be particularly useful when you need to access the state variable of a different contract by calling the specific instance of the contract being queried.\n\nBear in mind that the calling convention used in the web3 console might differ from what is actually called on the contract in the Ethereum Virtual Machine (EVM). Thus, the practical impact of these calls can vary, and any unusual behavior, even if seemingly inconsequential, should be reported for quality assurance.\n\nIt's important to understand these nuances when dealing with smart contracts, particularly when aiming for gas optimization, handling inheritance between contracts, and interacting with other contracts on-chain. More detailed information about these topics can be found on resources such as the Ethereum StackExchange (https://ethereum.stackexchange.com/questions/68519/creating-a-new-contract-specifying-a-sender-and-value-with-factory-pattern).", "Q: I've successfully completed KYC with CodeArena, but I'm unsure about the OFAC sanctions screening for the OpenSea contest. I've also not seen any role or anything attached to my KYC approval. What should I expect?\n\nA: After successfully completing the KYC (Know Your Customer) verification process, which is required for certain contests such as the OpenSea contest, there may be a delay before you see any changes. This is because KYC confirmations are processed over a period of a few days. \n\nThe term \"OFAC sanctions screening\" is related to the KYC process, primarily involving OFAC sanctions and background checks. 
This is part of the process to ensure compliance with legal regulations and is particularly important for certain projects like OpenSea, which is a public contest.\n\nIt's important to understand that even after KYC approval, this does not automatically grant you access to all private contests, such as those requiring certification. Some users may find that even after KYC approval, they can't access certain private contests. This could be due to not having certified status on their handle. In such cases, a help desk request can be created at https://code4rena.com/help\n\nFurthermore, being a warden does not mean that KYC has been passed. To join a private audit, there is an additional requirement of completing the KYC process and obtaining certification. More details are available at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints\n\nOnce you've completed the KYC process with our KYC provider Provenance, and received an email confirmation, your status will be processed on Code4rena's end. If you don't see any changes after a few days, it's advised to open a help desk request at https://code4rena.com/help.\n\nAlso, note that not all contests require KYC or certification to receive rewards. If a contest requires it, it will be stated clearly. More information on this can be found at https://docs.code4rena.com/roles/certified-contributors.", "Question: I've received the confirmation email that my KYC application was successful, but I don't see any role or status update on my account. How does the KYC process work and when can I expect the attached role?\n\nAnswer: The Know Your Customer (KYC) process is a required part of becoming a certified contributor at Code4rena (C4). Once you submit the KYC application and receive a confirmation email from Provenance, the KYC status is processed and updated usually over a few days, but it can sometimes take longer. 
During this time, the C4 team is informed and begins processing your role. It's important to understand that there may be delays in this process. In certain cases, users have reported waiting up to 10 days for their KYC to be fully processed.\n\nOnce your KYC is successfully processed, you will get your roles updated on the C4 platform and you will also receive an email from Provenance and C4. You can check your status by clicking on your name to see the assigned roles. If you don't see any updates after a few days, it is advisable to open a help desk request to track the status of your KYC confirmation at [https://code4rena.com/help](https://code4rena.com/help). \n\nAlso, do remember to check your spam email section for any communication from \"compliance@provenance.company\" as sometimes the KYC mail might land there. \n\nFor further details on the KYC process and the role of a certified contributor, refer to [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors).", "Question: How does the classification and potential reclassification of issue severity work in CodeArena's auditing process, particularly in cases where the severity of the issue is ambiguous or could potentially be upgraded or downgraded?\n\nAnswer: In CodeArena's auditing process, issues can be classified as high, medium, low, or QA, based on the severity of the loss caused by the issue. If all rewards can be lost, it's typically categorized as MED/HIGH, if there's a risk of losing some rewards, it's usually medium. If rewards are lost due to roundings (a negligible amount), it's likely QA. If the principal can be stolen without needing extra requirements, then it's likely HIGH. 
The exact criteria for the classification of issues can be found at the official documentation [here](https://docs.code4rena.com/awarding/judging-criteria/severity-categorization).\n\nPost-submission, judges have the ability to potentially reclassify issues based on their evaluation. Issues may be upgraded or downgraded in severity, depending on the judges' assessment. For instance, if a medium severity issue is deemed high by the judges, it can be upgraded unless there's a reason to penalize it, such as it being incomplete or lacking in detail. Similarly, a high severity issue may be downgraded to medium and you would still be rewarded unless the judges invalidate it for overinflating severity.\n\nIf you come across an issue of uncertain severity, it's best to lean towards classifying it as high/medium, and putting in the highest effort to explain your finding, as good explanation generally carries more weight than the specific severity level. If a finding initially deemed as low risk (QA) is reassessed as medium risk by other wardens or judges, it can be automatically upgraded. However, if a finding is only related to gas savings, it could be downgraded from QA to Gas.\n\nIt's important to note that automated findings from a contest's bot report are not automatically invalid if escalated to a higher severity by a participant. 
However, strong evidence demonstrating a relevant High or Medium severity exploit path must be provided for it to be considered satisfactory, as explained in CodeArena's submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nFinally, while the number of issues in a Gas and QA report doesn't necessarily determine the grade, a good report could include one high-quality issue to achieve a grade B, or it could have multiple low-impact issues and still be a grade C.", "Question: What resources are available to learn about opcode, solidity, and smart contract auditing?\n\nAnswer: There are numerous resources available that cater to a range of experience levels. \n\nFor learning about opcode, you can refer to https://www.evm.codes/ and for information about gsset, gscoldsload, etc., you can visit https://github.com/wolflo/evm-opcodes/blob/main/gas.md. \n\nIf you are interested in learning about the solidity compiler, https://solidity-by-example.org/0.6 and https://docs.soliditylang.org/en/v0.7.5/ are recommended. \n\nFor beginners who want to understand solidity syntax, programming, or start smart contract bug bounty hunting, there are interactive coding platforms available such as https://cryptozombies.io/ for Solidity and https://capturetheether.com/ for Capture the Flag challenges.\n\nIf you are seeking to learn about smart contract auditing, resources like https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources are a good starting point. For more advanced training and to learn defi industry standards, you can try the Ethernaut challenges (https://ethernaut.openzeppelin.com/) and Damn Vulnerable DeFi (https://www.damnvulnerabledefi.xyz/).\n\nFor resources on proxies and upgradeable contracts, you can refer to https://proxies.yacademy.dev/. \n\nFor issues related to opcode support in foundry, you can use the foundry debug tool. 
\n\nFinally, you can also watch OpenZeppelin webinars, such as this one: https://youtu.be/6GaCt_lM_ak, which are very useful for auditors.", "Question: I'm new to smart contract security and auditing. Should I apply to Spearbit DAO? What resources can I use to get started and improve my skills?\n\nAnswer: Although Spearbit DAO has gained some attention, it's recommended that beginners in smart contract security and auditing consider starting with yAcademy. CodeArena, our platform, is also an excellent resource for beginners. \n\nIt's important to note that learning about smart contract security involves understanding a variety of concepts and techniques. Some useful resources include online platforms like CryptoZombies.io [https://cryptozombies.io/] for learning about Solidity, the language used to write smart contracts, and CaptureTheEther.com [https://capturetheether.com/] for Capture the Flag challenges related to smart contract security. These platforms are great starting points for beginners.\n\nAlso, you should check our #\ud83c\udfebeducation channel where you can learn more about auditing smart contracts and ask any questions you have about Solidity. We also host contests that can give you hands-on experience in analyzing smart contracts.\n\nIn addition to these, tools like Slither can be used for static analysis of smart contracts. Also, a good understanding of how the DAO voting system works and how smart contracts can be affected by DDOS attacks can also be beneficial.\n\nMoreover, many users in our community often discuss the challenges they face in understanding reports and concepts related to smart contracts, so you're not alone in your learning journey. 
The time it takes to learn the basics and start finding bugs in smart contracts greatly depends on your prior experience and learning capabilities.\n\nLastly, it's worth mentioning that while specializing in smart contract security can be lucrative, the best advice is to focus on what you enjoy and are interested in. Whether you want to focus solely on smart contract auditing, or continue with traditional hacking and Web2 security while doing smart contract auditing as a side gig, is really up to you. \n\nRemember, the road to mastering smart contract security may be steep, but with the right resources, dedication, and a supportive community, it's definitely achievable. Good luck!", "Question: Will CodeArena consider conducting audits for rust-based programs in the future?\n\nAnswer: Yes, CodeArena has an established history of performing audits with a focus on Rust-based programs and there's a possibility for future audits as well. In addition, CodeArena is also considering hosting Rust contests. If you are interested in having a Rust-based program audited, we can connect you with our booking team for further discussions. Completed audits can be checked via the C4 GitHub repo, and details about our audit contests, which are somewhat similar to bug bounty programs, can be found on our documentation page [https://docs.code4rena.com/]. Please note, our auditing tool, C4udit (current fork is Analyzer [https://github.com/Picodes/4naly3er]), generates automated findings for each contest, but these automated findings are ineligible for rewards. Our team is always available to answer any questions you might have about the auditing process or contest rules.", "Question: I have successfully completed my KYC process a few weeks ago. What is the next step and how can I confirm if I am certified?\n\nAnswer: After successfully completing the KYC process, you should receive an email confirmation from both Provenance and C4. This process typically takes a few days. 
Certification is required for certain activities such as participating in an audit that requires KYC or joining a private audit. However, it's important to note that you can still participate and receive payouts without certification for most contests unless otherwise stated. If you're unsure about your certification status, you can submit a help desk request to track it. As a KYC'ed participant, you may be eligible to apply for Certified+ after a high finding. For more information about the KYC process and certification, you can refer to the guidelines at https://docs.code4rena.com/roles/certified-contributors, and especially https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. If you haven't received any email, kindly check your spam folder or reach out to \"compliance@provenance.company\".", "Question: Can I view reports from other wardens after a contest has concluded, even if there isn't a table with results available?\n\nAnswer: Yes, it is possible to view reports from other wardens after a contest has ended on CodeArena. Findings reports become public once the final contest report has been published. However, if you are a Certified+ warden, you have the privilege of viewing the findings repository immediately after a contest ends. \n\nPlease note that contest findings cannot be shared by wardens until the contest report has been published. Also, the final report for a contest does not include wardens whose submissions or findings were not accepted. The number of wardens who participated in the contest is disclosed only after the contest ends.\n\nIf you wish to view reports from past contests, they are available at [CodeArena Reports](https://code4rena.com/reports). If you're interested in becoming a Certified+ warden, you can apply for the role which will give you access to findings shortly after contests end. \n\nKeep in mind that the findings submitted in a contest are not disclosed to other competing wardens. 
If you have any queries about the availability of specific reports, or how to view others' findings, you can raise them. As a warden, you can start the process within 48 hours of contest close. \n\nLastly, the public report page is usually updated mid contest and you'll need to wait until the reports are published to check if your findings made it to the final report, which can take at least a month. New participants are encouraged to look at the findings of other wardens once the findings repository becomes public.", "Question: Can you provide more details about the \"steakhouse contest\" and its subsequent events, including judging and payouts?\n\nAnswer: The \"Steakhouse Contest\" is one of the many contests organized by CodeArena. For detailed information about this particular contest, users are directed to check out the relevant posts on our Discord channels: [here](https://discord.com/channels/810916927919620096/810936719003090974/908760695712149515) and [here](https://discord.com/channels/810916927919620096/1040268281040359556/1055712214016868352).\n\nThe judging process of contests, including the Steakhouse Contest, can sometimes be complex and time-consuming. After a contest ends, the findings are reviewed by sponsors before proceeding to judging. If a judge is unable to complete their work in a timely manner, the contest is reassigned to another judge. It is also important to note that the judges involved in a contest are not known beforehand.\n\nRegarding the payouts, there were inquiries about the distribution of rewards for the Steakhouse Contest. It's important to note that the reward distributions can sometimes be delayed due to various factors. However, we can confirm that the rewards for the \"stakehouse-nov11\" contest have been distributed. \n\nChanges are continuously being made to the contest award calculation process, and the prize pool often includes a separate amount for judging services. 
If there are any concerns about the validity of the judgment, users have the opportunity to query issues marked as invalid by monitoring the backstage channel during the post-judging stage of the contest.\n\nPlease be aware that the schedules and statuses of contests can sometimes change, as was the case with the recent Vine Labs and Chainsafe contests. The best way to stay updated is to frequently check our Discord channels and website for the most current information.", "Question: Can I use Foundry in a project that employs Hardhat, and are there any resources or tools available that can assist me?\n\nAnswer: Yes, Foundry can definitely be used in a project that uses Hardhat. In fact, there is a base template available at https://github.com/foundry-rs/hardhat-foundry-template which can guide you in setting up Foundry in a Hardhat project. \n\nIn case you encounter issues, such as the \"Source from artifact has no AST.\" error when running forge debug on a hardhat project with foundry integration, consider using the tool available at https://github.com/HardlyCodeMan/audit_helper/ for assistance. \n\nFurthermore, Foundry can be beneficial for testing your smart contracts as Hardhat Foundry can fork its state from a public testnet or even the mainnet. This makes it a convenient option for testing your smart contracts. If you want to debug your hardhat tests or introspect contract execution at the EVM opcode level, you can use \"foundry debug\". \n\nPlease note, however, that users have reported issues with opcode support in Foundry. For more understanding on the Foundry framework, you can watch these YouTube tutorials: https://www.youtube.com/watch?v=Rp_V7bYiTCM and https://www.youtube.com/watch?v=EHrvD5c93JU.\n\nFoundry also provides tools for generating a gas report, printing local variables that are declared inside a function using console.log, and even impersonating an account as can be done in Hardhat using vm.prank(address) command. 
\n\nLastly, for projects using Brownie for testing, it's unclear whether they can be written in Foundry. We recommend checking out resources like the Codecademy Javascript testing module and the Alchemy University's Ethereum Bootcamp in week 4 to learn more about the testing framework of Hardhat.", "Question: What happens when a contract's own function is called and how does it change the msg.sender value inside the function?\n\nAnswer: When a contract's own function is called, such as \"InterfaceA(address(this)).functionA();\", it is considered an external contract call and changes the value of msg.sender inside the function. For example, if 'from: ' is used in a call, it causes 'msg.sender' inside the Solidity contract to be ''. \n\nThis could also be seen in the code snippet \"IERC20(USDT_TOKEN).transferFrom(msg.sender, address(this), _amount)\" where the USDT token is being transferred from the message sender to the contract address. \n\nIt's important to note a contract doesn't inherently know if someone has sent tokens to it. In the case of tracking a transaction, such as when a user gives allowance to a contract, you would need to filter the contract's logs and check topics for the specific address to find the transaction hash.\n\nWhen interacting or calling smart contracts, it's advised to check for the existence of an account before calling .call() on it. This can be done using OpenZeppelin's Address library or checking the length of the account's code. \n\nFurthermore, the usage of \"safeTransferFrom\" in calling a smart contract function is contingent on the token used and the expectation of the code. It's advisable to use safeTransferFrom particularly when the token is already wrapped inside IERC20 in order to prevent unexpected failures. 
\n\nFor more information about deploying contracts and using the constructor, you can refer to this [Ethereum StackExchange thread](https://ethereum.stackexchange.com/questions/68519/creating-a-new-contract-specifying-a-sender-and-value-with-factory-pattern). \n\nBefore deploying, it's recommended to get your smart contract audited even if automated tools have reported vulnerabilities. This ensures any potential issues or vulnerabilities are addressed, enhancing the security and reliability of your smart contract.", "Q: How are bounties distributed if multiple auditors report the same bug or gas optimization issue? Are all reporters rewarded equally, and how are duplicate reports handled?\n\nA: Yes, all auditors who report the same bug or gas optimization issue are eligible for a portion of the bounty. The overall value of the bug is reduced and split evenly among all reporters, regardless of who reported the bug first. However, only the best report typically receives more money, and duplicates below a certain threshold might not receive any funds. You can find more details about this in the Incentive Model and Awards section of the Code4rena documentation [here](https://docs.code4rena.com/awarding/incentive-model-and-awards). \n\nWhen it comes to submitting reports, all types of accepted reports from high severity to gas optimizations are eligible for payouts, provided they are of high quality, the findings are accurate, and there's a working proof of concept. Keep in mind that common findings are usually out of scope as they are picked up by the C4udit tool. If the tool doesn't pick up these issues, they should be reported. \n\nYou can submit one medium and one gas finding report per contest if the bug is of medium severity and affects gas. If a single line of code offers multiple ways of exploitation, it should be reported as one bug with multiple proofs of concept. 
When reporting the same type of issue more than once, like a Reentrancy attack or a gas optimization of the same type, they should be clubbed together in one report. \n\nRemember that you can submit one combined gas and one combined QA report per contest, and you can edit existing findings. It's essential to separate the Gas report from the QA report and compile all findings into single reports. \n\nLastly, if two people from the same team find the same issue but submit it with different wallets, the reward is shared between the two wallets.", "Question: Can you provide details on the timeline and process of award distributions for CodeArena contests, specifically referencing the Stakehouse contest?\n\nAnswer: The awards for CodeArena contests, such as the Stakehouse contest, are typically distributed between 1-2 weeks after the announcement of the winners. This timeline is due to the use of multisignature (\"multisig\") wallets which require signatures from multiple parties before funds can be released. For context, multisig wallets are a security measure ensuring that no single party has control over the funds. Payments for contest prizes are usually released after the signatures for the award distribution are rounded up in a standing Monday meeting, so any announced awards should usually get processed Monday or Tuesday of the following week. \n\nFor the specific case of the Stakehouse contest, rewards for the \"stakehouse-nov11\" contest have already been distributed. However, it is important to note that the payout process does not start immediately after the contest ends or the winners are announced. \n\nPayouts are linked to individual Discord usernames and specific wallet addresses, and are distributed to the user's registered wallet address only. It's worth noting that rewards are distributed to one address for one handle per contest. You can check the announcement channel for updates on distribution. \n\nRewards are received in USDC on the Polygon network. 
In the future, CodeArena plans to distribute awards via smart contracts, but more steps need to be implemented before this can happen. \n\nLastly, if there are any delays in bounty payments due to reasons such as DAO employees being on holiday or other unforeseen circumstances, participants will be informed. It's important to understand these processes and timelines to avoid any confusion or misunderstanding. If you have any further questions or concerns, feel free to reach out in the chatroom.", "Question: How does the page refresh work during and after a contest, and where can I view my submissions, updates, and contest results on Code4rena?\n\nAnswer: The Code4rena webpage does not automatically refresh when a contest has started. You will need to manually reload the page to see the contest details. The public report page gets updated mid-contest with any changes or new findings. After a contest has ended, you cannot view the findings immediately, but the leaderboard gets updated and users can see the number of overall issues they reported at https://code4rena.com/leaderboard. \n\nAdditionally, once a contest ends, the findings and reports from the contest are published and can be read by the participants. If you made a submission, you can edit it as long as the contest has not ended. To do this, head to the specific contest page on https://code4rena.com/contests. Users can also view their QA reports for contests that have already closed.\n\nIf you're interested in upcoming contests, they are listed on the Code4rena main page: https://code4rena.com. Please also note that there may be gaps in the schedule for live contests. To ensure participants do not miss the submission deadline, a countdown timer may be implemented in future contests. To keep track of contests you've participated in, the \"Past Contest Status Updates\" section provides a timeline of where contests are currently in the process. 
\n\nLastly, if you're curious about the number of participants in a contest or how to see previously available information, while these inquiries have been brought up, we don't currently have a mechanism to display this information. However, new features and improvements are always being considered and implemented.", "Question: How are rewards distributed for QA and gas reports in Code4Rena's smart contract auditing process, and under what circumstances can these rewards be shared or upgraded?\n\nAnswer: In Code4Rena's smart contract auditing process, the reward distribution for QA and gas reports is quite nuanced. These reports are graded into categories A, B, and C, based on the quality and the gas savings that they propose. Only reports that fall under categories A and B are eligible for rewards. \n\nThe reward distribution system uses a sharing mechanism where Grade A reports count as 2 shares and Grade B as 1 share. The best report receives an additional 30% bonus. If multiple participants, including members from the same team, identify a gas optimization, the reward split is calculated using a specific formula, which you can find [here](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs).\n\nIf no high or medium risk issues are found during a contest, the rewards are then divided based on the Quality Assurance (QA) report curve. More details on this can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nThere's also a possibility for an issue submitted as part of a QA report to be upgraded to a medium risk issue, based on the judges' determination. In such cases, the issue becomes eligible for a medium reward. 
More information about this can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nIn the context of gas optimizations, the reward pool is shared among the reporters based on the score of each gas report. More details on this can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic).\n\nParticipants can submit one combined gas report and one combined QA report per contest, and they're also allowed to edit their existing findings.\n\nPlease note that all these rewards and upgrades are contingent on the fact that the reports are of high quality, the findings are accurate, and there's a working proof of concept.", "Q: What is the process to become a warden at Code4rena, can I join as part of a team, and what are the benefits of becoming a certified warden?\n\nA: At Code4rena, interested participants can join as wardens either individually or as part of a group or team. To do this, you need to sign up as a warden and register your team by following the process laid out here: https://docs.code4rena.com/roles/wardens#registering-a-team. \n\nIn addition to participating in open audit contests, becoming a certified warden allows you to access private contests to a certain extent. The requirements for certification may include participating in a certain number of contests and having a certain number of valid findings or reports. The certification process is detailed at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nCertified wardens can also participate in specialized contests like the \"vs contest\" which involves only three wardens, and the Ambire and PolynomialFi contests, if they meet the eligibility requirements detailed at https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor. 
\n\nYour ranking as a warden can affect your opportunities for participation in these contests. For instance, the 'vs contest' is invitational, and wardens are chosen based on their rank in specific contests or during a recent window. This is why getting on the leaderboard (https://code423n4.com/leaderboard/) can enhance your ability to qualify for private contests. \n\nPlease note, to access contest channels and previews, you need the warden role, which is obtained after registration. And keep in mind, there may be complexities to navigate if you wish to participate solo in a contest that your team is also auditing.", "Question: How does CodeArena award bounties for findings of varying risk levels, including medium, low, and high risk?\n\nAnswer: At CodeArena, all accepted reports from high to low risk findings, including gas optimizations, are eligible for payouts. The condition is that the report must be of high quality, with accurate findings and, where necessary, a working proof of concept. If a finding is submitted with a certain risk level (e.g., high-risk) but is evaluated differently by the judges (e.g., low risk), the submitter will still be rewarded according to the judges' evaluation. The classification of findings (High, Medium, or QA) is based on the severity of the loss caused by the issue. High severity usually involves significant fund loss, medium severity usually has a lesser impact, and QA severity is assigned when the loss is negligible or involves rounding errors. \n\nThere could be a bonus for each low finding selected for the report. If no Medium/High vulnerabilities are found, the full award pool would be divided based on the QA Report curve. The reward for a medium/high finding can be calculated using the formula provided at this [link](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). For each unique High or Medium finding, the submission chosen for inclusion in the audit report receives a 30% share bonus. 
\n\nIn the rare case where no medium or high vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve. For example, you can check a contest where only low vulnerabilities were found [here](https://code4rena.com/reports/2021-11-fei).\n\nYou can get more clarification about the classification of severity at this [link](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr) and you can check the amount of prize money paid to each Medium/High risk at this [link](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv). \n\nRemember, whether high-risk findings are considered or not depends on the specific contest and the judge's discretion.", "Question: Could you explain the process and rules of the Mitigation Review Contest at CodeArena?\n\nAnswer: A Mitigation Review Contest at CodeArena is a smaller, more focused contest where the top wardens, or auditors, of a previous contest are invited back to review the bug mitigations that have been put in place. Only certified wardens are allowed to participate in these private contests. Typically, the top 3 to 5 auditors from the initial contest are selected for the review. \n\nThe process begins with the end of the initial audit contest, which is then followed by a submission review period. Teams are allowed to participate and submit their analyses for the contests. After the contest ends, findings are reviewed by sponsors before moving to judging. Participants who did not receive rewards for their submissions can review the report to understand why their submissions were not accepted. \n\nParticipants also have the opportunity to edit their security findings for the contest. If a participant identifies a bug or logic flaw that is confirmed by a judge, it is considered an achievement. 
However, if a participant finds an issue but the judge and sponsor disagree with their proposed mitigation, the final decision lies with the sponsor.\n\nCodeArena is continually improving its review process and is considering implementing a new submission mechanism in future contests. There are also discussions on releasing all unverified submissions for learning purposes a few days after a contest ends. \n\nYou can learn more about the process in the article [here](https://medium.com/code-423n4/a-look-at-code4rena-audits-mitigation-review-3e05f8b7acb7) and on the CodeArena website [here](https://code4rena.com/how-it-works). It's also important to participate in the related discussions about the process on the CodeArena forum [here](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123).", "Question: How does Code4rena handle and distribute rewards when multiple wardens submit the same or similar issue?\n\nAnswer: Code4rena uses a unique model to distribute rewards when multiple wardens spot the same issue. The system does not favor the first individual to report a bug as in a traditional bug bounty model. Instead, the overall value of the bug is reduced and split between all those who find it, irrespective of the order of submission. Notably, the best report for an issue generally receives more money, and duplicates that don't meet a certain quality threshold may not receive any reward. If an issue is found by a team, they receive a larger reward than if they had submitted the issue individually. Moreover, the judges select the primary issue based on the quality of the report, not the order of submission, promoting high-quality submissions. Sybil protection measures are in place to counteract duplicate accounts submitting the same issue for a larger share of rewards. 
For more details on the incentive model and awards, please visit the Code4rena documentation here: https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit.", "Question: What is the typical timeline for a CodeArena contest, from start to finish?\n\nAnswer: A CodeArena contest typically takes 1-2 months from start to finish, with the contest itself running up to 13 days. However, this timeline can vary based on a few factors including the complexity of the code being audited and the number of reports under review. The review process for contest findings usually takes between 3-6 weeks on average, depending on the contest and the number of reports under review at the same time. Upon contest conclusion, there is a judging process which can take anywhere from 2-4 weeks, again depending on the number of submissions and the complexity of the code. Once judging is complete, the results are announced and award payouts are typically made between 1-2 weeks following the announcement. The audit reports for contests are then published after the stages of contest finish, sponsor reviews, judging, and awarding are completed. This process could take anywhere from 2 weeks to over 6 weeks. Please note that specific timelines can vary and the approval process for a team to participate in a contest can also take up to a few business days. All in all, while we strive to maintain consistency, the duration and timelines can fluctuate based on various factors.", "Question: How does the process of team auditing work at CodeArena, and what are the options for individual team members wanting to participate solo?\n\nAnswer: At CodeArena, once you register as a team, all audit findings become the team's property, and the funds earned go to a single team wallet. It's the team's responsibility to distribute these funds among the members. This process aims to foster collaboration, idea-sharing, and accelerated learning among team members. 
\n\nHowever, if you're part of a team but wish to participate solo in a specific audit, you have the flexibility to do so. When making a submission, you'll have the option to choose whether you're submitting as an individual warden or on behalf of your team.\n\nKeep in mind, though, that to participate in an audit, all team members need to complete the Know Your Customer (KYC) process for the team to get paid after participating in the Base audit.\n\nFor more detailed information on team audits, please refer to the official documentation at [CodeArena's Documentation](https://docs.code4rena.com/), specifically the section on teams.\n\nRemember, whether you're auditing as part of a team or as an individual, our community is here to assist and support you throughout the process. CodeArena also offers private and invitational audits for those who have achieved certification. You can learn more about certification and its benefits at [CodeArena's Certification Process](https://docs.code4rena.com/roles/certified-contributors).", "Question: What is the typical timeline for CodeArena's audit process and which parts might affect this timeline?\n\nAnswer: The timeline for CodeArena's audit process can vary depending on a number of factors. Here are the general steps and the time they typically take:\n\n1. The duration of a contest itself can range anywhere from a few weeks to a couple of months depending on the complexity of the project. For instance, a contest involving over 12k sloc was extended to 4 weeks.\n\n2. After a contest, the reports from the contest are typically reviewed within an average period of 3-6 weeks, with the precise time depending on the contest and the number of reports under review concurrently.\n\n3. The time taken for sponsor reviews and judging can vary significantly, sometimes taking as long as six weeks. Factors beyond the judge's control can contribute to delays.\n\n4. Reward distribution is another step that can affect the timeline. 
While it can sometimes take up to two months after the end of the competition for rewards to be distributed, this is a worst-case scenario. Reducing this turnaround time is a high priority for us.\n\n5. There can sometimes be a pause in contests around big conferences or other events, which may affect the overall timeline.\n\nPlease keep in mind that these are just average times and the actual timeline can vary depending on a variety of factors. The timeline for our process is also provided in our organization's docs which can be found at https://docs.code4rena.com/structure/our-process. We're continuously working to streamline our processes and reduce the time taken wherever possible.", "Question: What does \"judge + presort\" and \"scout\" mean in the context of bounties at CodeArena?\n\nAnswer: \"Judge + presort\" and \"scout\" are terms used by CodeArena specifically in the context of our bounty rewards system for smart contract audits. \n\nThe term \"judge + presort\" refers to a portion of the bounty that is set aside for the judges, who are selected based on their experience and reputation. This also includes a service for the sponsor where duplicates are sorted out for easier review, a process you can read more about on our discussion page [here](https://github.com/code-423n4/org/discussions/50). The judging process occurs after the contest concludes, where judges review the findings to determine their severity, validity, and quality. \n\n\"Scout\", on the other hand, refers to an independent role within the contest. Scouts are certified contributors who review code before the start of a contest to ensure it is ready for wardens. This ensures that the scope of the audit aligns with what was initially described when scheduling the contest. 
You can find more about this role on our documentation page [here](https://docs.code4rena.com/roles/certified-contributors).\n\nIt's important to note that the payments for the judges and scouts are not included in the leaderboard ranking calculations. Also, the judges or scouts for a contest are not disclosed before or during the contest to maintain impartiality.\n\nFor those interested in the specifics of our bounty rewards system, we have a comparison between bug bounties and C4 audit contests on our documentation page [here](https://docs.code4rena.com/).", "Question: I'm experiencing an error while making a submission or navigating the Code4rena platform, where can I find the error and what could the potential issues be?\n\nAnswer: While it's often the case that the error exists at the top of your .sol file, errors can also occur due to a variety of reasons on the Code4rena platform. \n\nFor example, a common issue is related to form validations not producing an error message. If you face such an issue, make sure to check if there is a space in your discord handle or a missing polygon address, which is required while trying to create an analysis report. Also, ensure that all the fields are filled out correctly.\n\nThere could also be issues with submitting reports. Users have reported difficulties in receiving confirmation emails for their submissions. If you don't receive a confirmation email or if the form returns an error, you can check the status of your submission through the \"View Context\" function on the platform. \n\nSometimes, the error could be due to the size limit of the submissions, or due to an issue with the domain, as observed when users tried emailing to submissions@code432n4.com and got an error due to the domain not being found. 
\n\nIt has been reported that users have also faced issues with links, such as the GitHub link (https://github.com/code-423n4/2023-07-axelar-findings), or with the Code4rena website itself, which was identified as a DNS issue.\n\nFurthermore, there might be errors returned while interfacing with the api (api.code4rena.com), or while trying to submit a Gas Optimization report for a contest if you have already submitted one. \n\nIn case you come across any other error or issue while making a submission or using the platform, please raise it on the discord chatroom so that it can be addressed.", "Question: \nWhat steps should I follow if I encounter missing imports or errors at the top of every .sol file?\n\nAnswer: \nErrors at the top of every .sol file might often be due to missing imports. To fix this, here are some steps you can follow:\n\n1. Install the necessary dependencies. This step is crucial if you're working on a CodeArena (C4) competition and you've followed the setup instructions. The dependencies should have been included as submodules in the git clone.\n\n2. Clone the entire repository and install dependencies with forge. This step is especially useful if you plan to compile the code on Remix.\n\n3. Manually include the contracts on Remix from the OpenZeppelin contract repository (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate). Do this only if you have issues with the previous methods.\n\n4. If you're using VSCode for coding, be aware that there have been issues reported with solidity annotation syntax highlighting. \n\n5. If you need to check your Solidity code for syntax mistakes and similar checks, you can use online IDEs like Remix as they have built-in tools for these purposes.\n\nRemember, some files like \"FloatCapital_v0.sol\", \"Treasury_v0.sol\", and \"oracles/\" are not included in the scope for the bounty program. 
Make sure you're working on the right files.\n\nAlso, when reporting issues related to smart contracts, kindly follow the guidelines provided at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md.\n\nIf you still encounter issues after trying the steps mentioned above, feel free to reach out to the community on our Discord chatroom for further assistance.", "Question: How does the installation of forge and its dependencies work, specifically in relation to git submodules and foundry based repositories?\n\nAnswer: The installation of forge does indeed rely on git submodules, which means that libraries are retained and not lost. This is particularly useful when working with foundry-based repositories. \n\nA common way to install dependencies is to use the `forge i` command. However, it's also possible to clone the entire repository and install the dependencies with forge. An example command for this is `git clone https://github.com/code-423n4/2023-01-astaria.git -j8 --recurse-submodules`. \n\nWhen working with Foundry, you have the option to install it with Docker. This framework can be used for writing tests and it offers additional tools for tasks such as storage checking. Foundry can also be used to fork data from a live network to run locally, which can be handy for avoiding the need to acquire testnet tokens for transactions or waiting for block times.\n\nKeep in mind that the `forge init` command should ideally be run on clean directories. Also, if you encounter a 'Permission denied (publickey)' issue, this might be because the submodules for the maple-core repository don't update via public git.\n\nIf you want to use Foundry for a hardhat project, a base template can be found at https://github.com/foundry-rs/hardhat-foundry-template. 
Lastly, if you're using other contracts in your project, you can manually include them on remix from OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate).", "Question: How can I resolve issues with missing imports on .sol files in CodeArena, and are there any tools to help with this?\n\nAnswer: Missing imports on .sol files can occur for a variety of reasons. If you get an error stating \"not found: File import callback not supported\", you may need to run `forge i` to install forge-std. For other dependencies, like openzeppelin/openzeppelin-contracts, you will need to install using the command `forge install creator/repo`. If the repository was made with hardhat, you can install the requirements and add node_modules to foundry.toml. \n\nTo compile your code on Remix, it is recommended to clone the whole repository and install the dependencies with forge. Alternatively, you can manually include the contracts on remix from OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate).\n\nIf you're working with multiple smart contracts, it might be easier to start with libraries and interfaces that have the least dependencies. Furthermore, you can import console.sol inside the original Contract itself and not necessarily in the x.t.sol file. \n\nThere are also tools to help you navigate and fix errors in your codebase. For instance, an audit_helper tool can assist with initializing a freshly cloned audit repo. You might also find syntax checkers and highlighters useful, such as the online Remix IDE or the Solidity syntax highlighter in VSCode. \n\nHowever, please note that certain files like \"FloatCapital_v0.sol\", \"Treasury_v0.sol\" and \"oracles/\" are not in the scope for the bounty program. 
Make sure to check the guidelines before starting an audit.\n\nLastly, remember to format your Solidity code properly before submitting it. The company provides a way to format the Solidity code in the submissions to make it look better. You can add Solidity syntax to code blocks using the MD format, and you can submit issues in a specific format using a tool available at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers.\n\nPlease note that all this information is based on user discussions in our Discord chatroom and may not be applicable in every situation.", "Question: When and how can I share, access, or modify the findings of a contest?\n\nAnswer: The findings of a contest are treated with utmost confidentiality until the competition is over and the final report is published. As a participant, you are not allowed to discuss or share your findings publicly until the final report has been released. This is to maintain the integrity of the contest and avoid any dishonest practices. The specific duration for when the findings repo becomes publicly available for discussion is not mentioned, but it is only after the report's publication.\n\nDuring the contest, you can review, modify, and even upgrade the risk level of your findings through the \"your findings\" button on the contest page. However, note that you cannot view or modify your findings after the contest ends but before the results are published. If you wish to track your report status, you can do so in the \"findings\" tab next to the contest description. \n\nAs for the project sponsors, they do not have access to the findings repo until after the contest ends. Once the contest concludes, the findings undergo a review by the sponsors and then proceed to final judging before being made public. After this process, the findings reports become public, and Certified+ wardens can immediately view the findings repo. 
All findings from the contest will also be posted in the section where Contests are posted. \n\nRemember, the aim is to ensure a fair and transparent process while safeguarding the sensitive information involved in smart contract audits.", "Question: What are the benefits and operational details of joining a team on CodeArena for smart contract audits?\n\nAnswer: Joining a team on CodeArena has several benefits, including the ability to collaborate, share ideas, and learn from each other, which can often lead to a faster learning curve. Teams are also considered in the leaderboard ranks to select people for RSVP certified jobs. \n\nOnce you join a team, you are not obligated to always participate as a team, giving you the flexibility to work solo or in collaboration as you see fit. You can make changes to teams, including removal or addition of members, and there is no technical limit to the number of members that can be on a team. \n\nWhen working as a team, all rewards from your findings go to the team, which the team is responsible for dispersing. Teams are incentivized, with rewards being split evenly among team members when a finding is made. However, it's worth noting that the reward is reduced semi-geometrically based on the number of people who find an issue when they are separate, meaning there can be a higher payoff when working as a team. \n\nSubmissions can be made either as an individual or a team, and if a team submits a non-duplicate finding, the team gets more rewards than if they had individually submitted the same finding. If a team submits 3+ Medium findings and they are accepted, all members become eligible for the backstage role. \n\nYou can find teammates in the team-building channel on the platform and the method for registering a team can be found here: https://docs.code4rena.com/roles/wardens#registering-a-team. 
\n\nHowever, there are some clarifications needed on the platform regarding how rewards are split for teams, especially concerning the incentive for team formation. Also, if you're competing with a team, remember that all members need to be certified to receive the payout. \n\nLastly, discussions are ongoing on how to manage teams where not all members participate in the same contest and how to distribute rewards among team members who contributed. You can follow this discussion here: https://github.com/code-423n4/org/discussions/43.", "Question: What is the process and purpose of running \"forge i\", and how does the Foundry framework assist in smart contract auditing in CodeArena?\n\nAnswer: Running \"forge i\" is a command used to install dependencies in a project. Specifically, it installs forge-std but to install other dependencies, you need to run the extended version of the command, i.e., forge install creator/repo. This command depends on git submodules to install libraries so they are not lost.\n\nFoundry, a framework used for writing tests and checking things like storage, works alongside the \"forge i\" command. It offers tools like \"foundry debug\" for debugging hardhat tests and introspecting contract execution at the EVM opcode level. Foundry can also fork data from a live network such as a main or test net and run the fork locally. This can be very beneficial as it allows you to test scenarios in a local environment, providing an alternative to a public testnet, and thus, avoiding the need to grab testnet tokens for transactions or wait time on blocks.\n\nAdditionally, Foundry features specific tools for transaction prioritization, allowing transactions to be run by calling functions in a desired order, and a tool for automated findings. 
Moreover, it provides useful functionalities for auditing smart contracts, such as checking opcode usage on-chain, logging gas remaining after the state variable update, and testing for gas optimization possibilities like the use of 'unchecked' command in loops.\n\nHowever, please note that it is recommended to run the \"forge i\" command in clean directories and if the repository was made with hardhat, you can install the requirements and add node_modules to foundry.toml. An auxiliary tool, audit_helper, simplifies this process when initializing a freshly cloned audit repo.\n\nIn case you face issues like \"Source from artifact has no AST.\" error when running forge debug on a hardhat project with foundry integration, or trouble executing foundry fork testing in the polygon POS network, you might want to consult the official Foundry documentation or the community for help. \n\nFor more insights into using Foundry, you can watch these tutorial videos: https://www.youtube.com/watch?v=Rp_V7bYiTCM and https://www.youtube.com/watch?v=EHrvD5c93JU. \n\nAnd for changing the number of cases generated by foundry fuzz, refer to https://book.getfoundry.sh/reference/config/testing#fuzz. \n\nPlease remember to always install the necessary dependencies with forge or manually include the contracts on remix from OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate) for compiling code on Remix.", "Question: How does CodeArena handle reward distribution for its contests, such as \"stakehouse-nov11\", and what should participants expect?\n\nAnswer: At CodeArena, the rewards for contests, like the \"stakehouse-nov11\", are distributed to the user's registered wallet address. Each contest has one address for one handle and the reward amounts usually come from the sponsor of the contest. 
\n\nAfter the announcement of the awards, the rewards are sent manually in batches for multiple contests at a time and are not immediate. The precise timing for reward distribution varies, but the team aims to process and distribute rewards by the end of a specified week, though they are typically transferred once per month, often at the beginning. \n\nIf a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week. This delay is due to the use of multisignature (\"multisig\") wallets which require signatures from multiple parties before funds can be released.\n\nFor team rewards in an audit contest, the prize is sent to a single address, and it's the team's responsibility to distribute it amongst themselves. Bonus rewards are also given for the best reports. Also, for certain contests, if no high or medium issues are found, there are questions about what happens to the sponsor reward pot. \n\nIn some instances, payouts for contest prizes are received in USDC on Polygon's Mainnet. For example, it was mentioned that awards from Fairside are distributed on the Polygon network.\n\nParticipants can check the announcement channel for updates on distribution. However, if there are queries regarding why some of the rewards are pending or why they weren't distributed immediately after the contest has finished, it's essential to note that the distribution plan is usually completed by the weekend and is likely to be sent out the next week. \n\nIn the future, awards will be distributed via smart contract once more pieces are in place. For now, once a submission is confirmed and the reward amounts are announced, participants have to wait for it to go to their wallet. \n\nParticipants can verify their identity after the contest ends to receive the payout. 
If you have any more queries, please feel free to ask.", "Question: How is the severity of a finding in a smart contract audit determined, especially when it could result in a loss of assets such as a large portion of the yields?\n\nAnswer: The severity of a finding in a smart contract audit is determined based on a balance of the potential impact or consequence and the likelihood of the issue occurring. For instance, a finding may be classified as 'High' if it could lead to a significant loss of assets such as a large portion of the yields, without requiring specific pre-conditions. This could include situations where the principal can be stolen or if all rewards can be lost. Alternately, if the loss is due to rounding or other negligible reasons, or if it only affects an end-user in rare situations, it would likely be classified as 'Medium' or 'QA'. \n\nAdditionally, the process of categorization considers factors like the difficulty of the attack, specific market conditions, user unawareness, and external conditions. A high-risk finding typically carries a higher burden of proof and if a report submitted as medium risk is deemed high, it can be upgraded unless there are reasons to penalize it such as it being incomplete, lacking detail, or not accurate. \n\nFindings that break the protocol but do not result in stolen funds could still be classified as high risk, as could potential user fund loss if an admin is involved. 
Vulnerabilities in staking pools may also be classified based on the maximum value lost and the likelihood of occurrence.\n\nIt is worth noting that for each unique High or Medium finding selected for inclusion in the audit report, a 30% share bonus is provided, as detailed in this guide: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs\n\nHowever, the final determination of risk severity can depend on the specific contest and the judge, so submitters are advised to make a clear case for their classification in their submission.", "Question: How long does it typically take to complete the Know Your Customer (KYC) process and become a certified contributor after submitting my application at CodeArena (C4)?\n\nAnswer: The Know Your Customer (KYC) process at CodeArena (C4), which is necessary for becoming a certified contributor or participating in Chainlink contests, usually involves a few steps and may vary in duration. After submitting your application, Provenance typically sends the KYC mail within one business day. However, it can take anywhere from a few days to 2-3 weeks to complete the KYC process and receive the KYC email. Furthermore, confirmation of successful KYC completion can take up to 2 weeks after approval from the KYC firm. This depends on the back-and-forth between you and Provenance, and you are advised to check your spam folder for any emails from compliance@provenance.company. Some users have reported waiting for up to 10 days or more for the process to be completed. Once KYC is approved, there's a processing period before the user's role is updated. If you do not receive a response or your application is still pending after a considerable amount of time, you can submit a help request through the form on the company's website, or directly at https://code4rena.com/help. 
Please note that there may be delays in the KYC process depending on a variety of factors.", "Question: What role does a Proof of Concept (PoC) play in the submissions and how does it affect the scoring in CodeArena contests?\n\nAnswer: The inclusion of a coded Proof of Concept (PoC) with your submission is highly recommended in CodeArena contests. This is because having a PoC can significantly increase the chances of your report being selected. Additionally, a selected report that includes a PoC can earn a 30% bonus. However, it's important to note that while PoCs can boost your score and improve your chances of selection, they are not mandatory and not having one won't necessarily negatively affect your awards or contest outcome according to C4 guidelines. Also, the inclusion of high-risk findings or potential medium findings in your PoC depends on the contest and the judge. It is advised to make your case to the judge in the submission if you think a certain finding should be considered. Finally, if there is any disagreement between a participant and the sponsor or judge regarding the findings or their mitigation, it's the sponsor's decision that prevails on the mitigation part. Alternatively, if a participant points out a bug or logic flaw that is approved by the judge, it's considered an achievement.", "Question: Are there any tools or plugins available for automated syntax checking and security testing of Solidity code, similar to the functionality of Remix IDE?\n\nAnswer: Yes, there are a number of tools and plugins available for automated syntax checking and security testing of Solidity code. One such tool is the Solidity linter which aids in static security testing. Static security testing involves analyzing the code without interacting with it. \n\nIn addition to this, for a more robust and automated approach to detect vulnerabilities and bugs in smart contracts, tools like Mythril and Slither can be used. 
These tools can be particularly useful when testing contracts downloaded from GitHub. \n\nAnother tool of significance is the static analyzer at https://github.com/byterocket/c4udit. However, it is unclear whether this is currently being used by CodeArena for quality assurance and gas optimization. \n\nFor on-chain contract viewing on etherscan in an IDE like remix, users can refer to this link: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484. \n\nFor beginners who want to audit smart contracts, it is helpful to understand Solidity syntax and programming. You can learn about the Solidity compiler and how to properly format Solidity code in your submissions to CodeArena.\n\nFinally, Hardhat gas report plugin could be used to benchmark your code for gas savings. This is another level of optimization that becomes essential when dealing with smart contracts given the high transaction costs on the Ethereum blockchain.\n\nPlease note that it is also advisable to manually check and test the contracts for any potential issues or vulnerabilities. Automated tools may not catch every potential problem, particularly those that are context-specific. CodeArena also runs contests for analyzing smart contracts, which can be a great opportunity to learn and improve your auditing skills.", "Question: How does Code4rena distribute rewards among wardens who find the same issue in smart contracts, and why might there be discrepancies in reward amounts for the same finding?\n\nAnswer: Rewards for the same finding submitted by multiple wardens can vary greatly, depending on the depth of the submission and the comprehensiveness with which the issue is covered. The judges pay special attention to whether the submissions include a coded Proof of Concept (PoC) and whether the issue is discussed in detail.\n\nIf multiple wardens find the same issue, the reward for that issue is divided among them, which can result in lower amounts for each warden. 
However, the better the report, the larger the reward, and submissions that don't meet a certain quality threshold may not receive any reward at all. \n\nFurthermore, if two people submit the same issue using the same warden but different wallets, each person gets less than half of the reward, due to the way rewards are distributed. Similarly, if a team of two submits one finding, one payment is issued and the team has to decide how to split the reward.\n\nIt's also important to note that the order in which wardens report a duplicate bug does not impact how much they get paid. However, if wardens report the same vulnerability but with different severities, they are given the same severity for award calculation due to the deduplication process and the judging/determining severity that happens afterward.\n\nFurther details about Code4rena's incentive model and awards can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards. A detailed list of rewards for each warden for each bug per contest is available at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.", "Question: How is the bounty payout determined for a successful bug report submission?\n\nAnswer: The bounty for a successful bug report submission in CodeArena is determined based on a number of factors. Firstly, the quality of the submission is considered, with a higher quality submission potentially receiving a larger bonus. The severity of the bug reported also plays a crucial role; if a submitted high-risk finding is judged as low risk, the submitter will still be rewarded and vice versa. However, it's important to note that there is no reward increase for being the first one to submit a finding. \n\nThere's also a process in place for when multiple auditors report the same bug. In such scenarios, all auditors who reported the bug get a portion of the bounty. 
However, common findings that are usually picked up by the C4udit tool are generally out of the bounty scope. \n\nIf a submission is made but not rewarded, there's a process to review why the submission was not accepted once the report is out and the repo is fully opened. This allows the submitter to see the discussion among sponsors and judges on the specific issue and understand why their bug was not accepted, helping them improve their future submissions.\n\nLastly, participants should bear in mind that the bounty is not awarded immediately after a submission is recognized. You would need to wait for the payout to be processed. \n\nPlease note that each contest may have its own specific conditions and prize structure, but there isn't a specific bug-payout list for each contest. Also, the final report for a contest doesn't include wardens whose submissions/findings are not accepted. \n\nWe understand that the awarding process of the bug bounty can be difficult to understand. We are constantly working on improvements and clarity based on user feedback and queries. Please refer to the specific contest readme for detailed information on submissions and rewards.", "Question: Who is eligible to participate in mitigation-review contests and how can one become a certified warden?\n\nAnswer: Only certified wardens are eligible to participate in mitigation-review contests, private contests and certain other contests like the PolynomialFi. In some cases, participation may also be limited to the top wardens of the corresponding initial contest. \n\nTo become a certified warden, one has to participate in the audit contests and meet certain criteria such as encountering one high severity bug and competing in at least three contests. Additionally, there may be a requirement to participate in a certain number of contests and have a certain number of valid findings or reports. 
\n\nCertified wardens have certain benefits like getting earlier access to the findings repositories to assist with post-contest processes and viewing other submissions immediately after contests end, accelerating their learning process. They may also be invited back after contests to review bug mitigations in what is known as a \"Mitigation review contest\".\n\nHowever, even within certified wardens, there might be other conditions to meet for eligibility to join private auditing contests. For specific contests like the PolynomialFi, it's necessary to be a certified warden, even if participating as a team with a certified warden. \n\nYou can learn more about how to become a certified warden and participate in private contests at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.", "Q: How do I create an invoice for the rewards I received from a Code4rena contest and where can I find the necessary details like postal address and email for creating it?\n\nA: To create an invoice for your contest rewards from Code4rena, you will need the information that can be found at the bottom of this page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. The entity to be invoiced is the Code4rena UNA. \n\nIf you need to check if you have submitted your address for rewards, you can use the help form at https://code4rena.com/help. Remember that it's also possible to update your payment addresses from your Code4arena account screen: https://code4rena.com/account. If you forget your registration wallet address or if you don't receive an email after submitting a finding, you can seek help at https://code4rena.com/help. \n\nFor further information about the various rewards, the incentive model, and the awards, you can refer to this document: https://docs.code4rena.com/awarding/incentive-model-and-awards. 
If you have questions about the contest after it has closed or about the mechanism for prizes in contests, you may also submit a help desk request at https://code4rena.com/help. \n\nPlease note that for some contests, you might be required to complete KYC to receive prizes. More information about this can be found at: https://docs.code4rena.com/roles/certified-contributors.", "Question: What are the qualifications needed to gain backstage access at CodeArena (C4) and how can I apply for it?\n\nAnswer: To qualify for backstage access at CodeArena (C4), you must be a certified contributor and need to have participated in at least three contests. You can meet the qualifications by having either one high severity finding, three medium severity findings, or a QA or Gas report with a score of over 85. Once the findings are public and the contest results are published to the leaderboard, you can apply for backstage access. \n\nTo apply, you should submit a help desk request through this link: https://code4rena.com/help. Please provide all the relevant information pertaining to your contest participation and findings. \n\nOnce your request is submitted, it will be reviewed and you will receive a notification on its status. If a medium severity finding is deemed high, it will be raised unless there's a reason to penalize it (such as it being incomplete, lacking detail, or not as accurate). Furthermore, if a team submits 3+ medium severity findings and they are accepted, all members become eligible for the backstage role. 
\n\nMore detailed information about the certification process and backstage qualifications can be found at these links: \nCertification Process: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints\nBackstage Qualifications: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: What is the process of gaining backstage access at CodeArena and do I need to be certified?\n\nAnswer: Yes, being a certified contributor is a prerequisite to gaining backstage access. The certification process details can be found at [here](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints). To apply for backstage access, you first need to meet certain qualifications, which include a certain number of findings in different areas or of different scores, and having a valid high rating. Once you believe you meet these criteria, you can confirm your eligibility by submitting a help desk request [here](https://code4rena.com/help). More details about these qualifications and the process of applying can be found at [this link](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). Please note, even if you are certified, it does not automatically grant you access to the backstage areas. Each request will be reviewed and a notification will be provided once it has been evaluated.", "Question: I noticed on https://github.com/code-423n4/code423n4.com/pull/6700/files that there's a large discrepancy in rewards between two wardens for H-02, with one receiving 4127 USDC and the other only 0.84 USDC. Could you explain how the reward distribution works and why such considerable differences might occur?\n\nAnswer: The discrepancy in rewards between wardens for the same finding is primarily due to how rewards are distributed in our incentive model. 
If more than one warden submits the same issue, the reward is divided amongst them, with each person receiving less than half of the total reward. However, the level of detail in the submission can also influence the award amount, for example, the inclusion of a Proof of Concept (PoC), and the way the issue is covered in as many aspects as possible.\n\nFurthermore, the reward distribution model allows for duplicates. If the same bug is found by multiple wardens, the reward is divided in such a way that the best report typically receives more, while duplicates might receive less. The order in which duplicate issues are reported does not affect the amount awarded.\n\nLeaderboards, like the one found at https://code4rena.com/leaderboard/, can give you a clearer picture of what wardens are earning. You can also review a detailed list of rewards for each bug per contest through the findings.csv file at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.\n\nAs part of this distribution system, it's possible for some wardens to receive thousands of USDC, while others might only receive hundreds or less. Uncertainties or discrepancies are often discussed and addressed in our community, like in our Discord chatroom. For more details on the reward distribution and incentive model, please refer to https://docs.code4rena.com/#incentive-model-and-awards.\n", "Question: What is the process, timeline, and scope for participating in CodeArena's contests including the H-02 contest, and where can I find relevant information about it?\n\nAnswer: CodeArena (C4) hosts a variety of contests, both public and private, with different scopes including web applications. A specific contest named the H-02, part of the Biconomy Hyphen 2.0 series, is currently in review and its audit results are expected to be published in the coming weeks. 
\n\nThe timeline for a contest can vary, but generally, results are announced about two months after the contest ends. For larger contests, such as those involving over 12k sloc, the timeline could extend to 4 weeks. The company also runs week-long contests regularly. You can always inquire about the timing of the next audit event or contest on our Discord channel.\n\nTo participate in these contests, you need to be certified. The certified status grants you access to more contests. Teams are also welcome to participate in auditing contests. There's a new submission mechanism slated for implementation in upcoming contests; contestants can submit their findings using a form on the website dedicated to each contest.\n\nFor more specific questions about the scope of a contest, you can reach out to the respective sponsor. The amounts for a contest usually include a judging pot, and if your submission is related to gas reports or similar issues, we recommend confirming the validity of these issues before submitting.\n\nLastly, if you have a contest not showing up in the live section that was previously in the upcoming section, or you're interested in a contest referred to as a private contest, feel free to ask in our Discord channel for more clarity.\n\nTo access the detailed information about contests, including the H-02 contest, visit the Contests section on our website where we post the findings from contests, the number of participants, and other relevant information. 
You can also find updates about contests such as the FV contests, which are usually judged by Certora, in the same section.\n\nPlease note that more specific questions about contests, such as the \"steakhouse contest\", can often be answered by reading the relevant posts in our Contests section.", "Question: Can you explain the concept of a formal verification contest and how can one participate in it?\n\nAnswer: A formal verification contest, often referred to as an FV contest, is a type of competition that we at CodeArena run to analyze and audit smart contracts. Participants, including teams, are provided with opportunities to audit smart contracts in a competitive setting, similar to a bug bounty program. \n\nThese contests have a unique working mechanism, which may not always be visualized in status updates. Judgement is usually done by Certora, and the rules for the contests are framed by them. To participate, a KYC (Know Your Customer) verification is typically required. Some contests, such as the Versus contest or the PolynomialFi contest, require participants to be certified. Certified status grants access to more contests, and the certification requires encountering 1 high severity bug and competing in at least 3 contests.\n\nParticipants can submit their findings using a form on the website dedicated for each contest. The findings can include bug identification and even gas optimizations. The contests can sometimes be challenging due to their complexity, and tools like Echidna may be used for auditing.\n\nThere is a participation reward for each formal verification contest. The reward formula for some special contests like mitigation contests has been a topic of inquiry and discussion.\n\nTo get involved and stay updated about our contests, you can check our website and specific contest repositories. 
For the formal verification contest, you can get more information and participate by visiting the contest repository: [link](https://github.com/code-423n4/2023-01-blockswap-fv) and our website: [link](https://code4rena.com/contests/2023-04-party-protocol-versus-contest). \n\nPlease note that there's a consideration to release all unverified submissions a few days after a contest ends for learning purposes. You can find more details in this forum post: [link](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123).", "Q: What is the best way to submit a Proof of Concept (PoC) that is too large to be embedded directly in the issue report? \n\nA: If your PoC is too large to be embedded directly in the issue, it is acceptable to provide a link to the PoC using external platforms such as Gist. This method is known and implemented by many wardens. When submitting the PoC, you can include the link in the submission wherever relevant. \n\nHowever, bear in mind that a finding might be disregarded without a PoC unless the issue is extremely obvious. Therefore, it is recommended to always provide a PoC, either directly in the issue or through a link, to ensure your finding is considered. \n\nIf you're using GitHub to share your PoC, it is recommended to use a private gist to avoid exposing vulnerabilities to the public. You can find more information about sharing vulnerability discovery PoCs on GitHub [here](https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc). \n\nAlso note, while submitting an issue, it is beneficial to include a case for how an item can be exploited to avoid being marked as invalid. For instance, you can copy paste the code with a detailed comment about the bug itself and its impact. Here is an [example](https://github.com/code-423n4/2022-12-caviar-findings/issues/343) of an accepted PoC that you could use as a reference. 
\n\nIf your PoC involves a lot of code, you might want to consider adding it directly to the report under 'Proof of Concept' or linking it on some private repo on Github. More information about this can be found [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nFor additional guidance on how to provide a link on the finding form, this [link](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-a-permanent-link-to-a-code-snippet#linking-to-code) may be helpful. When referencing code in reports, you could either leave direct links to the code on GitHub or refer to a specific file and line number. \n\nLastly, remember that you are allowed to present your PoC in either code or plain English.", "Question: In a contest, I submitted two findings: one High related to buying NFTs with zero amount or potential direct loss of funds and another Medium. However, I see only a Medium finding being accepted. How is the severity of a finding determined and what happens if my findings are misclassified?\n\nAnswer: The severity of a finding is determined based on several factors including the severity of loss caused by the issue, external conditions, attack difficulty, and the presence of any preconditions. High consequences generally involve sizeable fund loss or other severe consequences and don't require preconditions, while Medium consequences usually have lesser impact and may require specific conditions such as high attack difficulty, specific market conditions, or user unawareness. \n\nIn the context of your High finding related to buying NFTs with zero amount or potential direct loss of funds, if all rewards can be lost, it's usually categorized as MED/HIGH. If there's a risk of losing some rewards, it's probably medium. If rewards are lost due to roundings (a small amount of rewards), it's probably QA. 
\n\nRegarding the acceptance of your findings, please wait until the report is published and the findings repo is made public to check on your submissions. Misclassification of a bug's severity doesn't necessarily lead to penalty unless the submission is lacking in detail or accuracy. Specifically, even if a High severity bug turns out to be only Medium, you will still receive the reward for a Medium bug. \n\nIf an issue originally classified as low in a QA report is later determined by judges to be medium, it would be eligible for medium rewards. Similarly, if a medium finding is actually deemed high, unless there's a reason to penalize it, it gets raised to high.\n\nFor each unique High or Medium finding, the submission selected for inclusion in the audit report receives a 30% share bonus. So, if only one High and one Medium issue are found, the reward distribution information can be found at: https://docs.code4rena.com/awarding/incentive-model-and-awards. The specific amount of prize money paid to each Medium/High risk can also be checked at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.\n\nOverall, to determine whether a finding is of high or medium severity, it is best to rely on experience and a careful balance of consequence and likelihood.", "Question: How can I review and validate my submissions, understand the status of my findings, and communicate with the judges in a contest?\n\nAnswer: Once you have submitted your findings to a contest on CodeArena, you can check the success of your submission by looking for a confirmation email. This email will also allow you to edit your submitted findings. You can view all your reports submitted during the competition at https://code4rena.com/reports after the contest ends.\n\nIf you notice 'No findings submitted for this contest' after submitting to a contest such as Escher, it's likely a temporary issue and your findings will be processed eventually. 
If your issues are not included in the award list, it might be because they've been rejected. The reason for rejection can be reviewed once the final report is published and the repository is fully opened. \n\nFindings and analysis of the reports are reviewed and triaged by judges immediately after a contest ends. They then await sponsor review, final judging, and Quality Assurance before being made public. This allows participants to see the discussion among sponsors and judges on the specific issue.\n\nParticipants will also get feedback from a judge if a submitted finding is marked as invalid. In some cases, the severity of reported bugs can be adjusted post-submission by judges. If an issue is marked as invalid, you can query this by monitoring the backstage channel for the post-judging stage of the concerned contest.\n\nPlease note that direct communication with judges is generally not advised. Instead, if you believe a high risk finding should be considered, you should argue your case in your submission. Judges' comments on contest submissions may also be visible, providing valuable insight into the judging process.\n\nWe are working on plans to allow certified contributors to view submitted issues immediately after a contest ends, and to comment or provide input on these issues during judging. This will help to increase the transparency of the judging process and provide participants with more immediate feedback.\n\nRemember, all participant queries about submission rules, findings validity, and contest details are welcomed and will be addressed as promptly as possible.", "Question: I have participated in multiple contests but only received results from one. How do these participations contribute to my standing in CodeArena, and what is the certification process like?\n\nAnswer: In CodeArena, participation in multiple contests contributes significantly to your standing within the community. 
For instance, if you've been part of three or more contests, it qualifies you for backstage access. However, to qualify for certification+, you not only need to participate but also need to have a substantial finding. For instance, either one high or three medium severity findings in three contests are required for a backstage pass, or meeting more stringent criteria such as being in the Top 3 in 3 contests or making a high finding could contribute towards your certification+.\n\nIt's important to note that while users are allowed to submit findings they are unsure about, getting more than 3 reports rejected in a competition will prevent the user from getting any payout for that competition. \n\nIf you're yet to receive results from your participation in a contest, it could be because the findings haven't been reviewed yet, as the time taken for project findings to get reviewed varies with each contest. It could also be due to potential issues while submitting findings for a contest. In such a case, despite submitting your findings you might see 'No findings submitted for this contest'. \n\nIf you have submitted issues for a contest but didn't make the award list, it's likely that your issues were rejected. You can confirm this by reviewing the available report. \n\nYou can track your past reports and cumulative results from contests on the leaderboard at https://code423n4.com/leaderboard/. \n\nShould you have any more questions or need further clarification on your contest participation or findings, you can raise your queries on our Discord chatroom where our community is actively engaged in helping each other. Remember, each participation counts towards your growth and standing in CodeArena.", "Q: I've noticed that the help page on the website shows an 'Out of Office' message. How can I access help resources and make help desk requests in the meantime?\n\nA: Apologies for the inconvenience and thank you for bringing this to our attention. 
We'll notify our development team about the 'Out of Office' message on the main help page. In the meantime, you can access our help resources and submit help desk requests through the alternative link https://old.code4rena.com/help/.\n\nIf you experience errors when submitting help requests or are having issues with site access, profile picture updates, or status updates, a help desk request can be opened at https://code4rena.com/help. Issues such as not receiving an email after registration or finding submission, changes to the leaderboard/contest results link, or corrections in report typos can also be addressed through a help desk request.\n\nPlease note that if you encounter an error when using the help form due to a space in your discord handle, or if you feel it's a security risk to make issue contents public, you can handle these by creating a help desk request. After submission, you will receive a confirmation that your request has been received. If required, you can also contact the Admin through a help desk request at this same link.\n\nHelpdesk requests are an important part of our process to ensure all user queries and issues are addressed promptly and efficiently. We appreciate your understanding and patience as we work to resolve the 'Out of Office' message issue on the main help page.", "Question: How can I effectively use Brownie for auditing and project testing?\n\nAnswer: Brownie is an Ethereum development and testing framework written in Python. It can be beneficial for mocking contract deployments which can be instrumental in auditing smart contracts. You can write your projects in Foundry and use Brownie for testing. However, while using Brownie, take note of certain stipulations such as project names are required to start with an alphabetical character. 
For more details on this, you can visit this link: [Brownie Project Naming Restrictions](https://github.com/eth-brownie/brownie/blob/0fa4477a178bd55b6683f60d077b7060df02b2c5/brownie/project/main.py#L740). \n\nPlease note that this information might not be exhaustive and there could be more specific instructions or rules involved during the process which will depend on the particularities of your project or audit. If you encounter any issues or have further questions, please feel free to ask for specific help.", "Question: How can I link my Code4rena profile with my Twitter account, and is this feature available only to certified auditors?\n\nAnswer: Users, whether certified auditors or not, can link their Code4rena profile to their Twitter account. This can be accomplished by submitting a help desk request with your warden name and Twitter URL at https://code4rena.com/help. This process is not exclusive to certified auditors, however, keep in mind that certified auditors have a few additional privileges such as the ability to participate in private audits and invitational audits. If you're interested in becoming a certified auditor you can find more information and apply at https://docs.code4rena.com/roles/certified-contributors and https://code4rena.com/certified-contributor-application. You can check your certification status by clicking your name to see assigned roles or through the email communication from Code4rena.", "Question: If an issue is submitted as a high severity issue but is downgraded to medium by a judge, will this be considered as an overinflated severity and therefore, be classified as invalid?\n\nAnswer: It's generally unlikely for the issue to be considered invalid simply because the severity was downgraded from high to medium by a judge. Code4Arena guidelines and judging criteria allow judges to adjust the severity of submitted issues based on their evaluation. 
The fact that an issue's severity was downgraded does not automatically mean it falls under the overinflated severity category and therefore is invalid. However, a crucial factor is the accuracy and completeness of the report. If a high severity issue is submitted without sufficient detail or evidence to demonstrate its impact, it may not only lead to a downgrade in severity but could also be deemed ineligible for awards.\n\nIn the case of misclassification, you'd still be awarded for the found issue unless the judges invalidate it, typically for reasons such as overinflating severity. If an issue is submitted with a low or QA severity, judges can elevate it to medium or high severity if the issue is described in detail and represents a considerable risk. The exact criteria for severity categorization can be reviewed at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization.\n\nJudges have full discretion to determine the severity of identified issues in submitted reports and change severity levels as necessary. For instance, if a medium severity finding is submitted but the judges believe it is high, the judges can upgrade the severity. Similarly, an issue identified as low severity or included in a QA report could be escalated to a medium or high severity, provided it meets the criteria and there's strong evidence supporting the escalation.\n\nIt's advisable for participants to carefully review the judging criteria before making their severity assessments and to provide strong evidence that supports their chosen severity level. This evidence can be crucial in cases where there's a discrepancy between a participant's severity assessment and the judges' evaluation. The judging criteria can be found at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk. 
Keep in mind that the final severity determination made by a judge can impact award levels.", "Q: How should I categorize and report a low issue/non-critical (QA) bug that also reduces gas? Should I include it only in the QA report and mention the gas savings, or should it be included in both the QA and Gas report? \n\nA: If you discover a low issue or non-critical bug (QA) that also results in gas savings, you should categorize and report it under the QA category but also mention the gas savings. However, if the issue is solely related to gas savings, you could categorize it as a Gas issue. \n\nRemember that CodeArena requires you to submit one Quality Assurance (QA) report per contest where all the QA issues are grouped together, and the Gas report should be kept separate from the QA report. Ideally, you should submit one comprehensive report for gas savings and another for QA issues. \n\nPlease ensure your report includes all the relevant details. Although QA and Gas Optimization reports are not required to be as comprehensive as high-severity issue reports, judges do consider both the quantity and quality of submissions when grading QA reports. A single item in a QA submission is unlikely to receive a high grade. For more information about reporting guidelines and judging criteria, please refer to these links: https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical and https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports. \n\nWhile it's acceptable to express uncertainty about categorizing a specific issue in your reports, it's important to remember that the goal of these audits is to ensure the highest degree of quality assurance and optimization in smart contracts. 
You can always ask for specific guidance in the CodeArena chatroom, and the community and judges are there to help you.", "Question: How can I create and format code for my reports on CodeArena?\n\nAnswer: To create and format code for your reports on CodeArena, you can utilize various tools and practices. If you are comparing two different lines of code or wanting to highlight changes, you can use the 'git diff' command in your terminal. To format the code in your report, you can use the Markdown (MD) format which supports adding code blocks. This can be done by surrounding your code with three backticks (```), and you can further enhance this by specifying the language for syntax highlighting, for example, for Solidity code you'd use ```solidity. \n\nTo add code with line numbers, there's a VS Code extension called \"Copy With Line Numbers.\" Another trick on Github is to click on the starting line of code, hold down ctrl + shift, and click on the last line for highlighting. \n\nThe method of providing code for a test, either by adding it directly to the report under 'Proof of concept' or linking it on some private repo on Github, depends on the length of the code. If mitigations are involved, you can also use markdown to write the code in the report.\n\nFor further detailed steps on adding code blocks in MD format, visit: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks. \n\nFor more information on how to include a proof of concept, visit: https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept. 
\n\nRemember, understanding code usually requires reading documentation or having previous experience with similar code, so don't hesitate to learn and ask questions in our community.", "Question: \nCan you explain the award distribution and grading system for Quality Assurance (QA) and Gas reports at CodeArena?\n\nAnswer: \nSure, at CodeArena, the rewards for Quality Assurance (QA) and Gas reports are divided based on grades A, B, and C, which are assigned according to the quality and gas savings of the reports. \n\nFor the grading system, Grade A reports are regarded as having 2 shares, Grade B as 1 share, and the best report receives a 30% bonus. The number of issues reported in a Gas and QA report doesn't necessarily determine the grade. For instance, a report could have one high-quality issue to be a grade B, or it could have multiple low-impact issues and still be a grade C. Therefore, the judges consider both the quantity and quality of submissions when grading QA reports.\n\nParticipants are encouraged to submit one comprehensive report each for gas and QA. All A graded QA reports receive the same award, regardless of the number of low findings. For submissions, please bear in mind that the QA and Gas Optimization reports don't need to be as comprehensive as reports for high severity issues.\n\nFree to explore more details about our grading system and award distribution on our documentation: [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards) and [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n\nPlease note, the awarding formula is subject to updates, and if a finding initially submitted as a low in a QA report is determined by the judges to be of medium severity, it will be eligible for medium rewards. 
You can find more about this on our [FAQ page](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).", "Question: How can I link my Code4Arena profile to my Twitter account, and is this function exclusive to certified auditors?\n\nAnswer: No, linking your Code4Arena profile to your Twitter account is not exclusively for certified auditors, it's available for all users. You can achieve this by submitting a help desk request at https://code4rena.com/help. When creating the request, make sure to provide your warden name and the URL of your Twitter profile. If you wish to be a certified auditor and participate in restricted audits, you can apply for certification at https://docs.code4rena.com/roles/certified-contributors. Certified auditors can also participate in private audit contests after completing the KYC process. Bear in mind, changes to your Code4Arena profile, such as changing your avatar or Twitter username, can also be made by creating a help desk request.", "Question: I'm new to auditing and would like to improve my skills by studying old contests and reading previous C4 reports. Could you recommend any resources or contests to get started?\n\nAnswer: Welcome to the auditing world! If you're looking to improve your skills, you are on the right path by wanting to explore old contests and audit reports. Participating in contests and reading past audit reports are common steps successful auditors take to enhance their understanding of the process. CodeArena conducts audit contests which are somewhat similar to bug bounty programs, and these can be good learning sources. \n\nFor upcoming contests, you can check the CodeArena website [code423n4.com](https://code423n4.com), where ongoing and future contests are listed. If you are interested in private audits, you could become a certified warden and get access to private contests. 
More details about this can be found [here](https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0).\n\nIf you are interested in learning from resources, you could start with [cmichel.io](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and [Code4rena's warden resources](https://docs.code4rena.com/roles/wardens/tools-and-resources). \n\nYou can find a comparison between bug bounties and C4 audit contests on our documentation page [here](https://docs.code4rena.com/). You could also reverse-engineer and understand old audit reports, which is another way contributors become auditors. \n\nThe #\ud83c\udfebeducation channel on our Discord server is a great place to start learning about C4 auditing, and we suggest keeping an eye on the #\u270brsvp and the potential #audit-reports channels for new announcements and updates. \n\nRemember, improving your auditing skills involves persistence and continually auditing codebases. Best of luck!", "Question: \nWhat is the distinction between the following two code lines: \"uint _last = lastUpdated[user]\" and \"uint last = lastUpdated[user]\" in the context of smart contract programming?\n\nAnswer: \nBased on the discussions observed in the chat, it seems the main difference between \"uint _last = lastUpdated[user]\" and \"uint last = lastUpdated[user]\" lies primarily in the naming of variable. The underscore before the variable name (_last) is a common naming convention used in Solidity for private or internal state variables. However, both of these lines of code essentially do the same thing - they declare a uint variable and assign it the value of lastUpdated[user]. The actual functionality and gas costs of these two lines should be identical, provided they are used in the same context.\n\nHowever, it's important to note that small changes in code can sometimes lead to significant gas saving differences. 
For example, there's a noticeable difference in gas costs between using 'for (uint256 i = 0; i < 1000; i++)' and 'for (uint256 i = 0; i < 1000; ++i)'. Also, constants can be cheaper than immutable variables as constants are calculated and filled in at compile time whereas immutable variables are read-only state variables. \n\nFor more information on Solidity and smart contract coding best practices, you may find the following resources helpful: Solidity Coverage (https://www.npmjs.com/package/solidity-coverage) and Solidity Metrics nSLOC (https://github.com/ConsenSys/solidity-metrics).", "Question: How can I effectively use 'git diff' and include code snippets in my report submission on CodeArena?\n\nAnswer: To effectively utilize 'git diff' in your report submission, you can create .orig files and run 'git diff' in the terminal of the project folder. This will give you a line-by-line difference between the original and modified text files, showing only the lines that have changed. If multiple lines have been altered, you can even send a git patch or a pull request to the repository for a more comprehensive view of the changes.\n\nWhen it comes to including code snippets in your report, it's important to note that simply adding a link to the sponsor's GitHub repo code will not automatically import the code snippet into the report. Instead, consider using markdown to add code blocks. Markdown and hackmd are tools known for enhancing report presentation and they support code block inclusion. To write code in markdown, you can use backticks (`). More on adding code blocks in markdown can be found in this guide: [Creating and Highlighting Code Blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks).\n\nFurthermore, you can include images or screenshots in your report, a feature that can be useful in presenting specific vulnerabilities. 
Information on how to do this can be found here: [Adding Images to Markdown](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images).\n\nRemember, the format of your report is crucial, thus choosing a writing platform that supports markdown is essential. Platforms like GitHub, Joplin, VSCode, Notion, etc. are good examples. The preview tool in Visual Studio has also been suggested as a helpful tool for formatting reports.\n\nLastly, please note that HTML tags are not supported on the findings report page, so it's advised to use Markdown instead. If you encounter any discrepancies or issues while creating or submitting your report, please feel free to create a ticket for assistance.", "Improved Question: \nShould I compile all my non-critical findings into one Quality Assurance (QA) report, or should I create separate QA reports for each finding, and how do I differentiate this from gas reports?\n\nImproved Answer: \nFor non-critical and low severity findings, it is recommended that you consolidate them all into one combined Quality Assurance (QA) report. Similarly, all findings related to gas optimization should be put under one separate report. This means you should ideally have one comprehensive report for QA issues and another for gas issues. \n\nIn cases where a finding is relevant to both QA and gas savings, it can be included in either report, and our judges will decide where it best fits. However, for medium and high-risk findings, each finding should be detailed in a separate report. \n\nKeep in mind that the evaluation of QA reports is based on both the quantity and quality of findings. Despite the number of low findings, all A graded QA reports will receive the same award. Also note that incorrect findings in a QA report can affect your QA grade. \n\nRemember, you are allowed to edit existing findings for more detail. 
If you are unsure about how to categorize certain findings, consult the following links for further guidance: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Q: How do I check the status of my report submission and view or edit my findings on CodeArena?\n\nA: When you submit a report for the first time on CodeArena, there are several ways to check your submission status or report. You should initially receive an email verifying your submission. If you don't receive this, or you encounter an error during submission, don't worry. All your submitted reports can be viewed or edited through the \"Findings\" tab on the contest page. To get there, click on \"View Contest\" on the C4 Contest page and then select the \"Findings\" tab. \n\nYou should see a list of all your submissions for the respective contest. You can edit your findings if needed by clicking on the 'your finding' button on the contest page. If you submitted your report during a contest, it may take some time for your submission to be confirmed via email. If the submission fails, the form should ideally return an error. \n\nAfter a contest has ended and the judging process is in progress, you will not be able to see the status of your submissions until the report is published and the findings repo is made public. You can also check whether your submissions were accepted at https://code4rena.com/reports. \n\nPlease note that if you submitted issues for a contest but did not make the award list, it's likely that your issues were rejected. In such cases, you can review the available report to confirm this. 
\n\nFor further examples of how to make a high-quality submission, check previous reports at https://code423n4.com/reports. If you encounter any challenges during this process, you are welcome to submit a Helpdesk request. \n\nRemember, your findings and submissions are crucial to the function of CodeArena. Thank you for your participation and engagement.", "Q: How can I report a spammer on CodeArena and check the status of my report?\n\nA: If you spot a spammer on CodeArena, you can report them by providing a detailed description of the issue. You can provide your reasons for flagging the issue directly in the report itself. Your report will then be evaluated by our team, who will take necessary actions based on the severity of the issue. Remember, there's no penalty for wrong reasoning as long as your report is not spam itself. \n\nAfter submitting a report, you will receive an email confirmation regarding the successful submission. If you do not receive this email, we recommend checking your spam folder. This email might be sent from \"compliance@provenance.company\" or another official CodeArena email, so be sure to add us to your trusted contacts list. \n\nTo check the status of your report, you will need to follow the instructions provided in the confirmation email. If you encounter any difficulties, such as the error \"API rate limit exceeded for user ID...\", or are unsure about the severity of an issue you've reported, please reach back out to us so we can assist you further. \n\nKeep in mind that if there's a centralization risk you feel should be flagged, you can report it and let our judges make the final call. If you disagree with a sponsor about the scope of an issue, we encourage you to still report the issue. \n\nWe value the contributions of our community in maintaining a healthy and spam-free platform. Your help in reporting spam and other issues is greatly appreciated. 
\n\nNote: If you're receiving unwanted direct messages or suspect a potential scam, consider using Hashbot (https://Hashbot.io) to detect potential scammers. You can also report potential scams to us, following the same reporting procedure as for spammers.", "Q: What is the process for submitting, viewing, and discussing findings in CodeArena?\n\nA: At CodeArena, when you submit a finding during a contest, only you (or your team) and the sponsor can see the submitted findings. The findings remain private until the final report is published. It's important to note that the submitted findings may not be editable by the original author, though you can update the format of your findings. \n\nOnce the final report comes out and the findings repository becomes public, all the findings will be visible to everyone. The findings repositories are held private until then to facilitate learning from others. New participants are particularly encouraged to look at the findings of other wardens.\n\nYou can find feedback for your submitted findings and check your submission without modifying it. If you have a question about the reasons your findings were rejected, you can check the findings report repositories. However, the location of these repositories might not be clear to all participants. \n\nYou don't need to confirm your findings with the project's developers before submitting them. It's up to you as the warden to believe a point is a valid finding and submit it. Discussing potential findings with a sponsor over Discord or other private messages does not invalidate the finding. However, specific findings should not be discussed until the report has been posted for the contest in question. \n\nIt's also worth mentioning that there have been instances of privilege abuse involving sharing information about findings for judging in progress with others who did not have backstage access. 
Access to certain resources, such as the findings page, seems to be restricted based on certain user privileges. \n\nWhile there is no official incentive, users often report non-critical findings out of goodwill. Even after a contest is over, participants are discouraged from discussing their findings publicly if the final report has not yet come out.", "Q: What are the recommended resources and tools for learning and applying the testing framework of Hardhat and Foundry for auditing smart contracts?\n\nA: We recommend using a combination of resources and tools to understand and apply the testing framework of Hardhat and Foundry for auditing smart contracts. For learning the framework, you could start with the Codecademy JavaScript testing module and the Alchemy University\u2019s Ethereum Bootcamp in week 4. Both of these resources provide a comprehensive understanding of the testing process in the Ethereum ecosystem. \n\nIf you're planning to use Hardhat for testing, remember it's capable of forking its state from a public testnet or even the mainnet, which can be convenient for testing smart contracts. If you're interested in testing code coverage, you may find the Hardhat gas report plugin useful to benchmark your code for gas savings. It can be activated using the command \"REPORT_GAS=true hardhat test\" in package.json.\n\nFor those who are considering Foundry, keep in mind you can use it in conjunction with Hardhat. Foundry is a versatile testing framework that offers tools to assist in checking things like storage. It can be used in a project that employs Hardhat. A base template can be found at [Foundry Hardhat Template](https://github.com/foundry-rs/hardhat-foundry-template). If you need an equivalent for \"upgrades.deployProxy\" from Hardhat in the context of Foundry, you can refer to this [GitHub link](https://github.com/chugsplash/chugsplash-foundry).\n\nFor testing contracts downloaded from Github, you may find tools like Mythril and Slither helpful. 
There's also a tool named \"foundry debug\" to debug hardhat tests/introspect contract execution at the EVM opcode level.\n\nIn the context of learning and practicing, resources such as Ethernaut challenges and Damn Vulnerable DeFi are recommended: [Ethernaut](https://ethernaut.openzeppelin.com/) and [Damn Vulnerable DeFi](https://www.damnvulnerabledefi.xyz/). For beginners interested in smart contract bug bounty hunting, resources like [Cryptozombies](https://cryptozombies.io/) for Solidity and [Capture the Ether](https://capturetheether.com/) for Capture the Flag challenges can be beneficial. \n\nFurthermore, for beginners in the space of smart contract auditing, you can start learning from resources such as [cmichel.io](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and [Code4rena](https://docs.code4rena.com/roles/wardens/tools-and-resources).\n\nRemember, the process of learning and applying a testing framework can be complex and may require an understanding of advanced solidity, developer experience, and even an understanding of web2 security in the context of web3 security. However, with time, practice, and the right resources, you can become proficient in auditing smart contracts.", "Q: Do potential medium findings need to include a Proof of Concept (POC)? \n\nA: Yes, it is highly recommended that medium findings include a Proof of Concept (POC). POCs are used to demonstrate the feasibility of an approach or concept in relation to identified vulnerabilities. A well-constructed POC provides clarity regarding the issue and can significantly increase the chances of the report being selected. In some cases, providing a POC might lead to a 30% bonus. It is acceptable to provide a POC in either code or plain English. If a participant cannot provide a POC for a medium severity bug, their finding may be disregarded unless the bug is extremely obvious. 
If the severity of a finding is unclear, it is advised to continue working on the POC until it becomes clear. \n\nIf the POC is lengthy, it can be submitted using external platforms such as Gist, or by creating a public GitHub repository or providing a diff of an existing sponsor-supplied test/contract. Images can also be included as part of the POC by linking them externally. POCs can also be included in the report submission. If you have written a POC script for a vulnerability, you can include the link in the submission where relevant.\n\nHowever, it's important to note that providing a coded POC, while beneficial, won't directly affect awards or contest outcomes as per C4 guidelines. You can find more instructions on how to include a POC at [https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nLastly, if you're unsure about the specification of a finding, it's advised to submit your findings or direct message the sponsor team for additional context.", "Q: I'm encountering an error when running the `forge init` command in CodeArena, what could be the cause and how can I fix it?\n\nA: The `forge init` command is designed to run only on clean directories. Therefore, one possible cause of the error could be the presence of other files or directories in the location you're trying to initialize. To resolve this, create a new, empty folder, run `forge init` within it, and thereafter manually copy the files you need into the freshly initialized project directory.\n\nHowever, it's worth noting that other factors might be contributing to the error. For instance, there have been reports of the error message \"Source from artifact has no AST\" when running `forge debug` on a hardhat project that has foundry integration. 
If this is the case, remember that Foundry can be used in a project that employs Hardhat, and a base template for this integration can be found at https://github.com/foundry-rs/hardhat-foundry-template. \n\nAnother potential solution could be installing dependencies using the `forge i` command or 'npm install foundry', especially if the error is related to a lack of certain dependencies. The `forge install` command relies on git submodules, so your libraries are not lost.\n\nRemember that Foundry can also be installed with Docker, which could resolve some dependency issues. If you're having trouble with this, there have been questions raised about the installation of Foundry with Docker in our Discord chat, and you may find further help there.\n\nIf your error persists, you may want to seek additional assistance. Despite the occasional report of errors when submitting help requests, we encourage you to report your issue so we can provide further assistance.", "Q: Can you elaborate on the significance and best practices concerning the two-step procedure for critical changes in smart contracts?\nA: The two-step procedure refers to a process where changes to critical variables in smart contracts are executed in two stages. Initially, the change is proposed and subsequently, the change is executed. This practice is notably used in OpenZeppelin's Ownable2Step contract. \n\nThe two-step procedure is considered safer and a better practice when dealing with critical addresses as compared to a one-step change, as it can help prevent errors such as passing in the wrong address. 
This practice is particularly important for changes involving access controls where the severity level for not using a two-step transfer pattern is classified as low, as per the link: https://github.com/byterocket/c4-common-issues/blob/main/2-Low-Risk.md#l004---use-two-step-transfer-pattern-for-access-controls\n\nIt's important to note that when reporting issues related to a two-step procedure in smart contracts, the severity should be assessed based on its impact. Guidelines for estimating risk and the potential severity are provided at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. The risk estimation process ranges from non-critical to high risk, and it's crucial to provide evidence in support of chosen severity. \n\nIn cases of uncertainty about the severity of a reported issue, it's advised to review the judging criteria and make a case for the chosen severity using evidence. If medium or high-risk vulnerabilities are identified, it's recommended to add test codes as Proof of Concepts when writing reports. \n\nRemember, if a two-step process is not followed in making critical changes, it can potentially lead to vulnerabilities categorized under different severity levels depending on their impact. Therefore, implementing a two-step change procedure is a recommended best practice for making changes to critical variables in smart contracts.", "Q: I'm new to Code4rena. How can I effectively read and understand smart contract audit reports, particularly those related to reentrancy?\n\nA: Understanding and interpreting smart contract audit reports, especially those related to complex vulnerabilities such as reentrancy, can be challenging at first. Here are some suggestions to help you navigate through this process:\n\n1. Start Small: As a beginner, it is beneficial to start with reports from smaller bounty contests. These typically involve smaller codebases and have less complexity, making it easier for you to comprehend. \n\n2. 
Read and Explore: Regularly read reports on our website https://code4rena.com/reports. By going through multiple reports, you would not only understand the structure and the level of detail required but also get exposure to various kinds of issues and their solutions. \n\n3. Learn from the Winners: High quantity and high-quality reports usually win in CodeArena contests. For better understanding and benchmarking, you can compare your findings with winning reports such as this one: https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues.\n\n4. Understand the Codebase: You must have a basic understanding of the codebase before diving into the reports. This often involves reading the documentation or having prior experience with similar code.\n\n5. Learn from Mistakes: code4rena releases both valid and invalid issues when reports are out. You can learn a lot by understanding why certain findings were rejected.\n\n6. Participate Actively: Actively participate in contests and try to create your own reports. Even if you face challenges initially, persistence will help you improve your auditing skills.\n\n7. Seek Help: If you're still having trouble, don't hesitate to ask questions in our chatroom. Our community is always ready to assist!\n\nRemember, mastering smart contract auditing is a process. Don't be discouraged if you don't understand everything at once. With time and practice, you'll get there!", "Question: How can I submit, revise, or resubmit a gas report for a CodeArena contest, and what are the restrictions and guidelines I need to be aware of?\n\nAnswer: Within a CodeArena contest, you are allowed to submit one combined gas report and one combined QA report. It's recommended that you compile all findings into a single, consolidated report for each of these areas. If you need to add or revise your findings, you can do so by visiting the contest page and clicking on the 'Your Findings' button. 
This enables you to edit existing findings and add more details to your report while the contest is still open.\n\nIf an issue arises where your report exceeds Github's max character limit for issue descriptions (~65k characters), you may submit a placeholder and send the full report via email to submissions@code423n4.com. More information on what to do if your report is too large can be found [here](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form).\n\nWhen submitting a gas optimization report, it's recommended to include snapshots of how much gas would be saved via the refactored code. However, the necessity to specify how much gas is being saved for each optimization can be based on the judge's decision.\n\nRemember, the aim is to ensure that all your findings are included and clearly stated in your report. If you initially submitted a report from a personal account by accident, you can resubmit it from the team's account. \n\nFor more detailed information on how to submit reports for contests, you can visit CodeArena's report submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#report-format).", "Q: After completing my registration with Provenance and receiving approval for my KYC, what are the next steps I need to follow to get the designated role on Code4rena?\n\nA: Upon completion of your registration and KYC approval with Provenance, they will notify us and we will process your role on Code4rena. The role processing typically takes a few days. If you have received a confirmation email from Provenance regarding your KYC, please note there may be a waiting period before your role is updated. \n\nKeep an eye on your email, including your spam folder, for a KYC confirmation from either \"kobus@provenance.company\" or \"compliance@provenance.company\". 
If you don't hear anything within a few days, feel free to open a help desk request at https://code4rena.com/help. \n\nIn the meantime, you can check the status of your application and learn more about the process and requirements for becoming a Certified Contributor or a Certified Warden in the Code4rena community at https://docs.code4rena.com/roles/certified-contributors.\n\nPlease be patient as the KYC process can sometimes take a while, depending on the communication between you and Provenance. It's also important to be aware that joining a private audit requires the completion of the KYC process and obtaining certification. \n\nRemember, the selection of Provenance as a KYC provider was based on recommendations from other Cayman-based vendors. At Code4rena, we will always strive to ensure the process is as smooth and efficient as possible for you.", "Question: I am new to auditing and would like to start reading past reports to understand them better. Which reports should I begin with and how can I keep track of new reports being published?\n\nAnswer: As a beginner, it's a good idea to start with reports from smaller bounty contests due to their smaller codebase sizes and less complexity, these can be found at https://code4rena.com/reports. Reading these past reports can help you to understand how issues are reported and graded, as well as how to categorize findings. It's important to note that the issues in the published reports might be the same as those reported initially, but this point is not entirely clear. \n\nTo improve your auditing skills, you should also look at how similar issues were judged in the past, and make the best and clearest case possible for your findings. Participating in contests is also suggested as a way to gain a better understanding of audit reports.\n\nA batch of reports is expected to be published soon, and users have expressed interest in being notified when a new report is published. 
The process for this is not yet defined, but we recommend regularly checking our reports page for updates. Also, once the findings repository becomes public, you will be able to look at the findings of other wardens as well. \n\nRemember, a high-quality report should aim to include the issue, a description, proof of concept (where necessary), and mitigation (where necessary) in a semi-professional report format. Even if you have no significant findings, you can still submit an analysis report to provide advice on things to take into account for the future of the project. And finally, remember that not all reports or findings are guaranteed a reward. Reports are graded based on a relative score compared to other reports and must meet quality standards to be considered valid and satisfactory.", "Question: When might a warden receive a score of 0 and therefore, no award for reporting a medium severity issue in Code4Rena contests?\n\nAnswer: A warden might receive a score of 0, thus no award, for reporting a medium severity issue in a few instances. This might happen if the issue was also discovered by multiple other wardens, leading to a diminished reward due to the distribution of rewards based on the number of discoverers. Also, if the issue was initially reported as low severity in a Warden's QA report but was later evaluated and upgraded to medium severity by the judges, it could result in no reward. \n\nFurthermore, although it's unclear from the chat records, if a warden reports a medium severity issue that gets downgraded to low severity or dismissed altogether due to a lack of evidence, judges discretion, or other reasons, they might also receive no reward. It's crucial to note that the judging is done based on specific criteria available at https://code423n4.com/judging-criteria/, and it's recommended for wardens to review these guidelines before assessing the severity of issues. 
\n\nLastly, if the reported issue turns out to be a mistake on the warden's part, based on previous instances, no penalty is applied but it might result in a zero score. It's always advisable for wardens to seek clarification when in doubt, to maximize their chances of receiving an award.", "Question: I have forgotten the wallet address I used to register on CodeArena or wish to change it, what steps should I follow?\n\nAnswer: If you have forgotten the wallet address you used to register or want to change your wallet address on CodeArena, you have several options. Firstly, if you have submitted reports before, you might be redirected to a confirmation page instead of the registration page when you connect your wallet. \n\nIf you are looking to change your registered wallet address, you can do so by following the instructions at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. \n\nIf your wallet was compromised, it is also advisable to generate a new private key and use a new wallet to prevent further attacks. \n\nAdditionally, it's possible to update the wallet address used in a finding after the finding has been submitted and before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. Please note due to the complexity of changing wallet addresses, participants are requested to DM only if the change is extremely important, such as when the old wallet was hacked. \n\nLastly, participants can also use a new wallet address in reports going forward and rewards for the report will then be distributed to the new address. \n\nRemember, if you lose the seed phrase from your wallet, follow the steps mentioned here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked. You can confirm your updated wallet by checking the wallet address with which you registered, using polygonscan.com or wallet trackers like debank.com. 
\n\nAlways ensure you have registered your correct handle and ETH address to receive shares. For any additional assistance, please visit: https://code4rena.com/help.", "Question: I've received a confirmation email for my application, but the further process seems to be delayed. How long should I expect to wait for the next steps?\n\nAnswer: The time for processing applications can vary based on various factors, but it usually takes a few business days. For instance, the Know Your Customer (KYC) process is generally completed in a few days, although some users have reported waiting up to 10 days in certain cases. Similarly, the approval of teams for contest participation, or the updating of roles after approval from Provenance, also often takes a few business days. The status of your application process, whether it's the KYC, Certified Warden verification, or other, is typically updated via an email confirmation. \n\nPlease keep in mind that there can be delays due to data processing or other unforeseen situations. In case you haven't received an update after a reasonable period, you are encouraged to follow up on the status of your application, and you should get a response within a week. Also, remember that receiving a confirmation email does not necessarily mean that the process has been completed, as there may be further steps or additional correspondence needed. \n\nIt's important to consider the back-and-forth communication that may be required between you and Provenance, which can extend the time required for the process. If you experience significant delays or encounter other issues, please submit a help desk request, which is typically reviewed within 1-2 business days. You will also receive a confirmation that the request has been received.\n\nWe understand the waiting period can be frustrating at times, but rest assured that we are doing our best to process all requests as quickly as possible. 
We appreciate your patience and understanding in this matter.", "Question: How do I update or change the wallet address associated with my CodeArena account?\n\nAnswer: You can update or change your wallet address in your CodeArena account by following these steps:\n\n1. Go to the Manage Account section on your C4 account screen. You can access this directly at https://code4arena.com/account.\n\n2. Within your account settings, you have the option to update two different types of wallet addresses: the login wallet and the payment wallet. The login wallet is set up when creating the account and the payment wallet is where your rewards for audit reports are distributed. Make sure to update the correct wallet based on your needs.\n\n3. If you want to update your payment address, you can do so in the user profile section. If you intend to use a new wallet address in your reports moving forward, the rewards for these reports will be distributed to the updated address.\n\n4. If you are unsure whether you have already submitted your address for rewards, you can check this by submitting a help form at https://code4rena.com/help.\n\n5. After updating your wallet address, you can verify the change by checking the address you registered with, using polygonscan.com or wallet trackers like debank.com.\n\n6. If you encounter issues or require further assistance, such as receiving an unexpected email regarding the updating of your payment address, please contact the help desk.\n\nRemember that using a two-step change process with critical addresses is considered safer and better practice than a one-step change to help prevent errors. Always keep your private keys secure to prevent future attacks on your wallet.", "Q: I won a contest on CodeArena and I'm unsure of how and when I will receive my award. Can you provide the details?\nA: Yes, congratulations on your win! 
After the contest results are announced, the awards are manually distributed in batches for multiple contests at a time. The rewards are sent to the wallet address you provided at the time of participation. If you need to update your wallet address, you can do so following the guide here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards.\n\nThe distribution process can take between 1-2 weeks post announcement, so please be patient. They are typically transferred once a month, usually at the beginning of the month. You can keep an eye on the announcement channel for updates regarding distribution.\n\nPlease note that in some instances like in the Chainlink contest, you may need to verify your identity after the contest to receive the payout. Also, while most contests do not require you to be KYC'd or certified to receive awards, some do. It's always clearly stated if a particular contest has such a requirement. More information on this can be found here: https://docs.code4rena.com/roles/certified-contributors.\n\nIn some cases, the awards are distributed on a different network, like the Polygon network for Fairside awards. If you have participated as a team, the award is sent to the single wallet used during registration. If there's an issue regarding KYC, it's not entirely clear whether the award will be on hold or forfeited, so it's best to complete the KYC process if required.\n\nLastly, if you need to create an invoice for your awards, you can find the necessary information at the bottom of this page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions.", "Question: I noticed that \"Looksrare\" and \"lsd-network-stakehouse\" reports which were previously available have disappeared from the report page. 
Is this a known issue and should I raise a ticket regarding this?\n\nAnswer: Yes, it appears there have been updates to the result list, including reports being removed. This could be due to a variety of reasons such as accepted findings not being merged or potential issues with GitHub. If you notice any discrepancies or issues with the reports, you are encouraged to create a ticket - this also applies to links to the repositories in contests not working or any other errors. \n\nYou can view reports from other wardens even after contests have ended on our platform. However, visibility might be compromised if there's no table with results. Reports are usually sorted by publication date and can be found here - https://code4rena.com/reports. \n\nThere were queries about specific reports not being available, such as the \"Blockswap FV contest\" in the \"Past competition status updates\" or some reports not being featured on the homepage after February \u2013 this was due to changes in our report and rewards calculation system. \n\nPlease note that project owners cannot see the findings as they are reported to protect the integrity of the process. If funds are at risk on mainnet, it's advisable to reach out to the staff via a help request. \n\nWe appreciate users' patience as we continue to improve our platform and process. We also understand the need to track the status of past reports and are working towards making this process more efficient. \n\nIf you experience issues with the visibility of your reported issues on the Issues page or do not receive a response after sending a ticket, please let us know. We appreciate your assistance in helping us improve our system.", "Question: I've seen my name in the award list, but it's not reflecting on the leaderboard. How long does it take for the leaderboard to update and what factors might affect this update?\n\nAnswer: The leaderboard typically updates when the awards are announced, however the exact timeline can vary. 
This delay might be due to a number of factors. For instance, not all contest types are currently supported on the leaderboard. Furthermore, the leaderboard ranking takes into account both the current contest and your total participation in other events. \n\nThe leaderboard also gets updated once certain processes are completed. For example, the judges need time to review the findings, which can take about 8 weeks, and there may be delays if there are issues with the award list or if there are several pending contests whose awards need to be calculated. Moreover, there might be adjustments made to the leaderboard to correct any inconsistencies, such as items being double counted.\n\nIf your name is not mentioned in the report, it does not affect your future submissions, but it might have a minor impact on your leaderboard ranking. Please note that there can also be a delay in publishing the final report on the C4 website after the leaderboard is shown and the rewards are sent. \n\nKeep in mind that the default setting for the leaderboard shows the last 60 days' results, but you can adjust the settings to view results for a specific timeframe. Once the data has been reviewed and the leaderboard has been updated, you can apply for backstage access.\n\nWhile we strive for accuracy and timeliness, we appreciate your patience and understanding as we work to ensure all information is correct and up-to-date.", "Question: How does the leaderboard update process work at CodeArena?\n\nAnswer: The leaderboard at CodeArena is typically updated every time awards for a contest are announced. However, it's important to note that not all contest types are currently supported for leaderboard updates, such as Versus or bot races. \n\nThe leaderboard updates are carried out once several of the process pieces have been put together. The leaderboard ranking is impacted by the current contest and the total participation of a contestant. 
The points for the 60-day leaderboard are calculated from the day of the contest announcement and may expire 60 days after the contest ends.\n\nOne key issue observed in the past was rewards being announced before the leaderboard was updated. Also, there were instances of items being double-counted in the leaderboard. Such issues are addressed promptly, and updates are scheduled as soon as they are identified.\n\nA participant can earn the \"leaderboard\" tag in their profile by placing in the top 5 in a contest and receiving the reward. After each contest ends, users can check the number of overall issues they reported at [CodeArena Leaderboard](https://code4rena.com/leaderboard). \n\nThe leaderboard primarily shows the last 60 days of results by default, but settings can be adjusted to view results for a specific time period. An individual's name can appear twice on the leaderboard, once individually and once as part of a team. \n\nIt is also worth noting that the final report of a contest might not immediately appear on the CodeArena site after the leaderboard is updated and rewards are sent. It is recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project.\n\nThere have been suggestions for improvements to the leaderboard, like introducing different timelines (all-time, last 3 months, etc.), adding badges for various achievements, and creating leaderboard seasons. However, these are still under consideration.\n\nIn case of any issues or requests for changes to the leaderboard, contact can be made through the help desk at [CodeArena Help](https://code4rena.com/help). Please note that while efforts are made to ensure accuracy, there may be occasional discrepancies or delays in leaderboard updates. 
\n\nFor more detailed information on the leaderboard, please visit the [GitHub page](https://github.com/code-423n4/code423n4.com/issues?q=leaderboard).", "Question: How can I qualify for and obtain the backstage role at CodeArena?\n\nAnswer: To qualify for the backstage role at CodeArena, you must first become a certified contributor. This requires identifying a certain number of significant findings in different areas or of different scores. Once you believe you meet these criteria, you can apply for the backstage role by submitting a help desk request. Keep in mind that the backstage role allows you to view issues reported for a contest on the website and reports of past contests. The detailed process and requirements for obtaining the backstage role can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. Please note that the availability of backstage functions may vary, and the process to get the backstage role can be requested through the help desk once all criteria are met.", "Question: How can I, as a warden, find and understand how my findings were judged?\n\nAnswer: As a warden, your findings are judged based on specific criteria and you can review this process by following a few steps. Every finding you submit creates a JSON file, which is linked to an issue. To find this, you need to check the data folder in the findings repository for JSON files named as [your-warden-handle]-[issue number]. \n\nWhile the findings reports become public once the final contest report has been published, you have the privilege to see the judging results even before they are published. If you see any issues or have concerns, you can raise them to the judge for reconsideration. However, this privilege is only for certified wardens who can view the findings repository immediately after a contest ends. \n\nTo assess the severity of the issues, it's recommended that you review the judging criteria at https://code423n4.com/judging-criteria/. 
If there is any uncertainty about the severity of a reported issue, make a case for the chosen severity using evidence, reviewing guidelines, or looking at how similar issues were judged in the past. \n\nRemember, all findings have to be treated as private and confidential until the contest report is made public, according to the professional conduct guidelines for certified wardens at https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines. \n\nFor any concerns or issues, you can seek clarification from wardens. If you want to get more involved, wardens can apply for Certified+ status, which allows early access to findings immediately after contests end. You can learn more about this at https://docs.code4rena.com/roles/wardens/sub.\n\nPlease note, the judges have the authority to mark an issue to have a higher or lower risk than the proposed risk by wardens if they deem it necessary. If a finding is classified as low risk in QA but is judged and confirmed as medium risk by other wardens, the judge will usually upgrade it automatically.", "Question: What is the process and timeline for the calculation and announcement of contest results, leaderboard updates, and reward distribution at CodeArena (C4)?\n\nAnswer: The process of announcing contest results, updating the leaderboard, and distributing rewards at CodeArena involves several stages, including the review of findings, the calculation of awards, and various forms of publication and announcement. \n\nThe timeline for this process can vary, but typically it takes about 8 weeks for the judges to review the findings and create the leaderboard after an audit contest ends. Once sponsor review and judging are complete, getting awards and reports out can take less than a week.\n\nAwards are typically announced in the #\ud83d\udce2announcements channel on our Discord server, and the leaderboard gets updated every time these awards are announced. 
However, there might be a delay in the update or announcement due to various reasons, such as changes in the award calculation process, or delays in judging or report publication.\n\nIt's important to note that not all contest types are currently supported on the leaderboard and the findings submitted for contests may not always make it to the final report. If a participant's name isn't mentioned in the report, it doesn't affect future submissions, but it may have a minor impact on the leaderboard ranking. \n\nThe final report and the leaderboard are made publicly available on the C4 website, but there could be a delay in their availability. It's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project.\n\nWhile participants can apply for backstage access as soon as the contest results are published on the leaderboard, they cannot view the findings of a contest after it finishes but before the results are published. The process of getting findings reviewed varies with each contest.\n\nLastly, there is an ongoing effort to improve our leaderboard system to accurately reflect a user's accomplishments, including fully accounting for a user's participation in all contests. We appreciate your patience and understanding as we work on these enhancements.", "Question: How can I request backstage access at CodeArena (C4) and what criteria do I need to meet?\n\nAnswer: To obtain backstage access at CodeArena, you must first be certified as a contributor. There are specific qualifications that must be met, which can include a high severity finding, three medium severity findings, or a QA or Gas report with a score of over 85. If you have participated in three contests and have either one high or three medium findings, you're also eligible. \n\nOnce you've met the qualifications, you can submit a help desk request for backstage access. 
If you believe you meet the criteria or would like to verify your eligibility, please submit a request at https://code4rena.com/help. \n\nThe backstage role at CodeArena has additional minimum criteria. For detailed information about backstage access, its prerequisites, and the certification process, please refer to the documentation at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens and https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.\n\nApplications are reviewed and notifications are provided once the review is completed. Please note that backstage access was previously based on a trust model, but future access may incorporate constraints or consequences.", "Q: How can I understand the judging process for my findings, modify them if needed, and know the reasons if they were rejected in the CodeArena contests?\n\nA: If you have submitted findings in a contest and aren't clear on how they were judged, you can seek feedback from judges to understand the reasoning behind the decision. This can aid your learning and show you areas for improvement. If a finding is marked as invalid, you'll receive additional feedback from a judge. \n\nIn case you need to modify a submitted finding, a help desk request can be made including all the necessary details and updates before the contest ends. Please note, after the contest closes, editing of findings is not possible and any required changes need a help desk request. To edit a finding or to withdraw a wrongly submitted analysis, visit the help desk at https://code4rena.com/help. \n\nIf you're unsure about the severity of an issue or you disagree with its assessment, you can make a strong case to escalate it. You can also cite similar findings from other contests to justify your argument. \n\nIn the event of a disagreement with the judge's or sponsor's decision, there is an appeal process in place for valid findings that have been classified as invalid. 
This process is detailed in the section at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision. \n\nTo understand why certain findings were not accepted, you can check the findings report repositories. The reasons for rejection are usually provided. However, if your report isn't mentioned in the responses, this could be due to being listed as automated findings which are not awarded or being rated as grade-c in the judgment procedure.\n\nRemember, participants are encouraged to submit findings even if unsure due to lack of specification in documents. The advice is to submit these findings or direct message the sponsor team for additional context.", "Q: When submitting gas reports for smart contract audits in CodeArena, is it necessary to provide a Proof of Concept (PoC) for the gas saved, or is simply describing and citing the amount of gas saved enough?\n\nA: The requirement for exhibiting a Proof of Concept (PoC) or simply stating the amount of gas saved in your gas reports often depends on the judge\u2019s decision. However, it is widely recommended to provide as much detail as possible to enhance the quality of your report. \n\nIn the context of gas optimization reports, while it is possible to submit these without specifying the amount of gas saved, including this detail could potentially augment your points. Therefore, it is beneficial to mention how much gas would be saved via the refactored code. If you have made multiple gas optimization efforts, these can be written separately but should be consolidated into a single report for submission.\n\nFindings that are relevant to both QA and gas savings can be included in either report category, as judges will decide where they best fit. However, if a low severity or non-critical issue is discovered that also reduces gas, it should be reported under the QA category with mention of the gas savings. 
If the issue pertains only to gas savings, it could be downgraded from QA to Gas. \n\nRegarding the Proof of Concept (PoC), if you're unable to provide it for a medium severity bug, the finding might be overlooked unless the bug is very apparent. Hence, it is advised to always write a PoC to ensure the importance of your finding is recognized.\n\nLastly, remember to update your original report with any additional findings instead of publishing multiple reports for a contest. Known issues should be excluded from gas reports. Ensure your reports conform to the standard formatting guides or templates, if available. If your PoC is too large to be embedded directly in the report, you may provide a link to it.", "Question: What is the process and expected timeframe to receive an email from Provenance during the Certified Warden verification process?\n\nAnswer: The process to receive an email from Provenance varies and there isn't a specified timeframe for delivery. Typically, after submitting a Certified Warden application or a Know Your Customer (KYC) request, Provenance may take from one business day to 2-3 weeks to respond. \nUpon approval of your application, you should expect to receive an email from Provenance. The emails are generally sent from the addresses kobus@provenance.company or compliance@provenance.company, so it's advised to check your spam folder to ensure you haven't missed it. \nOnce Provenance has approved your application, your certification status should be updated within 5 business days by the Code4rena team. If you don't receive a response or see an update to your status within these timeframes, you can open a help desk request at [Code4rena Help](https://code4rena.com/help). \nIt's important to note that some users have reported issues with receiving emails from Provenance. If you've received a confirmation email regarding your KYC, please be aware that you may have to wait for a certain period for the role to be reflected on your profile. 
After Provenance and KYC approval, there is a processing period during which your role will be processed by the Code4Arena team. \nLastly, please remember to always verify the validity of the emails you receive from Provenance, as they are related to your platform activities.", "Question: How can I change my profile picture or update other profile details on Code4Arena?\n\nAnswer: To change your profile picture, Twitter handle or username on Code4Arena, you need to submit a help desk request. You can do this by visiting https://code4rena.com/help and providing the necessary information such as a link to the new profile picture or the new Twitter handle. If you would like to change your profile icon on Code4Arena's leaderboard or request a logo change, this can also be done through the same help desk request. \n\nPlease note that profile editing is only available for Certified wardens, and change requests are typically addressed within a week. If you're having trouble with your request or need further assistance, you can use the #profile-help channel on our Discord server. \n\nRemember, changes to your email, Discord, GitHub username, or wallet address need to be made through the account settings and may require re-registration. For uploading an image when submitting a report, you can register a free account on https://cloudinary.com/, upload the image, and copy the image URL.", "Q: What does the \"C4 output\" signify for the contest? And how are issues of varying severities handled within the report?\n\nA: The \"C4 output\" is a comprehensive report generated after contests conducted by CodeArena. Generally available within an hour of contest opening, it includes information about all the submitted issues, inclusive of their severity classifications such as high, medium, low, non-critical, and gas-related. Participants can include both high and medium/low severity issues in a single report, but they must focus on high severity issues. 
\n\nHowever, it's important to understand that the final inclusion of all reports is at the discretion of C4 judges. In some cases, submissions that seem like copy-pastes or ones highlighting the same underlying risk may be considered out of scope or already known. \n\nMoreover, there are provisions for adjusting the severity classification of the submitted reports. If a report is incorrectly classified as medium, it can be upgraded to high by C4 judges. Similarly, if an issue is initially submitted as a low in a QA report but is later judged as medium, it will be eligible for medium rewards [as per the CodeArena awarding model](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nIt's also noteworthy that even if a high severity bug turns out to be only medium, the reward for a medium bug is not forfeited. The reward distribution in a scenario where no high or medium issues are found is based on Quality Assurance. \n\nParticipants must strive to submit high-quality reports. The results of the submitted bugs are revealed once the report is made public. In the interim, participants can refer to previous reports to understand what a high-quality submission resembles.", "Question: How can I add or update my Twitter handle to my CodeArena profile?\n\nAnswer: To add or update your Twitter handle on your CodeArena profile, you need to submit a help desk request. Here's how you can do it:\n\n1. Visit https://code4rena.com/help\n2. Provide your warden name and the Twitter URL you'd like to attach to your profile.\n3. Submit the request.\n\nOnce this is done, we will update your profile with your Twitter handle. Please note, you can also modify other account details like your username and avatar through a similar process. 
However, if you're considering changing your handle or registering another account with the same email/GitHub address, it's important to understand that leaderboard standings and submissions linked to the previous handle will not be transferred to the new account.\n\nIn addition to this, you can also link your handle to the Code4Arena leaderboard and to our repository at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles by making a pull request for your handle.\n\nIf you also want to change your registered wallet address or have any other queries, don't hesitate to reach out to us through the help desk.", "Question: Can I use a new wallet address in my reports and will the rewards for the report then be distributed to this new address? How can I improve the structuring and presentation of my reports?\n\nAnswer: Yes, you can use a new wallet address in your reports going forward and rewards for the report will be distributed to the new address. The report should ideally compile all QA findings into one combined report for ease of understanding and review. \n\nFor improving report structuring and presentation, consider using tools like Markdown or hackmd. Embedding code in your reports can enhance comprehension for technical audiences. Also, try to consolidate all detected vulnerabilities from your last 10/15 reports into a database for future audits as it can help identify recurring issues and patterns. \n\nAdditionally, you can consider categorizing your findings that fit into more than one category for better clarity. And if there are any gas optimization findings, it would be beneficial to provide snapshots showing how much gas would be saved via the refactored code. 
\n\nRemember, while the use of assembly to check for address(0) is an optimization that could save a few gas, as described [here](https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs), it's not necessarily interesting or valuable for sponsors. \n\nTo obtain transaction hashes, access the findings.csv file ([here](https://github.com/code-423n4/code423n4.com/tree/main/_data/findings)) which can be parsed to create a table with all wardens and their deduplicated findings. Also, feel free to utilize the opt-in ID and address verification process if needed.\n\nFinally, if the report is larger than the platform's limit, you could submit the report via email and then place a placeholder in the original submission. Have this method added to the official documentation for future reference. Note, however, that using storage instead of memory in the view function might be more suitable for a gas report than a QA report.", "Question: How can I understand the audit report better, specifically the part about converting it to a mapping of address/id to a struct, and how does this relate to the automated gas optimization labelled 'Use assembly to check for address(0)'?\n\nAnswer: One of the common challenges in understanding audit reports and concepts related to smart contracts is the interpretation of complex issues such as the conversion of data entities. In the case of an audit report, a mapping of address/id to a struct may not always be applicable. For example, you mentioned an instance where one was for Orders, and the other was for Wallets. These two cases represent different data models and may not be coherently consolidated into a single mapping.\n\nAs for the 'Use assembly to check for address(0)' optimization, this is a technique that can save a few gas but might not necessarily be interesting or valuable for sponsors. 
You can refer to the detailed description of this issue on this [GitHub page](https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs). This optimization is one of the efficiencies that automated audit tools might recommend. Still, its application should be considered within the context of the specific smart contract structure, purpose, and the acceptable trade-offs.\n\nUnderstanding these elements requires a comprehensive grasp of the codebase and the architecture of the smart contract. Moreover, it's crucial to be aware that smart contract auditing can be a non-image task, which means it relies on reading and interpreting lines of code rather than visual recognitions and transformations.\n\nTo get a better idea of the structure of other audit reports and findings, you may want to refer to the [findings.csv](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434) file on GitHub, which can be parsed to create a table with all wardens and their deduplicated findings. Note that a thorough understanding of smart contract auditing and its related reports also requires knowledge about gas optimizations, storage and memory in view functions, and more. Other resources such as the [CodeArena report](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations) could also be useful to understand more about gas optimizations in smart contracts.", "Question: When can I expect to receive a confirmation from Provenance after sending a KYC request? \n\nAnswer: After sending a Know Your Customer (KYC) request to Provenance, it may take some time to receive a confirmation. The initial email from Provenance doesn't have a specified delivery timeframe, however, once you start working with Provenance, the process usually takes around 1-2 business days. On average, it might take 2-3 weeks to receive the KYC email after submitting an application to become a certified warden. 
Please note, it is not uncommon for emails from Provenance to end up in your spam folder, so it's worth checking there. The KYC email is typically sent from compliance@provenance.company. If you've not received an email after this time period, you can submit a help desk request to track the status of your KYC confirmation [here](https://code4rena.com/help). Once Provenance has KYC'ed you, they will communicate this to Code4rena and your role will be processed. Please be aware that Provenance, as a KYC provider, may require more detailed documentation than what is outlined in Code4rena's guidelines.", "Q: How does the 'C4 output' work in the CodeArena contests? Does it include all types of issues, and how are these classified and rewarded? What happens if an issue I report is judged differently, or if no high or medium issues are found?\n\nA: The 'C4 output' is published within an hour of a contest opening and includes all issues reported, including high, medium, low, non-critical, and gas-related issues. However, the final inclusion of issues is at the discretion of the judges. Reports that look like copy-pastes or use the same underlying risk may be deemed out of scope or already known and excluded.\n\nThe classification of issues is based on their severity. High, medium, low, and non-critical issues are classified based on the severity of loss they can cause. For example, if they pose a risk of losing all rewards, they're classified as high or medium. If they risk causing only a negligible amount of loss, they're classified as non-critical or quality assurance (QA) findings. Gas-related issues refer to inefficiencies in the code that lead to unnecessary use of gas, or computational power, on the blockchain. \n\nIf you report an issue and it's judged differently - for instance, you report it as a low severity issue in a QA report, but the judges determine it's medium severity - it will be eligible for medium rewards. 
You can find more information on this process [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nSimilarly, if you submit a report as medium severity and it's judged as high, unless there's a reason to penalize it (such as it being incomplete, lacking detail, or not as accurate), it gets raised to high severity and rewarded accordingly. If you incorrectly categorize the severity of a report, the C4 judges can also update it.\n\nIf no high or medium issues are found in a contest, the rewards are divided based on Quality Assurance. The distribution of rewards in different scenarios can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards). \n\nNote that while all types of accepted reports can be eligible for payouts, this assumes the report is of high quality, the findings are accurate, and there is a working proof of concept. Rewards for different types of findings can be calculated using the formula provided [here](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs).", "Question: How is the context determined for findings in a CodeArena Report?\n\nAnswer: The context in a CodeArena report involves several factors. Judges determine which reports get featured in the client report based on set guidelines. These guidelines help in grouping different reasons why a function might not work, and the format of the report can influence its evaluation. \n\nIn terms of report creation, users can share their reasons directly in the report itself, with the option to include screenshots, embedded code or even images for clearer understanding. 
But without backstage access, there is no way of providing additional context on reported issues.\n\nWhen a Quality Assurance report is submitted for the first time, you can confirm its successful submission by checking your email for confirmation or through the \"View Context\" function. If there is an error, the user may wish to consult the findings report repositories to understand why certain findings were not accepted. \n\nReports are graded based on a relative score compared to other reports and the unique findings they contain. The issues in the published reports might be the same as those reported initially, but this point is not entirely clear. Only one low-severity report among all submitted is chosen to be included in the final report. \n\nA report should ideally contain the issue, description, proof of concept (if necessary), and mitigation (if necessary) in a semi-professional format. If mitigation steps cannot be feasibly included, an explanation should be provided. \n\nIn CodeArena, wardens who report a certain finding first, as well as those who also found the same finding, are recognized in reports such as the Olympus report. However, the user is allowed to categorize findings that could fit into two categories in an analysis report. Incorrect findings in a QA report can affect the QA grade. \n\nIn cases where users are unsure whether to submit a finding due to lack of specification in documents, the advice is to submit these findings or directly message the sponsor team for additional context.\n\nFor more information, please visit [relevant link].", "Question: Can I directly message CodeArena staff or other participants in the Discord chatroom, and what are the guidelines for this?\n\nAnswer: Yes, direct messaging (DM) is actively encouraged within the CodeArena community. Participants can send direct messages for a variety of reasons. 
This could be to ask specific questions, discuss potential vulnerabilities or issues with the project or contest, seek guidance on more sensitive aspects of the system, or even request updates to their profile or withdrawal of a submission. Here are some important guidelines to keep in mind:\n\n1. You can direct message CodeArena staff members or specific identified individuals for general queries or to update your submissions.\n\n2. Direct messaging with sponsor team members is also allowed. Each contest has a designated channel for general questions, and sponsor team members are available for direct messages.\n\n3. To discuss potential submissions or issues with the project's dev team during a contest, you can either utilize the contest channel or engage through private messaging.\n\n4. If you discover a potential vulnerability, you're allowed to directly message the project team.\n\n5. For assistance with account issues, users have been asked to use direct messaging.\n\n6. If you would like to withdraw a submission, you can do so by directly messaging an administrator or a moderator.\n\n7. For profile related queries or to make a request such as linking your Twitter handle to your CodeArena profile, you should direct your messages to the #profile-help channel or send a helpdesk request.\n\n8. If it's related to a specific protocol, you may direct message the identified contact. For example, for any questions around the Vader protocol, DMs can be sent to @strictly-scarce.\n\nPlease note that while direct messaging is encouraged, you need to maintain the decorum of the CodeArena community. Any reports of scams or inappropriate behavior in direct messages will be taken seriously.", "Question: Can I directly message (DM) the CodeArena team or other users for assistance or to discuss potential issues?\n\nAnswer: Absolutely. Direct messaging is encouraged within the CodeArena environment. 
You can DM CodeArena staff members, users, or even sponsor team members during contests for specific questions, assistance with account issues, or to discuss potential vulnerabilities. Each contest also has a designated channel where you can ask general questions, and the sponsor's team members are available for direct messaging. If you identify a potential vulnerability and have it confirmed by the sponsor via private DMs, this may still count when submitting it, depending on their judgement. \n\nUsers can also DM certain identified individuals to update their submissions or directly message an administrator to withdraw a submission. For more complex issues, like changing wallet addresses, we request you to DM only if the change is extremely important (like if your old wallet was hacked). \n\nFor collaboration and investment issues, you can consult with project team members who are listed in a specific discord channel. Should you need to change account details (like a Twitter username) or request to be added to specific rooms, you can submit a help desk request. However, please be aware that there have been reports of scams in direct messages, so always double-check the identity of the person you are messaging. \n\nRemember, the goal is to promote a collaborative and interactive community, and we're here to help facilitate that.", "Question: How do I find and participate in contests related to specific protocols such as the Quests Protocol on CodeArena's Discord server?\n\nAnswer: CodeArena's Discord server hosts specific channels for each contest, including ones related to different protocols such as the Quests Protocol. Each contest has its own dedicated channel, where you can ask general questions and participate in code walkthroughs. 
Contest details are typically provided on the contest page (example: https://code4rena.com/contests/2021-11-streaming-protocol-contest).\n\nTo find out about upcoming contests, including the Quests Protocol ones, you can check the #\u270brsvp channel on Discord. Information about both public and private contests is posted in this channel. If a contest is public, it will be visible in the public RSVP channel. Private contests, on the other hand, have their RSVPs available in a channel only visible to certified wardens.\n\nSometimes, specific questions can be asked directly to the sponsor team members via Direct Messaging (DM) or in the open discussion. During a contest, you are allowed to discuss potential submissions with the project's dev team. \n\nNew contests are announced on the RSVP channel and the results are posted in the contest channel once judging is complete. Additionally, contest-related videos are often uploaded on Code4Arena's YouTube channel for further insights and guidance.\n\nLastly, please note that some contests are only open to those who participated in the original audit and qualification details for these are described in the #\ud83d\udd96rsvp-certified channel.", "Question: How long does it typically take to receive confirmation for my KYC request to Provenance and what should I expect during this process?\n\nAnswer: After you submit your Know Your Customer (KYC) request to Provenance, you can typically expect to receive an email confirmation within one business day. However, the overall KYC process, which includes back and forth communication with Provenance, may take longer, possibly up to a week or more. Please note that this is a general timeframe and might vary depending on individual circumstances. 
Additionally, the confirmation email is sent from \"compliance@provenance.company\" or \"kobus@provenance.company\", so it's suggested to check your email inbox as well as your spam folder.\n\nOnce Provenance approves your application and communicates the successful KYC completion to Code4rena, our team will process your role. The certification status update from Provenance is generally processed by the C4 team within 5 business days. If you do not receive a response after a few days, you can open a help desk request at [https://code4rena.com/help](https://code4rena.com/help) to track the status of your KYC confirmation. Following confirmation, you can participate in a private audit. Please note that Provenance, our KYC provider, may have more detailed requirements for documentation than what is outlined in C4's guidelines.\n\nRemember that the completion of your certification process and participation in several contests does not automatically grant you Certification+. For additional queries on your certification status or other related issues, please raise a ticket at our help desk.", "Question: \nI participated in the OpenSea contest on CodeArena, what steps should I follow to receive my rewards?\n\nAnswer: \nYes, you can definitely receive your awards. Please note that you are required to initiate the process within 48 hours of contest close. For the OpenSea contest, due to its unique structure of scaling up the reward pool and higher amount prizes, we have implemented additional steps to ensure compliance with Anti-money laundering laws. This includes going through the ID verification process. \n\nTo start, you need to complete the form at [https://code4rena.com/certified-contributor-application](https://code4rena.com/certified-contributor-application). Your ID verification will be handled by Provenance on behalf of CodeArena. 
Please be aware that due to the public nature of the OpenSea contest and its high prize pot, the certification process was mandatory for all wardens and team members involved. \n\nOnce you've completed these steps, we will be able to distribute your award. If you are unsure about your certification status, you can check it on CodeArena's platform. We appreciate your participation and encourage you to stay tuned for future high prize contests like the OpenSea contest. \n\nWe also want to point out that the OpenSea contest was an exception in our protocol, as it required KYC, which is not usually necessary for other contests. We expect our warden registration page and qualifications section to go back to normal once the OpenSea contest ends. \n\nThank you for your understanding and cooperation. If you have any more queries, feel free to reach out.", "Question: How does the certification process work in CodeArena and when can I expect to be assigned the \"certified\" role after I am approved?\n\nAnswer: After your application for certification is approved by ProvenanceDAO, it generally takes about 2 to 5 business days for the \"certified\" role to reflect on your profile. You will receive an update on the status of your certification process via email. Once certified, you will have access to more contests including certified contests, and you can even edit your profile. \n\nTo check if you are certified, you can click on your name to see your assigned roles. You can also refer to the email communication you receive from us after your certification is finalized. \n\nIf you have completed the certification process with ProvenanceDAO and participated in more than 3 contests, you can apply for the upgraded Certified+ status. To apply, you can follow the application guidelines available at [this link](https://docs.code4rena.com/roles/certified-contributors). \n\nThe severity requirement is now applicable for the Certified+ status. 
Being a certified user is a prerequisite to get backstage access, which requires meeting certain qualifications and creating a help desk request to have your status evaluated. \n\nYou can also begin the certification process by reading the document at [this link](https://docs.code4rena.com/roles/certified-contributors). If you receive a confirmation email from Provenance regarding your KYC, there might be a waiting period for the role to reflect on your profile. If you have changed your username, you can reapply for certified status. \n\nPlease note that some users might experience a delay in being marked as certified, even after approval. We are working on formalizing this process to offer a better user experience. If you have any queries regarding this, you can reach out to us through the help desk form.", "Question: If an automated finding categorizes an issue as low severity, but a participant escalates it to medium or high, how does this impact the eligibility of the issue and what is the impact on rewards?\n\nAnswer: If an automated finding ranks an issue as low severity but a participant escalates it to a medium or high severity, the issue isn't automatically ineligible. However, participants must provide strong evidence to demonstrate a relevant medium or high severity exploit path for their submissions to be considered satisfactory. This process is outlined in our submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nIf a participant categorizes an issue as low in their QA report but the judges determine it to be of medium severity, the issue will be eligible for medium rewards as outlined [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). 
\n\nMoreover, if a participant submits an issue as high severity but it is downgraded to medium by a judge, the issue isn't invalidated but is considered a medium severity issue. The participant would receive a reward for a medium severity issue as clarified [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions).\n\nIf no medium or high vulnerabilities are found, the full award pool would be divided based on the QA Report curve. Please note that while it's possible to submit a medium or high severity report without recommended mitigation steps, an explanation as to why it cannot be feasibly mitigated should be included.\n\nLastly, it's important to remember that a query regarding a vulnerability finding requires a clear explanation of the exploit path to be eligible for medium or high categorization; without this, such a finding may be downgraded to QA.\n", "Question: What is the process for submitting gas optimization findings in Code4rena audits, what are potential earnings, and how are these earnings calculated?\n\nAnswer: By identifying gas optimizations during Code4rena's smart contract audits, users can earn rewards. However, the earnings depend on the user's proficiency and the importance of the gas savings to the specific project. \n\nTo report gas optimizations, you should provide clear details including the amount of gas saved for each finding. This information can be submitted in a contest, with each gas optimization report usually receiving around 5% of the prize pool. However, the exact percentage may increase or decrease depending on the project's specific needs. 
All findings related to gas optimization should be grouped into a single report, and it's recommended to include gas savings from refactored code.\n\nFor cases where multiple people, including team members, identify a gas optimization, the reward is split using a formula outlined in the Code4rena documentation [here](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). All valid findings are weighted the same, and the gas optimization pool is shared among the reporters based on the score of each gas report. The method for award calculation is also explained in detail [here](https://docs.code4rena.com/#incentive-model-and-awards).\n\nInformation about the average payout for gas optimizations, non-critical findings, and low-risk findings can be found in the findings.csv file on the C4's website repository. An example spreadsheet for reference is provided [here](https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0).\n\nRemember, only one report of gas optimization can be submitted per contest, but you can add more findings to the report by going to the contest page and clicking the 'Your Findings' button. The judgment criteria for gas optimizations relies on the judge's decision, but generally speaking, it's worth showing significant improvements in important functions.", "Q: As a warden, how can I find out how my findings were judged, calculate points and rewards, and understand the implications of duplicate findings?\n\nA: To find out how your findings were judged, you can check the data folder in the findings repo and look for json files named as [warden-handle]-[issue number]. The findings are sealed to other wardens but are visible to C4 staff, sponsors, and the judging team for assessment. Certified+ wardens can view these findings immediately after a contest ends. The findings reports become public when the final contest report is published. 
\n\nIn terms of calculating points and rewards, there's no specific open-source tool mentioned. However, you can understand the reward distribution by referring to the incentive model and awards section of the Code4rena documentation. The distribution of rewards takes into account multiple wardens finding the same issue, with the best report typically receiving more money, and duplicates below a certain threshold possibly not receiving any money. \n\nWhen it comes to duplicate findings, it's important to note that the order in which they are reported does not impact the amount of reward. The more the number of wardens finding the same issue, the less money each warden receives for the issue. The level of detail in the submission can also influence the award amount. \n\nFor more clarity on how an issue's severity is determined or if you want to check the rewarding formula for findings of different severity, refer to the judging criteria and the awarding policies. If you are unsure about the severity of an issue you reported, you should review these criteria and make a case for the chosen severity using evidence.\n\nFinally, for detailed information regarding the rewards for each warden for each bug per contest, you can check out this comprehensive list at: https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv \n\nJudging criteria: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk \n\nAwarding policies: https://docs.code4rena.com/awarding/incentive-model-and-awards \n\nFindings Repo: https://github.com/Picodes/4naly3er \n\nGuidelines for submission: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues\n\nIncentive Model and Awards: https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit", "Q: What are Scout awards and how does the Scout role function in CodeArena contests? 
\n\nA: Scout awards are a part of CodeArena's contest reward structure, and are specifically given to those who serve in the \"Scout\" role. A Scout is a certified contributor who reviews a code repository ahead of the contest launch to ensure everything is in order, that the provided files by the sponsor are correct, and that there are no security vulnerabilities in the test files. \n\nScout awards amount to $500 USDC in the reward pool, which also includes other categories such as Lookout, Judge, and various report awards. Scouts play a key role in preparing for a contest and their contribution is valued. The awards are typically sent out 1-2 weeks after they have been announced. \n\nThe process after a contest includes Sponsor Review, Judging, Awarding, and then Reporting. The leaderboard is updated when the awards are announced, and participants can find the awards list in the announcements channel.\n\nIt is important to note that Scouts, similar to Lookouts and Judges, are chosen for their experience and reputation. They provide valuable services for CodeArena and the smart contract auditing process.\n\nFor further information on this role and reward, please refer to our documentation [here](https://docs.code4rena.com/roles/certified-contributors).", "Question: What are the most common types of vulnerabilities in smart contract architectures, and how can they be mitigated?\n\nAnswer: The vulnerabilities in smart contract architectures can vary widely, but some common types include upgradeable contract findings, centralization risks, and scenarios where a user can push to the array arbitrarily causing a Denial of Service (DOS) to break system functionality. \n\nUpgradeable contract findings often involve medium-risk vulnerabilities that could potentially affect the system's functionality if not addressed. 
These findings are typically addressed by making necessary changes to the protocol, even if those changes are difficult and may require significant changes.\n\nCentralization risks are a valid concern when the centralization does not match the protocol's claims/guarantees in their documentation, poses a threat to all types of users of the protocol and the protocol itself, or if it is not listed as an issue. In such cases, the centralization risk must be addressed to ensure the security and integrity of the protocol.\n\nIn scenarios where a user can push to the array arbitrarily and cause a DOS for everyone else, the severity of the issue can range from medium to high. This kind of vulnerability can break the system's functionality and should be addressed promptly. If it affects an end-user in a rare situation, it's a medium severity issue but if it locks all the protocol assets it's a high severity issue. \n\nWhen a vulnerability is found, it's crucial to report it, even if the fix is complex or requires major changes. It's also worth noting that if a line of code has multiple ways of exploitation, all of the bugs should be reported, but priority should be given to the one that has the biggest impact. \n\nIt's also important to remember that smart contract auditing is not a one-size-fits-all solution. Every contract and protocol has unique architectures and vulnerabilities, so auditors need to have a deep understanding of solidity and the project's code to find and address vulnerabilities effectively. Even when automated tools report vulnerabilities, human auditors are still needed to interpret the results, provide context, and suggest fixes.\n\nLastly, although not directly related to vulnerabilities, but worth noting, is the need for robust documentation and clear communication. Findings should be clearly categorized and explained, ideally by providing a URL to the repository with a line inner in the text, or by providing a solidity code block. 
This can help in understanding the vulnerabilities better and in developing effective solutions.", "Q: I have submitted a QA issue for a contest but came across an additional error. Can I edit my existing QA submission or do I need to submit a new one?\n\nA: Yes, you can edit your existing QA submission if you have found an additional error. Each participant is allowed to submit one QA issue per contest. However, you have the ability to edit this submission as many times as needed until the audit deadline. \n\nTo edit your submission, navigate to the contest page and select the \"Findings\" tab. Here, you'll see the option to edit your QA issue submissions. You may also find the \"My findings\" option which will allow you to view and edit your submissions. \n\nIf you've submitted a bug with an incorrect proposed solution, you can update the submission provided the contest hasn't ended. In circumstances where the severity of a submitted bug needs to be increased, you can submit a help request to remove the original submission and then submit again via code4rena.com/help.\n\nIf you're unable to submit via the regular method due to the character count, you can submit your QA reports via help tickets. If your QA/Gas report is extensive and doesn't fit in a single submit request, it can be split into separate sends.\n\nPlease note that if you wish to withdraw your findings and create a new submission, you can cancel the existing one under the \"your findings\" on the contest page. \n\nIn case you encounter an error while submitting your QA report, you can verify if it has been successfully submitted by checking your email for confirmation or viewing the findings through the \"View Context\" function. \n\nRemember, all submissions, edits, and withdrawals must be made before the contest deadline. If you miss the deadline, you will be unable to submit or edit your QA reports. 
\n\nFor more details, please visit code4rena.com/help.", "Question: Can a bug discovery that is of medium severity and also impacts gas consumption be submitted in both medium and gas findings categories?\n\nAnswer: Yes, participants can submit a bug discovery in both medium and gas findings categories if the bug is of medium severity and affects gas consumption. However, it's important to note the distinction between categories: QA findings and gas findings should be submitted separately. If you have a low issue/non-critical finding that also reduces gas consumption, it should be included in the QA category with mention of the gas savings, unless it solely pertains to gas savings, in which case it may be downgraded from QA to Gas. If a finding is initially submitted as a low in the QA report, but the judges deem it a medium, it will be recognized for medium rewards according to the company's guidelines on the matter [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum]. Please note that each issue, be it of high, medium, or low severity, should be submitted as separate reports. If you discover a gas optimisation that can be applied in more than one line of code, it should be submitted as one finding and all relevant lines should be mentioned. If you come across issues submitting, such as if your gas report is larger than ~65k characters, please email your findings to submissions@code423n4.com due to Github's max character limit for issue descriptions. Always refer to the submission policy for more detailed instructions [https://docs.code4rena.com/roles/wardens/submission-policy].", "Question: \n\"What impacts gas optimization in the ordering of checks from storage and calldata in a function and how can it be optimized?\"\n\nAnswer:\nThe order of checks from storage and calldata in a function can indeed influence gas usage. 
However, optimizing gas usage depends on various factors including how these features are utilized within the function. \n\nFor instance, using calldata for read-only arrays can be cheaper because they don't need to be iterated and copied into memory. Calldata arguments can be used for external/public functions and can also send calldata data pointers to internal and private functions. So, placing calldata checks before storage checks could potentially optimize gas usage if the calldata check fails, as the function wouldn't proceed to the potentially more expensive storage check.\n\nOn the other hand, caching a storage pointer can also be cheaper as it avoids re-computing the position. So if a function frequently accesses the same storage location, storing the location in a local variable and reusing it might save some gas.\n\nAdditionally, packing state variables into fewer slots can reduce gas costs. Solidity stores state variables in 32 bytes storage slots. Multiple variables can potentially be packed into a single slot if they are declared next to each other, thus reducing gas costs. More information about this can be found in the Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).\n\nIt's also important to note that function inlining can be used to save gas in smart contracts. Function inlining involves placing the body of a function in the place where the function is called, instead of jumping to the function, executing it, and then jumping back. However, this only provides a gas saving if the function is only called once. \n\nLastly, there was an interesting suggestion to use the 'unchecked' command in loops as a way to further optimize for gas. This command is used to disable overflow/underflow checks in Solidity, which might lead to some gas savings. 
\n\nHowever, as always, it's important to thoroughly test any changes to ensure they don't introduce bugs or security vulnerabilities.", "Question: \nWhat is \"The C4audit output\" and how does it function in the audit process offered by CodeArena?\n\nAnswer:\nThe \"C4audit output\" refers to an automated tool used by CodeArena to generate findings for each audit contest. The tool currently being used is known as \"Analyzer\" and it can be found at https://github.com/Picodes/4naly3er. \n\nThis tool plays a crucial role in identifying \"Publicly Known Issues\" during the audit process. It's worth noting that automated findings, as per CodeArena's policy, are ineligible for rewards - more details on this can be found at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible. \n\nThe output from this tool is typically available within an hour of contest opening and includes issues reported. However, at the Judge's discretion, any reports that appear as copy-pastes or seem to carry the same underlying risk may be deemed out of scope or already known. For each contest, a warden runs the C4audit tool and posts the output in the contest channel. If an issue is mentioned in the channel, it's considered a known issue and thus, falls outside the contest scope.\n\nIt should be noted that users have sought explanations or references regarding specific findings from the automated c4udit tool, such as the first automated gas optimization detected, labelled 'Use assembly to check for address(0)'. There has also been curiosity about the use of other static analyzers for QA and gas optimization. CodeArena is consistently working on improving their tools and procedures to address these needs and speed up the audit process.", "Question: How does the grading and award system work for grade-B QA reports at CodeArena?\n\nAnswer: At CodeArena, QA reports are graded based on quality, the number of low findings, and gas savings. 
Grade-B QA reports are eligible for awards. If a submission is downgraded from medium to QA, it will still be rewarded unless it's downgraded to grade-C. All A graded QA reports receive the same award, regardless of the number of Low findings.\n\nThe grading and sharing system for QA/GAS reports is as follows: Grade A reports count as 2 shares, Grade B as 1, and the best report receives a 30% bonus. If no high/medium (H/M) issues are found in a contest, the entire rewards may move down to QA. If a finding is submitted as a low in QA report, but the judges determine that it's a medium, it will be eligible for medium rewards.\n\nJudges consider both the quantity and quality of submissions when grading QA reports. A single item in a QA submission is unlikely to receive a high grade, and incorrect findings in a QA report can affect the grade. It is also possible for a submission to receive a 0 grade if a judge decides it merits that grade.\n\nIt's important to note that the number of issues reported in a Gas and QA report doesn't necessarily determine the grade; it could have one good issue to be a grade B, or it could have multiple low-impact issues and still be a grade C. Judges have the ability to downgrade medium issues to QA and consider them alongside your QA report when grading. 
They also have the ability to upgrade items from your QA report if they feel severity should be higher.\n\nFor further details on the grading and awarding system, as well as the judging criteria, please refer to the following links: \n- [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards)\n- [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) \n- [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports) \n- [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).", "Q: I've submitted my findings for an audit but I can't see them on the Findings tab to edit them. How can I edit my submissions?\n\nA: If you've submitted your findings but can't see them in the \"Findings\" tab, it's possible that there might be a delay in the update or a potential issue with the platform. Submissions are usually confirmed via email, so please look out for a confirmation email. To edit your submitted findings, you need to navigate to the contest page, where you'll find a \"Your Findings\" button. Clicking on this button will allow you to view and edit your submissions. For example, if you participated in the Ethos Reserve contest, you'd navigate to: https://code4rena.com/contests/2023-02-ethos-reserve-contest. If you're still having trouble, try refreshing the page or switching browsers. 
For further assistance, feel free to reach out to our team through the chatroom or the provided support channels.", "Question:\nWhat happens to the severity categorization of an issue in my Quality Assurance (QA) report once it is reviewed by a judge, and does this impact the rewards I receive from Code4Rena?\n\nAnswer:\nWhen you submit an issue in your QA report, judges have the discretion to either elevate or downgrade its severity. This is largely dependent on the detailed description of your issue: a well-described issue may be upgraded from QA to Medium (M) or High (H) severity. Conversely, if an issue is overestimated in severity, it may be downgraded, but you will still receive a reward for the found issue unless it's invalidated for overinflating the severity. The same applies if you categorized an issue as high severity and it's downgraded to medium: you'll still receive a reward corresponding to a medium bug. \n\nIn addition, if no H/M severity issues are found in a contest, all rewards may be moved down to the QA category. Also, if a finding is initially rated as low in your QA report but the judges determine it to be of medium severity, it can be upgraded and you'll be eligible for medium rewards. You can find more information about this in the Code4Rena Help Page: [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum)\n\nFor an issue that is considered high severity in a contest's bot report but you escalate it to be of high severity, it's not automatically deemed invalid. However, you must provide strong evidence to demonstrate a relevant high or medium severity exploit path for it to be considered satisfactory. 
More information regarding this policy can be found here: [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues)\n\nPlease note that judges consider both the quantity and quality of submissions when grading QA reports, and a single item in a QA submission is unlikely to receive a high grade. Be sure to check [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports) for more information. \n\nIn conclusion, the decision on how to reward severity escalations in a contest report is up to the judge. It's advisable to describe your findings as accurately as possible and provide strong evidence where necessary.", "Question: How can I incorporate images or screenshots into my vulnerability report?\n\nAnswer: To include images or screenshots in your report, you can follow these steps.\n\n1. You can register a free account on [Cloudinary](https://cloudinary.com/) and upload your image there. After uploading, copy the image URL. \n\n2. You can also upload the image to your Github Gist, submit the report with the Gist link, and later delete the Gist if you wish.\n\n3. Once you have the image URL, you can create an image link in your report using the Markdown compatible format: `![image title](image URL)`. \n\n4. You can test your link to ensure the image displays correctly. \n\nRemember, your report is compiled in Markdown format, so the image will be integrated into your report if accepted. 
You can find more information on adding images to Markdown in the official [Markdown Guide](https://www.markdownguide.org/basic-syntax/#images-1) or the [Github Document](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images) on basic writing and formatting syntax.\n\nIt's worth noting that attaching images or screenshots can be particularly useful in explaining a proof of concept (PoC) for the vulnerabilities you've detected. Also, if your report exceeds the character limit on the submission form, you might consider submitting a placeholder and then emailing the entire report. You can find the details at the [Code4Rena FAQ](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form).\n\nAfter submitting your report, you should receive an email confirmation. If you encounter any errors or issues during the submission process, you can submit a help desk request, or check the \"View Context\" function to see if the report has been successfully submitted. Please remember, you also have the ability to update your submissions if necessary.", "Question: What should I expect after submitting my first finding and how can I manage my submission?\n\nAnswer: Once you've submitted a finding, you should expect a confirmation via email. This email serves as the sole confirmation for your submission. After submitting the finding, you can manage it by navigating to the contest page and clicking on the 'Your Findings' button. Here, you can edit your findings, add more findings to your report, or even withdraw them if you wish to cancel a submission and create a new one. \n\nPlease note, the submission process follows a documented process available at https://docs.code4rena.com/roles/wardens/sub. 
\n\nYou can also check the success of your report submission by looking out for the email confirmation and the ability to edit submitted findings. Examples of past submissions can be found at https://code423n4.com/reports.\n\nIf you've submitted a finding and haven't received a confirmation email after some time, don't panic. There can be a delay in the confirmation email. If the submission fails, the form should return an error. \n\nFor those curious about the visibility of their findings, findings submitted before the deadline aren't publicly available. You can check your submission in the 'Your Findings' tab without modifying it. Please wait until the report is published to review the categorization of your findings. If there are any concerns about your finding being categorized incorrectly, such as a high finding related to buying NFTs with zero amount being categorized as medium, these can usually be addressed after the reports are published.\n\nIf you receive two identical confirmation emails after submitting a finding, it doesn't require any specific action from your side. \n\nRemember, we're always here to help if you encounter any issues related to the submission or loading of your findings.\n", "Question: How are points, rewards, and duplicate findings handled in CodeArena's reward distribution system, and are there any open-source tools that I can utilize for this purpose?\n\nAnswer: CodeArena uses a complex incentive model to distribute points, rewards, and handle duplicate findings. If you are interested in analyzing this data, you can parse the findings.csv file, which contains detailed information about all wardens and their deduplicated findings. You can access this file [here](https://github.com/code-423n4/code423n4.com/tree/main/_data/findings).\n\nIn this system, the severity, validity, and quality of a finding are determined by experienced judges who also receive a share of the prize pool as rewards. 
Duplicate submissions or submissions that look like copy-pastes or use the same underlying risk may be deemed out of scope/already known. Value of a finding might be reduced if more of the same finding are submitted during the open submission period. However, if multiple auditors report the same bug, they all get a portion of the reward, with the best report typically receiving more. Duplicates below a certain threshold might not receive any reward.\n\nYou can calculate the reward split for a case where multiple people, including members of the same team, identify a gas optimization using a formula present at [Code4rena's incentive model and awards page](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). The level of detail in the submission, including the inclusion of a Proof of Concept (PoC), and the way the issue is covered in as many aspects as possible can influence the award amount. \n\nFor automated findings, CodeArena uses a tool called \"C4audit\" which can be found [here](https://github.com/Picodes/4naly3er). Automated findings are ineligible for rewards, as detailed [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible). \n\nAll these findings are kept confidential until the contest is over and the judging process has been completed. You can read more about the incentive model, awards, and how duplicates get partial credit on the [Code4rena documentation](https://docs.code4rena.com/awarding/incentive-model-and-awards). \n\nFor further details on contest-related data, you can use the tool found [here](https://github.com/sseefried/c4-stats).", "Question: Is KYC/certification required to receive rewards or participate in audits, especially private ones, at CodeArena?\n\nAnswer: The need for KYC (Know Your Customer) verification or certification largely depends on the nature of the audit or contest you're participating in at CodeArena. 
For most contests or audits, being KYC'd or certified is not a requirement to participate or to receive rewards. However, certain activities like private audits do necessitate complying with these requirements. \n\nIf you wish to participate in a private audit or an audit that specifies KYC certification, then you must complete the KYC process and receive certification. All members of a team are required to be KYC'd in order for the team to receive payment after participating in certain audits. You can apply for KYC certification and gain more insights regarding the certification process and constraints at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nAdditionally, to receive payment for certain audits like the upcoming arbitrum audit, or to participate in invitational or private audits, you must become a Certified Contributor by successfully completing KYC. Certified Contributors, who have done KYC, are eligible to participate in private contests and for backstage access, which permits access to the contest repo post closure and pre-public report release given certain minimum submission requirements have been met. \n\nDo note that if a team wins an audit but cannot claim the prize due to KYC issues, there may be concerns regarding whether the reward will be put on hold or lost. Lastly, participants must complete certification within 30 days of the end of the audit in order to receive their payout.\n\nIn summary, while certification and KYC are not universal requirements, they are crucial for certain audits and are required for receiving payments in those instances.", "Q: How is the reward distributed if the same issue is found and reported by multiple participants in a CodeArena contest? \n\nA: At CodeArena, if the same issue is discovered and reported by multiple participants, the reward is divided among them, irrespective of who found it first. 
The reward distribution follows a specific grading system: Grade A reports count as 2 shares, Grade B as 1, and the best report receives a 30% bonus. Although, it is pertinent to note that duplicate issues below a certain threshold might not receive any rewards. The reward is also not guaranteed for all reports or findings, as they need to meet quality standards to be considered valid and satisfactory. \n\nIf a team submits a non-duplicate finding, they receive more rewards than if they had individually submitted the same finding. However, if a team of two submits the same finding, one payment is issued and the team will decide how to distribute the reward among its members. In the case of duplicate findings, the reward value for each participant decreases. \n\nMore detailed information on the incentive model, including calculations for high and medium risk bugs, duplicates getting partial credit, and how findings count value changes in the case of partial credit, can be found at [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards). \n\nReward distribution also depends on the severity of the reported issue. If multiple participants report the same vulnerability but with different severities, they are all given the same severity level for the award calculation.\n\nThe overall process seeks to incentivize fair competition and thorough audits. It's important for participants to provide detailed reports, including a Proof of Concept (PoC) when possible, as this can influence the award amount.", "Question: Can I make multiple submissions of the same issue if I wish to update my bug report, revise the severity, propose a different solution, or add more detail to my previous findings?\n\nAnswer: Yes, if you feel your earlier bug submission wasn't detailed enough, you can withdraw your old issue and make a new submission. 
It's important to note that in the case of incorrect proposed solutions, bug severity changes, or additional details discovered during a contest, you can submit a help request to remove your original submission and then submit again via [code4rena.com/help](https://code4rena.com/help). This includes the need to increase the severity of a bug report. \n\nRemember, you can edit your own submissions for open contests on the site. If you plan to submit multiple findings, it is recommended to make separate submissions based on the type and severity of the bugs found. A single report of all occurrences of the same issue is also acceptable.\n\nFor further details about submissions, please refer to the submission policy at [https://docs.code4rena.com/roles/wardens/submission-policy](https://docs.code4rena.com/roles/wardens/submission-policy). This policy also provides guidance in case two participants submit the same bug at the end of the contest.\n\nIn addition, please ensure your submissions follow quality criteria which include correct identification of the highest severity impact of the bug, making the case for the severity and validity chosen with evidence, clear and understandable writing.\n\nPlease note that while participants can only submit one QA issue, they can edit the existing submission if another error is found. The platform also allows you to update the severity of reported bugs after the closing time of a contest either through a PR or by contacting one of the judges. \n\nFor reference, you can check past submissions at [https://code423n4.com/reports](https://code423n4.com/reports) to see what a high-quality submission looks like.\n\nFinally, if you have questions about the impact of automated findings on your submission, or if you want to cite similar findings from other contests to justify the severity and validity of your submissions, please don't hesitate to reach out to us for guidance. 
We're here to help ensure that your submissions are as accurate and comprehensive as possible.", "Question: How do I fill out the Proof of Concept section when submitting a finding on CodeArena?\n\nAnswer: In the Proof of Concept section, your aim is to illustrate the bug and its impact clearly. You can do this by providing direct links to all referenced code in GitHub. This can be done by either referencing the code in your reports or linking to a private repository on GitHub, depending on the length of your code. More information can be found [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nAdditionally, you can include the Proof of Concept in a gist file for easy referencing. To illustrate your finding more effectively, you can add screenshots, logs, or any other relevant proof. If your Proof of Concept is too large to be embedded directly in the issue, you can provide a link to it, and it is also acceptable to use external platforms such as gist for very long proofs of concept. \n\nIf you've written a Proof of Concept script for a vulnerability, feel free to include it wherever relevant in your submission. It's important that your report contains the issue, description, Proof of Concept, and mitigation (where necessary). You can also attach screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected code. \n\nIt's recommended to include a proof of concept and a case for how an item can be exploited to avoid being marked as invalid when submitting an issue for any contest. Remember, in the 'Links to Affected Code' section of high/medium findings, only the GitHub permalink for the respective code block should be added. Markdown can be added in the finding body.\n\nAn example of how to present a proof of concept for a bug and its impact can be found [here](https://github.com/code-423n4/2022-12-caviar-findings/issues/376). 
A detailed example of an accepted POC, involving copy pasting the code with a comment about the bug itself and its impact can be found [here](https://github.com/code-423n4/2022-12-caviar-findings/issues/343).\n\nIn case your 'Proof of Concept' is in a private Github repository, it does not have to be made public to protect from exposing vulnerabilities. Alternatively, a private gist can be used. You can also submit a PoC by uploading the result of the git diff command. \n\nNote that adding a link to a sponsor's Github repo code in a findings report does not automatically pull in that code snippet to the report, and images can be included as part of the Proof of Concept by linking them externally. It's important to know that without a Proof of Concept, a finding may be disregarded unless the issue is extremely obvious.", "Q: After a reward amount for a submission is announced, what's the process for it to get into my wallet?\n\nA: Once a reward amount for a submission is confirmed and announced, you simply need to wait for it to be transferred to your registered wallet address. The process can take between 1-2 weeks, or up until a month, depending on the contest. Once the rewards are announced, they are sent out manually in batches for multiple contests at a time. \n\nPlease remember that rewards are linked to your Discord username and the specific wallet address you provided when you submitted your report. If you want to update your wallet address after submitting a report and before the reward payout, you can do so by submitting a request through our Help Desk at https://code4rena.com/help. If you choose to use a new wallet address in future reports, the corresponding rewards will be distributed to the new address.\n\nThe reason rewards aren't distributed immediately after they're computed is due to the use of multisignature (\"multisig\") wallets, which require signatures from multiple parties before funds can be released. 
We're working towards distributing awards via smart contract once more pieces are in place.\n\nIt's also worth noting that rewards for submissions could be paid partially, or fully, and they're generally aimed to be paid out in the same week they are announced. Once a report is accepted, the reward payment is usually made within 1-2 business days of the announcement. You will receive email confirmations upon successful submission of entries in the contest, and you're able to check all the reports you've submitted during the competition. If a report is accepted, USDC will start flowing into the contributor's wallet.\n\nFor any further questions or concerns, we encourage you to reach out to our Help Desk.", "Question: What is the significance of a Proof of Concept (PoC) in CodeArena smart contract audits and how should it be constructed?\n\nAnswer: A Proof of Concept (PoC) is an essential part of smart contract audits in CodeArena. It provides a concrete demonstration of the vulnerability, making the issue more understandable and tangible. A good PoC can increase the chances of the report being selected for a 30% bonus.\n\nPoCs can be written in any language and should ideally demonstrate the vulnerability effectively. They do not necessarily need to be executable in the context of CodeArena, and can be written in plain English or in the form of an attack contract. It is important to explain the effects of the contract in understandable terms.\n\nThe recommended length for each PoC is about 50 lines, although this can change depending on the complexity of the bug. It can be run using a hardhat project and submitted either by including it directly in the bug report under the 'Proof of Concept' section or linking it from a private repo on Github or Gist if the code is too long.\n\nWhen submitting a PoC, ensure to provide direct links to all referenced code in GitHub and include any relevant screenshots, logs, or other proofs that illustrate the concept. 
For example, a PoC can be presented against a block number known to work on a testnet fork with state changes.\n\nFailure to provide a PoC for medium severity and higher bugs may result in the finding being disregarded unless the bug is extremely obvious. For medium risk vulnerabilities (Risk 2), test codes as PoCs are ideally required. In the case of precision-loss issues, a PoC should always be provided to support submissions.\n\nMore information on how to include a PoC in a bug report is available in CodeArena's submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept). Example of a well presented PoC for a bug and its impact can be found [here](https://github.com/code-423n4/2022-12-caviar-findings/issues/376).\n\nIn case of potential exposure risks, when submitting a PoC with Github, it is not necessary to make the repository public. Instead, a private Gist can be used. If you have written a PoC script for a vulnerability, you can include the link in the submission wherever relevant. \n\nFinally, consider the difficulty of setting up certain contract environments with limited documentation, no test cases, and no deployment scripts. With this in mind, your efforts in writing a comprehensive PoC can be seen as value-adding and potentially rewarded accordingly.", "Question: How does Code4Arena handle the disclosure of vulnerabilities, and what is the process for participants to report these vulnerabilities to sponsors or the Code4Arena team?\n\nAnswer: Code4Arena encourages participants in its audit contests to disclose any potential vulnerabilities they've found. If you believe you've identified a vulnerability, you are encouraged to contact the sponsor's team directly during the contest. Sponsor representatives available to answer questions are typically tagged in the welcome message in the contest channel. You can also directly communicate any vulnerability to the sponsors. 
However, to be eligible for awards, the vulnerability must also be submitted via the contest submission form.\n\nIn the case of vulnerabilities impacting Code4Arena's web application, these should be reported either by sending a direct message to a specific individual or emailing the issue to security@code4rena.com. Remember that trust between wardens and sponsors is of utmost importance. Concerns around potential misuse of disclosed vulnerabilities have been raised, such as sponsors hiding bugs in the code base, but these are often discussed and handled on a case-by-case basis to ensure fairness.\n\nOnce vulnerabilities have been submitted, they are kept confidential until the contest is over and the judging process has been completed. After this, valid and invalid issues are released when reports are published on the Code4Arena website. For high or medium severity vulnerabilities found a few days after the contest ends, they should be responsibly disclosed to the development team even though they won't be awarded by C4 outside the contest timeframe. Similarly, if a vulnerability is found in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding or the project can be directly messaged.\n\nIf you have any issues with submitting vulnerabilities, or other questions about contest security, you can submit a help request at [https://code4rena.com/help](https://code4rena.com/help). More specific information on the estimation of risk for vulnerabilities and the rewards system can be found on our documentation site at [https://docs.code4rena.com/awarding/judging-criteria#estimating-risk](https://docs.code4rena.com/awarding/judging-criteria#estimating-risk) and [https://docs.code4rena.com](https://docs.code4rena.com) respectively. 
\n\nIn essence, Code4Arena operates similarly to a bug bounty platform, where vulnerabilities are carefully audited, evaluated, and reported through a process that encompasses both the Code4Arena team and the sponsors.", "Question: What is the importance of creating a Proof of Concept (PoC) in submissions for smart contract audits at CodeArena, and what guidelines should be followed?\n\nAnswer: Creating a Proof of Concept (PoC) is highly recommended when submitting findings for smart contract audits at CodeArena. Doing so increases the chances of the report being accepted and can even potentially result in a 30% bonus. The PoC does not necessarily have to be exact code; it can be presented in plain English if preferred. However, if a PoC is coded, it does not necessarily need to be executable in the context of CodeArena. \n\nSpecifically, a Proof of Concept (PoC) script should demonstrate the vulnerability in any language. If the script is too large to be embedded directly in the issue, a link to an external platform like Gist can be provided. Instructions on how to submit a PoC are detailed here: https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept. \n\nRemember that a higher level of detail in the PoC submission, such as fully explaining each step or covering the issue in as many aspects as possible, can influence the award amount. PoCs can also be submitted through a public Github repository or by providing a diff of an existing sponsor-supplied test/contract.\n\nWhile, in general, a finding without a PoC may be disregarded unless the bug is extremely clear, a vulnerability without a PoC can still potentially be rewarded as high if the process is clearly described in bullet points. 
However, for uncertainties in classification, such as whether a finding is QA or Medium, it should be filed as QA unless the PoC is coded.\n\nExamples of accepted PoCs which include copy-pasting the code with a detailed comment about the bug itself and its impact are provided on the CodeArena Github: https://github.com/code-423n4/2022-12-caviar-findings/issues/343 and https://github.com/code-423n4/2022-12-caviar-findings/issues/376. \n\nBear in mind that the severity of a precision-loss issue can be submitted as medium, so long as the damage done by it justifies it, but a Proof of Concept (PoC) that proves the case is always needed. If the severity of an issue is not clear, you should continue working on the PoC until it becomes clear. \n\nOverall, while creating a PoC can be challenging, it is critical to demonstrate the vulnerability and enhance the understanding of your findings in the smart contract audit process.", "Question: How can I seek help regarding a security-related question about a contest, and can I privately discuss potential vulnerabilities with the sponsors?\n\nAnswer: If you have a question related to a security issue in any of our contests, you can submit a help request at [https://code4rena.com/help](https://code4rena.com/help). Each contest has a dedicated channel where you can ask general questions. Moreover, during a contest, you can directly message (DM) sponsor team members with your queries or potential vulnerabilities. It's important to note that even if a potential vulnerability is confirmed by the sponsor via private DMs, you need to officially submit it through the contest submission form for it to be eligible for awards. For more sensitive matters, you can also request to withdraw a submission by directly messaging an administrator. 
In any case, we encourage open communication and discussion during the contests to facilitate a productive and secure auditing environment.", "Q: I've applied for the Know Your Customer (KYC) process, submitted a help desk request, and am waiting for updates on my approval status and the progression of my backstage application. Can you provide any updates or timelines on these?\n\nA: We understand your concern. As per our process, KYC approvals can sometimes take longer than expected due to various factors, some users have had to wait up to 10 days. If your KYC process is still pending after this period, we recommend creating a help desk request to follow up on your status. Regarding your backstage application, unfortunately, there's currently no ETA available as applications are paused due to an issue, but we anticipate an update about this within the next two weeks. Role updates after approval from Provenance typically take a few days. Keep in mind, there is no mail notification for updates on issues, and help desk requests should get a response within a week. If you've submitted a report for the first time, you can check the status of your submission in the \"Past Contest Status Updates\" section which provides a timeline of where the contests are currently in the process. We're continuously working on improving our procedures and timelines, and we appreciate your patience.", "Question: In the context of code simplification, such as merging two for loops into one, should this be classified as a Quality Assurance (QA) report or a Gas Optimization report in CodeArena?\n\nAnswer: Code simplification, particularly when it involves merging two loops into one, can be a matter of both QA and gas optimization. When such simplification improves the readability, maintainability, and overall quality of the code, it falls under the QA category. 
However, if this change also results in noticeable gas savings, it can be considered a gas optimization.\n\nIn CodeArena, you can submit both a QA report and a gas optimization report for each contest. It's recommended to combine all related findings into one comprehensive report for each category. If a finding is relevant to both QA and gas savings, it can be included in either report depending on where it fits best. Judges will decide the appropriate category. \n\nFor gas optimization reports, it's best to include how much gas would be saved by the refactored code. A reference example of such a report can be found at [CodeArena Gas Optimizations](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations). \n\nFor QA reports, it's beneficial to group all issues together, even if they are low level or non-critical, but also result in gas savings. An example of a top QA report can be found at [CodeArena QA Reports](https://code4rena.com/reports).\n\nPlease note that it's still an open question on how to handle duplicates and their formulae in both QA and gas reports. There's also ongoing discussion on the use of static analyzer at [https://github.com/byterocket/c4udit](https://github.com/byterocket/c4udit). If a single line of code has multiple ways of exploitation, it might be reported as one bug or multiple, depending on the context.", "Question: What happens if I classify an issue as low in my Quality Assurance (QA) report, but it is later judged as medium or high? Will I still be eligible for a reward? Moreover, can issues be upgraded or downgraded after they have been submitted?\n\nAnswer: Yes, you will still be eligible for a reward if an issue you reported as low severity in your QA report is later judged as medium or high severity. The judges at Code4Rena have the ability to reclassify the severity of reported issues. 
If a finding you submitted as a low-risk issue in your QA report is determined to be of medium or high severity by the judges, it will be upgraded accordingly, and you will be eligible for the corresponding reward as per the guidelines outlined in [our documentation](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nSimilarly, if you submitted an issue as high or medium severity and the judges decide to downgrade it, you will still be rewarded unless the submission is overinflated and thus invalidated. Please note that overinflation of an issue's severity can lead to invalidation of the submission as per [our guidelines](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions). \n\nIf no High/Medium (H/M) issues are found in a contest, the entire reward pool may move down to Quality Assurance (QA). Therefore, if no medium or high vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve. It's important to remember that judges consider both the quantity and quality of submissions when grading QA reports, and a single item in a QA submission is unlikely to receive a high grade on its own. For more information on how QA reports are graded, please refer to [our documentation](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical).", "Question: What is the best way to add colored text, code snippets, and images to my CodeArena reports?\n\nAnswer: CodeArena reports largely utilize Markdown format. To add colored text and code snippets, you can use presets while creating a code block. 
Typically, JavaScript is used for solidity and diff for diff.\n\nYou can achieve syntax highlighting in a code block in your report by using three backticks and specifying the language (for instance, ```solidity).\n\nFor adding images to your report, Markdown can be used as well. The final report will compile with the image(s) if they are accepted. For information on adding images to your markdown, you can refer to this guide: https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images\n\nFor formatting your reports and seeing a preview, Visual Studio's preview tool is recommended. Additionally, you should note that adding a link to a sponsor's Github repo code in a findings report doesn't automatically pull in that code snippet to the report.\n\nTo add code blocks in Markdown format, here's a guide that can help: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks\n\nPlease ensure that you use an accepted tool for writing your reports, such as GitHub, Joplin, VScode, or Notion. These tools should support Markdown format to ensure your report is correctly formatted.", "Question: How can I add, format, and color text and code snippets in my audit reports at CodeArena?\n\nAnswer: At CodeArena, you can add, format, and color text and code sections in your audit reports using Markdown (MD) format. This is especially useful when you want to include a code block in your report, as Markdown supports syntax highlighting. To add a code block, you can use three backticks (```) followed by the language identifier. For instance, for Solidity, you would use ```solidity. \n\nYou can format your Solidity code using presets commonly used for JavaScript. This helps ensure the code in your report is easily readable. 
It's also possible to include line numbers with code snippets, although it's not clear if judges have a specific preference regarding this. A useful tool for this purpose is the VS code extension \"Copy With Line Numbers\". \n\nWhen referencing a sponsor's GitHub code in your report, be aware that adding a link will not automatically pull in the code snippet. Instead, you may need to manually format and include the relevant code section using Markdown. \n\nFor more detailed instructions on creating and highlighting code blocks using Markdown, you can visit this GitHub guide: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks\n\nLastly, if you have large text that doesn't fit within the textbox or need to embed images, you can use a Gist link or embed the images directly using Markdown respectively. \n\nPlease refer to the official CodeArena documentation for more information: https://docs.code4rena.com/. You can also propose changes to the documentation at github.com/code-423n4/docs if needed.", "Question: What is the procedure for address approval and how can I modify it if needed?\n\nAnswer: At CodeArena, our address approval process is generally straightforward. Upon registration, participants are required to submit their handle and Ethereum (ETH) address to receive their share of rewards. For payments, you can submit your Binance or Polygon address, but please remember that these addresses may change, and owning the keys to these addresses is crucial to claim ownership of your coins. Once your Provenance application is approved, you will receive a confirmation email.\n\nIf you're unsure about the status of your address submission, you can check using the help form located at https://code4rena.com/help. 
For modifying your wallet address, it's essential to know that two-step changes with critical addresses are considered safer and better practice than one-step changes, this can help prevent errors such as inputting the wrong address.\n\nPlease note that the process to approve a team for CodeArena contests may take a few business days. Should there be any unexpected issues, such as receiving an email about a change to your payment address without your knowledge, you can report this to our team for further investigation. \n\nBear in mind that even after passing the KYC approval, certain private contests may still be inaccessible if they've already been assigned. All modifications and submissions, including those made through GitHub, need to be approved by a member of the C4 team before they can be merged or enacted.", "Question: How can wardens access the past information from \"_data/contests/contests.csv\"?\n\nAnswer: While the \"_data/contests/contests.csv\" might be removed after the contest, wardens can still refer to the historical information through different ways. Firstly, wardens, particularly those with Certified+ status, are able to view the reports from other wardens even after the contest has ended. They can access this information immediately after the contest ends, helping to accelerate their learning process. \n\nIn addition, a detailed list of rewards for each warden for each bug per contest is available at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. This findings.csv file can be parsed to generate a detailed table with information about all wardens and their deduplicated findings. \n\nFor those who wish to review their own findings, they can refer to the data folder in the findings repo on GitHub. Here, JSON files are named as [warden-handle]-[issue number], allowing them to look up the findings directly.\n\nAdditionally, wardens can apply for backstage access. 
This allows them to observe the report submission and triage process, and they can see judging results before they are published, providing an opportunity to raise any issues to the judge for reconsideration.\n\nIn order to gain Certified+ status or backstage access, wardens can refer to the guidelines and information available at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints and https://docs.code4rena.com/roles/certified-contributors/backstage-wardens respectively. \n\nLastly, it's worth noting that there's an ongoing effort to move to authenticated warden accounts which will provide more secure and comprehensive access to historical information.", "Question: Can the 'safeTransferFrom' function of an ERC-777 token contract be called within another smart contract, causing the function in the latter contract to be executed? \n\nAnswer: Yes, it is possible to call the 'safeTransferFrom' function of an ERC-777 token contract within another smart contract. However, whether it's safe or not to use the function depends on the specific token used and the expectation of the code. For example, in a case where the token is already wrapped inside an IERC20, determining the level of safety can depend on several factors. It might also necessitate the need to review the specific code snippet in question.\n\nSafeTransferLib is commonly used for safely transferring funds to a user. It checks whether the operation of sending funds is successful by checking the return status of the call. \n\nRecall that trading callbacks in solidity can be activated by several methods, including 'safeTransferFrom' on 'onERC721Received', 'onERC1155Received' of ERC1155, and 'tokensReceived' 'tokensToSend' of ERC777. \n\nIt's worth noting that ERC721 or ERC1155 contracts may be aware if tokens were sent to them because they have a recipient contract call onReceive. However, a smart contract does not know if an ERC20 token was sent to it. 
\n\nIn some cases, testing certain functions from a smart contract may require a mocked token to have the safeTransfer and safeTransferFrom function. \n\nBefore using this function, it's advisable to verify the token contract on Etherscan for more information: https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95. \n\nRemember, it's crucial to be cautious about potential risks such as depositing funds in an uninitialized contract or transferring ERC20 tokens without reentrancy protection, as these could lead to vulnerabilities. \n\nLastly, ensure you understand the context in which the function is being called as calling a contract's own function like \"InterfaceA(address(this)).functionA();\" is considered an external contract call and would change the msg.sender value inside the function.", "Q: What is the process for KYC certification, how it affects the bounty payouts and whether C4 or Provenance assists with tax reporting for the C4 bounty earnings?\n\nA: The KYC (Know Your Customer) certification process involves applying for certification and providing necessary documentation. Provenance, the KYC provider, may require more detailed documents than outlined in C4's guidelines. You can apply for KYC certification using the form available at [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors). After submitting, you will receive an email from Provenance and C4. \n\nWhile you can participate in audits and submit reports without being certified, some contests require KYC certification to receive prizes. All team members should be KYC'ed to receive payments after participating in a Base audit. Uncertified participants can still receive bounty payouts, but in case of multiple auditors reporting the same bug, the bounty is divided amongst them. \n\nIf a team wins a prize but can't claim it due to KYC issues, it's unclear whether the prize will be put on hold or lost forever. 
If there are changes to your wallet address, there is no clear guideline on whether the rewards will be distributed to the new address. \n\nRegarding tax reporting, while efforts are underway to streamline tax reporting for C4 wardens, currently, neither C4 nor Provenance handles tax reporting for bounty earnings. It is the individual's responsibility to handle tax issues related to their earnings from C4. More information on invoicing and tax-related questions can be found here: [https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions](https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions).", "Question: Can I share or forward updates and announcements from the #\u270brsvp and #\ud83d\udce2announcements channels on my private server, and are there any plans to make these into official \"announcement channels\"?\n\nAnswer: At this time, the sharing or forwarding of posts from the #\u270brsvp and #\ud83d\udce2announcements channels to private servers is not explicitly addressed in our policy. However, we appreciate your feedback and encourage you to add this suggestion to our #\ud83d\udce5suggestion-box so it can be appropriately considered and discussed.\n\nThese channels are a crucial part of our communication process. The #\u270brsvp channel is used to announce upcoming public audits, contests, bot registration openings, and RSVPs for future qualifiers. You can react to indicate your interest in participating in these events. Here's the link to the channel: https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784.\n\nOn the other hand, the #\ud83d\udce2announcements channel is where we post updates and results of contests. It's also suggested that we create a similar channel named #audit-reports to publish new reports from the CodeArena website. 
Check out the updates at this link: https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490\n\nRemember, some contests are private and only open to certified members. The RSVPs for these contests are found on a separate channel that's only visible to certified wardens. If a contest is public, it will be posted in the public #\u270brsvp channel. We hope this information helps, and we look forward to hearing your suggestions!", "Question: Can I submit an issue that was found in the automated findings, but appears in a different instance or has greater impact than initially stated?\n\nAnswer: Generally, the submission of an issue already identified in the automated findings but appearing in a different instance or with greater impact than initially designated is subject to the judge's discretion. Automated findings are typically considered known issues and are therefore out of scope for the contest. However, there are exceptions:\n\n1. If the issue identified in the automated findings can potentially lead to a high severity finding, it may be reported again during the contest by a warden and could be rewarded with higher severity.\n2. If the issue found falls under the same category as a bot report but isn't included in the bot report, it could be considered a valid finding.\n3. If a contest's bot report ranks an issue as low severity but a participant escalates it to high severity, the submission isn't automatically invalid. Submissions based on automated tools must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory.\n\nBear in mind that a single report with all occurrences of the same issue is acceptable when submitting findings. Also, if you've made an initial low-risk finding, you can edit your finding at any time during the contest. If you want to submit a new issue, you can withdraw your old issue. 
\n\nWhile findings listed in the best bot-generated report are out of contest\u2019s scope, findings in non-winning bot-generated reports that remain unpublished are still eligible for submission.\n\nFor more details on the submission policy related to automated findings, please refer to: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Question: How should I proceed if I'm uncertain whether a finding should be classified as QA or as a Medium risk issue?\n\nAnswer: If you're uncertain about categorizing a finding as either QA or Medium risk, it's generally better to file it as QA, unless the proof of concept (POC) is coded and of high quality. Remember, front-running possibilities could fall into either of these categories depending on the impact. The severity of the loss caused by the issue can also guide your classification. For instance, if all rewards can be lost, it's considered MED/HIGH risk. If there's a risk of losing some rewards, it's probably medium. If rewards are lost due to roundings (a negligible amount), it's probably QA. Misclassifications can happen, but even if a High severity bug turns out to be only Medium, the reward for a Medium bug is still received. Judges at CodeArena have the ability to change the severity of the issue from QA to Medium or from Medium to High. If a finding is classified as low risk in QA but is judged and confirmed as medium risk by other wardens, the judge will usually upgrade it automatically. You can find more details about this in our [Code4Rena help page](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). 
If you're still unsure, it's advisable to review the guidelines, look at how similar issues were handled in the past, and present the most robust case possible.", "Q: How can I review my submissions and their feedback, especially for contests that have already been judged?\n\nA: Once a contest is over, a report is published and the respective repository on GitHub is made public. This allows participants to review their submissions as well as any discussions among sponsors and judges about their findings. Even if your submission wasn't rewarded, you can find out why by checking this repository. \n\nTo locate your feedback and the judges' comments, go to the specific repo that ends with \"-findings\" on the CodeArena GitHub page, like this example: https://github.com/code-423n4/2022-12-prepo-findings/issues/335. \n\nIn the repo, you can also review others' findings and identify potential areas for improvement by checking the feedback they received. For instance, the findings from the ArtGobblers competition can be found at https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137. \n\nIn some cases, you may experience issues with viewing your submissions, such as getting a 'No findings submitted for this contest' message despite having made a submission. If such an issue arises, please report it on the CodeArena's issues page: https://github.com/code-423n4/org/issues. \n\nPlease note that there are plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. However, as of now, you cannot see the status of your submissions until the report is published and the repo becomes public. \n\nFor open contests, you can view or edit your submissions on the site itself. The submission process also includes a form on the website for each contest. 
If you disagree with a decision about a contest judgment, you can review the related issues and join the discussion by adding comments or opening a new issue. \n\nRemember to use the 'Submit finding' button on the specific contest page for each finding separately while making your submissions. We no longer use or update the old GitHub templates for submissions. \n\nYour findings and the feedback to them are crucial to improving audit quality, and we encourage you to review them carefully.", "Question: How should I determine and label the risk level of a vulnerability if I'm unsure of its severity?\n\nAnswer: If you are unsure of the risk associated with a finding, the initial approach would be to classify it as medium risk and then make a clear case on why it may be raised or lowered. \n\nTo help determine the risk level, review the judging criteria (https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk) and the historical judgement of similar issues. High-risk vulnerabilities generally involve significant fund loss or other severe implications that don't require preconditions. Medium-risk issues usually have a lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness. If all rewards can be lost, it's MED/HIGH; if there's a risk of losing some rewards, it's probably medium; and if the principal can be stolen without needing extra requirements, it's likely HIGH.\n\nIf your finding is classified as low risk but is judged and confirmed as medium risk by other wardens, the judge will usually upgrade it automatically, and vice versa. You are allowed to include both high severity and medium/low severity issues in the same report. However, you should focus more effort on high severity issues. \n\nWhen submitting Medium/High reports, you can do so without recommended mitigation steps, but you should include an explanation as to why it cannot be feasibly mitigated. 
\n\nRemember, the final judgement of the risk level will depend on the specific contest, the judge, and the quality and accuracy of your submission. If your submission is incomplete, lacking in detail, or not as accurate, it may be penalized. \n\nFinally, your credibility plays a role in judging the risk level. Consistently rating all findings as high risk may be seen as a strategy and could be discouraged. Instead, strive for accurate risk assessment based on the evidence and clear logical arguments. \n\nFor the reward calculation of medium/high risk findings, refer to https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs, and for a complete list of previous rewards, you can check https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.", "Question: I forgot my password and didn't receive a reset email. How can I regain access to my CodeArena account?\n\nAnswer: If you've forgotten your password and haven't received a password reset email, this can be due to a few reasons. First, please double-check your spam mail, as some users have reported email correspondences from CodeArena landing there. \n\nIf you still can't find the reset email, it could be due to issues with our password reset function that some users have experienced - we are aware of these issues and are actively working on resolving them. You can still regain access to your account by using your wallet, provided you registered it during account creation. In case you have also forgotten your wallet address, you can refer to the email you received when you submitted a bug report.\n\nYou can also switch to using a username and password for login, and even change your username if necessary by re-registering. If none of these steps work, please seek help through our Help Desk by creating a ticket at https://code4rena.com/help/. 
\n\nIf your account has been inactive for a long time and you still can\u2019t access it, you can also seek assistance in the #auth-help channel or directly message us for assistance with account issues. Please note that during the new registration process, if your username isn't found on the list, our team is already investigating the issue. \n\nRemember, if, unfortunately, your wallet was hacked and you lost your seed phrase, follow the steps mentioned here: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked. \n\nWe sincerely apologize for any inconvenience caused and appreciate your patience and understanding.", "Question: If any user can call a function on a smart contract and it generates internal tokens on behalf of any address multiple times, with minimal impact other than creating random tokens, should this be reported in a CodeArena audit?\n\nAnswer: Yes, it should be reported. Even though it may seem that this action has minimal impact and appears only informational, it is worth mentioning in your QA report. Every function call and its effects, even if they appear insignificant, can contribute to a bigger exploit. It's even important to note if a function is called with address(0) as a parameter and only results in a mapping being filled with random entries. Additionally, it's important to understand that the validity and severity of a finding may depend on a clear explanation of the exploit path. Therefore, an issue like this could potentially be downgraded to a QA finding if there's no clear exploit path. As a general rule, if there's a bug in a contract that's in scope, but it impacts another contract that's out of scope, the impact might count, and this decision is generally up to the review judge. If you find the same type of issue more than once, report them all together. 
For further reference, consider looking at previous reports like [this one](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations).", "Question: Can I ask specific questions or seek guidance on sensitive aspects of the system through a private message (Direct Message)?\n\nAnswer: Absolutely! CodeArena encourages users to use the direct messaging function for more specific or sensitive inquiries. You can ask for guidance on topics like Yield v2, the new functionality of Warden profiles, private contests such as Party Protocol, and findings of past projects. You can also seek help on participating in private audits, making changes to your submissions, or even withdrawing a submission by directly messaging specified individuals or staff members. In case of account issues, scam reports, or collaboration and investment issues, you're encouraged to reach out via direct message as well.\n\nHowever, for questions related to general aspects of a contest, it's best to ask on the forum post of the contest itself as the chat can be ephemeral. And if you have questions that need to be addressed by the sponsor team members, they are available for DMs. For private inquiries to a member of the Code4rena team, you can make a Help Desk request. \n\nPlease note that we value user safety and maintain a strict policy against misuse of direct messaging, such as spamming or scamming attempts. If you need to report such issues, don't hesitate to contact us. \n\nKeep in mind that some specific information or processes, like the KYC (Know Your Customer) process or the address of the C4 token, might not be readily available in chat excerpts or might require specialized guidance. 
For these instances, we recommend reaching out directly to the Code4rena team.", "Question: If a user can call a specific function on the contract with address(0) as one of the parameters, leading to a mapping being filled with random entries but no direct impact, should this be reported as informational or is it generally accepted as a known risk?\n\nAnswer: Yes, this issue should be reported as QA - Informational. It is significant because it can cause the contract mapping to be filled with random entries. However, it is important to note that the severity of this issue may vary depending on the context. If the function call always reverts or if the issue relies on a user making a mistake in interaction with a contract, it might not have the same severity as if it doesn't require a mistake. \n\nAdditionally, even if the vulnerability is tied to an out-of-scope contract, it should still be reported. If the vulnerability is found in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding or the project can be directly messaged. Furthermore, if there's a bug in a contract that's in scope, but it impacts another contract that's out of scope, the impact might count, this decision is generally up to the judge.\n\nAn important factor to consider in the context of smart contract vulnerabilities is the potential for loss of funds. For example, a middle vulnerability like missing zero address check can lead to loss of funds and is still valid. 
An example of a reported vulnerability for reference can be found [here](https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address).\n\nLastly, it's worth mentioning that there is no performance overhead on EVM execution regardless of the size of the mapping due to its constant complexity.", "Question: Can sponsors view the contest submissions before it ends, and what happens with the submissions after a contest?\n\nAnswer: Sponsors usually do not see the submissions before the contest ends. Submissions are typically confidential to the participating team until the contest concludes. After the contest ends, the submissions are reviewed and triaged by our judging panel. Sponsors are then granted access to the findings repository to review these triaged issues. \n\nDuring this stage, sponsors play a vital role in reviewing, confirming, and making final judgments on the submissions. This process also includes a Quality Assurance step before the results are released to the public. Participants can then view the final published report to see the results of their submissions, and any discussions that took place regarding their submissions between the sponsors and judges.\n\nThere are future plans to allow certified contributors to view and comment on the submitted issues right after the contest closure during the judging phase. It's also crucial to note that contestants are allowed to discuss potential issues with the sponsor during the contest, and can edit their submissions until the contest ends. However, any findings not submitted before the end of the contest will not be eligible. \n\nLastly, sponsors are responsible for deciding the scope of their contests, and these details are typically listed in the contest info. 
Please refer to the contest information for scope or other contest-specific queries.", "Question: How should I handle gas optimization issues and known issues in my reports for the CodeArena contest?\n\nAnswer: When handling gas optimization issues and known issues for the CodeArena contest, it's recommended to separate the Quality Assurance (QA) and Gas reports. All gas-related findings, whether they are of high, medium, or low severity, should be compiled into a single gas report. It's important to note that known issues should be excluded from these reports. \n\nIf you discover a low issue or non-critical issue that also reduces gas, it should be included in the QA category, and you should mention the potential gas savings in your report. If the issue is only related to gas savings, it could be downgraded from QA to Gas. You should also mention the amount of gas saved for each finding in your gas optimization report. \n\nAll your findings should ideally be grouped into a single consolidated report for each contest. If additional findings need to be added later, you should update the existing report rather than submit a new one. This is because there are restrictions on submitting more than one report of gas optimization in a contest. \n\nFor gas optimization, only the findings included in your report will be considered. The rest should be submitted via the following link: https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md. \n\nPlease note that not all gas optimizations are valid when the optimizer is enabled, so some findings may not need to be reported. If you are uncertain, it is best to ask for clarification. \n\nLastly, listing any of the C4udit gas findings will void your report and count as 3 rejected reports. 
For examples of quality QA/Gas reports, you can visit: https://code4rena.com/reports.", "Question: What is the structure and role of judges at CodeArena (C4) and how can one become a judge?\n\nAnswer: At CodeArena (C4), the estimated number of judges is around 10, with approximately 5 additional lookouts. The primary responsibility of the judges is to assess the bugs during a contest, while the judging of rules is handled by Certora. Judges are perceived as fair and have even been known to upgrade the severity of reports. For instance, if a report is initially categorized as medium severity, it can be upgraded to high by C4 judges. \n\nMost judges balance their responsibilities at CodeArena with full-time jobs and other commitments. The process of judging is complex and requires the findings to be visible to C4 staff, sponsors, and the judging team while keeping them sealed from other wardens. The judges for a contest are not disclosed ahead of time.\n\nAnyone interested in becoming a judge can find relevant information on [C4's official documentation](https://docs.code4rena.com/roles/judges). Although being a certified warden makes one eligible for a judge role, certification may not always be required. It's important to note that the number of contests and availability of judges can fluctuate, leading to potential backlogs.\n\nFor further insights into the judging process at C4, a thread on Twitter can be helpful: [C4 judging process explained](https://twitter.com/sayan_011/status/1629011044516655104?t=DJz16iE54QkwLxkc3MrQtw&s=19).", "Q: How can a high risk vulnerability be defined in the context of smart contract audits, especially when no principal is involved or users can't interact with the underlying principal? Should a finding that breaks the protocol always be classified as medium risk if no funds are lost?\n \nA: A vulnerability can be classified as high risk even if it doesn't directly result in funds loss but disrupts the protocol. 
The severity of a vulnerability is generally determined by a balance of its potential consequences and the likelihood of its occurrence. High risk vulnerabilities typically involve substantial fund loss or other severe consequences, and usually don't have pre-conditions. If the principal can be stolen without additional requirements, then it's likely it would be classified as high risk. Medium risk vulnerabilities, on the other hand, usually have less severe impact and specific pre-conditions such as high attack difficulty, specific market conditions, or user unawareness. \n\nFor example, if a function call in a smart contract always reverts but does not put assets at risk, it could be classified as Medium or High severity depending on the context. Similarly, if a finding affects end-users under rare circumstances or has the potential to lock all protocol assets, it's typically considered a medium or high severity issue respectively.\n\nThe loss of rewards could potentially be considered as a \"loss of assets\", and whether such a vulnerability is classified as high or medium risk depends on external conditions or attack difficulty. For instance, if all the rewards can be lost, it's likely a medium or high risk vulnerability. If there's a risk of losing some rewards, then it's probably medium risk. If rewards are lost due to rounding errors (a negligible amount), then this is likely classified as a QA issue.\n\nHowever, it's important to note that the classification of vulnerabilities is not always straightforward and can be subject to debate. For example, there are discussions about whether failing to check for account existence could be considered a medium risk vulnerability, or whether a finding regarding an external function with the transfer of ERC20 tokens without reentrancy protection could be downgraded to a QA issue without a clear demonstration of an exploit path. 
\n\nIn some rare cases, if no medium or high vulnerabilities are found during a contest, the remaining funds are divided based on the QA report curve. This situation is considered rare as most contests generally reveal medium or high vulnerabilities. There is an example of a contest with only low vulnerabilities at https://code4rena.com/reports/2021-11-fei.\n\nUltimately, determining the severity of a vulnerability relies heavily on experience, understanding of the complex smart contract ecosystem, and a nuanced analysis of each individual case. When reporting a vulnerability, it's recommended to provide a Proof of Concept (PoC) whenever possible, unless the vulnerability is extremely obvious. \n\nIt's also crucial to remember that the primary aim of a smart contract audit is to identify and explain vulnerabilities - providing a recommended fix is appreciated but not strictly necessary and does not affect the severity of the vulnerability. If you find a vulnerability that's difficult to fix without major changes to the protocol, it should still be reported, and if no feasible mitigation steps can be identified, an explanation as to why should be included.\n\nFor more information on standard risks and their classifications, you may refer to this link: https://github.com/byterocket/c4-common-issues/blob/main/2-Low-Risk.md#l004---use-two-step-transfer-pattern-for-access-controls.", "Question: What does the \"edited-by-warden\" tag on my submitted issue in CodeArena mean, and what implications does it have?\n\nAnswer: The \"edited-by-warden\" tag on a submitted issue indicates that the submitter or 'warden' has utilized the CodeArena website to modify the issue post-submission. This is done by certified wardens who have a certain level of contribution established. Wardens can view their submission, along with the comments on it, following the announcement once the repository is set to public. 
\n\nThis tag is not indicative of any error, but merely serves as a tracking mechanism to note that a submission has been edited. The practice of editing submissions after they have been sent is permissible. There are facilities like the \"View Repo\" and \"Submit Findings\" buttons exclusively for certified wardens to use.\n\nIn case of concerns or queries regarding a report, wardens can seek clarification. Post judging, there is a QA phase where wardens can comment on the judges' decisions. However, this feature is only available to backstage wardens, more details on which can be found [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens).\n\nThe guidelines for submitting issues can be found at this [link](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). If wardens encounter issues with registration or bug submission, they are encouraged to communicate directly with the CodeArena staff.\n\nRemember, the order of submitting issues does not impact the contest, but if multiple wardens find the same issue, the reward each warden receives for this issue decreases. You can refer to more details [here](https://docs.code4rena.com/incentive-model-and-awards). \n\nIf you believe you qualify for '+backstage' status, you can submit a request at this [link](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). If you are a '+backstage' warden, you get to see other submissions immediately after contests end, which can greatly accelerate your learning process.", "Question: How does Code4Arena handle the disclosure of vulnerabilities to sponsors and what are the potential concerns?\n\nAnswer: At Code4Arena, we understand that trust between us, our wardens and our sponsors is crucial. However, we also recognize potential conflict of interest scenarios that may arise. 
This includes situations where a sponsor might hide bugs in the code base, report them, and hope no one else finds them. We have a fairness principle in place to prevent such scenarios. If sponsors get early access to vulnerability submissions, they could potentially exploit this information. To maintain fairness, we have decided that only the sponsor, not the judges, see the findings early. But sponsors do not have access to the findings repository before the contest ends. These repositories are kept private until they are made public after the issues have been mitigated and cleared for publication by the sponsors.\n\nParticipants are encouraged to reach out to the sponsor team during the contest if they think they've found a vulnerability and want to ask questions. They can disclose it directly to them, but they need to submit it via the contest submission form or it won't be eligible for awards. If a participant identifies a potential vulnerability that is confirmed by the sponsor via private DMs, it may still count when submitting it, depending on the judgement.\n\nWe are aware of concerns about possible misuse of disclosed vulnerabilities. For instance, there's the chance that a dishonest project might clone white-hat reports to cut down on their payouts. Or if our mail server gets compromised, a hacker could potentially read all findings and submit them as their own. We are actively working to prevent such scenarios and ensure the utmost transparency and fairness in all our contests.\n\nWe have also noted concerns about how vulnerabilities are handled if reported by multiple people, and the process for reporting vulnerabilities to Code4Arena is being established and documented. We incentivize wardens to submit non-critical vulnerabilities as this benefits the sponsor, even though these are not considered for awards. 
If a vulnerability is found in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding or the project can directly be messaged.\n\nPlease note that past contest reports reveal vulnerabilities, and these can be used for learning purposes. Also, if a vulnerability is found and reported a few days after the contest ends, it would most likely involve responsible disclosure to the development team, and it would not be awarded by C4 outside the contest timeframe. \n\nPlease do reach out if you have further questions or concerns. We're always here for our community and we do our best to uphold the principles of fairness, transparency, and security.", "Q: How does Code4rena handle the issue of trust between wardens and sponsors? What happens when a vulnerability is discovered and reported by multiple wardens?\n\nA: Trust between wardens and sponsors is of paramount importance to Code4rena. Wardens are encouraged to reach out to the sponsor team during a contest if they've found a vulnerability or want to ask questions. While wardens can disclose a vulnerability directly to the sponsor, they must also submit it via the contest submission form to be eligible for awards [https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines]. \n\nRegarding the handling of vulnerabilities reported by multiple wardens, there is a criterion followed. If the same vulnerability is reported, all wardens receive the same share. This is part of the deduplication process and subsequent judging/determining of severity. There is no advantage for a warden who submits first. However, the level of detail and coverage of the issue in the submission, for example, inclusion of a proof of concept, can influence the award value.\n\nIf wardens report the same vulnerability but suggest different severities, they are all attributed the same severity for award calculation. 
In case of non-critical vulnerabilities, wardens are still incentivised to submit them as it benefits both them and the sponsor.\n\nConcerns regarding potential conflict of interest scenarios, such as sponsors exploiting early access to the information or hiding bugs, have been raised. However, Code4rena maintains a professional conduct guideline for wardens that requires all findings to be treated as private and confidential until the contest report is made public.\n\nAs for backstage access, only certified wardens with an established level of contribution are allowed access to see submitted reports on Github during the triage process. Additionally, certified+ wardens get earlier access to findings repositories to assist with post-contest processes.\n\nWhile there is a potential for conflict and misuse, there are also systems in place to ensure fair and honest communication and dealings between all parties involved.", "Q: What can I do if I am having trouble signing into my Code4arena account? \n\nA: If you are experiencing issues with logging into your Code4Arena account, the first step is to verify whether the problem is on your end or is a site-wide issue. You can use services like https://downforeveryoneorjustme.com/code4rena.com to check if the site is down for other users as well. \n\nIf the site is operational and you still can't log in, you might want to try a few things: \n- Ensure you're using the correct username and password combination. \n- If you have not used your account for a long time, particularly if you were involved in contests like the 2022-11-looksrare-aggregator-contest, you may face difficulties accessing your account. In such scenarios, you might need to reset your account or password. \n\nNo matter what your issue is, you can always open a help desk ticket at https://code4rena.com/help. 
We've noticed some users have had difficulties submitting requests via this form, if this happens to you, please email your request to submissions@code4rena.com. Please note, it may take some time to receive a response.\n\nAs an additional tip, users can also bind their Twitter accounts to their Code4Arena profiles by creating a help desk request. This could be a useful alternative if you're having trouble with your regular login. If you are a team account user facing issues, opening a help desk ticket is also advisable.\n\nFor any security related concerns, including vulnerabilities impacting Code4Arena's webapp, please email the details to security@code4rena.com. We take all such reports very seriously and will act on them promptly.\n\nRemember, Code4arena is here to help and we'll do our best to resolve your issue as soon as possible.", "Question: \nAs a beginner, I'm having trouble understanding certain code instances and distinguishing between valid issues and assumptions. What approach should I take?\n\nAnswer: \nIf you're new to understanding and auditing smart contracts, it can be a bit overwhelming. Firstly, it's important to familiarize yourself with the codebase and its documentation as it provides the essential context about the project. Reading the README/code comments will often help clarify the purpose and certain aspects of the code. \n\nWhen you come across code instances that cause issues or are not clear, it's recommended to make one report and reference all the related issues in it. Issues could range from differences in lines of code, formatting issues, to understanding the use of variables. \n\nIf you're unsure about what constitutes a valid issue, consider this: A valid issue is something that could potentially impact the functionality, security, or performance of the contract. 
Unstated assumptions in the code that aren't obvious from the documentation could potentially be valid issues.\n\nLearning the differences between code instances, understanding the syntax and programming, and knowing how to create and format code are all part of the learning curve. Tools like 'git diff' in the terminal and using backticks in the report can be helpful in tracking and demonstrating changes or differences. \n\nFurthermore, there are lots of resources and discussions available on our [Discord server](https://discord.com/invite/code-423n4). Here, you can ask for guidance, share your struggles, or simply learn from the challenges others are experiencing. \n\nIt's also worthwhile to participate in code contests, which can help you gain practical experience and feedback. For example, you may find [#arcade-jul21](https://github.com/code-423n4/2023-06-lybra-findings/issues/549) interesting.\n\nLastly, don't be discouraged if you're having difficulty in catching vulnerabilities during CTFs (Capture The Flags) or understanding the intricacies of languages like Solidity. It takes time, and more exposure to Solidity fundamentals and developer experience will definitely help. \n\nRemember, learning to audit smart contracts effectively is a journey, not a destination. Good luck!\n", "Question: Is there a table or resource available that provides an overview of the rewards for each contest, detailing how they are calculated and distributed?\n\nAnswer: Yes, CodeArena provides detailed information on the reward division for each contest. This information includes how rewards are distributed, the criteria for a report to get selected, and how the reward for gas optimization is distributed. A table with an overview of the rewards can be found at [CodeArena's Incentive Model and Awards page](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic). 
\n\nAdditionally, CodeArena provides a CSV file which contains all rewards based on each finding, which can be accessed at [CodeArena Community Resources](https://code4rena.com/community-resources/findings.csv). This file includes terms like \"score\", \"pie\", \"split\", and \"slice\", which are ways the funds are divided between ranked findings. \n\nMoreover, for a more detailed list of rewards for each warden for each bug per contest, you can refer to the [Findings CSV](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv). \n\nIf you have questions about the grading system, such as how submissions are categorized into grades A, B, C, the difference between \"primary issue\" and \"selected for report\", and what bonuses each category receives, you can refer to the [Curve Logic page](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic). \n\nIf you are a participant and want to know the process for creating an invoice for the rewards you received from a contest, please refer to the [Awarding Process page](https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions). \n\nFinally, if you have any other questions related to incentive model and awards, you can visit the [QA Gas Report FAQ page](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form) on CodeArena's website.", "Q: What is the process and timeline for discussing findings and viewing reports after the conclusion of a CodeArena competition? \n\nA: Once a contest at CodeArena concludes, the findings are immediately reviewed and triaged by our judges. These findings, however, are not made publicly available right away; they remain private to give sponsors the time to review and act on the feedback. 
After the review, the findings undergo a process that includes sponsor confirmation, final judging by our team, and Quality Assurance. \n\nThe timeline for this process is not fixed, but it generally takes at least a month. The findings are published in a report, post which they are made public and participants can review the results of their submissions. It is important to note that not all findings submitted during the contest may make it to the final report, and the reasons for this might not be immediately known. \n\nParticipants are advised to refrain from discussing their findings publicly until the final report is published, even if they are aware of the outcomes. This is to ensure the integrity of the process and to allow sponsors adequate time to fix the issues found during the contest. After the report is published, participants can check on the status of their submissions and discuss the findings.\n\nPlease note, the final report might not immediately appear on the CodeArena site after the leaderboard is shown and rewards are sent. We recommend waiting for the full public report to be published before discussing or writing up any issues or bugs found during the project. \n\nIn summary, the process following a contest includes: Sponsor Review, Judging, Awarding, and Reporting. The findings are sealed until all these steps are completed and the final report is published.", "Question: How is the reward distribution system structured for each contest on Code4Arena?\n\nAnswer: Code4Arena uses a comprehensive reward distribution system for each of its contests. The rewards are allocated based on various factors, such as the severity and nature of the issues found, as well as the grading of submissions into categories A, B, or C. 
Specific information on the prize mechanism, grading system, and bonuses applicable to each category can be found in our documentation at https://docs.code4rena.com/awarding/incentive-model-and-awards and https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic.\n\nWe employ a curve formula for our award system, where the rewards are structured for each Low/N finding selected for the report. In contests where only one High and one Medium issue are found, there are rules for distributing the rewards. Detailed information on the reward division and the use of score, pie, split, and slice in the findings file can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic. \n\nFor gas optimizations, we have a unique reward calculation method outlined in our documentation at https://docs.code4rena.com/#incentive-model-and-awards. The gas optimization pool is shared among the reporters and is awarded based on the score of each gas report.\n\nFurthermore, each team participating in the contest determines how to split their portion of a contest's reward amongst themselves. You can also find information about the rewarding formula for the mitigation contest and the rules for awarding shares or rewards to wardens who found a certain issue in our awarding policies at https://docs.code4rena.com/awarding/incentive-model-and-awards.\n\nPlease note that all the bugs found during the competition are kept confidential until the contest is over and the judging process has been completed. 
To get more information about awarding process, judging and payout timelines after a contest ends, please visit our documentation at https://docs.code4rena.com/structure/our-process.\n\nFor any questions regarding invoicing for the rewards received, you can refer to this document: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions.", "Question: Where can I find information about upcoming contests?\n\nAnswer: You can find information about upcoming contests on the CodeArena main page https://code4rena.com. The website is updated regularly and lists all contests, both public and private. Upcoming audit contests are specifically listed on this page: code423n4.com. The \"Past Contest Status Updates\" section provides a timeline of where contests are currently in the process. It's worth noting that some contests might not be updated in the specific channels immediately, but will be listed as soon as details are finalized. For further updates, you can check the #\u270brsvp channel. \n\nIn addition to this, sponsors determine the scope of their contests and list it in their contest info. Please keep in mind that while we have many contests expected in the coming month, the number of participants in a given contest is also being considered. There is a possibility of running multiple contests simultaneously, with the aim to handle up to 20 contests a week. \n\nFor more specific information about contests, you can always reach out to the team which is regularly in contact with various projects about upcoming audits.", "Question: How does Code4rena handle the distribution of rewards when multiple wardens report the same issue, and does the order of reporting impact the payout?\n\nAnswer: At Code4rena, the order in which wardens report a duplicate issue does not directly impact the distribution of the reward. 
Instead, the total reward for an issue is divided among the wardens who found it, regardless of who reported it first. However, the amount each warden receives can vary, as it is influenced by the quality of their report. For instance, more detailed submissions, such as those including a Proof of Concept (PoC) or covering the issue in more aspects, may receive more money. Additionally, duplicate reports below a certain threshold might not receive any reward. Also, if the same vulnerability is reported by multiple wardens but with different severities, they are all given the same severity for the award calculation. This is due to the deduplication process and the severity determining process that takes place afterward. All these rules are supported by the incentive model and awards section of the Code4rena documentation, which can be found at [https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit](https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit). It's essential to note that at Code4rena, unlike a traditional bug bounty model, wardens who report the same finding are recognized and can still receive a portion of the reward, rather than it being solely awarded to the first reporter.", "Q: What is the process and timeline for gaining +backstage access after submitting a request at CodeArena?\n\nA: To gain +backstage access at CodeArena, you must first be a certified contributor and meet certain qualifications. The qualifications include participation in at least three contests, having at least one high or three medium confirmed findings. 
More information about the certified contributor role and qualifications can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.\n\nOnce the contest results are published on the leaderboard and you believe you meet the criteria for backstage access, you can submit a help desk request at https://code4rena.com/help. This request will be reviewed and once admitted, the processing of backstage access typically takes around 24 hours. However, it's important to note that the backstage processing was paused at the time of the chat, and the processing time may vary. You will be notified when your request has been reviewed. \n\nPlease be aware that the process for applying and gaining backstage access is subject to change as it's still in progress. Backstage access allows contributors to have access to the findings repo after the end of a contest, helping with triaging. You can find more detailed information about how to request backstage access at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens#to-request-+backstage-access.", "Question: How are front-running possibilities classified in CodeArena's audits and what are the possible implications?\n\nAnswer: In the context of CodeArena audits, front-running possibilities are typically classified as either Medium findings or QA, depending on the impact. The severity of loss caused by the issue plays a crucial role in determining the classification. For instance, if there's a risk of losing some rewards, it's probably classified as medium. However, if the principal can be stolen without needing extra requirements, then it's probably classified as high. If rewards are lost only due to roundings which means a negligible amount of rewards, then the findings are probably considered QA. \n\nDoubts about whether a finding is QA or Medium should be filed as QA unless a proof of concept (POC) is coded. 
Remember that findings that are relevant to both QA and gas savings can be included in either report, and judges may decide where it best fits. \n\nIt's also important to note that if a finding is submitted as a low in QA report, but the judges determine that it's a medium, it will be eligible for medium rewards as per the guidelines ([here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum)). \n\nIf no High/Medium issues are found in a contest, the entire rewards may move down to Quality Assurance (QA). Quality Assurance (QA) reports at CodeArena are graded based on the number of low findings. Judges consider both quantity and quality of submissions when grading QA reports, with further information found [here](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). \n\nFinally, remember that incorrect findings in a QA report can affect the QA grade, and judges have the power to downgrade medium issues to QA and consider them alongside your QA report when grading. They can also upgrade items from your QA report if they feel the severity should be higher.", "Question: What occurs when there are no High or Medium vulnerabilities discovered in a contest? How is the reward pool for the contest distributed in such cases?\n\nAnswer: If no High or Medium vulnerabilities are discovered during a contest, the entirety of the contest's rewards move to Quality Assurance (QA). This means the full pool of prizes for vulnerabilities will be distributed based on the Quality Assurance report curve. This distribution system is designed to ensure that even if no major issues are found, participants who contribute quality analyses are still rewarded. 
\n\nWhile this situation is possible, no contest has run to date with zero valid submissions. For each contest, specific rewards are allocated for various categories such as High/Medium (H/M) awards, QA report awards, Bot race awards, Gas report awards, Judge awards, Lookout awards, and Scout awards. For instance, you can refer to the distribution for a past contest here: https://code4rena.com/reports/2022-04-dualityfocus.\n\nThere have been instances where the H/M reward pool for certain contests has been adjusted, like in the Caviar contest. It's important to note that the distribution of these rewards requires signatures from multiple parties due to the use of multisignature wallets, which can cause a delay in the distribution of rewards after the contest ends.\n\nLastly, there have been cases where participants were unable to claim their reward due to KYC issues. It remains uncertain what happens to the reward in such instances. For those who cannot obtain their private keys, the best recourse is to participate in future contests.", "Question: How should I report findings during an audit, especially when there are multiple instances, combinations of issues, or potential duplicates?\n\nAnswer: When you discover vulnerabilities during an audit, each unique finding should be reported separately. If you find a single line of code that can be exploited in multiple ways, you should report each exploit separately but note that they originate from the same root cause. If two separate vulnerabilities can be combined to create a more powerful one, you can submit a third finding explaining the proof of concept. If the same vulnerability is found in multiple components of the codebase, it might count as two separate findings, but ultimately it is the judge's call to determine if they're duplicates.\n\nIf you uncover non-critical findings, you can compile them into a single report. 
However, if an issue found is in the same category as a bot report but not included in the bot report, it can be considered a valid separate finding. You can also submit more than one high-risk finding in the same audit, but if the root causes are the same, they would be counted as one. \n\nIf you find an issue that could belong to two categories (e.g. mechanism and architecture), you should categorize your findings based on your best judgment. If you're unsure whether to submit findings as separate issues or as one, lean towards providing more detailed information rather than less. \n\nFor users utilizing automated tools for attack findings, there is a higher burden of proof to demonstrate a relevant High or Medium (HM) exploit path to be considered satisfactory. More information on this can be found at https://github.com/code-423n4/org/discussions/50.\n\nRemember, you're able to edit your security findings submissions for a contest and multiple instances of the same vulnerability should be reported as one issue. If an issue identified in an automated finding can lead to a high severity finding, it could be reported again during the contest by a warden and could be awarded with higher severity.\n\nUltimately, the specific severity of an issue does not matter as much as a good explanation of the finding. Examples of past submissions can be found at https://code423n4.com/reports to help guide you.", "Q: How are Quality Assurance (QA) and Gas reports graded in CodeArena?\n\nA: The grading of QA and Gas reports in CodeArena is a meticulous process based on the quality and quantity of findings. Each individual report is graded on a relative scale, with the potential for a single good issue to receive a high grade, or multiple low-impact issues to result in a lower grade. However, a single item in a submission is unlikely to garner a high grade. 
\n\nEach QA report, regardless of the number of low findings, is assigned a grade from \"A\" to \"C\", with \"A\" being the highest quality. Grade A and B reports are eligible for awards, with Grade A reports earning twice the shares of Grade B reports. The best report can also receive a 30% bonus. \n\nIt's worth noting that the severity of findings can influence the grading. Issues can be categorised as high, low, or QA, and judges have the discretion to downgrade or upgrade the severity of issues, which can impact the final grade. Incorrect findings can negatively affect the grade.\n\nAs for submissions, it's recommended to submit one comprehensive report for Gas and one for QA. All the non-critical and low severity findings should be consolidated into a single QA report. In the absence of High/Medium issues in a contest, rewards are distributed based on the quality of QA reports. \n\nJudges\u2019 scores determine the amount of awards given for QA and Gas reports, and duplicates are disregarded. However, when handling downgraded issues, they need to be paired up with wardens\u2019 QA reports, which can be challenging. \n\nFor more detailed information on the grading criteria and awarding system, please check here: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and here: [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)", "Question: How critical is it to include a Proof of Concept (PoC) for findings in CodeArena's smart contract audits, and what is the acceptable format for these PoCs?\n\nAnswer: Including a Proof of Concept (PoC) significantly strengthens a finding during a smart contract audit at CodeArena. 
If a finding is of medium or high severity, it is preferred that a PoC accompanies the finding, as it could be disregarded if it's without a PoC, unless the bug is extremely obvious. \n\nA PoC can be written in any language (for instance, Solidity, Python, or JS) as long as it clearly demonstrates the vulnerability. It's also acceptable to present the PoC in plain English or in a bullet-pointed process. Uncertainty in the severity of a finding should drive an auditor to work on the PoC until the severity becomes clear. \n\nThe PoC can be submitted in various ways such as creating a public Github repository or providing a diff of an existing sponsor-supplied test/contract. If the PoC is lengthy, it's acceptable to use external platforms like gist. \n\nThe presence of a detailed PoC can also affect the award amount of a finding, as the level of detail in the submission and the way the issue is covered in as many aspects as possible can influence this. However, the creation of a coded PoC does not directly affect awards or the contest as per C4 guidelines.\n\nIt is suggested to include PoCs for precision-loss issues and medium or high findings in the report submission. It might be possible for a vulnerability without a PoC to be rewarded as a high severity issue if the process is clearly described in bullet points. \n\nKeep in mind that the inability to provide a PoC for a medium severity bug may result in the finding being disregarded, unless the bug is exceptionally obvious. Thus, it's always advisable to include a PoC to strengthen your report. Remember, a well-documented PoC in your report can increase the chances of the report being selected, which could come with a 30% bonus.", "Q: What are the guidelines for submitting a Proof of Concept (POC) for a bug in CodeArena audits?\n\nA: A Proof of Concept (PoC) is an important part of the bug submission process in CodeArena. 
While it's not strictly required, the lack of a PoC can lead to a bug report being dismissed unless the issue is extremely clear. It's recommended that users include a PoC to increase the chances of their report being accepted and potentially receive a 30% bonus. \n\nUsers can submit their PoCs in either code or plain English. The PoC doesn't need to be an exact code. In fact, it doesn't need to be executable at all. However, it should clearly illustrate the issue and its impact. You can submit the PoC by creating a public Github repository or providing a diff of an existing sponsor-supplied test/contract. If the PoC is too large to submit directly, you can link to it. This is common practice and generally accepted.\n\nThe best PoCs are focused on one specific bug or issue, feature the project's code, are easy to understand, and have a coded test that demonstrates the vulnerability. In some cases, a well-explained PoC can even allow a high severity reward without actual code. If you're uncertain about the severity of a bug, continue working on the PoC until it becomes clear.\n\nHere are two examples of accepted POCs: [Example 1](https://github.com/code-423n4/2022-12-caviar-findings/issues/343), [Example 2](https://github.com/code-423n4/2022-12-caviar-findings/issues/376).\n\nFor more information on how to include a PoC in your submission, you can visit CodeArena's [submission guidelines](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nRemember, the quality and depth of your PoC can significantly influence your award amount. Thus, endeavor to cover the issue from as many aspects as possible.", "Question: How is the prize distribution handled for QA and Gas findings in CodeArena contests and what strategies should be used for submission?\n\nAnswer: The prize distribution for QA and Gas findings in CodeArena contests follows an award formula that considers both the quality and quantity of the submissions. 
The formula plans to be updated to promote fair competition, but participants should still strive to submit comprehensive reports. The grades for these findings are categorized as A, B, C, with Grades A and B receiving rewards. Notably, Grade A reports count as 2 shares, Grade B as 1, and the best report receives a 30% bonus.\n\nParticipants are recommended to submit one comprehensive report for QA and one for Gas findings. These submissions can be edited after their initial submission. The judges will then decide where a finding best fits if it's relevant to both QA and Gas savings. As such, it is advisable to show significant improvements in important functions for gas findings. It's also important to note that duplicates are disregarded in the judging process.\n\nFor gas optimization reports, the award is typically 5% of the prize pool, but this may be altered by sponsors depending on the importance of gas savings to their project. If no Medium/High vulnerabilities are found, remaining contest funds are divided based on the Quality Assurance (QA) report curve. However, if a finding is submitted as a low in the QA report, but judges determine it's a medium, it will be eligible for medium rewards.\n\nWhile there isn't a definitive answer on which has a higher prize margin between QA and Gas findings, the decisions largely depend on the quality of the findings and the discretion of the judges. Participants are encouraged to view examples of top QA/Gas reports from past contests for better understanding at https://code4rena.com/reports. 
\n\nFor more details about the awarding and judging criteria, participants can visit https://docs.code4rena.com/awarding/incentive-model-and-awards and https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical.", "Q: How can I track, edit and understand the status of my reported vulnerabilities on CodeArena?\n\nA: After you've reported a vulnerability by submitting a report, you can track, edit and understand the status of your submissions in several ways. \n\nFirstly, for a broad overview, you can visit the leaderboard at https://code4rena.com/leaderboard after each contest ends to see the number of overall issues you've reported. \n\nFor a more detailed look, you can check your Analysis Report. This will include all of your submissions, and you can find feedback for each of them. You can also check whether your submissions were accepted by visiting https://code4rena.com/reports.\n\nIf you wish to edit your reported vulnerabilities, you can do so by navigating to the specific contest page and clicking on the 'Your Findings' button. You can also attach additional details such as screenshots and Proof of Concept (POC) scripts to your vulnerability report to further substantiate your findings. For POC scripts, you can simply drop the link into the submission where it's relevant. \n\nIf you're wondering about whether your report has been successfully submitted, you can check this by looking out for a confirmation email from us. You should also be able to view your findings through the \"View Context\" function. \n\nIf you've reported a vulnerability that was also spotted by other users, the handling of such cases depends on the judgment of the contest sponsor. Even if the vulnerability has been confirmed via private DMs, it might still count when you submit it. \n\nTo view your submitted findings and the replies to them, you can use the 'Findings' tab where you can also edit your submissions. 
If you're wondering about the openness of your findings, rest assured that your findings submitted before the contest deadline are not publicly available, and you can check your submission without modifying it.\n\nPlease note, if you've written and submitted a report for the first time and encounter an error, don't worry. Check your email for confirmation or use the \"View Context\" function to verify if the submission has been successfully made. \n\nLastly, to understand if your vulnerabilities have been rewarded, you can refer to the results of the contest. Do note that rewards are distributed based on the severity and validity of the vulnerabilities, so not all reported vulnerabilities may receive a reward.", "Question: What is the schedule and process for the upcoming contests after the Popcorn contest at CodeArena, and what are some important points to remember about these contests?\n\nAnswer: The schedule for the upcoming contests after the Popcorn contest can be found in the #\u270brsvp channel on our Discord server. We have a number of contests planned for the coming months, with two contests already queued up for next week, and the next public contest is scheduled to begin on February 16th. Please note that there might be some contests that have not yet been updated in the specific channels, and there can sometimes be gaps in the schedule for live contests.\n\nFurthermore, there are a few important points to remember about the contests: \n\n1. Sometimes, a contest will not immediately appear in the live contest section even though it was previously in the upcoming contest section. This is a normal part of the process.\n\n2. If there are no high or medium issues found in a contest, the rewards will still be distributed as per the contest rules.\n\n3. If a contest is mentioned but it is unclear whether it is a private or public contest, please wait for it to be posted in the relevant channel for confirmation.\n\n4. 
There is a chance that a contest could run without any valid submissions, although this is a rare occurrence.\n\n5. After a contest closes, it takes a certain period of time for the findings to become publicly available for discussion in the #audit-findings channel. \n\n6. If you have queries about rewards remaining in pending status after a contest, please reach out to us on our Discord server for clarification.\n\n7. We are considering changing our leaderboard from tracking the last number of days to the last number of contests to provide a more accurate representation of our contestants' performance.\n\n8. We also have plans to implement a new submission mechanism in our upcoming contests.\n\nOverall, we are continuously working to improve the contest experience at CodeArena and we appreciate your patience and support as we implement these changes.", "Question: I'm experiencing issues with submitting my findings, how can I successfully submit, modify, and track the status of my findings?\n\nAnswer: It appears several users have experienced difficulties while submitting their findings to the contests. To submit your findings, you'll need to use the form provided on the website for each contest. After you have filled in your details and clicked \"CREATE ISSUE\" in \"SUBMIT FINDING\", the form data is then turned into a submission that goes into the findings repository for the given contest. Once the contest ends, your submission will be evaluated by the judges.\n\nSome users have reported an error message stating 'No findings submitted for this contest' despite their submission. Sometimes, these issues can be related to using certain browsers like Firefox and Chrome. If you encounter this issue, you may want to try submitting from a different browser. 
Also, there may be a size limit to submissions, so if you're encountering errors, you might want to check the size of your submission.\n\nIt's also important to note that it can take some time for your submission to be confirmed via email, so don't panic if you don't see an immediate confirmation. If your submission fails, the form should return an error. \n\nOnce your findings are submitted, you can modify them by navigating to the contest page and clicking on the 'your findings' button. If you have trouble seeing your submission in the findings tab, it could be due to an intermittent issue, and you might want to try again later. You can track your report status and see and edit your findings in the \"findings\" tab next to the contest description. \n\nRemember, you can always check the success of your report submission by waiting for the confirmation email, and you should also be able to edit your submitted findings. \n\nIf you have any other queries or continue to experience difficulties, don't hesitate to reach out to us through the chatroom or contact support.", "Question: How can I efficiently use and format code blocks in the reporting section using Markdown?\n\nAnswer: CodeArena's reporting section fully supports Markdown (MD) format, which you can use to effectively format and highlight your code blocks. To create a code block, enclose your code within three backticks (`). For additional clarity and readability, you can specify the language after the opening backticks, such as ```solidity for Solidity syntax highlighting. \n\nIf your report includes mitigations or test codes, these can be added directly to the report under the 'Proof of Concept' section or linked from a private repo on GitHub, depending on the length of the code. When referencing vulnerable code, it is recommended to provide both the GitHub permalink for the respective code block and a code block within the report itself. 
This applies to the 'Links to Affected Code' section in high/medium findings. \n\nRemember that adding a GitHub link to the code in your report does not automatically pull the code snippet into the report. You have to manually input the code block using MD format. \n\nYou can also enhance the details of your report by embedding images and using color presets for code when creating a code block. Images can be added in .md format in the vulnerability details section, enhancing the report's overall clarity and information depth. \n\nFor more in-depth guidance on creating and highlighting code blocks, referencing specific lines of code, and adding images using MD, refer to the following GitHub guides: \n\n- [Working with Advanced Formatting](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks)\n- [Creating a Permanent Link to a Code Snippet](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-a-permanent-link-to-a-code-snippet#linking-to-code)\n- [Basic Writing and Formatting Syntax for Images](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images).", "Question: How can I submit, edit, track, and confirm my findings for a contest on CodeArena?\n\nAnswer: To submit your findings for a contest on CodeArena, navigate to the specific contest page on our website and fill out the form provided. Once submitted, you should receive a confirmation via email. You can also view your submitted findings on the C4 Contest page under the \"Findings\" tab.\n\nYou have the freedom to edit or withdraw your submitted findings. To do this, go to the contest page and click on the \"Your Findings\" button. Here you can modify your submissions or withdraw them entirely if needed. 
\n\nShould you encounter issues such as seeing 'No findings submitted for this contest' despite having submitted your findings, please review the available report or reach out to our support for clarification. Please note that if you had submitted issues for a contest but did not make the award list, it's possible that your issues were rejected.\n\nAfter a contest finishes, the findings are posted in the section where contests are posted, and the report is published, which usually takes about a month. Once the report is made public, you can review your submissions and view others' findings as well. \n\nRemember that findings submitted for contests may not always make it to the final report, and the reason might not be immediately known. Also, citing similar findings from other contests is allowed to justify the severity and validity within submissions. For examples of past findings, visit https://code423n4.com/reports.\n\nFor each contest, the Readme Page has a \"Known Findings\" section where automated findings not accepted in the contests are listed. Be sure to check this before you make your submission. \n\nIn summary, you can submit, edit, track, and confirm your findings on the contest page of CodeArena. We encourage you to participate and make your submissions as detailed as possible.", "Question: I submitted an issue to a CodeArena contest, but my submission didn't appear in the report. Does this affect my future submissions, and how can I understand why my submission wasn't accepted or rewarded?\n\nAnswer: Your submission not making it into the report does not affect your future submissions, although it may have minor implications for your leaderboard ranking. If your submission was not rewarded, it's likely because your issue was rejected for some reason. To understand why, you can review the report once it's published and the repo is made publicly available. You'll be able to see discussions among sponsors and judges about the specific issues. 
The judging process considers both the quantity and quality of submissions, and even a single item in a QA submission is unlikely to receive a high grade unless it is of high quality. More detailed information about the judging criteria can be found here: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). Remember, the more detailed and accurate your submission, the higher the chances it will be accepted and rewarded. If you're unsure about the fate of your submission, it's advisable to wait until the final report is out and the findings repo is opened to the public.", "Question: How and where can I find information about new and upcoming contests at CodeArena?\n\nAnswer: CodeArena announces new and upcoming contests on several platforms. The primary method is through our Discord server, particularly the #\u270brsvp channel where all confirmed public contests are posted. You can also keep an eye on the 'Past Contest Status Updates' section to understand where the contests stand in the process, and the 'Contests' section on our website (https://code4rena.com/contests) where open competitions are listed. We've also discussed creating a notification system, such as a Telegram bot, for announcing new contests. \n\nPlease note that there might be upcoming contests that have not been updated on the specific channels yet. There are instances of private contests, access to which might require specific permissions or invitations. \n\nThe duration of contests can vary, sometimes lasting up to 13 days, and we've considered the potential to run multiple contests simultaneously. 
The results of a contest generally take about 2 months to be announced, and award payouts are usually made between 1-2 weeks after the announcement. \n\nFor any additional information or inquiries, please don't hesitate to reach out to our team, which maintains regular contact with various projects about upcoming audits.", "Question: I'm new to CodeArena, could you guide me on how to navigate through the Discord chatroom and its various features related to smart contract audits?\n\nAnswer: Sure, our Discord chatroom is a valuable resource for all your queries and discussions related to smart contract audits. Here are some key points to guide you:\n\n1. If you wish to understand a certain update, you can find information at this link: [Update Information](https://discord.com/channels/810916927919620096/1111666431050919996).\n\n2. For queries about reporting multiple issues found in the codebase, check out the guidance here: [Reporting Issues](https://discord.com/channels/810916927919620096/810936719003090974/1134472653437145149).\n\n3. If you're interested in becoming 'certified' or understanding the role of a 'mason', these links can help: [Becoming Certified](https://discord.com/channels/810916927919620096/810931711609143326/1092758105646960711), [Role of a Mason](https://discord.com/channels/810916927919620096/810956862609424414/964680554509377577).\n\n4. If you come across issues that you think are invalid, you can understand the penalties at this link: [Penalties for Invalid Issues](https://discord.com/channels/810916927919620096/810931711609143326/1134522735507292230).\n\n5. We often host contests and you can stay updated about upcoming ones like the Aragon contest or Steakhouse contest using these links: [Aragon Contest](https://discord.com/channels/810916927919620096/958800160870240286/1078269625395056680), [Steakhouse Contest](https://discord.com/channels/810916927919620096/810936719003090974/908760695712149515).\n\n6. 
You can edit your submissions and steps for this are outlined at: [Editing Submissions](https://discord.com/channels/810916927919620096/810929015509483554/1002648649135824906).\n\n7. For any clarification, the best option is to reach out in the contest channel in Discord or you could consider contacting someone on the streams' protocol team.\n\n8. You can find information about future qualifiers on the #\u270brsvp channel: [Future Qualifiers](https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784).\n\nRemember, if you ever need help with your profile, #profile-help channel is there for you. If you're having issues connecting your Discord account with your Code4Arena account, feel free to reach out for help. Happy Coding!", "Question: What is the process and timeline for report reviews after I submit my findings to CodeArena?\n\nAnswer: After you submit your report with your findings following a contest, it gets reviewed and triaged by our judges immediately. The report then undergoes sponsor review, final judging, and Quality Assurance before being made public. \n\nWhile the exact timeline can vary depending on the contest and the number of reports in the review queue, it typically takes between 3 to 6 weeks on average. However, in some cases, it can take up to 8 weeks or more. \n\nPlease be advised that not all findings submitted for contests may make it to the final report. To check the status of your submission, you need to wait until the reports are made public. \n\nYou will receive an email confirmation upon successful submission of your reports. If there's an error in submission, the form will return an error message. \n\nFor queries related to report submissions, you can submit help desk requests which are usually reviewed within 1-2 business days. You can also track the status of your past reports and check your submission's status through your participant account. 
\n\nRemember, the review process requires care to ensure the validity and quality of findings, and efforts are constantly being made to decrease the turnaround time from audit competition to the release of reports. \n\nThank you for your patience and understanding during this process.", "Question: What can we expect in terms of upcoming contests on CodeArena and how can we stay updated on them?\n\nAnswer: Yes, there are many new contests scheduled in CodeArena. These include both public and private contests, the specifics of which can be found in the #\u270brsvp channel on Discord. A few contests are even queued up for the next week, with their starting dates and other details announced on the RSVP channel. The structure of these contests often includes an initial audit prize pool and a mitigation review pool. There can sometimes be a pause in contests around times of big conferences. \n\nPrivate contests may require certain qualifications like a certified status which grants access to more contests. Some future contests may require an RSVP, which is a system of indicating your interest in attending or participating in an event. There might be a possibility of running multiple contests simultaneously in the future, potentially handling up to 20 contests a week. \n\nKeep in mind, if you notice a contest not showing in the live contest section that was previously in the upcoming contest section, it's likely that the contest was delayed. Any changes, delays or updates can be checked on the RSVP channels. A new submission mechanism is also slated for implementation in upcoming contests. \n\nAlso, watch out for high-prize contests, similar to the $1M opensea contest which has been held in the past. 
Please keep checking the #\u270brsvp channel on Discord regularly to stay updated about all upcoming contests.", "Question: How can I include visuals like screenshots in my report, and how can I update it on CodeArena?\n\nAnswer: While screenshots are generally not recommended to be included in the findings due to potential security issues, they can be used if they help explain the proof of concept. You can include images in your report by providing direct links to all referenced code or screenshots in GitHub. You can also upload images to your report submissions by uploading it to your Gist, submitting the report with the gist link, and later deleting your gist. \n\nWhen it comes to updating your submitted findings or analysis report, you need to go to the contest page on our platform. There you will find a \"Your Findings\" button that lets you edit your submissions, whether it's to add more findings to your gas report or to modify your proof of concept. For example, if you want to edit a submission for the Ethos Reserve Contest, you can visit this link: https://code4rena.com/contests/2023-02-ethos-reserve-contest\n\nRemember you can track the status of your report and see and edit your findings in the \"findings\" tab next to the contest description. Do expect a follow-up after you submit a finding. It's also important to note that all submissions and edits should be made while the audit is still open.", "Question: How does participation in contests affect my ranking on the CodeArena leaderboard, and what changes are being considered for the leaderboard?\n\nAnswer: Your ranking on the CodeArena leaderboard is influenced by both your participation in the current contest and your overall participation. 
Each time you participate in a contest, it shows that you did not find any valid findings, but this won't significantly impact your total leaderboard standing in the long-term, as the leaderboard primarily depends on the total number of valid findings of all severity levels by a specific individual or team.\n\nYour participation in a contest does affect your contest leaderboard standing more directly. Upon the conclusion of each contest, the leaderboard is updated to reflect the number of overall issues reported by users (https://code4rena.com/leaderboard). If you place in the top 5 in a contest and receive a reward, the \"leaderboard\" tag gets updated in your profile roles.\n\nThere is ongoing discussion about making changes to the leaderboard. These changes include transitioning from tracking the last number of days to tracking the last number of contests, as well as primarily showing current year statistics while still keeping all-time stats visible. There is also a suggestion to create a separate leaderboard displaying the best contestants after each contest.\n\nCodeArena is aware of concerns that the leaderboard might not accurately reflect a user's accomplishments, especially with results potentially not being counted for the full duration. The team is also considering adding features such as the number of participants in a given contest and position numbers. Please note that not all contest types are currently supported on the leaderboard, but the development team is actively working on updates to address this and improve the leaderboard system.\n\nYou can view the cumulative results from contests and the leaderboard at https://code423n4.com/leaderboard and https://github.com/code-423n4/code423n4.com/issues?q=leaderboard respectively. 
Remember, the default setting for the leaderboard shows the last 60 days' results, but you can adjust the settings to view results for a specific time period.", "Question: How can I properly format and add the solidity syntax to my code blocks when submitting an issue through CodeArena?\n\nAnswer: CodeArena supports the use of Markdown (MD) format in the reporting sections. This feature allows you to add and format your Solidity code blocks in your submissions to make it look more presentable and easier to comprehend.\n\nTo add the Solidity syntax to your code blocks, you should use three backticks (```) and specify the language. For example: \n\n```\n```solidity\n\n```\n```\n\nThis method highlights your Solidity code syntax within the code block. Some users opt to use javascript presets for code when creating a code block, even for Solidity. However, it's important to clarify that the code inside is Solidity.\n\nIn addition to this, users often indicate the areas of vulnerability in their submissions in two ways: \n\n1. By providing a URL to the repository and specifying the line in the text.\n2. By providing a Solidity code block.\n\nTo copy code from Github with the contract file name and line numbers, you can utilize tools like the one available at [VS Code Marketplace](https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers). \n\nFor a comprehensive guide on how to add and format code blocks in MD, you can refer to the following [link](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks).\n\nLastly, remember that mathematical expressions will be displayed on the GitHub findings repo, and the submission preview also supports mermaid syntax. If you are submitting longer code, you might want to consider linking it to a private repo on Github. 
More information on this can be found [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nBear in mind that the procedures for disclosing issues related to smart contracts can also be found [here](https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md).", "Question: How does a warden receive notifications and participate in new contests?\n\nAnswer: While there isn't a direct notification system for wardens about new contests, wardens can routinely log into their accounts to check for upcoming contests. The contest details are typically available in the #\u270brsvp channel where wardens can decide if they want to compete. Some contests are only open to certified wardens, and wardens with + certification get access to see other submissions immediately after contests end. \n\nThere are also specific contest types such as the Versus contests, which are private and only top-ranking wardens are invited. In these contests, a limited number of the highest performing wardens who RSVP get competitive access. There is also an Ambire Contest, for which wardens can follow a specific method to participate.\n\nIf wardens wish to participate in private contests, they need to be certified, and this can involve a requirement to participate in a certain number of contests and have a certain number of valid findings or reports. Private contest RSVPs are available in a channel only visible to certified wardens. \n\nPeople can also join as wardens in the contest as groups or teams. The method of registering a team can be found at https://docs.code4rena.com/roles/wardens#registering-a-team.\n\nIt's important to note that the number of wardens participating in a contest is disclosed only after the contest ends, and the findings reports become public once the final contest report has been published. 
Certified+ wardens can view the findings repo immediately after a contest ends, and they can raise any issues they see with the judging results to the judge for reconsideration.\n\nIf a user has been absent from C4 for a while and wishes to become a warden for a contest, they can simply log into their account to compete in the audit.", "Q: How can I access information about current, upcoming, and past contests on CodeArena?\n\nA: All current, upcoming, and past contests are listed on the CodeArena website. To see ongoing and upcoming contests, you can visit the main page at https://code4rena.com. Information about the start of new contests is also regularly updated on the #\u270brsvp channel on our Discord. Additionally, for each contest, specific details and scope can be directed to the respective sponsor.\n\nTo view past contests and their outcomes, you can check the \"Past Contest Status Updates\" section on the website which provides a timeline of where contests are currently in the process. The detailed reports from these contests are available at https://code4rena.com/reports. \n\nFor contests you've participated in, you can view your submission replies and QA reports. To submit findings to a contest, there is a form available on the website. \n\nRemember, both public and private contests are listed on the website, and new contests are expected to be announced on the RSVP channel. There are also contests related to various topics like staking platform contracts. We host week-long contests each week and have a couple of contests lined up for the upcoming week. \n\nFor any queries about the progress and schedule of final reports for the contests you've participated in, feel free to reach out to us.", "Question: Do I need to spend money to participate in CodeArena's smart contract auditing contests, and if not, how do I test smart contracts?\n\nAnswer: No, money is not necessary for testing or participating in CodeArena's smart contract auditing contests. 
Participants can use public testnets or local forking to test smart contracts, particularly for complex scenarios involving many users and states. A private testnet may be more suitable for simpler contracts or exploratory development. Tools like Mythril and Slither can be used to test contracts downloaded from Github. In contests like the Chainlink contest, you can participate and verify your identity after the contest ends to receive the payout. If no Medium/High vulnerabilities are found in the smart contracts, remaining contest funds are divided based on the Quality Assurance (QA) report curve. However, it's important to note that all auditing contests require a single wallet for registration. While a login with a wallet is not necessary to participate in contests, a payment wallet is required. For more detailed information about a specific contest, like the one referred to in this link, https://code4rena.com/reports/2022-04-dualityfocus, please visit the official CodeArena website.", "Question: Where can I find information about the upcoming contests and their schedules at CodeArena?\n\nAnswer: Details about upcoming contests at CodeArena are regularly updated on the RSVP channel in our Discord community. You can check this channel to know when a new contest is set to begin. For example, our next public contest is scheduled to begin on February 16th, with several other contests lined up for the coming weeks and months. We typically host week-long contests each week, and there are times when we may even discuss the possibility of running multiple contests simultaneously. \n\nIn addition, you can find a list of upcoming audit contests on our website, code423n4.com, which includes contests like Reality Cards and Pool Together. Specific contests, such as the Aragon contest, may also be directly linked in the chat, like this one here: https://discord.com/channels/810916927919620096/958800160870240286/1078269625395056680. 
\n\nWe also have a main page on Code4rena, https://code4rena.com, where upcoming contests are listed. \n\nOnce a contest has ended, the findings are reviewed by sponsors and then it goes to judging. Results are typically announced about 2 months after a contest's conclusion, with winnings being paid out between 1-2 weeks after the announcement. Please note that specific inquiries about the scope of a contest can be addressed to the respective sponsor.", "Q: Why isn't my name appearing on the CodeArena leaderboard and how can I ensure my leaderboard status reflects my achievements accurately?\n\nA: The CodeArena leaderboard is designed to reflect the achievements of participants based on the audits of smart contracts submitted. However, it is important to note several factors that could affect your presence or ranking on the leaderboard.\n\nBy default, the leaderboard displays the results of the last 60 days. If your name is missing, you may need to adjust the settings to view results from a specific period beyond this timeframe.\n\nThe leaderboard is updated each time rewards are announced, but do note that there have been concerns about rewards being announced before the leaderboard is updated. If you recently won or placed in a contest, it might take some time for your name to appear. \n\nIf you have changed your handle or team name, please be aware that leaderboard standings and submissions under your previous handle or team are not transferable to the new one. Changing a handle or team name requires a new registration, and with it, a reset of your leaderboard status.\n\nThere have been instances where specific contests, like the Sublime and FactoryDAO, were not reflected on the leaderboard. These are usually resolved by the CodeArena team. \n\nThe leaderboard also counts individual participation as well as team efforts. Therefore, your name may appear twice - once for your individual achievements and once as part of your team's collective efforts. 
\n\nThere may also be minor discrepancies due to certain contest types not currently being supported or items being double counted. The CodeArena team is always working to resolve these issues.\n\nIf you believe your leaderboard status does not accurately reflect your accomplishments, you can make a help desk request at https://code4rena.com/help. It's also worth noting that there's a discussion about updating the leaderboard to primarily show current year statistics while keeping all-time stats visible, so you may see changes in the future.\n\nLastly, to get the \"leaderboard\" tag in your profile, you need to place in the top 5 in a contest. If you've achieved this and received the reward, the \"leaderboard\" tag should be updated in your roles.\n\nRemember, even if your name isn't currently showing up on the leaderboard, it doesn't affect future submissions. It will only have a minor impact on your current leaderboard ranking.", "Question: When and how do wardens interact with reports during the auditing process in CodeArena?\n\nAnswer: The role of wardens in interacting with reports during the auditing process is multi-faceted. Wardens primarily submit findings during the contest and these are reviewed and triaged immediately after the contest ends by the judges. The reports then await sponsor review, final judging, and Quality Assurance before they are made public. However, wardens do not typically communicate directly within the report. The comments in reports are generally between judges and sponsors, though occasionally there are comments from \"backstage wardens\", which are added after an audit closes if it is an open audit.\n\nWardens are also involved in report review. Certified+ wardens can view the findings repo immediately after a contest ends and they can see the judging results before they are published. If wardens see issues, they can raise them to the judge for reconsideration. 
Furthermore, they can also view the reports from other wardens even after contests have ended. Findings reports become public once the final contest report has been published, and new participants are encouraged to look at the findings of other wardens at this stage. During the contest, however, once findings are submitted, they are not disclosed to other competing wardens in order to maintain the integrity of the contest.\n\nIt's also important to note that backstage wardens, who are added after an audit closes if it is an open audit, and wardens who report a certain finding first, as well as those who also found the same finding, are recognized in reports. Contest findings, however, cannot be posted and shared by wardens until the contest report has been published.\n\nFor more information on warden roles and guidelines, refer to the following links:\n- Warden Roles: https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines\n- Warden Report Submission Process: https://docs.code4rena.com/roles/wardens/sub\n- Judging Criteria: https://code423n4.com/judging-criteria/.", "Q: How does being a certified warden with completed KYC impact participation in contests and placement on the leaderboard?\nA: Being a certified warden with completed Know Your Customer (KYC) verification gives you access to a wider range of opportunities within CodeArena's ecosystem. Certified wardens are eligible to participate in private and versus contests, which are invitational and usually prioritize the highest ranked wardens from the 90-day leaderboard found at https://code423n4.com/leaderboard/. Getting on this leaderboard can enhance your ability to qualify for these private contests. Furthermore, wardens with a \"+\" certification are given the advantage of viewing other submissions immediately after contests end. 
\n\nBecoming certified involves an application process and may require participation in a certain number of contests and having a number of valid findings or reports. More details on this process can be found in the Code4rena documents. There's also an RSVP process for some contests such as the \"vs contest\", which only involves three wardens, with the best performing wardens getting the first choice. \n\nThe impact of required-KYC contests on the leaderboard is a matter of ongoing discussion and opinions vary on its fairness for non-KYC wardens. However, most contests don't require KYC. Bear in mind that the number of wardens participating in a contest is only disclosed after the contest ends, and the platform allows viewing reports from other wardens even after contests have ended. \n\nPlease note that uncertified wardens are still welcome to contribute to code contests and can participate in upcoming contests by logging into their account. We're open to new wardens indefinitely, although there are queries regarding whether this would dilute the prize funds.", "Q: What does the label 'old-submission-method' mean in reports, and how are findings currently submitted and updated on CodeArena?\n\nA: The label 'old-submission-method' refers to the period during the introduction of wallet-based authentication on the CodeArena website and submission form. During this transition, non-logged-in users were still supported to allow time for re-registrations. This label was used to track which version of the submission form was used, in case that data became relevant in the future.\n\nAs of now, findings are submitted via the \"Submit finding\" button on the specific contest page on the main site, with each finding submitted separately. An outdated GitHub template for submissions exists, but it is no longer updated. 
The link to this old template is: https://github.com/code-423n4/code-contests/blob/4db2720312f0958f2e89f6207a6774c9e5360655/SUBMISSION_TEMPLATE.md\n\nOnce a finding has been submitted, it can be updated or modified using the \"Your Findings\" button on the contest page. In case a larger report needs to be submitted, you can send it by email and place a placeholder in the original submission. However, please note that it may take some time for a submission to be confirmed via email. If the submission fails, the form should return an error. In addition, once submitted, a separate submission can be linked during the submission of an issue by referring to its number on the \"Your Findings\" page.\n\nThe submission guidelines and policies, including ones related to automated findings, can be found at: https://docs.code4rena.com/roles/wardens/submission-policy. Please consult these policies before submitting your findings. If unsure about the correctness or relevance of a finding, it's advisable to submit it or direct message the sponsor team for additional context. Keep in mind that findings, even in non-best, unpublished bot-generated reports, are still eligible for submission.\n\nLastly, keep an eye out for new submission mechanisms that are slated for implementation in upcoming contests.", "Question: I've noticed there is no Blockswap FV contest in the \"Past competition status updates\". Can you explain why that is?\n\nAnswer: That's a common query. Due to its unique working mechanism, the Blockswap FV contest, a category of formal verification contests, does not follow the typical progression of contests shown in the \"Past competition status updates\". This deviation is why it might not be visualized in that section. It's also important to note that these FV contests are usually judged by Certora. For more information about what a formal verification contest entails, you can visit the contest repository here: https://github.com/code-423n4/2023-01-blockswap-fv. 
On another note, you may sometimes see delays in seeing status updates or rewards distribution for certain contests due to various reasons. Our team is continuously working to streamline this process and provide timely updates.", "Q: Is it necessary to provide a Proof of Concept (PoC) for medium-risk vulnerabilities (Risk 2) during report writing, similar to high-risk vulnerabilities? \n\nA: Yes, it is highly recommended to provide a Proof of Concept (PoC) for medium-risk vulnerabilities while writing reports. Although not strictly required, a well-documented PoC can increase the credibility of your report and potentially lead to a 30% bonus if selected. This can be done in any language that adequately demonstrates the vulnerability. \n\nA vulnerability may be disregarded without a PoC unless the vulnerability is extremely obvious. Even when there's uncertainty about the risk rating of a vulnerability, such as when it's on the fence between high and medium risk, or between QA and medium, providing a PoC can make a crucial difference. \n\nIn a situation where no medium or high vulnerabilities are found, the remaining funds are divided based on the QA Report curve. However, this is an uncommon scenario as contests usually reveal medium or high-risk vulnerabilities. An example can be seen in this contest with only low vulnerabilities: https://code4rena.com/reports/2021-11-fei. \n\nWhen submitting an issue, the impact of the vulnerability on the protocol/code should be explained, and the PoC section should contain the code or Github lines, or a written test that exploits the vulnerability. \n\nAlthough it's not obligatory to provide mitigation steps for medium/high reports, including an explanation as to why it cannot be feasibly mitigated is advised. In the audits, besides identifying vulnerabilities, it is generally expected to propose solutions or mitigations. 
\n\nIn summary, a coded PoC not only raises the chance of a report being acknowledged but also contributes to a comprehensive and high-quality vulnerability report, whether it's a medium or high-risk finding.\n", "Question: What does the yellow icon represent on CodeArena and how can I change my profile icon?\n\nAnswer: The yellow icon on CodeArena serves various purposes depending on its context. For instance, in Ethereum, the Beige Paper is mentioned as a more digestible version of the Yellow Paper, hence a yellow icon might relate to that. However, for a definitive explanation, you're encouraged to refer to the specific context where the yellow icon is used within the platform. \n\nTo change your current profile icon on CodeArena's leaderboard, you would need to submit a help desk request. This can be done through the following link: https://code4arena.com/help. Once there, you can follow the prompts to submit your request. Please note that there might be some issues with the form, such as a purple screen appearing when a dropdown is clicked. If you encounter such issues, it's recommended to refresh the page and try again. \n\nRemember, to see your new profile icon and check your status, you can click on your name to see assigned roles. You'll also receive notification updates via email.", "Question: Does Code4rena accept volunteer assistance or have a way for individuals to offer their help?\n\nAnswer: While it's unclear if Code4rena directly accepts volunteers, the platform has a robust help desk system where users can submit requests for various purposes, including offering assistance, handling submission issues, or even inquiring about joining as a team member. The help desk can be accessed at https://code4rena.com/help. If someone believes they are eligible for a backstage role or wants to check their eligibility, they can open a help desk request as well. 
Additionally, teams can make changes to their membership and resolve these changes through a help desk request. If someone needs assistance, whether it's with creating a new team, submission errors, or linking a Code4rena profile to a Twitter account, they can utilize this system. It's important to note that any inquiries, even those of a private nature, should be made through a help desk request rather than directly contacting a Code4rena team member.", "Q: Can you provide more information on the 'Use assembly to check for address(0)' automated gas optimization detected by the c4udit tool in Code4rena auditing reports?\n\nA: Code4rena uses a tool called C4udit for generating automated findings during each contest, and one of these is 'Use assembly to check for address(0)'. This particular optimization is part of the automated gas optimization report generated by the tool. Although it could save a few gas, it's not necessarily considered valuable by all sponsors. \n\nYou can find detailed information about this issue at https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs. \n\nFor further insights into how Code4rena uses gas reports and the full list of optimization issues considered in audits, you can visit https://github.com/Picodes/4naly3er/tree/main/src/issues. \n\nKeep in mind that all automated findings, including gas optimizations, are ineligible for rewards according to Code4rena's submission policy, which you can review at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible. \n\nFor the details of a recent Code4Arena gas optimization report, you can refer to https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations. \n\nIt's worth noting that if you find a gas optimization that can be applied in more than one line of code, it should be submitted as a single finding, with all applicable lines mentioned. 
\n\nLastly, you may be interested in a talk by Quantstamp's Sebastian Banescu, where he discusses Code4Arena's auditing process, which aims to consistently find more bugs faster than other methods: https://www.youtube.com/watch?v=O1rKwDv5kLQ.", "Question: I submitted a ticket a few days ago but haven't received a response. How does CodeArena handle these support requests?\n\nAnswer: When a support ticket is created on the CodeArena homepage, you may not receive an immediate email notification. However, rest assured that your ticket has been received. Our help desk system, located at https://code4rena.com/help, is designed to receive and address all requests. Normally, tickets are reviewed within a week. If you don't receive a response after this period, or if you have any other issues such as not receiving an email after registration or submitting a finding, you can open a new help desk request. For persistent difficulties with submitting a request through the form, you can forward these to submissions@code4rena.com. You can also direct message our staff members on Discord. Remember, we're here to assist you, and your concerns are our priority.", "Question: Do medium risk vulnerabilities require test codes as proofs of concept (PoCs) when writing reports, in the same way as high risk vulnerabilities?\n\nAnswer: Ideally, medium risk vulnerabilities, classified as Risk 2 in our system, do require test codes as proofs of concept (PoCs) when writing reports, similar to high-risk vulnerabilities. There isn't a strict requirement to provide an exploit for medium severity bugs, but it's common practice and highly recommended to do so. This is especially important as a finding that lacks a PoC might be disregarded unless the bug is extremely evident. Keep in mind that the best reports focus on a specific issue or attack, feature the project's code, include an understandable PoC or particular example, and have a test code that illustrates the vulnerability. 
\n\nAlso, remember that if you are unsure whether a finding is a QA or a medium vulnerability, it is better to file it as QA unless the PoC is coded. If two separate vulnerabilities can combine to create a more potent one, you may submit a third finding explaining the PoC. \n\nIf you discover a vulnerability but find it difficult to fix without significant changes to the protocol, it can still be reported. Recommendations for mitigations are appreciated but not mandatory. Medium/High reports can be submitted without suggested mitigation steps, even if no feasible mitigation steps are available.\n\nWhen identifying the severity of a finding, it's often a balance of consequence and likelihood, relying on experience. Medium risks usually have lesser impact and require specific preconditions for an attack, such as high attack difficulty, specific market conditions, or user unawareness. \n\nIf you have written a PoC script for a vulnerability, you can include the link in your submission where relevant. If your report involves automated tools for initial findings, there is a higher burden of proof required to demonstrate relevant high or medium severity exploit paths to be considered satisfactory. Further clarification on this expectation can be found at this [link](https://github.com/code-423n4/org/discussions/50). \n\nIf no medium or high vulnerabilities are found throughout a contest, the remaining funds are divided based on the QA Report curve. However, this scenario is rare as there are usually at least medium vulnerabilities found. \n\nFinally, it's essential to understand that if a vulnerability is found in multiple components of the codebase, it may count as separate findings, but the final decision on whether they're duplicates is up to the judge. 
And if the same vulnerability is reported by multiple people, the handling of these vulnerabilities will need to be reviewed on a case-by-case basis.", "Question: Can you elaborate on what is meant by a Versus Mitigation contest and how it operates within CodeArena (C4)?\n\nAnswer: A Versus Mitigation contest in CodeArena (C4) is a highly specialized and competitive event that is typically private and invitational. These contests involve a selected group of top-performing wardens - participants who hold the title of \"warden\" are certified and highly skilled individuals in the CodeArena community. \n\nThe term \"Versus\" denotes a challenge or comparison between the invited entities. Versus contests could include mitigation reviews or regular contests but with a limited number of participants. In the context of a \"Mitigation review contest,\" it is understood as an event where projects invite these top wardens back after the contests to review bug mitigations.\n\nParticipants in these contests examine and propose solutions to identified vulnerabilities within smart contracts. However, it's worth noting that if a participant's findings and proposed mitigation are disagreed upon by the judge and sponsor, the final decision lies with the sponsor. On the other hand, if a participant successfully identifies a bug or logic flaw that receives judge approval, this is considered an achievement.\n\nThese contests often have a specific structure - an initial audit prize pool followed by a mitigation review pool. 
While the exact rewarding formula may vary, the opportunity to participate in these contests usually goes to wardens based on their rank in either specific contests or a recent performance window.\n\nYou can read more about Versus contests and Mitigation Reviews at the following links: https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef, https://code4rena.com/how-it-works.", "Question: \nWhat exactly is a Versus (vs) contest in CodeArena?\n\nAnswer: \nA Versus (vs) contest at CodeArena is a special type of contest that involves a comparison or challenge between high-performing wardens. These contests are typically smaller and more invite-only, often limited to only 3 wardens. To be eligible for a versus contest, a warden needs to be certified. The opportunity to participate is often granted to wardens based on their rank either from specific contests or their recent performance record. \n\nVersus contests are also characterized by an RSVP process, where the best performing wardens get first choice. These contests, however, are often private and open only to top wardens. Additionally, it's important to note that even if the contest details are restricted, payment won't be received for findings as it's an invite-only contest. \n\nIt's also worth noting there's another category of contests called \"FV contest\" but it operates differently and its status updates are not usually visualized. \n\nMore information about Versus contests can be found at this link: https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef.", "Question: Does Code4Arena participate in external events and conventions, and are there any planned in the future?\n\nAnswer: Yes, Code4Arena is actively involved in various industry events and conventions. Most of our growth team attends events like ETH.NYC and ETH.Denver and various gatherings such as ETH CC Paris and ETH Belgrad. In addition, we have expressed interest in hosting our own events. 
For instance, we are planning an event at devcon, as can be seen from our Tweet: https://twitter.com/code4rena/status/1577405876952272896?s=21&t=YjWD5aNJCZKKN9jXrRDh7A. For more information about our future participation and events, stay updated by visiting our main page where we list upcoming contests and events: https://code4rena.com. You can also learn more about us and our teams on our official documentation: https://docs.code4rena.com/. Please note that the specific members from our team attending these events may vary.", "Question: How can I get information about upcoming public contests and access private contests at CodeArena?\n\nAnswer: For information about upcoming public contests, you should check the #\u270brsvp channel on our Discord chat. All contests, be it public or private, are also listed on our website [CodeArena](https://code4rena.com). If you are interested in private contests, they have their RSVPs available in a channel accessible only to certified wardens. Your certification status determines the contests you can access. To become a certified warden and gain access to more contests, you need to meet certain prerequisites. If you are uncertain whether a contest is private or public, refer to the contest details as mentioned in the #\u270brsvp channel or on our website. Remember, if a contest is listed in the public RSVP channel, then it is a public contest.\n", "Question: \nCan anyone explain the section [M-02] PRICE WILL NOT ALWAYS BE 18 DECIMALS, AS EXPECTED AND OUTLINED IN THE COMMENTS from the Caviar report, specifically in relation to the calculation of optimal tokens using the automated market maker's price formula?\n\nAnswer: \nThough we don't have a direct answer in the provided chat excerpt, understanding this issue would likely involve understanding the calculations and functionality of an automated market maker (AMM). 
In an AMM, the price of tokens is determined by a formula that takes into consideration the amount of each token in a liquidity pool. In some AMM models, this is known as the constant product formula (xy = k), where x and y are the quantities of the two tokens in the pool, and k is a constant value. \n\nIt may be possible that the discrepancy in the decimal places is resulting from these calculations, particularly if token quantities are large or small enough to impact the precision of the resulting prices. \n\nFurthermore, in some implementations of AMM, it seems that there are two options for performing the calculations, referred to as option 1 and option 2. It's unclear from the chat excerpt provided how these options differ, but it's possible that the choice between options could also impact the precision of the pricing calculation. \n\nFor concrete examples of these calculations, refer to this link: https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L699. It's important to note that these are highly technical concepts and understanding them may require a solid grasp on smart contract code and AMM mechanisms. \n\nAs this is only a speculation based on the provided chat excerpt, it's advisable to consult further resources, or perhaps reach out for clarification from the report's authors or other knowledgeable parties.", "Q: How can I change my avatar or other profile details such as Twitter username on the Code4rena site?\nA: Users can change their avatar, twitter username, or other user details on Code4rena by submitting a help desk request. This includes changes to the profile picture, account details, and links associated with their profile. If you wish to change your avatar on the leaderboard, provide a link to your chosen avatar in your request. The help desk request can be made at [https://code4rena.com/help](https://code4rena.com/help). These requests are typically addressed within a week. 
Please note, if you are a certified user or a warden, you may have additional options for editing your profile.", "Question: How can I find an equivalent of \"upgrades.deployProxy\" from Hardhat in the context of Foundry for smart contract testing and auditing?\n\nAnswer: While there isn't a direct Foundry equivalent of \"upgrades.deployProxy\" from Hardhat, you have several options to achieve similar results. One approach is to create your own solution suited to your needs. However, if this seems daunting, you can refer to this GitHub repository [link](https://github.com/chugsplash/chugsplash-foundry) for guidance. \n\nFurthermore, you could upgrade your proxy to the implementation you deployed and use a library to wrap the contract type around your proxy. It's important to mention that pre-written libraries are available for this purpose. \n\nFoundry can be used in a project that employs Hardhat. A base template for this integration is provided [here](https://github.com/foundry-rs/hardhat-foundry-template). For debugging Hardhat tests or inspecting contract execution at the EVM opcode level, you can use the \"foundry debug\" tool. However, there might be issues with opcode support in Foundry based on some user experiences. \n\nYou can also use Foundry to fork data from live networks like mainnet or testnet, making it a convenient alternative to public testnets. A point of interest is the ability to 'impersonate' an account in Foundry using vm.prank(address), similar to Hardhat. \n\nWhile the above information should help, please be aware that users have reported difficulties with conducting fork testing in the Polygon POS network using Foundry. 
\n\nLastly, if you want to understand more about proxies and upgradeable contracts, you can find resources [here](https://proxies.yacademy.dev/).", "Question: How can I find out why several of my smart contract audit issues submitted in a CodeArena contest were considered invalid?\n\nAnswer: If you find that your submitted issues in a CodeArena contest are not accepted or rewarded, it is likely that they were rejected. Once the contest has ended, the submitted issues are reviewed and triaged by judges, then await sponsor review, final judging, and Quality Assurance before the report is made public. This process may take at least a month. \n\nYou will need to wait until the reports are published to understand the reasons behind the rejection of your submissions. Once the report is out, you can access the repository which will be fully opened for review. This will allow you to see the discussion among sponsors and judges regarding the specific issues. \n\nEach issue is evaluated strictly based on what was submitted, without \"multiplying\" an issue. It's worth noting that if you submit more than three invalid issues per contest, you may not receive any payout for that competition. \n\nBy monitoring the 'backstage' channel for the post-judging stage of the concerned contest, you can also query an issue marked as invalid. This process will give you insights into why a bug was not accepted and how you can improve your future submissions.\n\nPlease note that the 'Findings' submitted by other participants for contests are listed in the 'Known Findings' section of the Readme Page of each contest. This page provides a comprehensive list of findings that were not accepted in the contests, which could provide further insights to help you understand the reasons for rejection.\n\nFor more information on submission rules and how to submit findings for a contest, please refer to the specific contest page on the CodeArena website. 
\n\nRemember, if you have experienced any issues when submitting findings, such as not receiving email receipts for your contest findings, please contact our support team for assistance.", "Question: How can I verify the status and reasons for the invalidation of my issues submitted in a CodeArena contest?\n\nAnswer: When your issues submitted to a contest are not awarded, it's likely that these have been deemed invalid or rejected. To verify this, you can follow these steps:\n\n1. Monitor the backstage channel for the post-judging stage of the relevant contest. This is where discussions about issue validity take place.\n\n2. Review the official report released after each contest. This report includes the bugs found and reasons for any changes to the severity of reported bugs. Detailed feedback from the judges can be found here.\n\n3. Check the 'Known Findings' section on the Readme Page for each contest. If your finding is listed here, it was likely disqualified. \n\n4. For further clarification, you can view your QA reports for contests that have already closed, or see the discussion among sponsors and judges on the specific issue on the contest's repository once it's fully opened.\n\n5. If you still have concerns or specific questions, you can reach out to the respective sponsor or contact one of the judges directly. \n\nRemember that to avoid having your issue marked as invalid, it's beneficial to include a proof of concept and a case for how an item can be exploited when submitting it. If you end up with more than three invalid issues in one contest, you may be penalized. 
\n\nVisit our help page for more support: https://code4rena.com/help/ \n\nPlease note that if you accidentally submitted your findings to the wrong contest, you should resubmit them to the correct contest and fill out a form to let the C4 staff know about the incorrect submissions.", "Question: What is a Versus contest at CodeArena and how can someone participate in it?\n\nAnswer: In CodeArena, a Versus contest denotes a small, invitational competition limited to a certain number of high-performing wardens, typically only three. The term \"versus\" signifies a challenge between entities. It could include mitigation reviews or regular contests with a limited number of certified participants, selected based on their recent performance or rank in specific contests. \n\nTo participate in a Versus contest, one needs to be a certified warden. Certified status is achieved through a specific process and grants access to more contests, including these smaller invitational ones. The best performing wardens get the first choice to participate through an RSVP process. \n\nPlease note that the contests are processed in a specific order, representing the order of contest progression. The scope for the contests is decided by the sponsors and is listed in their specific contest information. If you have specific questions about the scope for a contest, you can connect with the sponsor via their contest channel or Direct Message (DM). \n\nThe findings and results of contests are posted in the section where Contests are posted, and the time it takes to judge submissions can affect the results timeline. 
\n\nFor more comprehensive information on Versus contests, please visit https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef.", "Question: Does CodeArena conduct audits on projects/contracts that have implemented Fairlaunch and anti-bot measures?\n\nAnswer: CodeArena specializes in auditing smart contracts, and this could include projects that have implemented Fairlaunch or anti-bot measures. However, the specific type of projects we've audited varies greatly. Some of these contracts might already be deployed, while others may not be. The smart contract scanning tool we use can detect a multitude of vulnerabilities, including potential price manipulation concerns (check out more about the tool here: https://app.metatrust.io/project). \n\nIt's important to note that while our auditing process is comprehensive, it doesn't entirely eliminate the possibility of undetected bugs. In fact, there have been debates on whether sponsors could potentially hide bugs in the code base and report them, hoping that no one else finds them. We also acknowledge the fairness concern that if sponsors gain early access to vulnerability submissions, they might exploit this information.\n\nWe also have a system for bot participation in Code4rena's context where bots sometimes identify issues and propose fixes. However, it should be noted that fixes proposed by bots might inadvertently introduce more damaging exploits. We're aware of the issue and take it seriously, striving for transparency and fairness in all our operations. \n\nFinally, while we do focus on auditing, queries have been raised about whether we also undertake smart contract development gigs. Currently, our main focus is on auditing smart contracts for various projects.", "Question: How can I qualify for private contests and gain backstage access at CodeArena?\n\nAnswer: To qualify for private contests and gain backstage access at CodeArena, you need to meet certain criteria. 
Firstly, you must become a certified contributor - this requires encountering 1 high severity bug and participating in at least 3 contests. Top performers, such as those who rank in the top 3 of 3 contests or submit high-impact findings, may have a higher chance of getting certified.\n\nBackstage access is granted to certified contributors who have participated in a minimum of 3 contests and have at least three medium findings and four total findings. Once these results are published on the leaderboard, you can apply for backstage access. \n\nBeing on the leaderboard and having backstage access enhances your ability to qualify for private contests, as it allows you to view and learn from other submissions after contests end. Access to these private contests typically requires certification and a good ranking on the leaderboard. \n\nKeep in mind that more than 3 rejected reports in a single competition can prevent you from receiving any payout for that competition, and the submission rules prohibit making findings \"public\" until a contest is finalised. \n\nFor more detailed information on how to become a certified contributor and gain backstage access, visit: https://docs.code4rena.com/roles/certified-contributors.", "Question: The repo link at https://code4rena.com/contests/2023-02-gogopool-versus-mitigation-contest isn't working anymore. Where should I go to access the content and what should I do if I encounter similar issues in the future?\n\nAnswer: It seems that you're experiencing difficulties with accessing some of our repositories. This could be due to a variety of reasons such as the contest has ended, the repository has been moved, or there is an issue with the website. If you're trying to access details about upcoming contests, please note that the next public contest begins on Feb 16th and you can get more details in the #\u270brsvp channel. 
\n\nIf you are trying to access a specific repository for a contest that has already ended, please note that not all repositories may be accessible after the contest has ended. In such cases, you can review past contest reports available at https://code4rena.com/reports.\n\nFor ongoing contests, if you encounter issues such as a 404 error or difficulties in setting up the repository in your development environment, please submit a help request at https://code4rena.com/help. Our team is always ready to assist you with your concerns. \n\nAdditionally, if you encounter any errors while browsing our website or have questions about security issues, contest rules, results, or any other concerns, you can submit a help request at the same link: https://code4rena.com/help. An alternative help desk link in case the main one fails is https://old.code4rena.com/help/. \n\nIt's important to remember that Code Arena hosts repositories ending with suffix -findings, like https://github.com/code-423n4/2022-04-backed-findings. These repositories often contain valuable insights from past contests. \n\nWe hope this information helps you navigate our platform and participate in the contests. Feel free to reach out if you have any more questions, we're here to help!", "Q: How can I distinguish between public and private contests on CodeArena, and what are the eligibility requirements for participating in them?\nA: Public and private contests are both listed on the CodeArena website and on the #\u270brsvp Discord channel. Public contests are open to all, with details freely available for everyone to view and participate in. Private contests, on the other hand, require certain prerequisites for participation. To access these, you need to complete the KYC process and become a certified warden. Once certified, you can view private contest RSVPs in the #\ud83d\udd96rsvp-certified channel. 
The specific eligibility criteria for each private contest may vary; some are open only to those who participated in the original audit, while others may depend on your leaderboard ranking. Keep in mind that the scope for the contests is decided by the sponsors and is listed in their contest information. If you have specific questions about a contest's scope, you're encouraged to connect with the sponsor directly. Once a contest finishes, all findings, whether from a public or private contest, are published and can be viewed by participants. More details about the process can be found at https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0.", "Question:\nWhat are the rewards and privileges for a warden in CodeArena, particularly for solo findings?\n\nAnswer:\nA warden in CodeArena, especially a certified warden, enjoys various privileges and rewards. For solo findings, a warden might receive a 30% bonus, leading to a 1.3 share. A solo finding specifically means that only one warden found the issue. If the same vulnerability is reported by multiple wardens, they each get the same share. However, in instances where duplicate reports were rewarded, this could lower the value for each warden as the reward money for that issue is divided among them.\n\nBeing a certified warden, which requires encountering one high severity bug and competing in at least three contests, allows wardens to participate in private contests to an extent and certain contests that are only open to certified wardens. Top wardens are further prioritized for contests and eligible to compete in invitation audits. \n\nWardens' earnings can vary significantly, with some getting thousands of USDC while others receive hundreds. The leaderboard at [https://code4rena.com/leaderboard/](https://code4rena.com/leaderboard/) offers a sense of what wardens are earning. 
\n\nIt's important to note that all these privileges and rewards are subject to change and may have different applications in different contexts. For more specific details, it's recommended to check the official CodeArena documentation or reach out to the CodeArena team.", "Question: How can I participate in upcoming audits, both public and private, at CodeArena?\n\nAnswer: CodeArena conducts both public and private audits. You do not need to register for public audits as they are open to everyone. You can view upcoming public audits in the #\u270brsvp channel on our Discord server and signal your interest to participate.\n\nFor private audits, you need to become a certified warden. Details on how to register as an auditor and start auditing can be found on our documentation page [https://docs.code4rena.com/roles/wardens]. After becoming certified and confirmed by provenance, you can participate in private audits. More details about participating in a private audit contest as a certified warden can be found [https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0].\n\nYou also have the option to join teams and participate in the audits. While registering for a contest as a team, a single wallet is used. Active audit contests and details of upcoming audit contests are listed on the CodeArena website [code423n4.com]. Please note that future audit events or contests are dependent on sponsors confirming details and dates.\n\nIf you are interested in running an audit contest for your company's contracts, you can contact our booking team who can assist with setting up audits, pricing, and operational details. If you have queries about auditing projects, you can reach out to us online. \n\nRemember, participating in contests is a great way to gain a better understanding of audit reports. After finishing the audit, you have 30 days to complete the process. 
You may also be interested to know that we have a feature called Activity Stream on user profiles, which becomes available based on the number of audits you participate in.", "Question: What is the \"Scout\" role in CodeArena, and how is it related to the contest process and rewards?\n\nAnswer: In CodeArena, the \"Scout\" role refers to a category of certified contributors who serve as technical reviewers. They peruse the repositories before contest launch to ensure they are ready and prepared for the wardens' scrutiny. Scouts are tasked with confirming that the files supplied by the sponsor are in order and that no security vulnerabilities are introduced via the test files. \n\nScouts are crucial in the audit process as they set the stage for wardens, who are the primary participants in the audit contests. The Scout role is closely tied to the CodeArena reward system, with specific \"Scout\" awards given to individuals who effectively perform this role. This role shares some similarities with other roles such as \"Judge\" and \"Lookout\", with the latter also pre-sorting repos and providing summary documents to the sponsor.\n\nThe \"Scout\" role has a unique place in the bounty system, with \"Scout\" and \"judge + presort\" related to the portion of rewards allocated for work performed by judges and Scouts. The precise division of these roles and their rewards can be further explored on the CodeArena documentation page: https://docs.code4rena.com/roles/certified-contributors.\n\nIt's important to note that the roles within CodeArena, like the \"Scout\" role, are designed to foster collaboration and improve the quality of audits. 
Different team members might excel at different aspects of the process, including identifying potential attack paths, which is a vitally important part of the process.", "Question: \nCan I apply to be a Judge at CodeArena, and what is the process and timeline for judging contests?\n\nAnswer: \nThe judge application window is announced on Discord, but you can submit an application to be a judge at any time. More information about how to be a judge and the application process can be found on the Code4Rena website [link: https://docs.code4rena.com/roles/judges]. Please note that the identity of the judges for a specific contest is not disclosed ahead of time to maintain fairness. \n\nJudging of contests at CodeArena could take a lengthy period due to various factors beyond the judge's control, including increased number of contest submissions and the judges' other commitments as most of them have full-time jobs. If a judge cannot complete their work in a timely fashion, the contest is reassigned to another judge. Despite these challenges, administrators are actively working to clear out lagging contests from the backlog by increasing offers for judging compensation.\n\nIt's also important to note that only the contest sponsor, not the judges, see the findings early. However, Judges can see findings immediately upon contest closure [link: https://docs.code4rena.com/roles/certified-contributors]. Feedback from judges on contest submissions may also be visible which can be beneficial for participants to understand the reasoning behind the ruling and see what could be improved. \n\nDespite the confidential nature of the judging process, if a user disagrees with a judge's decision on an issue, a discussion can be opened and the case can be submitted for a judge to weigh in. This process ensures transparency and fairness in the CodeArena community. \n\nIn case there is a delay in judging contests, there is no stated penalty for judges. 
However, CodeArena is actively working on strategies to reduce such delays and improve the overall efficiency of the contest process. One such strategy is the implementation of a new submission mechanism for upcoming contests. \n\nFinally, please be aware that the audited reports validated by judges will be received in approximately 4 to 6 weeks. Patience and understanding are appreciated in these matters.", "Q: What resources are available for training and improving skills in spotting vulnerabilities during smart contract Capture The Flag (CTF) challenges like the latest version of damn vulnerable defi CTF, and where can I find explanations or solutions for these challenges?\n\nA: There are several resources available to help you train and improve your skills in spotting vulnerabilities during smart contract CTF challenges. To learn advanced solidity and defi industry standards, you can refer to resources like The Ethernaut challenges and Damn Vulnerable DeFi: https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/. For beginners who want to start smart contract bug bounty hunting, https://cryptozombies.io/ for solidity and https://capturetheether.com/ for Capture the Flag challenges are recommended. \n\nFor finding vulnerabilities and bugs in smart contracts, you can peruse GitHub repositories that implement proofs of concepts for hacks: https://github.com/Crypto-Virus?tab=repositories, https://github.com/transmissions11/solcurity and https://github.com/Tomosuke0930/C4-report-categolized. We also have a link that provides instructions on sharing vulnerability discovery PoCs: https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc. \n\nIf you want to learn about exploiting smart contracts, a post on FEG token flashloan exploit analysis can be found at https://www.certik.com/resources/blog/w6AxRmf6l2ow4zL884gr8-feg-token-flashloan-exploit-analysis. 
\n\nPast contest reports also reveal vulnerabilities and can be used for learning purposes. If you are struggling with catching vulnerabilities during Capture the Flag exercises, we encourage you to practice and improve your skills using these resources. \n\nAs for the solutions or explanations for the latest version of damn vulnerable defi CTF, we currently do not have a specific source for that. However, findings from past bug hunts can be submitted, and examples of past submissions can be found at https://code423n4.com/reports. These may offer some insight into the process of identifying and addressing vulnerabilities. \n\nLastly, remember that the process for reporting vulnerabilities to Code4Arena is being established and documented. If you think you've found a vulnerability during a contest, please reach out to the sponsor team or submit it via the contest submission form to be eligible for awards.", "Question: How does Code4rena handle rewards distribution for duplicate findings in their smart contract audits?\n\nAnswer: Code4rena operates on a rewards system that encourages quality and thoroughness in the auditing process. For each unique High or Medium finding, the submission chosen for inclusion in the audit report receives a 30% share bonus, irrespective of the order in which the issue was reported by different wardens. This bonus may also apply to a solo finding, leading to a 1.3 share for the finding. \n\nIn cases of duplicate findings, each submission is subject to some sybil resistance and is awarded a share of one point, depending on the number of duplicates. However, the overall value of the bug is reduced and split based on how many people find it, reducing by approximately 10% for each duplicate submission. If a duplicate report does not surpass a certain quality threshold, it might not be awarded any share. 
\n\nTo get the 30% share bonus for a duplicate finding, the report needs to be of a high quality, often supported by a coded Proof of Concept (PoC). Being selected for report garners the bonus and secures a larger share of the finding. If a team submits a non-duplicate finding, the team gets more rewards than if they had individually submitted the same finding. \n\nThe grading and sharing system also applies to other reports including QA/GAS reports, with Grade A reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus.\n\nFor low findings, there may be a bonus for inclusion in the report, but this is less certain. You can find more details on the rewards distribution system on Code4rena's official documentation [here](https://docs.code4rena.com/awarding/incentive-model-and-awards). If you\u2019re interested in duplicate reports and their associated information, you can check out the source code 'findings.csv' available [here](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434).\n", "Question: \nHow are rewards distributed for High and Medium risk findings in Code4rena audits, and what factors affect the distribution of these rewards?\n\nAnswer: \nRewards for High and Medium risk findings in Code4rena audits are distributed based on a number of factors. For each unique High or Medium risk finding, the submission that is selected for inclusion in the final audit report receives a bonus of 30% of the reward for that finding. This equates to 1 High or Medium reward + 0.3 of the same reward for solo findings, leading to a total of 1.3 shares. \n\nIf multiple auditors report the same bug, they all receive a portion of the bounty. However, common findings which are usually picked up by the C4udit tool are often out of scope and are linked in each contest readme. If they are not identified by the tool, they should be submitted separately. 
The reward for a finding reduces by approximately 10% for each duplicate submission.\n\nThe grading system for QA/Gas reports also plays a part in the reward distribution. Grade A reports count as 2 shares, Grade B reports as 1 share, and the best report receives a 30% bonus. \n\nThe severity of the issue also affects the classification of findings as High, Medium or QA. If all rewards could potentially be lost due to an issue, it's classified as a Medium or High risk finding. If there's a risk of losing some rewards, it's probably a Medium risk finding. If rewards are lost due to roundings - a negligible amount of rewards - it's probably a QA finding. If the principal can be stolen without needing extra requirements, then it's likely a High risk finding.\n\nQuality of submission and having a coded proof of concept (PoC) along with the report can also increase the chances of the report being selected, which comes with a 30% bonus. \n\nIf a finding is submitted as a low in a QA report, but the judges determine that it\u2019s a medium, it will be eligible for medium rewards. Conversely, if a high-risk finding is deemed to be of a lower risk, the submitter will still be rewarded appropriately. \n\nLastly, when a team submits a non-duplicate finding, the team gets more rewards than if they had individually submitted the same finding. \n\nPlease refer to the following link for more details: [https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs).\n", "Question: Can you explain the bonus system at CodeArena, particularly for the 'Selected for Report' and how it relates to the quality of submissions and findings?\n\nAnswer: At CodeArena, a bonus is typically awarded for each unique high or medium finding that has been selected for inclusion in the audit report. This bonus is often a 30% share of the finding's share, leading to an increased total share of 1.3. 
The 'Selected for Report' bonus is given to the user who submits the best report. In fact, the quality of a submission is a significant factor when distributing bonuses, with higher quality submissions potentially receiving larger bonuses. This means that, for example, having a coded Proof of Concept (PoC) along with your report could increase your chances of being selected and hence receive the 30% bonus. \n\nIn addition, in a case where multiple people, including members of the same team, identify a gas optimization, the reward split can be calculated using a specific formula. This formula, along with other details regarding the rewarding system, can be found at this document: https://docs.code4rena.com/incentive-model-and-awards\n\nPlease do note, reward amounts in contests come directly from the sponsor, and they can vary from contest to contest. For example, there are instances where the best advanced analysis report in a competition receives a 30% bonus. Participation rewards are also available in certain contests like formal verification contests.\n\nIt's also worth mentioning that there are often questions about the rewarding formula in terms of findings count and partial credits, as well as the rewards for submitting a new detector - for the latter, 'Karma Points' are typically awarded.", "Question: How can I format strings in my audit reports in a manner that appends user-provided arguments at the end of a string, for example: xy a,b,c and the output is xya, xyb, xyc?\n\nAnswer: This question relates to the formatting of strings in coding, specifically in the context of smart contract audits. To append user-provided strings at the end of a string, you can use various string concatenation methods available in your chosen programming language. \n\nFor instance, in Python, you can use the + operator or the .format() function to concatenate strings. 
However, the best method may depend on the specific context of your smart contract code, the language used, and the structure of audit reports.\n\nThe discussion about the use of underlines in internal functions and function parameters may be relevant, depending on the coding conventions used in your project. It's generally considered good practice to clarify the role of functions and parameters through naming conventions, which can include the use of underlines. \n\nAdditionally, if your string represents a JSON and you're looking to enhance readability, you may want to implement a custom print logic for each element.\n\nRegarding the size of the string, be aware that a string goes above size byte32 when it reaches 33 bytes, with one byte per character. This should be kept in mind when dealing with large strings or text that might not fit in certain textboxes. In such cases, you can link a gist, which is a simple way to share snippets of text or code.\n\nRemember, the quality of the audit report is not just about the code, but also about how the findings are presented. If you're submitting findings for an audit, consider providing the context and triage for any tool output, rather than just pasting the output directly. Tools like 'git diff' can be used to highlight changes in code, and the 'Copy With Line Numbers' extension for VS Code can help provide code snippets with line numbers.\n\nFor further assistance with string formatting and code analysis, you might find these resources helpful: \n- String formatting in Python: https://realpython.com/python-string-formatting/\n- More on bytes and strings in Ethereum: https://ethereum.stackexchange.com/questions/11556/use-string-type-or-bytes32\n- Public script for code analysis: https://github.com/Picodes/4naly3er. \n\nRemember to consider the specific context and requirements of your project when applying this advice. 
If you're uncertain about how to improve your code, don't hesitate to ask further questions in the Discord chat.", "Question: How does CodeArena calculate and distribute awards for smart contract audits, and can we confirm the exact method of these calculations including if they are public?\n\nAnswer: CodeArena uses a complex model for award calculations and distribution, which includes multiple factors such as gas usage, QA, and the level of detail in submissions. While the award calculation script isn't public, the formula used for awarding gas and QA is public, though it's planned to be updated. Details about the method of award calculation and the variables considered for calculating these awards can be found within CodeArena's documentation at their [Incentive Model and Awards page](https://docs.code4rena.com/#incentive-model-and-awards). \n\nThe current award system employs curve logic of distribution. However, there are plans to design a new method for distributing awards based on the observed scoring of initial contests. The finalized distribution of awards can be viewed on the blockchain, as they are distributed publicly from the same awards address without any masking of wallet addresses. \n\nFurthermore, the award value can be influenced by the quality of your submission, such as whether you included a Proof of Concept (PoC) or covered the issue in depth. There is also a provision for partial credits to cater for duplicate findings, with detailed guidelines available [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit). \n\nAn estimation of risk for vulnerabilities is also a part of the awarding process, more on which can be found [here](https://docs.code4rena.com/awarding/judging-criteria#estimating-risk). 
\n\nWhile all these factors contribute to the final award, it should be noted that the process for calculating awards is still undergoing changes and improvements based on community feedback and experiences from past contests. Some changes are pending implementation due to ongoing contests.", "Question: How does CodeArena (C4) determine the award calculation for smart contract audits?\n\nAnswer: The exact award calculation for CodeArena's smart contract audits is not public knowledge. However, it is understood that the award is determined based on several factors such as the level of detail in the submission, the inclusion of a Proof of Concept (PoC), and thorough coverage of all aspects of the issue. Gas optimizations are awarded from a separate pool, and each contest's page on the C4 website provides specific details. \n\nIt's also important to note that the judging team at CodeArena does not revise the payment amount after the payout. If there are any discrepancies or questions regarding the award calculations, it's advised to address them before the contest's conclusion. \n\nRegarding duplicate submissions, if two similar reports are submitted, one could be marked as a duplicate, which might affect the payout. But the same finding submitted by multiple Wardens can result in a significantly different award value based on the quality and completeness of the submission.\n\nFinally, the way the award is divided amongst a team of auditors is determined by the individual team, as per the awards information provided on the C4 website [https://docs.code4rena.com/incentive-model-and-awards]. \n\nThis answer incorporates information from a variety of sources and chat discussions, and it may not cover every aspect of the award calculation process. 
For the most accurate information, please refer to the official C4 documentation or contact CodeArena directly.", "Question: What happens to the reward distribution in a CodeArena contest if a user finds a unique High/Medium vulnerability and there are no duplicates? \n\nAnswer: In a CodeArena contest, if a user discovers a unique High or Medium risk vulnerability and there are no duplicates, the user will receive all the shares of that finding. Additionally, the submission selected for inclusion in the audit report is eligible for a 30% share bonus. This means the user gets 1.3 times the original share for a solo finding. \n\nIt's important to note that duplicate submissions of the same vulnerability are subject to CodeArena's sybil resistance policy which splits a share of one point across all duplicates. The best report among these duplicates will also receive a 30% share bonus. If no High/Medium vulnerabilities are found, the full award pool would be divided based on the Quality Assurance Report curve.\n\nThe reward for a medium/high finding is calculated using the formula provided at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. The value of the finding reduces by approximately 10% for each duplicate submission. Having a coded Proof of Concept (PoC) along with the report can increase the chances of the report being selected, which comes with the 30% bonus.\n\nPlease refer to the official CodeArena documentation for more detailed information on the incentive model and awards system: https://docs.code4rena.com/incentive-model-and-awards.", "Question: What is the nature and calculation of the 30% bonus in Code4rena's audit process, particularly in relation to solo findings?\n\nAnswer: In Code4rena's audit process, a 30% bonus may apply to solo findings, making it a 1.3 share. 'Solo' refers to findings that were found only by a particular auditor, with no duplicates. 
If a finding is unique with no duplicates, it secures all shares of that finding. \n\nHowever, the 30% bonus is not exclusive to solo findings. If a report, including a duplicate finding's best report, is selected for inclusion in the audit report, it receives a 30% share bonus as well. This applies to each unique High or Medium finding. There may also be a bonus for each low finding selected for the report. \n\nHaving a coded Proof of Concept (PoC) along with the report can increase the chances of the report being selected for this bonus. Yet, it must be noted that only the 'Selected For Report' gets a bonus.\n\nThe reward for a medium/high finding can be calculated using the formula provided in this link: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs\n\nThere is no difference in payout between the first to find a bug and anyone else who finds the same bug. The overall value of the bug is reduced and split based on how many people find it. The prize for a finding reduces by approximately 10% for each duplicate submission.\n\nFurther details about rewards and duplicity of findings can be found here: https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit", "Question: Why is there a bonus in Code4rena's contests and how is it determined if a solo bug report can be considered the best?\n\nAnswer: The bonus in Code4rena's contests is a reward mechanism for the best reports. This includes solo bugs, which are bugs that are only identified by a single individual. If it's a solo bug, it means no one else found it and thus the report of this bug could receive a bonus. The bonus serves to incentivize quality and thoroughness in bug reporting and is not solely based on the timing of a bug discovery, as per Code4rena's model which differs from a first-come, first-served bug bounty model. 
\n\nThe best report typically receives more money, and a duplicate finding's best report can be eligible for a 30% share bonus. This is calculated based on assessing a bug's severity and presenting evidence, and taking into account the value of the bug, which is reduced and split based on how many people find it. \n\nIt's important to note that this bonus is not automatically given to the first person who finds a bug; instead, everyone who reports the same bug gets a portion of the bounty, provided the bug report meets a certain quality threshold. This is detailed in the incentive model and awards section of the Code4rena documentation: [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards)\n\nLastly, the process is transparent, as every contest releases a report about the bugs found, which can be used for learning and improving future submissions.", "Q: How can I participate in the private audit contests at CodeArena (C4) and what are the prerequisites?\n\nA: To participate in the private audit contests at CodeArena, you need to be a certified warden. The process of becoming a warden requires the completion of the KYC verification. Once certified, you are eligible to participate in most private contests. However, some contests have additional prerequisites, such as participation in the original audit. \n\nYou can also join as a team, using a single wallet during registration for the contest. It's worth noting that eligibility criteria for each private contest can be found in the #\ud83d\udd96rsvp-certified channel. Certified wardens and teams can check the upcoming audit contests on the CodeArena website [code423n4.com](https://code423n4.com). \n\nRemember, certified wardens are not only eligible for private contests. 
They can ask questions about findings of past projects, edit their findings while an audit is still open, and also have access to the \"Your Findings\" button on the contest page. Moreover, participating in contests is a great way to gain a better understanding of audit reports.\n\nFor more information on the process of becoming a certified warden and participating in private audit contests, you can check out this [link](https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0).", "Question: I have completed my Know Your Customer (KYC) process, but I am still unable to participate in private contests on CodeArena. Can you explain why this might be happening?\n\nAnswer: Completing the KYC process doesn't automatically grant you access to all private contests on CodeArena. Some contests may already be assigned, and therefore inaccessible, even after KYC approval. To join a private contest, you are required to be a certified warden, which involves more than just KYC. These processes are explained in detail in our documents at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. If you've passed the KYC process and earned approval but still can't access private contests, please ensure you have certified status on your handle. If not, you can submit a request at our help desk at https://code4rena.com/help. Please note, the KYC process can take a week or longer to complete, and there may be delays or potential rejections. The reason for rejection may not always be communicated. Also, note that not all contests require KYC, but the ones that do will clearly state this requirement. If you have any further issues or uncertainties, don't hesitate to reach out to our team.", "Q: I've passed the KYC process and received approval, but I'm still unable to access private contests. 
What could be the issue and what should I do next?\n\nA: Approval of KYC (Know Your Customer) doesn't automatically grant you access to all private contests. It could be because you do not have a certified status on your handle. Certified status requires passing the KYC process and meeting certain criteria such as past contest participation and leaderboard ranking. To upgrade your status to a certified warden, you can follow the process outlined in the Code4rena documents at [https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints].\n\nIn some cases, even with certified status, you might not be able to access certain private contests if they have already been assigned to other auditors. Also, make sure to keep in mind that participation in certain contests, such as the Chainlink contests, requires KYC verification prior to submission to be eligible for rewards.\n\nIf you have completed all of these steps and are still experiencing issues, we recommend creating a help desk request at [https://code4rena.com/help]. It may also be worth noting that some contest rewards might be pending due to KYC issues, and access to the contest repository after closure requires backstage access, which is a different process and could take up to 24 hours to process after KYC admission.", "Question: Where can I find information about upcoming RSVP contests at CodeArena?\n\nAnswer: Information about upcoming RSVP contests at CodeArena can be found in the #\u270brsvp channel on our Discord server. This includes information about the timing, details, and the number of contests such as audit and versus contests. Be aware that details of top-tier projects can appear suddenly in the channel, and we sometimes run multiple contests simultaneously. The RSVP process is important for contests like the \"vs contest\" which prioritize the highest performing wardens who RSVP. Also, note that being certified grants you access to more contests. 
For updates about non-KYC (Know Your Customer) contests, continue monitoring the #\u270brsvp channel. Future contests may require an RSVP, and these updates can be checked on this channel. We have also noted a desire among users for more high prize contests and are considering this for future planning. Please follow the provided Discord link to access the #\u270brsvp channel.", "Question: How can I participate in a private audit at CodeArena?\n\nAnswer: To participate in a private audit at CodeArena, you need to be certified. Certification typically involves completing a KYC process. Once certified, you are known as a \"warden.\" As a certified warden, you are eligible to join private auditing contests, though there may be other conditions to meet for specific opportunities. For instance, some private contests are only open to those who participated in the original audit, and others may require a specific rank on our leaderboard. \n\nFurther, you can also join teams and participate in audits collectively. If you are interested in becoming a certified auditor, you might want to know that inquiries about auditing projects can be made online and some users have asked about the duration of the process. \n\nMore information on how to become certified and participate in private audits can be found [here](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints) and [here](https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0). Please note that while certification is usually sufficient for private audits, invitational audits are a different category where only specific wardens are invited. \n\nRemember, your certification can also allow you to access the #\ud83d\udd96rsvp-certified channel, where qualifications for specific audit opportunities are listed. RSVP is a way for participants to signal their interest in audit opportunities. 
It's good to know that private audit contests are not strictly open to only top-ranking wardens, so it's worth checking the criteria for each opportunity.", "Question: What is the process and timeline for the announcement of contest results at CodeArena?\n\nAnswer: The timeline for announcing contest results at CodeArena varies, usually taking anywhere from 2 weeks to over 2 months. The process involves several phases starting immediately after the contest ends. These phases include sponsor review of the findings, judging, confirmation by the sponsor, preparation of the judge's final report, and then the announcement of the results. The duration of these stages can depend on several factors, including the specific contest, the number of reports under review, and factors beyond the judge's control which may cause delays. \n\nOnce the review process is complete, the results are posted in the contest channel. After the announcement, the payouts for contest awards are usually made between 1 to 2 weeks. It's important to note that findings submitted for contests may not always make it to the final report, and the reason might not be immediately known. Participants will need to wait until the reports are published, usually within 2 to 6 weeks or even longer, to see the results of their submissions. \n\nParticipants can inquire about the progress and schedule of final reports, and the findings from the contest are confirmed and discussed after the contest ends. The certification process can be started within 48 hours of the contest, and upon completion, a participant might be awarded if they are eligible for an amount. Please note that the judges for a contest are not known ahead of time. 
For further details, please follow the updates on our official Discord chatroom.", "Q: What is the Know Your Customer (KYC) process, how long does it usually take, and what should I expect during this process to become a certified contributor at CodeArena?\n\nA: The Know Your Customer (KYC) process is an identity verification step required to become a certified contributor at CodeArena. It involves a few important steps including identity verification by Provenance and checks for OFAC sanctions and backgrounds. \n\nThis process typically takes a few days to complete, but some users have reported waiting for up to 10 days or even a week or longer in certain circumstances. The time taken varies and depends on the back and forth between the user and Provenance, so please be patient during this process. If your application has been pending for an extended period, you can submit a help request. \n\nAfter completing the KYC process, you will receive a confirmation email from Provenance. However, please note that there can still be a waiting period before you obtain the certified contributor role. Even with KYC approval, certain private contests may not be accessible if they have already been assigned. \n\nIt's important to consider that a successful KYC application does not automatically grant access to all private contests. Access to certain contests, like the Chainlink contests, or to audit tasks which require KYC, are separate and would necessitate you to be a certified contributor. If a team wins a prize but is unable to claim it due to KYC issues, the procedure for holding or forfeiting the prize is not clear cut.\n\nMoreover, not all activities require KYC verification, and it's possible to participate and receive payouts without being certified. For instance, bot crews need to be KYC'ed to receive payments for some audits, but not all. 
\n\nCertified contributors, who have completed KYC, can participate in private contests and become backstage wardens (access the contest repo post closure and pre-public report release) if they meet the minimum requirements of submissions. \n\nTo start the KYC application process, you can visit [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors) and follow the instructions provided.", "Question: What does \"versus\" signify in a CodeArena contest, and what are the prerequisites and conditions for participation?\n\nAnswer: The term \"versus\" in a CodeArena contest title signifies a competitive challenge between a limited number of participants, often referred to as wardens. These \"Versus\" contests are typically invitational and the opportunity to participate goes to wardens based on their rank in either specific contests or during a recent timeframe.\n\nIt's important to note that these Versus contests can include a variety of different audits, such as mitigation reviews or regular contests, but always have a limited number of participants. To qualify for a Versus contest, you need to be a certified warden. Certification details can be found in the respective documents provided by CodeArena.\n\nVersus contests are typically private and only open to top-performing wardens. For instance, a \"vs contest\" usually involves only three wardens, has an RSVP process, and the best-performing wardens get first choice. Even though you might be able to see the contest details, you won't receive payment for findings as it's an invite-only contest.\n\nIf you're interested in learning more about Versus contests, you can read this article: [https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef](https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef). 
This link provides additional information on the topic and can answer further queries.\n\nWe want to note that the scope of each contest, including Versus contests, is decided by the sponsors and listed in their contest information. If you have specific questions about the scope of a contest, you are encouraged to reach out to the respective sponsor directly.", "Question: When and how can I view and track my submitted findings in a contest?\n\nAnswer: After submitting your findings in a contest, they can be tracked and edited under the \"Findings\" tab next to the contest description on the contest page. It's important to note that the findings can be modified or withdrawn through this tab until the contest closes. However, these findings are not immediately made public. The findings repository, which includes all submissions, is only made public after the final contest report has been published. This publishing process can take anywhere from 2 to 8 weeks after the contest ends, depending on the complexity of the audit. In some cases, it may take longer. It's also important to note that all submitted findings might not make it to the final report. Certified+ wardens can view the findings repo immediately after a contest ends. If you want to check the success of your report submission, one way is to look out for an email from CodeArena or check whether you can edit your submitted findings.\n\nIn the case of wondering why a finding was rejected or did not make it to the final report, this information becomes available when the report is published and the findings repo is made public. Users can also find feedback for their submitted findings at this stage. \n\nIt's crucial to understand that the reward distribution after a competition might take up to two months or longer after the end of the competition. This timeline is a worst-case scenario, and efforts are always made to reduce turnaround times. 
\n\nAfter a contest is closed, there is a certain period of time before the findings repo becomes publicly available for discussion, however, the specific duration is not always mentioned. When the findings repo is made public, participants can view their submissions, the reasons for their rejection, and also the findings of others.\n\nIt's important to monitor contest announcements and updates, for instance, Biconomy Hyphen 2.0's contest audit results are currently being reviewed and are expected to be published in the coming weeks.\n\nFor additional queries regarding the judging process or specific types of findings such as gas findings, it's recommended to reach out to the CodeArena team directly or ask in the discussion channel.", "Question: What benefits and roles does the $ARENA token provide within the CodeArena community?\n\nAnswer: The $ARENA token serves as a minimum-viable-governance token, bestowing the holder with sovereignty over the DAO treasury. This means users holding the token have voting rights, allowing them to participate in important decisions regarding CodeArena's operations and the use of the treasury. This approach reflects CodeArena's commitment to transparency and effectiveness in their operations. \n\nThe token can also play a role in participant rewards, though the specifics of distribution and rewards can vary and are often tied to specific contests or events. It is important to note that rewards are distributed by the CodeArena team and cannot be withdrawn via a smart contract. \n\nMore information about the governance and usage of $ARENA token can be found at the DAO constitution link: https://github.com/code-423n4/org/blob/main/CONSTITUTION.md. You can also obtain Arena tokens using the contract address 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222. 
Do remember that participating in CodeArena involves conducting all related activities in a timely and professional manner.", "Question: Is it possible to change the Login Address to my CodeArena account and how can it be done?\n\nAnswer: Currently, CodeArena does not directly support changing the login wallet address associated with an account. However, if you're using Metamask, you can link multiple addresses. Should you want to change your login wallet address, consider linking a new address using Metamask. \n\nPlease note, if your account has been compromised, you are advised to submit a help desk request with the relevant details and a signed message from mycrypto.com. \n\nAdditionally, users can change their payment wallet addresses and can also switch back and forth between individual and team accounts. \n\nFor more detailed instructions on how to change your wallet addresses, visit the following link: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. \n\nIf you encounter any issues during this process, consider reaching out for support via the CodeArena help desk at: https://code4rena.com/help.", "Question: What should I do if I find an issue/bug on a project during a contest, and when can I write up and share my findings?\n\nAnswer: If you find an issue or a bug during a contest, we encourage you to submit it using the C4 form. You can find examples of high-quality submissions at https://code423n4.com/reports. After the contest, you can check your issue for the finding you've sent on Github from the report. If necessary, you can also adjust the severity of your submitted bugs after the contest closing either through the PR or by contacting one of the judges.\n\nHowever, please note that we advise holding back on sharing or writing up your findings until the final report is published on the C4 site. 
Although the leaderboard and rewards for a project might have been shown and sent, the final report may not immediately appear on the C4 site. It's important to wait until the full public report is made available before writing up your findings for sharing.\n\nShould you encounter discrepancies or issues with the reports, or if you need to adjust the severity of a submitted bug, you can create a ticket or submit a help request via https://code4rena.com/help. It's also possible to edit your submitted QA report until the audit deadline, and view or edit your own submissions on the site for active contests.\n\nRemember, it's critical to ensure your bug reports are complete and well-documented to be considered seriously. A bug report without Proof of Concept (PoC) might be disregarded unless the issue is extremely obvious.\n\nLastly, after submitting an issue on the C4 website, there's no need to also create an issue on GitHub - our system will automatically do this for you. Please remember that bug reports cannot be submitted after the contest has ended, all findings have to be submitted prior to the audit closing.", "Q: How can I participate in C4 auditing contests, including private ones, and what are the steps to become a certified warden?\n\nA: To participate in C4 auditing contests, you can start by checking out the #\ud83c\udfebeducation channel on our Discord for resources and specific inquiries about getting started. Detailed instructions to register as an auditor and start auditing can be found at our documentation page: https://docs.code4rena.com/roles/wardens.\n\nTeams can also participate in auditing contests, and if you're part of a team that is already in a contest, but you want to participate solo, that's possible too. Do note that details about team participation and management can be found at the same link above.\n\nIf you're interested in private auditing contests, you need to be a certified warden. 
To become one, you have to compete in the audit contests and meet certain criteria, like the number of findings and contest participations. Once you're certified, you may be able to join private auditing contests and get access to invitational audits. More details on certification can be found at https://docs.code4rena.com/roles/certified-contributors.\n\nFor information on upcoming contests, you can visit our website at code423n4.com. You can also find information about the timing of the next audit event or contest on our Discord chat platform, as our team is regularly in contact with various projects about upcoming audits.\n\nIf you're new to auditing and looking for recommendations on past contests to practice on or to read old reports, participating in contests can be a great way to gain a better understanding of audit reports. \n\nFinally, if you're interested in running an audit contest for your company, feel free to reach out to us for more operational details and pricing inquiries.", "Question: I've participated in a CodeArena contest and the leaderboard has been posted along with the rewards, but I can't find the final report on the C4 site. Is it appropriate for me to publicly discuss the bugs/issues I discovered during the contest, or should I wait for the official report?\n\nAnswer: It's paramount to wait until the final report is published before publicly discussing or writing about any bug or issue you found during the contest. After a contest ends, the leaderboard is updated and rewards are sent out, but the final report may not be immediately available on the C4 site. The reason for this delay is that submitted bugs and issues are reviewed and triaged immediately after the contest, but they await sponsor review and final judging. These processes can take time and the report goes live only after CodeArena receives approval from the involved projects.\n\nDuring this period, it's crucial not to publicly discuss bugs and exploits related to the contest. 
This is a part of responsible disclosure to maintain the integrity of the contest and the projects involved. The findings submitted for the contests can be reviewed after the report is published and the findings repository is made public. If you've submitted a finding that wasn't rewarded, you can review why it wasn't accepted once the report is published and the repository is fully opened.\n\nPlease also note that there are some restrictions on altering the severity of reported bugs after the contest has ended. If necessary, this can be done either through the PR or by contacting one of the judges. If you have further queries about the progress and schedule of final reports, you can inquire within the community. You can also learn from previous reports which are available at https://code423n4.com/reports. This can give you an idea of what a high-quality submission looks like and the process for the announcement of results.", "Question: How do private, versus, and mitigation audits impact the CodeArena leaderboard, and what are the prerequisites to participate in these audits?\n\nAnswer: Currently, private, versus, and mitigation audits do not impact the leaderboard. However, there are ongoing discussions about the possibility of including them in future. To participate in these audits, one typically needs to be certified and rank on the leaderboard. This is particularly the case for private contests - the eligibility to audit these usually requires certification and ranking on the leaderboard. Certified contests, like the upcoming 225, do have an impact on the leaderboard. \n\nThere has also been a conversation regarding required-KYC contests and their influence on the leaderboard. There are differing opinions on whether this is fair to non-KYC wardens. \n\nFor Mitigation Review, participation is usually open to those who took part in the original invitational audit. 
If a participant points out a bug or logic flaw that is approved by the judge, this is considered an achievement. However, if there are disagreements between the participant, judge and sponsor about a finding, the final decision on the mitigation part lies with the sponsor. \n\nThere is potential for ranking cutoffs for auditing private contests, with usually the top 3 or 5 wardens taken for mitigation review or invitational. Also, one can get into the list for private contests by becoming a certified warden, and ranking on the leaderboard can boost the chances of qualifying for these.\n\nIt's worth mentioning that private contests are not strictly open to only top-ranking wardens. The eligibility criteria for each opportunity can be found in #\ud83d\udd96rsvp-certified. \n\nFinally, remember that teams can also participate in auditing contests and users can join these teams to participate in the audits.", "Question: How can I participate in an audit contest at CodeArena, both individually and as a team?\n\nAnswer: Whether you are an individual or a team, you can participate in audit contests at CodeArena. Firstly, visit the contest page at https://code4rena.com/contests to view open competitions. As an individual, you can join the contests after signing up as a warden. To do so, you need to log into your account. \n\nIf you\u2019re part of a team, you can also participate in the audits. All team members can join the contest using a single wallet during registration. \n\nParticipating in these contests can provide a better understanding of audit reports and the criteria for becoming a certified warden. Certified wardens have further access to private audit contests which require certification and sometimes a ranking on the leaderboard. 
To become a certified warden, you can find more details at https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0.\n\nSome contests are invitation-only and you have to participate in the original audit to be eligible. Also, remember that ongoing contests and specific details can be found on the CodeArena platform or in the #\u270brsvp and #\ud83d\udd96rsvp-certified channels.\n\nCompanies interested in running an audit contest can reach out for more information on operational details and pricing. We regularly conduct audit contests, so keep an eye out for upcoming ones. \n\nLastly, remember that there's a process to submit and edit your findings while an audit is open. Visit the contest page and click on the \"Your Findings\" button to submit your reports. Happy auditing!", "Question: What are the prerequisites and steps to participate in private contests after becoming certified at CodeArena?\n\nAnswer: Once you've achieved certified status at CodeArena, you can participate in a wider range of contests, including private ones. To participate in private contests, you need to RSVP in the rsvp-certified channel and ensure you hold a high rank on the leaderboards from the last 90 days. Certification also gives you access to private repositories after a contest is finished, where you can view other submissions and learn more quickly.\n\nPlease note, some contests might have specific requirements such as KYC procedures to receive prizes. If you're competing with a team, all members must also be certified to receive payouts. Some contests may be open only to individuals who participated in the original audit. 
For more detailed information, visit https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.\n\nWhile becoming certified does not automatically grant access to previous contests' judging repositories, obtaining backstage access can provide this.\n\nFinally, participation in contests is not only for winning but also recommended for improving your skills.", "Question: How long does the certification process take at CodeArena and what are the steps I need to follow to become a certified contributor?\n\nAnswer: The certification process at CodeArena involves sending your identity for verification. The process begins with you submitting an application to become a certified contributor. Provenance is typically responsible for sending the Know Your Customer (KYC) mail within one business day after the application is submitted. However, it might take 2-3 weeks for you to receive the KYC email after submitting an application, so please check your spam folder as well. \n\nThe KYC process involves providing documentation for proving your identity and possibly address verification. This might include a passport or a certified copy of your identity. Some users have completed the process with a photo ID and a selfie. There is a 48-hour deadline for response after providing all documents for KYC to Provenance. \n\nOnce your application is approved, it generally takes between 2 to 5 business days for your 'certified' status to reflect on your profile. You will receive an email update about the status of your certification process. You can also check your assigned roles by clicking on your name. \n\nPlease note that becoming a certified contributor does not require a full-time commitment; it simply indicates that your identity has been verified by the organization. If you find a high finding, you can apply to be certified by contacting the organization through the help desk form. 
\n\nRemember, the certification process can move more quickly if the necessary documents are supplied promptly to the KYC provider. For more detailed instructions on how to begin the certification process, please visit https://docs.code4rena.com/roles/certified-contributors.", "Q: What is the process for becoming a certified auditor with CodeArena, what documentation is required, and how long does it typically take?\n\nA: To become a certified auditor with CodeArena, you must undergo a verification process, often referred to as the KYC (Know Your Customer) process. This involves submitting your identity for verification. Acceptable forms of identification may include passports, national identification cards, or a driving license. In some cases, a selfie or a certified copy of an individual's identity may be sufficient, and proof of residence may not be necessary. \n\nOnce you submit your identification, the certification process is approved by Provenance. This process typically takes between 2 to 5 business days, with an overall timeline of approximately 2-3 weeks to become certified after filling up the necessary forms. However, the process can potentially be started within 48 hours of a contest and upon completion, you might be awarded if eligible.\n\nAfter approval, it may take a few more days for the 'certified' status to reflect on your profile. You can check your status by clicking on your name to see assigned roles, or through the status updates sent via email.\n\nIf you have any issues with the process or if your 'certified' status isn't reflected even after approval, you can contact CodeArena through the help desk form to expedite the process or to request Certified+ status. 
To receive your payout after an audit, you need to complete the certification process within 30 days of the end of the audit.\n\nPlease keep in mind that the certification process can move more quickly if the necessary documents are supplied promptly to the KYC provider and that there's a 48-hour deadline for response after providing all documents for KYC to Provenance. \n\nPlease note, being certified does not require a full-time commitment; it merely indicates that your identity has been successfully verified.", "Question: What is the process and incentive model for Code4rena's issue submissions, especially in cases of duplicate issue submissions, team reporting, and the timing of issue discovery?\n\nAnswer: Code4rena operates under an incentive model that doesn't prioritize the timing of issue discovery; there are no additional rewards for being the first to discover an issue. Instead, the process is designed to encourage high-quality submissions. If multiple wardens (those who submit issues) find and report the same bug, each receives a portion of the allocated reward. However, the reward for a given issue is divided among the wardens who report it, meaning the more wardens discover the same issue, the smaller each individual's share becomes. You can find more details about this at the following link: https://docs.code4rena.com/incentive-model-and-awards.\n\nFurthermore, it's important to know that the order in which issues are reported doesn't necessarily align with submission times. Judges choose the primary issue based on the quality of the write-up, not the order of submission. Therefore, a well-documented submission might receive greater recognition and potentially a larger bonus. \n\nIn terms of team submissions, if a team submits a unique finding, it receives more rewards than if individual members had submitted the same finding separately. 
However, the specific process for team submissions is not detailed in the observations.\n\nLastly, it's crucial to understand the treatment of duplicate submissions. If submitting two similar reports results in one being marked as a duplicate, it could affect the payout. You can find the judging criteria for duplicate submissions at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions.\n\nRemember, the goal is to encourage quality over speed. The best report typically receives more money, and duplicates below a certain threshold might not receive any. Your work's quality and the details you include in your report are what truly matter in this process.", "Question: How can I distinguish between private and public contests on CodeArena's Discord server, and gain access to participate in these contests?\n\nAnswer: CodeArena hosts both private and public contests for auditing smart contracts. Announcements about these contests are made in the #\ud83d\udce2announcements channel on our Discord server. However, there might be some confusion between these two types of contests.\n\nA public contest is open to all users and its information can be found on the #\u270brsvp channel. When new public contests are confirmed, they are posted in this channel. The results and findings of public contests are also announced in the #announcements channel. \n\nPrivate contests, on the other hand, are only for certified wardens. Information about private contests and how to participate in them is available in a channel that's only visible to these certified members. The qualifications required to participate in private contests are described in the #\ud83d\udd96rsvp-certified channel. 
Some private contests are open only to those who participated in the original audit.\n\nEach contest, private or public, has a dedicated channel where you can ask general questions, discuss potential submissions with the project's dev team, or find automated findings in the pinned messages. If you have specific questions about the scope of a contest, you're encouraged to connect with the sponsor via their contest channel or Direct Message (DM).\n\nMoreover, you can check CodeArena's website and our Discord server for notifications about new contests. And we're considering a notification system like a Telegram bot for announcing new contests. \n\nPlease note that there might be some contests that are not updated on specific channels immediately. So it's advisable to regularly check the #\u270brsvp channel and the announcements channel for the latest information.", "Question: I have received approval for my KYC application but I'm unable to access private contests. What steps should I take next?\n\nAnswer: \nKYC (Know Your Customer) approval does not automatically grant access to private contests. Even after KYC approval, certain private contests may not be accessible if they have already been assigned or if you do not have a certified status on your handle. \n\nTo access private contests, you need to complete KYC and become a certified warden. Detailed information on the process can be found in the Code4rena documents [here](https://docs.code4rena.com/roles/certified-contributors). \n\nIf you have done these yet still facing issues, it's recommended to raise a help desk request [here](https://code4rena.com/help). Generally, the company responds to these requests within five business days.\n\nIt's important to note that backstage access is required to access the contest repository post-closure and pre-public report release. 
However, this access is provided only to those who have certified status and have met minimum submission requirements.\n\nIf your KYC application is rejected or still pending after a considerable time, you can also raise a help request. \n\nPlease note, for some contests, completion of the KYC process might be required to receive prizes. This will be stated in the contest requirements. If a team wins a prize but cannot claim it due to KYC issues, it's unclear whether the prize will be on hold until the team completes the KYC or if it won't be claimable. \n\nFinally, remember that not all contests require you to complete KYC, only those that specifically state this requirement.", "Q: How does CodeArena handle findings generated by bots like ChatGPT in smart contract audits? How can these be reported and do they impact the contest?\n\nA: CodeArena acknowledges automated findings generated by tools like ChatGPT. However, these findings might not be as insightful without analyzing the full codebase, which could be large and span across different files. Automated findings are run through a specific bot tool and participants can include such findings in their reports. When doing so, it's important to clearly indicate to the judge that the finding is related to a bot finding. \n\nFor submission guidelines related to automated findings, please refer to our [submission policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). If a low severity finding in a contest's bot report is escalated to a high severity, it isn't automatically invalidated. The criteria for judging these cases are also explained in our submission policy. High-quality and high-quantity findings generally score better in CodeArena competitions.\n\nSome automated findings might be out of a contest's scope and are accordingly listed under \"Known Findings\" on each contest's Readme Page. 
If you find an issue in the same category as a bot report but not included in the bot report, it can be considered a valid finding. For example reports and how they are judged, you may refer to our past submissions at [CodeArena Reports](https://code423n4.com/reports).\n\nIn addition to this, we also have competitions known as bot races, where users are recognized for findings made with AI. There's ongoing discussion about the presence of unique vulnerabilities or their number, as well as whether accuracy (no false positives) would be an advantage in these races. Finally, please note that bot-proposed fixes should be scrutinized carefully, as they could potentially introduce other vulnerabilities.\n", "Question: What are some effective methods and resources for studying the Compound codebase?\n\nAnswer: The Compound codebase can be studied directly from the compound repo. However, understanding the purpose of a codebase generally requires reading the documentation or having previous experience with similar code. If you are new to this, resources like https://cryptozombies.io/ for learning solidity and https://capturetheether.com/ for Capture the Flag challenges can be beneficial.\n\nSeveral GitHub resources were also mentioned in our discussions, such as https://github.com/transmissions11/solcurity and https://github.com/Tomosuke0930/C4-report-categolized. Reports from previous audits, particularly from smaller bounty contests, might be helpful to begin with due to their smaller codebase sizes and less complexity. These reports can be found at https://code4rena.com/reports. \n\nYou can also reference the CodeArena repositories ending in suffix -findings, like https://github.com/code-423n4/2022-04-backed-findings for more specific examples. 
Top QA reports from recent audits can be found at the following links: https://github.com/code-423n4/2022-04-backd-findings/issues/182, https://github.com/code-423n4/2022-04-phuture-findings/issues/56, and https://github.com/code-423n4/2022-04-dualityfocus-findings/issues/33.\n\nFor learning about the solidity compiler, opcode, regex, abstract syntax tree analysis, and testing contract download from GitHub, the following resources could be useful: https://www.evm.codes/, https://library.dedaub.com/decompile, and tools like Mythril and Slither.\n\nWhile studying the codebase, make sure to reference your sources appropriately if you are planning to write reports or audits. When citing vulnerabilities, it is recommended to include both the URL to the repository with the line number and a code block. All past submissions can be found in any repository ending with -findings on the CodeArena GitHub: https://github.com/code-423n4.\n\nLastly, remember that understanding a large codebase might require more time for a thorough review, otherwise bugs may be missed. Engaging in code contests on CodeArena could be a practical way to start contributing and learning.", "Question: What is the process of detecting bugs using automated tools like ChatGPT in smart contracts and how are these findings treated in Code4Arena contests?\n\nAnswer: The process of finding bugs using robots such as ChatGPT typically involves running the tool on the full codebase to generate a report of potential issues. However, these automated findings sometimes can be considered not very useful without the context of the full codebase. Additionally, there's a concern that the fixes proposed by bots might introduce more damaging exploits. \n\nIn the context of Code4Arena, automated findings do have a role, but the use of such tools doesn't qualify for individual rewards in the regular contest. 
If participants wish to use AI tools for auditing, they're advised to enter the bot races at https://code4rena.com/register/bot. In these bot races, findings made with AI are rewarded. \n\nIt's also worth noting that there may be some ambiguity about how to treat automated findings. For example, it's unclear whether bug reports should assume that automated findings will be fixed, particularly if the proposed mitigation introduces a new bug. It's recommended to treat bot mitigations similarly to wrong fixes proposed in the chat. \n\nIf you still wish to include findings related to a bot in your report, make sure to clarify to the judge that the finding is related to a bot finding. Examples of past submissions can be found at https://code423n4.com/reports. \n\nHowever, please be aware that receiving a warning indicating the invalidation of your submission due to the use of ChatGPT tools might occur. Proving innocence in such a case may require additional discussion. \n\nIf you're curious about the use of other tools for finding potential issues, such as fuzzing tools like Echidna, they also play a role in auditing during contests. \n\nRemember, Code4Arena uses a process that consistently finds more bugs faster than other methods, as highlighted by Quantstamp's Sebastian Banescu in his talk https://www.youtube.com/watch?v=O1rKwDv5kLQ. The mantra \"More auditors, more findings\" emphasizes this approach. \n\nUltimately, the goal is to discover as many bugs as possible, and every contest releases a report about the bugs found, which can be used for learning and improving future audits.", "Question: What is the nature of the ARENA token, and does it support staking?\n\nAnswer: The ARENA token is a minimum-viable-governance token with sovereignty over the DAO treasury of CodeArena, a company that conducts audits for smart contracts. As of now, there is no token staking for the ARENA token. 
Despite not having the volume to be listed on CoinGecko, the ARENA tokens can be obtained using the contract address 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222. There is ongoing consideration for a proposal to list the ARENA project on one of the top ranking 40 exchanges. However, please beware of phishing scams involving links to purchase ARENA tokens from untrustworthy URLs. More information about the ARENA token can be found in the DAO constitution at https://github.com/code-423n4/org/blob/main/CONSTITUTION.md.", "Q: How does CodeArena handle findings generated by automated tools or robots, and how should I report them?\n\nA: CodeArena uses automated tools to generate certain findings, also known as bot-generated findings. These include a broad range of issues from high-risk vulnerabilities to gas optimizations. \n\nWhen it comes to contests, findings listed in the best bot-generated report are considered out of the contest\u2019s scope, that is, they are known issues and are not accepted in the contest. However, findings from non-best, unpublished bot-generated reports are still eligible for submission. If your finding correlates with an automated finding, you should include it in your report and clarify this connection for the judge. \n\nIf a low severity finding in a contest's automated report is escalated to high severity, it's not automatically invalid. The specifics for judging such cases are explained in our submission policy, which you can read at [the submission policy page](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nIf your finding could fit into two categories, such as mechanism and architecture, or QA and gas savings, you can include it in either report, and the judges will decide where it best fits. If you encounter a variety of findings based on different combinations of issues, it is acceptable to report these in different attacks. 
Non-critical findings can be compiled into one combined QA report.\n\nWhile the exact tool used for automated findings is not specified, some auditors may use tools like ChatGPT to automate the process of finding potential issues. We also encourage participants to join in our bot races, where users are rewarded for findings made with AI.\n\nThe impact of your findings on your contest score and potential payouts can be influenced by the quality and quantity of your findings. For a deeper understanding of what we're looking for, you may compare your findings with winning reports found at [the reports page](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues).\n\nFor each contest, the Readme Page includes a \"Known Findings\" section where we list automated findings that are not accepted in the contest.\n\nRemember, all types of accepted reports from high-risk to gas optimizations are eligible for payouts, assuming the report is of high quality, the findings are accurate, and there is a working proof of concept. Proof of Concept (POC) may be needed for medium findings. If you're uncertain about the reasons for findings rejection, or how to submit additional findings, don't hesitate to reach out for clarification.", "Question: Can I discuss potential issues or submissions with the sponsor's dev team during a contest, and if so, what are the guidelines?\n\nAnswer: Yes, discussing potential issues with the sponsor's dev team during the contest is allowed and encouraged. You can reach out to them either in the contest channel or through direct messaging. However, to maintain fairness, it's suggested not to discuss potential submissions directly in the contest channel as it might reveal your findings to others. To ask specific questions about the scope of a contest, you can address them to the respective sponsor. 
If you believe you have found a vulnerability, you are able to disclose it directly to the dev team, although you must remember to also submit it through the contest submission form to be eligible for awards. After you've made a submission, if it's not rewarded, you can review the discussion among sponsors and judges on your specific issue once the report is out and the repository is fully opened. Please note that there are restrictions on discussing bugs and exploits after submissions for a contest are closed and before contest results are out. You can read more about the rules at: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123", "Question: How does CodeArena recognize and categorize findings generated by participants and how are they judged?\n\nAnswer: Findings in CodeArena are generated by participants, often termed as wardens, who report specific issues they've identified during the audit. These findings can range from bugs discovered by automated bots like ChatGPT to individual and team discoveries. When such findings are reported, they are to be clearly stated in the report submitted to the judge.\n\nEach submission undergoes a review process. After submitting a finding, participants can expect a follow-up. The judges determine the attribution of the findings IDs in the findings.csv file at their discretion. The process to find out how findings were judged typically involves checking the data folder in the findings repo and looking for JSON files named as [warden-handle]-[issue number].\n \nThe judges and the contest sponsor have a say in the acceptance and categorization of findings. If a participant has findings, but the judge and sponsor disagree with their proposed mitigation, the final decision on the mitigation part rests with the sponsor. \n\nEach finding can be categorized into various types based on the issue found. 
A user asked where to categorize findings that could fit into two categories such as mechanism and architecture in an analysis report. Similarly, a finding that is relevant to both QA and gas savings can be included in either report, and judges may decide where it best fits. Front-running possibilities could be considered either Medium findings or QA, depending on the impact. \n\nParticipants are advised to make a strong case to escalate a known low from the automated findings to a high, if they believe that high-risk findings should be considered. The rewarding formula for findings of different severity and how the finding count value changes in the case of partial credit is determined based on the specific contest and judge's decision.\n\nFeedback for findings is provided, and the reasons for any findings rejections are communicated in some form. It's important to note that if a team submits a non-duplicate finding, the team gets more rewards than if they had individually submitted the same finding. \n\nFinally, to avoid dishonest practices, the findings are revealed to the project only when the contest is over. The findings repo is made public once the report is published. Participants can edit their submitted findings by navigating to the contest page and clicking on the 'your finding' button. \n\nFor more detailed information on this process, participants can refer to the [Contest Guidelines](insert link) and the [Findings Repository](insert link).", "Q: How is the accessibility and structure of future contests determined and where can I find information about these contests, particularly the ones with higher prizes or specific requirements such as KYC verification?\n\nA: The accessibility of future contests, whether they are public (open to all) or private (restricted) is determined by a variety of factors, including the sponsors of the contest. 
For real-time updates, you can constantly check the #\u270brsvp channel on our Discord where all new public contests are posted. If you become Certified, you'll also be privy to information about upcoming private contests. \n\nHigh-prize contests, like the $1M opensea contest, are also announced in this channel. However, please note that even after KYC approval, some private contests may not be accessible if they've already been assigned. The specific requirements for each contest, including KYC (Know Your Customer) verification, are stated in the contest information. More details about KYC can be found at: https://docs.code4rena.com/roles/certified-contributors. \n\nPlease note, if a team wins a prize but can't claim it due to KYC issues, it's unclear whether the prize will be held until KYC completion or lost. This depends on the individual contest rules. \n\nFor specific questions about a contest's scope, you should contact the respective sponsor. Payments for contests are usually made in the cryptocurrency USDC on the Polygon network. \n\nInformation about current and upcoming contests can also be found on our website. We are in regular contact with various projects about upcoming audits, and we're considering indicating the number of participants in a given contest to help users gauge competition. We plan to run more contests with an initial audit prize pool and a mitigation review pool structure, so stay tuned!\n\nLastly, if you're interested in seeing multiple designs and best security practices or running an audit contest for your contracts, our platform hosts a variety of contests related to different aspects of smart contracts, including staking platform contracts. 
You can reach out to us for operational details and pricing.", "Question: What are the limitations and considerations when using automated tools, like ChatGPT, for bug reporting in smart contracts, and how does CodeArena handle such reports?\n\nAnswer: Although automated tools like ChatGPT can be helpful in identifying potential issues in smart contracts, they possess certain limitations. For instance, when a smart contract project involves large codebases with thousands of lines of code across multiple files, it is not feasible to import the entire project into ChatGPT. \n\nMoreover, a bug report generated by such tools may not be considered very useful without encompassing the complete codebase, and there's a risk of missing bugs if a thorough review is not done over larger codebases. There may also be cases where a bot may report a problem but not cover all the relevant parts of the codebase where the problem exists. \n\nIn terms of handling these reports, CodeArena does not differentiate the treatment of bot-generated findings from other types of findings. If the bot-generated remediation introduces a new bug, it is treated equally as a wrong fix proposed by human participants. \n\nWhat's important to note is that the validity of these findings is often subject to their clarity, detail, and substantiation. For example, a bug report without a Proof of Concept (PoC) may be disregarded unless the issue is extremely obvious, such as a wrong parameter, typo, or code that doesn't compile. \n\nUsers are encouraged to provide a PoC for each bug they find and they have the option to add this as a zip file to the submission or share it via a private Github repository. CodeArena's bug submission process allows for understanding why a bug report was not accepted, aiming to improve future submissions. 
\n\nRemember, in the context of CodeArena, a bug report can be submitted with a Gist link, but it's important to be cautious about whether to leave direct links to the code on GitHub or to refer to a specific file and line number, as there's ongoing debate on referencing code in the reports. \n\nOn a final note, there are certain restrictions and guidelines on discussing bugs and exploits after submissions for a contest are closed and before contest results are out, and findings from bug hunts can be submitted as shown in the examples found at https://code423n4.com/reports.", "Question: Why are there fewer upcoming contests on CodeArena and how can I stay updated about future contests?\n\nAnswer: The number of contests on CodeArena can fluctuate based on the timing and needs of our customers. It's normal for the contest number to decrease at times as we process them in a specific order representing contest progression. Additionally, top-tier projects can suddenly appear in the #rsvp channel, which we allocate time for. We have several new contests expected in the coming months, including two already queued for next week. Upcoming contests are listed on the CodeArena main page at https://code4rena.com and on our website at code423n4.com. We advise contestants to regularly check these sites, as some contests might not be immediately updated on all channels. We're also considering the inclusion of participant numbers for each contest for better transparency. Please note that there may be a delay in updating contest results due to an increase in issues or limited judge availability. Thanks for your patience and we look forward to your continued participation in our contests.", "Q: Why is the bug report generated by automated tools like chatGPT often considered incomplete or not very useful without the full codebase input?\n\nA: Automated tools like chatGPT can assist with identifying potential bugs in smart contracts. 
However, their reports are often considered incomplete or less useful without the full codebase input. These tools might fail to provide a comprehensive overview of the issue, often lacking in context or missing out on specific areas in the codebase where the problem exists. \n\nThis limitation is particularly relevant in scenarios where a bug report lacks a Proof of Concept (PoC). Without a PoC, a bug report might be disregarded unless the issue is extremely clear, such as a wrong parameter, a typo, or code that fails to compile. For instance, in the context of Code4Arena, submitting a high severity issue without working code that demonstrates the impact could lead to a high severity issue being downgraded or even deemed ineligible for awards.\n\nFurthermore, there's a significant difference between findings by humans and those generated by automated tools. The latter might sometimes suggest fixes that could introduce new bugs. It's therefore crucial not to treat automated fixes differently from wrong fixes proposed by human users. \n\nAlso, if an automated tool reports a problem without indicating all actual parts of the codebase where that problem exists, it might be necessary for the user to add them. However, including instances of the same issue reported by a bot in the reports is generally not considered worth the effort.\n\nFor a bug report to be useful, especially in larger codebases, it should provide sufficient context, capture the impact of the bug, and propose viable mitigation steps. While filling the \"Recommended Mitigation Steps\" in the bug template is not strictly required, doing so can significantly enhance the value of the report. \n\nLastly, it's worth mentioning that while automated tools can be useful, human expertise and manual review are still essential aspects of a thorough smart contract audit process. 
For example, beginners in the Code4arena community are advised to submit one report and reference related issues in it, demonstrating an understanding of the overall codebase. They can even check out previous reports at https://code423n4.com/reports to get an idea of what a high-quality submission looks like. \n\nRemember, the goal is to make a report useful to the reader, so providing relevant context and clear explanations is critical.", "Question: Is it beneficial to attend blockchain events like ETH.Denver, and what opportunities can I expect there?\n\nAnswer: Attending events like ETH.Denver can be very beneficial, especially if you're interested in the blockchain and smart contract industry. CodeArena (C4) regularly attends these events, with most of the growth team being present. Other events like ETH.NYC, ETH CC Paris, and ETH Belgrad are also frequented by our team. These events provide an excellent opportunity to meet and network with our team members, learn from industry professionals, and immerse yourself in the blockchain community. For instance, at ETH.Denver, you would have the opportunity to see talks by our team members, like Sock. You can also utilise these events to get better at your skills. For instance, if you're looking to learn advanced solidity and defi industry standards, resources like The Ethernaut challenges (https://ethernaut.openzeppelin.com/) and Damn Vulnerable DeFi (https://www.damnvulnerabledefi.xyz/) would be recommended. 
It's important to consider the financial cost of attending these events, but the knowledge, networking opportunities, and exposure you gain could be invaluable for your career in the blockchain industry.", "Question: How can I access, view, or modify my findings after a contest has ended and is in the judging process?\n\nAnswer: After a contest at CodeArena ends, there is a review process that takes place which includes a sponsor review, judge review, sponsor confirmation, judge's final report, and announcement of results. During this time, you will not be able to view the status of your submissions. The \"Findings\" tab next to the contest description allows participants to track their report status and edit their findings while the contest is still open. You can also withdraw or modify your submissions by going to the contest page and clicking the \"Your Findings\" button. However, you can't access the findings once the contest ends and it goes into the judging process. \n\nAfter the judging process, a final report is published and the findings repo becomes public. This stage allows you to see the results of your submissions and understand why some findings might have been rejected. Please note that the exact timeframe for when the findings repo becomes publicly available is not specified and it usually takes at least a month after the contest ends. \n\nFor any further inquiries about the submission or review process, you can always refer to the C4 Contest page (insert link). Note that all submissions are confirmed via email, and certified+ wardens can view the findings repo immediately after a contest ends. Keep in mind that not all submitted findings may make it to the final report.", "Question: What is the process and guidelines for submitting a high or medium severity issue which is found during the contest to CodeArena?\n\nAnswer: There is no specific timeframe for submitting high or medium severity issues to CodeArena. 
Issues can be submitted at any time during the contest including on the last day, however, they should not be submitted too close to the contest close time. The process for submitting an issue involves using the C4 form which can be found within the contest guidelines.\n\nIn case you're unsure if your findings should be submitted as separate issues or as one, it is recommended to review the submission guidelines or direct message the sponsor team for additional context. More than one high/medium bug report can be submitted per contest, and you can edit your findings on the C4 page while the contest is open. \n\nIf an issue is found a few days after the contest ends, it should most likely involve responsible disclosure to the development team, and it would not be awarded by C4 outside the contest timeframe.\n\nIn terms of the severity of issues, if you submit a medium report and it is deemed high, unless there's a reason to penalize it such as it being incomplete, lacking detail, or not as accurate, it gets raised to high. There's no penalty for incorrect medium/high submissions. If a High severity bug turns out to be only Medium, the reward for a Medium bug is still received. \n\nIf a finding is submitted as a low in the QA report, but the judges determine that its a medium, it will be eligible for medium rewards. More details can be found in the submission policy at https://docs.code4rena.com/roles/wardens/submission-policy.\n\nUsers are typically unsure if they can contact judges directly to ask if they should submit something. It is recommended to follow the guidelines and if there's a lack of clarity, you can reach out to the sponsor team.\n\nLastly, the results of submitted issues to the contests in CodeArena are revealed once the report is made public. 
In the meantime, users can check previous reports to see what a high-quality submission looks like.", "Question: How can I modify my Code4Arena profile including changing the profile icon, username, and linking my Twitter account?\n\nAnswer: Users can modify their Code4Arena profile, change their profile icon, username, or link their Twitter account, by submitting a help desk request at https://code4rena.com/help. When submitting a request, ensure to provide a link to your new profile picture if you wish to change it. If you want to link your Twitter handle to your profile or to change it, include your Twitter URL in your request. Remember to provide your warden name, if applicable. After each contest, the leaderboard is updated, and any changes made to your profile will be reflected there. Note that to change your username, you might need to re-register on Code4Arena. Please also note that some profile editing features, such as adding a profile picture or Twitter handle, might require certification. If you encounter any issues or require further adjustments, you can report the fixes via the help desk.", "Question: Can we expect more contests on CodeArena, particularly with high prizes like the $1M OpenSea contest?\n\nAnswer: Yes, CodeArena is actively planning to increase the number of contests. We have a series of new contests expected to take place in the coming month, with two already lined up for the next week. There's also a possibility of running multiple contests simultaneously, with an aim to handle up to 20 contests a week. This includes both public and private contests. However, it's important to note that access to certain contests might require a certified status. We understand the excitement around high-prize contests like the $1M OpenSea contest, and we're also considering more such contests in the future. 
As a side note, we also plan on enhancing the contest experience with new features, such as indicating the number of participants in a given contest, creating a leaderboard, and implementing a new submission mechanism. We encourage all users to actively participate in these contests to improve their skills. Make sure to stay updated with the contest schedule and other related information via our Contests section.", "Question: How can I view, edit, and understand the status of my findings submitted to a CodeArena contest, and when will they become publicly available?\n\nAnswer: After submitting your findings to a CodeArena (C4) contest, you can view and edit them through the \u201cYour Findings\u201d button on the contest page. A confirmation email will also be sent upon submission. If you cannot see your submission in the \u201cFindings\u201d tab, it could be due to it not being accepted or published in the final report yet.\n\nYou or your team can view only your own findings until the final report is published and the findings repository is made public, at which point all findings become visible to all participants. The timeline for report publication can range from 2 to 6 weeks or even longer in some cases, so you would need to wait till then to know the status of your findings.\n\nIf your findings were rejected, the reasons for their rejection will be available in the published report. It's important to note that not all submitted findings will make it to the final report, and the reason might not be immediately known. \n\nFor contests that have ended, even if there is no table with results, you can still view reports from other wardens. However, findings of a contest cannot be viewed after it finishes but before the results are published. \n\nIf you wish to modify or withdraw your findings, you can do so by navigating to the contest page and clicking on the 'Your Findings' button. 
\n\nPlease note, there is currently a discussion about whether findings can be edited by the original author after submission. Also, note that findings in non-winning bot-generated reports that remain unpublished are still eligible for submission. \n\nLastly, if you wish to submit additional findings after an initial low-risk finding was submitted, you can do so through the contest page. \n\nGenerally, participants are advised to wait for the report to be published and the findings repo to be made public to check on their submissions. For more details, you can refer to our [link to relevant help page].", "Question: Can the storage of the implementation contract be exploited in any way to influence the delegate caller contract when dealing with upgradeable contracts?\n\nAnswer: Generally, it should not be possible for the implementation contract's storage to affect the delegate caller contract when using delegatecall. The delegatecall function operates in such a manner that the code of the target contract is utilized by the Ethereum Virtual Machine (EVM), without granting access to the target's storage or its contents. The specifics of how delegatecall interacts with storage can be found in the [Solidity documentation](https://soliditydeveloper.com/differences-between-call-callcode-and-delegatecall) and the Geth source code on [GitHub](https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302).\n\nHowever, in context-specific scenarios, certain vulnerabilities can arise. For instance, in the discussion about upgradeable contracts and storage variables, a medium-risk vulnerability was mentioned in relation to Alchemix contracts where a lack of storage gap for the upgradeable contract might result in a storage slot collision ([refer](https://code4rena.com/reports/2022-05-alchemix/#m-05-no-storage-gap-for-upgradeable-contract-might-lead-to-storage-slot-collision)). 
This indicates that while generally, the storage of an implementation contract should not affect the delegate caller contract, in certain cases and when not properly managed, it might lead to significant issues.\n\nNote that the severity of such a vulnerability can depend on different factors, including the specific context of the contract or function in question. In situations where a bug in a contract is found to affect another contract, the decision to count the impact would typically lie with the judge. In addition, it's also important to understand that some of the contracts under discussion could already be deployed, while others might not be. Therefore, the implications of such vulnerabilities and the appropriate response would depend on the specific circumstances.", "Question: What is the process to access the findings repository after a contest ends on CodeArena, and when are the findings made available to different stakeholders?\n\nAnswer: The findings repository contains analysis results from CodeArena contests. After a contest is closed, there is a period of time before the findings repo becomes publicly available for discussion. The specific duration is not specified, but it usually becomes public when the final contest report is published. \n\nDuring the contest and judging phase, only the CodeArena team has access to the submissions. Certified+ wardens can view the findings repo immediately after a contest ends to assist with post-contest processes. However, please note that the immediate access to the findings repo for Certified+ wardens has not yet been rolled out to all. \n\nParticipants can track the status of their report and view and edit their findings in the 'findings' tab next to the contest description. If a submission to a contest is made but not rewarded, participants can review why their submission was not accepted once the report is out, and the repository is fully open. 
\n\nSponsors of the contests do not have immediate access to the findings repository. They are given access to the findings repo either after the contest is over (for older contests) or one week after the contest has ended, once the issues have been triaged and deduplicated. \n\nBackstage access, which is based on the certified contributor role, can be applied for once the results are published to the leaderboard. It allows the user to access the findings repo immediately after a contest ends, but the applications for backstage access are currently suspended until further notice. \n\nFor more information, you can visit the Docs section on the CodeArena website: https://code4rena.com/docs.", "Question: Can you clarify the differences between a Versus contest and a Reserve contest?\n\nAnswer: A Versus contest and a Reserve contest are two different types of contests you might see at CodeArena. \n\nA Versus contest is a competitive access contest that is typically open only to the highest performing wardens who have RSVP'd. The word \"versus\" signifies a comparison or challenge between entities. This type of contest is typically invitational, with opportunities granted to wardens based on their rank in either specific contests or a recent performance window. To participate in a Versus contest, wardens need to have a certified status, which grants access to more contests. These contests often include a limited number of participants and may involve mitigation reviews or regular contests.\n\nOn the other hand, a Reserve contest is typically specific to a sponsor or an individual project. For instance, the Reserve mitigation review contest is a private contest, while the Ethos Reserve contest is an open public audit. \n\nIt is important to note that the contest details for both types of contests are available in the #\u270brsvp channel for wardens to decide if they want to compete. 
Also, the results of contests are dependent on how long judging takes, which may result in delays. \n\nTo learn more about Versus contests, you can read more at this link: https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef\n\nThe key difference between these two types of contests is that Versus contests are typically more competitive and restricted to certified wardens, whereas Reserve contests can be either public or private, depending on the sponsor's preference.", "Question: Who should I contact for on-boarding an entire blockchain ecosystem similar to what CodeArena is doing with Cosmos?\n\nAnswer: You can reach out to any of our co-founders or representatives from partner projects like Lion's Mane, Tracer DAO, and Gro for detailed discussion on the on-boarding process. They are available for communication via specific Discord channels. CodeArena has experience with on-boarding ecosystems like the Cosmos project, which is an ever-expanding ecosystem of interconnected apps and services, built for a decentralized future. For more details about the Cosmos project, you can check out these links: https://code4rena.com/cosmos, https://cosmos.network, https://academy.terra.money/courses/cosmwasm-smart-contracts-i, and https://github.com/Anchor-Protocol.\n\nCodeArena is also keen to expand beyond EVM and Cosmos chains, so discussions related to onboarding other ecosystems are encouraged. As for resources, most of our learning resources currently focus on Solidity, but we're open to creating or sharing additional resources for other blockchains. 
Please note that the on-boarding process may involve setting up contests specific to the chain, similar to how we accept ETH or Polygon for EVM league contests and Cosmos for Cosmos contests.", "Question: How can I use remix or other static analyzer tools like slither with the forge build for smart contract auditing?\n\nAnswer: To use static analyzers like slither with CodeArena's forge build, you will need to identify the remappings for slither. This can be done using the command `slither sec/Pair.sol --solc-remaps 'solmate/=path/to/solmate\\nopenzeppelin/=path/to/openzeppelin'`.\n\nRemix could be an alternative for checking solidity code for syntax mistakes and checks, similar to the functionality of the online Remix IDE. To compile code on Remix, you would need to clone the entire repository and install the dependencies with forge using the `forge i` command, or manually include the contracts on remix from OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate).\n\nIf you're facing issues like the 'Source from artifact has no AST' error when you run forge debug on a Hardhat project with Foundry integration, it might be helpful to know that Foundry is a framework used to write tests and check things like storage. You can also use tools like Hardhat and Foundry to generate a gas report.\n\nThere are other static security testing tools like solidity linter and C4udit [https://github.com/byterocket/c4udit] which are used for finding Publicly Known Issues and its newest fork is called Analyzer [https://github.com/Picodes/4naly3er]. 
You can also test contracts downloaded from Github with tools like Mythril and Slither.\n\nThere was a tool mentioned for viewing on-chain contracts of etherscan in an IDE like remix, which might be of interest: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484.\n\nIf you are looking for tools to test code coverage or want to know more about the tools used in audits, CodeArena runs contests for analyzing smart contracts and they use a process that consistently finds more bugs faster than other methods. You can connect with the booking team for a conversation.\n\nThis information should give you a good start for auditing smart contracts with CodeArena's tools. If you have more questions, please feel free to ask.", "Question: Will the CodeArena's office hour sessions or community calls be recorded and where can I watch them?\n\nAnswer: Yes, CodeArena's office hour sessions and community calls are recorded for future reference. The recordings are typically uploaded to our YouTube channel in the early part of the following week. If you are interested, you can submit questions for these recorded sessions. For more information on how to record a community call on a Discord voice channel, you can check out this guide: https://www.howtogeek.com/677198/how-to-record-discord-audio/. Always check the #\u270brsvp channel for announcements on upcoming events and opportunities to participate in public audits or contests. If you are a member of the CodeArena community, you also have the option to ask questions leading up to these events in our monthly call chat.", "Question: I'm trying to compile https://github.com/code-423n4/2022-12-caviar :src/Pair.sol on Remix, but I'm facing issues with missing external imports. Could you guide me on how to resolve these problems?\n\nAnswer: When trying to compile code on Remix, the first step is to clone the whole repository and install the dependencies using forge. 
You can do this by running 'forge build', and it should install the necessary contract dependencies for you. Alternatively, you can manually include the contracts on Remix. The external imports are usually from OpenZeppelin contract repo, which you can find here: https://github.com/OpenZeppelin/openzeppelin-contracts, and Solmate, found here: https://github.com/transmissions11/solmate.\n\nIf the error \"not found: File import callback not supported\" appears, it's related to these missing imports at the top of every .sol file. To help avoid syntax mistakes, you may want to consider using tools or plugins that check solidity code. However, we are uncertain if such a tool that functions similarly to the online Remix IDE exists.\n\nIt's also important to note that the number of lines of code (LOC) mentioned in the README.md might not match the actual lines in the contract files, as observed in the Sherlock finance's repo found here: https://github.com/code-423n4/2022-01-sherlock. \n\nYou can also make use of the static analyzer at https://github.com/byterocket/c4udit for QA and gas optimization, but we are not certain if Code4rena currently uses this. Moreover, for static security testing, tools such as solidity linter can be used, and Remix can check contract code for compilation warnings.\n\nIf you're a beginner in smart contract auditing, do not hesitate to seek help on our platform. You may find the resources for learning the solidity compiler and understanding solidity syntax useful. We also offer resources for testing contracts downloaded from Github with tools like Mythril and Slither. \n\nFor a visual understanding of smart contract interaction, you might consider using a graphical tool, such as the deprecated Surya tool: https://github.com/ConsenSys/surya. Decompiling solidity code can be done on https://library.dedaub.com/decompile. 
\n\nRegarding reporting issues related to smart contracts, you can refer to our guidelines at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md. \n\nRemember, CodeArena hosts contests for analyzing smart contracts, and we aim to build a community where everyone is learning and helping each other. Good luck!", "Question: How does the certification process work at CodeArena and what are its benefits?\n\nAnswer: To become certified, you need to follow the guidelines detailed at [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors). The certification process involves completing a form and sending your identity for verification. After your application is approved, it generally takes 2-5 business days for your certified status to reflect in your profile, although it can take up to 2-3 weeks in some cases. In addition, the status of your certification process will be updated via email.\n\nBeing certified has many benefits. It grants you the ability to participate in private audits, Versus contests, and access to backstage roles. To get a backstage role, you must meet certain qualifications in addition to being certified, after which you can create a help desk request to have your status evaluated. Certified users can also edit their profile, and have the chance to participate in all contests, including those exclusive to certified members. \n\nPlease note, however, that while some contests allow participation without certification, certification is required for payouts if any submissions are awarded. 
You can check your certification status by clicking on your name to see assigned roles or through email communication.", "Question: Is a line of code such as 'require(abc<123)' considered a valid low finding due to the presence of a \"magic number,\" and would declaring a constant value improve the code's readability?\n\nAnswer: Yes, in relation to smart contracts, a line of code like 'require(abc<123)' is considered a valid low finding due to the use of a \"magic number.\" It is recommended that a constant value be declared to enhance the code's readability. However, it's important to note that certain checks, such as \"x != 0\" can be cheaper than \"x > 0\" only in require statements and only prior to 0.8.13. This can be influential in optimizing gas usage in your smart contracts. \n\nIf a gas optimization finding is discovered that can be applied to more than one line\u2014including those with 'require' statements\u2014it should be reported as a single finding, with all applicable lines mentioned. An example of such an optimization could be excluding the increment (++i) in a for loop, which can significantly reduce gas costs.\n\nRemember that the consideration for readability and gas efficiency might change in certain cases. There are instances where immutable may cost less gas than constants. You can see an example in relation to this on [this issue](https://github.com/code-423n4/2021-11-overlay-findings/issues/111). \n\nWhen reporting your code findings, it may be helpful to include line numbers in your code snippets to clarify your points, though there is no strict consensus on this in the community. Some prefer to leave direct links to the code on GitHub or to refer to a specific file and line number. \n\nAlso, beginners may face difficulty in understanding certain code instances. In such cases, it is advised to make one report and reference the related issues in it. 
If you notice assumptions made in the code that are not explicitly mentioned in the README/code comments, do raise it as a valid issue. \n\nIn summary, while it is considered a best practice to avoid \"magic numbers\" for the sake of readability, there are several facets to consider in audit reporting, including gas efficiency and meaningful issue descriptions.", "Question: What tools are available for creating visual diagrams of Solidity, checking its syntax, and auditing its contracts?\n\nAnswer: There doesn't seem to be a specific tool for generating sequence diagrams for Solidity, other than the UML diagram tool Sol2uml. For syntax checking, the online Remix IDE is often mentioned for its checking functionality. However, it was not clear from the chat whether there are any plugins or other tools that provide similar functionality. The tool Surya is mentioned as a potential graphical interface for observing smart contract interactions, but it may be outdated [https://github.com/ConsenSys/surya]. Another tool for visualizing smart contracts is found on Github at [https://github.com/DanielVF/evm-contract-draw]. For on-chain contracts, a tool used for viewing in an IDE like Remix was mentioned, and a link was shared [https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484]. Several tools for auditing contracts, such as Mythril and Slither, can test contracts downloaded from Github. There is a tool called \"foundry debug\" that can debug hardhat tests or introspect contract execution at the EVM opcode level. Static security testing can be done using tools like solidity linter and checking contract code in Remix for compilation warnings. 
The platform Sherlock is another option for auditing, but it requires strong competence in the field.", "Question: How can I register and participate in contests at CodeArena?\n\nAnswer: To register and participate in contests at CodeArena, you need to sign up as a warden by logging into your account and filling out the form on the website. You can find detailed instructions on how to register a team at [here](https://docs.code4rena.com/roles/wardens#registering-a-team) if you wish to participate as a team. Once signed up, you can access contest channels and submit your findings using the form specific to each contest.\n\nFor private contests such as the Party Protocol, access can depend on certain prerequisites like certification. Being certified grants you access to more contests and allows you to join any contest including certified ones. However, some contests allow participation without certification, with payouts for any awarded submissions subject to the contest rules.\n\nYou can find all contests, both public and private, listed on the [Contest page](https://code4rena.com/contests) on the CodeArena website. For updates on upcoming contests, check the #\u270brsvp channel on our Discord.\n\nRegarding the scope of a contest, this is decided by the contest sponsors and is listed in the contest information. If you have specific questions about a contest, you can get in touch with the sponsor via their contest channel or through a direct message.\n\nPlease note, you may need to complete KYC to receive prizes for some contests, the form for which can be found [here](https://docs.code4rena.com/roles/certified-contributors).\n\nRemember, participation in contests is not only a chance to win prizes, but is also a great opportunity to improve your skills. 
So, just do it!", "Question: What resources and roadmaps can one use to learn about web2 security in the context of web3 security and smart contract auditing?\n\nAnswer: Web2 and Web3 security share a common mindset and some overlapping topics, so understanding web2 security can be beneficial when transitioning into web3 security. For those looking to specialize in smart contract auditing, it's good to start with some fundamental resources. \n\nTo learn smart contract auditing, beginners can start with resources like [this guide](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and CodeArena\u2019s own resources found [here](https://docs.code4rena.com/roles/wardens/tools-and-resources). For smart contract bug bounty hunting, [CryptoZombies.io](https://cryptozombies.io/) is a great resource for learning Solidity, and [CaptureTheEther.com](https://capturetheether.com/) offers Capture the Flag challenges related to smart contracts. \n\nFor blockchain forensics analysis specifically for hacks and incidents in smart contracts, the tools used to find vulnerabilities and bugs are crucial. OpenZeppelin's webinars can also be very helpful for auditors, with the first video in their series found [here](https://youtu.be/6GaCt_lM_ak). Two additional resources shared include the GitHub repositories: [solcurity](https://github.com/transmissions11/solcurity) and [C4-report-categolized](https://github.com/Tomosuke0930/C4-report-categolized). \n\nFor an advanced level, training for the Paradigm CTF and learning advanced solidity and DeFi industry standards can be achieved through resources like The Ethernaut challenges and Damn Vulnerable DeFi: [Ethernaut](https://ethernaut.openzeppelin.com/) and [Damn Vulnerable DeFi](https://www.damnvulnerabledefi.xyz/). Also, abide by responsible disclosure standards, which can be found [here](https://github.com/RD-Crypto-Spec/Responsible-Disclosure#the-standard). 
\n\nFor math-related aspects of solidity projects, [this YouTube channel](https://www.youtube.com/@smartcontractprogrammer) could be beneficial.\n\nRemember that this is a field where continuous learning and adaptation are crucial. Whether to focus on smart contract security or web2 security should be based on your interest and enjoyment, not just potential earnings. Even if you are an undergraduate IT student or are facing a bear market, opportunities in this field are abundant if you are passionate and willing to learn.", "Q: Why would one prefer to use storage or calldata instead of memory in smart contracts, and how does this impact gas optimization?\n\nA: The decision to use storage, calldata, or memory in smart contracts is often influenced by gas optimization considerations. \n\nCaching a storage pointer can be beneficial as it avoids the need to re-compute the position, thus saving on gas costs. It is important to note that Solidity stores state variables in 32 bytes storage slots, and packing variables into fewer slots can further reduce gas costs [More about this can be read at the Solidity documentation](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).\n\nCalldata, on the other hand, is preferred for read-only arrays as it does not need to be copied into memory, thereby leading to gas savings. Calldata arguments can be used for both external/public functions and can also send calldata data pointers to internal and private functions.\n\nThere was a discussion regarding the order of functions that first check from storage, then checks the calldata, and it was suggested that swapping this could potentially optimize gas usage. However, the practical impact of such adjustments may vary based on the specific contract and function under consideration.\n\nIn the context of view functions, the use of storage instead of memory was brought up. 
Whether this falls into the category of a gas report or a QA report would likely depend on the specific impact on gas usage.\n\nIt's also worth noting that the copying of arrays to memory before processing them, which was thought to reduce gas usage, was tested and found to not be beneficial. \n\nIn addition to these factors, the understanding of how delegatecall works with storage can be beneficial for gas optimization. More information can be found in the [Solidity documentation](https://solidity.readthedocs.io/) and the [Geth source code](https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302).\n\nRemember, the optimization of smart contracts to reduce gas costs is a complex process and the best approach can vary depending on the specific contract and function under consideration. It\u2019s always recommended to conduct thorough audits and testing to ensure the best possible outcome.", "Question: What constitutes a Quality Assurance (QA) issue in the context of CodeArena audits, and how does their categorization and grading work?\n\nAnswer: In the context of smart contract audits at CodeArena, Quality Assurance (QA) issues are primarily classified as \"Low\" severity issues and \"Non-critical\" findings. These findings are then consolidated into a single QA report. The QA report is graded by judges who consider both the quantity and quality of the findings. However, it should be noted that a single item in a QA report is unlikely to receive a high grade. 
Specific grading criteria can be found here: [Grading Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and here [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nObservations suggest that low-impact findings related to gas optimization, obsolete code, documentation mismatches, and front-running possibilities may be included in the QA category, although the exact classification may depend on factors like potential impact and severity. Judges also have the authority to upgrade or downgrade issues based on their assessment of severity. \n\nFor example, if a QA report includes a low issue, but the judges decide it's a medium severity issue, it may be upgraded and be eligible for medium category rewards. All these decisions depend on the judge's understanding of the issue's exploitability and impact. Detailed information regarding this can be found on the Code4Rena help page: [QA Gas Report FAQ](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nIf no High/Medium issues are found in a contest, the entire rewards may be shifted to Quality Assurance. All \"A\" graded QA reports receive the same award, regardless of the number of Low findings within them. \n\nIt's worth noting that the term \"low quality\" in the audit contest guidelines doesn't necessarily mean low risk or non-critical. Clarity on this can be found here: [Github Discussion](https://github.com/code-423n4/org/discussions/34). 
\n\nOverall, the categorization and grading of QA issues at CodeArena are a nuanced process, involving careful consideration of the issue's severity, impact, and potential exploitability.", "Question: How can I effectively compile and submit a Gas Optimizations report for a contest at CodeArena?\n\nAnswer: To effectively compile a Gas Optimization report for a CodeArena contest, you should combine all your findings related to gas optimization into one report, as there are restrictions on submitting more than one report per contest. It's recommended to report each gas optimization separately within your single report. \n\nFor each optimization, you might need to specify how much gas is saved. This is often determined by the judge\u2019s decision, but providing this detail can be beneficial. If a gas optimization finding can be applied in more than one line of code, it should be submitted as one finding and mention all lines where it can be applied. \n\nParticipants can use tools like the Hardhat gas report plugin to benchmark their code for gas savings. When submitting your report, you can add more findings by going to the contest page and clicking on the 'Your Findings' button. \n\nRemember, the Gas report should be separate from the Quality Assurance (QA) report. The amount of detail required for QA and Gas Optimization reports is generally not as comprehensive as for high severity issues. \n\nThere are templates or guides on how gas/qa reports should look in terms of formatting, and examples of top reports can be found at https://code4rena.com/reports. More information on gas optimizations can be found at https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md.\n\nThe gas optimization pool is shared among the reporters and is awarded based on the score of each gas report (https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic). 
Further information about the average payout for gas optimizations can be found in the findings.csv file on C4's website repository. \n\nIf you have any confusion or need further clarification on gas optimization, feel free to ask in the Discord chatroom.", "Q: How can I participate and keep track of upcoming audit contests in CodeArena, and what should I know about the role and benefits of being a warden?\n\nA: CodeArena frequently hosts audit contests in collaboration with sponsors. The exact scheduling of these contests is not within our control and largely depends on the sponsors. However, you can always stay updated on upcoming contests by checking our website at code423n4.com, or by visiting the #\u270brsvp channel on our Discord. \n\nAs a participant, you'll be referred to as a \"warden\". Wardens play a key role in auditing smart contracts. If you've been away from C4 for a while and wish to become a warden for a contest, you simply need to log into your account to compete. Teams are also encouraged to participate.\n\nThere are several benefits to being a warden. For instance, certified wardens get earlier access to the findings repositories, helping with post-contest processes. You can become a certified warden by actively competing in our audit contests. On top of this, there are ongoing efforts to facilitate tax reporting for wardens.\n\nIt's also worth noting that certified wardens may be eligible to join private auditing contests. To access these private contests, you need to be a certified warden. More details can be found here: https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0. \n\nRemember to follow the guidelines for submission and discussion of findings for smooth participation. These policies can be found here: https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines. \n\nIf you're interested in running an audit contest for your company, feel free to reach out to our team for further discussions. 
Please note that all these details are subject to change, and the final specifics of the contests will be shared closer to the start date.", "Question: Can you provide information about the reward formula for the Mitigation Review Contest at CodeArena, including the distribution process for findings of different severity, partial credits, and the role of the contest structure and participant submissions?\n\nAnswer: The Mitigation Review Contest at CodeArena is a process where top wardens are invited back to review bug mitigations after the main contests. The rewarding formula for findings of different severity and partial credits is available on our website at [Code4rena website](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). \n\nThe award system is based on a curve formula, which will be designed after observing the scoring of initial contests. If multiple people, including members of the same team, identify a gas optimization, the reward split can be calculated using this same formula. \n\nTo make a successful submission and maximize your reward, it's beneficial to include a proof of concept and outline how an issue can be exploited. This will avoid the submission being marked as invalid. Detailed submissions can result in a significantly different award value. The level of detail and the thoroughness of the issue coverage can influence the award amount. \n\nIf a participant has findings but the judge and sponsor disagree with their mitigation, it is ultimately the sponsor's decision on the mitigation part. However, if a participant points out a judge-approved bug or logic flaw, it is considered an achievement and is rewarded accordingly. \n\nIt is worth noting that a formal verification contest also includes a participation reward. 
There is also a potential for bonus rewards for the best reports, along with rewards for each bug found per contest which are available [here](https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv). A table with an overview of the rewards can be found at [this link](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic). \n\nIn the event that no issues are found in a contest, the disposition of the sponsor reward pot is a topic of curiosity. In such a case, contestants are given shares for bugs discovered based on severity, giving the owner a pro rata piece of the pot. However, if no high or medium issues are found, the procedure for contest rewards is not clarified, and may be subject to the sponsors' discretion. \n\nAs for upcoming contests, they will feature a structure of an initial audit prize pool and a mitigation review pool. Participants are encouraged to reach out to the sponsor team during the contest if they think they've found something and have questions. But remember, participants need to submit their findings via the contest submission form to be eligible for awards. \n\nLastly, there is an option to edit submitted security findings for a contest, allowing for adjustments and refinements after the initial submission.", "Question: Should all immutable addresses in a smart contract be verified against zero addresses?\n\nAnswer: Not necessarily. It's a common practice to check for zero addresses in smart contracts. However, whether a \"missing 0 address check\" constitutes a valid finding can be a matter of debate. It's important to note that even a mid-level vulnerability like a missing zero-address check can lead to loss of funds, and such issues should be reported. 
An example of this vulnerability can be found here: https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address.\n\nFor gas optimization, it is typically recommended not to initialize default variables to 0. This also applies to for-loops in Solidity, where initializing the loop variable to 0 is unnecessary and may lead to gas savings. However, an automated gas optimization technique called 'Use assembly to check for address(0)' has been detected by some automated audit tools. This technique could save a few units of gas, but it's not necessarily of interest or value to all users. You can read more about it here: https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs.\n\nIt's also worth noting that depositing funds in an uninitialized contract carries certain risks. For instance, the contract could potentially become the target of a ransom attack, where an attacker takes ownership and demands a ransom for its release.\n\nDespite these factors, it's ultimately the responsibility of the contract developer to ensure the safety and efficiency of their contract, including deciding whether to use address(0) checks, and this decision should be made in the context of the specific contract and its uses.", "Question: When and where can I find the recorded sessions of CodeArena office hours?\n\nAnswer: The CodeArena office hour sessions are recorded and typically uploaded to our YouTube channel [https://www.youtube.com/@code4rena] in the early part of the following week. However, the actual upload time might vary depending on the internet connection. You can also submit questions for these recorded community calls via the C4 website, where you can also find support and other relevant updates. For real-time notifications on when a new video or report is published, there is a suggestion to follow our #audit-reports announcements channel. 
Lastly, other videos such as contest post mortems can also be found on the same YouTube channel.", "Question: I'm encountering a problem with my test contract setup. It keeps failing with the error message [FAIL. Reason: Setup failed: Index out of bounds]. What does this mean and how can I troubleshoot this?\n\nAnswer: The error message you're encountering usually indicates that you're trying to access an index in an array that has not been defined. This commonly happens if you attempt to access an element at a certain index before initializing it. Your problem may be resolved by accessing a defined index, for example, array[0] if your array has at least one element.\n\nWhen dealing with contract tests and setups, you may encounter several challenges. These could include setting up certain contract environments, especially with limited documentation, no test cases, and no deployment scripts. In such cases, if there's no test setup within the C4 repo, it may be useful to check the sponsor's GitHub for a potential test setup, or you might want to pull out the code to test it in isolation. \n\nYou could also consider running your tests in an existing test environment or perhaps writing new test cases. There are tools available for testing contracts, such as Mythril and Slither, which you can use to test contracts downloaded from Github. \n\nIf you're working with Foundry, remember that it can be used to deploy contracts and perform other tasks. One user mentioned an issue with testing in the polygon POS network using foundry, so ensure your network configurations are set correctly. \n\nConsequently, if your contract takes a struct as an argument in the constructor, you might be looking for guidance on how to deploy such a contract on Foundry. Or, you could be trying to log the gas remaining after a state variable update within Foundry, a smart contract testing framework. 
\n\nAdditionally, you could use tools like \"foundry debug\" to introspect contract execution at the EVM opcode level, or the tool eth-brownie can be helpful for mocking contract deployments. \n\nFinally, if you're encountering difficulties understanding the issues you're facing, you might find it helpful to study testing frameworks such as Hardhat. Here's a requested tutorial on Hardhat's testing framework that might be helpful: [Insert Link to Hardhat tutorial here].\n\nRemember, setting up the environment for contest repositories can be time-consuming due to multiple interrelated contracts and limited documentation. Therefore, it's crucial to be patient, persistent, and utilize all available resources when debugging and testing smart contracts.", "Question: I've forgotten my username or am experiencing login issues on CodeArena. How can I retrieve my information or get help?\n\nAnswer: If you are having issues logging into your CodeArena account, it's important that you confirm that you are using the right username and password or wallet address that you used during registration. If you've forgotten your username or wallet address, or you're having trouble accessing an inactive account, assistance is available. You can reach out to our community on the #auth-help channel on Discord. If you don't receive a resolution, consider submitting a help desk request at [https://code4rena.com/help](https://code4rena.com/help) for further assistance. Please note that usernames on CodeArena are currently immutable and cannot be changed. However, if you wish to change associated email addresses or Twitter handles, or have concerns about a compromised account, you can also use the help desk request system. Please be aware that changing a username would require re-registering on the platform.", "Q: What happens when an audit finding's severity is incorrectly classified in my submission? 
For example, what if I classify a finding as medium, but judges determine it to be high or low? And is there any strategy I should adopt when uncertain about a finding's severity?\n\nA: If there's a mismatch between a finding's severity as classified by you and as determined by the judges, the judges have the authority to upgrade or downgrade the severity accordingly. For instance, if you submit a finding as medium severity but it's judged to be high risk, it can be upgraded unless there's a reason to penalize your submission, such as it being incomplete, lacking detail, or not being as accurate. If a finding you submitted as high risk is judged as low, you will still be awarded for the issue found, unless the judges invalidate it for overinflating severity.\n\nOn the other hand, if you classify a finding as low risk in a QA report and a judge upgrades it to a medium risk, your submission will be potentially eligible for medium rewards. \n\nRegarding strategy when uncertain about a finding's severity, you should review the judging criteria at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk and make a case for your chosen severity using evidence. It's crucial to provide a clear explanation or path to the finding to avoid your submission being labelled as low quality. Be aware that 'low quality' in this context doesn't necessarily mean 'low risk' or 'non-critical'; it refers more to the quality of the explanation and evidence provided. More clarity on this can be found at https://github.com/code-423n4/org/discussions/34.\n\nIf you're uncertain and the issue lies between QA and Medium, or between High and Medium risk, judges have the authority to downgrade or upgrade the severity as they deem fit. 
If you're reporting an issue based on automated tools, you must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory, as explained at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. \n\nMoreover, if an audit contest's automated bot report ranks an issue as low, and you escalate it to high, the issue isn't automatically invalid. However, you'd need to make a strong case for the escalation. \n\nPlease note that the classification of findings as High, Medium or QA also depends on the severity of loss caused by the issue, as per this guide: If all rewards can be lost, it's considered MED/HIGH; if there's a risk of losing some rewards, it's probably medium; if rewards are lost due to roundings (a negligible amount of rewards), it's probably QA; and if the principal can be stolen without needing extra requirements, then it's likely HIGH. \n\nIn the end, if any uncertainty still exists, it's advisable to work on your Proof of Concept until the severity of the issue becomes more apparent.", "Question: How can I link my Twitter account to my Code4rena (C4) profile?\n\nAnswer: To link your Twitter account to your Code4rena profile, you need to complete a help desk request. You can do this by visiting https://code4rena.com/help and submitting a request that includes your C4 handle, your Twitter handle, and your Twitter URL. Also, if you want to change your Twitter username or your profile photo on Code4rena, you can submit another help desk request through the same process. Note that this process may be particularly relevant for certified auditors and leaderboard participants who want their Twitter handle to be associated with their C4 activities. However, it's important to be aware that some users have reported issues with logging in to the C4 website. 
If you face any such issues, you can seek help in the #auth-help channel or direct message the C4 staff members.", "Question: What is the process during the post-judging stage and can a contested decision be reopened in case of fact-based evidence?\n\nAnswer: The post-judging stage is an important part of the contest process at CodeArena (C4). It involves a Quality Assurance (QA) period where participants can comment on the judge's decisions. If a participant disagrees with a finding, they can leverage their backstage access to speak with the judge and request a re-evaluation of the decision, provided they can substantiate their claims with purely fact-based evidence. However, it's important to note that this access is dependent on the specific contest and its processes.\n\nThe judges are responsible for updating the severity of issues even after the submission. They are also expected to provide reasons for classifying an issue as invalid or disputed. This allows participants to understand the reasoning behind the ruling and see what they can improve. If a submitted finding is marked as invalid, participants can expect feedback from the judge.\n\nIn case a participant disagrees with a judgment decision, and the contest has already been judged, unfortunately, there is no recourse. However, they can review why their submission was not accepted once the report is out and the repository is fully opened. This provides an opportunity to see the discussion among sponsors and judges on that specific issue. \n\nFor further queries or disagreements with a judge's decision, participants can refer to the policy at [CodeArena\u2019s Policy on Fairness and Validity](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision). 
Please note, the judge has the final say on findings and any discussion on this matter should observe the guidelines set out in the policy link provided.", "Question: How should I add code blocks and references in my report submitted to CodeArena?\n\nAnswer: For CodeArena reports, it is recommended to use Markdown to add code blocks, ensuring they are displayed correctly in the report. The guide on how to add code blocks using Markdown can be found [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks).\n\nWhen referencing specific areas of code for high or medium findings, provide the GitHub permalink for the respective code block in the 'Links to Affected Code' section. This can be done by creating a permanent link to a code snippet as described [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-a-permanent-link-to-a-code-snippet#linking-to-code). \n\nYou can also add the code block directly to the report using Markdown. However, there's been some debate about whether to include direct links to the code on GitHub or refer to a specific file and line number. In any case, it's a good practice to show the places of vulnerability by including both the URL to the repository with the line number and a code block.\n\nIn addition to code blocks, images and other media can be embedded in the report using Markdown, as per the instructions found [here](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images). \n\nWhen submitting your report through the CodeArena interface, a Markdown template is proposed which you can use as a guide. Various platforms such as GitHub, Joplin, VScode, and Notion support Markdown and can be used to write reports. 
To simplify the process, some users find it helpful to create issues in Notion, format them, and copy-paste the formatted text when submitting, as it maintains the necessary markdown formatting.", "Q: I can't log into my Code4rena account. When I try to use the same wallet it asks me to register again. What should I do? \n\nA: Several users have reported similar issues when trying to sign into Code4rena. This could occur due to various reasons like forgetting your registration wallet address or not using the exact wallet or email used during registration. You can sign into Code4rena using your username and password. If you're having issues with your Metamask wallet, remember that Code4rena does not currently allow users to change their login wallet address, but you can link multiple addresses if you have Metamask. More information on changing the wallet address used to log in can be found [here](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with).\n\nIf you have forgotten your registration wallet address, or need to change your login wallet address, you can submit a help request at [Code4rena Helpdesk](https://code4rena.com/help). Similarly, if your C4 wallet has been hacked, you should submit a help desk request for assistance immediately.\n\nFor better management of submissions, Code4rena is considering implementing a system for using different wallets for different submissions in a single contest. \n\nRemember, if you want to change your username, you will need to re-register on CodeArena. Also, you can link your Twitter account to your Code4Arena profile by creating a help desk request. 
\n\nFor any other issues or questions related to login, warden registration, changing the wallet attached to your account, or other FAQs, please visit the [FAQ troubleshooting page](https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting) or submit a help request at [Code4rena Helpdesk](https://code4rena.com/help).", "Question: How should I add code to my reports in CodeArena (C4)?\n\nAnswer: In CodeArena (C4), code should be added to your report by using Markdown format. This ensures that the code will appear correctly in the report. You can use Markdown to include code blocks in your report, as well as images if necessary. \n\nTo format your code using Markdown, you can surround your code with ``` (three backticks) on each side. You can also specify the language for syntax highlighting by adding it after the opening backticks, for example, ```solidity. This is particularly useful when you want to highlight parts of your code. More details on creating and highlighting code blocks, as well as adding images, can be found in Github's Markdown guide [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks).\n\nIn the section of your report for \"Links to Affected Code\", you should only add the GitHub permalink for the respective code block. Direct linking to the code on GitHub or referring to a specific file and line number are both acceptable methods of referencing code in reports. Please note that adding a link that points to the sponsor's GitHub repo code will not automatically pull in that code snippet into the report.\n\nIf you have long code, consider providing it either by adding it directly to the report under 'Proof of Concept' or linking it on some private repository on Github. 
More information about this can be found [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nLastly, when creating your reports, you can use any writing tool as long as it supports Markdown. Platforms such as GitHub, Joplin, VScode, and Notion are often used to write reports.", "Question: How should I classify and submit low issues, and what happens if my report's severity classification is adjusted by judges?\n\nAnswer: Low issues, also referred to as Quality Assurance (QA) issues, should be submitted in your QA report. All low/non-critical (NC) issues should be brought together and submitted in one QA report, which can include findings categorized as Low, Non Critical (NC), and Refactoring. It's important to note that judges have the ability to adjust the severity classification of reported issues. If an issue you've submitted as low in your QA report is determined to be medium by the judges, it will be eligible for medium rewards as per Code4Rena's awards policies [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). Conversely, judges can also downgrade medium issues to QA, considering them alongside your QA report when grading. If no High/Medium issues are found in a contest, the rewards can be moved down to Quality Assurance (QA). While there isn't a direct incentive for reporting QA type submissions, quality and quantity of submissions are considered during grading, and a well-prepared QA report can help in securing rewards. This information is further explained [here](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). 
Furthermore, the criteria for classifying severity of issues can be found at [this link](https://docs.code4rena.com/awarding/judging-criteria/severity-categorization).", "Question: If I discover a potential vulnerability for a project during the contest, is it appropriate to discuss it with the sponsor in a private DM, and if they confirm it, will it still count when I submit it?\n\nAnswer: Yes, Code4rena encourages open communication between participants and sponsors. If you identify a potential vulnerability, you can discuss it with the sponsor via a private Direct Message (DM) or in the contest channel. This does not invalidate your finding. However, to ensure your discovery is eligible for awards, you must submit it via the contest submission form. You could also provide a Proof of Concept (POC) script, if available, by including a link to it in your submission. Please remember that even if multiple people report the same vulnerability, each submission is evaluated individually for its quality and clarity. Discussing potential findings with the sponsor doesn't automatically result in exploitation of the information, as all submissions are reviewed and awarded based on the judgement of Code4rena. Even if you're unsure about the validity of a finding due to lack of specification, it's advisable to submit it or seek clarification from the sponsor. Note that all submissions, including high severity issues, should be reported within the contest timeframe to be eligible for awards. If you find vulnerabilities a few days after the contest ends, they should be responsibly disclosed to the development team directly. Lastly, while submitting an issue, including a proof of concept and making a case for its exploitability helps avoid having it marked as invalid. You can also update your submissions by direct messaging identified individuals or emailing to security@code4rena.com. 
Regardless of whether your submission is valid or not, you should expect a confirmation email about your submission.", "Question: What is the recommended method for submitting multiple Low issues spotted in a contest at CodeArena? \n\nAnswer: \nCodeArena recommends participants to compile all low and non-critical (NC) issues into a single Quality Assurance (QA) report per contest. This includes multiple instances of the same issue. If you find additional issues after submitting the initial report, you have the ability to edit and update your existing submission. However, high and medium severity issues should be reported individually. \n\nRemember that the QA report is separate from the gas report and you should therefore submit one combined report for each. If your report exceeds the character limit for normal submissions, you can submit it via a help ticket. \n\nConcerning the grading of QA reports, judges consider both the quantity and quality of submissions. A single item in a QA submission is unlikely to receive a high grade unless it's a high-severity issue. If an issue initially submitted as a low in a QA report is later determined by judges to be of medium severity, it may be eligible for medium rewards. 
For further information on this, you can refer to this documentation: [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum)\n\nDetailed grading criteria are also available here: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and here: [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: How are low issues and QA issues defined and treated in the context of CodeArena?\n\nAnswer: In CodeArena, the term 'Low issue' is often used interchangeably with 'Quality Assurance' (QA) issue. These are non-critical issues or vulnerabilities discovered in the smart contracts which have a low impact. QA reports include both Low and non-critical vulnerabilities. Moreover, if a low issue/non-critical bug that also reduces gas is discovered, it should be included in the QA category and should mention the gas savings. \n\nJudges have the ability to change the severity of reported issues; they can downgrade medium issues to QA or upgrade items from the QA report if they feel severity should be higher. 
For example, if an issue is reported as low in a QA report but the judges determine it to be medium, it will be eligible for medium rewards as per the guidelines ([link](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum)).\n\nQA reports at CodeArena are graded based on the number of low findings. However, the number of issues reported in a QA report doesn't necessarily determine the grade; a report could have one good issue to be a grade B, or it could have multiple low-impact issues and still be a grade C. All A graded QA reports receive the same award, regardless of the number of Low findings. \n\nJudges consider both quantity and quality of reported issues when grading QA reports. A single item in a QA submission is unlikely to receive a high grade. If no High/Medium issues are found in a contest, the rewards are divided based on Quality Assurance.\n\nFinally, all non-critical and low severity findings of a given auditor are consolidated into a single QA report. There has been a discussion about whether all non-critical findings should be put in one QA report or create one QA report for every finding. But as of now, all low/NC issues are to be submitted in one QA report. It's worth noting that while the uniqueness of Low issues used to be a ranking factor, it is no longer relevant in the grading process. \n\nMore details about grading criteria can be found on CodeArena's documentation page: [Judging criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive model and awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: I've contributed to several contests, including gas and Quality Assurance (QA) reports. Despite following all the rules, my contributions were not acknowledged in the results. 
Can you help me understand why this might have happened?\n\nAnswer: There could be several reasons why your contributions weren't acknowledged in the contest results. Here are some possibilities:\n\n1. **Automated Findings:** Your reports might have been considered automated findings. These findings are not typically awarded. \n\n2. **Grade-C Judgement:** Your contributions could have been rated as grade-c in the judgment process. \n\nTo confirm either of these possibilities, you would need to review the contest report, which is usually published a month after the contest ends. You can access these reports from the `Reports` page on the CodeArena website. \n\nPlease note that participants are required to submit only one QA report and one report of gas optimization per contest. If you have multiple findings, group these together in the same report, and separate the Gas report from the QA report. You can add more findings to your gas report by going to the contest page and clicking the `Your Findings` button.\n\nIf you're facing issues with report submission, such as receiving a 'No findings submitted for this contest' message despite having submitted your findings, or if your report exceeds the character limit of the submission form, you can refer to our FAQ page on the CodeArena website for guidance: [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq). If necessary, you can submit a placeholder in the form and send a detailed report via email.\n\nLastly, please note that some contests might not have a gas pool, meaning there won't be any gas optimizations in the final report. To check the criteria for a top-3 finish in either the QA or gas report from past contests, you can request the organization to provide this information. \n\nWe hope this provides some clarity. 
If you have more questions or need further assistance, feel free to reach out to us.", "Q: How can I apply for the Backstage+ role at CodeArena and what's the current status of applications?\n\nA: To apply for the Backstage+ role at CodeArena, you must first meet certain criteria as a certified contributor. This includes having over 3 mediums confirmed or participating in at least 3 contests. You can refer to the official documentation here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens for more details about eligibility and application process. \n\nOnce you meet these qualifications, you can submit a Help Desk request here: https://code4rena.com/help for your status to be evaluated. This request will also allow you to verify if you meet the qualifications based on the published contest results. Remember, the leaderboard is usually updated shortly after the contests and their awards have been announced. \n\nIf your request is accepted, you will be notified and given access to the backstage findings repo. However, please be informed that as of recent, there was a pause in the processing of backstage access requests due to an ongoing change in the application process. We are currently reviewing previous application requests. There's no confirmed timeline for when the application process will resume, but we anticipate updates to be released within the next two weeks. \n\nPlease note that while the confirmation of whether issues submitted got accepted or not for closed contests is known when the report is generated, the final decision about the backstage role is made as per the plans in place and subject to evaluation. The process to become a backstage warden generally takes about a week if all qualifications are met and nothing is pending, but due to the pause, this might vary.", "Question: I am researching smart contract scanning tools and came across one that seems superior. 
Can it identify a price manipulation vulnerability?\n\nAnswer: Even though specific tools have not been mentioned in your question, there are indeed smart contract scanning tools that can detect vulnerabilities such as price manipulation. A notable example is the tool available at https://app.metatrust.io/project. \n\nIt's important to remember that while automated tools can be very useful, they should not replace a comprehensive smart contract audit process. Other tools mentioned in our discussions include fuzzing tools, and Slither, which is a static analysis tool for smart contracts. \n\nYou might also be interested in exploring the use of machine learning in smart contract auditing. One creative approach discussed involves converting a smart contract into respective shapes, training a model based on these shapes, and then predicting the vulnerability of future contracts. You can find more on this at https://github.com/DanielVF/evm-contract-draw. \n\nOther platforms exist for smart contract audits such as Sherlock, but they require a certain level of expertise. CodeArena also runs contests for analyzing smart contracts. \n\nAs an auditor, you might need to verify if a contract has been initialized on the Ethereum mainnet, or you might want to download all the smart contracts being deployed at a specific address. There are tools available for these tasks too. \n\nIf you're new to smart contract auditing, resources are available at https://docs.code4rena.com/roles/wardens/tools-and-resources. You can also explore other websites to get rewarded for auditing smart contracts like https://immunefi.com/, https://spearbit.com/, and https://hats.finance/.\n\nPlease remember, while these tools can provide valuable insights, they may not account for all potential vulnerabilities. 
It's essential to have a deep understanding of the underlying code and potential security issues to perform a thorough audit.", "Question: Can you explain the use of calldata and memory in smart contracts, particularly in relation to external and internal calls, and the effect on gas optimization?\n\nAnswer: In smart contracts, calldata and memory are used to handle data in different contexts. Calldata is an input data to Ethereum that is immutable and is mainly used in external and public functions. However, it's not limited to these; calldata arguments can also send data pointers to internal and private functions. In an internal function, a calldata argument is just a pointer. \n\nMemory, on the other hand, is a temporary space where data can be stored and modified during execution and it gets erased between (external) function calls. \n\nThe decision of using calldata or memory depends largely on their costs and the specific use case. For read-only arrays, using calldata can be cheaper because they don't need to be iterated and copied into memory. On the other hand, caching a storage pointer helps in avoiding the re-computation of the position, making it cheaper for that reason.\n\nThere are also ways to optimize gas usage, for example, by swapping the order of a function that first checks from storage, then checks the calldata. Additionally, packing variables into fewer slots can help reduce gas costs, as Solidity stores state variables in 32 bytes storage slots. More details about this can be found in the Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).\n\nFurthermore, understanding how functions like delegatecall work with storage may also be beneficial in optimizing gas usage. 
You can find more information about this in the Solidity docs and the Geth source code [here](https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302).\n\nPlease note that the above information is based on our understanding and observations from various discussions and queries, and may not cover all intricacies and use cases of calldata and memory. For a comprehensive understanding, please refer to the official Ethereum and Solidity documentation.", "Question: What does 'Low' or 'QA' represent in our audit reports and how are they evaluated?\n\nAnswer: In CodeArena's audit reports, \"Low\" or \"QA\" represents the classification of an audit finding based on its severity. This category includes low severity issues and non-critical vulnerabilities. The term 'Low issue' is often used in reference to QA reports. \n\nThe severity of an issue is generally categorized as high, medium, or low/QA, based on the potential risk or loss associated with it. For instance, if all rewards could potentially be lost due to an issue, it's classified as medium or high. If there's a risk of losing some rewards, it's probably medium. If rewards are lost due to roundings (a negligible amount of rewards), it's probably QA. If the principal can be stolen without needing extra requirements, then it's probably a high severity issue.\n\nIn the grading of QA reports, some of the factors considered include the number of low findings, the quality of the submissions, and the risk level of the findings. QA reports are graded based on the number of low findings, however, two reports graded \"A\", one with 2-3 low findings and another with 5-6 low findings, would still receive the same award. A large volume of low-quality reports, defined as having no clear explanation or path to the finding, is discouraged. \n\nJudges have the ability to upgrade or downgrade issues based on their determinations of severity. 
For instance, if a finding is submitted as low severity in a QA report, but the judges determine that it's a medium severity issue, it will be eligible for medium rewards as per [this link](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). Conversely, issues can also be downgraded from medium to QA, and these are added to the warden's QA report.\n\nPlease note that the grading process considers both the quantity and quality of submissions, and a single item in a QA submission is unlikely to receive a high grade. More information on this can be found at [here](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nIt's important to note that incorrect findings in a QA report can negatively affect the QA grade. The QA and Gas awards are given according to judges\u2019 scores, and duplicates are disregarded. \n\nIf no High/Medium issues are found in a contest, the rewards are typically divided based on Quality Assurance. In such cases, the entire rewards may shift down to Quality Assurance (QA). The uniqueness of Low issues was once a ranking factor, but is no longer relevant. \n\nWhile classifying an issue, if there is a doubt whether a finding should be categorized as QA or Medium, it should be filed as QA unless the proof of concept (POC) is coded. Obsolete code could also be considered a QA issue.\n", "Q: I submitted findings for several contests but haven't been recognized or rewarded. What could be the possible reasons and how can I confirm?\n\nA: There could be several reasons why your findings might not have been recognized or rewarded in the contests you participated in:\n\n1. Your findings could be classified as 'automated findings', which are typically not awarded. 
'Automated findings' are issues that are already known and listed under the \"Known Findings\" section of the contest's Readme Page.\n\n2. Your findings might have been graded as 'Grade-C' during the judging process, which might not qualify for an award.\n\n3. There may be delays in the payout of rewards for a contest. It's not uncommon for rewards to remain pending even after a contest has ended.\n\n4. If you participated in the Escher contest or Caviar contest, there have been reports of issues with submissions. You might have encountered similar problems, which could explain why your findings haven't been acknowledged.\n\n5. Your findings might not have been included in the final report, which doesn't necessarily mean they were invalid. The final report is usually published a month after the end of the contest, so it's worth waiting for it to confirm whether your findings were accepted or not.\n\n6. The leaderboard may not accurately reflect all your accomplishments, especially if the results of the contests you participated in are not counted for the full duration.\n\n7. The contests you participated in might have been private, in which case, only certified participants who have been part of 3 or more contests would have backstage access.\n\nTo confirm the reasons for your situation, you can review the contest's report, which is usually published a month after the contest ends. You can also raise your concerns in the GoGopool office hour. For more details on the judging process, you can refer to the C4 judging process thread [here](https://twitter.com/sayan_011/status/1629011044516655104?t=DJz16iE54QkwLxkc3MrQtw&s=19).\n \nRemember, even if you are not recognized or rewarded, participation in contests is a great way to improve your skills and learn more about smart contracts.", "Question: What is CodeArena (C4) and how can I interact with it?\n\nAnswer: CodeArena, also known as C4, is a company that assists other businesses with auditing their smart contracts. 
This platform provides opportunities for participants to submit issue reports and request support through the C4 website. The website has been reported to have some access issues, but users can report these problems using the C4 form. Additionally, users can change their profile photo through a help desk request [https://code4rena.com/help]. \n\nThere's also a process to bind a C4 profile to a Twitter profile, which is particularly useful for certified auditors. For any discrepancies or queries, participants can direct message the C4 staff members. However, please note that C4 is not usually staffed over weekends.\n\nThe C4 team actively works on improving their tools and procedures. They have even introduced changes to allow invoicing, considering C4 operates as a DAO. They're also open to granting funds for building tools, like a website to showcase results for job hunting.\n\nFor insights into their judging process, you can review this Twitter thread: [https://twitter.com/sayan_011/status/1629011044516655104?t=DJz16iE54QkwLxkc3MrQtw&s=19]. Also, you can find a comparison between bug bounties and C4 audit contests on their documentation page [https://docs.code4rena.com/].\n\nPlease note, it's normal for the number of contests to fluctuate in C4. In case of bugs during a contest, they are evaluated by a C4 judge, while the rules are assessed by Certora. \n\nLastly, trust in C4 staff and projects, as well as the English level of C4 reports, are areas acknowledged for improvement. The team is open to enquiries and actively seeks feedback as part of their Warden Outreach. 
Some of the team will be present at ETH.Denver for further discussions.", "Question: What is the recommended practice for referencing code in reports for CodeArena contests, specifically regarding the use of line numbers in code snippets for h/m issues?\n\nAnswer: While we don't have a definitive answer, there's been ongoing discussion among our participants about the best way to reference code in reports. While some participants have discussed leaving direct links to the code on GitHub or referring to a specific file and line number, others have suggested using tools such as the VS code extension \"Copy With Line Numbers\" (available at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers) to include code snippets with line numbers in their report. Regardless of the method you choose, the judges prefer more detailed, well-structured reports over one-line summaries. They appreciate when similar submission issues are grouped together and when the code is presented in a readable format, which can be achieved by using Markdown formatting. Beginners especially are advised to make one report and reference related issues within it, making it easier for judges to understand the context. Keep in mind, the order of reported issues doesn't necessarily go according to submission time; judges pick the primary issue based on the best write-up, not the order of submission. So, it's important to ensure the clarity and quality of your report. If in doubt about submitting separate issues or one combined issue, it's better to err on the side of more detail.", "Question: Are deficiencies in test coverage categorizable as non-critical issues in the Quality Assurance (QA) report? 
If so, how should these issues be reported and what factors should be considered?\n\nAnswer: Test coverage deficiencies, particularly those that overlook significant functionality or fail to fully exercise code paths, could be considered non-critical issues to be included in QA reports. However, the severity of an issue can vary and is categorized as High, Low, or QA based on its impact. QA issues, also known as non-critical or low issues, are typically consolidated into a single QA report. \n\nThe QA report is also used to document 'Low issues' such as obsolete code, mismatches between documentation and code (if the impact is minimal), and suggestions for code simplification. A single finding in a QA submission is unlikely to secure a high grade; judges consider both the quantity and quality of submissions in their evaluation. \n\nIt's worth noting that providing a Proof of Concept (PoC) can help underscore the relevance of a finding. While a bug report without a PoC may be accepted, it's likely to be disregarded unless the issue is glaringly evident. Therefore, if a PoC can be coded for the uncovered test cases, it is encouraged. However, a PoC is not expected to show every step in code, especially for low-impact issues. \n\nMoreover, the discussion about how much effort a certain scope will require does take into account comments lines. Therefore, when considering whether to list a lack of test coverage, it may be worth considering the level of effort involved in creating these additional tests.\n\nIf you're unsure whether a finding is QA or of medium severity, it's advisable to file it as QA, unless there's a PoC. 
\n\nFor further details, please refer to the Judging Criteria and Incentive Model and Awards pages:\n\n- [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n- [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n\nLastly, remember that the best QA/Gas reports from past contests can serve as useful examples and are available at [https://code4rena.com/reports](https://code4rena.com/reports).", "Question: What is the current status and process for Backstage applications at CodeArena (C4)?\n\nAnswer: As of now, applications for backstage access at CodeArena have been temporarily paused due to an identified issue. Although there is no set ETA for the resumption of backstage applications, an update regarding this matter is expected within the next two weeks. Backstage access allows you to access the findings repository when a contest ends. \n\nTo apply for a backstage role once applications resume, you should submit a help desk request if you meet the qualifications based on published contest results. Contest results are usually published on the leaderboard shortly after the awards are announced. You can find more information about requesting backstage access at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens#to-request-+backstage-access. \n\nAdditionally, you can apply to be a Backstage Warden. The processing of these requests was paused at the time of the chat, and it could typically take up to 24 hours after KYC (Know Your Customer) is admitted. \n\nPlease note that a change to the process of granting backstage access is currently in progress. In the past, the process was based on a trust model, but in the future, there may be additional constraints or conditions implemented. 
You will be notified once your request for backstage access has been reviewed.", "Question: How can I change my login and payment wallet addresses on Code4rena as a safety measure?\n\nAnswer: Currently, CodeArena does not permit users to change their login wallet address. Users who have linked multiple addresses via Metamask can log in with any of those addresses. Further details can be found at: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. \n\nHowever, it's possible to change the payment wallet address within your user profile on Code4rena. To do so, simply go to the Manage Account section and update your payment address. It's advised to use a new wallet address as a preventative measure against future attacks.\n\nIn a scenario where your wallet has been compromised and you need to change your login address, you should submit a help desk request providing the details of the issue and a signed message from mycrypto.com. This can be done at https://code4rena.com/help. Please bear in mind that due to the complexity of changing wallet addresses, participants are only advised to submit a request if the change is extremely crucial, such as in cases where the old wallet has been hacked.\n\nIn cases where you have changed your payment address to a new wallet, rewards for your reports moving forward will be distributed to the new address. If you experience unexpected emails about updating your payment address, we recommend reporting the issue so that our team can investigate. \n\nParticipants are always encouraged to add their payment wallets to their account and to double-check that they are using the correct wallet or email to avoid login issues.", "Question: Can I direct message (DM) a member of the CodeArena team for specific inquiries?\n\nAnswer: Yes, you can certainly get in touch with CodeArena team members using the direct message (DM) feature in our chatroom. 
We encourage personal contact and direct messaging for specific questions. This could include questions related to specific contests, account issues, or even potential collaborations. Each contest also has a dedicated channel where you can ask general questions. Additionally, sponsor team members are available to answer questions via direct messaging. You may also send queries related to specific topics like the Vader protocol or FairSide via DM. For issues around your profile, you can direct your questions to the #profile-help channel. If you want to privately discuss more delicate aspects of the system, feel free to do so. If you want to propose a collaboration, investment, or have questions around the KYC process, you can also send a DM. However, if your question is general or something that could benefit other users, please consider asking it publicly in the appropriate channel or on our forum, as the chat is ephemeral. Please be aware that our community also reported possible scams via direct messages. Always ensure you're messaging a verified CodeArena staff member.", "Q: If contract A inherits from contract B, and contract C inherits from contract A, can C access the internal functions of B? Also, how does this impact the smart contract audit process?\n\nA: Yes, contract C can access the internal functions of B because in solidity, a child contract can be used like a wrapper to allow calls to internal functions. However, it's important to consider how this affects the auditing process. When a contract is in the scope of an audit and it inherits from another contract, both contracts should ideally be audited. This is because if there's a bug in one contract that impacts another, whether or not the impacted contract is in scope, it might affect the validity and integrity of the audited contract. The decision on whether the bug's impact counts towards the audit report would be up to the audit judge. 
\n\nFurthermore, internal function calls do not change the msg.sender value in the function. However, a contract's own function call, like \"InterfaceA(address(this)).functionA();\", would be considered an external contract call and would change the msg.sender value. \n\nUnderstandably, this can make the process complex, especially if the contracts involved have a lot of functions or state variables. It's worth noting that best practices often suggest prepending all internal functions with an underline to differentiate them. Additionally, vulnerabilities found in out-of-scope contracts but affecting the main contract should also be reported. \n\nFor a more comprehensive understanding about inheritance and its impact on smart contract audits, you can refer to these resources/tools like Mythril and Slither, which are widely used in the community for testing and auditing contracts.", "Question: What is the status of the backstage applications at CodeArena and when can we expect them to resume?\n\nAnswer: At present, applications to our backstage feature are on hold due to an identified issue. We don't have a specific estimated timeline for the resumption of this feature, but we intend to provide an update within the next two weeks. When a contest ends, backstage access can potentially be granted to access findings repo. Please note that the processing of backstage access requests may take up to 24 hours after KYC is admitted. For future updates on the issue, you can follow the organization's docs [here](https://docs.code4rena.com/structure/our-process). Additionally, please be aware that there may be minor delays in our response times due to events like the ethcc event, holidays, or an increase in help requests. 
Thank you for your patience and understanding.", "Question: How can I ensure my submission isn't invalidated due to suspected use of chatGPT tools and what steps can I follow if it gets marked as invalid?\n\nAnswer: At CodeArena, we prioritize the quality of findings over their source of origin. However, if you received a warning indicating that your submission may have been invalidated due to the use of chatGPT tools, there are a few things you can do to ensure your submission is considered valid. \n\n1. Include a thorough Proof of Concept and a case outlining how an item can be exploited while submitting an issue. This helps demonstrate the severity and validity of your findings. \n\n2. If you have cited similar findings from other contests to justify the severity of your issue, ensure they are relevant and add value to your submission. \n\n3. If you are concerned about the validity of your submission, monitor the backstage channel for the post-judging stage of the concerned contest. \n\n4. If your submission has been marked as invalid, you are advised to resubmit the issue and create a help desk request to withdraw the invalid submission. \n\n5. You will receive feedback from a judge if a finding is marked as invalid. You have the right to discuss or argue your case if your submission is rejected.\n\nSubmissions based on automated tools like chatGPT must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory. The policy regarding this can be found at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.\n\nRemember, CodeArena does not provide rewards for findings made with ChatGPT. If you wish to use AI in auditing, we suggest you enter the bot races instead. You can always contact us directly for any additional queries or concerns. It's also beneficial to review other warden's submissions on GitHub to learn from marked and invalid cases. 
Our aim is to ensure a fair and learning-centric environment for all our participants.", "Question: \nWhat strategies can be employed for mitigating against unbounded loops in Solidity, and how do these strategies also relate to gas optimization?\n\nAnswer:\nThere are several recommended mitigation strategies against unbounded loops in Solidity. Firstly, you could check out this blog post which provides an in-depth explanation on the topic: https://blog.b9lab.com/getting-loopy-with-solidity-1d51794622ad.\n\nAdditionally, to save gas cost while mitigating unbounded loops in Solidity, you could consider the following techniques:\n\n1. Use the 'unchecked' command in loops. This can further optimize for gas.\n2. Avoid unnecessary initialization of the loop variable to 0, which can lead to gas savings.\n3. Excluding the increment (++i) in a for loop is reported to reduce gas costs significantly.\n4. Function inlining is another technique you could use to save gas.\n\nIt's important to note that gas savings are a crucial aspect of smart contract optimization. Each mitigation strategy can vary in effectiveness depending on the specific context of the contract, so it is recommended to create different issues for different optimizations in your smart contracts.\n\nHowever, it's also important to understand that while certain mitigations may save gas, they could potentially introduce other risks such as reentrancy attacks. For instance, handling flashloans in the context of smart contracts might require the use of a flag similar to a reentrancy guard, which would have a gas overhead. \n\nLastly, auditing tools also play a crucial role in finding vulnerabilities and bugs in smart contracts which can help in improving the overall code quality and achieve gas optimization. Until Solidity 8.0, fuzzing tools were extensively used for auditing. 
Their usage has however decreased after Solidity 8.0 due to the implementation of an overflow/underflow check at the language level.", "Question: If a report is submitted as medium severity but is actually high, how is it handled by Code4Rena judges?\n\nAnswer: At Code4Rena, if a report is initially submitted as a medium severity finding but the judges consider it to be high, the severity status can be upgraded. This is, however, subject to the quality and completeness of the report. Should the report be incomplete, lack detailed information, or be inaccurate, it could be penalized which would affect its upgrade eligibility. This policy is in alignment with the submission guidelines outlined on the Code4Rena website (https://docs.code4rena.com/roles/wardens/submission-policy).\n\nMoreover, it's also important to note that the grading criteria for quality submissions include correct identification of the highest severity impact of the bug, making the case for the severity and validity chosen with evidence, clear and understandable writing. Even if a High severity bug turns out to be only Medium, the reward for a Medium bug is still received. \n\nAlso, if a finding is submitted as a low in a quality assurance (QA) report but the judges determine that it is a medium, it could be eligible for medium rewards depending on the circumstances (https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). This also applies to submissions where both high severity and medium/low severity issues are included in the same report - the highest effort should be put into the high severity issues. \n\nEqually, if a finding from an automated report is escalated to a high severity, it is not automatically invalid. 
Participants who base their submissions on automated tools are required to provide strong evidence to demonstrate a relevant High or Medium severity exploit path for the submission to be considered satisfactory. \n\nIn the case of severity misclassification, participants are encouraged to make a case to the judge in their submission if they believe a high risk finding should be considered. The final decision on the severity ranking and subsequent reward will be based on the judge's assessment.", "Question: How can I review, edit, or withdraw my submitted findings for a contest on CodeArena?\n\nAnswer: To review or edit your submitted findings for a contest on CodeArena, you can navigate to the specific contest page on our website. From there, you can click on the \"Your Findings\" button, which is typically located next to the contest description. This is where you can view the status of your report, add more findings, modify existing ones, or even withdraw your findings if necessary. For example, if you participated in the Ethos Reserve contest, you could go to https://code4rena.com/contests/2023-02-ethos-reserve-contest to access your findings. Please be aware that you can edit your findings until the contest officially closes. After this period, your findings will be reviewed and you will not be able to make further edits. If you've submitted a report and do not see the \"Your Findings\" option, please reach out to us in the chat as the dev team is consistently working on these features.", "Question: What is a zero-day exploitable bug and how does it relate to smart contract auditing?\n\nAnswer: A zero-day exploitable bug, often known as a '0-day', is an exploit that is discovered after being used 'in the wild', which means on production software. In the context of smart contract auditing, it could refer to a vulnerability that has been exploited before being detected and reported. 
If a line of code has multiple ways of exploitation, all bugs should be reported, but priority should be given to the one that has the biggest impact. Moreover, known issues can be used to build a more complex exploit. \n\nIt's important to note that the severity of a vulnerability is determined by its potential impact on the code. If two separate vulnerabilities can be combined to create a more powerful one, users can submit a third finding explaining the proof of concept. This can include vulnerabilities that are discovered by automated tools, but there is a higher burden of proof required to demonstrate a relevant high magnitude (HM) exploit path. More information on this can be found in the discussions on our GitHub page: https://github.com/code-423n4/org/discussions/50.\n\nFor users interested in learning more about such exploits, past contest reports revealing vulnerabilities can be used as a learning resource. In some cases, vulnerabilities identified by bots can potentially be rated lower than their actual severity. This means that the vulnerability can be reported again during the contest by a warden and awarded with the higher severity. However, a vulnerability without a proof of concept (PoC) can still potentially be rewarded as a high severity issue, if the process is clearly described.", "Question: How can I verify the status and success of my report submission with CodeArena?\n\nAnswer: After successfully submitting your report at CodeArena, you will receive a confirmation email providing the initial indication that your report has been received. You can also check the status of your submissions at https://code4rena.com/reports. Additionally, you have the ability to view and edit your submitted findings in the \"Findings\" tab found next to the contest description on the C4 Contest page. 
However, please be aware that it might take some time for the confirmation email to arrive, and if your submission fails, the form should return an error.\n\nFor more detailed information such as whether your submission was accepted, this will only become apparent once the report is published and the findings repository is made public. This process can take anywhere from 2 to 6 weeks or even longer, following the completion, sponsor review, judging, and awarding stages of a contest. If you submitted issues for a contest but didn't make the award list, it's likely your issues were rejected. To review these, wait until the report is published and the findings repository is made public. \n\nPlease note that after a contest has ended and while it is in the judging process, you won't be able to see the status of your submissions until the report is published and the findings repository becomes public. In the meantime, you can check previous reports to see what high-quality submissions look like. \n\nFinally, it is possible to update your submissions by selecting the \"My findings\" option on the contest page.", "Question: What does the probability of 2^96-1 = 7.9e28 represent in the context of finding the same Ethereum address using a different private key?\n\nAnswer: The probability 2^96-1, which is roughly equivalent to 7.9e28, signifies the vast number of different private key combinations that can be generated to create a unique Ethereum address. As the Ethereum address is the hashed output of the public key, which in turn is derived from the private key, this vast number represents the near-impossible odds of generating the same Ethereum address from a different private key. \n\nIn the context of Ethereum, addresses are 160 bits long, generated from the elliptical curve cryptography formula. This formula uses a prime number for the modulo operation, ensuring a more normal distribution than the use of a composite number. 
\n\nUsers who want to change their Ethereum wallet address are advised to generate a new private key, which will result in a new public key and hence a new address. The new address can then be used for subsequent transactions or reports. However, it's considered safer and better practice to use a two-step change process to prevent errors.\n\nNote that each slot in Ethereum Virtual Machine (EVM) is 32 bytes, and if an address field doesn\u2019t fill up a slot, the extra space will be filled with left padding filled with zeroes. \n\nAs a reminder, the address of the C4 token is 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222. If you want to verify the payout for vulnerability issues, check the wallet address with which you registered using polygonscan.com or wallet trackers like debank.com. \n\nFor additional context on related issues, you can refer to these links:\n- On the issue of \"missing 0 address check\": [Link](https://github.com/code-423n4/2021-10-badgerdao-findings/issues/5)\n- On a code implementation using the large number representation in Solidity: [Link](https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L699)\n- On the issue of \"Use assembly to check for address(0)\": [Link](https://github.com/0xKitsune/solstat/blob/main/src/report/report_sections/optimizations/address_zero.rs)\n- On the brief explanation of elliptical curve cryptography and how prime numbers are preferred for modulo operation: [Link](https://docs.soliditylang.org/en/v0.8.15/types.html#rational-and-integer-literals)\n\nRemember, the enormity of this number (7.9e28) is a testament to the security of the Ethereum network. It is virtually impossible to generate the same Ethereum address from different private keys due to the immense possibilities.", "Question: How can I know when new audit reports are published on the CodeArena website?\n\nAnswer: Currently, there is no specific timeline for when findings are posted or reports are published on CodeArena. 
However, you can find the existing reports sorted by the publication date on our reports page at https://code4rena.com/reports. To stay updated, there has been a suggestion to create an announcements channel named #audit-reports on our Discord server, where a new message would be posted whenever a new report gets published on our website. This feature is expected to be introduced soon. \n\nAlso note that after a contest is closed, there is a period of time before the findings repository becomes publicly available for discussion. The exact duration is unspecified, but it typically takes at least a month for reports to be published. You can also check on your submissions after the report is published and the findings repository is made public. In terms of visibility, even after contests have ended, the platform allows viewing of reports from other wardens.\n\nAs a participant, you are advised to wait for the findings repository to be made public before having any public discussions about the contests. We are working on procedures for sensitive disclosures and updates on this will also be announced soon. For any queries or suggestions, you are welcome to check the reported findings via a link on our Discord channel.", "Question: What email address does CodeArena use for communication, and what should I do if I encounter issues with receiving emails?\n\nAnswer: CodeArena mainly uses the email address submissions@code423n4.com for communication. However, there have been instances of our emails being flagged as spam or users having to switch to different email addresses. If you happen to face such an issue, or any other like not receiving an email confirmation after registration or submitting a finding, you can open a help desk request at https://code4rena.com/help. This is our dedicated platform for users to report issues and concerns. Our team will reach out to confirm receipt of your submission and address your queries. 
If you still encounter difficulties in submitting a request through this form, you can forward your request directly to submissions@code4rena.com. For reporting vulnerabilities impacting the CodeArena's webapp, the issue should be emailed to security@code4rena.com. We are committed to providing efficient support to our growing community.", "Question: What happens to the reward if I misclassify the severity of a bug in my submission?\n\nAnswer: The severity classification of your bug submission (High, Medium, Low, or QA) is important as it determines the reward you receive. However, if you submitted a bug as High severity but it's judged to be Medium, you will still receive a reward, albeit for a Medium bug. Likewise, if a submitted Medium severity bug is deemed to be of High severity, the severity of the finding can also be upgraded, unless there's a reason to penalize it. \n\nClassification of severity mainly depends on the loss caused by the issue. If all rewards can be lost, it's probably considered High or Medium severity. A risk of losing some rewards qualifies an issue as Medium, and if only a negligible amount of rewards are lost due to roundings, it's likely classified as QA. In cases where the principal can be stolen without additional requirements, it's typically classified as High severity. \n\nYou can use the formula provided here to calculate the reward for a Medium/High finding: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs\n\nIf no Medium/High vulnerabilities are found, the full award pool will be divided based on the QA Report curve. 
\n\nYou should note that if an issue you submitted as low severity in a QA report is judged as Medium, you will be eligible for Medium rewards as per Code4Rena's policy: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.\n\nRemember, when categorizing the severity of a bug, you should consider the balance of consequence and likelihood, relying on your experience and understanding of the potential impact. High consequences usually involve sizeable fund loss or other severe impacts and don't require pre-conditions, whereas Medium consequences typically have a lesser impact and specific preconditions such as high attack difficulty or specific market conditions.\n\nFinally, for each unique High or Medium finding, the submission selected for inclusion in the audit report receives a 30% share bonus.", "Question: What wallet options and functionalities does CodeArena support? \n\nAnswer: CodeArena primarily interacts with MetaMask for a range of functionalities. Users can submit findings, receive payments, and log in to CodeArena using their MetaMask wallets. Although some issues have been reported with MetaMask, such as hacking and login problems, a potential resolution suggested was creating a new MetaMask wallet on a device not connected to the internet. \n\nAnother option discussed on our platform was utilizing hardware wallets like Trezor or Ledger. However, do note that users have expressed interest in using different wallets and changing their wallet addresses on the platform. You can also change your wallet details in your reports, and the rewards will be distributed to the new address. \n\nFor rewards, participants can receive them on Polygon, which can be connected to MetaMask for conversion and withdrawal. The process of converting Polygon Tokens to EUR can be done through the MetaMask bridge and Coinbase. 
If you are unable to see the tokens, they can be manually added to MetaMask by swapping networks to Polygon. \n\nFor Ethereum transactions, it's important to note that MetaMask charges a fee of 0.743% for token swaps. Other smart contract wallets like Gnosis and Argent were discussed, but it's unclear how these integrate with CodeArena. \n\nWhile MetaMask is extensively used, participants are encouraged to explore other options for exchanging to fiat currency and consider other web3 wallets like Zerion. We also want to note that users can switch the network in their MetaMask to Polygon Mainnet, copy their public keys, and paste them into Code4rena. Always remember to add your payment wallets to your account.", "Question: What are the guidelines for citing similar findings from other contests to justify the severity and validity of my submission in CodeArena?\n\nAnswer: Yes, citing similar findings from other contests to justify the severity and validity of your submission is allowed at CodeArena. However, the judges will take into account the entire context when evaluating submissions. While linking to other contests in a report to demonstrate findings is allowed, citing examples from Code4rena could be more compelling due to our rigorous judging and Quality Assurance process. Remember that whether high-risk findings are considered depends on the specific contest and the judge, so it\u2019s advisable to make a clear case in your submission if you believe a high-risk finding should be considered. If two participants submit the same bug at the end of the contest, the judging criteria for duplicate submissions can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions. 
Detailed submission guidelines are available at: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues and https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines.", "Question: Why is a specific line of code in smart contracts important and how can I reference it effectively?\n\nAnswer: A line of code in a smart contract can be important for a variety of reasons. For instance, the 'initialize function' is crucial as it might be susceptible to 'frontrunning'. Some lines of code can have multiple ways of exploitation, and when encountered, all the bugs should be reported, prioritizing the ones with the most significant impact. Certain lines, like 'require(abc<123)', are considered a valid low finding as a \"magic number\" and it's suggested that declaring constant value will improve code readability.\n\nTo reference a specific line of code effectively, there are several methods. If the code is hosted on Github, you can highlight the code by clicking on the starting line, then holding down CTRL + SHIFT and clicking on the last line. This will change the URL to link directly to those lines. You can also utilize a VS code extension called \"Copy With Line Numbers\", which provides a code snippet with line numbers. Either way, when reporting vulnerabilities, it's recommended to include both the URL to the repository with the line number and a code block.\n\nHowever, understanding the purpose of a specific line of code generally requires reading the documentation or having previous experience with similar code. Furthermore, when looking at larger codebases, more time might be necessary for a more thorough review, otherwise, bugs can be missed.\n\nWhen discussing the significance of a line of code in a smart contract, it's not necessary for a Proof of Concept (PoC) to be the exact code, but the impact of a vulnerability found in the code will determine its severity. 
It's also beneficial to include any gas savings from refactored code in submissions, and if a gas optimization finding can be applied in more than one line, it should be submitted as one finding, mentioning all lines where it can be applied.\n\nBear in mind that beginners might face difficulties in understanding certain code instances, and they are advised to make one report and reference the related issues in it. If you observe a yellow icon while reviewing the code, an explanation is usually available at a specified location.\n\nUltimately, while assessing the importance of a line of code, it's necessary to consider assumptions made in the code that are not explicitly mentioned in the README/code comments and if these assumptions lead to any valid issues.\n\nFor more information, you may refer to the discussion on the CodeArena Discord server.", "Q: If there is an external function with the transfer of ERC20 tokens without reentrancy protection, can it be classified as a medium or high vulnerability? If not, what factors would allow it to be categorized in such way? \n\nA: In general, an external function with the transfer of ERC20 tokens without reentrancy protection may not be eligible for a medium or high categorization. This primarily depends on whether there is a clear explanation of the exploit path that could potentially lead to a significant vulnerability. If there isn't, it's likely to be downgraded to a Quality Assurance (QA) finding. \n\nHowever, it's important to note that various factors can influence this. For example, if a function call in a smart contract consistently reverts, even though assets are not at risk, it can be considered as a medium or high finding based on the context. \n\nAlso, a vulnerability like missing zero address check which could lead to loss of funds can be considered valid. 
For instance, you can refer to this vulnerability for reference: https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address.\n\nWhen you're dealing with tokens, whether to use \"safeTransferFrom\" or not depends on the token used and the expectations of the code. Some tokens, like ZRX, do not revert on failure but just returns false. You can learn more about such tokens here: https://github.com/d-xo/weird-erc20#no-revert-on-failure. \n\nMoreover, it's crucial to remember that smart contracts do not automatically know if someone sent ERC20 tokens to it, and ERC721 or ERC1155 contracts may know if tokens were sent there because it has a recipient contract call onReceive. \n\nA potential reentrancy risk without an actual vulnerability was marked as low here: https://code4rena.com/reports/2022-12-caviar#l-01-missing-reentrancy-guard-to-withdraw-function. But this doesn't mean that all potential reentrancy risks will be treated the same. The context and potential impact are important factors to consider. \n\nIn terms of smart contract development, please note that reentrancy is a common issue in both web2 and web3 sectors, and it's important to conduct thorough testing before deployment. This may involve using mocked tokens that have safeTransfer and safeTransferFrom functions. \n\nFinally, it's worth mentioning that there is an ongoing discussion about the feasibility of demonstrating an actual re-entrancy attack on a public testnet. This could provide valuable insights into how such vulnerabilities could be exploited in a real-world scenario.", "Q: How and where can I create a help desk request to address issues or request changes on Code4rena?\n\nA: If you are experiencing issues at Code4rena or need to request changes such as altering your team membership, updating your Discord username, profile image or Twitter URL, you can create a help desk request on our website. 
Simply visit the help desk request form at [https://code4rena.com/help](https://code4rena.com/help). You can also use this form for any private inquiries to the Code4rena team. Once submitted, your request will be received and you can expect it to be processed in a timely manner. Please ensure to outline the issue or request clearly in your submission.", "Question: How can I link my Twitter account to my Code4Arena profile and leaderboard?\n\nAnswer: To link your Twitter account with your Code4Arena profile and appear on the leaderboard, you need to submit a help desk request. Include your Warden name and Twitter URL in the request. You can also request changes to your profile icon or the link associated with your username in the leaderboard. If you wish to change your Twitter username on Code4Arena or add a Twitter handle to your profile page, this will also require a help desk request. Please note, the ability to edit a user profile on Code4Arena requires certification. You can submit your help desk request at https://code4arena.com/help.\n \nFor further instructions on how to attach your Twitter handle and profile picture to your CodeArena profile, you can follow the guidelines available on GitHub at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles and make a pull request for your handle. \n\nPlease remember, your profile name in Code4Arena should match with your name in the chat. If you encounter any problems while linking your Twitter account or have any issues related to rewards distribution, you can submit a Help Desk request through the same link.", "Question: What should I do if the 'Create Issue' button doesn't respond and there are no console errors found on Code4rena?\n\nAnswer: If you notice that the 'Create Issue' button isn't responding and there are no console errors on Code4rena, there might be some difficulty with the platform. This issue has been reported, especially by mobile users. 
In this case, it's advisable to check if your GitHub account is logged in and it's the same account you provided for use on C4. \n\nIf you are still experiencing issues, you can seek assistance by creating a detailed help desk request on our help page, https://code4rena.com/help, outlining the issue you're experiencing. If you encounter difficulties with the main help page, you can use the alternative help link, https://old.code4rena.com/help/. \n\nIn situations where submitting a help request form persistently fails, you can forward your request to submissions@code4rena.com. Always check your email for confirmation after making a submission, as this can help you verify if your request has been successfully processed. If you haven't received a confirmation email, you can open another help desk request at https://code4rena.com/help.\n\nIt's also worth mentioning that if you are trying to submit a Quality Assurance report for the first time and encounter an error, you can check if it has been successfully submitted by viewing the findings through the \"View Context\" feature.\n\nFrom our observations, some participants have had issues with logging in, viewing the repo, or making submissions on the CodeArena platform. We appreciate your patience as we work towards resolving these issues.", "Question: How is the grading and scoring system applied to grade-A QA reports at CodeArena?\n\nAnswer: Grade-A QA reports at CodeArena are evaluated based on both the quantity and quality of findings. Two reports graded \"A\", one with 2-3 low findings and another with 5-6 low findings, would receive the same award, as all A graded QA reports receive the same award regardless of the number of Low findings. \n\nHowever, it is important to note that not all findings or reports are guaranteed a reward. Reports are graded on a relative scale, so the number of issues reported doesn't necessarily determine the grade. 
Additionally, incorrect findings in a report can affect the grade, and judges have the ability to downgrade or upgrade items when grading. \n\nIn terms of sharing, Grade A reports count as 2 shares, Grade B as 1, and the best report receives a 30% bonus. Rewards for QA and Gas reports are divided into grades A, B, and C, based on quality and gas savings, with Grades A and B receiving rewards. \n\nIt's recommended to submit one Quality Assurance (QA) report per contest, ideally grouping all issues together, and separating the Gas report from the QA report. Participants can compare their findings with winning reports for more insights. \n\nFor further information on the grading system and rewards, you can refer to CodeArena's documentation at https://docs.code4rena.com/awarding/incentive-model-and-awards and https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic.", "Question: I am experiencing issues with submitting findings on CodeArena, including not being able to edit them or see them on the Findings tab, despite having tried multiple browsers. What can I do to resolve this?\n\nAnswer: There have been reported issues related to submitting findings, viewing submitted findings, and even editing them. This could potentially happen on various browsers and in various contests. If you're encountering such issues, here are some steps you could take:\n\n- Check your browser's console for any errors.\n- Ensure you are not hitting any API rate limits when you try to submit reports.\n- Be patient as it can sometimes take a while for a submission confirmation to arrive via email. 
The form should return an error if your submission fails.\n- If you can't see your submissions in the Findings tab, try navigating to the specific contest page and click on the 'your findings' button to view or edit your submissions.\n- Check the permalink, as some issues have been related to it, especially when using Firefox or Chrome.\n- Verify if your issue was related to the automated findings, following the guidelines provided here: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.\n\nPlease be aware that after clicking \"CREATE ISSUE\" in \"SUBMIT FINDING\", your data gets turned into a submission that goes into the findings repository for the given contest. It is then evaluated by judges after the contest ends. After you've submitted a finding, you can expect a follow-up and even find feedback for your submissions. \n\nRemember, this platform requires authentication for the submission of findings. If you're waiting for warden verification, or looking for alternatives to submit findings, please reach out to our support team. If you're unable to submit findings due to an unforeseen circumstance, like a power cut right before a contest deadline, please contact us as soon as possible. \n\nWe're aware that users would appreciate an easier feature to edit submissions and we're considering this in our updates. Your understanding and patience are greatly appreciated.", "Question: After clearing out local storage as suggested, if the issues persist, how do I seek further assistance?\n\nAnswer: If issues persist after clearing out local storage, you can create a help desk request for further assistance. Help desk requests can be made on https://code4rena.com/help. This process includes confirmation of the receipt of your request. You can use help desk requests to check on status updates, request backstage application assistance, request profile picture updates, or to report unresolved issues among other things. 
Help desk requests are usually fulfilled in a timely manner and you should expect a response within a week. However, please remember that after contests close, it is not possible to edit findings directly, so any required changes need a help desk request. If you feel there's a security risk with making issue contents public, you can specify this in your help desk request.", "Question: When is the Neotokyo contest starting and what are some details about the upcoming contests at CodeArena?\n\nAnswer: The Neotokyo contest is scheduled to start within the week of this chat. It's one of several new contests expected in the coming month, which details can be found in the #\u270brsvp channel on our Discord server. For example, the Overlay Protocol contest has been rescheduled to start on 11/16 at midnight UTC and the streaming protocol contest was postponed to 11/30. Also, there are two more contests lined up for the following week. You can check the status and awards of past contests at https://code4rena.com/contests/2023-01-numoen-contest. Please be aware that some contests might not have been updated on the specific channels yet, and there can be gaps in the schedule for live contests. Upcoming audit contests are listed on our website, code423n4.com. We also run week-long contests each week and some contests can last up to 13 days. Lastly, we're planning to implement a new submission mechanism in upcoming contests and considering creating a notification system, such as a Telegram bot, for announcing new contests.", "Q: What should I do if the \"Create Issue\" button doesn't trigger a form submission on CodeArena's platform?\n\nA: If you're experiencing trouble with the \"Create Issue\" button, there might be various reasons, including a form validation issue not producing an error message or potential issues with GitHub affecting the form. \n\nFirst, try refreshing the page or changing browsers. 
If the problem persists, it could be linked to an API limitation or form submission size. For instance, if a gas report is larger than ~65k characters, it might exceed GitHub's limit for issue descriptions, preventing the form from being submitted. In such cases, you can email your submission to submissions@code423n4.com.\n\nIt's important to note that after you submit an issue, it may not be immediately visible in the Issues in the repository created for the audit. But don't worry, after clicking \"CREATE ISSUE\" in \"SUBMIT FINDING\", your form data is converted into a submission that goes into the findings repository for the specific contest. This submission will be evaluated by judges after the contest ends. \n\nIn case you don't see your submissions in the Findings tab or experience issues editing them, it could be due to visibility problems potentially caused by GitHub issues or limitations. To report any issues related to the submission process or to check on the status of your submissions, you can create a help desk request. \n\nAlso, you don't need to create the same issue on GitHub after submitting it on the CodeArena website, as our system does this automatically. There's currently no email notification for updated issues, so you might need to check back for updates manually.\n\nLastly, submitting issues as a team is possible but the exact process might need clarification. If you encounter any technical issues like a blank page when selecting team members, please report them so we can address them as soon as possible.", "Question: What validation checks are performed on the submission form, and how can I manage issues with my submission?\n\nAnswer: The CodeArena submission form validates that all fields are filled and that code references are present and formatted correctly. 
If you encounter any issues with these validations or face a situation where the form is not producing an error message, we recommend you back up your findings, clear local storage, and try again with a fresh submission. \n\nAdditionally, it is important to include valid links to code fields in your submissions. If you've filled out a form incorrectly, currently, there isn't a direct way to edit it. In this case, you may need to resubmit the form. For those who are waiting for warden verification, there may be options to submit findings outside of the website form. \n\nFor checks like Oracle validations such as checking for stale values and checking for the answer in the same roundid issue, these validations are considered as one issue if missing. \n\nIf you're unsure about the validity of your submissions, you can request feedback from a judge if your submitted finding is marked as invalid. If you're wondering how to submit additional findings after an initial low-risk finding, this can be done through the same submission process. \n\nYou can check if you've submitted an address for rewards through the help form at [https://code4rena.com/help](https://code4rena.com/help). It is not strictly necessary to fill the \"Recommended Mitigation Steps\" in the bug template, but doing so can improve the value of your report. \n\nLastly, please note that you should receive an email about the status of your submission, whether it is valid or not. We are aware of some issues with the submission form that replaced the page with a purple screen when a dropdown was clicked, and are actively working to resolve them. We appreciate your understanding and patience.\n", "Question: How can I find out who the judge will be for an ongoing contest such as the Aragon contest, and can I contact them directly?\n\nAnswer: At CodeArena, the identity of the judge for an ongoing contest is not disclosed ahead of time by design to maintain fairness and impartiality in the judging process. 
This also means that contacting a judge directly ahead of time is not possible. Judges for a contest are chosen based on their experience and reputation and their decision on a bounty is shared only after the contest concludes. \n\nTo understand the role and responsibilities of judges, you can visit our documentation at https://docs.code4rena.com/roles/judges. The review process for contest findings involves a sponsor review, judge review, sponsor confirmation, judge's final report, and announcement of the results. This process begins immediately after a contest ends and you can find more information on our process at https://docs.code4rena.com/structure/our-process.\n\nParticipants can ask judges for feedback on issues to understand the reasoning behind the ruling and to see what could be improved after the results have been announced. If you're interested in the ongoing contests, or want to find more information about a specific one such as the Aragon contest, you can visit our contest page at https://code4rena.com/contests. Specific questions about the scope for a contest should be addressed to the respective sponsor.", "Question: What does CodeArena mean by 'code references' in the reports, and how should I reference code in my report submissions?\n\nAnswer: Code references in CodeArena pertain to how you highlight or point to specific sections or lines of code in your report submissions. Usually, these references are a combination of two elements: \n\n1) A URL link to the specific code section on GitHub. This can be created by clicking on the line number(s) in the file in the GitHub repository. If you wish to reference a range of lines, you can do so by holding the SHIFT key as you click on the line numbers. This URL should be included in the 'Links to Affected Code' section for high/medium findings. 
Only the permalink for the respective code block should be added here.\n\n2) A block of the referenced code itself, formatted for readability using Markdown syntax. This can be useful to provide context without requiring the reader to navigate away from your report. For languages like Solidity, you can add syntax highlighting to your code block using three backticks and specifying the language (e.g., ```solidity). The body of your report can include Markdown formatting, but only links should be placed in the 'Links to Affected Code' box. \n\nFor more information on how to format code blocks with Markdown, you can refer to this guide: [Creating and Highlighting Code Blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks). \n\nFurthermore, be aware that adding a link to a sponsor's Github repo code in a findings report doesn't automatically pull in that code snippet to the report. You would need to manually include the relevant code snippets in the report. \n\nFor newcomers, it may be beneficial to make just one report and reference other related issues within that. This can make it easier to understand the interactions between different parts of the code and the larger impact of the vulnerabilities found. \n\nFinally, please note that understanding the purpose of a codebase can often require reading the documentation or having previous experience with similar codebases. Always aim to provide as much clear and relevant information as you can to paint a cohesive picture of the code's vulnerabilities and potential impacts.", "Question: How can I edit my submitted findings for a contest on the Code4rena platform?\n\nAnswer: You can edit your submissions by navigating to the contest page. Once there, look for the \"Your Findings\" button. Under this section, you can modify your submitted findings. You can continue to edit your findings until the contest ends. 
However, please note that after the contest has ended, you will not be able to edit your submissions. For instance, if you submitted an entry for the Ethos Reserve contest, you could edit your findings by visiting this page: https://code4rena.com/contests/2023-02-ethos-reserve-contest. Additionally, you will receive an email confirming the successful submission of your report. If you are unsure about the submission status of your report, you can check this email or view your submissions on the contest page. However, please be aware that some users have reported not being able to see their submissions under the \"Findings\" tab, which may prevent them from editing. Also, please be aware that we are currently working on implementing a new submission mechanism for future contests.", "Question: How can I copy code from GitHub and include the contract file name and line numbers in CodeArena reports?\n\nAnswer: Copying code from GitHub with the contract file name and line numbers can be done by using a few tools and methods. First, you can use an extension such as \"Copy With Line Numbers\" on VS Code to get code snippets with line numbers, or you can use a tool available at [https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers](https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers).\n\nTo link to a specific line or range of lines on GitHub, click on the line number on the left tab of the code on GitHub, which will change the URL. For a range of lines, click on the first line and then hold SHIFT while clicking on the last line of the range. You can then use this URL in your report.\n\nWhen showing places of vulnerability in reports, it's generally recommended to include both the URL to the repository with the line number and a code block for context. 
You can create and highlight code blocks in your report by following the instructions at [https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks). \n\nIf the code is too lengthy, consider using a 'Proof of concept' link to a private repo on Github instead of adding it directly to the report. More information can be found at [https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nAdd Solidity syntax to code blocks using the Markdown (MD) format for readability. In reports, text color can be added using presets for code when doing a code block, usually JavaScript is used for Solidity. \n\nPlease be aware that there may be discrepancies between the number of lines of code (LOC) mentioned in README.md files and the actual lines in the contract files. As such, double-check the line numbers before referencing them in your report.", "Question: What are the guidelines and rules for drafting, submitting, and reporting findings in a contest for Code4rena?\n\nAnswer: Reports in Code4rena are prepared by wardens, and these can be drafted, edited, and reviewed before submission. Wardens are only allowed to submit one Quality Assurance (QA) report and one gas report per contest. Additional findings should be added to an existing report rather than creating new reports. \n\nWhen reporting bugs, the severity to be reported depends on the impact of the bug, and guidelines for estimating risk are provided [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr). If the same vulnerability is reported by two or more wardens, there is a criterion followed to determine the recognition in the final report. 
However, if a duplicate report is not beyond a certain threshold, there might be no money awarded for it. \n\nReports are graded based on a relative score compared to other reports and the best report will receive more money than others. Bonus rewards are also given for the best reports. Once the report is submitted, participants can check the success of their submission by looking out for an email confirmation and the ability to edit submitted findings. \n\nParticipants should wait for the report to be published and the findings repo to be made public to verify their submissions. Queries, modifications, or withdrawal of findings can be done by seeking clarification from the wardens. Note that any concerns or issues related to input checks from governance variables are restricted from being reported in contests. \n\nThe final report for a contest doesn't include wardens whose submissions/findings are not accepted. The decision on how to reward severity escalations in a contest report is up to the judge. For more information on report submission, refer to [this link](https://docs.code4rena.com/roles/wardens/submission-policy#report-format).", "Question: How can I edit my submitted findings in CodeArena?\n\nAnswer: To edit your submitted findings in CodeArena, you can follow these steps:\n\n1. Navigate to the contest page of the respective audit.\n2. Click on the 'Your Findings' button.\n\nYou can add more findings to your report or modify the existing ones using these steps. You can also retract a submission if you realize something is a false positive. \n\nAfter submitting a finding, you should expect a follow-up. Users usually receive a confirmation email after submitting findings. You can verify the success of your report submission by checking for this email or by viewing your submitted findings.\n\nPlease note, only one report of gas optimization can be submitted per contest. 
However, you can add more findings to the report using the steps mentioned above.\n\nIf you are unsure whether to submit findings as separate issues or as one, please note that it's still unclear which way to lean. When there are issues related to submitting findings and loading submitted findings, you may need to clear your local storage. \n\nTo know the reasons for findings rejection, you can find feedback for your submitted findings. More details on finding which findings of a contest were rejected and why can be found here: https://code4rena.com/contests/2023-02-ethos-reserve-contest. \n\nRemember, your findings are essential to the audit process and can be tracked and edited from the 'findings' tab next to the contest description. \n\nIf you encounter any issues during this process, feel free to reach out for assistance.", "Question: Could you provide some guidance on how to better understand the relationship between interfaces and smart contracts? Would using a diagrammatic tool, like Surya or sol2uml, be helpful for this?\n\nAnswer: Understanding the relationship between interfaces and smart contracts is indeed a key aspect of smart contract auditing. A good practice mentioned in our discussions is to start with libraries and interfaces that have the least dependencies. This approach should give you a clearer view of the overall system.\n\nAs for visualization tools, they can certainly be helpful. The Surya tool (https://github.com/ConsenSys/surya) has been mentioned in our chat, but it may be outdated. Another tool worth considering is sol2uml, which generates UML diagrams from Solidity code. \n\nIf you're looking for alternatives, a user shared a Github repository about smart contract visualization, which might be useful (https://github.com/DanielVF/evm-contract-draw). 
\n\nIn addition to tools, discussions in our community about understanding solidity syntax and programming, comparing differences between contracts, and the categorization of severity related to state variable changes in smart contracts could also be beneficial.\n\nRemember, when auditing, understanding the context of issues within smart contracts, particularly in relation to slot collisions and the inheritance of upgradeable contracts, is critical. You might also want to take note of whether there are more functions in an interface than are used in the code during a protocol interaction with a contract on-chain.\n\nFinally, our team is consistently adding videos explaining smart contracts to a playlist and is always available to answer questions. You're also welcome to seek advice from other users in the community, from beginners to experienced auditors.", "Question: Why has backstage access at CodeArena been disabled and when can we expect it to resume?\n\nAnswer: Backstage access at CodeArena was temporarily disabled due to incidents of privilege abuse, where specific users improperly shared information about findings for judging in progress with others who did not have backstage access. As a result, new backstage applications are currently paused and the process of backstage access is being reviewed and modified. The decision about the backstage role will be based on a carefully formulated plan. \n\nPreviously, backstage access was based on a trust model, however, future access may include certain constraints or conditions to prevent misuse. This change is still in progress and there's no definite ETA for when new applications will be accepted, but an update is expected to be posted within the next two weeks. \n\nPlease note that backstage access can be extremely valuable as it grants access to certain resources like the findings page. It can also be requested through a help desk request once all the criteria are met. 
More information about backstage access and its changes can be found at these links: \n\n1. https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490\n2. https://discord.com/channels/810916927919620096/810931711609143326/1082437741586960485\n\nWe appreciate your understanding and cooperation during this period of change. Rest assured that once the decision is made, a notification will be provided once your request for backstage access has been reviewed.", "Q: How do I submit a finding for a contest on CodeArena?\n\nA: To submit a finding for a contest on CodeArena, navigate to the specific contest page on the CodeArena website and click the \"Submit finding\" button. Each finding should be submitted separately via the submission form on the website. You can access this process [here](https://github.com/code-423n4/code-contests/blob/4db2720312f0958f2e89f6207a6774c9e5360655/SUBMISSION_TEMPLATE.md).\n\nIt's important to note that while a GitHub template for submissions exists, it's outdated and is not updated anymore. You're encouraged to include a proof of concept and a case for how an item can be exploited to avoid having your submission marked as invalid. You can also use the template of a gas report from a previous contest, but you'll need to adapt it to fit the current contest. \n\nCode can be formatted in the submission form using Markdown. After clicking \"CREATE ISSUE\" in \"SUBMIT FINDING\", the form data will be transformed into a submission that goes into the findings repository for the given contest. This submission is then evaluated by judges after the contest ends. \n\nIf you need to edit your submission, you can do so on the site for open contests. If you disagree with a decision about a contest judgement, you can review issues at [this link](https://github.com/code-423n4/org/issues), where you can comment on existing issues, support existing suggestions, or open a new issue if your concern is not already addressed. 
\n\nIf you find issues outside of the contest scope, specific questions should be addressed to the respective sponsor. In case you and another participant submit the same bug at the end of the contest, the judging criteria for duplicate submissions can be found [here](https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions). \n\nPlease be aware that a new submission mechanism is being planned for implementation in upcoming contests, so these processes may change in the future.", "Question: How can one understand and navigate the relationship between interfaces and smart contracts in a blockchain system?\n\nAnswer: The relationship between interfaces and smart contracts is a critical aspect of blockchain systems. An interface defines a contract's behavior, while the smart contract implements this behavior. This relationship becomes especially important when dealing with multiple smart contract files. A useful approach is to start with libraries and interfaces that have fewer dependencies. \n\nWhen auditing smart contracts, it's important to be aware that the number of functions present in an interface might exceed those used in the contract during a protocol interaction. This can be essential information during the auditing process.\n\nThe understanding of smart contracts can be enhanced through various tools. Although not a direct tool for interfaces, Surya (https://github.com/ConsenSys/surya) can be useful for understanding interactions among smart contracts. It provides a graphical representation, but it's important to note that this tool is deprecated and may not offer up-to-date information.\n\nFor beginners in smart contract auditing, resources like CryptoZombies.io and CaptureTheEther.com can be helpful for understanding the basics of smart contracts and the Solidity programming language. \n\nLastly, it's important to remember that each smart contract is independent and can function separately from any backend system. 
Understanding the relationship between interfaces and smart contracts is a foundational step towards effectively finding vulnerabilities and optimizing smart contracts. For further guidelines on how to report issues related to smart contracts during an audit, visit https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md.", "Question: After submitting an issue at CodeArena, how can I check the status of my submission, receive feedback, and understand the evaluation process?\n\nAnswer: After you submit an issue, you can expect to receive feedback typically within a couple of months, once the contest has closed and the report is published. Confirmation of issue submission is usually through an email which will inform you whether your submission is valid or not. If you're unsure about the severity of your findings, note that CodeArena is considering adding the severity of bugs to the emails sent out after issue submission. \n\nYou can also view and edit your submissions for open contests on the site. If you submitted an issue as part of a team, please note that the exact process for team submissions has not been clarified yet, but you can direct message the sponsor team for additional context if needed. \n\nIf you have submitted a bug and are unsure about whether it should be one issue per report or if all bugs should be found before creating a final report, there is not strict guideline for this- use your best judgement.\n\nAfter submitting an issue, it might not be immediately visible in the Issues in the repo created for the audit, but once the contest ends, the findings are evaluated by our judges and the report becomes public. If your submission to a contest was not rewarded, you can review the discussion among sponsors and judges on the specific issue once the report is out and the repository is fully opened. This will help you understand why your bug was not accepted and improve future submissions. 
\n\nIf you disagree with a decision about a contest judgement, you can review issues at https://github.com/code-423n4/org/issues. You can add comments on existing issues, support existing suggestions, or open a new issue if your concern is not already addressed. \n\nIf you face any technical issues while submitting, such as if your gas report is larger than ~65k characters and can't be submitted through the form due to Github's max character limit for issue descriptions, you can email your submission to submissions@code423n4.com. \n\nLastly, you can check previous reports to see what a high-quality submission looks like. The results of submitted bugs to the contents in CodeArena are revealed once the report is made public.\n\nPlease remember that your contributions are valuable and we appreciate your efforts in helping companies ensure the quality of their smart contracts.", "Question: Why is the backstage feature currently disabled and what was the violation that caused this?\n\nAnswer: The backstage feature, which provides privileged access to resources such as the findings repo, was disabled due to an instance of misuse. The violation involved an individual sharing information about ongoing audit findings with others who did not have backstage access. This breach of trust resulted in a pause of all new applications for backstage access. At CodeArena, we take the integrity of our backstage access seriously, which was previously based on a trust model. It's important to note that backstage access isn't intended for wardens to dispute judges on their submissions but can be granted to access findings repo once a contest ends. \n\nThe process for granting backstage access is currently under revision, and future access might involve certain constraints or consequences to prevent such violations. As of now, we do not have a clear ETA for when backstage applications will resume. 
However, when we are ready, users can apply for the backstage role through a help desk request, provided all criteria are met. \n\nWe have received some requests for backstage access, and these are being reviewed. Notification will be provided once a request has been reviewed. For more information on the situation, please refer to the following link: https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490. \n\nWe appreciate your understanding as we work on improving this feature to better serve our community.", "Question: What is the current status and process of backstage access in CodeArena?\n\nAnswer: Backstage access in CodeArena is a privilege that allows certain users, known as \"backstage wardens\", to interact with judges to re-evaluate findings and provide comments on them. However, this feature was temporarily disabled due to an instance of abuse where a user shared information about ongoing judgements with unauthorized individuals. \n\nThe backstage access was previously based on a trust model but due to this incident, the process of granting access is undergoing changes with possible constraints or consequences for future violations. The exact nature of these changes is still under development. \n\nAs of now, applications for backstage access are paused and it's uncertain who committed the violation that led to its suspension. The backstage feature is not intended for wardens to dispute judges on their submissions, but rather to provide additional context on reported issues. \n\nAccess to certain resources, such as the findings page, seems to be restricted based on certain privileges like being a part of the \"backstage\" group. Backstage access is not granted for every contest and is broader than just where the wardens have submitted issues. \n\nCertification is a prerequisite to apply for backstage access, and once all criteria are met, you can raise a help desk request for the same. 
Once your request is reviewed, you will be notified of the decision. \n\nMore information about backstage access is available [here](https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490). Please note that this information is subject to change as the process is currently under review.", "Question: What is the level of access given to backstage wardens in contests and how can one become a backstage warden?\n\nAnswer: Backstage wardens at CodeArena are certified wardens with an established level of contribution. They do not have access to every contest finding but their access is broader than just where they have submitted issues. They get to observe the report submission and triage process and can view the findings repositories after a contest ends, assisting with post-contest processes. \n\nBackstage wardens can also participate in a post-judging QA period where they can comment on the judges' decisions. However, they do not have access to submissions before a contest ends, and access to findings for judging in progress is not permitted to be shared with others who do not have backstage access. \n\nTo become a backstage warden, the user needs to meet certain criteria such as having at least three medium findings and four total findings and participation in contests. Once the results are published to the leaderboard, they can apply for backstage access. There is also a certification process that involves Know Your Customer (KYC) and Non-Disclosure Agreement (NDA) procedures for security reasons. However, applications for backstage access are currently suspended until further notice.\n\nMore information on becoming a backstage warden can be found at the following link: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens", "Question: I have just submitted a help desk request but did not receive any notifications confirming it. 
Can I get updates here on Discord, or is there another way to track the status of my request?\n\nAnswer: When you submit a help desk request on CodeArena at https://code4rena.com/help, your submission is received and usually reviewed within 1-2 business days. While it has been observed that some users might not receive a notification via email confirming their submission, please be assured that your request has been received once you complete the submission process. If you do not hear back within a week, it is suggested to reach out to us again via our help desk or send us an email at submissions@code4rena.com. Although we understand your convenience to communicate via Discord, it is advised to track the status of your request and communicate further clarifications through our help desk. This way we ensure that all your concerns are addressed in a systematic and timely manner by our team.", "Question: How does backstage access work in Code4Arena and why was it disabled?\n\nAnswer: Backstage access is a privilege granted to certified users at Code4Arena, enabling them to interact closely with the judging process including the ability to speak with a judge and comment on a finding. Specifically, backstage access permits certain users to gain access to the findings repo when a contest ends. However, it's important to note that this access is not provided for every contest but applies more broadly where the wardens have submitted issues.\n\nThe process to acquire backstage access typically involves a trust model; users need to be certified, meet certain qualifications, and then request backstage access via a help desk request. More information on how to apply and the prerequisites can be found at [this link](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens#to-request-+backstage-access). \n\nHowever, it's worth noting that backstage access was temporarily disabled due to instances of privilege abuse. 
An individual shared information about findings for judging in progress with others who did not have backstage access, which was a violation of the confidentiality agreement associated with backstage privileges. Unfortunately, it was unclear who had committed this violation. While the backstage feature has been reopened for applications, it's still under review and the process of backstage access is also evolving. Future access may involve further constraints or consequences to prevent such incidents. Notifications will be provided once a request for backstage access has been reviewed. \n\nPlease note that without backstage access, users can still provide context on reported issues by sharing their reasons in the report itself. In the absence of backstage privileges, access to certain resources may be restricted. Users with inquiries about the backstage role, or any other roles, can reach out for assistance through the help desk.", "Question: I've recently submitted a help desk request but didn't receive any email notifications acknowledging my submission. How can I confirm that my request has been received and track its progress?\n\nAnswer: When you submit a help desk request at CodeArena, you should receive a confirmation of its receipt even if you may not receive an immediate email notification. Delays in receiving email confirmations can happen occasionally. However, if you haven't received any confirmation through email within a reasonable amount of time, you can submit another help desk request to check on the status of your previous submission. \n\nFor any unresolved issues or inquiries regarding your submission status, KYC confirmation, specific audit participation outside of the leaderboard showings, or issues during the analysis submission process, you can open a help desk request at https://code4rena.com/help. \n\nPlease be aware that it generally takes up to a week to receive a response to a help desk request. 
But don't worry, your submission will be reviewed and addressed in a timely manner. If needed, you can create another help desk request to follow up on the status of your previous one.\n\nRemember that submitting multiple help desk requests is completely fine, and they have been successfully fulfilled in the past. Please ensure that you provide all necessary details when creating a help desk request to expedite the resolution process. If you need to apply for a backstage role, or feel it's a security risk to have issue contents made public, or if you wish to be certified after a high finding, you can also contact us through the help desk form.", "Question: Could you provide more information about the backstage access feature, who may have abused it, and the implications of this abuse?\n\nAnswer: The backstage access is a feature available on our Discord channel which, when granted, allows users such as certified wardens to observe specific processes like report submissions or triage. However, the backstage privilege has been abused in the past, involving incidents where information about ongoing judgments was shared with unauthorized individuals. As a result, the backstage access feature has been temporarily disabled and its granting process is under review. The precise individual or individuals who committed this violation are currently unknown. \n\nBackstage access is not simply granted for every contest, but rather operates on a broader scope. It permits users to engage directly with judges to re-assess and comment on findings. Certified wardens with significant contributions were previously permitted backstage access to view submissions and provide factual comments at the pre-judging stage. Now, the practice has been discontinued. \n\nApplications for backstage access are currently on hold, but previously, users could apply for backstage access through a helpdesk request if they met certain prerequisites such as being certified. 
Whenever it reopens, wardens will have access to findings shortly after an audit, but this role demands compliance with certain protocols like Know Your Customer (KYC) and Non-Disclosure Agreements (NDA) for security purposes. \n\nEven though backstage access has been closed temporarily, backstage+ access has been reopened and previous applications are under review. Further information about backstage access can be found [here](https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490). \n\nThe system of granting backstage access is evolving, with future permissions potentially involving restrictions or consequences to prevent misuse. A decision regarding the revision of the backstage role will be made in accordance with a plan that's been formulated. For now, without backstage access, there is no other way for users to provide additional context on reported issues except within the report itself.", "Question: What is the backstage feature, how has it been abused, and what changes are being made in response to this abuse?\n\nAnswer: The backstage feature in CodeArena is a privilege that allows users to communicate with the judge for re-evaluating a finding or comment on it, especially during the post-judging stage. The feature is also used to query issues marked as invalid by monitoring the backstage channel for the concerned contest. Users can apply to be a backstage warden and share their reasons in the report for additional context on reported issues. \n\nHowever, there have been instances where this privilege was abused, such as sharing information about findings for judging in progress with those who did not have backstage access. Due to these violations, backstage access has been disabled and applications for new backstage wardens have been paused. \n\nPreviously, backstage access was based on trust, but following the abuse, the process is undergoing changes. 
While the changes are still in progress, future access may involve some constraints or consequences, and it might not be intended for wardens to dispute judges on their submissions. Despite the uncertainty about who committed the violation, the goal is not to punish but to identify the violator and address the issue.\n\nTo qualify for the backstage role, users are required to identify a certain number of findings in different areas or of different scores, including finding a high vulnerability. More details on this can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. Applications to backstage can be made through a help desk request once all criteria are met, and applicants will be notified upon review of their request. The status of the feature and applications will be updated as per a plan that's been made. \n\nThere has also been a concern about the need for an editing feature for submitted findings to unburden the team handling tickets, suggesting further potential improvements to the platform. Please note that the backstage feature is closed without exception until further notice.", "Question: What is the status and nature of backstage access at CodeArena?\n\nAnswer: Backstage access at CodeArena has traditionally been based on a trust model, granting users additional privileges such as communicating with judges to re-evaluate findings, and viewing and commenting on the submissions at the pre-judging stage. However, due to instances of this privilege being abused through unauthorized sharing of information about ongoing judgements, applications for backstage access have been paused. The backstage function is currently closed, and previously submitted applications are under review. \n\nWe are in the process of changing how backstage access is granted. 
The updated process may involve some additional constraints and prerequisites, such as certification and/or a certain number of findings in different areas or of different scores to qualify for the backstage role. The backstage access is not limited to every contest but extends to where the Wardens have submitted issues. \n\nThere is no current ETA for when the new backstage access process will be implemented or when applications will reopen. However, a plan is in place, and updates are anticipated in the near future. Notification will be provided once a request for backstage access has been reviewed. Information on how to request backstage access can be found [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens#to-request-+backstage-access). \n\nPlease note that this information may change, and the most recent updates can be found on our Discord server or website.", "Question: I've submitted findings to a contest but they didn't appear in the final report. How and when can I understand why they were not considered?\n\nAnswer: After submitting findings to a contest, they might not always make it to the final report. This could be due to various reasons such as the submission of issues after the contest end, or the specific contest terms and the judge's decision on certain high-risk findings. \n\nTo understand why your findings were not considered, you need to wait until the reports are published, which usually takes at least a month after the contest end. After the report is published and the relevant findings repository is made public, you can review the discussions among sponsors and judges on your specific issue. In some cases, you might not see your findings immediately submitted for the contest; this could be due to technical issues experienced on our platform.\n\nFor each contest, there's a section titled \"Known Findings\" on the Readme Page where automated findings not accepted in the contest are listed. 
You can compare your findings with the listed ones to get a better understanding. \n\nRemember, all findings remain private until the report is published. You can always edit your submitted findings under the \"Your Findings\" button on the contest page before the contest end. In case you face any issues while submitting or editing your findings, kindly reach out to our support team. \n\nPlease note, it's always beneficial to make a compelling case to the judge in the submission if you believe a high risk finding should be considered. And keep in mind that findings not submitted before the end of the contest will not be eligible. \n\nBy understanding why certain findings were rejected, this can help you to improve for future submissions. \n\nYou can access the submission form and the \"your findings\" button on our website [insert link to website]. If you have further queries, feel free to ask in our Discord chatroom.", "Question: How can I check the status of my findings that were submitted for a contest, and find out the reasons if they weren't included in the final report?\n\nAnswer: After a CodeArena (C4) contest concludes, the findings are reviewed, triaged, and await sponsor review and final judging before they are made public. If your findings were submitted but didn't make the award list, it's likely that they were rejected. \n\nTo review your submission, you'll need to wait until the final report is published, usually about a month after the contest ends. Once the report is published and the findings repo is made public, you can review your own findings and see the discussion among sponsors and judges about specific issues, including rejections.\n\nTo do this, open any C4 report in Github. Inside, you'll find a data folder where you can check your submission status. Keep in mind that the final report does not include wardens whose submissions were not accepted. 
\n\nIf you want to modify your findings, you can do so by going to the 'Your Findings' button on the contest page. Make sure your findings are submitted before the deadline as currently, findings cannot be seen after the contest finishes but before the results are published.\n\nRemember, findings remain private until the report is published. If you see 'No findings submitted for this contest' it may be due to an issue with the submission process. If you're experiencing issues with the submission process, please reach out to us for help. \n\nHere's the link to the reports on GitHub: [Insert Github link]\n\nPlease note that the process after a contest includes Sponsor Review, Judging, Awarding, and then Reporting. Each stage is crucial for maintaining the integrity and fairness of the process. Thank you for your patience and understanding.", "Question: How can I understand the validity of my findings and make necessary modifications, if any?\n\nAnswer: The validity of your findings in a contest is determined by a judge. Not all reports or findings are guaranteed a reward as they are graded and must meet quality standards to be considered valid and satisfactory. You'll receive feedback from the judge if your finding is marked as invalid. Some findings, such as the presence of \"Open Todos\" or the \"use of Block.timestamp\", although valid, are considered non-critical and hence, not rewarded.\n\nYou can view your submitted findings and make modifications through the \"Your Findings\" button on the contest page. However, please note that once submitted, findings may not be editable by the original author, although we are considering implementing this feature. 
\n\nIf you believe your valid findings have been classified as invalid, there is an appeal process in place, which is detailed in the fairness and validity section of our documentation [here](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision).\n\nPlease note, it is not necessary to confirm findings with the project's developers before submitting them, and discussing potential findings with a sponsor over Discord or other private messages doesn't invalidate the finding. \n\nAlso, findings submitted for contests may not always make it to the final report, and the reason might not be immediately apparent. To check, you'll have to wait until the reports are published, which usually takes at least a month. Your C4 profile findings can be updated for visibility even if the finding was deemed invalid. \n\nSubmissions that the user isn't sure of due to lack of specification in documents can also be submitted, or you can direct message the sponsor team for additional context. Remember, the submission of analysis along with findings is not mandatory.", "Question: What is the process and format for creating and submitting a Quality Assurance (QA) report in CodeArena?\n\nAnswer: Quality Assurance (QA) reports in CodeArena are a vital part of smart contract audits. You can create a QA report and edit it for more details. It is recommended to compile all findings into one report per contest, separating the Gas report from the QA report. You can access templates or guides for the formatting of these reports on the [CodeArena Github](https://github.com/code-423n4). \n\nWhen preparing your report, remember that the grading system for QA reports takes into account both the quality and quantity of your findings. Non-critical and low severity findings should be consolidated into a single QA report, while high severity issues require more comprehensive detail. Reports or Proof of Concepts (POCs) may also be linked for QA reports. 
\n\nOnce you've prepared your report, it can be submitted through the contest page under the \"My findings\" option. If you encounter an error during the submission process, you can check its status by checking for an email confirmation or viewing the findings through the \"View Context\" function. \n\nRemember, the grading and sharing system for QA/GAS reports is explained, with Grade A reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus. Examples of top QA/Gas report from each of these contests can be found at [Code4Arena](https://code4rena.com/reports). \n\nFeel free to ask for clarifications or further assistance in the chatroom, if needed.", "Question: What is the current status, process, and qualifications for applying for the backstage function at CodeArena? \n\nAnswer: The backstage function at CodeArena is currently closed. This decision was made due to instances of backstage privilege abuse, involving sharing information about findings for judging in progress with others who did not have backstage access. We are in the process of changing the backstage access process, with a plan in place, but no specific timeline for implementation has been released yet.\n\nIn the past, access to backstage was based on a trust model. However, the future process may involve some constraints or consequences to prevent misuse. Once the new process is established, you can apply for the backstage role through a help desk request. However, please note that all new applications for backstage access have been paused until further notice.\n\nTo qualify for the backstage role, you are required to have a certain number of findings in different areas or of different scores. Additionally, certification is a prerequisite to get backstage access. Detailed information regarding the backstage role, qualifications, and process can be found at [this link](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). 
\n\nOnce your backstage access request has been reviewed, you will be notified. Also, backstage access can grant you access to the findings repo when a contest ends. \n\nFor any assistance with backstage applications, you can approach the help desk. Stay tuned for updates on the reopening of backstage applications through our Discord channel [here](https://discord.com/channels/810916927919620096/810931711609143326/1082437741586960485).", "Question: What should I do if my submission exceeds the character limit or if I encounter an error while trying to submit my report?\n\nAnswer: If your submission exceeds the character limit, or if you're experiencing errors during submission, you have several options. First, you can attempt to edit your submission to fit within the character limit. You can do this by going to the contest page and viewing your own submissions. It's worth noting that you can only submit one QA issue, but there's no problem with editing an existing submission if you notice another error. \n\nIf your gas report is larger than ~65k characters, it won't be able to be submitted through the form due to Github's max character limit for issue descriptions. In such cases, you can submit a placeholder and send the larger report via email to submissions@code423n4.com. Alternatively, you can submit your QA reports via help tickets. \n\nHowever, please be aware that there may be intermittent issues with the submission process and potential limitations with the API. If you're still having trouble, you might want to try refreshing the page or changing browsers. If all else fails, you can forward your reports or requests to submissions@code423n4.com. \n\nAdditionally, you can edit your submissions until the contest close and any edits made will be tagged to track that it's been edited. 
For more details on how to go about this, you can visit: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form. \n\nRemember, there's no harm in asking for help if you're still having difficulties. We're here to assist, so don't hesitate to reach out if you need to!", "Question: How can I submit, modify, and ascertain the validity of my findings for a contest on CodeArena?\n\nAnswer: Once you have identified a finding for a contest, you can submit it through the form available on the contest page. If you have submitted a finding but wish to modify it, you can do so by navigating back to the contest page and clicking on the 'your findings' button. Please be aware that once a finding has been submitted, it will undergo a review process, and you may not immediately know the outcome. \n\nThe review process includes a judge who may provide feedback if a finding is marked as invalid. Please check the comments, as some judges do provide feedback while some may just close the issue. If cited from other contests, similar findings require justification of their severity and validity within your submission. It is not necessary to confirm your findings with the project's developers before submitting them; however, the warden has the final word on what is considered a valid finding. \n\nIf you have submitted a finding but are seeing 'No findings submitted for this contest', it may be due to a delay in the verification process. Please be patient as it may take some time for a submission to be confirmed via email. If the submission fails, the form should return an error. \n\nOnce the contest has concluded and reports are published (typically a month post-conclusion), you can check whether your submitted findings made it to the final report. 
If your finding is not included, it could mean that it was judged as invalid, was a duplicate of another finding, or that it didn't make it to the final report for other reasons. \n\nPlease remember the submission of analysis, along with findings, is not mandatory but can help bolster your claim. Lastly, if you have received a warning indicating the invalidation of your submission due to the use of certain tools, you can raise the issue with the contest admin for clarification. \n\nPlease refer to our [submission guidelines](http://www.codearena.com/guidelines) and [FAQs](http://www.codearena.com/FAQ) for further details.", "Question: How is the severity of a bug, specifically a medium severity bug, determined and categorized in the Code4rena platform?\n\nAnswer: In the Code4rena platform, the severity of a bug is determined based on the impact of the bug and is categorized as high, medium, low, or QA. Medium severity bugs typically have a lesser impact than high severity bugs and usually have specific preconditions such as high attack difficulty, specific market conditions, or user unawareness. For instance, if a bug affects an end-user in a rare situation, it can be considered a medium severity issue. Precision-loss issues can be submitted as medium issues as long as the resulting damage justifies it. \n\nWhen submitting a bug finding of medium severity, participants can include it alongside high and low severity issues in the same report, but the highest effort should be put into the high severity issues. Participants can also submit a bug finding in both medium and gas findings if it affects gas. \n\nHowever, when reporting a bug, it's essential to correctly assess its severity and provide evidence to support the claim. A good explanation of the finding is equally important. Judges may choose not to increase the bug's severity level if it's a duplicate or hasn't been well explained. 
If a participant can't provide a Proof of Concept (PoC) for a medium severity bug, it may cause their finding to be disregarded unless the bug is extremely obvious. Therefore, it's recommended to always write a PoC. \n\nIn cases where a bug can be exploited in multiple ways, all bugs should be reported but priority should be given to the one with the highest impact. Also, user error can affect the grading of bug reports. For instance, misclassifying a bug's severity won't result in a loss of reward, as even if a high severity bug turns out to be only medium, the reward for a medium bug is still received. \n\nFor more detailed information, please refer to the judging criteria guidelines on the Code4rena website: https://code4rena.com/judging-criteria/ and https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. For any specific queries, you can ask and get answers in the chat.", "Q: What counts as a valid finding in a CodeArena audit if the code is different from the project's documentation? How should such findings be categorized and reported?\n\nA: A valid finding, in this context, can include instances where assumptions are made in the code that are not explicitly mentioned in the README or code comments. It is important to note that not all differences between documentation and code are considered issues. For example, a mismatch between the documentation and the code can be categorized under Quality Assurance (QA) if there is no significant impact. \n\nWhen auditing, it's essential to distinguish between advice and a valid issue. An advice could be a suggestion for improvement, while an issue depicts a potential vulnerability or problem in the smart contract. Suggestions can be left in the non-critical findings section of the report. \n\nIf you encounter a finding that fits into multiple categories, such as mechanism and architecture, contact the sponsor team for further guidance. 
Remember that it's crucial to provide Proof of Concept (PoC) whenever possible, as bug reports without them may be disregarded unless the issue is extremely obvious.\n\nWhen submitting a finding, provide a thorough PoC by giving direct links to all referenced code in GitHub, adding screenshots, logs, or any other relevant proof. Be aware that just adding a link that points to the sponsor's GitHub repo code does not automatically pull in that code snippet to the report.\n\nIf you're unsure of a finding due to lack of specification in the documents, it's advised to submit these findings or directly message the sponsor team for additional context. Also, if the same vulnerability is found in different components, it might count as separate findings, but this is up to the judge's discretion.\n\nFor larger codebases, more time might be required for thorough reviews. Beginners may face issues in understanding certain code instances and they are advised to make one report and reference related issues in it. Further understanding of the codebase generally requires reading the documentation or having previous experience with similar code.\n\nFor reference, you can check the 'findings.csv' file in the CodeArena's website repository for information about issue finding and duplicate reports [Link](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv#L9336-L9434). Examples of past submissions can be found at https://code423n4.com/reports. \n\nLastly, if you're unsure why certain findings were not accepted, you can check the findings report repositories or raise a query about it. 
Information about what types of findings are no longer valid can be found in the conversations here [Link](https://github.com/code-423n4/org/issues?q=is%3Aissue+is%3Aopen+label%3Arules).", "Q: How can I submit, edit, and confirm the receipt of my QA report for a contest on CodeArena if it exceeds the character limit for regular submissions?\n\nA: If your QA report exceeds the character limit for regular submissions, don't worry, there are several ways to handle this situation. Firstly, you have the option to submit your report via a helpdesk ticket. You can also send an email to report@code4rena.com with your report if there are issues with the online submission. \n\nIf your QA/gas report doesn't fit in a single submit request, you can split it into separate sends. Ensure though that you only submit one combined gas report and one combined QA report for each contest, and ideally, group all your issues together. \n\nYou have the capability to edit your existing findings, even after submission. To do this, navigate to the contest page and select the \"Your Findings\" button. You can access this page here: https://code4rena.com/contests/2023-02-ethos-reserve-contest\n\nOnce your report is submitted, you will receive an email confirmation. If you have any difficulty or need to add an issue that was missed in your initial report, please fill out a help form available at https://code4rena.com/help for further assistance. \n\nAdditionally, you can check the status of your submission in the email confirmation that you receive. 
Remember, the confirmation email will not include the Ethereum address provided by you during the submission.\n\nFor more detailed instructions and guidelines, please refer to the following documentation: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form\n\nRest assured, we have a process in place for submitting help desk tickets, which includes confirming the receipt of your request.", "Q: How can I improve my warden skills and get immediate access to issues from other wardens after a contest has ended at CodeArena?\n\nA: To improve your skills as a warden, consider becoming a certified warden. Achieving the Certified+ status allows wardens to see other submissions immediately after contests end, thus accelerating their learning process. Wardens can apply for the certified warden role, which will give them access to findings shortly after contests end. The certification process and constraints can be found at [here](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints). \n\nAs a certified warden, you also get earlier access to the findings repositories, so you can assist with post-contest processes. This includes viewing reports from other wardens even after contests have ended. Furthermore, you can see the judging results before they are published and raise any issues to the judge for reconsideration during a post-judging QA period. \n\nBecoming a certified warden also opens up opportunities to participate in private contests and receive backstage access, which allows you to observe the report submission and triage process. To participate in private contests, you can check your acceptance as a warden on the CodeArena's platform and sign up to join a competition. 
Information about participating in private contests and earning backstage access can be found [here](https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0).\n\nPlease note, for each contest, a warden is asked to post the c4udit output in the contest channel within 48 hours of contest close. Any issues posted in the channel are considered known and are out of scope. \n\nFinally, getting your name on the leaderboard can enhance your ability to qualify for private contests, and findings reports become public once the final contest report is published. This will allow you further opportunity to learn from other wardens and improve your skills.", "Question: Can you guide me through the process of reporting a bug, understanding its severity level and what happens thereafter on the Code4rena platform?\n\nAnswer: Certainly. Once you've detected a bug on the Code4rena platform, you should submit your findings. Please make separate submissions depending on the type and severity of the bugs found. The severity of a bug is typically categorized as high, medium, low, or QA and there are specific criteria for each, which can be found here [https://docs.code4rena.com/awarding/judging-criteria/severity-categorization](https://docs.code4rena.com/awarding/judging-criteria/severity-categorization). \n\nYour submission should accurately identify the severity impact of the bug, provide evidence to support your assessment, and be written clearly and understandably. The value of the bug is partly based on correctly assessing its severity and presenting supporting evidence. \n\nEven if you misclassify a bug's severity in your submission, you will still receive a reward corresponding to the confirmed level. For instance, if a high severity bug turns out to be a medium, the reward for a medium bug will still be received. 
Judges may choose not to increase the level of severity of a bug if it is a duplicate of other bugs and has not been well explained or proven.\n\nAfter submission, the bugs you've reported will be evaluated and the results will be revealed once the report is made public. In the meantime, you can check previous reports to see what a high-quality submission looks like [https://code423n4.com/reports](https://code423n4.com/reports).\n\nIf you are unsure about the severity of a bug after reporting it, you may ask about it in the chat or through designated contact points. If there are changes to the severity of a reported bug after the contest ends, such changes can be passed on to the judge through the designated contact points.\n\nAwards for bug findings are calculated using a specific formula which can be found here: [https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). You are eligible for a certificate if you encounter at least one high severity bug and compete in at least three contests.", "Question: How is the severity of a bug or vulnerability determined and what impact does this have on the reward in the Code4rena contests?\n\nAnswer: The severity of a bug or vulnerability found in a smart contract during a Code4rena contest is determined based on the consequence and likelihood of the bug occurring, as well as the severity of loss caused by the issue. This includes considerations such as the potential for fund loss, the difficulty of the attack, specific market conditions, and user unawareness. For example, a high severity issue typically involves substantial fund loss or other serious consequences without the need for pre-conditions, while a medium severity issue usually has a lesser impact and specific preconditions, like high attack difficulty or specific market conditions. 
Precision-loss issues and front-running possibilities can also be classified as medium issues if the damage justifies it.\n\nThe classification of a bug's severity impacts the reward a participant receives. Even if a high severity bug is later classified as medium, the reward for a medium bug is still granted. The reward can be calculated using the formula provided in the Code4Arena documentation (https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). \n\nParticipants can submit both high and medium severity bugs in the same report, but the highest effort should be put into the high severity issues. If no medium or high vulnerabilities are found during a contest, the remaining funds are distributed based on the QA Report curve, an example of which can be found in this report (https://code4rena.com/reports/2021-11-fei).\n\nPlease keep in mind that the value of a bug is partly based on correctly assessing its severity and presenting evidence to support this. The guidelines for estimating risk can be found here (https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr). If you are unsure about the categorization of a finding, provide a detailed explanation and the issue can be evaluated accordingly.", "Question: How can I track, modify, and understand the validity of my findings submitted to CodeArena (C4)?\n\nAnswer: After submitting your findings to CodeArena (C4), you can track the status and modify your submissions by navigating to the contest page and clicking on the 'Your Findings' button. Here, you can view, edit, and update your findings as needed. If you want to understand the validity of your findings, you can check the comments for feedback from the judges. Some judges give feedback on whether a finding is valid or not, and may also provide reasons for the rejection of a finding. 
\n\nIf you receive an invalidation warning or if your valid finding has been classified as invalid, there is an appeal process available as detailed in this section of our documentation: https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision. \n\nIf you have reported an issue but are unsure about the severity, or if you struggle with classifying a finding between QA and Medium, it might be helpful to review similar findings from other contests to justify the severity and validity of your submissions. \n\nPlease note, not all findings are guaranteed a reward as they are graded based on quality standards. You can also expect a follow-up after submitting a finding. \n\nRegarding the submission of findings outside of the form on the website, currently we only accept findings through the official submission process. \n\nFor first-time users submitting a Quality Assurance report, if you receive an error, you can check if it has been successfully submitted by checking your email for confirmation or viewing the findings through the \"View Context\" function. \n\nRemember, your C4 profile findings can be updated for visibility even if the finding was deemed invalid. In fact, feedback from judges on the invalid findings can serve as a valuable learning experience. \n\nAlso, if you're interested in how gas findings are judged or whether it's worth showing significant improvements in important functions, you are encouraged to submit your questions or concerns for clarification. \n\nWhile the use of chatGPT tools is discouraged, if you receive a warning indicating the invalidation of your submission due to its use, it's best to reach out directly for a discussion on proving your innocence.", "Question: When and where can I access the reports for my submitted findings in a Code4Arena contest?\n\nAnswer: The reports for submitted findings in a Code4Arena contest get reviewed and triaged immediately after the contest ends. 
However, they will not be publicly available until they are published. The timing for publishing these reports can vary, based on the sponsor's review and final judging. Once the report goes live, you will be able to review your submissions and the findings repository will be made public. Please note that it's against Code4Arena's policy to discuss findings publicly until the report is published. You can access these reports on the Code4Arena website. If you want to get notified when a new report is published, you may have to look for ways within the platform. Keep in mind that even if you've submitted your findings, you cannot see the issues found until the report is live. The visibility of the reports from other wardens is also allowed even after the contests have ended.", "Q: I'm having trouble creating an issue on CodeArena, what steps can I take to troubleshoot this issue?\n\nA: If you are unable to create an issue, first ensure that the links to code fields are correct. If this doesn\u2019t help, you might want to back up your finding and clear localStorage, then start again with a fresh submission. If the problem persists with the 'Create Issue' button not responding without any console errors, try refreshing the page or changing your browser. It's also recommended to review your issues before reporting, which can be submitted in a specific format using a tool available at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers. \n\nAdditionally, if you are working as a team, be aware that the process for team submissions is not clearly defined and there may be technical issues like a blank page opening when selecting members. \n\nIf you're unsure about the severity of an issue you've found, or have concerns about inconsistency, process, or lack of clarity in rules, you can review and comment on existing issues or open new ones at https://github.com/code-423n4/org/issues. 
\n\nAfter submitting an issue through the form provided on the C4 website, your issue should automatically appear in the Issues in the repo created for the audit. However, there can be a delay in visibility due to GitHub issues. \n\nIf you continue to have issues or find discrepancies in the reports, please create a help desk request. Note that you will not receive mail notifications for updates on issues, so it's important to regularly check back. \n\nFinally, remember that there is no incentive for being the first to submit an issue. Take your time to ensure your issue is fully examined and reported accurately.", "Question: What should I do if I submit a high or medium severity finding that doesn't work as expected and I discover a different issue later? Can I modify the existing submission or should I withdraw it and create a new one?\n\nAnswer: If you submit a finding and later realize that it doesn't work as intended or find an entirely different issue, you have the option to either modify your submission or withdraw it and create a new one. You can modify or withdraw your findings via the \"your findings\" button on the contest page. If a finding is submitted as medium severity but judges believe it is high, the severity of the finding can be upgraded unless there is a good reason to penalize it, such as lack of detail or accuracy. Even if a high severity bug turns out to be only medium, the reward for a medium bug is still received. It's important to note that if a contest's bot report ranks an issue as low but a participant escalates it to high, the issue isn't automatically invalid. However, submissions based on automated tools must provide strong evidence to demonstrate a relevant high or medium severity exploit path to be considered satisfactory [Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). For severity classification, if all rewards can be lost, it's MED/HIGH. 
If there's risk of losing some rewards, it's probably Medium. If rewards are lost due to roundings, it's probably QA. If the principal can be stolen without needing extra requirements, then it's probably HIGH. It is also possible to submit a report without recommended mitigation steps, but an explanation as to why it cannot be feasibly mitigated should be included. There are no negative consequences for accidentally reporting something that turns out not to be an issue, although it is recommended to withdraw such reports to save the judges' time.", "Question: What steps can I take if I'm experiencing issues while creating a submission on the CodeArena platform?\n\nAnswer: \nFirstly, be aware that the browser you are using might impact the functionality of the platform. If you are experiencing trouble while creating a submission or finding the 'Create Issue' button unresponsive, try refreshing the page or switching your browser. While some users have reported issues with Firefox and Chrome, the Opera browser has been suggested as a more reliable alternative.\n\nIf you are experiencing issues while using the mobile version, please send your requests to submissions@code4rena.com. If your concerns are related to visibility issues of reported issues on the Issues page, this may be due to GitHub issues.\n\nIf you are still facing issues after trying the above solutions, please create a help desk request on https://code4rena.com/help outlining the issue you are experiencing. For issues relating to inconsistency, process or lack of clarity in rules, you are encouraged to visit https://github.com/code-423n4/org/issues where you can add fact-based comments, support suggestions, or open new issues.\n\nWhen creating submissions, keep in mind that you can make one report and reference the related issues in it. If you're finding it difficult to understand certain code instances, try referencing related issues in a single report. 
For team submissions, although there isn't a specific process outlined, it is possible to submit as a team.\n\nRemember, if you feel it's a security risk to make issue contents public, a help desk request can be submitted. For submitting issues in a specific format, you can use the tool available at https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers. Also, issues can be browsed at https://code4rena.com/reports, each issue here provides a link to the relevant Github issue.", "Question: What happens if two or more wardens submit the same vulnerability? How is the reward distributed?\n\nAnswer: If two or more wardens submit the same issue, the order of submission does not give any advantage or influence the award. However, the rewards are distributed differently based on the quality of the report and the number of wardens who found the same issue. \n\nThe reward for an issue found by multiple wardens is divided among them, with the judge picking the primary issue based on the quality of the write-up, not the order of submission. This encourages wardens to focus on high-quality submissions, covering the issue in as many aspects as possible. The inclusion of a Proof of Concept (PoC) could significantly influence the award amount. If wardens report the same vulnerability but with different severities, the same severity is given to all for award calculation. \n\nIf a large number of wardens find the same issue, the reward per warden decreases. This is supported by the incentive model and awards section of the Code4rena documentation. If the same vulnerability is reported by multiple wardens, duplicates below a certain threshold might not receive any money, with the best report typically receiving more. \n\nParticipants are also allowed to edit their submissions after sending them, and in case of any confusion or issues, they can seek clarification from other experienced wardens or staff. 
\n\nMore details on the incentive model, the submission policy, the judging process, and other related information can be found in the Code4rena documentation:\n- https://docs.code4rena.com/incentive-model-and-awards\n- https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues\n- https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit.\n", "Question: Can you guide me on how to edit or remove a finding submission I mistakenly submitted?\n\nAnswer: Yes, absolutely. You can edit or remove a submitted finding by navigating to the contest page and clicking on the 'Your Findings' button. If you realize a finding is a false positive after submission, you can retract it under this same tab. This is also where you're able to withdraw any findings if you want to cancel a submission and create another one. \n\nIf a mistake was made in which the findings were submitted to the wrong contest, you can resubmit them to the correct contest and fill out a form to inform the C4 staff about the incorrect submissions. The form is available at https://code4rena.com/help/.\n\nYou can also directly message the moderators to withdraw a submission if needed. If there's a need to edit a finding and you're having trouble, a helpdesk request can be made providing all the details and the updates needed before the contest ends. \n\nTo check your submission without modifying it, or to check the status of your report, you can look out for a confirmation email from CodeArena. There might be some delay in receiving the confirmation email, but if the submission fails, the form should return an error. \n\nHere's an example of where to find the \"Your Findings\" button on a contest page: https://code4rena.com/contests/2023-02-ethos-reserve-contest. Remember, each contest will have its own unique URL. 
\n\nPlease note that duplicate submissions could reduce the value of a finding if more of the same finding are submitted during the open submission period. Therefore, it's essential to ensure the accuracy of your submissions.", "Question: How can I obtain the Certified and Leaderboard roles within the CodeArena community?\n\nAnswer: To obtain the Certified role within the CodeArena community, you need to follow the certification process detailed on our website at: https://docs.code4rena.com/roles/certified-contributors. This process involves sending your identity for verification. Once approved, the Certified role will reflect on your profile within a few days. You can check your Certified status by clicking your name to see assigned roles or via email updates. This certification allows you to edit your user profile, participate in more contests, and apply for the Certified+ status if you wish.\n\nAs for the Leaderboard role, this is achieved by performing well in contests and placing on the leaderboard. Specifically, if you rank in the top 5 of a contest and are rewarded, your \"leaderboard\" tag should be updated in the roles. You can check this leaderboard at https://code423n4.com/leaderboard/. \n\nBeing Certified and on the Leaderboard enhances your eligibility to audit private contests and RSVP for certified jobs. If you're competing as a team, remember that all members need to be certified to receive the payout. Please note that improvements to the leaderboard are being considered, such as different timelines, addition of badges for achievements, and the introduction of leaderboard seasons.", "Question: What are the key factors that increase the quality and value of a report in a CodeArena competition?\n\nAnswer: The quality and value of a report in a CodeArena competition is influenced by several factors. \n\n1. Detailed Description: The judges prefer detailed reports over one-line summaries. 
A clear and comprehensive explanation of your findings adds value to your report. You can look at winning reports at https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues for more insight.\n\n2. Severity Assessment: Correctly assessing the severity of an issue and presenting solid evidence is crucial. Judges can elevate the severity of a QA issue if it's well-described.\n\n3. Language Quality: Improving the general level of English can increase the quality of C4 reports. A well-articulated report with proper grammar and syntax can make a significant difference.\n\n4. Gas Optimization: There are queries about how gas findings are judged. If a significant improvement is found in an important function, it's worthwhile to highlight it.\n\n5. Evidence and Proof of Concept: A vulnerability without a PoC can potentially be rewarded as high if the process is clearly described in bullet points. \n\n6. In-depth Analysis: For larger codebases, in-depth and thorough review might be necessary. It's better to take more time to prevent missing out on potential bugs.\n\n7. Format and Presentation: The readability and format of your code also matter. Make sure your code is formatted in a way that's easy to understand.\n\n8. Clear Classification: It's essential to clearly classify your findings between QA and Medium or other categories as this can affect the reward.\n\nRemember that the value of a bug is partly based on correctly assessing its severity and presenting evidence. And while the specific severity of an issue doesn't matter as much as a good explanation of the finding, you still need to make a strong case to escalate a known low from the automated findings to a high. 
It's also worth noting that the reward formula for findings of different severity and how the finding count value changes in the case of partial credit is a subject of interest.", "Question: How can I include images or screenshots in my report at CodeArena (C4) and what tools or methods can I use to improve my report presentation?\n\nAnswer: Yes, it is possible to include images in your report. Images can be beneficial when explaining a proof of concept or demonstrating an issue identified during the smart contract audit. You are allowed to embed images in the report using Markdown, a lightweight markup language for creating formatted text. Here's a guide on how to add images to Markdown: https://www.markdownguide.org/basic-syntax/#images-1. \n\nTo include an image in your report, you can upload that image on a platform like https://cloudinary.com/. After uploading it, copy the image URL and use it as a reference in your report. Alternatively, you can also upload the image to your Gist, submit the report with the Gist link, and later delete your Gist. \n\nRegarding the tools you can use to improve report presentation, Markdown and HackMD have been suggested in the chat. Visual Studio's preview tool may also help you in formatting your report. \n\nWhen adding code blocks in reports, use markdown to ensure it shows in the report. For larger reports, a method has been suggested to submit by email and then place a placeholder in the original submission. \n\nYour report should generally include the issue, description, proof of concept (where necessary), and mitigation (where necessary) in a semi-professional report format. If mitigations are involved, you can use markdown to write the code in the report. \n\nPlease note, issues with the Analysis Report preview displaying the embedded images have been reported but are being looked into. 
It would be best to cross-check the final report for any discrepancies.\n\nLastly, remember to compile all your QA findings into one combined report, even if they have no significant findings, to provide advice on things to take into account in the future of the project. You are allowed to edit the report for more details, making it easier for the client to review.", "Question: How can I locate a report of the findings from a contest I participated in, and when will it be available?\n\nAnswer: The CodeArena (C4) findings reports aren't immediately available after a contest ends. The reports remain private to allow sponsors sufficient time to mitigate any issues found during the contest. The platform doesn't specify when exactly a report will be published, but it usually takes at least a month. After a contest concludes, there's a certain unspecified period before the findings repository becomes publicly available for discussion. \n\nThe specific report you are looking for will be posted in the findings repository once it goes live. Until then, the findings - even those you've submitted - cannot be viewed. This includes the paraspace report and reports for other contests like JPEG'd and the Maia contest. Also, note that not all findings submitted for contests make it to the final report, and the reason might not be immediately known. \n\nYou can check the status of your report submission by waiting for the report to be published. Once it's live, you can view your submissions and those from other wardens, even after the contest has ended. If there's no table with results, visibility could be unclear. \n\nC4 has a policy of not discussing findings publicly until the report is released. As such, participants and users are advised to wait for the report to be published and the findings repo to be made public before discussing submissions. Until the report is live, specific findings should not be publicly discussed. 
\n\nIf you're interested in getting notified when a new report is published, currently our platform does not provide automatic notifications, but we are working on improving this aspect. \n\nPlease note that while waiting for a report to be published, the platform allows for no modifications to submitted findings. If you're facing particular issues, such as waiting for warden verification or sponsor's non-responsiveness, we advise patience and understanding as we navigate these processes. \n\nYou can find all published reports in our findings repository at [insert repository link here], which shows only unique findings. We appreciate your participation and patience in waiting for the report to be published.", "Question: How do I initiate the certification process and what does it entail at CodeArena?\n\nAnswer: To start the certification process, you can read the document at https://docs.code4rena.com/roles/certified-contributors which contains the necessary information about the certification. You can also initiate the process directly by applying through this link: https://code4rena.com/certified-contributor-application. The certification process involves sending your identity for verification and fulfilling some prerequisites. It can be started within 48 hours of the contest, and upon its completion, you may be eligible for an award. Users can also apply for Certified+ status if they have achieved high findings. The process for becoming a certified warden or a certified auditor is also defined in the document. To participate in private audits, certification is required. Once your certification is approved, usually a few days are required for the role to reflect on your profile. You will receive an email when the certification has been finalized. You can check your certification status by clicking your name to see assigned roles. 
Please note the certification process is subject to the approval of Provenance and any issues with the process have been fixed.", "Q: I see only contest numbers in the leaderboard file. How can I determine what number corresponds to each contest and track my progress?\n\nA: The leaderboard file indeed only contains contest numbers and not the corresponding contest names. To find out what number corresponds to which contest, you can refer to the \"_data/contests/contests.csv\" file. To track your progress, look at your report status and edit your findings in the \"findings\" tab next to the contest description. Participants can also name their findings with a number to help judges. \n\nAfter each contest ends, the leaderboard gets updated and you can view the number of overall issues you reported at [Code4Rena Leaderboard](https://code4rena.com/leaderboard). You can see the results from the first two contests on the leaderboard, and all findings are posted in the section where Contests are posted. \n\nHowever, please note that not all contest types are currently supported on the leaderboard, as we are still working on adding certain features and contests. Changes and requests can be made through the help desk at [Code4Rena Help](https://code4rena.com/help). \n\nIf you finish in the top 5 in the contests, you will receive the \"leaderboard\" tag in your profile. Contestants with high ranks have the opportunity to audit private contests after certification. The leaderboard is updated every time awards are announced, and the number of participants in a contest is disclosed only after the contest ends. The progression of the contest can be tracked in the \"Past Contest Status Updates\".\n\nBear in mind that the leaderboard might not accurately reflect all your achievements, as contest results might not be counted for the full duration. 
Rest assured, we are continuously working on improving this system.", "Question: What is the procedure to ask questions, verify compliance with community rules, and submit relevant content or issues on CodeArena?\n\nAnswer: CodeArena encourages open communication and collaboration. If you have any questions or concerns, including whether the content you wish to share is in line with the community rules, you can follow these steps:\n\n1. Check the Submission Policy: It's advisable to familiarize yourself with our submission policy at https://docs.code4rena.com/roles/wardens/submission-policy before making any submissions. This will provide specific guidelines on what is acceptable.\n\n2. Use the Forum: If you have a question, it is best to ask it directly on the forum post itself. This is because chat can be ephemeral and questions asked on forum posts are more easily trackable.\n\n3. Become a Certified Contributor: You can sign up as a certified contributor with multiple accounts, but remember to participate only with one.\n\n4. Contact the Judges: If you're unsure about the submission rules or the validity of your finding, you can privately ask the judges. They can provide guidance on more fragile aspects of the system.\n\n5. Reach out to Sponsors: For specific questions about the contest scope or if you think you've found a vulnerability, you can reach out to the respective sponsor. However, any issues found should also be submitted via the contest submission form to be eligible for awards.\n\n6. Submit Questions for Community Call: You can also submit questions for the recorded community call.\n\n7. 
Use the Correct Channels: If you have concerns regarding spamming, potential anonymity, the severity of issues, or reporting a vulnerability reported by multiple people, these can also be submitted for the judge or admin's review.\n\nRemember, engaging in constructive discussions and problem-solving is highly encouraged, but there are certain restrictions on commenting on issues outside the Q/A. Always ensure your actions align with the community rules and ethical guidelines.", "Question: What are the requirements to participate in a PolynomialFi contest or other private contests at Code4rena, and can I join if I am part of a team that includes a certified warden?\n\nAnswer: In order to participate in a PolynomialFi contest or other private contests at Code4rena, each individual, including those forming part of a team, needs to be a certified warden. To become a certified warden, you need to compete in audit contests and you may have to participate in a certain number of contests and have a certain number of valid findings or reports. Getting on the leaderboard can enhance your ability to qualify for private contests. Certified wardens are eligible to access private contests and may also be eligible to take up a judge role. Certain contests are exclusively open to certified wardens, such as Versus contests and mitigation-review contests. \n\nHowever, being a certified warden may not be the only requirement for some contests, and there might be other conditions to meet depending on the contest. For example, for certain opportunities, you may need to complete KYC to access private contests. 
Additionally, some contests like private audit contests are not strictly open to only top-ranking wardens, so the specific eligibility criteria for each opportunity should be checked in #\ud83d\udd96rsvp-certified.\n\nTo become a certified warden, you can refer to the certification process and constraints at [https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints). For detailed information on how to register a team, you can visit [https://docs.code4rena.com/roles/wardens#registering-a-team](https://docs.code4rena.com/roles/wardens#registering-a-team). \n\nFinally, if you've been absent from C4 for a while and wish to compete in an audit, you can log back into your account to do so. Remember that the higher certification level, Certified Plus Warden, has additional entry requirements but also grants earlier access to the findings repositories which can assist with post-contest processes.", "Question: How should multiple instances of a medium vulnerability be reported in CodeArena? \n\nAnswer: Multiple instances of the same vulnerability should be reported as one issue. However, if the same vulnerability is found in different components of the codebase, it might be treated as separate findings, although this is at the judge's discretion to determine if they're duplicates. If a single line of code has multiple ways of exploitation, all bugs should be reported but priority should be given to the one with the most significant impact. \n\nIn the case of two separate vulnerabilities that can be combined to create a more potent one, you can submit a third finding explaining the proof of concept. You can include both high severity and medium/low severity issues in the same report, but you should focus most on the high severity issues. \n\nIf the same type of issue is found more than once, they should be reported together. 
For gas and low/quality assurance, you can report one issue and include all instances; however, for medium and high risks, each finding is required to be reported individually. \n\nIt's important to note that when multiple participants report the same vulnerability but with different severities, they are given the same severity for award calculation. If you're unsure whether findings should be submitted as separate issues or as one, it's unclear which way to lean. \n\nDuplicate submissions of the same vulnerability are subject to some sybil resistance, with each instance being awarded a share of one point depending on the number of duplicates. If a vulnerability is hard to fix without significant changes to the protocol, it can still be reported. Recommendations are appreciated but are not mandatory. \n\nFor more clarity on how to handle the same vulnerabilities on separate functions and the complete discussion, you can refer to: https://github.com/code-423n4/org/issues/8 \n\nRemember, the most effective reports focus on a specific attack or issue, feature the project's code, have a simple to understand Proof of Concept or specific example and include a coded test that demonstrates the vulnerability.", "Question: How can I add screenshots or images to my report submissions on Code4rena, and can I edit those submissions if necessary?\n\nAnswer: Yes, you can add screenshots or images to your report submissions on Code4rena, and you are also allowed to edit your submissions. To add images, you have two main options. First, you can upload the image to your Gist, submit the report with the gist link, and later delete your gist. Alternatively, you can register a free account on https://cloudinary.com/, upload the image and copy the image URL. If you're using images to illustrate a proof of concept, you can add these images directly in the Proof of Concept section when submitting a finding by providing direct links to all referenced code in GitHub. 
\n\nRemember that the report is done in markdown, so you can add images directly into the markdown, and the final report will be compiled with the image(s) if accepted. For more on adding images to markdown, visit: https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images. \n\nAs for editing submitted reports, you are allowed to do so on the Code4rena platform, particularly if you need to submit additional findings after an initial low-risk finding was submitted. You can also update your submissions by direct messaging certain identified individuals. Please note that a new submission mechanism is slated for implementation in upcoming contests that might further streamline this process.", "Question: I've submitted a finding for a CodeArena audit contest but haven't received a confirmation email. What should I do?\n\nAnswer: After you submit a finding for an audit contest, you should typically receive a confirmation email, which serves as your only proof of submission. However, if you do not receive this email, it doesn't necessarily mean your submission has failed. It may take some time for a submission to be confirmed via email, and if your submission fails, the form should return an error. \n\nIf you still haven't received a confirmation email after a reasonable amount of time, you can open a help desk request at https://code4rena.com/help/ for further assistance. Please note, it's crucial to submit your findings to the correct contest. In case you accidentally submit findings to the wrong contest, you should re-submit them to the correct contest and fill out a form to let CodeArena staff know about the incorrect submissions.\n\nPlease be aware that not all findings from contests make it to the final report. If your findings are not accepted, they won't be included in the final report. 
It's also important to note that the review of findings occurs at the end of the audit period and you can edit your findings until the contest closes. To edit a submitted finding, you can visit the contest page on our website. \n\nLastly, you can view your submissions and check the status under the \"Findings\" tab on the related CodeArena Contest page. For more information regarding submission policies and guidelines, please visit: https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines.", "Question: How are smart contract audit reports submitted, sorted, and accessed on the Code4Arena website?\n\nAnswer: Audit reports on the Code4Arena website are submitted by registered teams participating in the contests. After submission, these reports go through an initial sorting process before publication to ensure a better experience for the sponsors. Once this process is complete, the reports are published on the Code4Arena site and are primarily sorted by their publication date. However, finer sort/filter options are currently under development.\n\nThe results of each contest, inclusive of both findings and awards, can be accessed at [Code4Arena Reports](https://code4rena.com/reports). This page lists all reports, both from public and private contests. High-quality and high-quantity findings tend to score better in competitions, as evidenced in the winning reports - an example of which can be viewed [here](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues).\n\nFor beginners, it's recommended to start by reviewing reports from smaller bounty contests due to their less complex codebase sizes. Any queries or issues regarding the reports can be addressed to the CodeArena help desk at [Code4Arena Help](https://code4rena.com/help).\n\nPlease note that all findings are kept private until the final report is published, to allow sponsors adequate time to act on the feedback. 
After each contest, the leaderboard gets updated, and users can see the number of overall issues they reported at [Code4Arena Leaderboard](https://code4rena.com/leaderboard). All this information can also be found in the findings.csv file in CodeArena's website repository.", "Question: What is the process and timeline for becoming a certified warden at CodeArena?\n\nAnswer: The process of becoming a certified warden at CodeArena involves submitting an application on our site at https://code4rena.com/certified-contributor-application/. After submitting the application, the estimated response time is approximately 2 business days. Once the application is approved, you will undergo the KYC (Know Your Customer) process, which is handled by Provenance. It may take 2-3 weeks to receive the KYC email, which will be sent from compliance@provenance.company, and it could appear in your spam folder, so please check it regularly. After the KYC process, wardens are typically certified within 2 weeks. Please note that there may be requirements to participate in a certain number of contests and have a certain number of valid findings or reports to be a certified warden. More detailed information about the certification process can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. Certified wardens get earlier access to the findings repositories, which can accelerate their learning process and assist with post-contest processes.", "Question: Why does my CPU usage spike to over 90% when I open the CodeArena landing page on Chrome, but not on Firefox or Brave?\n\nAnswer: Based on user observations, it appears there is an issue specific to the Chrome browser that causes high CPU usage when the CodeArena landing page is accessed. This issue doesn't seem to occur on Firefox or Brave. 
The exact cause of this problem is not yet clear but it may be related to how the website and the Chrome browser interact with each other, or how the browser handles the website's content, such as JavaScript or multimedia elements.\n\nWhile our developers are investigating this issue, you might want to try a few troubleshooting steps. Clearing your browser cache, disabling unnecessary Chrome extensions, or updating your browser to the latest version might help resolve the issue. However, it's important to note that these are just potential solutions and may not work for everyone.\n\nIf you're experiencing difficulties with other functionality on the site, such as logging in, submitting reports, or accessing certain resources, consider changing your browser or refreshing the page. If these issues persist, you can submit a help request at Code4rena.com/help.\n\nRemember, some users have reported difficulties with submitting findings through Firefox and Chrome due to an error related to the permalink. Similarly, mobile users may face challenges performing tasks such as viewing the console. Additionally, certain resources, like the findings page, may be accessible based on your user privileges.\n\nLastly, please be aware that your requests can sometimes be intercepted by Cloudflare, which could result in errors. If you're experiencing such issues, please report them through our help page so we can further investigate. We appreciate your patience and cooperation as we work to resolve these issues.", "Q: How can I improve my submissions for future contests, view my past submissions, and understand the judging process at CodeArena?\n\nA: You can take various steps to improve your submissions and gain insights into the judging process. Firstly, you can view your past submissions and compare them with those chosen for the Gas Optimization Report. To do so, click on the name of the report and look at the corresponding GitHub issue. 
You can also search for your report and others using the GAS tag in the issues. \n\nYou can enhance your learning by examining the reports and discussions available once a contest finishes. The reports are reviewed and triaged by judges, await sponsor review, final judging, and Quality Assurance before being made public. It is at this point that you can review your submissions, understand why some of them were not accepted, and learn from the ones that were accepted. \n\nMoreover, the quality of your submission is critical when distributing bonuses. High-quality and high-quantity findings generally score better. You can view winning reports for more insights [here](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues).\n\nAfter submitting a bug for a contest, you can view or edit your own submissions on the site for open contests. To edit your findings, go to the contest page, click on \"Your Findings\", and make necessary adjustments. \n\nIt's important to check the rules of submission for each contest. If your submissions are not rewarded, there will be a process to review why they were not accepted once the report is out and the repo is fully opened. This gives you a chance to see the discussion among sponsors and judges on the specific issue.\n\nRemember, having a Certified+ status allows you to see other submissions immediately after contests end, speeding up your learning process. Also, your participation in contests is an excellent way to hone your skills. \n\nYou can track your report status and see and edit your findings in the \"findings\" tab next to the contest description. Additionally, you can confirm your submission by looking out for an email and checking the ability to edit submitted findings. \n\nFinally, if you submitted issues for a contest but did not make the award list, it is likely that your issues were rejected. You can confirm this by reviewing the available report. 
In the meantime, you can check previous reports to learn what a high-quality submission looks like.", "Question: What approach should I take as a beginner to get started with CodeArena - participating in competitions directly, completing Capture the Flags (CTFs) and audit reports, or focusing on other areas like traditional hacking and web2 security?\n\nAnswer: The choice to participate in competitions, complete CTFs, or audit reports ultimately depends on your individual preferences and areas of interest. However, as a beginner, participating in competitions is a great way to gain a better understanding of audit reports and to practice spotting vulnerabilities in code. If you're finding it hard to catch vulnerabilities, strengthening your solidity fundamentals, developer experience, and auditing skills may help. This can be done by reading old reports, auditing codebases, and persisting in your efforts. You can find example reports at: https://chainsecurity.com/audits/. \n\nBesides, you might consider joining a team to participate in the audits, which will allow you to learn in a collaborative environment. If you want to take part in private competitive audits or become a certified warden, competing in the audit contests is part of the criteria. High-quality and high-quantity findings tend to score better in CodeArena competitions. For more insights, you can compare your findings with winning reports found at https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues. \n\nMoreover, if you're interested in contributing to the project, you might want to consider becoming an auditor. This can be achieved through reverse engineering and reading old audit reports among other methods. If you are curious about the use of specific tools like Echidna for auditing in contests, feel free to ask in our community. Always remember, there\u2019s no reward for submitting findings first, but it\u2019s important to submit before the audit closes. 
\n\nLastly, if you're looking for information on the timing of the next audit event or contest, please stay tuned to our communication channels for updates. Currently, there are no upcoming competitions, but discussions are ongoing for potential audits. If you're interested in running an audit contest for your company, you can get in touch with our team for further guidance. \n\nGetting started with CodeArena, learning about C4 auditing, or starting a contest can be done via our #\ud83c\udfebeducation channel on Discord.", "Q: What is the timeline and process once I submit my findings to CodeArena?\n\nA: After you submit your findings to CodeArena, there are several steps before you receive feedback. Here's a general timeline, but please note that the exact timing can vary based on the contest and the number of reports under review:\n\n1. **Submission Confirmation**: You should receive an email confirmation of your submission within a few minutes. If your submission fails, the form will return an error message. If you don't receive an email confirmation, please double check your spam folder or contact our help desk.\n\n2. **Review Process**: The review process typically starts within a week of your submission. Our team at Provenance takes about a week to respond, and the full review process for reports can take between 3 to 6 weeks or even longer. This timeframe can vary depending on the complexity of the code, the number of submissions, and the specific contest rules.\n\n3. **Feedback and Results**: Feedback for submitted issues typically comes within a couple of months, once the contest has closed and the report is published. The results of your submission can be viewed once the report is published. \n\n4. **Reward Distribution**: After the competition, there may be a delay in the distribution of rewards. This is typically within two months after the end of the competition. 
Please note this is a worst-case scenario and we strive to reduce turnaround times.\n\nAlso, please note that queries regarding the submission rules, how to submit additional findings, or how to check the status of your submission can be directed to our help desk. We typically respond to help desk requests within 1-2 business days.", "Q: What happens if no high or medium-risk issues are found in a CodeArena contest and has this ever occurred?\n\nA: Yes, although it's rare, there have been occasions where no high or medium-risk issues have been identified during a CodeArena contest. Most notably, this happened during the JPYC Contest, which didn't reveal any high or medium-risk findings due to the simplicity of the codebase being a fork of an already mature project.\n\nWhen no high or medium-risk vulnerabilities are found, remaining funds from the contest are divided based on the QA Report curve, ensuring that the reward pot is still distributed despite the lack of major findings. An example of how this works can be found at: https://docs.code4rena.com/awarding/incentive-model-and-awards.\n\nWhile it's uncommon, there have been instances, like the contest detailed at https://code4rena.com/reports/2021-11-fei, where only low vulnerabilities have been identified. Also, there have been no known cases where a contest has run with zero valid submissions.\n\nIn general, high-quality and high-quantity findings tend to score better in CodeArena competitions. 
Contest participants are encouraged to compare their findings with winning reports to get an idea of what is expected, as seen in the following report: https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues.\n\nDespite the rare occasions of such outcomes, it's important to note that no code is perfect, and it's highly unlikely for a contest to have no high or medium issues discovered.", "Question: How can I modify team details such as team name, addition or removal of members, and logo on CodeArena?\n\nAnswer: Modifying team details on CodeArena, like changing the team name or logo, adding or removing team members, requires different processes. \n\nTo change the team name, you'd need to create an entirely new team. Unfortunately, this means your new team will not retain any previous leaderboard positioning. You can create a new team at code4arena.com/register-team. \n\nIf you want to change your team logo, you can do so by submitting a help desk request with a link to the new logo at https://code4arena.com/help. \n\nFor changes such as the addition or removal of team members, these can be managed by submitting a request through the help desk. Please note, some users have reported challenges when managing the same team name but with different team members working on different contests at the same time or at different times. \n\nIn addition, an individual's name can appear twice on the leaderboard, once individually and once as part of their team. Finally, to update team information, a PR needs to be created. \n\nPlease note, if you're facing technical issues like a blank page when selecting team members, trying again on a different day may resolve the issue. 
If not, please reach out to our help desk at https://code4arena.com/help for further assistance.", "Question: What happens to the contest rewards at CodeArena if no medium or high-risk vulnerabilities are found in the smart contracts audited?\n\nAnswer: If no medium or high vulnerabilities are found during a contest at CodeArena, the remaining prize pool is redistributed based on the Quality Assurance (QA) Report curve. This is a rare scenario, as most contests usually uncover at least medium vulnerabilities. For instance, you can find an example of a contest where only low vulnerabilities were discovered [here](https://code4rena.com/reports/2021-11-fei). \n\nThe QA report is a critical component in judging a contest, and it includes findings categorized as low risk or non-critical. In some cases, if a participant submits a finding as low-risk (QA category) but the judges deem it medium, the finding becomes eligible for medium rewards. This decision is as per Code4Rena's guidelines, which you can view [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nHowever, it's important to note that judges consider both the quantity and quality of submissions when grading QA reports, and a single item in a QA submission is unlikely to receive a high grade. You can find more details [here](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). \n\nWhile the classification of findings (High, Medium, or QA) is typically based on the severity of loss caused by the issue, the final decision lies with the judges. They can downgrade medium issues to QA or upgrade items from the QA report if they feel the severity should be higher. 
All of these factors are taken into consideration when distributing rewards in the event that no medium or high-risk issues are found during a contest.", "Question: Given that I have a 9-year-old i3 with 2 cores, should I upgrade it for better performance in tasks such as smart contract auditing or building contests?\n\nAnswer: While an upgrade to a newer PC, such as Ryzen 5700g or 7600x, might speed up tasks, the necessity of an upgrade is largely dependent on the specific tasks you are planning to undertake. For example, the minimum PC requirements for auditing DeFi protocols are relatively low, and even a 10-year-old PC should be capable of handling the task. However, more complex tasks such as fuzzing can benefit significantly from a faster computer. Therefore, you need to take into account the specific demands of the tasks you are undertaking and the level of patience you have for slower processing speeds. If you are an undergraduate IT student considering whether to focus primarily on smart contract auditing, the use of older PCs might be acceptable for a side project. However, if you're planning to participate in building contests or handle large codebases, you might need more time for a thorough review with an older PC, and an upgrade could be beneficial to improve efficiency. Keep in mind, any hardware issues such as with the power supply unit (PSU) or motherboard power module could also affect your PC's performance.", "Question: What are the hardware requirements and best practices for starting with smart contract auditing for DeFi protocols?\n\nAnswer: The hardware requirements for auditing DeFi protocols are relatively low. If your PC can run Discord, it should be more than capable of handling the task, with even a 10-year-old PC expected to do the job. However, if you are planning on performing fuzzing, a faster PC could prove beneficial as it would simply speed up the process, but it isn't necessary. 
\n\nAs a beginner in smart contract auditing, you can seek help on the platform and start learning from resources such as [How to Become a Smart Contract Auditor](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and [Tools and Resources](https://docs.code4rena.com/roles/wardens/tools-and-resources).\n\nIn terms of practices, creating a Proof of Concept (PoC) is highly recommended for smart contract audits. You might also want to become familiar with tools that can aid in your audits, like fuzzing tools and others like Hardhat, Truffle, and Foundry. Further, if you're interested in exploring other platforms for audits, Sherlock is an option, but note it requires a high level of competence in the field. \n\nOne thing to remember is that the importance of mathematics for auditing depends on the smart contract project being audited\u2014some require basic math while others may require advanced financial mathematics. \n\nYou can also participate as a team in auditing contests, using a single wallet for registration. If you're looking to expand your knowledge, consider delving into reverse engineering and reading old audit reports, like the ones available at [ChainSecurity](https://chainsecurity.com/audits/). \n\nLastly, it's worth noting that auditing is possible without focusing on the frontend of the blockchain and that it doesn't depend on the type of laptop or PC you have. Whether you're an IT student considering focusing on smart contract auditing or someone curious about taking it up as a career, auditing is a valuable and rewarding skill to learn and apply.", "Question: Can I build and participate in zksync era contests on CodeArena utilizing an older PC, and what challenges might I face?\n\nAnswer: Yes, you can participate in zksync era contests such as the GoGoPool or zk contest using an older PC. CodeArena contests involve auditing DeFi protocols and smart contracts which generally have relatively low PC requirements. 
A decade-old PC should suffice for most tasks involved in these contests. However, there are some challenges you might face due to the slower performance of older PCs. \n\nCertain tasks, such as fuzzing for instance, could benefit from a faster PC due to the intensive processing demands. Fuzzing tools like Echidna are commonly used for auditing in contests. If you're running the contest software on Windows, you might need to employ workarounds like using VirtualBox with Ubuntu for smoother operation as suggested in our chat discussions.\n\nFurthermore, while building for contests, you might face difficulties following provided instructions, or have queries regarding specific aspects like gas optimization issues, contest status, contest scope or using a testnet fork for proof of concepts. In such cases, you can seek help in our open discussions on the Discord chatroom or directly ask questions related to ongoing contests like the Spartan Protocol contest. \n\nRemember, regardless of your equipment, patience will be key due to the slower operational speeds. Also, note that both individual developers and teams can participate in our contests. For teams, a single wallet is used during registration. Refer to this link for more details: https://code4rena.com/contests/2023-08-arbitrum-foundation#top.", "Question: What are the computer requirements for smart contract auditing and are there any resources available to learn about this?\n\nAnswer: The computer requirements for auditing smart contracts, including DeFi protocols, are relatively minimal. Even a computer that's a decade old should be able to handle the task. However, specific tasks like fuzzing, which is a software testing technique often used in smart contract auditing, can benefit from a faster computer. There's no need for a particular type or model of computer for this process. \n\nIf you're new to smart contract auditing, you'll find several resources available to help you learn. 
CodeArena provides resources for beginners, such as this guide on [how to become a smart contract auditor](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and this list of [tools and resources](https://docs.code4rena.com/roles/wardens/tools-and-resources). Our Discord channel (#\ud83c\udfebeducation channel) is also a good place to start. \n\nOther websites like [Immunefi](https://immunefi.com/), [Spearbit](https://spearbit.com/), and [Hats.finance](https://hats.finance/) offer rewards for auditing smart contracts. Sherlock is another platform for auditing but requires a high degree of competence. \n\nFor further learning and exploring, there are discussions on the application of machine learning and graph neural networks for smart contract auditing in our community. Additionally, users interested in contributing to the project are advised to consider becoming auditors, learning through reverse engineering, reading old audit reports etc. Here's an example set of [reports](https://chainsecurity.com/audits/). \n\nKeep in mind that auditing is not only limited to smart contracts. Auditing security without focusing on the frontend of the blockchain is also possible. Furthermore, there's potential for CodeArena to expand into other areas of auditing in the crypto space, like website and infrastructure pentesting.", "Question: What does the certification process entail and when should I start it in relation to a contest?\n\nAnswer: The certification process at CodeArena can be started within 48 hours of the contest. However, please note that the process of approving a team for contest participation can take several business days. Certain contests allow participation without certification, but if you wish to be eligible for payouts if your submissions are awarded, you need to be certified. After certification, you can participate in any contest including certified contests. 
\n\nTo participate in private contests after certification, RSVP in the rsvp-certified channel and ensure a high position on the leaderboards from the last 90 days. A certified status not only grants you access to more contests but also accelerates your learning process as Certified+ wardens get earlier access to the findings repositories to assist with post-contest processes. However, being certified does not automatically grant backstage access to the previously participated contest in progress judging repository.\n\nLastly, participants need to complete certification within 30 days of the end of the audit to receive their payout. Be aware of a 48-hour deadline for response after providing all documents for KYC to provenance for getting certified. \n\nFor more details on the certification process and its benefits, refer to this forum post: [https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123).", "Question: How does Foundry impact PC requirements for smart contract auditing, and what are some key features and issues associated with its usage?\n\nAnswer: Foundry, an application used for smart contract auditing, can benefit from a faster computer as it tries combinations more quickly than on a slower processor. Foundry is a framework used to write tests and offers tools to assist in checking elements such as storage. It can also be used for testing scenarios in a local environment, providing an alternative to public testnet. \n\nInstalling Foundry can be done with Docker, although some users have reported issues. You can also install it using 'npm install foundry'. There have been opcode support issues reported with Foundry. If a project uses Brownie for testing, it can still be written in Foundry. 
\n\nFoundry can be utilized in a project that employs Hardhat too, and a base template for this can be found at https://github.com/foundry-rs/hardhat-foundry-template. It is also worth noting that Hardhat can be an alternative to Foundry for testing.\n\nIt also offers specific benefits like forking data from a live network such as a main or test net. Once forked, it runs locally, avoiding the need to grab testnet tokens for transactions or wait time on blocks. However, some users have trouble executing Foundry fork testing in the Polygon POS network.\n\nRegarding gas cost, Foundry's gas cost is measured in units of gas. There are also features for transaction prioritization where transactions can be run by calling functions in a desired order.\n\nHowever, for users looking to learn more about the Foundry framework, some useful resources include https://www.youtube.com/watch?v=Rp_V7bYiTCM and https://www.youtube.com/watch?v=EHrvD5c93JU. \n\nIn terms of PC requirements, auditing DeFi protocols are relatively low and even a 10-year-old PC should be capable of handling the task. However, tasks such as fuzzing can benefit from a faster computer. Note that some users have debated about the benefits and drawbacks of using older PCs for building contests, citing slower processing speeds as a potential challenge.", "Question: How can I edit, update, or withdraw my submitted findings on Code4Arena?\n\nAnswer: To edit, update, or withdraw your findings after submission, you need to navigate to the contest page on the Code4Arena website. There you will find a \"Your Findings\" button. This button allows you to change your findings, submit additional findings, update the format of your findings, and withdraw your findings if you decide to cancel your submission. You can also monitor the status of your submissions and receive feedback on your findings through this page. For example, you can check your submission's success by looking out for an email. 
The \"Your Findings\" button is only active while the audit is open. Here is an example contest page: https://code4rena.com/contests/2023-02-ethos-reserve-contest. It's important to note that there has been some discussion about potential changes to this feature, so if you're unable to edit your submission, stay tuned to the relevant chat channels for updates from the dev team.", "Question: How are the rewards distributed in a CodeArena contest, especially when only one high and one medium issue are found, or if no high or medium issues are found at all?\n\nAnswer: CodeArena has a detailed incentive model to handle different kinds of scenarios in the contests. \n\n1. If only one High and one Medium issue are found in a contest, the rewards are distributed according to the information available at https://docs.code4rena.com/awarding/incentive-model-and-awards. Each unique High or Medium finding is rewarded, and the submission selected for the audit report receives a 30% share bonus. The reward for a medium/high finding can be calculated using the formula provided in this link.\n\n2. In the rare case where no High/Medium issues are found during a contest, the remaining funds are divided based on the Quality Assurance (QA) Report curve. This situation is considered a rarity, but an example of such a contest can be found at https://code4rena.com/reports/2021-11-fei. \n\nIt's also important to note that if a participant evaluates an issue as low and includes it in the QA report, but it's judged as medium, it's unclear if they will receive a reward.\n\nMoreover, if a participant submits a report for a Medium issue, but it's deemed to be High, they will still receive a reward unless there's a reason to penalize them (such as the report being incomplete, lacking detail, or not as accurate).\n\nFinally, even if multiple contestants find the same issue, there's no difference in payout between the first person to find a bug and any subsequent person who finds the same bug. 
The overall value of the bug is reduced and split based on how many people find it.\n\nFor more information on the reward distribution, especially for cases like duplicate issues and mitigation contests, please refer to https://docs.code4rena.com/incentive-model-and-awards.", "Question: How are QA reports structured, graded, and categorized in CodeArena (C4)?\n\nAnswer: QA reports in CodeArena are categorized based on the severity and type of findings. These include Low, Non Critical (NC), and Refactoring issues. The severity of an issue can be categorized as high, low, or QA. A single report can include both high severity and medium/low severity issues, but the highest effort should be put into high severity issues. The grading of these reports is based on both the quantity and quality of the findings. Judges consider both these aspects when grading QA reports. Incorrect findings can affect the QA grade. \n\nIn terms of structure, it is recommended to have one big report for gas and one big report for quality assurance (QA). This is because the amount of detail required for QA and Gas Optimization reports is not as comprehensive as for high severity issues. Users are allowed to edit their reports for more clarity and detail. \n\nThe grading of QA reports also considers the correct identification of the highest severity impact of the bug, making a case for the severity and validity chosen with evidence, and clear and understandable writing. Reports are graded based on a relative score compared to other reports. Furthermore, a report with even one good issue can receive a decent grade.\n\nIn case of uncertainty about the severity of a finding, judges have the ability to downgrade medium issues to QA or upgrade items from your QA report if they feel severity should be higher. 
If the issue is relevant to both QA and gas savings, judges may decide where it best fits.\n\nYou can find more details about grading and issue categorization at these links: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). Examples of top QA/Gas reports can be found [here](https://code4rena.com/reports).", "Question: Where can I find and how can I use the findings.csv file on CodeArena?\n\nAnswer: The findings.csv file contains all findings, payouts, and useful information related to each contest. This file can be found at several locations. The main link is: https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv. Alternatively, you can access it directly at: https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv or through our community resources page at: https://code4rena.com/community-resources/findings.csv.\n\nThis file can be parsed to create a table with all wardens and their deduplicated findings. You can cross-reference this data with the contest reports for verification. Additionally, once the final contest report is released, the issue numbers will correspond with those in the findings.csv file. \n\nYou can also find information about the average payout for different types of findings such as gas optimizations, non-critical findings, and low-risk findings in this file. A detailed list of how much each finding was worth in a contest is also available. \n\nPlease note that the findings.csv file is made public when the report is published on the CodeArena website, and links to it are provided in each report. 
The entire findings repository, which includes the findings.csv file, is publicly accessible.\n\nIf you're a warden and want to review or edit your findings, navigate to the contest page and click on the 'Your Findings' button. You'll also receive a confirmation email every time you submit a finding. \n\nRemember, the findings.csv is a valuable resource for understanding and reviewing your and others' contributions to the CodeArena's audits.", "Question: If an issue occurs in two different parts of the code that are not related but carry the same meaning in the same smart contract, how should it be reported? \n\nAnswer: When an issue occurs in two different places of a smart contract code but carries the same meaning, they are generally considered as separate issues. However, if these two different issues can be resolved by fixing the same root cause, they would typically be considered as one issue. If fixing the root cause without considering both issues will still lead to one of them remaining active, then they might be treated as separate issues. \n\nMoreover, if the same vulnerability is found in multiple different components of the codebase, it might count as two separate findings, but the final judgement is up to the reviewer. It's important to note that multiple instances of the same vulnerability should be reported as one issue. \n\nAdditionally, if a bug impacts another contract that's out of scope, the impact might count, this decision is generally up to the judge. Similarly, vulnerabilities affecting a main contract, even if found in an out-of-scope contract, should still be reported. \n\nWhen reporting the same type of issue more than once, such as a Reentrancy attack or gas optimization of the same type, they should be reported together. 
For more information on handling multiple occurrences of the same issue, refer to the discussion at https://github.com/code-423n4/org/issues/8.", "Q: How do I receive my rewards from the CodeArena contests, and what are the steps to convert my USDC rewards to BTC on Coinbase?\n\nA: After participating in contests on CodeArena, your rewards for winning or finding issues are sent in the form of USDC on the Polygon network. The rewards are transferred to your registered wallet address, so ensure you've provided the correct details. Typically, these rewards are distributed once per month, usually at the beginning of the month. \n\nFor updates on reward distribution, keep an eye on the announcement channel. Remember that the amounts of these rewards can vary significantly, depending on the contest and the issues found.\n\nTo convert your USDC rewards to BTC on Coinbase, you first need to transfer your earnings from the Polygon network to your Coinbase account. You can do this by connecting your Polygon wallet to MetaMask and using the MetaMask bridge to transfer your USDC rewards. Once your rewards are in your Coinbase account, you can easily convert them to BTC or any other cryptocurrency of your choice.\n\nIf you wish to change your wallet address, for future contests, simply use the new address in your reports, and the rewards will be distributed to the new address. \n\nIf you have questions about the invoice process for your rewards, refer to the \"Tax and Legal Questions\" section of our Awarding Process page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. 
\n\nLastly, do note that if no issues are found in a contest, the sponsor reward pot's distribution method can vary and will generally be communicated by the contest organizers.", "Question: How can I earn and understand the distribution of Scout rewards in CodeArena?\n\nAnswer: Scout rewards in CodeArena are awarded to certified contributors who serve in the Scout role. As a Scout, your primary responsibility involves reviewing code before the launch of a contest to ensure its readiness for wardens. This involves making sure that the files provided by the sponsor are in order and that the test files don't pose any security vulnerabilities. \n\nThese rewards are part of several types of contest rewards offered on the platform, which also include Lookout and Judge awards. Bonus prizes are given for the best reports. Detailed information about the Scout role and reward distribution can be found in the Certified Contributors section of the CodeArena documentation at: https://docs.code4rena.com/roles/certified-contributors.\n\nThe reward amounts for contests are sponsored and a detailed list of rewards for each warden for each bug per contest can be found at: https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. The reward for a finding can be calculated using the formula provided in this link: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs.\n\nKeep in mind that while users can submit reports without being certified, certification is necessary to receive rewards. If a team submits a non-duplicate finding, they can receive more rewards than if they had individually submitted the same finding.\n\nLastly, once you earn some rewards and appear on the leaderboards, you can obtain the \"leaderboard\" discord role. To get this role, you need to place on the leaderboard. 
\n\nFor further details about the incentive model and awards, you can refer to https://docs.code4rena.com/awarding/incentive-model-and-awards.", "Question: How is the payout calculated for gas optimizations, non-critical, and low risk findings in audits, and what is the process for reporting them?\n\nAnswer: The payout for gas optimizations, non-critical, and low risk findings can be found in the findings.csv file on CodeArena's website repository. The reward for gas optimizations is typically 5% of the prize pool, but this may be increased or decreased based on the importance of the gas savings to the project. For all types of accepted reports, from high risk down to gas optimizations, the quality of the report, the accuracy of the findings, and a working proof of concept are considered. The reward split in a case where multiple people identify a gas optimization can be calculated using the formula present at [this link](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs).\n\nWhen it comes to gas optimization, it is suggested that the report includes the amount of gas saved for every finding. All findings related to gas optimization should be put under one report. If you have a finding that is relevant to both QA and gas savings, it can be included in either report, and the judges may decide where it best fits. The level of detail required for QA and Gas Optimization reports is not as comprehensive as for high severity issues. Examples of the top QA/Gas reports can be found on the CodeArena website at [this link](https://code4rena.com/reports).\n\nFor low and non-critical findings, there might be a bonus for each finding selected for the report. All valid findings for gas optimizations are weighted the same. However, please note that the current focus is on high/medium/low severity vulnerabilities and gas optimizations. There is no direct incentive to report non-critical findings. 
If you have any questions about the criteria for a report to be selected in a contest and how the reward for gas optimization is distributed, you can refer to [this example spreadsheet](https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0).\n\nRemember, you can only submit one report of gas optimization per contest, but you can add more findings to the report by going to the contest page and clicking the 'Your Findings' button.\n\nIf you are unsure about anything or need clarification, feel free to ask for it. And finally, an issue can be non-critical and also be included in gas optimizations. We recommend reporting any gas optimizations separately to ensure they are properly evaluated and rewarded.", "Question: How are reward amounts determined and distributed in CodeArena contests?\n\nAnswer: The reward amounts for contests on CodeArena are primarily derived from the contest sponsor. The distribution of these rewards largely depends on the findings of the contest participants. If no issues are found in a contest, the sponsor's reward pot remains unaffected. In cases where only one high and one medium issue are found, the rewards are distributed accordingly. \n\nFor team rewards in an audit contest, the prize is sent to a single address, and it is the team's responsibility to distribute it amongst themselves. Each team determines how to split their portion of a contest's reward amongst themselves. More information on the award distribution can be found on our [incentive model and awards page](https://docs.code4rena.com/incentive-model-and-awards).\n\nIt's worth noting that the reward process isn't immediate; once the awards are announced, the rewards are sent out manually in batches for multiple contests at a time. Some rewards might show as pending after the contest has finished due to the time taken by sponsors to compute and distribute the rewards. 
\n\nFor contests focused on gas optimization, the award is usually 5% of the prize pool. However, this percentage can be adjusted by sponsors based on the importance of gas savings to their project. \n\nIf duplicate issues are found, the reward and recognition is typically split between the finders, irrespective of who found it first. \n\nAll rewards are subjected to the specific rules and guidelines set by the contest sponsor. Any specific questions about the scope for a contest should be addressed to the respective sponsor. \n\nLastly, trust in the sponsors is vital and potential conflict of interest scenarios, such as sponsors hiding bugs, have been discussed and considered in our community.\n\nFor the most up-to-date and detailed information regarding reward distribution and calculations, please refer to the [incentive model and awards page](https://docs.code4rena.com/incentive-model-and-awards) on our website.", "Question: How does the fee structure work for fee-on-transfer and rebasing tokens, and can you provide examples?\n\nAnswer: Fee-on-transfer tokens are a type of token that deduct a small fee from every transaction made. This means that the amount of tokens received by the contract might be less than the transferred amount. A notable example of a fee-on-transfer token is PAXG. You can review its source code [here](https://etherscan.io/address/0x74271f2282ed7ee35c166122a60c9830354be42a#code). \n\nRebase tokens are those that adjust their supply in response to price variations, aiming to provide stability. Examples of such tokens' code can be found at [ButtonToken.sol](https://github.com/buttonwood-protocol/button-wrappers/blob/main/contracts/ButtonToken.sol#L126) and [ElasticReceiptToken.sol](https://github.com/pmerkleplant/elastic-receipt-token/blob/main/src/ElasticReceiptToken.sol).\n\nIn general, the fees associated with these tokens can vary based on the specific token used and transactional context. 
For instance, ERC tokens can be swapped via Uniswap, which has a minimum fee of 0.05%. Notably, not all tokens are fee-on-transfer, and the expectation of the code is essential when considering different tokens. \n\nAdditional information about tokens that do not revert on failure can be found at this [GitHub Repository](https://github.com/d-xo/weird-erc20#no-revert-on-failure). Furthermore, whether to use \"safeTransferFrom\" or not during a transfer depends on the token used and the expectation of the code. You can review more about how tokens are received by a contract in this report [here](https://github.com/code-423n4/2022-04-axelar-findings/issues/5). \n\nHowever, it's crucial to understand your specific token's dynamics and keep in mind potential costs such as gas fees for transactions. For instance, transferring tokens from a Metamask wallet charges a fee of 0.743% for token swaps.", "Question: If a function like getSomeValue(uint256 objectId) in a smart contract requires an objectId to be within a certain range, say 10-20, and it's not checked if the input is within this allowed range, causing the function to revert when an out of range input, like 21, is used, is this considered a bug? If so, is it categorised as informational, Not Critical (NC), or Low severity?\n\nAnswer: Yes, this is considered a bug. Although the bug relies on the user making a mistake in interaction with the contract, it is valid because it could lead to unexpected behaviours or function reverts. Depending on the context, such as whether it puts assets at risk or disrupts major functionalities, the severity of this bug could range from Low to Medium. In general, constraints on input values, especially for public or external functions, are important for smart contract security. 
They help prevent potential misuse, unexpected behaviours, and manipulation.\n\nHowever, this particular issue of not checking an input within the allowed range, leading to a revert when an out-of-range input is used, could be considered a Low severity bug. This is because it doesn't pose an immediate risk to the assets or the contract\u2019s state, but it could potentially disrupt user interactions and lead to function reverts. It's similar to a function call that always reverts but doesn't put assets at risk, which is identified as a Medium or High finding depending on the context (as observed from the chat).\n\nIn addition, to make the code more readable and prevent such issues, it is advisable to declare a constant for the range of acceptable values rather than hardcoding them, which is considered a magic number and can lead to misunderstandings and errors.\n\nIt's also worth noting that the severity of bugs in smart contracts is determined by judges on a case-by-case basis, taking into account various factors such as the exploitability of the bug, the assets at risk, and the context of the bug within the contract. So, the categorization of this bug could potentially change based on these factors.", "Question: What happens to the rewards in a CodeArena contest if no High or Medium severity issues are found?\n\nAnswer: If no High or Medium (H/M) severity issues are found in a CodeArena contest, the entire reward pot is not wasted. Instead, it moves down to Quality Assurance (QA) and is divided accordingly. This scenario, however, is unlikely as no code is always perfect and the general consensus is that there will be some issues found. Furthermore, if a finding is mentioned in the 'Known Findings' section of each contest Readme Page, it will likely be disqualified, affecting the distribution of rewards. 
\n\nWhile users may have queries about the reward distribution in cases where only one high and one medium issue are found, or if they could view the findings of a contest after it finishes, it is to be noted that there is no reward for submitting findings first, and the overall value of an issue is reduced and split based on how many people find it. Sponsors do not have access to the findings repository until the contest is over, and findings must be submitted before the contest end to be eligible. \n\nDiscussions in the chat also hint that there isn't a specific bug-payout list for each contest, and any invalid issues could be penalized if more than three are submitted per contest. If a participant did not make the award list despite submitting issues, it indicates that their issues were likely rejected. \n\nIn the rare case that no valid submissions are made during a contest, it would make the task of judging much more challenging as judges would have to identify duplicate submissions if sponsors do not fulfill their duties. After a contest is closed, the findings repo becomes publicly available for discussion after a certain period of time, although the duration is not specified. \n\nPlease note that this information is based on current observations and practices at CodeArena and could be subject to change.", "Question: How do I receive and convert my USDC rewards from CodeArena over Coinbase, and can these rewards be converted to BTC?\n\nAnswer: All contest rewards at CodeArena are paid out in USDC on the Polygon network. Once you have earned the reward, it will be sent directly to your registered wallet address based on your Discord username. To check updates on distribution, please keep an eye on our announcement channel. \n\nIf you want to convert these rewards to BTC or another cryptocurrency, you can do so on your preferred crypto trading platform such as Coinbase, Binance, etc. These rewards can be deposited into Coinbase from Polygon. 
\n\nIf you are using MetaMask, you can connect it to Polygon to receive rewards and subsequently convert and withdraw them. The conversion process from Polygon Token to another currency can be done through the MetaMask bridge and Coinbase. \n\nNote that the amount of rewards can vary significantly based on the findings of your smart contract audit. If your wallet address changes in the future or you want to use a different address for receiving rewards, make sure you update this on our platform.\n\nWe encourage participants to explore other options for exchanging to fiat currency if they have difficulties converting crypto to fiat in their country. If you need additional help regarding the rewarding process or how to create an invoice for the rewards received, you can refer to our help page at https://code4rena.com/help and the awarding process guide at https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions.", "Q: I'm trying to create a team on CodeArena and select members, but I'm encountering a blank page even when trying different browsers. What should I do?\n\nA: We're sorry to hear that you're experiencing issues with our team creation process. This is a known issue that some users have reported while trying to add members to their teams. The issue may occasionally result in a blank page or even a purple screen replacing the page when a dropdown is clicked. \n\nFirstly, you may want to try refreshing the page or changing your browser. If the problem persists, you could also attempt to create the team on a different day, as some technical issues might resolve themselves during this time.\n\nIf none of these options work, the best course of action is to submit a help desk request. Our team at CodeArena is ready to assist with issues regarding team creation, member addition, team name changes, and other related concerns. 
Just open a request at https://code4rena.com/help and we'll work on it as soon as possible.\n\nRemember, once your team is approved, members can log in and submit findings as a team. They also have the option to submit findings individually if they choose. Please note that access to certain resources may be restricted, such as the findings page, which is limited to certain user privileges like being a part of the \"backstage\" group.\n\nWe appreciate your patience as we work to resolve your issue and your participation in our audits.", "Q: What is the role and rewards of a Lookout in Code4rena?\n\nA: A Lookout in Code4rena plays a crucial role in the auditing process by pre-sorting the repository and providing a summary document to the sponsor, a process integral to the preparation stage of a contest. There is typically one Lookout assigned per contest. The Lookout role not only involves the identification of audit concerns but also the detailed documentation of these concerns in a Medium finding format which includes details on impact, proof of concept, and mitigation strategies.\n\nLookouts are rewarded for their contributions to the contest. Although these rewards are not included in the leaderboard ranking calculations, they form part of the overall contest rewards alongside Scout and Judge awards. Specific details about the Lookout role and its associated rewards can be obtained from Code4rena's official documentation here: https://docs.code4rena.com/roles/certified-contributors/lookouts. \n\nLookout applications can be submitted at any time, even though specific contest information such as the opening of the lookout application window is generally announced on Discord. Users can apply for the Lookout role using findings that do not yet have reports. \n\nIt's worth noting that information about judges or Lookouts is kept confidential to maintain a bias-free competition. 
The platform allows viewing of reports from other wardens even after contests have ended, fostering a collaborative environment that values transparency.", "Question: How can I apply for a Lookout role at CodeArena and when can I submit my application?\n\nAnswer: You can apply for a Lookout role at CodeArena at any time. Even though we announce specific periods for reviewing applications through our Discord channel, applications are always welcome. To apply, you can use any findings, even those that don't have reports out yet. As a Lookout, your role is to pre-sort the repo and provide a summary document to the sponsor. Typically, there is one Lookout per contest. Please note that right now, there is no set timeline for receiving your KYC mail after submitting your application. For detailed information about the Lookout role, please visit our documentation page at [https://docs.code4rena.com/roles/certified-contributors/lookouts](https://docs.code4rena.com/roles/certified-contributors/lookouts). Please be aware that applications to backstage at CodeArena are currently paused due to an identified issue, and no ETA is currently available for resumption. If you have any query about your application, you can create a help desk request for status updates.", "Q: I have successfully submitted my findings but I'm unable to view my report. What should I do?\n\nA: First, ensure that you are logged into your GitHub account - the same one associated with your CodeArena (C4) profile. If you're still unable to view your report after checking your login status, there could be several reasons for this. \n\nFirstly, the findings repository remains private until the report is published. After publication, you can view the findings repo and understand the reasons for any rejections or feedback on your submissions. You can also check your submitted findings and their status through the 'Your Findings' button on the contest page. 
This provides an option to revise and re-submit your analysis reports.\n\nYou should also receive an email confirmation after your report has been submitted. If you didn't receive an email confirmation, or received an error message during submission, there may have been an issue with the submission process. In some cases, issues have been reported when submitting findings through certain browsers, like Firefox and Chrome, due to a permalink error.\n\nPlease also note that the processing of submissions may take some time, and the confirmation email may not be immediate. If you believe your findings submission has failed, but you have not received an error message, consider reaching out to our team for assistance.\n\nAs a first-time submitter, you may also want to consult the warden submission guide at https://docs.code4rena.com/roles/wardens/sub for a detailed explanation of the process. For further reference on what constitutes a successful submission, you can view examples of past submissions at https://code423n4.com/reports.\n\nRemember, you can always edit your submissions if necessary, by navigating to the contest page and clicking on the 'Your Findings' button. Lastly, if you are encountering difficulties associated to a specific contest - for example, the Escher contest - please notify us to enable us to address the issue.", "Question: How can I gain access to the Polynomial project and other private audits as a certified or Certified+ user on CodeArena?\n\nAnswer: To gain access to the Polynomial project or any private audit contest, you need to be a Certified Warden. Information on becoming certified can be found at https://docs.code4rena.com/roles/certified-contributors. Once you are certified, you can view the project repository and submit findings. 
\n\nIn addition, if you qualify for Certified+ status, you will get access to private repositories after a contest is finished, where you can see what others have submitted and accelerate your learning process. However, being Certified+ does not automatically grant you access to the previously participated contest in progress judging repository, you would need backstage access for that. \n\nThe immediate access to findings repo for Certified+ users has not yet been rolled out. To apply for a Certified+ status, a more formal process is recommended. This typically involves completion of the certification process with an entity such as ProvenanceDAO and participation in more than 3 contests.\n\nHowever, some users have reported that they did not receive an invitation link to Github despite being certified. In case of such issues, or if you believe you qualify for Certified+ but can't find the correct submission form, please contact CodeArena through the help desk form. \n\nKeep in mind that being certified not only allows you to access more contests but also gives you the ability to edit your profile on Code4Arena. For more details, you may refer to https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0.\n\nPlease note that access to the source code of certain protocol files, like the Nouns DAO protocol, may still be restricted. For any inquiries about auditing projects, you can reach out online. \n\nRemember that getting certified allows you to participate in more high level audits and gives you access to a wealth of learning resources, such as those for the solidity compiler. Therefore, it's a valuable step in progressing your skills and opportunities within CodeArena.\n", "Question: How can I manage, edit, and submit findings on Code4Arena? \n\nAnswer: You can manage your submitted findings by navigating to the contest page and clicking on the \"Your Findings\" button. 
This page allows you to view, edit, update the format of, or add more findings to your report. You can even link a separate submission during the submission of an issue by referring to its number on this page. \n\nTo submit a new finding, locate the \"Submit Finding\" button on the contest page. When clicked, this will lead you to a form wherein you can input your findings. After clicking \"CREATE ISSUE\", your form data is turned into a submission that is sent to the findings repository for the given contest. This submission will then be evaluated by judges after the contest ends.\n\nPlease note some contests are only open to certified wardens, and buttons such as \"Submit Findings\" and \"View Repo\" will only show for them on these specific contests. You can learn more about becoming a certified warden here: https://docs.code4rena.com/roles/certified-contributors. \n\nAfter submitting a finding, you should receive a follow-up email. You can also check the success of your report submission by looking out for this email and reviewing your ability to edit submitted findings. If you're uncertain about the status of your submission or you want to view it without making modifications, you can track the report status under the \"Findings\" tab next to the contest description.\n\nFor example, here's how to navigate to the \"Your Findings\" button on the Ethos Reserve contest page: https://code4rena.com/contests/2023-02-ethos-reserve-contest. Be aware that an outdated GitHub template for submissions exists, but users are primarily advised to submit findings using the specific contest's \"Submit finding\" button on the main page, each finding separately.", "Question: How can I make changes to an uploaded gas report for a contest on CodeArena?\n\nAnswer: Users can make changes to their submitted gas report while a contest is open. To do so, navigate to the contest details page and click on \"your findings\" where you can edit your submitted details. 
You can also edit the 'test' command in the 'package.json' file to affect the 'REPORT_GAS' function.\n\nPlease note that you are allowed to submit one combined gas report and one combined QA report per contest, and you have the ability to edit existing findings. If you have additional findings related to gas optimization, you should update your existing report instead of creating a new one. \n\nIf your report exceeds the maximum number of characters allowed (~65k characters due to Github's limit for issue descriptions), you can submit a placeholder and email the report to submissions@code423n4.com. For more details on this, you can visit: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form. \n\nIt's recommended that your gas optimization report includes the amount of gas saved for every finding, although this requirement may vary based on the judge's decision. If you need assistance on how to prepare your report, you can refer to this guide: https://www.youtube.com/watch?v=nady250cNo4. \n\nLastly, do not import screenshots into your submissions, instead paste your gas report directly. And remember to report any gas optimizations separately.", "Question: What is the process to become a certified warden at Code4rena and participate in private contests?\n\nAnswer: Becoming a certified warden at Code4rena involves several steps. It's necessary because only certified wardens are allowed to participate in private contests, including the PolynomialFi contest. To become a certified warden, you need to apply and meet specific criteria which may include participating in a certain number of contests and having a certain number of valid findings or reports. Particularly, having at least 3 top finishes in either the QA or gas report from past contests could be beneficial. 
Once you have achieved the certified warden status, you can enter private contests which may also require completion of KYC. You can find detailed information about the process and constraints on certification at [this link](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints). Potential wardens can apply for certification using [this application form](https://code4rena.com/certified-contributor-application). Remember, being a certified warden also allows you to join mitigation-review contests and Versus contests. Certification can also enhance your ability to qualify for private contests and gain access to findings shortly after contests end.", "Question: What does the term \"Versus\" signify in a CodeArena contest name like \"KUMA Protocol - Versus Mitigation\"?\n\nAnswer: The term \"Versus\" in a CodeArena contest name signifies a small invite contest which could be a mitigation review or a regular contest involving a limited number of participants, usually the top-performing wardens. These contests are typically a comparison or challenge between entities. \n\nIn a mitigation review contest, projects may invite top wardens back after the contests to review bug mitigations. Notably, the rewarding formula for this type of contest may vary based on a number of factors. For instance, if a participant has findings but the judge and sponsor disagree with their proposed mitigation, the final decision on the mitigation part rests with the sponsor. However, if a participant points out a bug or logic flaw that was approved by the judge, it's considered an achievement and could influence the final award.\n\nTo participate in a Versus contest, one needs to be certified. The number of wardens participating in a given contest might be indicated, providing a competitive access for a limited number of the highest performing wardens who RSVP. 
\n\nFor more information about the structure and details of Versus contests, you can visit this link: https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef. Additional details on Mitigation Reviews are available at https://code4rena.com/how-it-works.", "Question: What tools and methods are recommended for including code snippets with line numbers in the reports for CodeArena audits?\n\nAnswer: Several tools and methods are recommended for including code snippets with line numbers in the reports. \n\nOne of the tools suggested is the Visual Studio Code extension \"Copy With Line Numbers\", which allows you to copy code snippets with line numbers included. You can find this extension on the Visual Studio marketplace [here](https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers).\n\nTo link to specific lines of code on GitHub, you can click on the code line on the left tab which will change the URL. Holding SHIFT can capture a range of lines. Additionally, code can be highlighted on Github by clicking on the starting line of code, then holding down ctrl + shift and clicking on the last line to highlight.\n\nThe reports for CodeArena support Markdown (MD) format, which can be used to add code blocks to your report. Syntax highlighting in a code block in a finding report can be achieved using three backticks and specifying the language (e.g., ```solidity). More information on this can be found at the GitHub documentation page [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks).\n\nWhile it's recommended to include both the URL to the repository with the line number and a code block when showing places of vulnerability, it's important to note that adding a link to the sponsor's GitHub repo code does not automatically pull that code snippet into the report. 
\n\nThe tool 'cloc' is used to calculate LOC (Lines of Code) and the term Sloc means Source Lines of Code, which is the number of Lines of Code minus the number of lines that are comments.\n\nPlease note that the preference for including line numbers in code snippets may vary among judges and there has been some debate on how best to reference code in reports. It's always a good idea to ask specific preferences in the chat.", "Question: What is the policy and guideline on submitting a Proof of Concept (PoC) for vulnerabilities found during a contest? \n\nAnswer: A Proof of Concept (PoC) can greatly enhance the quality and comprehensiveness of your vulnerability report. PoCs can be presented either in code or plain English, and can be written in any language as long as it clearly demonstrates the vulnerability. It is not necessary for a PoC to be exact code, nor does it need to be executable in the context of CodeArena. For large or complex PoCs that cannot be embedded directly in the report, users can submit these using external platforms like Gist or create a public Github repository. Instructions on these methods can be found [here](https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc) and [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept). \n\nWhile submitting a PoC is not mandatory, it is highly recommended. A report without a PoC may be disregarded unless the issue is extremely obvious. It is particularly advised to include a PoC and a case made for how an item can be exploited to avoid your findings being marked as invalid. \n\nFurthermore, auditors can use tools like Echidna for auditing during contests, and if a PoC script is created for a vulnerability, the link can be included in the submission. However, creating a coded POC will not have an effect on awards or the contest results as per C4 guidelines. 
\n\nIf there are any doubts or if you believe you have found something and want to ask questions, Code4rena encourages reaching out to the sponsoring team during the contest. Please remember to submit your findings via the contest submission form to be eligible for awards.", "Question: What are the best ways to learn and improve my skills in between CodeArena contests?\n\nAnswer: There are several ways to optimally learn and enhance your skills in between CodeArena contests. \n\n1. Participating in contests is one of the best ways to improve your skills. CodeArena recommends this approach as it provides real-time experience and the opportunity to interact with experienced auditors and sponsors.\n2. Reviewing past contests is beneficial. You can practice on them and read old reports to understand the common issues found and how they were resolved. This will give you a better understanding of what to look for in future contests.\n3. Certified Plus members get access to private repositories after a contest is finished, where they can see what others have submitted and learn from them. To obtain Certified Plus status, you must meet specific entry requirements.\n4. Stay updated with contest updates, results, team information, and rewards. You can do this by visiting the official CodeArena website and joining the Discord community.\n5. You can also learn by reading the post-contest report about the bugs found which can be used for studying and improving.\n6. Information on judging and payout timelines after a contest ends is documented at https://docs.code4rena.com/structure/our-process. This will give you a better understanding of the process and what to expect after participating in a contest.\n7. 
For more specific knowledge, you can read about Versus contests at this link: https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef.\n\nRemember, the most crucial part of learning is participating and gaining experience, so don't hesitate to \"just do it\".", "Question: I've recently been approved to become a warden, but how long does it typically take to achieve certified status, and what does the process entail?\n\nAnswer: Typically, it takes around 2 weeks to become a Certified Warden after your approval from the KYC (Know Your Customer) firm. However, the initial email from Provenance, which is part of the verification process, doesn't have a specified delivery timeframe. This period may be slightly shorter, around 1-2 business days, once you have begun working with Provenance. In some cases, it might take 2-3 weeks to receive the KYC email, which is sent from compliance@provenance.company, and could end up in your spam folder. \n\nOnce you are a Certified Warden, you'll have the privilege to attend private audits, be marked as \"Available for Hire\", and other perks, although the specifics have not been detailed. You might also need to participate in a certain number of contests and have a certain number of valid findings or reports to maintain your certified status. \n\nPlease note that there are certain requirements for the verification process. For instance, you might need to provide a passport or a certified copy of your ID and a selfie. Also, as part of the process, there's an application queue.\n\nYou can find more details about the process to become a certified member at [this link](https://docs.code4rena.com/roles/wardens/certified-wardens).\n\nKeep in mind, the ability to edit your warden profile to reflect this status is currently only available to those who were certified when warden profiles were introduced. 
If you have any issues with the process, such as not receiving an email from Provenance, we recommend checking your spam folder and patiently waiting as the process might sometimes take longer than usual.", "Question: Can I participate in the KUMA Protocol - Versus Mitigation contest and what are the rules, rewards, and requirements?\n\nAnswer: The KUMA Protocol - Versus Mitigation contest is specifically designed as a review event for those who participated in the original contest. The \"Versus\" term denotes a small invite contest, which could include mitigation reviews or regular contests with a limited number of participants. \n\nYou may participate in the mitigation review contest if you have taken part in the initial audit, are a certified warden, and have found bugs or logic flaws that are approved by the judge. If you have findings, but the judge and sponsor disagree with your mitigation, the final decision rests with the sponsor. \n\nThere is a rewarding formula for this contest, and top three auditors are generally selected in the mitigation review. The participation rewards for a formal verification contest are also applicable here. Please keep in mind that if you believe that you have found something significant, you should reach out to the sponsor team or submit it via the contest submission form to be eligible for awards.\n\nYou have the ability to submit an analysis for these contests, and even upgrade the risk level of your submitted findings if the contest is still open. Participants can also openly discuss issues with the sponsors before the contest is finished, including severity and in-scope/out of scope questions.\n\nWhile the contest is ongoing, participants can ask questions directly or in the open discussion. A link to the upcoming contest can be found here: https://code4rena.com/contests/2023-04-party-protocol-versus-contest. 
\n\nFinally, please note that some contests require KYC (Know Your Customer) verification, while some do not require certification for payouts if any submissions are awarded. That being said, the need for KYC and other specific requirements are normally stated in the contest's specific page.\n\nFinally, it's essential to remember that the impact of automated findings on the contest is still under discussion, as are rules about whether bugs introduced through mitigation efforts should be reported.", "Question: Can you provide more details about the existence and functionality of the Arena token?\n\nAnswer: Yes, the ARENA token does exist, but it doesn't have the kind of volume that gets it listed on major exchanges like CoinGecko. The ARENA tokens can be obtained using the contract address 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222. This token acts as a minimum-viable-governance token with sovereignty over the DAO treasury and there is currently no token staking feature for the ARENA token. \n\nHowever, it's important to be cautious of scams and only purchase ARENA tokens from trusted sources. URLs like invst.icu, for instance, have been linked with phishing scams. \n\nYou can explore more intricate details about this token and its governance in the DAO constitution on our GitHub page: https://github.com/code-423n4/org/blob/main/CONSTITUTION.md. \n\nPlease note that while we aim to provide as much information as possible, some aspects about the token might still be ambiguous, so feel free to raise any specific queries you have.", "Question: Is the absence of a zero address check in a smart contract considered a medium-level vulnerability, and if so, why?\n\nAnswer: The lack of a zero address check in a smart contract can indeed be considered a medium-level vulnerability. This vulnerability, if exploited, may lead to loss of funds since the zero address cannot transfer out any incoming funds due to its inability to sign transactions. 
The severity of such a vulnerability is determined by its potential impact, and in this case, the inability to recover funds from the zero address can make it a medium-level issue. However, there are debates about the validity of this finding, as referenced in https://github.com/code-423n4/2021-10-badgerdao-findings/issues/5. \n\nMoreover, it's important to note that the inability to fix this on the initializer increases the severity of the vulnerability. In such cases, it's generally safer to use a two-step change process with critical addresses, which can help prevent errors like sending funds to the wrong address. \n\nAn example of this type of vulnerability can be found at https://code4rena.com/reports/2022-06-canto#m-01-missing-zero-address-check-can-set-treasury-to-zero-address. \n\nPlease note that while the severity of a vulnerability is often determined by its potential impact, the final classification may also depend on other factors such as the likelihood of exploitation or the degree of user interaction required.", "Question: What happens when the same issue is submitted by multiple accounts or teams? Are there advantages to submitting first or using multiple accounts? \n\nAnswer: There are no benefits to creating an alternate account and submitting the same issue from both accounts. In fact, such a practice could decrease your share due to CodeArena's sybil protection measures designed to prevent misuse. If two people are part of a team and they find the same issue, but submit it with different wallets, each person will get less than half of the reward. \n\nMoreover, there is no advantage for the one who submits an issue first. If the same vulnerability is reported by multiple wardens or teams, everyone gets the same share; the reward money for that issue is divided among them. 
However, the level of detail in the submission, such as the inclusion of a Proof of Concept (PoC), and covering the issue in as many aspects as possible, can influence the award amount. \n\nDuplicate submissions of the same vulnerability are subject to some sybil resistance; each instance is awarded a share of one point depending on the number of duplicates. However, the best report will receive more money than other reports. If a duplicate report is not beyond a certain threshold, there might be no money awarded for it. \n\nAdditionally, users are allowed to submit findings they are unsure about, but note that having more than 3 reports rejected in a competition will prevent the user from getting any payout for that competition. \n\nIf an analysis is accidentally submitted from a personal account instead of a team account, it can be re-submitted from the team's account, and a help desk request can be submitted to withdraw the other one at https://code4rena.com/help. \n\nFor more details on the incentive model and awards, please visit https://docs.code4rena.com/#incentive-model-and-awards.", "Q: Is there a way to download all the smart contracts being deployed at a specific address that we can see using etherscan.io?\n\nA: Yes, it is possible to download all the smart contracts deployed at a specific address that can be viewed using etherscan.io. You can convert a contract address into a separate solidity file through a service available on Etherscan. You can do this by changing .io to .deth.net in the URL. For example, if the address is 0x27f461c698844ff51b33ecffa5dc2bd9721060b1, you would change the URL to https://etherscan.deth.net/address/0x27f461c698844ff51b33ecffa5dc2bd9721060b1/advanced#code. \n\nAfter obtaining the solidity file, you can view the on-chain contracts of etherscan in an IDE like remix using this tool: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484. 
\n\nOnce you have the contract, you can test it using tools like Mythril and Slither, which are particularly useful for auditing smart contracts. For beginners who need help auditing smart contracts, CodeArena offers resources and runs contests for analyzing smart contracts. You can find more resources for auditing smart contracts here: https://docs.code4rena.com/roles/wardens/tools-and-resources. \n\nFor more visual users, there is a Github repository for smart contract visualization: https://github.com/DanielVF/evm-contract-draw. For those interested in blockchain forensics analysis, you can monitor your address on the polygon network at https://polygonscan.com/address/. \n\nThis process can be complex for beginners and understanding reports and concepts related to smart contracts can be a challenge. However, getting hands-on experience and using the above resources can significantly help you in your journey to understanding and auditing smart contracts.", "Question: Are the CodeArena office hour sessions recorded and when can I expect them to be uploaded on the YouTube channel?\n\nAnswer: Yes, all office hour sessions at CodeArena are recorded and then uploaded onto our YouTube channel. Typically, videos from these sessions are posted early in the following week after the office hour was held. You can also submit your questions for the upcoming recorded community calls. Updates about these sessions, along with other important announcements, are shared in the C4 rollup in the announcements channel on our Discord. You can also find contest-related videos, post mortems, and helpful webinars such as those by OpenZeppelin on our YouTube channel. 
Here is the link to our YouTube channel for your convenience: https://www.youtube.com/@code4rena.", "Q: How does CodeArena handle duplicate submissions and what factors affect the value of such findings?\n\nA: CodeArena manages duplicate submissions by decreasing the value of a particular finding if more of the same kind are submitted during the open submission period. This is implemented as a sybil resistance measure where each instance of the same vulnerability is awarded a share of one point depending on the number of duplicates.\n\nPlease note that the order of reported issues doesn't necessarily follow the submission time. The judges select the primary issue based on the quality of the write-up rather than the order of submission. This policy encourages high-quality submissions. \n\nAlso, if two participants submit identical bugs at the end of a contest, the criteria for judging duplicate submissions can be found at [CodeArena Judging Criteria](https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions). \n\nIn the case of multiple submissions by team members, it decreases the overall value of the submission. Also, a submission is considered duplicate not only because it was not the first, but because another similar report was selected to be published in the report. \n\nIf you have submitted an issue to the wrong contest or if there are any submission errors, please resubmit to the correct contest and inform the C4 staff by filling out a form at [CodeArena Help](https://code4rena.com/help/). \n\nAlthough a confirmation of your submission is sent via email, please note that there may be delays. You can also view your submissions on the C4 Contest page under the \"Findings\" tab. 
\n\nWhile this information covers the general handling of duplicates, it's always recommended to refer to the specific rules and processes for each contest as they may vary.", "Question: What tools and methods does CodeArena use for smart contract audits and how can I get started with using them?\n\nAnswer: CodeArena utilizes a variety of tools and methods for auditing smart contracts. Some of the tools include Hardhat, Foundry, and our own in-development tool available at https://github.com/HardlyCodeMan/audit_helper/. Hardhat and Foundry are often used to generate a gas report, while Foundry can also be used to write and conduct tests. A base template for using Foundry in a project that employs Hardhat can be found at https://github.com/foundry-rs/hardhat-foundry-template.\n\nFuzzing tools such as Echidna are also discussed in the context of auditing in contests and can be considered. To assist in finding vulnerabilities and bugs in smart contracts, CodeArena runs a tool for automated findings.\n\nAs a beginner, you can learn more about smart contract auditing from resources like https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources. More detailed information on how to approach auditing, especially large projects, can be found at https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan.\n\nAdditionally, CodeArena is not only focused on auditing. We also provide opportunities for smart contract gigs and can connect you with the booking team for a conversation. If you're interested, you can ask questions about the findings of past projects or even participate in private competitive audits. 
\n\nFinally, while the platform does offer resources for smart contract auditing, it is also important to note that we can run audits with a Rust focus and we're open to hosting more web2 whitebox audits.", "Question: How can I connect my wallet to my account and submit findings on CodeArena (C4)?\n\nAnswer: To submit findings on CodeArena, both individual users and teams need to connect their wallet to their account. This process usually occurs when you sign in. The wallet you'll use for logging in, usually set up when creating your account, may differ from the payment wallet used for submitting findings, but both can be updated in your profile.\n\nTo submit findings, navigate to the contest page and use the 'Submit Findings' button. Each contest's submission form includes a field for your wallet address. In case you have submitted findings before, you should be redirected to a confirmation page instead of the registration page when you connect your wallet. Wallet addresses used in a finding can be updated after the finding has been submitted and before the reward payout by submitting a request through the Help Desk at [https://code4rena.com/help](https://code4rena.com/help).\n\nUsers can also edit their submitted findings by navigating to the contest page and clicking on the 'Your Findings' button. Adding more findings to your gas report can be done by clicking the 'Your Findings' button on the contest page. \n\nOnce a submission is confirmed and reward amounts are announced, you just need to wait for it to go to your wallet. If you are part of a team, once your team is approved, you can log in and submit findings as a team. \n\nSubmissions can be under review, which may affect the ability to submit findings. Furthermore, CodeArena is considering implementing a system for using different wallets for different submissions in a single contest. \n\nRegarding Metamask, it's functional for submitting findings in C4 payments. 
\n\nFor more detailed information on submitting findings, please refer to our documented process at [https://docs.code4rena.com/roles/wardens/sub](https://docs.code4rena.com/roles/wardens/sub).", "Q: Where can I find more information about the warden-application-reviewers role at CodeArena, and what is the process to apply for it?\n\nA: You can find detailed information about the warden-application-reviewers role at CodeArena, including the eligibility requirements and certification process, on our documentation page: [Warden Certification Process](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints). \n\nTo apply for this role, you need to go through an application process which involves submitting necessary documentation and passing a Know Your Customer (KYC) process. The application for becoming a certified warden can be made through this link: [Certified Contributor Application](https://code4rena.com/certified-contributor-application). \n\nRemember that upon getting certified, you will also gain access to participate in private contests and apply for the backstage role with specific qualifications, as described here: [Backstage Wardens](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). \n\nBefore starting, it would be beneficial to familiarize yourself with the submission policy and judging criteria as outlined in our docs here: [Wardens Guidelines](https://docs.code4rena.com/roles/wardens). If you still have any questions about the process, feel free to ask in our chatroom or reach out to our team.", "Question: How can I explore multiple designs and best security practices for completing contracts for a staking platform through CodeArena?\n\nAnswer: CodeArena hosts various contests that allow participants to explore multiple designs and best security practices for smart contracts, including those relevant to staking platforms. 
These contests are an excellent opportunity to learn about different ways staking functionality can be implemented, as well as gain insights into contract security. \n\nTo participate, you can register as a team using a single wallet. Rewards for these contests come in various types, such as Scout, Lookout, and Judge awards. For specific details about ongoing and upcoming contests, you can check the CodeArena platform (https://code4rena.com/contests), or contact our team, which regularly provides updates about upcoming audit contests. \n\nCodeArena also encourages learning by offering resources on smart contract security and has a dedicated community ready to assist beginners in smart contract auditing. You can find information about the submission policy and review audit contest reports at https://docs.code4rena.com/roles/wardens/submission-policy and https://code4rena.com/reports respectively. \n\nAdditionally, we are planning to host more contests in the future that will feature an initial audit prize pool and a mitigation review pool. If you're interested in specific contests, such as the Stakehouse contest or the streaming protocol contest, you can address your questions to the respective sponsor or check out the contest details on our platform. You can also participate in discussions about tools for comparing differences between contracts, as well as the best practices for submitting bugs and gas optimizations. \n\nPlease note, while our primary focus is on smart contract audits, users have raised queries about our scope extending beyond just auditing, such as website audits and smart contract gigs. We recommend staying tuned for updates on these topics.", "Question: What are the wallet and certification requirements for participating in Code4rena's contests?\n\nAnswer: \nTo participate in Code4rena's contests, you do not need to log in with a wallet. 
However, you must ensure that you've added your payment wallet during registration so that any rewards can be transferred to you. The submission form for each contest includes a field for your wallet address.\n\nYou can participate individually or as a team during auditing contests and a single wallet is used for registration. Currently, Code4rena is considering the implementation of a system that allows the use of different wallets for different submissions in a single contest.\n\nIn terms of certification, many contests do not require participants to be Know Your Customer (KYC) verified or certified to receive rewards. However, some contests do require KYC verification or certification, particularly private contests such as Party Protocol or the Chainlink contest. For these special cases, you will need to go through a KYC process before submitting or verify your identity after the contest ends to receive the payout. More information on this can be found at https://docs.code4rena.com/roles/certified-contributors.\n\nPlease note that it is possible to participate and receive payouts without being certified, but some activities do require certification or KYC verification. Once a submission is confirmed and reward amounts are announced, you just need to wait for the reward to be transferred to your wallet.\n\nWhile signing in, you only need to connect your wallet once, not every time you submit findings. However, wardens need to connect their wallet to their account to submit findings. Remember to use the correct wallet and email to avoid login issues. 
\n\nAlthough not all contests require KYC verification or certification, we encourage participants to add their payment wallets to their account and register their handle and ETH address to receive their shares of the rewards.", "Question: Why are there no upcoming competitions listed and what might cause a delay in the scheduling or progress of contests?\n\nAnswer: At CodeArena (C4), the number of contests can fluctuate due to a variety of reasons. There may be instances where there are gaps in the schedule for live contests or there are no upcoming competitions listed. This can happen due to a number of factors:\n\n1. New Contests: The C4 team is often in discussions with various parties about potential audits, and these talks can lead to new contests. There may be some delay in updating these on the specific channels, so it's likely there are upcoming contests that haven't been updated yet.\n\n2. Event Timing: Sometimes, a pause in contests happens around big conferences or other events.\n\n3. Judging Delays: With an increase in contest submissions, the workload for judges has significantly increased, leading to potential delays in judging and progressing contests. It's important to note that the judging of contests may take a lengthy time period, with factors beyond the judge's control contributing to delays.\n\n4. Sponsorship: Sponsors also play a part in contest delays. While no specific lead time was provided, the involvement of sponsors can impact the timing and scheduling of contests.\n\n5. Contest Status: If you're specifically looking for a contest that was previously listed, it might be that it's moved to the \"Past competition status updates\" or the contest could be delayed due to various reasons.\n\n6. Submission Issues: On some occasions, users may experience issues when submitting findings to a contest, which might result in delays or changes in contest status. \n\n7. 
Private Contests: There are occasions when a contest is private, and these might not be visible to all participants.\n\nDespite these potential delays, please be assured that a number of new contests are expected to take place in the coming month. Keep an eye on the \"Past Contest Status Updates\" section for a timeline of where contests are currently in the process. If you're experiencing issues with contest submissions or rewards, please get in touch with the C4 team for assistance.", "Question: How can I link my Twitter handle to my CodeArena profile?\n\nAnswer: You can link your Twitter handle to your CodeArena profile by submitting a helpdesk request. To do so, please visit the following link: https://code4rena.com/help. In the request, include your warden name and the URL of your Twitter profile. You can also update your profile picture and Twitter link at the same time. It's important to note that linking your Twitter handle might be especially beneficial for certified auditors. \n\nIf you experience any issues with logging in or other technical difficulties, feel free to reach out to our support team in the #auth-help channel or direct message the C4 staff members. In the case of account security issues, such as your wallet being compromised, please immediately submit a help desk request for assistance. \n", "Question: What resources can CodeArena provide me in terms of contests, to help me understand multiple designs and best security practices for auditing smart contracts, especially for a staking platform I'm constructing?\n\nAnswer: CodeArena offers a variety of contests that can help you understand multiple designs and best security practices for auditing smart contracts. These contests focus on providing value from a security perspective and are a great way to improve your auditing skills. \n\nAs a beginner, you can look at past contests to practice on and read old reports for a deeper understanding. 
Current ongoing contests can be found on our platform. We also recommend communicating with our team as we are regularly in contact with various projects about upcoming audits. \n\nCertified status grants access to more contests. To be certified, you need to encounter at least one high severity bug and compete in at least three contests. Once certified, you can join any contest including certified contests. \n\nFurther, there are specific contests like the Mitigation Review Contest in which top wardens are invited back to review bug mitigations. For Versus contests, you need to be certified. Teams are also welcomed to participate in auditing contests. \n\nMoreover, tools like fuzzing tools such as Echidna are often used in our contests for auditing. While submitting an issue for any contest, we advise you to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid. \n\nYou could also opt for Certified Plus status which allows you access to private repositories after a contest is finished. Here you can see what others have submitted and learn more quickly. \n\nLastly, we offer several types of contest rewards like Scout, Lookout, and Judge awards to encourage participation. \n\nFor more information, you can always check our contest-related documentation or reach out to our team directly.", "Question: I am struggling to set up and run the picode 4naly3er globally, can anyone provide a detailed guide or direct me to necessary resources to troubleshoot the issue?\n\nAnswer: It seems that you're not alone in encountering issues while trying to run the picode 4naly3er globally. This could be due to a variety of factors. If you're getting an error about missing files, for instance, you need a remappings.txt in the project you are running it against. \n\nAdditionally, for the correct setup and running of 4naly3er, you might want to refer to the public script available at https://github.com/Picodes/4naly3er. 
This script has been used in various contests and could provide guidance on how to run the tool properly. \n\nHowever, keep in mind that some users have reported difficulties even after following the provided instructions. If this is the case for you, it might be worth considering to run tests in the existing test environment or writing new test cases, rather than setting up a full environment. You can check for a potential test setup in the sponsor's GitHub or perhaps consider isolating the code for testing. \n\nIf you're still encountering issues, please don't hesitate to submit a help request at Code4rena.com/help. The community is here to support you and provide assistance when needed.", "Question: How is the process managed if an issue is overlooked by the wardens and is later discovered by a judge or other wardens after the contest has ended?\n\nAnswer: The order of submitting issues does not greatly impact the proceedings as the discussion is not necessarily dependent on it. If an issue which was missed initially is found by the judge or other wardens, it can be raised to the judge for reconsideration even before the judging results are published. Multiple wardens finding the same issue does impact the reward distribution, with each warden receiving less money for that issue. More details can be found [here](https://docs.code4rena.com/incentive-model-and-awards).\n\nIf a previously identified issue can lead to a high severity finding, it can be reported again during the contest by a warden and could receive a higher severity rating. Judges have the authority to mark an issue with a higher or lower risk than what was proposed by the wardens, if they deem it necessary.\n\nIf an issue is queried as invalid, the process can be monitored using the backstage channel for the post-judging stage of the concerned contest. These queries need to be raised within 48 hours of contest close. 
This allows the wardens and judges to discuss and clarify any issues that may arise. \n\nIf a judge is unable to complete their work in a timely manner, the contest is reassigned to another judge. Once the final contest report is published, the findings reports become public. Certified+ wardens can view the findings repo immediately after a contest ends to assist with post-contest processes.\n\nIn case of any concerns or issues with a report, clarification may be sought from the wardens. The final report for a contest, however, does not include wardens whose submissions/findings are not accepted. The number of participating wardens in a contest is only disclosed after the contest ends.\n\nLastly, for each contest, a warden is asked to run c4udit and post the output in the contest channel. If an issue is posted in the channel, it is considered a known issue and these are out of scope. \n\nThe platform does allow viewing of reports from other wardens even after contests have ended. However, if there is no table with results, the visibility could be limited.", "Question: Why can't I see a specific contest in the live contest section on the CodeArena website?\n\nAnswer: This could be due to several reasons. Firstly, there might be a gap in the schedule for the live contests. The specific contest that you're looking for may have moved from the upcoming contest section but has not started yet - the page doesn't automatically reload when a contest starts. Secondly, the contest might be live but the updates may not have been posted on the specific channels yet. It's also important to note that the website issues relating to contest visibility are typically resolved by our team and are not user-related. Remember, all contests, both public and private, are listed on our website - code423n4.com. 
If you're looking for information on a specific contest such as the Livepeer contest, you can directly access the contest page using the provided link (For example: https://code4rena.com/contests/2022-01-livepeer-contest). Lastly, if you're having issues submitting findings or viewing reports, please note that it's a known issue and our team is working on it. In the meantime, you can use the form on our website to submit your findings for each contest. If you're facing difficulty running the contest with provided instructions, please let us know and we'll assist you.", "Question: Can you explain the meaning and implications of the \"bug\", \"grade-C\", and \"unsatisfactory\" labels on my issue?\n\nAnswer: The labels \"bug\", \"grade-C\", and \"unsatisfactory\" are used on our platform to classify the quality of issues reported by users. Specifically, these labels indicate issues that are not eligible for rewards due to various reasons such as incorrect submissions, user error, or low-quality reports. These labels also play a significant role in our grading system.\n\nA \"bug\" label simply means that an issue has been identified in a smart contract. The severity of this bug can be high, medium, or low, and the severity level can influence the eventual grade given to the report. For more details on severity categorization, you can check out our guidelines at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization.\n\nThe \"grade-C\" label indicates a submission that did not meet the necessary requirements for a higher grade. This could be due to multiple low-impact issues or even a single but poorly reported high-impact issue. Importantly, a grade-C is considered unsatisfactory, and hence, not eligible for rewards. For more insight into the grading system, please visit https://code4rena.com/judging-criteria/.\n\nThe \"unsatisfactory\" label is given to submissions that have not met the required standards set by our judges. 
This can be due to a variety of reasons, including incomplete submissions, poorly defined bugs, or user error.\n\nIt's important to note that a good report isn't solely about identifying as many issues as possible. The quality of the submission also relies heavily on the correct identification of the bug's severity, providing evidence to back up the chosen severity, and clear and understandable writing.\n\nWhen submitting your findings, it's recommended to make separate submissions depending on the type and severity of the bugs found to avoid confusion and improve the clarity of your report. If you're unsure about the severity of a bug, consider the impact of the bug and refer to our guidelines for estimating risk at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr.\n\nFinally, remember that even if a high severity bug turns out to be medium, you'll still receive the reward for a medium bug as long as the submission was satisfactory. It's not considered overinflated severity unless it violates the guidelines provided at https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions.\n\nIn any case, it's always good to understand why a bug was not accepted or downgraded to improve your future submissions. We're also considering adding bug severity to the emails sent out after issue submission to provide more clarity for our users.", "Question: How can I view, check the status, or edit my submission for a completed or ongoing challenge on CodeArena?\n\nAnswer: After you have submitted your findings to a challenge on CodeArena, there are several ways to view, check the status, or edit your submission. \n\nDuring an ongoing contest, you can view or edit your own submissions through the contest page. You'll find a \"Your Findings\" button where you can modify your submitted findings if necessary. 
For example, if you're participating in the Ethos Reserve contest, you can go to the contest page using this link: https://code4rena.com/contests/2023-02-ethos-reserve-contest. If you wish to cancel a submission and create a new one, you can do so by withdrawing your findings under the \"your findings\" tab on the contest page.\n\nOnce a contest has ended and is in the judging process, you will not be able to see the status of your submissions until the contest report is published and the relevant GitHub repo becomes public. When the contest report is published, you can view your submissions at https://code4rena.com/reports. \n\nAdditionally, you will receive a confirmation via email when your submissions are confirmed. If your submission was not rewarded, you will be able to review the reasons why it was not accepted once the report is out and the repository is fully opened. This will allow you to see the discussion between sponsors and judges regarding the specific issue.\n\nPlease note that wardens with + certification get to see other submissions immediately after contests end, and there are plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging.", "Question: Can I use Hardhat for testing instead of Foundry in my smart contract project, and if so, how should I proceed?\n\nAnswer: Yes, you can indeed use Hardhat for testing instead of Foundry in your smart contract project. Both tools are highly recommended for generating gas reports and running tests, and can also be used together in a project. \n\nHardhat and Foundry can be used to print local variables that are declared inside a function by using console.log. Hardhat even provides a framework for you to write tests and offers other tools to assist in examining aspects like storage. 
\n\nSpecifically, to utilize Hardhat alongside Foundry, you can refer to a base template available at [https://github.com/foundry-rs/hardhat-foundry-template](https://github.com/foundry-rs/hardhat-foundry-template). \n\nAdditionally, the Hardhat Foundry can fork its state from a public testnet or even the mainnet, making it a convenient choice for testing smart contracts. This feature also allows you to avoid the need to gather testnet tokens for transactions or wait for blocks. \n\nFor learning the testing framework of Hardhat, resources like Codecademy's JavaScript testing module and Alchemy University's Ethereum Bootcamp in week 4 come recommended. \n\nFor debugging Hardhat tests and introspecting contract execution at the EVM opcode level, you can use the tool named \"foundry debug\". However, please note there have been issues reported about the \"Source from artifact has no AST.\" error when running forge debug on a Hardhat project with foundry integration. \n\nIf you're looking to use features like \"upgrades.deployProxy\" from Hardhat in the context of Foundry, you can refer to a GitHub link at [https://github.com/chugsplash/chugsplash-foundry](https://github.com/chugsplash/chugsplash-foundry). \n\nImpersonating an account in Foundry, similar to how it can be done in Hardhat, is possible using vm.prank(address). \n\nFoundry can be installed with Docker, and its setup instructions can be found in their official documentation. If you encounter errors during installation, it may be advisable to seek assistance from the community or official support channels. \n\nFinally, if you wish to modify the number of cases generated by Foundry's fuzz testing, you can follow the instructions at [https://book.getfoundry.sh/reference/config/testing#fuzz](https://book.getfoundry.sh/reference/config/testing#fuzz). 
\n\nIt's important to note that while Hardhat and Foundry provide extensive tools and options for smart contract testing, selecting the most effective setup depends on your project's unique requirements.", "Question: I completed a certification process 3 days ago and also participated in more than 3 contests, yet I do not see Contest 225 on the website. I am expecting to be granted Certified+ status. What should I do?\n\nAnswer: It's great to hear that you've completed the certification process with ProvenanceDAO and participated in several contests. Your Certified+ status, which will grant you access to more contests, should be reflected on your profile soon. The process of updating the 'certified' status typically takes 2 to 5 business days after approval. You should receive an email confirming the finalization of your certification. You can also check if you are certified by clicking your name to see assigned roles.\n\nAs for Contest 225, it should be live on the website soon. Please note that once certified, you can join any contest, including certified contests. However, being certified does not automatically grant access to the previously participated contest in progress judging repository. You would need backstage access for that.\n\nAlso, it is possible to experience some delays in receiving submission confirmation emails due to potential technical issues. If you have submitted findings for contests but have not received any email confirmations, it is recommended to review the available report under the 'Findings' tab on the C4 Contest page. If your issues were rejected, they may not appear in the final report. Additionally, please make sure to check your spam folder and ensure that you can receive emails from submissions@code423n4.com. \n\nIf you have further inquiries about the next audit event or contest or need assistance with the certification process, feel free to reach out to us. 
We're here to assist you.", "Question: I'm having trouble with Slither, regardless of the Python version I use it seems to fail. Has anyone else encountered this issue and how can I resolve it?\n\nAnswer: Slither, a static analysis tool for smart contracts, can be a bit problematic for some users as reported in our chats. There are several potential reasons for Slither to fail, and they may stem from the environment setup, version compatibility, or even related to specific use-cases like bug finding or output generation.\n\nUsers have noted that Slither can have limited success as a bug finding tool, but it's commonly used to generate output. If you're using Slither for these purposes, it might be worth reevaluating its efficacy for your specific needs. It is also possible to write custom checks for Slither which might help you to overcome the issue you're facing. \n\nIf your issue is related to environment setup, such as running the GoGoPool contest or using slither alongside Foundry's remappings, make sure to properly identify and set those remappings for Slither. This could be the source of your problem.\n\nThere are available resources for testing contracts downloaded from Github with tools like Mythril and Slither, which you might find helpful. If your issue continues, you might want to consider other tools or reach out to the community for specific help with your error.\n\nAs a final note, there have been some instances when issues were raised and failed to be taken in by GitHub or during the submission process. 
If this is causing your problem with Slither, please refer to this submission example that had a similar issue: https://github.com/code-423n4/2021-10-slingshot-findings/issues/82 \n\nPlease note that this is a general advice and the specific solution may vary based on the exact error message you're seeing with Slither.", "Q: How can I stay updated about any new contest announcements and participation details at CodeArena?\n\nA: CodeArena provides several platforms for you to stay updated about upcoming contests. For the most immediate updates, you can check our Discord server. Each contest will have its own dedicated channel where all the contest details and relevant information such as the lookout application window opening and automated findings will be announced, and you can find these details in the #\u270brsvp channel, accessible via [this link](https://discord.com/channels/810916927919620096/958800160870240286/1078269625395056680). \n\nIf a contest becomes open to the public, you will find the details in the #\u270brsvp channel as well as the contest channel. We also provide other platforms for information such as the CodeArena website and announcements channel on Discord, so be sure to check them regularly. If there are updates to the contest structure, like the bot race reward structure for the Maia contest, those will also be communicated through our various channels. \n\nCurrently, we are considering the addition of a notification system like a Telegram bot for announcing new contests due to user interest. This is not confirmed yet, but any updates will be announced on our platforms. \n\nRemember, during a contest, participants are allowed to discuss potential submissions with the project's dev team either in the contest channel or through private messaging. Once a contest is over and judging is complete, the results and awards distribution updates can be found in the #\ud83d\udce2announcements channel and the contest channel. 
\n\nLastly, we value user feedback and have a suggestion box for users to share ideas on how to improve the website, leaderboard systems, contest processes, and Discord setup. We hope this information helps you stay connected and informed about our contests.", "Question: How can a user obtain the \"leaderboard\" role on the CodeArena Discord?\n\nAnswer: To obtain the \"leaderboard\" role on the CodeArena Discord, users must first earn a reward by participating in contests, which allows them to appear on the leaderboards. Frequently, it's necessary to rank within the top 5 in these contests to qualify for this role. Once a user has achieved this, their Discord profile is updated with the \"leaderboard\" tag. Please note, if a user changes their Discord handle, they must update it on their profile on the site to ensure continuity. You can view the leaderboards at [https://github.com/code-423n4/code423n4.com/issues?q=leaderboard](https://github.com/code-423n4/code423n4.com/issues?q=leaderboard) and request changes to profile icons on the leaderboard via a help desk request at [https://code4arena.com/help](https://code4arena.com/help). Please be aware that leaderboard updates are typically carried out when awards are announced.", "Question: I'm having issues with opcode support in Foundry and it happens every time I use it. Can you provide any guidance?\n\nAnswer: Yes, we've noticed that some users have reported issues with opcode support in Foundry. Foundry is a framework that allows you to write tests and has tools to check things like storage. It also allows you to introspect contract execution at the EVM opcode level through the \"foundry debug\". 
It seems you're not alone in experiencing difficulties, as some users have also reported problems when executing foundry fork testing in the Polygon POS network and running forge debug on a hardhat project with foundry integration.\n\nTo resolve these issues, you can try installing Foundry with Docker, as this has helped some users. Please refer to this base template which provides guidance on how to use Foundry in a project that employs Hardhat: https://github.com/foundry-rs/hardhat-foundry-template. \n\nIf you're new to opcodes, you might find this learning resource useful: https://www.evm.codes/. It can help you understand how to check for opcode usage on-chain. \n\nRemember, if you encounter any other issues or need further clarification, you can always reach out to the CodeArena help desk. We aim to respond to your queries in a timely manner. Additionally, these YouTube links can provide further assistance with understanding the Foundry framework: https://www.youtube.com/watch?v=Rp_V7bYiTCM and https://www.youtube.com/watch?v=EHrvD5c93JU. \n\nI hope this helps and good luck with your coding!", "Q: What is the policy for submitting the same bug for a Code4rena contest and an Immunefi project, how are duplicate submissions handled, and how does the reward system work in these scenarios?\n\nA: At Code4rena (C4), a participant cannot submit the same bug identified during a contest for a reward on both the Code4rena platform and another platform, such as Immunefi. This is detailed in our submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#findings-in-parent-of-forked-projects). \n\nIf two participants submit the same bug at the end of the contest, the judging criteria for duplicate submissions are available [here](https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions). 
The payout does not differentiate between the first person to find a bug and any subsequent person who finds the same bug; the overall value of the bug is reduced and split based on how many people find it. \n\nIt's worth noting that Code4rena's approach differs from the traditional bug bounty model employed by platforms like Immunefi, where only the first valid submission receives the reward. C4 allows all auditors who report the same bug to get a portion of the bounty, even if they were not the first to report it. \n\nIn the scenario where two team members find the same issue but submit it with different wallets, the same duplication and reward policy applies. For more information on the incentive model and awards, you can reference our site [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit).\n\nFor any further queries regarding the policy, bug submission process, or the contest in general, we encourage participants to reach out to the sponsor team during the contest or submit their questions [here](https://code4rena.com/help/).", "Question: What should I do if I encounter issues while accessing the CodeArena website, logging in, submitting findings, or using platform functions?\n\nAnswer: If you encounter any issues while accessing the CodeArena website, logging in, submitting findings to our contests, or using any platform functions such as 'Create Issue', password reset, running contests with provided instructions, or viewing the console on mobile, there are several steps you can take:\n\n1. Ensure that you are properly logged in. There have been occurrences where the system signifies a successful login, but the user interface does not change. In such cases, try logging out and logging back in.\n\n2. If you're having issues with submitting findings, keep in mind there have been reports of participants seeing 'No findings submitted for this contest' even after submission. 
If this occurs, double-check your submission and try resubmitting. \n\n3. If you're having trouble with the 'Create Issue' button, it appears this can happen with no console errors being present. Check if the issue persists on another browser or device and report it to our support team.\n\n4. If you're unsure about the severity of a reported issue, a good reference is the discussion at https://github.com/code-423n4/org/issues/8, where handling multiple instances of the same issue is discussed.\n\n5. There have been reports of API rate limit issues when attempting to submit reports. If you encounter this, please wait and try again after some time.\n\n6. For mobile users, if you're having difficulties, such as being unable to view the console, we recommend trying on a desktop browser, if possible.\n\nRemember, while we strive to ensure a seamless experience, intermittent difficulties do occur. If you face any persistent issues, we encourage you to reach out to our support team. We also have active discussions on our Discord where you can seek guidance from other users who may have experienced similar issues.", "Question: What is the significance and process involved when a submission is marked as \"marked the issue as primary issue\"?\n\nAnswer: When a submission is marked as \"marked the issue as primary issue\", it signifies that the particular issue is being used as a central point to cluster or group similar or duplicate issues around it. This is a practice done not in order of submission time, but because the issue has been recognized for its exceptional write-up, which is a factor considered by the judges. This system also acts as an incentive to encourage high-quality submissions. \n\nThe chosen primary issue is evaluated by the judges after the contest ends. It's worth noting that the order of reported issues doesn't necessarily follow the order of submission time. 
\n\nAlso, an issue can be marked as edited-by-warden if the submitter has used the website to modify the issue after its initial submission. This tag is merely a marker to track edits and does not indicate any wrongdoing. \n\nTo reference a separate submission during the submission of an issue, you can refer to its number on the \"your findings\" page. If you decide to withdraw an issue, it is marked as such and then closed. \n\nUpon submitting an issue, confirmation is usually sent via email. If there's any uncertainty or questions about the submission process, the submission guidelines can be found at [submission guidelines](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). It's also possible to revise the severity of issues post-submission by the judges.\n\nThe grading criteria for quality submissions include correct identification of the highest severity impact of the bug, making a case for the severity and validity chosen with evidence, and clarity and understandability in writing. \n\nRemember, editing a submission is normal and the issue will simply be tagged to track that it\u2019s been edited. If submitted issues are similar, grouping them together is appreciated by judges and sponsors. You may also be rewarded for a submitted issue, even if a judge downgrades its severity, unless it is invalidated for overinflating severity.", "Question: How do I correctly set up and manage my Metamask wallet with the Polygon Mainnet on Code4rena?\n\nAnswer: To set up your Metamask wallet with the Polygon Mainnet on CodeArena, you need to switch the network on your Metamask to Polygon Mainnet. After doing so, copy your public key and paste it into your Code4rena account. You can add your public key from Polygon Mainnet to your CodeArena account in your profile settings.\n\nYour Metamask wallet should now be able to display tokens while on the Polygon Network. 
If this is not the case, the tokens might need to be manually added. You will be able to receive payments in Code4rena via your connected Metamask wallet. \n\nBe aware, however, that your funds will be sent on the polygon network, not the Ethereum network. It's also important to note that Code4rena does not currently allow users to change their login wallet address, but if you have Metamask, you can link multiple addresses. For further clarification, you can refer to Code4rena's documentation at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. \n\nTo move your funds back to the mainnet, you can use the Polygon bridge at https://wallet.polygon.technology/. Keep in mind that if you are bridging from Polygon to Ethereum and later wish to withdraw USDCs on Coinbase, you will need both Matic and Eth if using the Polygon bridge. Alternatively, you can use the Hop Bridge, which only requires Matic, but will result in less USDC received on the Ethereum Mainnet. \n\nMonitor your tokens on https://polygonscan.com/address/ and always ensure the security of your private keys. There have been instances of Metamask wallets being compromised, so please take appropriate security measures. If you suspect that your key might have been compromised, you can change your payment address on Code4rena to a new wallet address to secure your future rewards. \n\nIn case of any issues or queries, refer back to the chat history in Code4rena or reach out to the community for assistance.", "Question: If I've earned rewards and appeared on the leaderboard, should I submit a helpdesk ticket, and if so, how do I go about it?\n\nAnswer: If you've earned rewards and appeared on the leaderboard, you don't necessarily need to create a helpdesk ticket unless you have a specific issue or request. 
For instance, if you would like to get the \"leaderboard\" Discord role, request a change in your leaderboard/contest results link, update your profile icon, link your Twitter account to the Code4rena leaderboard, or check your eligibility for a backstage role, you can do so by submitting a helpdesk ticket. \n\nTo submit a help desk ticket, you need to go to https://code4rena.com/help and provide a detailed explanation of your issue or request. Your ticket will then be reviewed by the CodeArena team. \n\nIt's also important to note that if there are any issues with rewards distribution or if you believe there are discrepancies with the leaderboard, you can also raise these concerns through the help desk. However, please keep in mind that there may be delays in the display of rewards and the final report of the contest appearing on the C4 site after the leaderboard is shown and rewards are sent. \n\nLastly, if you're part of a team and receive rewards both individually and as part of that team, you will appear separately on the leaderboard. Your leaderboard status, in general, is based on the audits with published results and contest performance. So, if you observe any issues with your status or you have a query about rewards, feel free to submit a help desk ticket.", "Question: \nDoes the size of a mapping (like mapping(address => )) affect the Ethereum Virtual Machine (EVM) execution or gas costs? \n\nAnswer: \nNo, the size of a mapping does not impact EVM execution or gas costs. This is because a mapping is a hashmap, maintaining a constant complexity of O(1), which implies there's no performance overhead regardless of its size. Each slot in the EVM is 32 bytes, and any extra space in an address field is filled with zero padding. However, it's important to note that even though the size of the mapping doesn't affect performance or gas cost, the way you handle and store data can have an impact. 
Solidity stores state variables in 32 bytes storage slots and packing multiple variables into fewer slots, if they are declared next to each other, can reduce gas costs. More about variable packing can be read [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html). Also, note that a function can run out of gas if the input is large enough. A common solution to this is to have a start offset and a maximum length to process data in batches. Finally, automatic gas optimizations can be detected using automated audit tools, but their applicability may depend on specific scenarios.\n", "Question: I am unsure about the submission UI issues. Do these affect how the judges view the reports and the numbers included in them? Can I communicate with the judges directly?\n\nAnswer: It's understandable that you may have concerns about this. The issue you're referring to is a known UI issue particularly associated with numbered lists in markdown. Despite the numbers not showing in the preview tab, rest assured that they will be visible to the judges when the report is submitted. Unfortunately, you cannot contact judges directly. They can however view your submissions and the reported issues without needing a direct link sent to them. \n\nThe judges' evaluation isn't solely based on submission time, but also on the quality of the report and write-up. Judges can update the severity of issues after submission, and they have the ability to select the primary issue based on the quality of your report, rather than the order of submission. You can refer to its number on the \"your findings\" page during submission, and also name your findings with a number to aid the judges. \n\nBear in mind that the format of your report can also influence its evaluation by the judges. When a submission to a contest is made but not awarded, you can review why it was rejected after the report is published and the repository is fully opened. 
This helps you to see the discussions among sponsors and judges on the specific issue. \n\nMoreover, after a contest has ended and the judging process is underway, the status of your submission will not be visible until the report is published and the repository becomes public. \n\nFor further details on grading QA reports, you can visit these links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: What are the guidelines and best practices for submitting gas optimization reports, and how can one maximize their potential earnings from these submissions?\n\nAnswer: Gas optimization is a key aspect of smart contract audits, but there can be some confusion regarding how to report these findings effectively. \n\nWhen submitting gas optimization reports, it's recommended to specify how much gas is being saved for each optimization, even though this is not a strict requirement. Including this information can potentially increase the points for your submission. You should also provide proof of how much gas the refactoring saves to affirm the validity of your claim. \n\nYou can submit gas optimizations in contests as well. It's recommended to report any gas optimizations separately, but findings that are relevant to both QA and gas savings can be included in either report. Judges will decide where it best fits.\n\nEarnings from identifying gas optimizations can vary based on proficiency and the quality of your submissions. 
The award for gas optimization reports is usually 5% of the contest prize pool, but this percentage can be altered by sponsors based on the importance of gas savings to their project.\n\nPlease be aware that not all gas optimizations are valid when the optimizer is enabled, and this can create some confusion about what should be reported. When in doubt, don't hesitate to ask for clarification in our Discord chatroom.\n\nIt's also worth noting that even non-critical findings can be included in gas optimizations and can contribute to your earnings.\n\nHere is an example spreadsheet for reference on how the reward for gas optimization is distributed: https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0\n\nRemember, gas optimization is a potential starting point for a first-time audit and can provide valuable insights into the efficient operation of a smart contract. So, whether it is your first audit or you are an experienced auditor, ensuring gas optimization is a crucial part of your audit process.", "Question: As a registered warden, how can I change the wallet attached to my account and what are the effects of changing my username on my registration?\n\nAnswer: As a registered warden with Code4rena, you can change your wallet address where you receive awards. The information on how to do this is available at: [https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards). \n\nHowever, please note that currently, Code4rena does not allow users to change their login wallet address. But, if you have Metamask, you can link multiple addresses. 
More detailed information on this process can be found here: [https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with).\n\nRegarding your username, changing it could potentially affect your registration as a warden. If you decide to change your username, you may need to review your registration details and make sure everything is in order.\n\nIf you encounter any issues or have further questions about warden registration, changing the wallet attached to your user account, or other inquiries, you can refer to the FAQs at: [https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting](https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting). If you can't find what you're looking for, don't hesitate to submit a help request at: [https://code4rena.com/help](https://code4rena.com/help).", "Question: Why doesn't the preview tab show the numbers for the numbered list in valid markdown? Does this affect the final submission?\n\nAnswer: This is a known issue in our system where numbered lists in valid markdown do not display numbers in the preview tab. Despite this glitch in the preview, rest assured that your numbers will be visible when you submit your report. We're aware of this and our team is working on fixing it. \n\nIt is important to note that the Markdown Renderer on our site might not always provide an accurate preview. For a better visualization of your formatting, you might want to consider viewing your code on Gist. On top of that, you can use platforms like GitHub, Joplin, VScode, and Notion to write and format your reports as long as they support markdown. 
Some users find it helpful to create issues in Notion, format them there, and then copy-paste the formatted text when submitting as it maintains the necessary markdown formatting.\n\nWe also suggest using Markdown for adding code blocks in your reports. You can use the guide here: [Guide for Code Blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks) for assistance. There's also a VS code extension called \"Copy With Line Numbers\" which you can use to get a code snippet with line numbers. It's available at [VS Code Extension](https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers).\n\nPlease also be aware that our findings report page does not support HTML tags. It\u2019s best to stick with Markdown for your reports. In addition, markdown formatting can be included in issue titles and findings body. For the latter, however, it's recommended that only links should be included in the small box.\n\nWe appreciate your understanding and patience as we continue to improve our system.", "Question: How does CodeArena handle multiple issues that can be resolved by fixing the same root cause? Are they considered separate issues or a single one?\n\nAnswer: At CodeArena, if two different issues can be addressed by fixing the same root cause, they are generally considered as one issue. This is because the focus is on addressing the root cause, which effectively resolves both issues. However, there are some exceptions to this. If fixing the root cause doesn't fully resolve both issues, meaning one of the issues remains active, they might be considered separate issues. \n\nSimilarly, if the same vulnerability is found in multiple different components of the codebase, it's up to the judge's discretion to determine if they're duplicates or separate findings. 
Issues that are essentially the same, but occur in different places within the same contract and carry the same meaning, may also be reported as separate issues. \n\nIn case of uncertainty whether findings should be submitted separately or as one consolidated issue, it is advisable to lean towards grouping similar issues together, as this is generally appreciated by judges and sponsors. However, different optimizations should ideally be submitted as separate issues since a single issue submission will be evaluated as one. \n\nIn terms of submitting findings, a single report encompassing all occurrences of the same vulnerability is acceptable. However, if two separate vulnerabilities can be combined to yield a more significant one, a third finding can be submitted explaining this concept. \n\nWhen it comes to reward distribution, if multiple users report the same or similar bugs, it's unclear how the bounty is divided. Users are, however, advised not to submit different issues with varied impacts or attack scenarios if they all stem from the same root cause. \n\nLastly, it's worth noting that even if a certain issue is detected by the bot race, it remains valid for submission if another instance of the same issue hasn't been picked up by the bots. Similarly, issues might potentially be upgraded to a higher severity based on a good explanation of the finding. \n\nIn conclusion, while the general rule is that multiple issues resolved by fixing the same root cause are counted as one, the final determination often depends on the specifics of each case.", "Question: What is the best way to showcase the locations of vulnerabilities when reporting them to CodeArena?\n\nAnswer: When reporting vulnerabilities, it's recommended to utilize both: 1) a URL to the repository with the specific line or range of lines in the text, and 2) a solidity code block. 
This comprehensive method ensures that CodeArena receives all the necessary information.\n\nThe URL should be a permalink to the affected code block on GitHub. This can be created by clicking on the code line on the left tab which will change the URL. Holding SHIFT can capture a range of lines. More information on creating permalinks to GitHub code can be found [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-a-permanent-link-to-a-code-snippet#linking-to-code).\n\nThe Solidity code block should be included in the 'Proof of Concept' section of your report, along with any other relevant proof such as screenshots, logs etc. If your Proof of Concept is too large to be embedded directly, you can provide a link to a [private gist](https://gist.github.com/) which can securely host your code without exposing vulnerabilities publicly. If utilizing a private gist, the link can be included in the submission where relevant.\n\nAdditionally, if there are the same vulnerabilities on separate functions, they can be included in one report. More discussion on this can be found at [this link](https://github.com/code-423n4/org/issues/8).\n\nFor issues where mathematical expressions need to be displayed, or for adding syntax highlighting in a code block, you can use three backticks and specify the language (e.g., ```solidity). Ensure to properly format your Solidity code to make your submissions easier to understand. \n\nLastly, if you're utilizing automated tools for attack findings, keep in mind there is a higher burden of proof to demonstrate a relevant HM exploit path to be considered satisfactory. 
More information can be found [here](https://github.com/code-423n4/org/discussions/50).\n\nIn conclusion, providing a comprehensive and well-formatted vulnerability report with the necessary links and code blocks not only makes the process efficient, but it also helps the CodeArena team in understanding and addressing the vulnerability effectively.", "Q: How are multiple issues related to the same root cause considered in an audit, especially if fixing the root cause doesn't address all issues? Also, how should different instances of the same bug in the code or different ways of exploiting a single line of code be reported? \n\nA: In the context of a smart contract audit at CodeArena, multiple issues that come from the same root cause are typically counted as one. This is the case even if they have different impacts or enable different attack scenarios. However, this is not always straightforward. For instance, if the mitigation of the root cause doesn't fully resolve all related issues and one of them remains active, the case might be dealt with differently. \n\nWhen the same vulnerability manifests in various components of the codebase, it might be counted as separate findings, though this is ultimately determined by the judge. Likewise, if a single line of code presents multiple ways of exploitation, it's unclear whether to report it as one bug or multiple, though it seems preferable to report all bugs while prioritizing the most impactful one.\n\nThere are times when duplicate findings might not be upgraded in severity, especially if they have not been well explained or proven. Conversely, if two distinct vulnerabilities can be combined to create a more potent attack, it's acceptable to submit a third finding that details the proof of concept. \n\nThere's also a suggestion to treat each occurrence of the same bug appearing in different places as separate issues. 
However, if an issue is either of extremely small impact or lacks sufficient detail or proof, it might be disregarded. \n\nWhen it comes to submitting findings, the emphasis is on a good explanation of the finding rather than the specific severity. High severity findings should be prioritized, and it's even acceptable to include both high and low/medium severity issues in the same report. However, it's worth noting that findings without a Proof of Concept (PoC) might be disregarded unless the issue is extremely obvious. \n\nLastly, if an issue identified in an automated finding can lead to a high severity finding, it could be reported again during the contest by a warden and could be awarded with higher severity. The same applies to an issue found in the same category as a bot report but not included in the bot report - it can be considered a valid finding. \n\nIn all cases, when unsure whether to submit findings as separate issues or as one, it might be best to seek clarification.", "Question: How can I become a certified contributor and gain a certified role at Code4Arena?\n\nAnswer: To become a certified contributor and obtain a certified role at Code4Arena, you need to go through a specific process. This process involves satisfying certain prerequisites, clearing KYC, and undergoing certification which is approved by provenance. \n\nThe detailed step-by-step instructions can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. After approval, it generally takes a few days for the role to be reflected in your profile. You can check if you have been certified by clicking your name to see assigned roles, and you will also be updated on the status of the certification process via email. \n\nAdditional roles such as 'backstage' or '+backstage' can be obtained only after you have been certified. These roles allow you to discuss your findings and participate in invitational or private audits. 
Instructions to get the 'backstage' role can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. You can request for '+backstage' if you believe you meet the required criteria by submitting a helpdesk request.\n\nPlease note, the first high vulnerability you identify could earn you a backstage pass. Users who are certified can also edit their profile. To participate in exclusive audits and contribute in a deeper manner, certification is a necessary prerequisite.", "Q: How can I accurately determine and report the risk level (high, medium, low/QA) of issues found during my smart contract audits for CodeArena?\n\nA: The risk level of an issue found during a smart contract audit is primarily determined by its potential impact. CodeArena provides a detailed framework for estimating risk levels on its website: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk\n\nTo give you some context, an issue can be classified as high, medium or QA (Quality Assurance), which is considered the lowest risk category. Some factors to consider are, if the principal can be stolen without additional requirements, then it's likely a high-risk issue. If there's a risk of all rewards being lost, it's considered a medium to high risk. A risk of losing some rewards is generally medium risk, and if the loss of rewards is due to rounding errors (a negligible amount), it's typically classified as a QA risk.\n\nIf you are unsure about the severity of a reported issue, review the judging criteria provided in the link above and try to make a clear case for the chosen severity using evidence. Judges have the ability to downgrade or upgrade issues based on their assessment, so it's important to provide a clear and comprehensive explanation of your findings.\n\nAvoid submitting a high volume of low-quality reports. Low-quality reports are considered as those that lack a clear explanation or path to the finding. 
\n\nIn terms of reporting, you can include both high severity and medium/low severity issues in the same report, but ensure more effort is put into high severity issues. Non-critical findings can all be included in one QA report or you can create a separate QA report for each finding. Remember, if a finding initially reported as low risk in a QA report is determined to be medium by the judges, it can be upgraded and will be eligible for medium rewards.\n\nMore discussions and examples of top QA reports can be assessed at the following links: https://github.com/code-423n4/2022-04-backd-findings/issues/182, https://github.com/code-423n4/2022-04-phuture-findings/issues/56, and https://github.com/code-423n4/2022-04-dualityfocus-findings/issues/33. These reports can guide you on how to effectively document and report your findings. \n\nLastly, if you discover multiple findings and wish to include additional findings after an initial submission, you can do so following the procedures detailed in the CodeArena guidelines.", "Question: Can I ask questions about the findings of past projects (audit report is already released in public), and are there any guidelines or protocols we need to follow?\n\nAnswer: Absolutely, you can ask questions about the findings of past projects. It's a great way to learn and improve your auditing skills. However, it's important to respect the fact that specific findings should not be discussed until a report has been posted for the contest in question to avoid divulging sensitive information. \n\nFor the best learning experience, many successful auditors recommend reading past audit reports to understand them better. The findings repo, which includes these reports, is made public once the report is published.\n\nIf you're new to auditing, you might want to look for recommendations on past contests to practice on. 
It's also important to understand that different projects have different audits and findings can vary greatly.\n\nWhen participating in auditing contests, you are allowed to fork the codebase and create a private repository on Github; this is not considered as information disclosure. The submitted findings will be created as a Github issue. You can also review your submissions and those of others after the report is published and the findings repo is made public.\n\nNote that projects have access to submitted findings before the contest completion. Discussing potential findings with a sponsor over discord or other private messages does not invalidate the finding. \n\nIf you're unsure about anything, don't hesitate to ask. The CodeArena community is here to support you.", "Question: What are the requirements and process for participating in private competitive audits at CodeArena?\n\nAnswer: To participate in a private competitive audit at CodeArena, you need to be a certified warden. Certification involves competing in audit contests and meeting certain conditions. More information on certification can be found at the following link: https://docs.code4rena.com/roles/certified-contributors. \nOnce certified, you may apply to participate in private audits. Each private audit contest might have its own eligibility criteria, which will be listed under the #\ud83d\udd96rsvp-certified channel. Some of these may include ranking on the leaderboard or having participated in the original audit. \nYou can also participate in the audits as part of a team, with a single wallet being used for registration. However, it's important to note that team members can also participate individually in the same contest their team is auditing. \nFor the participation in private audits, completion of the KYC process is also required, details of which can be found at: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. 
\nKeep in mind that while certified wardens are generally eligible for private audits, there might be additional conditions depending on the specific audit contest. Furthermore, it's worth noting that private audit contests are distinct from public audits and might be confused. \nFinally, announcements about upcoming contests are made as and when they are scheduled, so stay tuned for updates on potential audit opportunities.", "Question: How are issues categorized in the CodeArena audit process, specifically if two different problems can be solved by addressing the same root cause?\n\nAnswer: At CodeArena, if two different issues can be resolved by fixing the same root cause, these are considered as a single issue, especially if the root cause is the same. However, if addressing the root cause without considering both issues might still leave one of them unresolved, it could be viewed differently. In situations where there is uncertainty whether to submit findings as separate issues or as one, it may require additional deliberation. It's important to note that when multiple wardens find the same issue, the available award is shared among them, potentially reducing the reward each warden receives. More details on this can be found in our incentive model and awards documentation at https://docs.code4rena.com/incentive-model-and-awards.\n\nThe severity of issues should be assessed based on our guidelines, which can be found at https://code423n4.com/judging-criteria/. It's also possible to upgrade issues from a QA report to medium or high, as outlined in our help page: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum. \n\nFinally, in the context of reward distribution, the level of detail in the issue submission, such as the inclusion of a Proof of Concept (PoC), and the thoroughness of issue coverage can influence the award amount. 
Users can view reports from other wardens who found the same issue and learn from their approach. More details about the distribution of rewards, especially when multiple wardens find the same issue, can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards.", "Question: How is the severity of a lack of constraint on admin 'setter' functions for state variables determined in the CodeArena audit process?\n\nAnswer: The severity of a lack of constraint on admin 'setter' functions for state variables is typically considered either low or medium in the CodeArena audit process. This classification is largely dependent on a balance of consequence and likelihood, with high consequences usually involving sizeable fund loss and medium consequences having lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness.\n\nIf a finding is submitted as a low in a QA report, but the judges determine that it's a medium, it will be eligible for medium rewards as per CodeArena's guidelines. Similarly, if a finding is submitted as medium severity but the judges consider it high, the severity of the finding can be upgraded, unless there is a reason to penalize it. \n\nIt's important to note that while it is possible to submit a medium/high report without recommending mitigation steps, an explanation as to why it cannot be feasibly mitigated should be included. \n\nParticipants should also be aware that while 'on the fence' vulnerabilities might be a challenge to rate as either High or Medium risk, misclassifying a bug's severity in a submission doesn't necessarily invalidate the finding. 
A High severity bug that turns out to be only Medium would still receive the reward for a Medium bug.\n\nAlways refer to guidelines provided by CodeArena for more information on the severity classification and rewards determination: https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions and https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Question: What is the process and timeline for becoming a Certified Warden at CodeArena after the Provenance verification process?\n\nAnswer: After your application for becoming a Certified Warden at CodeArena is approved, it enters a queue for certification. The verification process is delegated to Provenance and requires a Know Your Customer (KYC) process, where you might need to provide an identity document such as a passport or driver's license. The initial email from Provenance doesn't specify a timeframe for delivery. However, after working with Provenance, it generally takes around 1-2 business days for the process to be completed. \n\nPlease note, it might take 2-3 weeks to receive the KYC email after submitting an application. The email is sent from compliance@provenance.company and it may appear in your spam folder, so please check there. \n\nOnce approved by Provenance, it takes approximately 2 weeks to be officially marked as a Certified Warden. This status update will be communicated via email. Also, please bear in mind that certain conditions may need to be met to attend a private audit. \n\nFor more specific information, you can refer to our detailed process here: https://docs.code4rena.com/roles/certified-contributors.", "Question: How should I report an issue where the price got by latestRoundData is not being checked for stale values and it's not being checked for the answer in the same roundid issue? 
Should I treat these as one issue or separate, and how will this impact the reward calculations if multiple wardens find the same issue?\n\nAnswer: In the case of missing oracle validations, such as not checking for stale values and not checking for the answer in the same roundid issue, these could be treated as one issue. This is because they relate to the same underlying problem and can be resolved by fixing the same thing. When you submit the issue, be sure to provide a detailed demonstration of both points.\n\nIf two wardens submit similar or identical issues, the level of detail in the submission can affect the reward calculation. The more comprehensive and detailed the submission, including aspects such as a Proof of Concept (PoC), the potentially higher the reward. However, be aware that duplicate issues may not receive a reward - this is usually granted to the first reporter.\n\nA judge has the final say in these matters. If you're unsure, it's best to ask in the Discord chat or refer to specific examples of awarded issues, such as the one marked as low at [https://code4rena.com/reports/2022-12-caviar#l-01-missing-reentrancy-guard-to-withdraw-function](https://code4rena.com/reports/2022-12-caviar#l-01-missing-reentrancy-guard-to-withdraw-function). \n\nThe importance of detailed reporting was also highlighted in a debate about the \"missing 0 address check\" issue [https://github.com/code-423n4/2021-10-badgerdao-findings/issues/5](https://github.com/code-423n4/2021-10-badgerdao-findings/issues/5). It's crucial for the community to understand the context of the reported issue for better impact.\n\nRemember, if you find multiple similar issues in a code such as Reentrancy attacks or gas optimizations, report them all together. In cases where only one high and one medium issue is found in a contest, the rewards are distributed accordingly. 
If two people working as a team find the same issue but submit it with different wallets, it may affect the outcome, as the first valid submission is generally rewarded. Always consult the CodeArena community if you have doubts.\n", "Question: Where can I find information on current and upcoming contests, as well as details on past contests, on the Code4rena website?\n\nAnswer: All contests, both public and private, are displayed on the Code4rena website. You can check the main page https://code4rena.com for any upcoming contests. Detailed information about ongoing competitions can be found on the contest page at https://code4rena.com/contests. After a contest is closed, you can access reports on past competitions at https://code4rena.com/reports. These reports also include comments from the judges on the contest submissions. If you have any issues or questions regarding a contest, you can submit a help request at https://code4rena.com/help. Contest rules and the incentive model for rewards can be found in the documentation at https://docs.code4rena.com/. More detailed insights about Code4rena's audit contests can be found at https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef.", "Question: What are the computer requirements and resources needed for auditing a smart contract?\n\nAnswer: There is no specific type of laptop required to audit a smart contract. The minimum PC requirements for such tasks are relatively low; even a 10-year-old PC should be capable of handling the job. However, certain tasks, notably fuzzing, can benefit from a faster computer. \n\nIn terms of resources, platforms like Sherlock can be used for auditing smart contracts, though they require a high level of competence in the field. For beginners, there are several resources available to start learning about smart contract auditing. 
Resources include the CodeArena documentation at https://docs.code4rena.com/roles/wardens/tools-and-resources and the post by @cmichel at https://cmichel.io/how-to-become-a-smart-contract-auditor/. \n\nAdditionally, the #\ud83c\udfebeducation channel on our Discord server may provide more insights into auditing smart contracts. Some smart contract projects, particularly complex ones, may require professional mathematicians to audit formulas. This emphasizes the fact that the importance of mathematics for auditing can depend on the smart contract project being audited, with some requiring basic math, and others advanced financial mathematics. For blockchain forensic analysis resources, you may refer to websites like https://immunefi.com/, https://spearbit.com/, and https://hats.finance/.\n\nIt is also worth exploring emerging techniques such as applying machine learning to smart contract auditing. For example, there is research into using graph neural networks for this purpose (https://www.ijcai.org/proceedings/2020/0454.pdf). An intriguing idea mentioned in our chat discussions involves converting a smart contract into image-like shapes, then training a model based on these shapes to predict the vulnerability of future contracts. A relevant GitHub link for this concept can be found at https://github.com/DanielVF/evm-contract-draw.\n\nFinally, you can also refer to this YouTube video that explains some aspects of contract auditing: https://www.youtube.com/watch?v=wCD3fOlsGc4. However, please note that these methods are continually evolving, and it's vital to stay updated with the latest practices in the field.", "Question: How do certified contests, such as the upcoming 225, impact the C4 leaderboard rank, and what benefits does this have?\n\nAnswer: Yes, certified contests like the upcoming 225 do indeed impact the C4 leaderboard rank. The leaderboard ranking is affected by both the current contest and the total participation of a contestant. 
Once certified, users can join any contest, including certified contests. Being certified also grants access to more contests and allows you to audit private contests given that you have a good ranking on the leaderboard. It's important to note that to participate in private contests after certification, you need to RSVP in the rsvp-certified channel and ensure a high position on the leaderboards from the last 90 days. You can view the cumulative results from the contests on the leaderboard at https://code423n4.com/leaderboard/. The top wardens in the 90-day leaderboard are often prioritized for contests. However, some users have raised concerns that the leaderboard might not accurately reflect a user's accomplishments, as contest results might not be counted for the full duration. It's also worth mentioning that while certified+ status is more stringent and may require high findings or top placements in contests, it allows wardens to see other submissions immediately after contests end, accelerating their learning process.", "Question: How do I determine the severity of a state variable change in a smart contract that can result in reversion in other functions, but is only accessible by the owner? Should it be categorized as QA or medium severity?\n\nAnswer: The severity of a state variable change in a smart contract, which can result in reversion in other functions but is only accessible by the owner, largely depends on the impact of the change or potential damage. If the change can result in a significant loss, it can be classified as medium or even high severity. In contrast, if the effect is minor or negligible, it is usually classified as QA. \n\nHowever, it's worth noting that even constraints on admin 'setter' functions for state variables can be considered a low or medium finding. If a state change fails, it will be reverted back to what it was prior to calling the function. 
A mismatch between the code and its documentation is typically a QA issue if there's no significant impact. \n\nWhen unsure whether to classify a finding as QA or medium, it's suggested to file it as QA unless the proof of concept (POC) is coded. Judges can downgrade or upgrade issues based on their assessment of the severity when they review your QA report. If a finding is submitted as low risk in the QA report but judges determine it as medium, it's usually upgraded automatically and you'll be eligible for medium rewards. You can find more information about this on Code4Rena's help page: [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nRemember, a QA report can always be edited for more details and all non-critical findings can be included in one QA report. If no high/medium issues are found in a contest, all the rewards may move to the QA category. So, it's essential to pay attention to your QA reports as well.", "Question: What are the conditions and criteria for certified wardens to attend and participate in private audits at CodeArena?\n\nAnswer: Certified wardens are eligible to attend and participate in private audits. However, the exact conditions may vary for each opportunity and are typically listed under #\ud83d\udd96rsvp-certified. Generally, wardens must have certification and have competed in audit contests as a part of the certification process. \n\nThe certification process involves participation in a certain number of contests and having a certain number of valid findings or reports. You need at least 3 top finishes in either the QA or gas report from past contests to become a certified warden. 
It's also important to note that versus audits require wardens to be certified. \n\nPlease note that there are three types of audits: public, private (where certification is usually sufficient), and invitational (only specific wardens are invited). While certification usually suffices for private audits, invitational audits usually prioritize the highest-ranked wardens.\n\nIn addition, a KYC process and verification process which may require a passport are also necessary steps to become a certified warden. For more information on becoming a warden, please visit: https://docs.code4rena.com/roles/wardens. For detailed criteria on the private audit contests, please check: https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0.", "Question: What are the requirements and qualifications for participating in the 225 contest and other private contests at CodeArena?\n\nAnswer: \nTo participate in the 225 contest and other private contests at CodeArena such as the PolynomialFi contest, it is required that you are a certified warden. Being a certified warden also allows you to participate in invitational versus contests and mitigation-review contests. You may not necessarily need to rank at the top to participate in private contests, however, being on the leaderboard can increase your odds of qualifying.\n\nBecoming a certified warden involves competing in audit contests and having at least 3 top finishes in either the QA or gas report from past contests. It's also noted that there may be a requirement to participate in a certain number of contests and have a certain number of valid findings or reports. \n\nOnce certified, wardens get access to findings shortly after contests end. High-ranking wardens are prioritized for invitation audits. Versus contests are competitive access for a limited number of the highest performing certified wardens who RSVP. 
\n\nTo become a certified warden and participate in these private contests, you can sign up as a warden and follow the process detailed in the certification documents at [https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints). \n\nPlease note that eligibility criteria for each opportunity is listed in #\ud83d\udd96rsvp-certified. Certified wardens may also have access to private repos after a contest is finished, particularly if they are Certified Plus Wardens. To gain access to contest channels, you need the warden role, which can be obtained by filling the form on the website.", "Question: What are the benefits and requirements of becoming a certified warden at CodeArena in terms of contest participation?\n\nAnswer: Becoming a certified warden at CodeArena offers several benefits. Crucially, it grants wardens access to participate in more contests, including private contests. However, it's important to note that being certified doesn't automatically enable you to join any contest. While some contests require certification for participation and for payouts if any submissions are awarded, others have additional prerequisites or metrics, such as a high leaderboard ranking or specific participation history. This is particularly true for Versus contests and private contests, which often require high leaderboard standing or a particular ranking in recent contests. \n\nTo qualify for certification, you may need to meet certain criteria in terms of the number of contests you've participated in, as well as the number of valid findings or reports you've made. If you're competing as part of a team, remember that all team members need to achieve certified status to be eligible for payout.\n\nOnce you're certified, you're not obliged to apply to every contest, but participation is recommended as a way to improve your skills. 
Certified wardens also have the opportunity to join the backstage, where they can view what others have submitted and learn more quickly, provided they meet certain criteria such as the number of findings and contest participations.\n\nThe certification process can typically be started within 48 hours of a contest, and upon successful completion, you might be awarded if you're eligible. However, it's suggested that the criteria for the advanced certification level, Certified Plus, could be more stringent, requiring a high ranking in multiple contests or producing a significant finding.\n\nTo participate in private contests or to access private repositories after a contest, certified wardens must RSVP in the #\ud83d\udd96rsvp-certified channel on Discord, and ensure a high position on the leaderboards from the last 90 days. \n\nRemember, the eligibility criteria for each contest is listed in the #\ud83d\udd96rsvp-certified channel. It's advised to check the certification documents for further details and to start the certification process in a timely manner to enhance your chances of accessing private contests and reaping the benefits of your hard work and skills.", "Question: How does participation in certified contests affect the leaderboard ranking, and how do these results factor into the ability to audit private contests?\n\nAnswer: Participation in certified contests directly impacts the leaderboard ranking at CodeArena. Certified contest results, including those of special contests like the upcoming 225, are added to the leaderboard, which is updated every time awards are declared. Additionally, rewards from previous private contests are also considered. The total participation of a contestant, which includes their current contest and cumulative results, also affects their leaderboard ranking. \n\nThe leaderboard not only showcases the best contestants after contest results but also plays a significant role in granting permission to audit private contests. 
To gain such permission, a contestant typically needs to be certified and maintain a high rank on the leaderboard. Being certified grants access to more contests including private ones. \n\nHowever, it's important to note that not all contest types are currently supported on the leaderboard, and there have been concerns about the longevity of contest results on the leaderboard. There is an ongoing effort to include more features and contests in the leaderboard ranking. \n\nYou can monitor your rank and contest results on the leaderboard at [https://code423n4.com/leaderboard/](https://code423n4.com/leaderboard/). If you have any changes to suggest or queries about the leaderboard or contest results, please reach out to the help desk at [https://code4rena.com/help](https://code4rena.com/help). \n\nRemember, to participate in private contests after certification, RSVP in the rsvp-certified channel and ensure a high position on the leaderboards from the last 90 days. After each contest ends, users can see the number of overall issues they reported on the leaderboard. However, the final report of the contest may not be immediately available on the C4 site after the leaderboard is shown and rewards are sent, as it takes time to compile. It's recommended to wait until the full public report is published before doing a detailed write-up of any issues or bugs found in a project.", "Question: What is the process and requirement for participating in audits at CodeArena, including versus audits?\n\nAnswer: To participate in audits at CodeArena, including versus audits, it's required to be a certified warden. The certification process involves competing in audit contests. The certification of wardens may have certain conditions, depending on the nature of the audit. The three types of audits are public, private, and invitational. \n\nFor public audits, most of the time, it's not mandatory to be a certified contributor. Private audits, however, usually require certification. 
Invitational audits are exclusive and require certification along with an invitation. \n\nIn the audits, besides identifying vulnerabilities, it's generally required to provide solutions or mitigating strategies. If you wish to participate in an audit that requires Know Your Customer (KYC) certification, this will be specified in the applicable channels. \n\nRSVP is a way for participants to signal their interest in audit opportunities. These opportunities are posted for RSVP, and RSVP is usually assigned based on leaderboard ranking. However, private audit contests are not strictly open to only top-ranking wardens. The eligibility criteria for each opportunity is listed in the specific channel. \n\nTeams can also participate in auditing contests. Note that queries about the difference between advice and a valid issue when auditing and understanding audit reports are common and part of the learning curve. \n\nFor more information on becoming certified, visit https://docs.code4rena.com/roles/certified-contributors. To better understand how to approach auditing of big projects, you can visit this blog post: https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan.", "Question: How should the severity of a bug in a smart contract be categorized, particularly when a state variable's change can result in reverting other functions accessible only by the owner?\n\nAnswer: When categorizing the severity of a bug in a smart contract, it's essential to consider the impact of the vulnerability. This can range from high, medium, low, to QA. In a scenario where a change in a state variable can result in reverting other functions only accessible by the owner, the severity could be classified as low or medium. However, it's important to note that the severity classification may vary depending on the context and possible impact of the vulnerability. 
\n\nFor instance, if a user can arbitrarily push to an array and cause a Denial of Service (DOS) for everyone else, breaking the system's functionality, this could be classified as a high/medium severity issue. In contrast, if a function call in a smart contract always reverts but assets are not at risk, it can be considered as a Medium or High finding depending on the context.\n\nTo categorize the severity, you should consider the consequence and likelihood of the issue. High consequences generally involve sizeable fund loss or other severe consequences that don't require pre-conditions. Medium consequences usually have lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness. \n\nAdditionally, if the issue identified in an automated finding can lead to a high severity finding, it could be reported again during the contest by a warden and could be awarded with higher severity. If there is any uncertainty about the severity of a reported issue, it is advised to review the judging criteria and make a case for the chosen severity using evidence. The judging criteria can be found [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk).\n\nIn situations where you are unsure about the severity after reporting an issue, it\u2019s advisable to continue working on the proof-of-concept (POC) until the severity becomes clear. Also, it's recommended to follow the guidelines mentioned at [Code4Arena](https://code423n4.com/judging-criteria/) to assess the severity of the issues. Trapped or inaccessible funds' severity is evaluated based on the impact.\n\nIn conclusion, the severity of an issue in a smart contract depends on various factors, including the impact of the bug, the likelihood of its occurrence, and the context of the bug. 
It's therefore important to use the guidelines provided and your judgement to determine the appropriate severity level.", "Q: How can I earn a leaderboard role in the CodeArena Discord and what are the prerequisites for getting my finding re-evaluated?\n\nA: The 'leaderboard' role in the CodeArena Discord is awarded to participants who have been placed on the leaderboard. This typically happens when a participant ranks among the top participants in a contest and has subsequently received a reward. Additionally, attaining the 'leaderboard' role may enhance a participant's ability to qualify for private contests. For further instructions on how to become 'certified', refer to the details found [here](https://docs.code4rena.com/roles/certified-contributors).\n\nTo be eligible for the re-evaluation of findings, a participant must first have their findings rewarded and listed, which can be viewed [here](https://discord.com/channels/810916927919620096/1095308824354758696/1130212982094299246). Nonetheless, the exact process for re-evaluating these findings has not been clearly outlined.\n\nMoreover, you can check out the current leaderboard [here](https://github.com/code-423n4/code423n4.com/issues?q=leaderboard) or [here](https://code423n4.com/leaderboard/) and potential improvements being considered for it include having different timelines, adding badges for various achievements, and introducing leaderboard seasons.\n\nAlso, bear in mind that access to backstage information and permission to audit private contests hinge on certain criteria such as holding a certified contributor role and having a certain number of findings. 
An evaluation might also be influenced by whether you participated in a contest and whether you are on the leaderboard.", "Question: What is the current status of applications for the '+backstage' role at Code4Arena and how can I apply when they reopen?\n\nAnswer: The '+backstage' role applications at Code4Arena are currently paused due to an identified issue. It was mentioned that an update regarding the paused applications is anticipated in the next two weeks, although no concrete resumption date has been provided. \n\nWhen the applications reopen, users who believe they meet the criteria for '+backstage' can submit a help desk request. In order to get the backstage role, one must be certified and meet certain qualifications. The details about the process and qualifications can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. \n\nHowever, please note the process of backstage access is changing and is still in progress. In the past, backstage access was based on a trust model, but future access may involve some constraints or consequences. Participants can apply for backstage access as soon as the contest results are published on the leaderboard, which usually happens shortly after the awards are announced. The evaluation for the backstage role is typically completed within a week if all qualifications are met and nothing is pending. \n\nPlease stay tuned for updates on the reopening of applications. A notification will be provided once your backstage access request has been reviewed.", "Question: What are the current job opportunities at CodeArena, especially in Asian countries, and what are the requirements to apply for these roles?\n\nAnswer: At the moment, CodeArena has not specifically stated any job openings in Asian countries. 
However, there were discussions about the need for additional staffing hours, which could imply the need for hiring in various time zones, including Asia.\n\nFor job roles, CodeArena does take into consideration individuals who are helpful and could be potential candidates for official helper roles. In addition, there may be opportunities for individuals with varying English proficiency and technical skills to team up for work roles or participate in contests. This includes wardens who are proficient technical writers but beginners in auditing, and wardens with advanced technical skills but need assistance with English communication.\n\nBecoming a certified warden is an option, which would allow one to participate in CodeArena as a side project without prohibiting employment elsewhere. Foreigners, including digital nomads, can become certified wardens, provided they have necessary details like proof of ID, bank account information, and proof of residence. However, this might require participating in a certain number of contests and producing a certain number of valid findings or reports.\n\nWeb applications might also be in the scope of certain contests. Also, it's possible to apply for a backstage role through a help desk request, although these applications are currently not being accepted but this might change in the coming weeks. To qualify for a backstage role, a certain number of findings in different areas or of different scores is required. \n\nPotential applicants for a working group should note that it is not clear whether all applicants will be contacted or only those who are accepted. Also, please bear in mind that there may be background checks and certain restrictions in place for the KYC process, including OFAC sanctions. \n\nMoreover, there is an \"Available for Hire\" filtering option on the leaderboard which can be used for job hunting. 
Also, there is a possibility of C4 grants for building tools, particularly for creating a website to display results in a user-friendly manner.\n\nFor further details and updates, please keep an eye on the official CodeArena Discord chatroom as new contests and potential job openings might be announced in the near future.", "Question: What is the process and requirements for applying for a lookout role at Code4Arena, particularly using findings that don't have reports out yet?\n\nAnswer: Yes, you can apply for the lookout role using findings that do not have reports out yet. The role of a lookout at Code4Arena is to pre-sort the repository and provide a summary document to the sponsor. To apply for this role, you can submit your findings even before they are publicly available. It's important to note that until a report goes live, the issues found will not be visible to other participants. Only findings submitted by a user or their team are visible to them until the final report is made public. \n\nNew participants are encouraged to look at the findings of other wardens once the findings repository becomes public. This will provide a valuable learning opportunity and insight into the process. If you have uncertainty on any findings due to lack of specification in the documents, it's recommended to submit these findings or direct message the sponsor team for additional context.\n\nAs a lookout, you can also submit low-risk findings and have the ability to report additional findings. Information about the lookout role and rewards can be found at the following link: [https://docs.code4rena.com/roles/certified-contributors/lookouts](https://docs.code4rena.com/roles/certified-contributors/lookouts).\n\nPlease note that findings in non-winning, unpublished bot-generated reports are still eligible for submission. Furthermore, Wardens will soon have the ability to apply for the certified warden role, which will give them access to findings shortly after contests end. 
\n\nFinally, please be aware that backstage access, which allows users to observe the report submission and triage process, is open to certified wardens with an established level of contribution.", "Question: Can participants interact with the issues they've submitted during the judging phase and post-judging?\n\nAnswer: Participants can interact with their submitted issues but the level of interaction varies based on the phase of the contest and the user's access. Wardens who had backstage access had the opportunity to see the submissions and provide factual comments during the pre-judging phase, however, it's not a continued practice anymore. \n\nThere are plans to allow certified contributors to view and comment on submitted issues right after contest closure during the judging phase. Users can also engage in a post-judging QA period, during which they can comment on the judges' decisions. If participants disagree with a contest judgement, they can review and comment on issues at https://github.com/code-423n4/org/issues. They may also open a new issue if their concern is not addressed.\n\nParticipants can ask for feedback on issues to understand the decisions made by the judges. If a submission is rejected, participants can review the report to understand why it was not accepted once the repository is fully opened. This allows them to see the discussions among sponsors and judges on the specific issue. \n\nThe severity of issues can be altered post-submission by judges. Participants can also openly discuss issues with the sponsors before the contest is over, including questions about severity and in-scope/out-of-scope matters. Users can edit their submissions after submitting an issue.\n\nOnce the contest is over and the repository is made public, all users can access the issues, including their own, to see the discussion and the final decision. Wardens can then see their submission and the comments in their submission after the announcement. 
If a user disagrees with a judge's decision on an issue, a discussion can be opened. \n\nPlease note that direct contact with judges may not be available to every participant. In such cases, findings can still be re-evaluated in the post-judging phase through the backstage channel. \n\nInquiries about viewing all submissions after a contest can refer to https://code4rena.com/contests/ for past contests and their results. Remember, these processes are designed to promote transparency and encourage learning and improvement among participants.", "Question: How can I submit an issue that involves multiple lines being changed? Should I send a git patch, a PR to the repo, or should I use another method? \n\nAnswer: If your issue involves multiple lines being changed, you can submit it through a git patch or a PR to the repo, as our users typically do. To do this, you can use diff tools, such as those available on Linux, to include the replaced lines in your submissions. \n\nIf your report is a proof of concept for a bug, consider adding a zip file to your submission or sharing a private Github repository. If your code is too lengthy to be embedded directly in the issue, providing a link to a gist or a private Github repo is acceptable. For more information on how to include a proof of concept in your submission, please refer to our [submission policy](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nFor submissions involving multiple findings or bugs, it's currently unclear whether you should create one issue per report or find all bugs before creating a final report. Similarly, if you found issues in multiple places in the codebase, you may refer to this [link](https://discord.com/channels/810916927919620096/810936719003090974/1134472653437145149) for guidance. \n\nIf you're submitting an issue as a team, be sure to add your team handle when reporting. To update team information, you'll need to create a PR. 
\n\nYour code can be formatted in a submission form using Markdown. However, it's unclear whether markdown formatting should be included in issue titles. For referencing code in reports, you can choose to leave direct links to the code on Github or refer to a specific file and line number. \n\nPlease note that if your gas report is larger than ~65k characters, it cannot be submitted through the form due to Github's character limit for issue descriptions. In such cases, you'll need to email your submission to submissions@code423n4.com. \n\nAfter submitting an issue, you can edit it if needed. You can also check your issue for the finding you sent on Github from the report.", "Question: How and when can participants interact with the judge to discuss or re-evaluate a finding in CodeArena contests?\n\nAnswer: Participants in CodeArena contests can interact with the judge during the post-judging stage, provided they have obtained backstage access. This access allows participants to speak with the judge to re-evaluate a finding and provide any factual comments they believe are relevant. This interaction offers an opportunity to seek feedback about issues, understand the reasoning behind the ruling, and discuss potential areas for improvement.\n\nIf participants disagree with a judge's decision, they can engage in a discussion according to the policy outlined at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision. There is also an appeal process in place for valid findings that have been classified as invalid. \n\nWardens have the privilege of viewing the judging results before they are published, allowing them to raise any issues they see with the judge for reconsideration. Furthermore, if a finding is submitted with a certain severity but the judge believes it to be of a higher severity, the judge has the discretion to upgrade the severity of that finding, unless there is a valid reason to penalize it. 
\n\nHowever, please be aware that the final determination on the severity, validity, and quality of the findings is made by an independent judge who possesses deep knowledge of Solidity. The judge is also expected to provide reasons for classifying an issue as invalid or disputed if required. \n\nFinally, if you are unsure whether to submit a particular finding or not, you're advised to make a case to the judge in your submission, especially for high-risk findings, as their inclusion depends on the specific contest and the judge.", "Question: How is the Quality Assurance (QA) report evaluated in CodeArena contests, and how are the rewards distributed?\n\nAnswer: The QA reports in CodeArena contests are evaluated based on both the quality and quantity of submissions. Each submission in a QA report is graded individually, and a single item is unlikely to get a high grade unless it is of high quality. Reports are graded as A, B, or lower, with Grade A reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus. \n\nIt's important to note that high-quality and high-quantity findings tend to score better. For reference, participants can compare their findings with winning reports found on the CodeArena website. \n\nIn terms of reward distribution, if no High/Medium issues are found in a contest, the rewards are divided based on Quality Assurance. However, duplicate findings may not be rewarded, and if a participant gets more than 3 reports rejected in a competition, they will not receive any payout for that competition. \n\nParticipants are recommended to submit one big report for QA and one for gas optimizations. Each participant is required to submit one Quality Assurance (QA) report per contest and ideally group all issues together. 
They should also separate the Gas report from the QA report.\n\nFor more detailed information, you can refer to the following links: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: Can we access and comment on our issues during the judging process and how are comments and discussions on reports carried out at CodeArena?\n\nAnswer: Previously, Wardens who had backstage access could view submissions and provide factual comments during the pre-judging stage. Currently, this is not a standard practice. Instead, wardens typically communicate with judges and sponsors through comments in the reports. Backstage access allows wardens who have made a significant contribution to observe the report submission and triage process. It also allows these wardens to speak with the judge to re-evaluate a finding and comment on it. A post-judging QA period also exists where comments can be made on the judges' decisions. \n\nThe issues in the published reports are the same as those reported. However, there might be some questions regarding whether the published reports are a summary of what was submitted by the wardens. If you have concerns or issues with a report, you may seek clarification from the wardens. If you are a participant who submitted to a contest but was not rewarded, you can review why your submission was not accepted once the report is out and the repository is fully opened.\n\nCertified+ wardens are granted early access to the findings repositories and can assist with post-contest processes. Once a contest ends and the final contest report is published, the findings become public. Certified+ wardens can view the findings repo immediately after a contest ends. 
\n\nParticipants can also ask judges for feedback about issues to understand the reasoning behind the ruling and to see what could be improved. Please note that there is a professional conduct guideline for certified wardens requiring that all findings are treated as private and confidential until the contest report is made public. You can find more details on backstage wardens and the submission process [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens) and [here](https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines), respectively.", "Question: When can I expect to see the results of my submission after the award announcement from CodeArena?\n\nAnswer: The process of seeing the results of your submission involves several stages and may take anywhere from 2 to 6 weeks, or in some cases, even longer. Once a contest ends, the findings or reports are immediately reviewed and triaged by the judges. This process includes a sponsor review, judge review, sponsor confirmation, and judge's final report. The judging process may vary from 2-4 weeks depending on the volume of submissions and the complexity of the code. Once these stages are completed, the awards are announced and targeted to be sent within 1-2 weeks. \n\nAfter the awards are announced, the final report is prepared and published. This report will allow you to see the results of your submissions. It's important to note that not all findings submitted for contests may make it to the final report, and the reasons might not be immediately known. You'll need to wait until the reports are published to check on this. \n\nOnce the report is published and the findings repository is made public, you can review the submissions for a contest. This process may take about 8 weeks in total for the judges to review the findings, create the leaderboard, and make the findings repo public. 
Also, be aware that it may take a couple of months for feedback to be given regarding submitted issues. \n\nLastly, please note that the ability to view all submissions after a contest could vary and currently, the findings of a contest cannot be viewed after it finishes but before the results are published. The specific period of time before the findings repo becomes publicly available for discussion is not stated. After an award is received for a submission report, you will have to wait for the payout which typically happens between 1-2 weeks after the announcement.\n\nIn summary, the exact timing to see the results of your submission depends on many factors including the contest's complexity, number of submissions, and the stages of contest completion, which include the sponsor review, judging, awarding, and the final reporting.", "Question: How are \"Centralization Risks\" evaluated and treated in CodeArena audits?\n\nAnswer: \"Centralization Risks\" in our audits are not always considered invalid. Cases where centralization risk may be deemed valid include scenarios where the centralization does not align with the protocol's stated guarantees in their documentation or marketing material. In situations where the centralization poses a significant threat to all users of the protocol and the protocol itself, or is not listed as a potential issue, the centralization risk might also be considered valid.\n\nIf you believe a centralization risk should be flagged in your smart contract audit, you can report it providing all your reasons, and a judge will make the final decision. Remember that submitting baseless assumptions, such as the owner being compromised or centralized, is not encouraged. It's important for us to note that methods with the onlyowner/onlygovernance modifiers are strictly coming through trusted bodies. 
\n\nFor more information on how we handle \"Centralization Risks\" and other vulnerabilities, you can refer to our guidelines at https://github.com/code-423n4/org/issues/54 and https://docs.code4rena.com/awarding/judging-criteria#estimating-risk. \n\nKeep in mind that the evaluation of risks for vulnerabilities, including the categorization of severity, is a complex process that includes consideration of various factors, including the potential loss of assets, the difficulty of exploiting the vulnerability, and the credibility of the reporting user. It's also worth noting that users are discouraged from rating everything as high risk as a strategy, and that issues marked as high risk are subject to review by judges who may opt to downgrade or discard them. \n\nLastly, if multiple users report the same vulnerability, we have specific criteria in place to handle such scenarios. High-risk findings reported by multiple users are counted as one if they share the same root cause. Each report is diligently evaluated to ensure fair and accurate audit results.", "Question: What tools and methods can be utilized for displaying, formatting, and referencing code snippets with line numbers in CodeArena reports?\n\nAnswer: CodeArena participants often use a variety of tools for displaying, formatting, and referencing code snippets in their reports. The primary tool used is a Visual Studio Code extension called \"Copy With Line Numbers\", which can be accessed at [https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers](https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers). This extension helps users to get code snippets along with their line numbers.\n\nTo reference specific lines of code on GitHub, users can click on the code line on the left tab which will change the URL. Holding SHIFT can capture a range of lines. 
Code can also be highlighted on Github by clicking on the starting line of code, then holding down ctrl + shift and clicking on the last line to highlight. \n\nFor formatting the code in reports, Visual Studio's preview tool has been recommended and markdown code to include GitHub code in a report can be found at [https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks). Syntax highlighting in a code block in a finding report can be achieved using three backticks and specifying the language (e.g., ```solidity).\n\nFor issues with large text that don't fit in the textbox on the help desk site, users can link a gist. They can even make a \"secret gist\" to show a code example without being disqualified for disclosing a problem. When showing places of vulnerability, it's recommended to include both the URL to the repository with the line number and a code block.\n\nThe 'Links to Affected Code' section of high/medium findings allows the addition of the GitHub permalink for the respective code block. Users can also include replaced lines in their submissions using diff tools, such as those available on Linux.\n\nPlease note that there was some debate among participants on whether to leave direct links to the code on GitHub or refer to specific files and line numbers. This implies there's no one-size-fits-all approach; the best method may depend on the specific context or preference of the judges.", "Question: When is a centralization risk considered valid, and how should such risks be reported in smart contracts?\n\nAnswer: A centralization risk in smart contracts is generally considered valid when the level of centralization does not align with the protocol's claims or guarantees as portrayed in their documentation or marketing materials. 
Furthermore, a centralization risk is valid if it poses a threat to all types of users of the protocol and the protocol itself, or if it is not disclosed as a known issue. Such centralization could potentially lead to scenarios like the contract being subjected to a ransom attack, where an attacker takes ownership of the uninitialized contract and demands a ransom to release it, or users losing funds in the event of a malicious admin's involvement. \n\nIf you encounter such a situation, it's recommended to flag the issue and report it, stating all your reasons. For instance, if the potential risk could lock all the protocol assets, it would be a high severity issue. Even if a finding breaks the protocol but no funds get stolen, it could still be classified as high risk due to potential disruptions to functionality. The final decision, however, will be made by a judge. You can read more about \"Centralization Risks\" [here](https://github.com/code-423n4/org/issues/54).\n\nIt's worth noting that the categorization of severity can vary based on the specifics of the situation. For example, a bug that relies on a user's mistake in interacting with a contract may still be valid, but will likely not bear the same severity as if it doesn't require a mistake. Further information about the categorization of severity can be found [here](https://github.com/code-423n4/org/discussions/34). \n\nNonetheless, it's important to remember that all findings are based on the judgement of the reviewer, which can be subjective. Therefore, it's encouraged to ask any questions or voice any concerns regarding the reporting and validation process. 
Trust between wardens and sponsors is crucial in ensuring the effective resolution of vulnerabilities and maintaining the integrity of the smart contract ecosystem.", "Question: How should I present the vulnerability and Proof of Concept (PoC) when submitting an issue for a smart contract audit in CodeArena?\n\nAnswer: When submitting an issue for a smart contract audit in CodeArena, both the vulnerability and its impact, as well as the Proof of Concept (PoC) should be clearly described.\n\nIn the Impact section, you should explain the vulnerability and its potential impact on the protocol or code. The implications of this vulnerability in terms of how it impacts the existing system, for example, can affect the severity of the issue.\n\nThe Proof of Concept section is where you demonstrate the vulnerability. It can include lines from the code or a test written as an exploit. You can also provide direct links to all referenced code in GitHub, add screenshots, logs, or any other relevant proof that illustrates the concept. If the PoC is too large to be embedded directly in the issue, you can provide a link or a private gist. The PoC can be written in any language as long as it demonstrates the vulnerability effectively. If you can't provide a specific PoC due to the nature of the issue, a clear description, possibly in bullet points, might suffice.\n\nWhen dealing with medium or high-risk vulnerabilities, providing a test code as PoC is highly recommended. Without a PoC, your finding may get disregarded unless the bug is extremely obvious.\n\nFor precision-loss issues, the severity can be submitted as medium as long as the damage done by it justifies it. However, a PoC that proves the case is always necessary.\n\nA good example of how to present a PoC for a bug and its impact can be found at https://github.com/code-423n4/2022-12-caviar-findings/issues/376. 
For detailed instructions on how to include a PoC, you can check https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.\n\nIt's worth noting that if you're using automated tools for attack findings, there's a higher burden of proof to demonstrate a relevant exploit path. More information on this can be found at https://github.com/code-423n4/org/discussions/50.\n\nRemember, it's beneficial to focus your report on one specific attack or issue and make sure to feature the project's code. A simple to understand PoC or specific example, along with a coded test that demonstrates the vulnerability, will make your report more effective.", "Question: How can I link my Twitter account to my username on the CodeArena leaderboard?\n\nAnswer: To link your Twitter account to your CodeArena leaderboard username, you need to submit a help desk request. This help desk request should include your warden name and Twitter URL. Please note that changes to the leaderboard/contest results link could be made through this help desk request. You can submit your help desk request at https://code4rena.com/help. Keep in mind that the leaderboard gets updated every time awards are announced. However, if your username changes, the leaderboard status from your previous handle won't transfer to the new one. Also, remember that having an updated discord username tied to your CodeArena account helps ensure you can be tagged for any award announcements, but it does not affect receiving awards.", "Question: \nCan I receive feedback on my submissions, including the ones that were not rewarded, and how can I access this feedback?\n\nAnswer:\nWhile you may not receive direct feedback on your submissions, especially those that were not rewarded, you do have the option to review why your submission was not accepted. After a contest ends and the report is published, the findings repository, which includes all submissions, is made public. 
In this repository, you can view the discussion among sponsors and judges regarding specific issues, which will offer insight into why your submission was not accepted or rewarded. \n\nYou can also check for feedback on your submitted findings, and if your submission has been marked as invalid by a judge, you will receive feedback from them. Furthermore, it's important to note that participants are expected to receive an email regarding their submission, whether it's valid or not. \n\nIf there are concerns about too many unsatisfactory submissions, there are processes in place to understand why a bug was not accepted to improve future submissions. You can inquire about your submission rules and even discuss or argue your case if your submission is rejected. \n\nTo check on the success of your report submission, look out for an email confirming the submission and check if you have the ability to edit the submitted findings. If you submitted a report but didn't make the award list, it's likely that your issues were rejected, and you can confirm this by reviewing the available report in the repository.\n\nBear in mind there are plans to allow certified contributors to view submitted issues right after contest closure and give input on these issues during judging. These measures aim to improve the transparency and fairness of the contest.\n\nYou can access all of this information on our public GitHub repository [Link to the repo], which will be made available after each contest ends. Remember, critique and feedback are crucial for improving the platform and your future submissions.", "Q: How can I link my Twitter account to my Code4rena profile and feature it on the leaderboard?\n \nA: In order to link your Twitter account to your Code4rena profile and feature your Twitter handle on the leaderboard, you will need to complete a help desk request. You can submit this request at https://code4rena.com/help. 
Please provide your warden name and Twitter URL in your request.\n\nPlease note that in order to be featured on the leaderboard, you must be a registered warden and your registration needs to be fully completed. Also, changing your username might affect your account registration as a warden, so we recommend not doing this without guidance. Furthermore, only certified wardens who ranked in the top 5 of a contest and received the reward will get the \"leaderboard\" tag updated in their roles.\n\nIt's also worth mentioning that although you have the ability to edit your warden profiles, this feature is currently only available to those who were certified before warden profiles were introduced. If you wish to edit your profile (like adding a profile picture), you can request this via another help desk request. \n\nIf you're interested in seeing what other wardens are earning, you can visit the leaderboard at https://code4rena.com/leaderboard/. Wardens also have the option to sign up for private contests, which can enhance their ability to qualify for private contests. Good luck on your journey as a warden!", "Q: As a participant in a CodeArena contest, can I contribute my inputs and views on the findings during the contest or after it ends, even if I don't have backstage access? How and when can I review the findings and submissions?\n\nA: As a participant in a CodeArena contest, you can discuss potential issues with the sponsor while the contest is still ongoing. This can happen either in the contest channel or through private messaging. However, making findings \"public\" before a contest is finalized is prohibited. Discussions related to specific findings should wait until the contest report is published.\n\nCurrently, only the team and those with backstage access can view submissions before the end of the contest. 
Backstage access, which is based on the certified contributor role and requires participation in contests and a minimum number of findings, allows access to the findings repository when a contest closes. Although, applications for backstage access are currently suspended until further notice. \n\nAfter a contest is completed, there is a certain period of time before the findings repository becomes publicly available for discussion - the exact duration is uncertain. Once the report is published, you can review why your submission was not accepted. This allows you to see the discussion among sponsors and judges on your specific issue. \n\nParticipants can also inquire about the validity of an issue marked as invalid by monitoring the backstage channel for the post-judging stage of the concerned contest. However, backstage access is not granted for every contest but is broader than just where the wardens have submitted issues.\n\nIn case you wish to view reports from other wardens after the contest has ended, you can do so as the platform allows viewing of such reports. However, the visibility might depend if there is a table with results. For instance, judges' comments on contest submissions were visible in the Asymmetry contest which can be found at https://code4rena.com/contests/2023-03-asymmetry-contest.\n\nPlease note that not all sponsors may have access to the findings repository before the end of the contest. You can apply for backstage access as soon as the contest results are published on the leaderboard. So keep an eye on the leaderboard, which is usually updated shortly after the awards are announced. \n\nRemember, the submission rules and the platform's policies are in place to ensure fairness and accuracy in the contests. 
Always try to abide by them when discussing or reviewing findings.", "Question: What are the Mitigation review and Lookout awards in CodeArena's smart contract audit process?\n\nAnswer: Mitigation review and Lookout awards are part of the contest structure that CodeArena employs in its smart contract audit process. \n\nA Mitigation review contest is an event where top wardens from the initial audit are invited back to review bug mitigations proposed by the project team. These wardens evaluate if the proposed solutions are adequate to address the identified vulnerabilities. The review is open only to wardens who participated in the original audit. A notable example of such a contest is the Caviar contest, which involved a prize pool of $8,100 USDC for the top 3 wardens. The rewarding formula for the mitigation contest is at the sponsor's discretion, especially when a participant's findings are disputed. It's worth noting that mitigation recommendations are not obligatory for the project team to follow. More information on Mitigation Reviews can be found at [CodeArena's How It Works page](https://code4rena.com/how-it-works) and a detailed explanation is available in this [CodeArena Medium article](https://medium.com/code-423n4/a-look-at-code4rena-audits-mitigation-review-3e05f8b7acb7).\n\nThe Lookout award, on the other hand, refers to a specific role within the contest. A Lookout's role is to review audit findings, which can be included in the report with detailed findings format like impact, Proof of Concept (PoC), and proposed mitigation. Typically, there is one lookout per contest. Information about the lookout role and reward can be found at [CodeArena's Roles page](https://docs.code4rena.com/roles/certified-contributors/lookouts#lookouts). 
\n\nIt's important to mention that both these roles are part of CodeArena's effort to ensure a comprehensive, transparent and incentivized approach to smart contract auditing.", "Q: If I initially submitted an issue as Medium risk, but I realize it has greater potential for loss of funds and should be High risk, can I change its risk classification? \n\nA: Yes, you can change the risk classification of your submitted issue, given that the contest is still open and there is no reason for penalizations such as lack of detail or inaccuracies in your report. The severity of a finding, whether it's high or medium risk, is largely determined by the potential loss of assets involved. High risk generally involves sizeable fund loss without needing extra requirements, whereas medium risk usually requires specific preconditions such as high attack difficulty or specific market conditions. \n\nIt's important to note that even if a high severity bug is downgraded to medium, you will still receive the reward for a medium bug. There is currently no penalty for incorrect medium or high submissions, but you must provide strong evidence to demonstrate a relevant high or medium severity exploit path. This is especially pertinent for submissions based on automated tools.\n\nIf you're unsure about an 'on the fence' issue, it's crucial to rely on your experience and balance the consequence of the issue with its likelihood. For more clarity on severity classification, the submission policy and the incentive model can be found at these links respectively: \n- https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues\n- https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs\n\nIf judges determine your submission is of greater severity than you classified, it can be upgraded. However, it's better to be accurate from the onset to avoid any complications. 
The reward for a finding can be calculated using the formula provided in this link: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs \n\nAlso, if you find that no Medium or High vulnerabilities are found in the smart contracts, the remaining contest funds will be divided based on the Quality Assurance (QA) report curve.", "Question: Can I discuss my findings with other wardens or in public before the official contest report has been published?\n\nAnswer: No, findings should not be discussed with other wardens or publicly until the official contest report has been published. This is due to the professional conduct guidelines for certified wardens that require all findings to be treated as private and confidential. Such discussions, if held before the report is published, could potentially lead to misuse of disclosed vulnerabilities. Certified wardens can view the findings repository immediately after a contest ends, but they are not allowed to disclose it to other competing wardens. Once the findings are submitted in the competition, they are sealed to other wardens. However, they have to be visible to Code4rena staff, sponsors, and the judging team for the judging process to occur. If you have concerns or issues with a report or need clarification on certain points, you may seek clarification from \"wardens\". You can read more about the guidelines and process here: [https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines] and [https://docs.code4rena.com/roles/wardens/sub].", "Question: How do the judges review submissions and determine the severity of issues in Code4rena competitions?\n\nAnswer: When a participant submits an issue in a Code4rena competition, the judges review the submission based on the details provided in the report. The judges have the discretion to determine the severity of identified issues and to make changes in severity levels as necessary. 
They can elevate the severity of an issue if it's explained in detail, or downgrade the severity if they disagree with the participant's initial severity ranking. \n\nHowever, if an issue is marked downgraded, participants will still be awarded for the found issue unless judges invalidate it for overinflating severity. The judges do not invalidate an issue simply because they mark it down from high to medium severity. This decision is done in the context of the guidelines outlined in the Code4rena awards model (https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions). \n\nIf a submission is labeled as \"sponsor-disputed\" without an explanation, participants can ask the judge for clarification after the judging. Participants can also ask for feedback about the reasoning behind the ruling and to see how they could improve.\n\nIn the case of a correct bug being submitted with an incorrect solution, the submission can be updated if the contest hasn't ended. High-risk findings are considered based on the specific contest and the judgement of the judges. If participants believe a high-risk finding should be considered, they should make a case in their submission.\n\nThe judges encourage high-quality submissions and may pick the primary issue based on the quality of the write-up rather than the order of submission. It's also important to note that the judges appreciate when similar submission issues are grouped together.\n\nFurthermore, participants can openly discuss issues with the sponsors before the contest is finished, including severity and in-scope/out of scope questions. They can also withdraw their old issue if they want to make a new submission of the same issue.\n\nIn case of any dispute or if a submission is rejected, there is a process for participants to argue their case. Participants can review why their submission wasn't accepted once the report is out and the repository is fully opened. 
This allows them to see the discussion among sponsors and judges on the specific issue.", "Q: I'm having trouble logging into my CodeArena account. Can I direct message a staff member for assistance?\n\nA: Yes, you can definitely direct message any of our CodeArena staff members for assistance. However, for login issues, it is typically more effective to seek help in the #auth-help channel on our Discord platform. It's also worth noting that some users have reported issues with logging in via certain wallets, like Metamask, or experiencing interface issues where the system shows them as logged in but the interface does not change. If you are encountering these issues, or if you're having difficulty connecting your Discord account with your CodeArena account, our team could potentially resolve these by updating our database. In addition, if you're unable to find your username during the registration process, we are currently investigating this issue. Lastly, please ensure that you're using the correct wallet or email for login, as this could be causing the issue. Users also have the option to switch to using a username and password for login if needed. If you've forgotten your username or have additional login issues, please don't hesitate to reach out to us in the #auth-help channel. Here is the link to our Discord: https://discord.com/channels/810916927919620096/810929015509483554/991410741678719278.", "Question: I have accidentally created two accounts with the same email and discord. Can I merge them or how can I handle this situation?\n\nAnswer: At the moment, Code4Arena does not provide a specific solution to merge accounts. However, here are some observations and workarounds you might find helpful:\n\n1. If you simply want to change your nickname, you can do it via the Account Management page of your profile on Code4Arena's website. Please note that your Discord nickname should remain as your registered Code4Arena username. \n\n2. 
If you have been using the same email address for your Code4Arena account and wish to switch to a different one, like Gmail, you can make that change in your account settings.\n\n3. If you're experiencing a mismatch between your site username and Discord nickname, please reach out to the Help Desk for assistance and include your email or Discord handle in the form. If your Discord handle has spaces, please include it without spaces in the necessary field but state the actual handle (with spaces) in the description field.\n\n4. For issues related to a changed Discord ID, you can refer to this link (https://discord.com/channels/810916927919620096/810931711609143326/1119321495987032144) for assistance.\n\n5. It is possible for you to sign up as a certified contributor with multiple accounts as long as you only participate with one account. However, creating duplicate accounts to submit the same issue for a greater share of rewards is not beneficial due to Sybil protection measures.\n\n6. If you need to update your Discord handle due to Discord's update asking users to use their name without the discriminator, you can do so in your profile on the site.\n\nPlease remember, changing your account names, wallet logins, or creating another account with the same Github username, email address, and Discord username is generally not allowed. If you have further questions or issues, please contact our Help Desk for a review by our developer team or DM us for assistance.\n\nLink: https://code4rena.com/help", "Question: How can I manage my C4 profile, including username changes and linking it to my Twitter and Discord accounts?\n\nAnswer: Managing your C4 profile, also referred to as Code4rena or simply \"Code Arena\", is a multi-pronged process that allows for several modifications. 
You can change your C4 username, Discord name, and profile photo by creating a help desk request on the official website: https://code4rena.com/help/.\n\nWhen changing your Discord name, remember to update it on the Account Management page of your warden profile. However, your Discord nickname should remain as your registered C4 username. Remember that any changes you make on Discord can be reflected in your C4 account.\n\nAs for linking your C4 profile to your Twitter account, you can also accomplish this by completing a help desk request. The process was queried specifically for certified auditors, but it appears to be applicable for general users as well.\n\nIf you face any issues logging in to your C4 account, you can seek help in the #auth-help channel on our Discord server. Also, if you suspect that your C4 wallet has been compromised, you should submit a help desk request for assistance immediately.\n\nThe C4 team is continually working to speed up these processes and improve their tools and procedures. If the C4 site appears to be down, you can check its status at https://downforeveryoneorjustme.com/code4rena.com. \n\nFinally, it's important to note that in Code4Arena, your profile name should ideally match your name in the chat for consistency.", "Q: How can I change my username on CodeArena and what implications does it have on my profile and other linked accounts?\n\nA: Currently, CodeArena usernames are immutable and direct username changes are not supported. However, it is possible to change your username by re-registering a new account with your desired username. Do note that if you decide to change your username in this way, you will need to reapply for a certified status if you had one before, as statuses do not carry over between accounts. \n\nIt is also worth mentioning that your new username should match your name in the chat for consistency. 
If you have linked your CodeArena profile to other platforms such as Twitter or Discord, these may also need to be updated. To change your Twitter username on CodeArena, you may create a help desk request. As for Discord, you can update your Discord name on the Account Management page of your warden profile. However, it is advised that your Discord nickname should remain as your registered C4 username.\n\nWhile we can accommodate these changes, we strongly advise users to keep their account details consistent across platforms to avoid confusion and to submit any inquiries about this topic via our Help Desk for the developers' review. Please note that creating multiple accounts with the same email or GitHub address, or using the same email address for an extended period, is viewed as changing your nickname and could impact account registration for wardens.\n\nFor further assistance, visit our Help Desk at [Insert Help Desk URL here].", "Q: I've encountered some difficulties while logging into my CodeArena account. My wallet doesn't seem to be connected and my Discord nickname and site username don't match. Can I get banned for owning two accounts with one email and Discord? Can I change my username or wallet login?\n\nA: CodeArena is currently addressing an issue related to login difficulties, and wallet connection on our site, which may be due to initial architecture choices of the registration mode. It's possible to change your registered wallet, also known as login address, on the platform. There are two types of wallets: a login wallet, which is set up during account creation, and a payment wallet, which can be updated in your profile.\n\nRegarding your Discord nickname and site username mismatch, you can update your Discord name on the Account Management page of your warden profile. However, remember that your Discord nickname should ideally match your registered C4 username. 
Although some users have considered changing their nickname through re-registering with the same email or Github address, it's currently unclear if this is allowed.\n\nFurthermore, there seems to be an issue with the help form not accepting Discord handles with spaces, and an update from Discord requires users to use their name without the discriminator, which might affect your warden role on CodeArena. To address these issues, you may need to update your new Discord handle without spaces in your profile on the site.\n\nIf you still experience any issues, feel free to reach out for help, especially if you are having trouble connecting your Discord account with your Code4rena account. You can check out the discussion about issues in logging into CodeArena with Metamask wallet [here](https://discord.com/channels/810916927919620096/810929015509483554/991410741678719278). Please be aware that you are required to connect your wallet when you sign in to submit findings, not every time you submit findings.\n\nAs for your concern about owning two accounts with one email and Discord, we are working to clarify this policy. As it stands, changing a username could affect your account registration as a warden, and changing a nickname requires creating a new registration/Discord handle and starting over with the new name if you are on the leaderboard. There were instances where one user managed to create two accounts with one email and Discord, however, this may not be a typical scenario. 
\n\nWe apologize for any confusion and inconvenience caused, and we are working hard to improve the user experience on our platform.", "Question:\nWhat forms of identification are accepted for the KYC process, are there certain documents not accepted, and how can I navigate through the process more effectively?\n\nAnswer:\nWhile CodeArena encourages you to start your application process and directly ask our KYC provider, Provenance, about their specific documentation requirements, we can share some broad guidelines based on our observations. \n\nFirstly, the identification verification for KYC may not necessarily require a passport; other forms of ID, such as national Identification cards, may also be accepted. However, note that there might be certain utility bills that are not accepted. \n\nThe KYC process might involve some delays, and the reasons for any rejections are not always communicated promptly. In such cases, you can submit a help desk request to track the status of your KYC confirmation. \n\nSome of our members have experienced delays due to the back and forth between them and Provenance. To avoid this, it's best to provide all the necessary documents promptly. Keep in mind that after providing all documents for KYC to Provenance for certification, there's a 48-hour deadline for response. If you're awaiting a response for more than a week, you can nudge Provenance for an update. \n\nAlso, always check your spam folder for any emails from \"compliance@provenance.company\" related to your KYC process.\n\nWhile KYC is not required for all activities on CodeArena, some, like participating in a contest or receiving payments for audits, do require it. The specific need for KYC will always be stated in the applicable channels.", "Question: What is a bot race in Code4rena and how can I participate?\n\nAnswer: A bot race is a competitive event held by Code4rena that rewards users for findings made with AI. 
It's a concept where bots are used to identify issues and propose fixes within the Code4rena context. However, users should be cautious as fixes proposed by bots might introduce more damaging exploits. If you wish to use AI in auditing, you're advised to enter the bot races instead of submitting findings independently, as rewards cannot be received for findings made with ChatGPT in regular contests. You can participate in the bot race by visiting the dedicated page at https://code4rena.com/register/bot. There, you will find more detailed information about bot races and the procedure for participation. Note that you might also need to unblock captcha in your browsers when experiencing errors in submissions.", "Question: I'm having difficulties logging into my CodeArena account and connecting my wallet. I've also noticed that my Discord nickname doesn't match the one on the platform. Could I be in trouble if I have created two accounts with the same email and Discord?\n\nAnswer: Login and wallet connection issues can occur due to a variety of reasons, such as not using the correct wallet or email. CodeArena's platform allows you to have a login wallet, which you set up when creating your account, and a payment wallet, which you can update in your profile. If you're having difficulties, it might be worth checking that you're using the correct wallet for the correct purpose. \n\nWhile it's generally not encouraged to have two accounts on the same platform, if you've found that you've created two by accident, don't panic. It's possible to change the registered wallet (login address) on the platform as well as your username and Discord nickname. However, you should be aware that your Discord nickname should remain as your registered C4 username. \n\nThere's no need to worry about being banned if you've created two accounts by accident- we understand that errors can occur. If you're unsure about anything, you can seek help at https://code4rena.com/help. 
\n\nIf you're trying to submit findings, you'll need to connect your wallet when you sign in, not every time you submit findings. If you've submitted findings before, you should be redirected to a confirmation page instead of the registration page when you connect your wallet. \n\nAs for the mismatch between your site username and Discord nickname, you can update your Discord name on the Account Management page of your warden profile. Remember, it's possible to change your nickname and question the possibility of registering another account with the same email or GitHub address. \n\nIf you're having issues with MetaMask, you should know that signing in with MetaMask is now a requirement. You can check out this discord thread for more information: https://discord.com/channels/810916927919620096/810929015509483554/991410741678719278 \n\nFinally, there's also an alternative solution. You can use the wallets supported by WalletConnect during the registration process. More details can be found at https://walletconnect.com/registry?type=wallet. \n\nIn summary, if you're having login or wallet connection issues, or if you're concerned about account duplication, there are multiple resources and channels you can turn to for help and clarification.", "Question: What is the process and timeline for becoming a certified auditor or warden with CodeArena (C4)?\n\nAnswer: Becoming a certified auditor or warden with CodeArena (C4) involves several steps with varying timelines. Initially, you need to fill out the necessary forms and undergo a Know-Your-Customer (KYC) process, which verifies your identity. This process usually takes a few days to complete, but the time may vary depending on how quickly you can supply the requested documents. \n\nOnce your KYC process is complete, you need to wait for the certification status from Provenance, our KYC provider, which is generally updated within 2-5 business days by the C4 team. 
It should be noted that the approval for your application to become certified is contingent on the completion of these steps, and the estimated wait time for becoming a certified auditor or warden after sending a request is usually 2 business days. \n\nAfter your application is approved, it takes a few more days for your profile to reflect your certified status. You should receive an email notifying you once your certification has been finalized. This email will be sent from compliance@provenance.company and it's worth checking your spam folder if you haven't seen it in your inbox. \n\nFurthermore, as a participant, if you start the certification process within 48 hours of the contest, you may be eligible for an award upon its completion. However, it's crucial to note that you need to complete the certification within 30 days of the end of the audit to receive your payout. \n\nLastly, if you believe you qualify for Certified+, you may contact us through the help desk form to request this status. This process is more formal and precise details about it would be provided upon request. \n\nPlease remember that being certified is not a full-time commitment but indicates that your identity has been verified and you are eligible to participate in audits.", "Q: How do I manage and utilize feedback, particularly negative ones, to improve my performance and the system's structure on CodeArena?\n\nA: CodeArena highly values and encourages feedback from its users. Whether you're receiving critique on your submissions, your system findings, or any aspect of your participation, it's important to see it as a learning opportunity. Here's how you can use feedback effectively:\n\n1. Always remember that feedback, whether positive or negative, is meant to help improve the platform and the quality of your submissions. It's not personal, so use it as a tool for learning and growth.\n\n2. 
You can find feedback on your submitted findings, which can help you understand the reasoning behind the judgment and see what could be improved.\n\n3. You can privately ask questions and receive guidance on more fragile aspects of the system. This can help you gain a deeper understanding and improve your performance.\n\n4. If your findings get rejected or you're unsure about the judgment, you can ask the judges for their feedback to understand the reasoning behind their decision.\n\n5. Participants' feedback can influence CodeArena's priority operations projects. So, if you see room for improvement, feel free to share your thoughts. Your feedback could lead to significant changes.\n\n6. Even if you don't have significant findings, you can still send analysis reports to provide advice on things to consider for the future of the project.\n\n7. If you're unsure about the severity of an issue after reporting it, don't hesitate to seek guidance. We appreciate the active participation and are here to help.\n\n8. If your submission gets rejected, remember there's a process in place for you to discuss or argue your case. There's also a feedback channel available for suggestions and other comments.\n\n9. If you're worried about being penalized for too many unsatisfactory submissions, remember that our goal is to help you learn and improve. Use the feedback you receive to enhance your future submissions and avoid repeating the same mistakes.\n\n10. If you have concerns about the process or rules, you're encouraged to review issues on our GitHub page https://github.com/code-423n4/org/issues. You can add fact-based comments, support suggestions, or open new issues there.\n\nRemember, the ultimate goal of feedback is growth. 
So, embrace it, learn from it, and use it to improve your performance at CodeArena.", "Question: What are the requirements for identity verification in the Certified Warden application process and are there alternative ways to submit documentation?\n\nAnswer: The process of becoming a Certified Warden requires verification of your identity. This is usually done by providing proof of ID and proof of residence. However, it's important to note that the exact requirements may be more detailed and are handled by Provenance, our KYC provider. \n\nYou can potentially complete the certification process using an identity document like a driving license or passport, and it may not necessarily require proof of residence. Some users have reported being approved after submitting their identity documents and a selfie. \n\nAdditionally, you can also verify your identity using other forms such as a national identification card if you do not have a passport. Even digital nomads can become a certified warden using proof of ID, bank account details and other forms of proof of residence. \n\nIf there are issues with submitting this documentation, such as not receiving emails from Provenance, please start the application process and ask Provenance directly what they need. \n\nA reference to this information can also be found in our documentation, however, this is intended as a guideline and Provenance will have the most up-to-date and detailed information. \n\nIf you have any further questions regarding invoicing, you can refer to this document: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. \n\nAnd, remember, while becoming a certified contributor can open up more opportunities, it's not necessary for most audits. 
You can still participate in contests and submit findings without being a certified contributor.", "Q: I received a DM from a recently created account claiming to be Cod4rena and offering me to buy ARENA tokens from a URL that doesn't look official. I suspect it's a phishing scam. How can I confirm it and ensure my account's security?\n\nA: Yes, it seems like you're encountering a phishing scam. Phishing attempts often involve unsolicited messages from fake accounts offering transactions through unofficial or suspicious URLs. In this case, the URL you mentioned is indeed not associated with Code4rena. \n\nTo ensure your account's security, please follow these steps:\n\n1. Do not click any suspicious links or provide your private information.\n2. If you think your account might have been compromised, you can change your payment address on Code4rena to a new wallet address to prevent future rewards from being stolen. The procedure to change the wallet address connected to CodeArena is detailed here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address.\n3. If you were unable to log in to your Code4Arena account or it has been inactive for a long time, you can seek help here: https://code4rena.com/help.\n4. If you've forgotten the wallet address used for your registration, you can also request help at the aforementioned link.\n5. Please be aware that currently, there is no support for changing the login address on CodeArena. In case your account has been compromised, submit a help desk request detailing the issue and a mycrypto.com signed message.\n\nRemember, the official way to obtain ARENA tokens is through the contract address 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222. Do not trust unofficial sources or links that are not from our official channels. If you encounter potential scams, please report them to our team or email the issue to security@code4rena.com. 
Stay safe online, and let's keep our community secure together.", "Question: I received a Direct Message (DM) regarding the purchase of ARENA tokens. Is this a phishing scam and how can I safely obtain ARENA tokens?\n\nAnswer: Yes, any DM attempting to sell you ARENA tokens is likely a phishing scam. We've observed instances of phishing scams involving links to untrustworthy URLs like invst.icu. These scams often involve fake CodeArena accounts. Please be aware that there is currently no token staking system for our ARENA tokens. \n\nTo safely obtain ARENA tokens, use the contract address 0x6847D3A4c80a82e1fb26f1fC6F09F3Ad5BEB5222. Please note that the $ARENA token is a minimum-viable-governance token with sovereignty over the DAO treasury. More information can be found at our DAO constitution link: https://github.com/code-423n4/org/blob/main/CONSTITUTION.md. \n\nIf you have any questions or concerns, feel free to direct message someone from the CodeArena team or submit a help desk request at https://code4rena.com/help/. Please stay vigilant and report any suspicious activities or scams to us. \n\nLastly, remember to keep your wallet secure. If your wallet has been compromised, immediately follow the procedure to change your wallet address as detailed at: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address. If you lose your seed phrase, follow the steps mentioned at: https://docs.code4rena.com/roles/wardens/warden-auth#what-if-my-wallet-was-hacked.", "Question: Is C4 operational on weekends and where can I find updates regarding the progress of my smart contract audit?\n\nAnswer: CodeArena (C4) typically does not operate on weekends. Therefore, you may not receive any updates or responses to queries during these days. 
During the weekdays, any updates regarding the audit of your smart contract, changes in procedures, or upcoming events are announced on our Discord channel (#\ud83d\udce2announcements) and also included in the C4 newsletter. If there are any changes in your Discord username, you can update it on your C4 account. However, it's advisable to submit such changes via our Help Desk for review by our developer team to avoid any authentication issues. For further queries or support, you can directly message the C4 staff members or use the Help Desk on our website. Please note that Help Desk requests are responded to during business hours. Also, if you're facing issues accessing our website or connecting your Discord account with your Code4Arena account, don't hesitate to reach out for help. You can find more information on the C4 judging process on our Twitter thread: https://twitter.com/sayan_011/status/1629011044516655104?t=DJz16iE54QkwLxkc3MrQtw&s=19.", "Question: Can we embed an image link in our submissions on the Code4rena channel, and if so, how?\n\nAnswer: Yes, images can be embedded in your submissions on Code4rena. This can be particularly useful in clarifying your proof-of-concept. To do this, you can use markdown to link images externally. A suggested method for embedding images includes creating an issue on a private repository, dropping your images there, and grabbing the markdown snippet with the CDN URL. Alternatively, you can register a free account on https://cloudinary.com/, upload the image, and copy the image URL. Project screenshots can be added following the guidelines mentioned here: https://www.markdownguide.org/basic-syntax/#images-1 or https://discord.com/channels/810916927919620096/810931711609143326/1083239106223546420. If you need to provide a larger proof-of-concept that cannot be embedded directly in the issue, you may provide a link to a gist. 
Remember, for any profile-related help or queries, you should direct them to the #profile-help channel.\n", "Question: How are winners determined in a CodeArena contest?\n\nAnswer: Winners in a CodeArena contest are determined through a comprehensive process that starts immediately after the contest ends. The process involves various stages including Sponsor Review, Judging, Awarding, and Reporting. \n\nFirstly, the findings from the contest are reviewed by the contest sponsors. The review process includes ascertaining the severity, validity, and quality of the findings. \n\nNext, the reviewed findings are passed on to the judges. The judges are chosen based on their experience and reputation and their identities are not disclosed before the contest. These judges also get a share of the prize pool as an incentive for their contribution. \n\nAfter judging, the winners are awarded based on the judges\u2019 decisions. It's important to note that sometimes, more than one participant can be rewarded. In such cases, each team decides how they wish to split their portion of the contest's reward amongst themselves. \n\nThe final step is reporting where the final published report is released, allowing participants to see the results of their submissions. The timeline for publishing contest results depends on the time taken for judging. \n\nSpecific details about the awards can be found here: https://docs.code4rena.com/incentive-model-and-awards \n\nThe process of distribution of rewards among winners is determined after observing the scoring of initial contests and the reward amounts in contests are provided by the sponsor. \n\nLastly, the rewards are sent out manually in batches for multiple contests at a time, separate from the announcement of the awards.\n\nPlease note that there may be some variation to this process depending on whether the contest is public or private and the specific scope decided by the sponsors. 
In case of any specific questions about a contest, participants are encouraged to connect with the respective sponsor.", "Q: How can I upload and embed images in my smart contract audit report on CodeArena's Discord?\n\nA: There are numerous methods available to you for uploading and embedding images in your report. Firstly, you can upload an image when submitting a report by registering a free account on https://cloudinary.com/, uploading the image and copying the image URL. Alternatively, you can use the markdown snippet with the CDN URL method which involves creating an issue on a private repo, dropping images there, and then grabbing the markdown snippet with the CDN URL. \n\nIf you are using a markdown in your report, you can refer to the guidelines at https://www.markdownguide.org/basic-syntax/#images-1 for adding images. Another method would be to upload the images to your Gist, submit the report with the Gist link, and later delete the Gist. Please note, the image should render correctly for it to appear in your report. \n\nIf needed, you can find guidance for adding screenshots in your submissions at https://discord.com/channels/810916927919620096/810931711609143326/1083239106223546420. If the proof of concept (PoC) for an issue is too large to embed directly in the report, you can provide a link. \n\nRemember, you can add pictures in the report to help explain your proof of concept. In case of any queries or doubts, the best place for clarification would be the contest channel in Discord or you can ask in the general channel for security discussions. If it relates to a specific topic or contest, please ask in the designated channels.\n", "Question: Who is eligible to participate in private auditing contests at CodeArena (C4), and what are the requirements for becoming a certified warden?\n\nAnswer: To participate in a private auditing contest at CodeArena (C4), an individual needs to be a certified warden. 
The process to become a certified warden involves competing in audit contests, with additional requirements possibly including participation in a certain number of those contests and the discovery of a certain number of valid findings or reports. \n\nRanking on the leaderboard can also enhance a warden's ability to qualify for private contests, but it's important to note that private audit contests are not strictly open to only top-ranking wardens. High-ranked teams are also eligible to compete in invitation audits that prioritize highest-ranked wardens.\n\nFor those who have been absent from C4 for a while but wish to participate in an audit contest, they can log into their account to compete. It should also be noted that there's a difference between a Certified Warden and a Certified Plus Warden - the latter has some entry requirements and gets access to private repositories after a contest has ended. \n\nA certified warden may have the opportunity to audit private contests to a certain extent, but there might be additional conditions, and the eligibility criteria for each opportunity are usually listed in #\ud83d\udd96rsvp-certified.\n\nThe required information on how to become a certified warden to participate in private contests can be accessed at these links: [Certification Process and Constraints](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints) and [Certified Warden Guide](https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0).", "Question: What is the process for creating and submitting gas reports for smart contract audits at CodeArena?\n\nAnswer: At CodeArena, gas reports play an important role in smart contract audits. To create a gas report, users typically utilize tools like Hardhat or Foundry, which help in benchmarking the code for potential gas savings. 
As for the format of the report, there are templates and guides available to aid users in creating well-structured reports.\n\nWhen compiling your gas report, it's essential to include the amount of gas saved for each finding. If you have multiple ideas about gas optimizations, it is advised to write them separately and then consolidate them into one report. This helps ensure a comprehensive review of potential optimizations. All findings related to gas optimizations should be grouped under this report, and known issues should be excluded.\n\nParticipants are allowed to submit one combined gas report and one combined QA report per contest. If you have additional findings after submitting your report, you can add them by navigating to the contest page and clicking the 'Your Findings' button. These reports can also be edited while the contest is open.\n\nIt's worth noting that the level of detail required for QA and Gas Optimization reports isn't as comprehensive as for high severity issues. Thus, it may not always be necessary to create a report for 1-2 Low and 1-2 Gas issues unless they provide substantial value.\n\nIf you're looking for further guidance on how to prepare a Gas and QA report, this video tutorial can be helpful: https://www.youtube.com/watch?v=nady250cNo4. Besides, you can find examples of top QA/Gas reports at https://code4rena.com/reports.\n\nRemember, gas optimization and gas reports are indeed the same, and bot-generated reports should theoretically include all kinds of findings, including high, medium, low, non-critical, and gas-related issues. 
However, there are restrictions on submitting more than one report of gas optimization in a contest, as it's recommended to compile all findings into one report.\n\nIn conclusion, creating and submitting a gas report for CodeArena involves a meticulous process of compiling all findings, optimizing for gas savings, and following the prescribed format, with an emphasis on consolidating ideas and findings into a single report.", "Question: How do I know if a contest on CodeArena is public or private, and how can I participate?\n\nAnswer: CodeArena hosts both public and private contests. You can identify whether a contest is public or private by checking the #\u270brsvp channel on our Discord server, which hosts the RSVPs for all contests. Public contests will be listed in the public RSVP channel, while private contests have their RSVPs available in a channel only visible to certified wardens.\n\nTo participate in a public contest, you simply need to follow the announcement and relevant instructions posted in the #\u270brsvp channel. However, for private contests, participation depends on certain metrics or prerequisites. These contests are typically 'Versus' contests, involving 3-5 certified wardens, and are often open only to top wardens.\n\nPlease note that the findings from a contest remain private until the report is published. And while all contests, both public and private, are listed on the CodeArena website, the specific details regarding the scope of a contest can be addressed to the respective sponsor. The contest details are also available in the #\u270brsvp channel for wardens to decide whether they want to compete. \n\nFor any further inquiries about viewing all submissions after a contest or understanding the rules for submissions, please refer to the respective contest info or reach out to us directly. 
Remember that making findings \"public\" before a contest is finalized is against our submission rules.", "Q: What are some good resources to study Geth node and Web2 security in the context of Web3 for both beginners and advanced learners?\n\nA: There was much discussion about this topic in our community. Starting with basics, resources such as CryptoZombies.io and CaptureTheEther.com were recommended for beginners who want to start learning about smart contracts and solidity. As you progress and want to dive deep into smart contract auditing, consider visiting https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources for more in-depth knowledge.\n\nFor advanced learners looking for challenges and industry standards, The Ethernaut challenges and Damn Vulnerable DeFi were recommended. Here are the links: https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/. If you are interested in blockchain forensics analysis, especially around hacks and incidents in smart contracts, you may consider learning from Mythril and Slither.\n\nCertain aspects of web2 security also apply to web3 security. For instance, the practical understanding of web2 security, including DDOS attacks, could be beneficial in the context of web3 security. However, it's important to note that the community has different opinions on this -- some believe that while web2 and web3 share a common mindset, focusing on what you individually enjoy and are interested in is more crucial.\n\nThere was a specific discussion about exploiting a Linux kernel 0day and RCE on the node to compromise an Ethereum node, demonstrating the overlap between web2 and web3 security concerns.\n\nFor specific resources on Solidity, you might find https://solidity-by-example.org/0.6 and https://docs.soliditylang.org/en/v0.7.5/ useful. 
If you're interested in the math behind solidity projects and their accountings, you could check out this YouTube resource: https://www.youtube.com/@smartcontractprogrammer. \n\nIf you're specifically looking into learning more about Cosmos, you can consider these resources: https://academy.terra.money/courses/cosmwasm-smart-contracts-i and https://github.com/Anchor-Protocol. \n\nFinally, OpenZeppelin webinars are considered practical and useful for auditors. You can start with their first video in the series: https://youtu.be/6GaCt_lM_ak. \n\nRemember, studying smart contract security and web3 involves a continuous learning process and it's essential to stay updated with the latest tools, vulnerabilities, and mitigation techniques.\n", "Question: How can I verify the payout for vulnerability issues, understand the process of reporting vulnerabilities, and know which bugs have been identified already?\n\nAnswer: The payout for vulnerability issues can be checked by using the wallet address with which you registered. You can use websites such as polygonscan.com or debank.com to help with this. If you wish to report a vulnerability, you can submit a detailed report, including any Proof of Concept (POC) if available. The POC can clarify your process, even without a live example, and could potentially be rewarded as highly significant if it is clearly described in bullet points. You can include screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected area. \n\nYou can find already identified vulnerabilities by searching for your username or handle in the GitHub repo. Past contest reports, which reveal vulnerabilities, can also be used for learning purposes. 
It is important to note that if a vulnerability is found in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding or you can directly message the project.\n\nIn terms of payouts, it's important to note that there's no difference in payout between the first to find a bug and anyone else who finds the same bug. The overall value of the bug bounty is reduced and split based on how many people find it. If no Medium/High vulnerabilities are found, the full award pool would be divided based on the QA Report curve. The calculation for the reward for a medium/high finding can be found [here](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs).", "Question: What is the procedure for submitting gas optimization reports in contests on CodeArena and how are they considered in the overall contest?\n\nAnswer: In CodeArena contests, each participant is allowed to submit one gas optimization report. Gas optimizations are usually automated findings that can be uploaded after starting the contest. If there are additional findings, they can be added to the report by going to the contest page and clicking the 'Your Findings' button. \n\nReports can be submitted through the contest submission form on the CodeArena website. However, if the report exceeds the character limit, users can submit a placeholder and email the report to report@code4rena.com. More information can be found at: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.\n\nWardens are reminded to consolidate all their findings into one report. The amount of detail required for gas optimization reports is generally less comprehensive than for high severity issues, but judges may require you to specify how much gas is being saved for each optimization. 
\n\nIt's important to note that not every issue reported by a warden within an hour of a contest's start is considered a bug. For example, if an issue identified in an automated finding could lead to a high severity finding, it could be reported again during the contest by a warden and could be given a higher severity.\n\nYou can find examples of top QA and gas reports from previous contests at https://code4rena.com/reports. While the platform allows viewing reports from other wardens even after contests have ended, visibility may vary if there is no table with results.\n\nRemember, the submission guidelines can be found at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. Some contests may not include gas optimizations in the final report if there wasn't a gas pool for that particular contest, as demonstrated here: https://code4rena.com/reports/2022-04-dualityfocus.\n\nIt's worth noting that there is some discrepancy in acceptance of gas optimization reports, with certain judges refusing them while others accept them. Judging criteria for gas optimization and report selection in a contest may vary, and it is advised to review the guidelines and past contests for a better understanding.", "Question: I'm having trouble logging in to Code4rena. How can I get assistance?\n\nAnswer: We apologize for the inconvenience. Code4rena provides assistance through its help desk facility. You can submit a help request by visiting https://code4rena.com/help. When creating your help desk request, please outline the issues you are facing to make it easier for our team to assist you. This could be issues with your username, password, or difficulty linking your Twitter account to your Code4rena profile. If you've forgotten your registration wallet address, or are having problems with contest security issues, these can also be addressed through the help desk. 
Also, there's an alternative link for help desk requests at https://old.code4rena.com/help/. Our team is dedicated to resolving your issue as quickly as possible.", "Question: How can I participate in private audits at CodeArena?\n\nAnswer: Participating in private audits at CodeArena requires certification. To start, you should complete the KYC process and then obtain your certification. Certified wardens are typically eligible to join private audit contests, although there may be additional conditions that need to be met. Once certified, you can join teams for audits or participate solo. After Provenance confirms your certification, you will be permitted to participate in private audits. It's important to note that the certification process has constraints and specific conditions. You can find more details about the certification process at the following links: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints and https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0. Be aware that different projects may have different audits and that the timing for becoming a certified auditor can vary. Also, please note that registration is not needed for public audits.", "Question: How are gas reports used and prepared in CodeArena?\n\nAnswer: Gas reports in CodeArena are primarily used for auditing smart contracts with the aim of optimizing gas usage. These reports detail how much gas is consumed by a contract and offer suggestions on how to minimize gas usage. Participants are advised to make a single consolidated report stating all findings related to gas optimization. \n\nThese reports can be generated using tools like Hardhat & Foundry, specifically with the Hardhat gas report plugin to benchmark code for possible gas savings. However, the exact amount of gas saved for every finding is not always required and is often based on the judge's decision. 
\n\nIn terms of structuring, several ideas about gas optimizations can be written separately and then merged into one report. Users are also permitted to edit existing findings. Known issues, however, should be excluded from these reports. \n\nIt's important to note that the level of detail required for such reports is not as comprehensive as for high severity issues. Contest participants can submit one combined gas report and one combined QA report, and even though the purpose of gas reports is not specifically clarified, it's generally seen as beneficial to show proof of concept for the gas saved, or at least a description and the amount of gas saved.\n\nIn terms of grading and rewards, the gas optimization pool is shared among the reporters and is awarded based on the score of each gas report. You can learn more about this process in the official documentation [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic). Examples of top gas reports from previous contests can be found [here](https://code4rena.com/reports).\n\nIf you need additional guidance on how to prepare a Gas and QA report, you can refer to this [video tutorial](https://www.youtube.com/watch?v=nady250cNo4). To add more findings to your gas report, navigate to the contest page and click the 'Your Findings' button. Gas reports that have been uploaded can be changed on the contest details page under \"your findings\".\n\nPlease remember that the worth and validity of gas report submissions, especially when improvements are shown in important functions, depend largely on the judges and the specific contest rules. For instance, there might be a debate on whether the use of storage instead of memory in the view function fits into the category of a gas report or a QA report. 
Therefore, it's always recommended to understand the guidelines of the contest you're participating in.", "Question: What platforms or tools can one use for cross-chain transactions between Polygon and Ethereum and what are the considerations for using them?\n\nAnswer: For cross-chain transactions between Polygon and Ethereum, you can use third-party bridges like Wormhole or Celer. Alternatively, the Polygon bridge (https://wallet.polygon.technology/) can be used to move funds back to the mainnet. If you're aiming to bridge from Polygon to Ethereum and later withdraw USDCs on Coinbase, the Polygon bridge requires both Matic and Eth. However, this could result in less USDC being received on the Ethereum Mainnet. An alternative is the Hop Bridge, which only needs Matic but might yield less USDC on the Ethereum Mainnet. \n\nIt's important to note that while these platforms facilitate cross-chain transactions, the conversion process, and factors like gas fees may differ. For instance, gasless swaps can be performed at https://polygontimes.com/swap-for-gas-instant-gasless-matic-tokens-on-polygon-pos/. \n\nFor monitoring tokens and managing transactions, you can use https://polygonscan.com/address/. Additionally, deposits into platforms like Coinbase can be made directly from Polygon. However, the cheapest way to swap ERC tokens might be using a DEX aggregator like https://app.1inch.io. \n\nRemember, when using these platforms, it's crucial to understand the specific requirements and potential trade-offs. As always, do thorough research and seek expert advice before making any decisions. 
\n\nPlease be aware that this information could change as new solutions emerge, and fees or other factors may vary depending on the specific context and timing of your transaction.", "Question: How can I become a certified warden and gain access to private content and contests at CodeArena?\n\nAnswer: To become a certified warden and access private content and contests, you need to complete a few steps. Firstly, you will have to register as a warden. This can be done by joining the #\ud83d\udc3ai-want-to-be-a-warden channel on our Discord. After this, you'll need to complete the Know Your Customer (KYC) process, which is a standard procedure to confirm your identity.\n\nOnce you've registered and completed the KYC, you can then proceed with the certification process. This involves a series of steps that are detailed on our website at this link: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nOnce you have completed these steps and become a certified warden, you can then participate in private contests and access private content, including the team-formation channel and the contest preview channel. Plus, you will have access to our private channel for certified+ wardens, which offers assistance with various process-related tasks. \n\nRemember, to be marked as \"Available for Hire\", you must be a Certified warden. This status can be added via the profile editing screen. If you have any further questions about becoming a certified warden, feel free to ask in our Discord community.", "Question: How does the bug finding and payout process work in CodeArena contests, including how contest awards are distributed and where can one find past contest rewards?\n\nAnswer: CodeArena conducts audit contests similar to bug bounty programs, where individuals or teams, known as \"wardens,\" hunt for vulnerabilities in smart contracts. 
Contests are announced in advance and upon completion, a detailed report about the bugs found is released. These reports can serve as learning material for future contests and can be found at https://code423n4.com/reports.\n\nThe rewards or bounties for each contest are split among those who find bugs. Importantly, there is no difference in payout between the first person to find a bug and any subsequent person who finds the same bug. Instead, the overall value of the bug is reduced and split based on how many people find it. The value of each bug is determined by its severity, with each finding earning a share of the overall contest pot. \n\nUpon discovery of a bug, users submit their findings via a form on the contest\u2019s website. Users can view or edit their own submissions for open contests. Once a bug is submitted, it remains confidential until the contest is over and the judging process has been completed to ensure fairness. It's also possible to alter the severity of reported bugs after the closing time of the contest, either through the PR or by contacting one of the judges.\n\nA detailed list of rewards for each warden for each bug per contest is available at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. This list can give you an idea of how much a finding was worth in past contests. However, it should be noted that there isn't a specific bug-payout list for every contest.\n\nFurther information on the incentive system and reward calculation can be found at https://docs.code4rena.com/, including a comparison of CodeArena's operations to traditional bug bounty platforms. For a more in-depth understanding of how rewards for medium and high-risk bugs are calculated, you can refer to the formula provided at this link: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. 
\n\nTo summarize, the CodeArena process involves a time-limited experiment to find and report bugs, with a guaranteed pot for each contest that is split among those who find vulnerabilities. Keep in mind that common findings are usually out of scope, as they are picked up by the C4udit tool, so unique and high-severity bugs have the potential for higher payouts.", "Question: How can I become certified to participate in private audits on CodeArena?\n\nAnswer: To participate in private audits with CodeArena, you must first become a certified warden. This involves completing the Know Your Customer (KYC) process and meeting certain conditions. Once certified, you are generally eligible to participate in private audits, although additional criteria, such as leaderboard rankings, might be required for some contests.\n\nTo become a certified warden, you will need to compete in audit contests, which will provide valuable experience and improve your understanding of audit reports. Upon completion of the certification process within 30 days of the end of the audit, you will be eligible to receive your payout. \n\nWhile certification is usually sufficient to participate in private audits, note that there are three types of audits: public, private, and invitational. For invitational audits, only specific wardens are invited. \n\nYou can join a certified team to participate in audits, and in some cases, private contest participation is only open to those who originally participated in the audit. Each opportunity has its own eligibility criteria, which are listed in the #\ud83d\udd96rsvp-certified channel. 
\n\nFor more details about certification and to register as an auditor, visit: https://docs.code4rena.com/roles/certified-contributors and https://docs.code4rena.com/roles/wardens.", "Q: How can I know if the Rubicon contest on CodeArena is open to everyone, and how can I access it?\n\nA: The contest's status, whether public or private, is usually determined by the contest sponsor and can be found in the contest details. For specific information about the Rubicon contest, you can check the #\u270brsvp channel on our Discord server. If the contest is listed in this public channel, it's an open contest which anyone can join. \n\nSometimes, contests may require certain prerequisites or metrics; for example, private contests are only accessible to certified members. You can see the qualification details in the #\ud83d\udd96rsvp-certified channel. If you're a certified member, remember you're not obligated to participate in every contest. \n\nAdditionally, once a contest repo is made public, all submissions are available to everyone, regardless of their validity. You can access the contest page at https://code4rena.com/contests for information about all of our open competitions.\n\nPlease note, the scope for contests is decided by the sponsors, so if you have specific questions about the scope for the Rubicon contest, reaching out directly to the sponsor via their contest channel or direct message might be helpful. If the contest is still ongoing, participants can upgrade the risk level of their findings.\n\nIt's also important to mention that certified status grants users access to more contests. If you're interested in getting certified, this could open up more opportunities for you.", "Question: Should I report an issue if I notice there are not enough decimals in the code and how should I determine its severity?\n\nAnswer: Yes, you should always report any issue you find, even if you're unsure about its severity or impact. 
In the case of insufficient decimals, this could potentially lead to a loss of precision in the context of the specific code, which can have a significant impact. However, it's important to understand that the decimals() function is technically optional according to the ERC-20 standard, and other contracts must not expect these values to be present. You can read more about this in the EIP-20 documentation at https://eips.ethereum.org/EIPS/eip-20. \n\nWhen reporting, you may consider multiple factors such as the loss of precision or possible ways of exploitation. If you're unsure of the severity, it's recommended to submit your findings and possibly direct message the sponsor team for additional context. Your report should ideally contain a Proof of Concept (PoC), as findings without a PoC may be disregarded unless the issue is extremely obvious. Remember, there are no negative consequences for reporting something that you are uncertain about, but it's recommended to withdraw reports if you find out they are not valid to save the judges' time.", "Question: What is the process and timeline for the C4 team to confirm my certification proof, and add a certified role to my discord?\n\nAnswer: The process starts with registering with Provenance and getting your KYC approved. Once approved, your certification status is typically updated by the C4 team within 2 to 5 business days. This means the 'certified' role on Discord takes roughly the same amount of time to reflect on your profile. After the KYC approval, if there's a delay in the reflection of your certified role, you can open a help desk request at https://code4rena.com/help. To check your status, you can click your name to see the assigned roles or through email communication. 
Instructions on how to get started with the certification process can be found at https://docs.code4rena.com/roles/certified-contributors and further details can be found on our Discord channel at https://discord.com/channels/810916927919620096/810931711609143326/1092758105646960711. Please note that the C4 team is continuously working on improving the tools and procedures to speed up these steps.", "Question: What does being a Certified Contributor in CodeArena entail and what privileges does it grant?\n\nAnswer: A Certified Contributor in CodeArena is a user who has applied and been approved for the Certified status, a process which can be started at https://docs.code4rena.com/roles/certified-contributors. This status is not obligatory for participation in all contests, though it does open up more opportunities for contributors. Certified contributors are granted access to a wider range of contests, including ones that require certification for payouts if any submissions are awarded. \n\nTo participate in private contests and to gain permission to audit them, users are generally required to be certified. Additionally, Certified contributors who meet certain criteria, such as a specific number of valid findings and contest participations, can join the backstage area, gaining access to the contest repository after its closure and before the public report release.\n\nIt's also important to note that users can apply to be a Certified Contributor with multiple accounts, provided they only participate with one. Some contests may require a KYC (Know Your Customer) process for receiving prizes, and Certified contributors have completed this KYC process. \n\nWhile being a Certified Contributor grants more access and opportunities, participation in contests remains a choice, allowing users to engage in contests that match their interests and capacities. 
Therefore, the Certified status is a way for users to enhance their participation in CodeArena, offering them a chance to improve their skills, contribute more, and have access to more extensive resources.", "Question: If I disagree with a judge's decision on my issue, such as a rejection, can I open a discussion or escalate the matter? \n\nAnswer: Yes, you can open a discussion if you disagree with a judge's decision on an issue. CodeArena has a process that allows participants to discuss or argue their case if their submission is rejected. You can ask judges for feedback about issues to understand the reasoning behind the ruling and to see what could be improved. If you believe that an issue has been incorrectly marked, like being downgraded or discarded despite being high risk, you can speak with the judge to re-evaluate the finding, provided you have backstage access. This also applies if an issue is labelled as \"sponsor-disputed\" without an explanation. \n\nIf your issue, initially submitted as a high severity one, is disagreed upon by the judge, it might be downgraded, but you will still be awarded unless the judges invalidate it for overinflating severity.\n\nIn cases where you disagree with a decision about a contest judgement, you can review issues at https://github.com/code-423n4/org/issues. You can add comments on existing issues, support existing suggestions, or open a new issue if your concern is not addressed.\n\nIf you disagree with a judgement decision and the contest has already been judged, there is no recourse. However, you are advised to submit such cases and let the judge weigh in. If you feel a centralization risk should be flagged, you can report it, stating all your reasons for the judge to make the final call.\n\nThere's also an appeal process for valid findings classified as invalid, which is detailed in the documentation at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision. 
\n\nFor findings rejection, the judges are expected to provide reasons for classifying an issue as invalid or disputed. After a contest, you can review why your submission was not accepted once the report is out and the repository is fully opened. This allows you to see the discussion among sponsors and judges on the specific issue. \n\nRemember, the decision to ignore an issue or how to reward severity escalations in a contest report is ultimately up to the judge. However, you will receive feedback from the judge if a submitted finding is marked as invalid. The inclusion of high-risk findings depends on the specific contest and judge; submit your case accordingly.", "Q: I have passed the KYC process and received confirmation. Why can't I join private contests and what further steps should I take?\n\nA: After passing the KYC process, it is not an automatic guarantee you can join private contests. First, you need to receive the certified role on your Discord handle, which is given by the C4 team. This process may take up to 5 business days after we receive the KYC status update from Provenance, so patience is required. \n\nIf even after this period you cannot access private contests, it could be due to various reasons. The contest could have been already assigned, or perhaps you do not meet the minimum requirements for certain contests. In such cases, or if your KYC application seems to be pending for a longer time, you can submit a help desk request at: https://code4rena.com/help.\n\nGetting certified also involves becoming a \"certified warden\", and more details on this process can be found in the Code4rena documents: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.\n\nTo participate in specific contests and to be eligible for rewards, like the Chainlink contests, completion of the KYC process is necessary. This process usually takes a few days, though there have been instances where the wait time was longer. 
In this context, it is important to note that KYC (Know Your Customer) verification might be required to receive prizes for some contests. If you need further guidance on the KYC process, you can check this form: https://docs.code4rena.com/roles/certified-contributors.\n\nFinally, please note that while it is possible to participate and receive payouts without being certified, certain activities or contests may require certification or KYC verification.", "Question: What is the process and timeline to become a 'certified' role after completing the KYC process?\n\nAnswer: After you've successfully completed the KYC (Know Your Customer) verification, you can apply for a 'certified' role. The entire process is managed and approved by Provenance. After your application has been submitted, Provenance typically sends out the KYC confirmation email within one business day. Following this, there is a processing period which may take a few days before the 'certified' role is reflected on your profile. Meanwhile, you can check your status by clicking on your name to see assigned roles or through email communication. To become a certified contributor or a certified warden, you must follow the guidelines provided at: [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors). This certification is necessary if you wish to participate in an audit that requires KYC. Furthermore, certain prizes and payments, such as those for the upcoming arbitrum audit, may require you to be a certified contributor. 
In case of any delays or issues, you can open a help desk request at [https://code4rena.com/help](https://code4rena.com/help).", "Question: What happens after the Bot Races on CodeArena and does it involve making the winning bot code public?\n\nAnswer: In a Bot Race event on CodeArena, once the race is concluded, a report of the winning bot is made publicly available but the specific bot code is not disclosed, considering the bots as a warden's intellectual property. This is to protect the proprietary nature of the winner's bot code. The report will typically include any unique vulnerabilities discovered by the bot and is updated mid contest. The Bot Races are held for the first hour of an audit and if a bot finds a high or medium finding, it only gets the bot pool reward based on the bot race rank. To gain more rewards, the bot needs to earn more points, thus shifting the rank cut-offs and potentially moving other bots to lower ranks. Further information about Bot Races, including how to participate, check for qualifier results, and more, can be found at https://code4rena.com/register/bot. For additional assistance, participants can also refer to the #bot-race-help channel on their Discord.", "Question: Can the function callA(Aang a) perform the same actions as payable(a) in a smart contract, including calling a contract's own functions and checking for account existence before execution?\n\nAnswer: Yes, the function callA(Aang a) is structurally equivalent to payable(a) in the context of a smart contract. However, the specifics of what actions each function can perform depends on the implementation within the smart contract. \n\nMostly, these functions are used to facilitate interactions between contracts and accounts in the Ethereum network. For instance, one of the common uses of such functions is for calling a contract's own functions using a syntax like \"InterfaceA(address(this)).functionA();\". 
This would be considered an external contract call and would change the msg.sender value inside the function. It's also important to note that calling a view/pure function from a non-view/non-pure function in the same contract does increase the gas cost.\n\nBefore execution, it is often essential to check for account existence in the network. This validation is significant, especially when calling .call() on smart contracts to avoid errors and unnecessary gas usage. \n\nMoreover, the use of such functions extends to various applications, like facilitating transfers in token contracts, like safeTransferFrom function of an ERC-777 token contract, or being used in votes for specific actions in contracts. \n\nRemember that the gas cost of a contract can be calculated using various tools, and it is essential to optimize for gas, especially in function calls and storage-related operations. For instance, swapping the order of a function that first checks from storage, then checks the calldata, could optimize the gas.\n\nFinally, it's also important to note the possibility of delegate calls and state variable changes in the context of smart contracts. Concerns about these factors often come up in severity categorization in audits, since they can impact the contract's behaviour and overall security.\n\nHowever, it's always crucial to consider the contract's specific context and the expectations of the code when using these functions. Therefore, it's highly recommended to refer to best practices or discuss with professionals if unsure.\n\nSource: https://github.com/code-423n4/2021-11-overlay-findings/issues/111", "Question: How can I earn a leaderboard role on CodeArena's Discord server?\n\nAnswer: The leaderboard role on CodeArena's Discord server is given to participants who rank in the top 5 of a contest and have received the contest reward. After winning a reward and appearing on the leaderboards, your \"leaderboard\" tag should be updated in the roles. 
Ranking on the leaderboard is also crucial if you wish to gain permission to audit private contests, as this typically requires certification and a high leaderboard ranking. If you are interested in participating in private contests after certification, you need to RSVP in the rsvp-certified channel and ensure a high position on the leaderboards from the last 90 days. If you want to view the leaderboard, you can visit https://github.com/code-423n4/code423n4.com/issues?q=leaderboard.\n\nPlease note that besides the leaderboard role, there are other roles like the 'certified' role, the 'warden' role, and the 'backstage' role, which have different requirements and privileges. For more details on these roles, visit https://docs.code4rena.com/roles/certified-contributors/backstage-wardens and https://discord.com/channels/810916927919620096/810931711609143326/1092758105646960711.", "Question: After certification, how can I participate in private contests such as the Party Protocol - Versus contest, and get backstage access to a contest's repository?\n\nAnswer: After obtaining the Certified role, you are now eligible to participate in private contests. However, participation in these contests is highly competitive. For instance, the Versus contest only accepts a limited number of 5-8 high-performing wardens who RSVP. So make sure to RSVP in the rsvp-certified channel and maintain a high position on the leaderboard from the last 90 days. More details about this process can be found in the Code4rena documents [link](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints)\n\nTo access a contest's repository after it closes, and before the public report release, you will need backstage access. This requires Certified+ status, which involves additional entry requirements, such as participating in more than three contests and completing the certification process with ProvenanceDAO. 
Once Certified+, you will have earlier access to the findings repositories, where you can see what others have submitted and learn more quickly. More information about backstage access can be found [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). \n\nPlease note that some contests are only open to those who participated in the original audit. The KYC process may also be required to receive prizes for some contests. All these requirements are designed to ensure that our certified contributors are skilled and dependable, providing the best possible audits for our clients.", "Question:\nHow can I alter my profile image or logo on the CodeArena leaderboard?\n\nAnswer:\nTo change your logo or profile image on the CodeArena leaderboard, you need to submit a helpdesk request. This can be done by visiting https://code4rena.com/help and providing a link to your new logo or image in your request. Additionally, you can link your Twitter account to the Code4rena leaderboard by including your Twitter handle in this request. Please note that changes to other aspects of your profile, such as your handle or team name, may require a new registration and may impact your leaderboard standings or previous submissions. It's also worth mentioning that the leaderboard updates every time awards are announced, but not all contest types are currently supported. Finally, if you achieve a position in the top 5 in any contest, your profile will be automatically awarded the \"leaderboard\" tag.", "Question: What is the process for submitting gas reports and do I need to provide a Proof of Concept (PoC) or a snapshot showing the gas saved?\n\nAnswer: When submitting gas reports for audits on CodeArena, it is recommended that you include a snapshot showing how much gas would be saved via the refactored code. 
The purpose of a gas report is to demonstrate improvements in gas efficiency, thus specifying how much gas is being saved can impact the grading of your submission. \n\nAs for the Proof of Concept (PoC), it's beneficial to provide one when reporting an issue, especially in relation to gas optimization. You can fill the PoC section by providing direct links to referenced code in GitHub. Screenshots, logs, or any other relevant proof that illustrates the concept would also be useful. If your PoC is extensive, you can include it in a gist file or a public Github repository. You can also provide a diff of an existing sponsor-supplied test/contract. \n\nKeep in mind that the necessity to specify how much gas is saved and whether to include a PoC may vary based on the judge's decision and the nature of the optimization. Useful tools for generating a gas report include Hardhat & Foundry. \n\nRemember, all types of accepted reports from high-level down to gas optimizations are eligible for payouts, provided the report is of high quality, the findings are accurate, and there is a working proof of concept. More specific instructions on how to include a PoC can be found at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept. \n\nIn the end, it's essential to clarify any doubts about the submission process in the chat, as the CodeArena community is always ready to help.", "Question: How can I modify my C4 ID and other personal details associated with my C4 account?\n\nAnswer: To change your C4 ID, you need to re-register, but please note that your leaderboard status will not follow. If you want to change other details linked to your C4 account like your wallet, username, or Twitter handle, you can do so by creating a help desk request on https://code4rena.com/help. Similarly, updating your profile picture or payment addresses can also be done via the help desk or from your account screen respectively. 
\n\nHowever, when it comes to Discord, while you can update your Discord name on the Account Management page of your warden profile, it's recommended that your Discord nickname remains as your registered C4 username. If you're facing difficulties with any of the mentioned steps or need assistance, you can reach out to the C4 staff through a direct message or seek help from the #auth-help channel for login issues. \n\nThe C4 team strives to address and resolve any issues as swiftly as possible. In certain cases, like the change of a wallet address or other user status updates, the resolution can take a few days. Remember, any modifications to your C4 account should be made with caution to avoid any inconvenience. For instance, if your findings are submitted to the wrong contest, you will need to resubmit them to the correct contest and notify the C4 staff via the help desk.", "Question: How does the classification and grading of issues in High/Medium (H/M), Quality Assurance (QA), and Gas categories affect the rewards system and audit process at CodeArena?\n\nAnswer: The classification and grading of issues in H/M, QA, and Gas categories play a critical role in the rewards system and audit process at CodeArena. \n\nIf a QA issue is submitted, a judge can elevate its severity to Medium or High if necessary, which potentially increases the rewards for the finding. Similarly, if no High/Medium issues are found in a contest, the entire rewards may move down to Quality Assurance. The severity of an issue can be categorized as high, medium, low, or QA, with H/M issues generally carrying higher rewards due to their potential impact on the smart contract's functionality or security. However, the grading of these issues is not static and can be adjusted by judges. 
For instance, findings in the QA report that are initially classified as high or medium could be downgraded to low/QA, and these are added to the warden's QA report.\n\nIn case of a mismatch between documentation and the code, it is mostly categorized as a QA issue if it doesn't have a significant impact. However, if a low issue/non-critical (QA) bug also reduces gas usage, it should be included in the QA category with a mention of the gas savings.\n\nMoreover, if a finding is submitted as low in the QA report, but the judges determine it's a medium, it will be eligible for medium rewards. In fact, if a low-impact QA report potentially becomes a high-impact report due to the judges' assessment, it can be upgraded. But it's important to note that part of the auditing process involves demonstrating an understanding of how an issue could be exploited. Without demonstrating such understanding, the job is considered only half-done. \n\nWhile the new award philosophy potentially encourages fairer competition, there's a concern that it may not motivate the best efforts in QA/Gas reports. To understand more about the grading and rewards system, you can refer to this link: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.", "Question: How can I check for opcode usage in smart contracts on-chain?\n\nAnswer: It is indeed possible to check for opcode usage in smart contracts on-chain. A tool you may find helpful for introspecting contract execution at the EVM opcode level is \"foundry debug\". It can provide a deep dive into the contract's operation at the opcode level. Additionally, OpenZeppelin's Address library can be used to check for account existence before calling .call() on it in smart contracts. \n\nFor further learning about opcode, you can visit https://www.evm.codes/. 
It's a great resource to understand Ethereum Virtual Machine (EVM) opcodes. \n\nIt's also worth mentioning that tools like Mythril and Slither are available for helping with testing and auditing of contracts in general. Users have also expressed interest in tools that can verify if a contract has been initialized on the Ethereum mainnet and plugins that can check solidity code for syntax mistakes, similar to the functionality of the online Remix IDE. While these may not directly check for opcode usage, they can prove useful in the auditing process. \n\nPlease note that while the tools and techniques mentioned can assist in checking for opcode usage, individual use cases vary and may require additional strategies or tools.", "Question: How can I effectively highlight and reference code in GitHub for CodeArena audit reports?\n\nAnswer: To highlight multiple lines of code on GitHub, you can click on the starting line, then hold down ctrl + shift and click on the last line you wish to highlight. To reference these lines in your report, simply click on the line number to generate a URL that can be copied and pasted into your report.\n\nIf you're adding the code to your report, remember to use Markdown (MD) formatting to create a code block, which can be done using three backticks (```). You can specify the language for syntax highlighting (for instance, ```solidity for Solidity code). To include line numbers in your code snippet, you might find the VS Code extension 'Copy With Line Numbers' useful. \n\nWhen writing up high/medium findings, it is recommended to include both the GitHub permalink for the affected code block in the 'Links to Affected Code' section and add a formatted code block in the report's body. For extensive code, it might be more appropriate to link to a private repo on GitHub under the 'Proof of concept' section. 
\n\nEnsure that you follow the guidelines provided [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks) for advanced formatting and creating permanent links to code snippets, and [CodeArena's submission policy](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept) for more information. Please note that adding a link to a sponsor's Github repo code in a findings report doesn't automatically pull in the code snippet into the report. \n\nRemember, the best practice is to make your code and findings as clear and as easy to understand as possible. This might involve using markdown to format your code, using syntax highlighting, and careful linking to specific lines of code or whole files on GitHub.", "Question: What is the scope of the findings listed in the best bot-generated report for a contest and how does it impact the contest?\n\nAnswer: Findings listed in the best bot-generated report for a contest are out of the contest's scope in the same way as current \"Automated Findings\". This means that they are considered known issues and are not eligible for submission in a contest. However, findings in non-best, unpublished bot-generated reports are still eligible for submission. It's worth noting that if a finding in a contest's bot report is ranked as low severity but a participant escalates it to a high severity finding, it is not automatically invalid. Participants are required to provide strong evidence to demonstrate a relevant High or Medium severity exploit path for such escalated issues to be considered satisfactory. Participants can track their report status and see and edit their findings in the \"findings\" tab next to the contest description. The final report for a contest doesn't include findings from wardens whose submissions were not accepted. 
However, participants can review the submissions for a contest after the report has been published and the findings repo is made public. More details about the policy regarding automated findings can be found at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).", "Question: What type of findings should be included in the bot-generated reports, and how should these findings be categorized and reported?\n\nAnswer: Bot-generated reports should ideally encompass all types of findings, from high, medium, low, non-critical, to gas-related issues. However, the way these findings are reported varies depending on their severity and type.\n\nHigh, medium, and low severity vulnerabilities, as well as gas optimizations, are generally the focus. For medium and high severity findings, each issue should be submitted as a separate report. Low severity or non-critical issues, also referred to as Quality Assurance (QA) findings, can be grouped together in one report. If a QA bug also reduces gas, it should be mentioned in the QA report. If the issue pertains solely to gas savings, it can be classified from QA to Gas.\n\nGas optimization reports should ideally aggregate all findings related to gas savings. When reporting gas optimizations, it's beneficial to mention the amount of gas saved for every finding.\n\nReports of high quality, accuracy, and with a working proof of concept are eligible for payouts across all levels of findings. You can find information about the average payout for gas optimizations, non-critical findings, and low-risk findings in the findings.csv file on C4's website repository [insert link here].\n\nWhen escalating a low severity finding from a bot report to a high severity, it's important to provide strong evidence demonstrating a relevant High or Medium severity exploit path. 
The policy for such cases is explained at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. \n\nFinally, remember to exclude known issues from gas reports and to classify a finding relevant to both QA and gas savings appropriately\u2014judges may decide where it best fits. Tools like Hardhat & Foundry may assist in generating a gas report.\n\nFor further insights, you can review examples of top QA/Gas reports and winning reports in CodeArena contests at https://code4rena.com/reports.", "Question: If a vulnerability is reported in an unpublished, non-best bot-generated report and rewarded, can it still be reported again as an individual vulnerability with potentially higher severity and receive another reward?\n\nAnswer: Yes, vulnerabilities identified in non-winning, unpublished bot-generated reports are still eligible for submission. If an issue originally rated as low severity by an automated tool is escalated to a higher severity by a Warden during a contest, the submission is not automatically invalidated. However, Wardens using automated tools must provide strong evidence demonstrating a High or Medium severity exploit path for the submission to be considered satisfactory. The criteria for judging such cases is explained at this link: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. \n\nIt's important to note that if a Warden reports an issue that was classified as low risk in the QA report and it is later judged as medium, the issue will usually be upgraded, making it eligible for medium rewards as per the guidelines at this link: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum. \n\nIn any case, if no Medium or High vulnerabilities are found, the full award pool would be divided based on the QA Report curve. 
This situation is considered a rarity. More detailed information about awarding can be found at this link: https://docs.code4rena.com/awarding/incentive-model-and-awards.\n\nAlso, please be aware that if the same vulnerability is reported by multiple Wardens with different severities, they are given the same severity for the award calculation, due to the deduplication process and the judging/determining severity that happens afterward.", "Question: What is the recommended process for submitting gas optimization reports to CodeArena, and what kind of information should be included in these reports?\n\nAnswer: When submitting gas optimization reports to CodeArena, it's recommended to include a snapshot showing the potential gas savings achieved by the refactored code. You can use tools like Hardhat and Foundry to generate these reports. To provide the most value, the amount of gas being saved for each optimization should be specified, although the necessity for this depends on the judge's decision. \n\nThe reports should not include known issues; these are listed in the common issues section at https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md. It's also suggested to report any gas optimizations separately from quality assurance (QA) findings. \n\nWhile not all gas optimizations are valid when the optimizer is enabled, it's still important to include them in your report. Proof of Concept for the gas saved can impact the grading of the submission. However, the level of detail required for QA and Gas Optimization reports is not as comprehensive as for high severity issues. \n\nFor reference, you can find examples of top QA/Gas reports in past contests at https://code4rena.com/reports. If your gas report exceeds Github's character limit (~65k characters), you can email it to submissions@code423n4.com. 
\n\nPlease note that all types of reports, ranging from high severity to gas optimizations, are eligible for payouts given they are accurate, of high quality, and include a working proof of concept. However, there's currently no specific incentive for reporting QA type of issues as sponsors are more interested in high/medium/low severity vulnerabilities and gas optimizations.", "Question: How can I format, highlight, and reference code in CodeArena reports?\n\nAnswer: To format and highlight code in CodeArena reports, you can use Markdown (MD) format and specify the language for syntax highlighting. Reports support MD format, which allows you to add code blocks. \n\nHere are a few steps on how to do this:\n\n1. Code blocks can be created using three backticks (```), and the language of the code can be specified using the name immediately after the backticks (e.g., ```solidity for Solidity language).\n\n2. Code can be highlighted on Github by clicking on the starting line of code, then holding down ctrl + shift and clicking on the last line to highlight. To link to specific lines of code on GitHub, click on the code line on the left tab which will change the URL. Holding SHIFT can capture a range of lines.\n\n3. If you're working with Solidity, you could add Solidity syntax to your code blocks using the MD format. Alternatively, javascript presets are often used for Solidity.\n\n4. In the 'Links to Affected Code' section of high/medium findings, you can add the GitHub permalink for the respective code block.\n\n5. If you're using VS Code, there is an extension called \"Copy With Line Numbers\" that provides code snippets with line numbers.\n\nRemember, when showing places of vulnerability, it's recommended to include both the URL to the repository with the line number and a code block. 
The method of providing code for a test depends on the length of the code - either by adding it directly to the report under 'Proof of concept' or linking it on some private repo on Github.\n\nFor more information on Markdown syntax and creating highlighted code blocks, refer to this [Github Guide](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks). For detailed submission policy, check out this [Code4rena Guide](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).", "Question: Can I use Remix for auditing smart contracts and are there any other tools or plugins for checking Solidity code for syntax mistakes?\n\nAnswer: Yes, Remix can be used for auditing smart contracts but it can be somewhat tricky, especially with Foundry. To compile the code on Remix, you can clone the whole repository and install the dependencies with Forge. Alternatively, you can manually include the contracts on Remix from the OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate). \n\nIf you're looking for other tools to check Solidity code, you may want to consider tools like Mythril and Slither for testing contracts downloaded from GitHub. If you're using \"slither\" alongside foundry's remappings, remember to identify those remappings for slither. \n\nSome users also find eth-brownie useful for mocking contract deployments. If you're interested in graphical interfaces for observing smart contract interactions, Surya (https://github.com/ConsenSys/surya) could be a potential tool, although it might be outdated. \n\nFor a more innovative approach, there's a suggestion to visualize a smart contract into respective shapes, and then train a model based on these shapes to predict the vulnerability of future contracts. 
\n\nFinally, if you're facing issues, you can always write to submissions@code4rena.com for assistance.", "Q: Can you elaborate on the process and rewards of the \"Mitigation Review\" mentioned in the Caviar contest post, which specifies a reward of $8,100 USDC for the top 3 wardens?\n\nA: The Mitigation Review as featured in the Caviar contest post is a subsequent phase of the contest where the top ranking wardens from the initial contest are invited back to review the mitigation of bugs identified in the first round. This review is limited to these top wardens and has a specified prize pool of $8,100 USDC for this contest. Although the rewarding formula for this mitigation contest is not specified, the award value can significantly vary depending on factors such as the level of detail in the finding submission, inclusion of a Proof of Concept (PoC), and the comprehensiveness of the issue coverage. In future contests, there will be more of this structure of having an initial audit prize pool and a subsequent mitigation review pool. Only certified wardens, who can apply for this role, are allowed to participate in mitigation-review contests. The amount of rewards for finding issues can vary significantly, with some wardens getting thousands of USDC while others only get hundreds. In case no issues are found during the mitigation review, it is unclear whether the wardens are paid. However, if an issue identified in an automated finding can lead to a high severity finding, it could potentially be reported again during the contest by a warden and could be awarded with higher severity. 
For more detailed insights about the Mitigation Review, you can visit this link: [https://code4rena.com/how-it-works](https://code4rena.com/how-it-works).", "Q: How can I submit a Proof of Concept (PoC) to report a finding, and where do I upload the results of the git diff command?\n\nA: To submit a Proof of Concept (PoC) for a finding, you should follow the process outlined on our documentation page [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept). You can submit your PoC either by creating a public Github repository or by providing a diff of an existing sponsor-supplied test/contract.\n\nTo create a PoC for each bug you find, you can review examples of how to present a proof of concept (POC) for a bug and its impact [here](https://github.com/code-423n4/2022-12-caviar-findings/issues/376) and [here](https://github.com/code-423n4/2022-12-caviar-findings/issues/343). If your PoC script is too lengthy to be embedded directly into the issue, you are allowed to provide a link to it. The link can be provided within the submission where it's relevant. If it's a very long PoC, you are also allowed to use external platforms such as gist to submit it.\n\nIn case you have written a PoC script for a vulnerability, you can include the link in the submission wherever relevant, along with direct links to all referenced code in GitHub and adding screenshots, logs, or any other relevant proof that illustrates the concept.\n\nYou can also utilize .orig files and the 'git diff' command of the project folder when submitting a report. If you cannot provide a PoC for a medium severity bug, it may cause your finding to be disregarded unless it is extremely obvious. Therefore, it's always recommended to write a PoC to be sure.\n\nMoreover, when submitting your report, you should include the issue, description, proof of concept (where necessary), and mitigation (where necessary). 
\n\nAs a certified warden, you can use buttons labeled \"View Repo\" and \"Submit Findings\". If you need to modify your submitted findings, you should be able to do so using the \"Your Findings\" button. Lastly, please note that the level of detail in your submission, including the inclusion of a Proof of Concept (PoC), can influence the award amount for finding the bug.", "Question: How does CodeArena handle and validate the reports submitted for smart contract audits?\n\nAnswer: CodeArena handles smart contract audit reports in a comprehensive and meticulous manner. After a contest launch, a report is run that allows others to vet their analyzers. Issues identified in these reports, both valid and invalid, are released for the knowledge of all participants. Participants can submit reports, which can include all types of findings from high level down to gas optimizations. \n\nHowever, it's important that these reports maintain a high standard of quality, contain accurate findings, and provide a working proof of concept to be considered eligible for payouts. It's advisable for participants to include in their reports the issue, a description of it, a Proof of Concept (where necessary), and a mitigation strategy (where necessary). Please note that the format of your report can influence its evaluation by the judges. \n\nOnce a report is submitted, participants can expect feedback from a judge if a finding is marked as invalid. They are allowed to edit or replace their submitted reports with \"withdrawn\" for invalidation. Reports can also be revised and resubmitted. \n\nIf a user identifies a potential vulnerability and gets it confirmed by the sponsor via private DMs, it may still count when submitting it, depending on the judge's discretion. If a participant submitted issues for a contest but did not make the award list, it is likely that their issues were deemed invalid. Confirmation can be done by reviewing the available report. 
One can also check the status of their report submission by looking out for an email and the ability to edit submitted findings.\n\nTo verify the reported findings, we have a process that can be accessed via a link on our Discord channel. Note that not all reports or findings are guaranteed a reward, as the reports are graded and must meet quality standards to be considered valid and satisfactory. In certain situations, a low report could be increased to medium by the judges, as per the reference provided [here](https://discord.com/channels/810916927919620096/810931711609143326/938133534982406144). \n\nPast contest reports, which reveal vulnerabilities, can be reviewed and are a valuable learning resource for participants. Please note that questions about the meaning of \"Verified Contest\" can be addressed in the #rsvp channel on Discord.", "Question: Why should I write tests for my smart contracts and how does this relate to gas optimization and reports in CodeArena?\n\nAnswer: Tests are critical for your smart contracts because they help identify and fix potential issues, validate optimizations, and ensure functionality. In the context of gas optimizations, they can be used to provide evidence of the amount of gas saved due to a particular improvement. This can potentially increase the grade of your submission. \n\nWhen it comes to CodeArena, gas optimization reports are highly valued. These reports should ideally specify the amount of gas saved for each optimization identified. For instance, if an internal function is only called once and is inlined, this can save gas and should be noted in the report. However, the necessity to specify the amount of gas saved may depend on the judge's decision. \n\nWhile a description and mention of gas saved can be enough, providing proof of the savings or a snapshot of the refactored code and its gas savings can be more impactful. 
Remember, the optimization's significance, especially in important functions, can influence the evaluation. \n\nThere may be some confusion about gas optimizations in certain situations, such as when the optimizer is disabled. In this case, not all gas optimizations are valid. The Hardhat gas report plugin can be a valuable tool to benchmark your code for gas savings to clear up such uncertainties.\n\nFinally, it's important to note that the process of gas optimization is not only a great starting point for a first-time audit but also a way to earn, depending on your proficiency. If you have any questions or need clarification on gas optimization, CodeArena encourages users to ask for clarification. \n\nTo learn more about gas optimization, consult the ['Use assembly to check for address(0)'](link) reference. Also, if you would like to know how to calculate the gas cost of a contract, here's a [resource](link). \n\nRemember, your tests, alongside your gas optimization reports, are an indispensable part of the audit process, so do ensure they are thorough and comprehensive.", "Question: What tools and strategies are typically used to find vulnerabilities in smart contracts and how can Foundry assist in this process?\n\nAnswer: When auditing smart contracts for vulnerabilities, auditors often utilize a combination of tools, expertise in solidity, and strategic testing methods. Foundry is a framework that assists in this process. It allows you to write tests in solidity, which are essential for testing the specific aspects of the contracts you're auditing. However, Foundry is just one of many tools used in the auditing process. \n\nOther tools that auditors might use include Hardhat, Truffle, and Slither, a static analysis tool for smart contracts. Before Solidity 8.0, fuzzing tools were often used for auditing, although their usage has somewhat decreased due to the implementation of an overflow/underflow check at the language level. 
Furthermore, static security testing is another method used to find vulnerabilities. This involves looking at the code without interacting with it, using tools such as a solidity linter and checking contract code in Remix for compilation warnings.\n\nIn addition to using these tools, it's crucial to understand the solidity syntax and programming principles. Resource like CryptoZombies (https://cryptozombies.io/) can be a helpful starting point for learning solidity, and platforms like Capture the Ether (https://capturetheether.com/) provide Capture the Flag challenges to practice your skills.\n\nLastly, in the context of Foundry, you can use \"foundry debug\", a tool to debug hardhat tests and introspect contract execution at the EVM opcode level. You might also track gas usage within Foundry, or deploy contracts that take a struct as an argument in the constructor. \n\nRemember, while automated tools can identify potential vulnerabilities, human auditors still play a critical role in interpreting these results and understanding the full context of a potential vulnerability. Thus, even if automated tools report potential issues, smart contracts should still undergo a comprehensive human audit to ensure all vulnerabilities are properly addressed.", "Question: Why is it necessary to write tests in Solidity when auditing smart contracts?\n\nAnswer: Writing tests in Solidity is crucial for the auditing of smart contracts because these tests enable auditors to verify and validate the smart contracts' functionality under a variety of conditions. These tests can help identify vulnerabilities or bugs in the smart contracts. For instance, auditors may write new test cases or use existing ones to test the code in a test environment. 
This is especially useful for scenarios involving large numbers of users or complex states, where a public testnet can be used for testing.\n\nFurthermore, some smart contract projects are so complex that they might require professional mathematicians to audit formulas, demonstrating the need for thorough testing. Additionally, understanding certain aspects, such as loan-to-value calculations, can be useful in auditing specific smart contracts.\n\nSome resources for testing contracts include tools like Mythril and Slither, which can be used with contracts downloaded from Github. Remember, prior to Solidity 8.0, fuzzing tools were used a lot for auditing, but their usage has decreased after Solidity 8.0 due to the implementation of an overflow/underflow check at the language level. \n\nLastly, a Proof of Concept (PoC) is often recommended for smart contract audits. Writing an attack contract and then explaining the effects of the contract in plain writing can serve as a PoC. Overall, writing tests in Solidity is a critical part of the smart contracts auditing process, which ultimately enhances the security and reliability of these contracts. For beginners in the space of smart contract auditing, resources such as [How to Become a Smart Contract Auditor](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and [Tools and Resources](https://docs.code4rena.com/roles/wardens/tools-and-resources) can be helpful.", "Question: \nIn the CodeArena audit process, how is the potential vulnerability where the rewards are less than expected due to precision loss, such as in the scenario 'rewards = amount/1e18' where 'amount < 1e18', classified in terms of severity and what factors influence this classification?\n\nAnswer:\nThe classification of vulnerabilities in the CodeArena audit process, especially those related to staking pools where the client doesn't receive the expected amount of rewards or loses rewards, is dependent on several factors. 
These factors include the maximum value that is lost due to precision loss or other issues and the likelihood of such an event happening. \n\nThe loss of rewards is essentially considered as \"loss of assets\". However, the severity of the vulnerability can be classified as high or medium depending on certain conditions. For example, if there are external conditions or the attack difficulty is high, the issue can be considered of high risk. Similarly, if all rewards can be lost, the issue is usually considered medium or high. \n\nBut if there's just a risk of losing some rewards or if the rewards are lost due to rounding errors leading to a negligible amount, such issues are probably categorized as 'Quality Assurance' (QA). On the other hand, if the principal can be stolen without needing extra requirements then it's probably classified as HIGH. You can find more about this in the [CodeArena Incentive Model and Awards](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs) document.\n\nIt's also important to note that the reward for a medium/high finding is calculated using a formula provided in the mentioned document. If no medium or high vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve.\n\nLastly, even if a High severity bug turns out to be only Medium, the reward for a Medium bug is still received. Please keep in mind that classification and reward distribution are subject to contest rules and severity of the issue as determined by CodeArena.", "Question: How can I modify my submitted security findings or gas reports for a CodeArena contest?\n\nAnswer: Yes, you can modify your submitted security findings or gas reports for a CodeArena contest as long as the contest is still open. To do this, you need to log in to your account and navigate to the specific contest page on the CodeArena website. On the contest page, look for the 'Your Findings' button. 
Clicking this button will allow you to view your existing submissions. \n\nFrom here, you have the ability to edit or withdraw your submitted reports. This can be especially helpful if you've discovered additional findings after your initial submission or if you realize a submission contains a false positive. It's important to note that only one report of gas optimization and one combined QA report can be submitted per contest. Therefore, if you have multiple findings, you should compile them into one report.\n\nIf you encountered an error or accidentally submitted your findings to the wrong contest, you should resubmit your findings to the correct contest and fill out a form to inform the C4 staff about the incorrect submission. The form can be found at [Code4Arena Help](https://code4rena.com/help/). \n\nRemember, you can continue to revise and resubmit your report until the audit deadline. You can check the success of your report submission by looking out for a confirmation email from CodeArena.", "Question: How can I distinguish between private and public contests in CodeArena, and how do I participate in them?\n\nAnswer: CodeArena hosts both private and public contests. All contests, regardless of their status, are listed on the CodeArena website. Information about public contests is also posted in the #\u270brsvp Discord channel. Public contests are open to all participants, and their announcements are also displayed in our Discord channel. For example, the Frankencoin and ENS contests were public. \n\nPrivate contests, on the other hand, require certification as a warden and sometimes additional qualifications which are described in the #\ud83d\udd96rsvp-certified channel. Some private contests may be open only to those who participated in the original audit. For instance, the Reserve mitigation review contest and the Party Protocol were private contests. 
To access a private contest, you need to be a certified warden, which you can learn more about at https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0. Private contests have their RSVPs available in a channel only visible to certified wardens. \n\nPlease note that findings during a contest remain private until the report is published. The submission rules prohibit making findings public until a contest is finalised. We update our public report page mid-contest and after the contest is closed, there is a certain undisclosed period of time before the findings repo becomes publicly available for discussion. \n\nKeep in mind that participation in contests, whether private or public, could provide valuable insights into multiple designs and best security practices for different aspects of smart contracts.", "Question: Why has the High/Medium (H/M) reward pool for the Caviar contest been reduced, and how does the Mitigation Review factor into this decision?\n\nAnswer: The High/Medium reward pool for the Caviar contest was indeed reduced. This is due to the unique structure of the contest which included a Mitigation Review. In this scenario, the top-ranking wardens from the open contest are assigned to carry out the Mitigation Review, which has its own separate prize pool of $8,100 USDC. \n\nAdditionally, if no High/Medium issues are discovered in a contest, the entire rewards may be moved down to Quality Assurance (QA). If multiple people submit the same issue using the same warden but different wallets, each person gets less than half of the reward. Rewards details are specified on the Code4Arena website and each contest's page [https://docs.code4rena.com/#incentive-model-and-awards].\n\nIt's also important to note that the reward amounts in contests are provided by the contest's sponsor and can vary. If there's a query about why some of the rewards are pending after a contest has finished, it could be due to a discrepancy that needs to be resolved. 
\n\nIn the future, expect to see more contests with a similar structure of having an initial audit prize pool and a separate Mitigation Review pool. This structure allows us to incentivize different types of participation in the contest, and accommodate different types of findings and rewards.", "Q: How does CodeArena classify and reward vulnerabilities in staking pools if the client doesn't receive the promised rewards or doesn't receive any rewards at all (due to precision loss for example)? Can you also clarify how the severity of a vulnerability is determined, and what happens if no medium or high vulnerabilities are found during a contest?\n\nA: The classification of vulnerabilities in staking pools when a client does not receive the promised rewards or any rewards at all due to issues like precision loss, is determined based on the maximum value that could potentially be lost and the likelihood of such an event occurring. \n\nFor example, if all rewards can be lost, the vulnerability is usually classified as medium or high. If there's a risk of losing some rewards, it's likely to be classified as medium. If rewards are lost due to rounding errors (negligible amount), it's likely to be classified as a quality assurance (QA) issue. If the principal can be stolen without needing extra requirements, it's likely to be classified as high.\n\nThe severity assessment takes into account consequence and likelihood. High consequences generally involve sizeable fund loss or other severe outcomes and don't require pre-conditions. Medium consequences usually have less impact and specific preconditions such as a high attack difficulty, specific market conditions, or user unawareness.\n\nIn the rare instance when no medium or high vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve. 
You can see an example of a contest with only low vulnerabilities [here](https://code4rena.com/reports/2021-11-fei).\n\nThe reward for a medium or high finding can be calculated using this [formula](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). It is important to note that even if a high severity bug is downgraded to medium, the reward for a medium bug is still received, as explained in the [guidelines](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions). \n\nIf a participant evaluates an issue as low in the QA report but it is judged as medium, it will be eligible for medium rewards as per [CodeArena's policy](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nHowever, it's worth mentioning that if a vulnerability is found after the contest ends, responsible disclosure to the development team is recommended, as it wouldn't be awarded by CodeArena outside the contest timeframe.", "Question: I've submitted a helpdesk request to change my logo on Code4Arena a few days ago. When can I expect an update?\n\nAnswer: We appreciate your patience. Helpdesk requests are typically reviewed and resolved within 1-2 business days. However, it may take up to a week for some requests depending on their complexity. You can follow up on the status of your request, and we will do our best to expedite the process for you. In the future, to change your logo or any account details such as your profile picture, Twitter username, or avatar, you can submit a helpdesk request on our Code4Arena website at [https://code4rena.com/help](https://code4rena.com/help). Once submitted, you should receive a confirmation that your request has been received and it will be addressed as soon as possible. 
Also, please remember to include a link to the new logo in your request for faster processing.", "Q: How are the severity classifications of vulnerabilities determined in staking pool audits, especially in cases where a participant doesn't receive the promised rewards or doesn't get any rewards at all? What are the criteria for low, medium, and high severity issues, and how are rewards distributed in various scenarios? \n\nA: The severity classification of vulnerabilities in staking pools is determined based on the maximum value that is lost and how likely the issue is to happen. If all rewards can potentially be lost, the issue is typically classified as Medium or High. If there's a risk of losing some rewards, it's probably medium. If rewards are lost due to roundings (a negligible amount of rewards), it's probably a QA issue. If the principal can be stolen without needing extra requirements, then it's probably HIGH. You can find the exact criteria for these classifications at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization.\n\nIn a contest, if a participant submits a finding as low, but the judges determine that it's a medium, it will be eligible for medium rewards. This is clarified in the guidelines at https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.\n\nIf no Medium or High vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve, as explained at https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions.\n\nSimilarly, if a participant escalates a low severity finding to high, it is not automatically invalid. However, submissions based on automated tools must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory. 
This policy is explained at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.\n\nJudges review the findings to decide their severity, validity, and quality. These judges also receive a share of the prize pool as an incentive. If there's any uncertainty about the severity of any reported issue, it's advised to review the judging criteria and make a case for the chosen severity using evidence. The judging criteria can be found at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk.", "Q: I submitted my documents for the Certified Warden Know Your Customer (KYC) process. What is the response time and what steps should I expect next?\n\nA: After submitting your application to become a Certified Warden, you can expect to receive the KYC email from compliance@provenance.company within approximately 2-3 weeks. Please be aware that this email might end up in your spam folder. The response time can vary and may take more than a week. Once you've responded to the KYC email and provided all necessary documents, there is typically a 48-hour deadline for Provenance to respond. \n\nFollowing approval from the KYC firm, it will take around 2 weeks for you to be marked as a Certified Warden. If you don't receive a response to your KYC application within five business days, you can raise a help request through the form on our company's website. \n\nPlease note that the KYC process is necessary to become a Certified Warden. Also, depending on the volume of applications, there may be delays in this process. Keep an eye out for an invite from GitHub as part of the certification process. 
\n\nRemember, we're here to assist you, so if you have any questions or concerns about the process, don't hesitate to reach out.", "Question: Where can I find tutorial resources or a guide on how to submit audit findings at CodeArena?\n\nAnswer: Unfortunately, we don't have a specific tutorial video on this subject at the moment. However, we do have a variety of resources that can assist you. The process for submitting audit findings is well-documented at https://docs.code4rena.com/roles/wardens/sub. \n\nThe submission guidelines further outline the standards and best practices to adopt, and can be found here: https://docs.code4rena.com/roles/wardens/submission-policy and https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. If you're looking to improve your submissions, we also offer early feedback on submissions at https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440. \n\nTo edit your findings while an audit is still open, you can visit the contest page and click on the \"Your Findings\" button. If you want to learn more about the auditing process, we recommend visiting https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan. It provides a step-by-step guide on how to approach auditing large projects. \n\nYou can also check out some webinars like the one from OpenZeppelin: https://youtu.be/6GaCt_lM_ak. Participating in past contests and reading old reports or findings submitted on our GitHub repo can also be a great way to practice and familiarize yourself with the process. \n\nRemember, all findings need to be submitted before the audit closes. The submission is confirmed by an email and the ability to edit the submitted findings. Regardless of when you submit, there is no additional reward for submitting first. 
The key is to provide a thorough and accurate report before the deadline.", "Question: Why am I seeing the message \"It looks like you've already submitted a G (Gas Optimization) report for this contest.\" when I try to submit my gas optimization report for a CodeArena contest?\n\nAnswer: The message \"It looks like you've already submitted a G (Gas Optimization) report for this contest\" appears when you have previously submitted a gas optimization report for the same contest. CodeArena allows only one gas optimization report per contest. If you have additional findings, you can add them to your existing report by navigating to the contest page and clicking on the 'Your Findings' button. It's been observed that sometimes automated reports are uploaded after starting contests reporting gas optimizations. For some contests, there may not be any gas optimizations in the final report if there wasn't a gas pool for that particular contest, as in the case of the contest mentioned in this link: https://code4rena.com/reports/2022-04-dualityfocus. If your report exceeds Github's maximum character limit for issue descriptions (~65k characters), you may encounter an error when trying to submit it. In this case, you can submit a placeholder through the form and email your full report to submissions@code423n4.com. For more details, please visit this link: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form. Please note that the degree of detail required for QA and Gas Optimization reports is not as comprehensive as for high severity issues. The amount of gas saved for each finding may need to be specified based on the judge's decision.", "Q: I've submitted a QA report for a contest, but I've realized I need to edit it. How can I update my submission or submit another report?\n\nA: You can edit your submitted QA report until the audit deadline. 
To do this, navigate to the contest page and select the \"My findings\" option. Your QA report should be listed there, and you can select it and make necessary edits. Bear in mind that you can only submit one QA report, but you're allowed to update it as much as you need to.\n\nAdditionally, if you have realized that something is a false positive, you can retract the submission from the same \"My findings\" page on the contest page. Alternatively, if you accidentally submitted all your findings to the wrong contest, you should submit them again to the correct contest and fill out a form to let the C4 staff know about the incorrect submissions. You can find the form at [https://code4rena.com/help/](https://code4rena.com/help/).\n\nIf your report exceeds the character limit for regular submissions, you can submit a placeholder and send an email to report@code4rena.com with the necessary details. Find more information about this process at [https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form).\n\nPlease note that after the contest has ended, you won't be able to submit or edit any findings. All reports need to be finalized and submitted prior to the audit closing.", "Q: What is the process and criteria for submitting gas optimization reports in CodeArena (C4)? \n\nA: When submitting gas optimization reports, it's important to understand that the inclusion of specific details can vary based on the judge's decision. However, as a best practice, it is beneficial to include the amount of gas that would be saved by the refactored code. This information can be presented in a snapshot or as a part of your report. 
While it is not mandatory to provide a Proof of Concept for the gas saved, such evidence could potentially increase points in your favor. \n\nIt's crucial to note that, while multiple ideas about gas optimizations can be included in one report, it is recommended to report each gas optimization separately. All related findings should be compiled under one comprehensive report. \n\nIn terms of judgement, criteria can include the significance of improvements in important functions and the validity of the gas optimizations, particularly in situations where the optimizer is enabled. Participants can always ask for clarification on gas optimization and other aspects of the audit process.\n\nThe final selection of a report in a contest and distribution of rewards are based on several criteria, which you can refer to in this example spreadsheet: https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0\n\nPlease remember that gas optimization is a complex concept and it might serve as a good starting point for a first-time audit. For further assistance, you can refer to resources provided in the chat or ask the community.", "Q: How can I calculate and optimize the gas cost of a smart contract using tools like Hardhat and Foundry, and what resources can help me learn more about this process?\n\nA: Hardhat and Foundry are both widely used tools to evaluate and optimize the gas costs associated with smart contracts. They allow you to generate gas reports that can help you benchmark and identify opportunities for gas savings. To use these, you'll need to understand how to read their respective documents and the gas report they generate.\n\nIn addition to these tools, there are resources available for testing contracts downloaded from Github using tools like Mythril and Slither. 
Eth-brownie is also mentioned as a useful tool for mocking contract deployments.\n\nIf you're interested in learning more about this process, there have been discussions on how to compile findings about gas optimizations into single reports. These reports can also provide information about the amount of gas saved for each finding. \n\nWhen auditing smart contracts, not only should you look for protocol contracts but also for other contracts and non-view/non-pure functions. You can make submissions of gas optimizations in contests, indicating that this is an area of active exploration and innovation. \n\nFor more advanced audits, especially ones that involve complex formulas, you may require professional mathematicians to assist in the process. There are also tools that can help detect price manipulation vulnerabilities such as https://app.metatrust.io/project. \n\nTo learn more about the process and calculations involved in solidity projects, you can check out this YouTube resource: https://www.youtube.com/@smartcontractprogrammer.\n\nFor more context around gas optimization in Ethereum transactions, you can check recent CodeArena (C4) reports, such as this one: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations.\n\nFinally, beginners interested in smart contract auditing may seek help and ask for clarifications on gas optimization in our platform's chatroom. Remember, optimizing gas costs is a critical aspect of smart contract auditing, but it is not the only one. Other factors, such as security vulnerabilities and contract initialization, are also crucial.", "Question: How should I prepare and submit my Quality Assurance (QA) and Gas Optimization reports for the CodeArena contests?\n\nAnswer: For the CodeArena contests, participants are required to prepare one Quality Assurance (QA) report and one Gas Optimization report per contest. All related issues should be grouped and consolidated into these respective reports. 
\n\nFor the QA report, you are expected to compile all non-critical findings into one combined report. For the Gas report, all findings pertaining to gas optimization should be placed under one report. Although the number of issues reported doesn't necessarily determine the grade, judges do consider both the quantity and quality of submissions when grading reports. For instance, one good issue could lead to a grade B, while multiple low-impact issues might only result in a grade C. \n\nParticipants do have the ability to edit existing findings. If a QA/Gas report does not fit in a single submit request, it can be split into separate sends. However, remember that a single item in a QA submission is unlikely to receive a high grade. \n\nIt's also important to know that QA and Gas awards are given according to judges\u2019 scores, and duplicates are disregarded. However, handling downgraded issues, which need to be paired up with wardens\u2019 QA reports, could be challenging. \n\nFor more details on the grading criteria, please refer to the following links: \n\n- [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n- [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports) \n\nAdditionally, examples of top QA/Gas reports for these contests can be found at [https://code4rena.com/reports](https://code4rena.com/reports). \n\nPlease remember these guidelines are designed to promote the best efforts in QA/Gas reports and also to ensure fairness for all participants, including newcomers.", "Question: How can I access and utilize reports from past contests at CodeArena?\n\nAnswer: Participants can access reports from past contests at CodeArena on our website at https://code4rena.com/reports. 
These reports are published after each contest and are made available for participants to read. They contain valuable information about the contest, including the bugs found, which can be used for learning and improvement. \n\nFor participants looking for feedback on their submissions, they can view their Quality Assurance (QA) reports for contests that have already ended. If a participant's submission was not rewarded, they can review why their submission was not accepted once the report is out and the repository is fully opened. This allows them to see the discussion among sponsors and judges on the specific issue. \n\nAdditionally, participants can track their report status and see and edit their findings in the \"findings\" tab next to the contest description. The findings from these contests can be found in the findings repository once the final contest report has been published. Participants can also view reports from other wardens even after the contest has ended. \n\nFor those new to auditing, past contests' reports can provide great practice and learning material. If there are any queries about specific contest reports, like the Maia contest or JPEG'd, they may not be available immediately as the release of these reports depends on the contest and the number of reports under review. \n\nThe process after a contest is completed includes Sponsor Review, Judging, Awarding, and then Reporting. The final published report allows participants to see the results of their submissions. If you're curious about the criteria for a top-3 finish in either the QA or gas report from past contests, you can request this information from the organization. 
\n\nPlease note that reports from contests are typically checked within an average period of 3-6 weeks, with the precise time depending on the contest and the number of reports on review concurrently.", "Question: How does CodeArena handle the submission and grading of QA/gas reports?\n\nAnswer: CodeArena accepts QA/gas reports from wardens participating in the contests. Participants are required to submit one Quality Assurance (QA) report and one gas report per contest, organizing all issues together in each report. The grading of these reports is based on both the quantity and quality of the findings. For example, a single item in a QA submission is unlikely to receive a high grade, whereas multiple low-impact issues may result in a lesser grade. Incorrect findings can have a negative impact on the report's grade.\n\nIt's important to note that a finding that is relevant to both QA and gas savings can be included in either report, and judges may decide where it best fits. The judges' consideration also extends to duplicates, which are disregarded. If an issue is submitted by a warden as part of their QA report, it can potentially be upgraded from a QA report into a medium or high severity issue. \n\nThe top three finishes in either the QA or gas report from past contests can be checked by the organization upon request. These reports are eligible for payouts, assuming they are of high quality, contain accurate findings, and provide a working proof of concept.\n\nA more detailed explanation of the awarding criteria for QA reports is available at [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and for gas optimization reports at [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). 
\n\nWhile this process aims to encourage fair competition among all participants, there have been concerns about whether this promotes the best efforts in QA/Gas reports. However, the goal remains to ensure fairness for everyone, including newcomers.", "Question: What is the process to create and submit a report for a smart contract audit at CodeArena?\n\nAnswer: In CodeArena, creating and submitting a report is part of the auditing process. The report should include the issue, description, proof of concept (where necessary), and mitigation steps (where necessary) in a semi-professional format primarily using markdown. While creating the report, you can use screenshots, embed code or include images to make it more informative. You can use platforms like Github, Joplin, VSCode, Notion, etc., as long as the tool supports markdown. \n\nYou can submit an analysis report about the system even if you have no significant findings or findings at all, to provide advice on future project considerations. You can put all non-critical findings in one report or create a report for every finding based on your preference. However, it is recommended to compile all QA findings into one combined report and make one big report each for gas and QA. \n\nOnce done, you can either write your report directly into the submission form or if it's a larger report, you can submit it by email and place a placeholder in the original submission. Upon successful submission, you will receive an email confirmation. You can also check the success of your report submission by the ability to edit submitted findings. \n\nYou may have to wait for the report to go live even if you've submitted your findings. Also, after the leaderboard is shown and rewards are sent, the final report of the contest may not immediately appear on the C4 site. It's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project. 
\n\nIf you're unsure about the severity after reporting an issue, you can seek advice from the community or contact us directly. If you are missing any items, you can submit more than once. However, it's not required to fill the \"Recommended Mitigation Steps\" in the bug template, but it can enhance the value of your report. \n\nPlease note that there is a process to determine which reports get featured in the client report and you can view reports from other wardens even after contests have ended. \n\nWe suggest you to refer our documentation for further detailed instructions and templates for drafting your report (insert link to documentation). We're here to assist you if you face any challenges in reporting or submission process.", "Question: How can I effectively include screenshots and codes in my report submission on CodeArena?\n\nAnswer: When preparing your report for CodeArena, it's important to include elements like the issue, its description, a proof of concept (if necessary), and mitigation (if necessary) all in a semi-professional format. \n\nAdding screenshots and code snippets to your reports can enhance your explanation of a proof of concept. However, it is generally recommended not to add screenshots to a finding as they can pose a security issue. Instead, you could copy the Github permalink and the lines of code for the affected code when submitting reports on vulnerabilities. \n\nIf you want to add images to your report, you could use Markdown to embed them. Your report will be compiled with these images if accepted. For more information on how to add images using Markdown, you can check this guide [here](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images).\n\nTools like Visual Studio's preview tool, Markdown, and hackmd could be helpful in improving the presentation of your reports. 
If you want to upload an image to your report, you can register a free account on [Cloudinary](https://cloudinary.com/), upload the image, and copy its URL. Alternatively, you can upload the image to your Gist, submit the report with the Gist link, and later delete the Gist.\n\nIf your report is large, you can submit it by email and place a placeholder in the original submission. This method has been suggested to be added to the official documentation.\n\nKeep in mind there are guidelines on how to group different reasons why a function won't work in a report, and you can find top winning report examples [here](https://code4rena.com/reports). If you encounter an error when submitting your Quality Assurance report for the first time, you can check if it has been successfully submitted by checking your email for confirmation or viewing the findings through the \"View Context\" function. \n\nLastly, even if you have no significant findings or findings at all, you can still send an analysis report about the system to provide advice on things to consider for the project's future. \n\nRemember, your report is more than just a findings list; it's a critical analysis and assessment of the smart contract. So, careful organization and presentation of your findings, including the use of images and code snippets, can enhance its effectiveness.", "Question: What does the number associated with each finding on the CodeArena website represent, and how are the findings submitted and managed?\n\nAnswer: Each finding listed on the CodeArena (C4) website is associated with a unique number which reflects the GitHub issue number. To submit a finding, users complete a submission process using the C4 form on the \"your findings\" page. Once submitted, the C4 system automatically creates an issue on GitHub, eliminating the need for users to do so separately. \n\nUsers can check the status of their submission by referring to the same number on the \"your findings\" page. 
Once the final audit report is released, these numbers will align with those in the findings.csv file. This file, along with all other findings, is made public in the C4's GitHub repository, which can be accessed via this link: https://github.com/code-423n4. \n\nThe contest results can also be viewed under the \"Findings\" tab on the C4 Contest page. It's important to note that while on occasion, there may be technical issues with viewing the findings repo or submitting findings, these can often be resolved by ensuring that the GitHub account in use is logged in and is the same account provided to C4.\n\nFor wardens who wish to review their findings, they can refer to the data folder in the findings repo where JSON files are named as [warden-handle]-[issue number]. The issue numbers can be used to look up the findings directly.\n\nPlease note that the number of issues reported in an audit report does not necessarily determine the grading. For example, a report could contain one significant issue and receive a grade B, or it could contain multiple low-impact issues and still receive a grade C.", "Question: I'm experiencing issues with the visibility of certain contests in Code4rena, including not being able to see a contest chat room. Where can I resolve my concerns and inquiries about contest visibility and submissions?\n\nAnswer: Code4rena is continuously improving and updating its contest information for the convenience of the participants. If a contest is not being shown in the live contest section, it might have moved to the upcoming contest section. You can check updates on upcoming contests in the #\u270brsvp channel on Discord. 
If an expected contest isn't listed, it might not have been updated on the channel yet.\n\nIf you are having trouble submitting a finding, experiencing login issues, or encountering problems when running the contest with provided instructions, feel free to send your queries to submissions@code4rena.com or submit a help request at https://code4rena.com/help. This is particularly important if your issue pertains to a security concern.\n\nAfter a contest has ended, you can still view reports from other wardens, although visibility may be limited if there is no table with results. Queries regarding past contests, leaderboard/contest results changes, and issues marked as invalid can also be directed to the aforementioned help desk.\n\nIssues related to contest visibility on the website are typically resolved by the team and are not user-related. If you've received a warning about your submission being invalidated due to the use of certain tools, you can query this by monitoring the backstage channel for post-judging stage updates of the concerned contest.\n\nIn case of rewards pending or queries about rewards from specific contests like the #llama-jun06 contest, the specifics may not be outlined in the chat but can be addressed through the help desk. \n\nFor those having trouble joining private contests even after passing the KYC, considerations are being made and you can raise the issue at https://code4rena.com/help.\n\nIn the event the help page shows an 'Out of Office' message, rest assured that your concerns will be addressed once the team is available. \n\nFinally, despite the occasional glitches, remember that Code4rena is a platform dedicated to ensuring a fair and transparent contest process. Your concerns and queries are important to us, hence do not hesitate to reach out when in doubt.", "Question: I've noticed that the markdown preview doesn't accurately display lists when I'm submitting issues. 
Is this just a preview issue, or should I format my findings differently? Can I use markdown formatting in the issue titles and body? \n\nAnswer: Yes, you can still use markdown for your issue submissions, even if the preview doesn't display it correctly. This is a known issue, specifically with numbered lists not showing numbers in the preview tab. However, rest assured that the numbers will be visible in the final submission. Markdown formatting can be included in both the issue titles and the body. When inserting links, only include them in the small text box. For the \"Links to Affected Code\" section for high/medium findings, only the GitHub permalink for the respective code block should be added. \n\nFor better markdown formatting, you may find using tools like Notion or hackmd helpful. You can format your issue in these tools and then copy and paste the formatted text when submitting. Our Markdown Renderer on the site may not be accurate, so you can also view the code on Gist for better formatting.\n\nWhen adding code blocks in reports, it is advised to use markdown and surround the code with ``` on either side. This ensures the code shows up correctly in the report. A guide to doing so can be found [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks). \n\nOur form for analysis submissions also supports markdown, and the submission form on Code4rena accepts Markdown for formatting the text. If you prefer, you can use the \"Submit finding\" button of the specific contest on the main page to submit each finding separately. However, we no longer update the GitHub template for submissions. Here's the link to the old template: [SUBMISSION_TEMPLATE](https://github.com/code-423n4/code-contests/blob/4db2720312f0958f2e89f6207a6774c9e5360655/SUBMISSION_TEMPLATE.md). \n\nPlease note that our findings report page does not support HTML tags, so it's advised to use Markdown instead. 
If you're unsure whether your findings should be submitted as separate issues or as one, we don't have a clear guideline, but remember, each finding should be clear and complete.", "Question: When can findings from a completed CodeArena (C4) contest be made public and where can they be viewed?\n\nAnswer: Findings from a completed CodeArena (C4) contest are made public after going through a comprehensive review process which starts immediately after the contest ends. This process includes a sponsor review, judging, and Quality Assurance. Once the findings have been reviewed and triaged, they await the sponsor's review and final judging. After the contest is closed, there is a certain period of time before the findings repo becomes publicly available for discussion. \n\nThe findings can be viewed on the C4 Contest page under the \"Findings\" tab once the final report is published. It's important to note that specific findings should not be discussed until the report has been posted for the contest in question. Certified+ wardens can view the findings repo immediately after a contest ends. Users can also view their QA reports for contests that have already closed. \n\nPlease note that the final report of the contest may not immediately appear on the C4 site even after the leaderboard is shown and rewards are sent. It is recommended to wait until the full public report is published before discussing any issue or bug found on a project. \n\nContestants of C4 contests can inquire about the progress and schedule of final reports. Participants can also track their report status and see and edit their findings in the \"findings\" tab next to the contest description. However, findings submitted for contests may not always make it to the final report. If you wish to check whether your findings have made it to the final report, you will need to wait until the reports are published, which usually takes at least a month. 
\n\nPublic reports are updated mid-contest, and the final published report allows participants to see the results of their submissions. If you wish to withdraw your findings, you can do so under \"your findings\" on the contest page. In case any of your findings were rejected, you'll need to wait until the report is published to find out. Until then, findings of a contest cannot be viewed after it finishes but before the results are published. \n\nPlease note that the rules prohibit making findings \"public\" until a contest is finalised, and projects have access to submitted findings before the contest completion. Findings from contests are posted in the section where Contests are posted, and audit reports for recent competitions are typically published after contests finish, sponsor reviews, judging, awarding, and reporting.", "Question: What is the most efficient method to locate a transaction hash when user A gives allowance to contract B, if we only have user A's address and contract B's address?\n\nAnswer: The most effective way to find a transaction hash when user A gives allowance to contract B, given only the user's address and the contract's address, includes filtering the logs of the contract and cross-checking topics for that specific address. If the address is indexed, it will expedite the process. More specifically, this involves accessing the contract's logs, which are a part of the Ethereum network's blockchain data. These logs provide a record of all activities involving the contract, including transactions and allowances. By filtering these logs using the known addresses of user A and contract B, you can identify the specific transaction hash in question. However, keep in mind that this method relies on the address being indexed \u2013 a feature which improves search speed by creating a specific, easily accessible reference to the data in the blockchain. 
While this method is generally reliable, it may not always yield results in cases where the address is not indexed, or if there are issues with the contract's logs.", "Question: What is the current status, process, and requirements for obtaining the backstage role at CodeArena?\n\nAnswer: The backstage role at CodeArena is currently under review and change with no estimated timeline for its implementation. Previously, backstage access was granted based on a trust model, but future access could involve additional constraints or requirements. The applications for backstage roles are currently suspended, with no clear date for re-opening. \n\nOnce the applications resume, the process for obtaining the backstage role and its requirements can be found in detail at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. Notably, to qualify for the backstage role, a certain number of findings in different areas or of different scores is required. You can request to be a backstage warden through a help desk request once all these criteria are met.\n\nWhen the review of the backstage role is completed, an update will be posted, and those who have applied will be notified of the decision made on their application. Typically, the evaluation is carried out within a week if all qualifications are met and nothing is pending. \n\nWe appreciate your patience and interest in the backstage role. You can find any updates or changes to the backstage function at https://discord.com/channels/810916927919620096/810931711609143326/1082437741586960485. The backstage role is highly valuable for accessing the findings repo when a contest ends, so we are working diligently to finalize the revised process.", "Question: Can you explain what the backstage role at CodeArena is and the process on how to obtain it?\n\nAnswer: The backstage role at CodeArena allows users more extensive access, such as viewing reports of past contests. 
Historically, access to the backstage was based on a trust model which is now undergoing changes due to instances of privilege abuse. The exact process for obtaining the backstage role is outlined in detail on our website at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. \n\nTo qualify for the backstage role, a user must first be certified and have identified a certain number of findings in different areas or of different scores. One of the ways to achieve this role is by identifying a high vulnerability. After meeting these qualifications, a user can request to be a backstage warden via a help desk request.\n\nPlease note that despite the mentioned process, the backstage functions are currently closed, and a decision on future access is being planned. Violations leading to the closing of backstage access have involved sharing information about findings for judging in progress with other individuals who did not have backstage access. \n\nFor more information or assistance with application, you can reach out to our help desk. Future updates regarding the backstage role and its access will be communicated as per the plan in place.", "Q: How is the decision taken for the backstage role at CodeArena, and what is its current status?\n\nA: The decision for assigning the backstage role at CodeArena is based on a pre-determined plan. The backstage role allows users to access the findings repo after a contest ends, and even ask the judges to re-evaluate certain findings. To qualify for this role, a user or a team needs to have submitted a certain number of findings in different areas or of different scores. For example, if a team submits 3+ medium findings and they are accepted, all members may become eligible for the backstage role. \n\nHowever, please note the applications for backstage access are currently suspended, with no specific estimated time for their resumption. 
This suspension may be due to some changes in the process of backstage access, which is still in progress. In the past, access was based on a trust model, but future access may involve some constraints or consequences. \n\nOnce the backstage applications resume, users can apply for the backstage role through a help desk request, and the evaluation for the roles is usually done within a week if all qualifications are met and no issues are pending. Participants can also apply for backstage access as soon as the contest results are published on the leaderboard, which usually happens shortly after the awards are announced.\n\nUsers will be notified once their application for backstage access has been reviewed. For more detailed information regarding backstage role assignment, visit [this link](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). \n\nPlease keep an eye out for updates regarding the backstage applications, which is expected to be posted within two weeks.", "Question: In the context of smart contract audits, is it necessary to mention if there are more functions in an interface than are used in the code when a protocol interacts with an on-chain contract? Additionally, how does this relation impact the optimization of smart contracts to reduce gas costs?\n\nAnswer: Yes, it is indeed valuable to mention if there are more functions in the interface than are used in the code during a protocol interaction with a contract on-chain. This is part of the due diligence process and can provide insights into potential areas of optimization. Smart contracts are all about efficiency and optimization, not just for protocol contracts, but also for other contracts and non-view/non-pure functions. \n\nFor instance, functions in an interface that are not being used in the code might be unnecessarily increasing gas costs. Function inlining, as an optimization technique, can be used to save gas in smart contracts. 
However, it's important to note that the context and specific interactions of the smart contracts matter-- for example, a contract's own function like \"InterfaceA(address(this)).functionA();\" would be considered an external contract call and would change the msg.sender value inside the function. \n\nAlso, in a case where Contract A inherits from Contract B, and Contract C inherits from Contract A, Contract C wouldn't be able to access the internal functions of Contract B directly. It would require appropriate interfaces or other mechanisms. \n\nUnderstanding the relationship between interfaces and smart contracts, as well as navigating multiple smart contract files, can be complex. A recommended approach is to start with libraries and interfaces that have the least dependencies. Tools like Surya (https://github.com/ConsenSys/surya) can also provide a graphical interface for understanding smart contract interaction, although it's deprecated now. \n\nFinally, practices such as taking a \"snapshot\" of OpenZeppelin contracts instead of using them directly from the npm repository can be done to allow for necessary changes to external contracts to suit your project requirements. However, the best approach can vary depending on the specific requirements of your project.", "Question: \nIs it acceptable to provide links to QA reports, POCs, or other relevant documents in our submissions, and if so, what formats or platforms are most suitable for these reports?\n\nAnswer:\nYes, it is acceptable to provide links to QA reports, Proof of Concepts (POC), or other relevant documents in your submissions. This can sometimes be a necessity, especially if the POC is too large to be embedded directly in the issue. In such cases, you can provide a link to the POC using external platforms like Gist. \n\nMarkdown and hackmd have been mentioned as potential tools for improving the presentation of your reports. 
For instance, if you've coded a POC script for a vulnerability, you can include the link in your submission wherever it's relevant. You can also reference links to other contests or findings from Code4rena to strengthen your reports. \n\nWhen submitting a finding, you can fill the Proof of Concept section by providing direct links to all referenced code in GitHub and adding screenshots, logs, or any other relevant proof that illustrates the concept. However, remember that a bug report without a POC may be disregarded unless the issue is extremely obvious.\n\nWhile it's acceptable to submit long POCs using external platforms, be aware that the platform advises against submitting a high volume of low-quality reports. A low-quality report is defined as one lacking a clear explanation or path to the finding. \n\nNo matter what format or platform you use, always ensure your reports are thorough and well presented. For inspiration, you can refer to top QA reports from recent contests found at the following links: \n- https://github.com/code-423n4/2022-04-backd-findings/issues/182 \n- https://github.com/code-423n4/2022-04-phuture-findings/issues/56 \n- https://github.com/code-423n4/2022-04-dualityfocus-findings/issues/33.\n\nRemember, the goal of your report is to provide clear, concise, and actionable insights that aid in the improvement of the smart contracts you're auditing.", "Question: What is the procedure for submitting and validating findings on Code4rena?\n\nAnswer: After identifying potential issues in the code, participants should confirm these findings on their own or collaborate with other wardens without reaching out to the project sponsors or developers. Proofs-of-concept (POCs), reading the documentation, or using Remix can be leveraged for verification. Participants can submit multiple findings, and it is not required to compile all findings into one file. 
All findings should be submitted through the contest submission form [official documentation](https://docs.code4rena.com/).\n\nIf a participant has submitted findings to a wrong contest, they can resubmit them to the correct contest and notify the C4 staff about the error through the help form at [https://code4rena.com/help](https://code4rena.com/help). Participants can check if their submission has been accepted at [https://code4rena.com/reports](https://code4rena.com/reports), and in case they fail to receive an email confirmation after submission, a help desk request can be opened at [https://code4rena.com/help](https://code4rena.com/help).\n\nIn case of submission errors or issues, help can be sought through [https://code4rena.com/help](https://code4rena.com/help) or by forwarding requests to submissions@code4rena.com. Participants can edit their submissions on the Code4rena platform, and they may include links to other contests in their reports to demonstrate their findings. However, citing examples from Code4rena is seen as more convincing due to a more rigorous judging and QA process. \n\nFor contest-related security issues, participants are advised to submit a help request at [https://code4rena.com/help](https://code4rena.com/help). If a bug severity needs to be increased during a contest, a help request can be submitted to remove the original submission, and then the finding can be submitted again via [https://code4rena.com/help](https://code4rena.com/help).\n\nProjects will have access to the submitted findings before the contest completion. QA and gas reports can be sent via email to report@code4rena.com if there are issues with online submission. 
Submissions via email to CodeArena will get special attention, and the team will reach out to confirm receipt.", "Q: How can I effectively report a bug or finding during a smart contract audit on Code4rena, should I have to confirm my findings with the sponsor first, and how does creating a Proof of Concept (PoC) play into this process?\n\nA: As an auditor or \"warden\" on Code4rena, it is not necessary to confirm your findings with the sponsor before submitting them. The sponsor is a client who is paying for the audit, and they shouldn't need to spend additional time validating your findings. Instead, it's your responsibility to verify the issues you find.\n\nCreating a Proof of Concept (PoC) is a highly recommended practice. It can be used to demonstrate the existence of a bug and to explain the issue more clearly. You can create a PoC by providing a diff of an existing sponsor-supplied test/contract, or by creating a public Github repository. If the PoC code is too large to be embedded directly in the issue, you can provide a link to the code. You can find more info on how to include a PoC here: https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.\n\nIt is worth mentioning that without a PoC, a finding may be disregarded unless the issue is extremely obvious. Having a coded PoC along with your report can increase the chances of your report being selected, which comes with a 30% bonus. The level of detail in your submission, including the inclusion of a PoC and covering the issue in as many aspects as possible, can also influence the award amount.\n\nFinally, it's important to remember that all findings should be treated as private and confidential until the final report is made public as per the professional conduct guidelines for certified wardens: https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines. 
This is to give the sponsors time to act on the feedback.\n\nTrust in the sponsors is crucial, and any potential conflict of interest, such as sponsors hiding bugs, should be avoided. If you think you've found something during the contest and want to ask questions, you're encouraged to reach out to the sponsor team, but remember to also submit your finding via the contest submission form, or it won't be eligible for awards.", "Question: How does SafeTransferLib function in smart contracts, particularly in the context of safeTransferFrom, with respect to various tokens?\n\nAnswer: SafeTransferLib is a tool used in smart contracts for safely transferring funds to users. It ensures the operation of sending funds is successful by checking the return status of the call. It is important to note that the decision to use safeTransferFrom should be predicated on the type of token used and the expectations of the code. SafeTransferFrom is often used in smart contracts, specifically when dealing with ERC-777 token contracts or when testing certain functions within a smart contract. A mocked token, for instance, would require both the safeTransfer and safeTransferFrom functions.\n\nFurthermore, some issues have been noted in certain contexts, such as when the token is already wrapped inside IERC20. It's also worth mentioning that not all tokens are fee-on-transfer, meaning they don't remove a small fee from every transfer. 
However, for those that do, the received amount might be less than the sent amount.\n\nFor more in-depth information about safeTransferFrom, you can refer to Etherscan: https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95\n\nRemember that while we can provide some guidance, the final decision on its usage should be based on your own understanding of your contract and its requirements.", "Question: \nHow can I handle any uncertainties, potential findings, or submission issues I encounter during a Code4rena contest?\n\nAnswer: \nDuring a Code4rena contest, it's encouraged for participants to reach out to the sponsor team if they think they've identified a potential bug or have points to clarify. You are also allowed to discuss with the project's developers about your findings. However, it is not necessary to confirm these findings with the developers before submitting them. It is ultimately up to the participant to submit points they perceive as valid findings.\n\nIf you encounter any difficulties in the submission process, you can submit a help request via the Code4rena help desk at https://code4rena.com/help/ to get support. If your issue persists or you're having trouble with the support request form, you can email submissions@code4rena.com for further assistance.\n\nPlease note, all findings must be submitted through the contest submission form on the Code4rena platform to be eligible for awards. If you inadvertently submit your findings to the wrong contest, you should resubmit them to the correct contest and fill out a form to inform C4 staff about the incorrect submissions. \n\nFurthermore, you can check whether you've submitted an address for rewards, find which of your findings were rejected and why, or view others' findings after a contest finishes through the help form. \n\nIn case of submission errors, multiple submissions, or any issues related to the platform, help is available from the team handling the platform. 
\n\nRemember, the bugs found during the competition are kept confidential until the contest is over and the judging process has been completed.\n\nFinally, it's also worth noting that the time taken for project findings to get reviewed might vary with each contest. \n\nRefer to the official documentation for a more detailed explanation: https://docs.code4rena.com/", "Question: Can you clarify the criteria for categorizing issues as low, medium, and high severity and how they are treated in the submission process?\n\nAnswer: The criteria for determining the severity of an issue as low, medium, or high in Code4Rena can be found at: https://docs.code4rena.com/awarding/judging-criteria/severity-categorization. The severity generally hinges on two things: the consequence and the likelihood of the issue. High severity issues typically involve significant fund loss or serious consequences and don't require pre-conditions. On the other hand, medium severity issues tend to have a lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness. Low severity issues, often referred to as QA reports, usually involve negligible losses or issues that don't have a significant impact on the system.\n\nWhen submitting an issue, a user can include both high severity and medium/low severity issues in the same report, but judges expect the highest effort to be put into high severity issues. Judges have the authority to downgrade or upgrade reported issues based on their severity evaluation. If a high severity bug turns out to be only medium, for instance, the reward for a medium bug is still granted. 
Also, if a finding is submitted as a low in the QA report, but the judges determine it's a medium, it will be eligible for medium rewards as per the guidelines (https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nMoreover, if you escalate a low severity finding from a contest's bot report to a high severity, it isn't automatically invalidated. However, you must provide strong evidence to demonstrate the relevant high or medium severity exploit path to make such submissions satisfactory. This policy is explained at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. \n\nIf there is any uncertainty about the severity of a reported issue, review the judging criteria and make a strong case for your chosen severity by providing clear evidence. The grading criteria for submissions include correct identification of the highest possible severity impact, making a compelling case for the chosen severity and validity, and clear and understandable writing.", "Question: What should I do if I encounter a potential scam or malicious activity in the CodeArena chatroom?\n\nAnswer: If you encounter potential scam or malicious activity, such as receiving suspicious direct messages or identifying a potential vulnerability, you should report it immediately. Directly message a member of the CodeArena staff or, for specific issues, the project team. For reporting, you can also use Hashbot, a tool suggested to detect scammers, which can be found at https://Hashbot.io. If you're unsure about the severity, include as many findings as you can in the report and provide your reasons for flagging the issue. If you think your private key might have been leaked, start a discussion about how to verify malicious transactions. 
After reporting an issue, you can check the status of your report via a link on the Discord channel or in your email. If you need to withdraw a submission, you can request it by directly messaging an administrator. In case you have submitted a report for the first time and are unsure about how to check the status, you can ask for assistance in the chat or send a direct message to a CodeArena staff member. Remember, it's better to report suspicious activities than to ignore them. Even if you're unsure, it's better to get a scam verified and removed.", "Question: How should I present gas savings in my smart contract audit submissions for CodeArena?\n\nAnswer: When submitting your smart contract audits to CodeArena, it is highly beneficial to include information about gas savings, particularly if your audit involves refactored code. It's recommended to specify how much gas would be saved via the refactored code in a snapshot. This is not strictly necessary, but including that information can potentially increase points and the overall grade of your submission. \n\nWhen conducting gas optimizations, you can use tools like Hardhat gas report plugin to benchmark your code. It's also advisable to report each gas optimization separately, as this could be a determining factor in the judge's decision. For every finding related to gas optimization, it is suggested that the amount of gas saved should be specified. \n\nIn the case of findings that are relevant to both QA and gas savings, they can be included in either report, and judges may decide where it best fits. While some participants may find it challenging to distinguish between code simplification and gas optimization, remember that all findings related to gas optimization should be put under one report. \n\nKeep in mind, not all gas optimizations are valid when the optimizer is enabled. Be aware that an issue can be non-critical and also be included in gas optimizations. 
If you are uncertain, don't hesitate to ask for clarification on gas optimization in our community discussion.\n\nPlease note that criteria for judgment on gas optimizations are based on several factors, including the significance of improvements in important functions. Make sure to include all the approved findings and gas optimizations in your reports. \n\nTo view examples of approved findings and gas optimizations, you can visit our GitHub link (link to be provided).\n\nIn conclusion, while including gas savings details isn't a requirement, it adds value to your submission and could positively influence your grade.", "Question: How should I handle and submit my gas optimization and Quality Assurance (QA) reports for a contest in CodeArena?\n\nAnswer: For gas optimization and Quality Assurance (QA) reports, CodeArena recommends the submission of one consolidated report each. If you're participating in a contest, you need to include all your gas-related findings in one report, and all your QA findings in another separate report. \n\nYou should note that there are restrictions on submitting more than one gas report per contest. Hence, if you discover additional gas optimizations, you can add these findings to your existing report. To do this, navigate to the contest page and click on the 'Your Findings' button. \n\nIt is acceptable to submit a single report containing all occurrences of a specific issue. However, if your report exceeds Github's maximum character limit for issue descriptions (~65k characters), you may not be able to submit it through the CodeArena form. In such instances, you can submit a placeholder and send the complete report via email to submissions@code423n4.com.\n\nWhile it's not mandatory to specify the amount of gas saved for each gas optimization, including this information can potentially increase your points. 
\n\nFurthermore, when submitting issues, particularly for gas optimization, it is recommended that you separate the gas report from the QA report. \n\nFor more information on the submission policy and report format, please visit the following link: [Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#report-format). If your QA/Gas report doesn't fit in a single submission request, please refer to this link for guidance: [QA/gas report FAQ](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form).", "Q: How can I seek feedback on my submission or understand the reasoning behind a judge's decision after a contest has concluded?\n\nA: Once a contest is completed, the process involves Sponsor Review, Judging, Awarding, and finally Reporting. The results of your submissions can be reviewed and understood once the final report is published and the findings repository is made public.\n\nIf your submission was not awarded, you can review the report to understand the discussion among sponsors and judges that led to this decision. Judges review the findings to decide their severity, validity, and quality. Sometimes, the format of the report can also influence its evaluation by judges. If your findings were marked as invalid, you'll receive feedback from the judge.\n\nIf you had backstage access during the contest, you can use it to speak with the judge to re-evaluate a finding and provide your comments. However, this practice is not always continued. Certified contributors are also permitted to view submitted issues right after contest closure and to comment or give input on these issues during judging.\n\nIn case you disagree with a judge's decision, you can discuss it according to the policy at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision. 
\n\nFor further queries or to monitor an issue marked as invalid, you can follow the backstage channel for the post-judging stage of the concerned contest. Remember, feedback from judges is valuable for learning and improving for future contests.\n\nPlease keep in mind that contestants of C4 contests can always inquire about the progress and schedule of final reports.", "Question: When and how are points counted and expired for the 60-day leaderboard in CodeArena contests?\n\nAnswer: Points for the 60-day leaderboard in CodeArena are accumulated from the day the contest is announced. These points may expire 60 days after the contest has ended. However, there seems to be some confusion about this system, and it is being examined by the development team.\n\nThe leaderboard is dynamic and reflects the results from the last 60 days by default. Users have the ability to adjust the settings to view results from a specific time period. The ranking of the leaderboard is influenced by both a user's participation in the current contest and their total participation. The leaderboard gets updated each time awards are announced, but it's important to note that not all contest types are currently supported.\n\nConcerns have been raised regarding the display of rewards and the accurate reflection of a user's accomplishments on the leaderboard. For instance, there might be a delay in the appearance of some rewarded points, and some rewards might be pending even after the contest has finished, for reasons not specified yet.\n\nThe leaderboard system might undergo changes soon, with suggestions like changing the tracking from the last number of days to the last number of contests, or introducing seasonal leaderboards that could last for 4 or 6 months. 
Additionally, there has also been a suggestion to create a leaderboard displaying the top contestants after the contest results.\n\nOnce a contest is over and the rewards are announced, there is a certain period before the findings repo becomes publicly available for discussion. The final report of the contest may not immediately appear on the C4 site. Participants are therefore encouraged to wait until the full public report is published before discussing any issues or bugs found on a project.\n\nPlease note that the results of contests are dependent on the duration of the judging process and are usually announced a couple of weeks after the contest ends. Participants can apply for backstage access as soon as the contest results are published on the leaderboard.\n\nIf you have any concerns or need more clarity, please reach out to the team or check for updates on the code4rena.com website.", "Q: How does CodeArena handle submissions, particularly in relation to the timing, duplication, quality, and reward distribution?\n\nA: CodeArena encourages submissions at any time prior to the contest end time. There is no specific advantage or disadvantage to submitting earlier or closer to the deadline, although it is discouraged to wait until the very last moment as any findings that could not be submitted before the end of the contest will not be eligible. The important thing is to submit before the audit closes. The quality of a submission is considered when distributing rewards, with a higher quality submission potentially receiving a larger bonus - so it's not just about being the first to submit a finding. \n\nDuplicate submissions are handled by reducing the value of a finding when more of the same type are submitted during the open submission period. If multiple members of a team submit the same item separately, it decreases the overall value of the submission. If a duplicate report is not beyond a certain threshold, there might be no reward awarded for it. 
\n\nOnce a submission is confirmed and the reward amounts are announced, participants just need to wait for it to go to their wallet. The time taken for this to happen can vary. In terms of viewing all submissions after a contest, it's recommended to wait until the full public report is published. \n\nAfter the leaderboard is shown and rewards are sent, the final report of the contest may not immediately appear on the C4 site. The company is considering releasing all unverified submissions a few days after a contest ends, before judging - a related discussion can be found [here](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123). \n\nRemember, there are inquiries about what happens to the rewards in a contest if no high or medium issues are found and the time taken for project findings to get reviewed can vary with each contest. In some cases, rewards for submissions could be paid partially, or fully.", "Question: How can I update or modify my report after submission, and what are the associated guidelines and consequences?\n\nAnswer: Once you've submitted a report, you can update or modify it by going to the contest page and clicking on the \"My Findings\" button. After submitting a finding, you can expect follow-up. If you have additional findings after an initial submission, especially if the severity of the issue is uncertain or if it's a low-risk finding that could potentially become a high severity issue, you can submit reports multiple times. \n\nIf you accidentally report something that isn't an issue, there won't be negative consequences; however, we recommend withdrawing such reports to save the judges' time. If a typo is made in your report that does not drastically change the meaning of the finding, it can be corrected by filing a help ticket. 
If there is a discrepancy or problem with the report, you can create a ticket for that as well.\n\nAfter the contest ends, your submissions will be reviewed and the findings repo will be made public once the report is published. However, the report publication might not happen immediately after the leaderboard is shown and the rewards have been sent out. We recommend waiting until the full public report is available before doing a write-up of some issue or bug you found on the project.\n\nPlease note, the option to edit findings may not be available after the audit has closed, so it's important to make sure all findings are submitted before the audit ends. In the meantime, you can check your submission status by looking for a confirmation email and the ability to edit submitted findings.\n\nFinally, remember that in Code4rena, all wardens who report a finding first and those who found the same issue are recognized in reports. As a participant, you can check your issue for the finding you sent on Github from the report.", "Question:\nHow does CodeArena handle the submission and verification of vulnerabilities found during contests, especially in cases where multiple participants report the same vulnerabilities, and what is the policy regarding sharing these findings with the sponsoring company?\n\nAnswer:\nWhen you discover a potential vulnerability during a CodeArena contest, we encourage you to reach out to the sponsor team if you have questions or want to clarify before submitting. If more than one participant reports the same vulnerability, the issue will be handled depending on the specific circumstances. However, we recommend submitting your findings via the contest submission form with a proof of concept and an explanation of how the vulnerability could be exploited. 
This helps ensure your submission is not marked as invalid.\n\nPlease note that communicating with the sponsor team privately and having a vulnerability confirmed by them may still count towards your submission, but the final award decision will depend on the judgement. If a high or medium severity vulnerability is discovered after the contest ends, we suggest responsible disclosure to the development team. However, such a vulnerability will not be eligible for awards outside the contest timeframe.\n\nWe understand that there may be concerns about the fairness of sponsors having early access to vulnerability submissions. Rest assured, we prioritize maintaining a balanced competition. For clarity and learning purposes, past contest reports that reveal vulnerabilities are made available at https://code4arena.com/reports/2021-11-fei.\n\nIf you've written a Proof of Concept (POC) script for a vulnerability, you're encouraged to include the link in your submission. Edits to submitted security findings for a contest are allowed. In cases where no medium or high vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve.\n\nLastly, please be aware of the restrictions on discussing bugs and exploits after submissions for a contest are closed and before contest results are out. If you submitted issues for a contest but did not make the award list, it is likely that your issues were rejected. You can confirm this by reviewing the available report.", "Question: Where can I find resources to learn about smart contract auditing, especially video tutorials?\n\nAnswer: There are numerous resources available to help you learn about auditing smart contracts. The #\ud83c\udfebeducation channel in our Discord chatroom is a popular place to start. We additionally recommend a video tutorial found on YouTube (https://www.youtube.com/watch?v=wCD3fOlsGc4) that explains some aspects of contract auditing. 
\n\nFor beginners, posts by @cmichel are highly recommended, with one notable post detailing how to become a smart contract auditor available at https://cmichel.io/how-to-become-a-smart-contract-auditor/. \n\nAdditionally, the OpenZeppelin webinars have been found to be useful, with the first video in their series accessible at https://youtu.be/6GaCt_lM_ak. \n\nOur platform also has resources for learning smart contract auditing located at https://docs.code4rena.com/roles/wardens/tools-and-resources. \n\nIf you're interested in more specific aspects, such as understanding math and accounting in solidity projects, another YouTube resource is available at https://www.youtube.com/@smartcontractprogrammer.\n\nAdvanced users might be interested in the use of fuzzing tools and machine learning in auditing smart contracts, or even exploring blockchain forensics analysis for hacks and incidents in smart contracts. For these topics, you could explore discussions in our chatroom and refer to the linked papers and videos.\n\nKeep in mind that smart contract auditing requires a strong competence in the field. For auditing specific products like those built on Polygon, or understanding specialized contracts like SyntheticToken, refer to our YouTube playlist (https://www.youtube.com/playlist?list=PL7RT-0ybd7joiqKeGklvFxcc8dNWpPBCk). \n\nLastly, always be prepared to test and find vulnerabilities in contracts, which is a crucial part of auditing. Feel free to ask further questions in our community, we are always ready to help.", "Question: What is the current status of backstage role applications at CodeArena, and how can I apply when applications reopen?\n\nAnswer: Backstage applications at CodeArena are currently paused due to an identified issue. We're actively working on the problem and are discussing changes. However, we don't have a definite ETA for when applications will resume. 
Once applications reopen, the process to apply for backstage access is as follows: first, you need to become a certified contributor. You can find more information about this at https://docs.code4rena.com/roles/certified-contributors. After becoming a certified contributor, users who believe they meet the criteria for a backstage role can submit a help desk request for their status to be evaluated. For more details on these requirements, refer to our document on backstage wardens at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. It's important to note that in the past, backstage access was based on a trust model, but future access may involve additional constraints or consequences. We will provide a notification once your request for backstage access has been reviewed.", "Question: Can I interact with the judge of a contest to get feedback, or discuss my submission and findings before submitting?\n\nAnswer: Due to the design of the CodeArena system, the identity of the contest judge is not disclosed until after the contest ends. This means that participants cannot directly contact the judge to discuss potential submissions or findings before the judging process commences. However, there are other ways for participants to engage and clarify their doubts. \n\nFirstly, you can directly communicate with sponsor teams who have designated contacts throughout the contest duration. You can ask them specific questions about the scope of the contest or discuss potential issues related to severity and in-scope/out of scope topics. \n\nSecondly, you are allowed to cite similar findings from previous contests to justify the severity and validity of your submission. However, remember that judges will take the entire context into account during judgement. \n\nThirdly, if you are unsure about high-risk findings, it is recommended to include them in your submission. 
The inclusion of such findings is dependent on the contest and the judge, so making a case for it in your submission may prove beneficial. \n\nFinally, after the contest, you can review the reasons why your submission was not accepted in the contest report and the repository discussion among sponsors and judges. This is an excellent opportunity to understand what could be improved in future submissions as you can ask judges for feedback about your issues.\n\nPlease remember that it can take a lengthy time period to judge contests due to various factors, which includes the significant increase in contest submissions. Therefore, patience is advised during this process. \n\nFor further questions, please refer to our [submission rules] (link to rules) or feel free to ask on our chat platform.", "Question: Can I edit or update my QA report after I've submitted it for a CodeArena contest?\n\nAnswer: Yes, you have the ability to edit your QA report after you've submitted it. You can do this by navigating to the contest page on code4arena.com, where you'll find a section labeled 'Your Findings'. Click on this to view or edit your submitted findings. Please note that you can only submit one combined gas and one combined QA report, but you have the freedom to edit your findings as many times as needed until the audit deadline. This includes updating the severity of reported bugs or adding more details to your report. If your QA report exceeds the character limit for regular submissions, you can submit it via help tickets. In the event that a submitted bug severity needs to be increased during an open contest, you can submit a help request to remove the original submission and then submit again. If the contest has already closed, you can still view your QA reports but can't edit them further. 
You can also check the success of your report submission by looking out for an email confirmation and the ability to edit submitted findings.", "Q: How can I submit, format, and edit my findings on Code4rena?\nA: To submit your findings, navigate to the specific contest on the main page and click on the \"Submit finding\" button. Each finding should be submitted separately. You can use Markdown to format your report, with code blocks surrounded by ``` on either side. There's a default Markdown template proposed by the Code4rena interface when you're submitting your findings, which can be used as a baseline for your report. Once you've submitted your findings, you can edit them by navigating back to the contest page and clicking on the 'Your Findings' button. For further guidance regarding submission and formatting, refer to the official documentation [here](https://docs.code4rena.com/roles/wardens/sub) and [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). Note that while an old GitHub template for submissions exists [here](https://github.com/code-423n4/code-contests/blob/4db2720312f0958f2e89f6207a6774c9e5360655/SUBMISSION_TEMPLATE.md), it's outdated and not updated anymore.", "Question: Can I receive a reward for findings identified using AI tools like ChatGPT in CodeArena's smart contract audits?\n\nAnswer: No, participants cannot receive a reward for findings made with tools like ChatGPT. CodeArena does not consider these findings as valid for prizes in smart contract audits. If you're interested in using AI in auditing, you're advised to participate in bot races instead. Although using AI tools to generate bug reports may seem appealing, remember that a bug report generated by AI, without the full codebase input, is often deemed not very useful. 
If you've made a finding using an AI tool and have received a warning indicating the invalidation of your submission, unfortunately, there's no procedure to prove innocence. However, while the use of AI tools is discouraged, you can discuss potential findings with a sponsor over Discord or other private communications without invalidating the finding. If you have any more doubts or queries, feel free to visit our Discord for more information. [https://discord.com/channels/810916927919620096/1095308824354758696/1130212982094299246]", "Question: I'm having trouble running the GoGoPool contest on Windows with Slither, can anyone provide guidance or potential workarounds?\n\nAnswer: It appears that several users have encountered issues while trying to use Slither, a static analysis tool for smart contracts, specifically with the GoGoPool contest on Windows. While the running instructions provided in the document are typically the same for all operating systems, Windows might cause problems with installations. \n\nAs a workaround, some users have reported success with using VirtualBox running Ubuntu. Alternatively, Ubuntu 20.04 can run on windows via WSL2. \n\nTo use Slither effectively, you may need to identify the remappings for Slither if you're using it alongside Foundry's remappings. Users typically use Slither to generate output and while it can be used as a bug finding tool, its success rate varies. It might also be beneficial to check out the discussion on this [link](https://discord.com/channels/810916927919620096/1092789958923784292/1095205359792160918) for more insights.\n\nYou may also want to consider using other tools like Mythril and Echidna for auditing in contests. \n\nRemember, if you're altering the \"REPORT_GAS=true hardhat test\" command in package.json for different operating systems, it's recommended to use a docker image for Windows cmd. 
\n\nLastly, understand that it's normal to face difficulties and don't hesitate to seek help from the community.", "Question: How can I become a Warden and participate in upcoming contests on CodeArena, especially after a period of absence?\n\nAnswer: If you wish to become a Warden and participate in upcoming contests on CodeArena, there are several steps you need to follow. Firstly, you need to log into your account. If you're a new participant or returning after a period of absence, you must register as a Warden. You can do this by joining the #\ud83d\udc3ai-want-to-be-a-warden channel. To access contest channels and get a preview of the contest, you must obtain the Warden role, which is possible by filling out a form on our website.\n\nTo participate in certain contests such as the PolynomialFi contest, you need to be a certified warden. Becoming a certified warden may require participating in a certain number of contests and having a number of valid findings or reports. You can learn more about the certification process at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.\n\nCertain contests, including the 'vs contest', which involves only 3 wardens and has an RSVP process, are specifically for certified wardens. To get into the invite list for private contests, becoming a certified warden and making it onto the leaderboard can enhance your chances.\n\nYou can also choose to participate as part of a team. The process for registering a team can be found at https://docs.code4rena.com/roles/wardens#registering-a-team. However, it's important to note that even if you're part of a team, you need to be a certified warden to participate in some contests like the PolynomialFi contest.\n\nWardens will soon have the opportunity to apply for the certified warden role, which will grant them access to findings shortly after contests end. 
Details on accessing private contests, which require KYC and certified warden status, can be found in the Code4rena documents. \n\nKeep in mind that the criteria for acceptance and certification involves competing in the audit contests, and the best-performing wardens often get first choice in certain contests. Good luck on your journey to becoming a Warden!", "Question: How can I determine the severity of my findings and what resources are available to guide me in this process? \n\nAnswer: The severity of findings in CodeArena is determined by experience and a balance of consequence and likelihood. High severity issues generally involve sizeable fund loss or other severe consequences, often without need for pre-conditions. Medium severity issues might have lesser impact or require specific pre-conditions, like high attack difficulty, specific market conditions, or a realistic chance that a user could be unaware of the issue.\n\nIt's important to note that the severity of your findings can be upgraded from medium to high by the judges, unless there's a valid reason to penalize your submission, such as it being incomplete, lacking detail, or inaccurate. In fact, even if a High severity bug turns out to be only Medium, you will still receive the reward for a Medium bug.\n\nIf you are unsure about the severity of your findings, it is advisable to review the judging criteria and make a case for your chosen severity using evidence. The judging criteria can be found at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk. Following this, you can check the ranking of severity of issues here: https://docs.code4rena.com/awarding/judging-criteria/severity-categorization. You can also look at how similar issues have been judged in the past to help guide your decision.\n\nAdditionally, estimations of risk can be guided by the information provided in this link: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. 
And the reward for medium/high findings can be calculated using this formula: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs.\n\nRemember, it's always better to make the clearest case possible for your findings' severity rather than worrying about their precise classification.", "Question: Can I earn a reward for findings made using AI tools like ChatGPT, and what are the guidelines around the use of AI in CodeArena's audits?\n\nAnswer: No, users cannot receive rewards for findings generated using AI tools like ChatGPT. In fact, the use of such tools may lead to suspension of your warden status. However, CodeArena does host competitions known as bot races where users can be rewarded for findings made with AI. The specifics around what constitutes a finding performed by a robot and the procedures for finding bugs via robots can be complex. To avoid any confusion or unintentional violations, it's advisable to participate in these bot races if you're interested in leveraging AI for auditing.\n\nYou can view a list of your rewarded findings at: https://discord.com/channels/810916927919620096/1095308824354758696/1130212982094299246. If you're interested in rewards for other contributions such as submitting a new detector, you might earn \"Karma Points\". Rewards can also come in different forms depending on the contest and the type of findings, with bonus rewards given for the best reports. The reward for a medium/high finding can be calculated using the formula provided at: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. \n\nIt's also worth noting that for the best chance at earning a reward, ensure your reports are of high quality, the findings are accurate, and you have a working proof of concept. If you're part of a team and you submit a non-duplicate finding, the team gets more rewards than if you had individually submitted the same finding. 
\n\nFor more details on rewards for each warden for each bug per contest, you can visit https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.", "Q: How is the award formula for gas and QA reports determined and what factors influence this?\n\nA: The award formula for gas and QA reports at CodeArena (C4) is based on several factors. Firstly, awards are divided into different grades (A, B, C) based on the quality and gas savings of the reports, with Grade A and B reports receiving rewards. For example, Grade A reports count as 2 shares, Grade B as 1, and the best report receives a 30% bonus. \n\nJudges assess both the quantity and quality of submissions when grading the reports. A single item in a QA submission is unlikely to receive a high grade. Duplicates are disregarded, and downgraded issues are paired with wardens\u2019 QA reports. \n\nWhen multiple individuals or teams identify a gas optimization, the reward split is calculated using a specific formula. In terms of submissions, participants are encouraged to submit one Quality Assurance (QA) report and one Gas report per contest, grouping all issues together. The scope of QA and Gas Optimization reports does not need to be as comprehensive as for high severity issues. Participants can submit one combined gas report and one combined QA report and they can edit existing findings.\n\nThe award formula for gas and QA is due to be updated to foster fairer competition and motivate the best efforts in QA/Gas reports. More detailed information on this can be found on CodeArena's website at https://docs.code4rena.com/awarding/incentive-model-and-awards. Further explanation on judging criteria can be found at https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical and https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports. \n\nFor examples of top QA/Gas reports, please visit https://code4rena.com/reports. 
If you have any questions regarding the formatting of gas/QA reports, templates or guides are available.", "Question: How can I know if an upcoming contest on CodeArena is public or private, and where can I find further details about it?\n\nAnswer: All CodeArena contests, both public and private, are listed on the website: https://code4rena.com/. Public contests are displayed in the #\u270brsvp channel on our Discord: https://discord.com/channels/810916927919620096/958800160870240286/1094922278808064103. If you see the contest in this channel, it is open to the public. Private contests, on the other hand, have their RSVPs available in a channel only visible to certified wardens. The details of each contest, including whether it's public or private, the start date, the contract details, and the submission mechanism, can usually be found on the contest's page on the website as well as in the #\u270brsvp channel. Furthermore, the public report page for each contest is updated mid-contest. It's important to note that for some contests, participants need to become certified, which includes successful completion of KYC, to receive awards. As a case in point, the upcoming Chainlink contest will be open to all participants, but they will need to become certified to receive awards.", "Q: How does the reward calculation and announcement process work for CodeArena contests and when can I expect my rewards after a contest has ended?\n\nA: At CodeArena, the process of reward calculation, announcement and payment is systematic yet dependent on the time taken for judging. Typically, the results of a contest are announced about 2 months post contest end. However, the timeline can vary based on the complexity of the contest. For instance, contests involving over 12k sloc may be extended to 4 weeks. \n\nThe leaderboard is built off the dates of the audits themselves, rather than the dates rewards were distributed. 
So while your last contest outcome may have been announced on March 8th, the leaderboard reflects the date of the audit itself.\n\nOnce the results are announced, the awards are usually paid out between 1-2 weeks afterwards. The signatures for the award distribution are generally rounded up in a standing Monday meeting, so any announced awards should usually get processed Monday or Tuesday.\n\nIt's worth noting that all findings submitted for contests may not always make it to the final report, and the reason might not be immediately known. To check, you need to wait until the reports are published, which usually takes at least a month. \n\nYou can stay updated with the status of contests and reports from the \"Past Contest Status Updates\" section, which provides a timeline of where contests are currently in the process. For specific queries about contest progress and final reports schedules, you are welcome to raise them in our Discord channel. \n\nIn some cases, there might be delays in contest results and award distribution due to changes in the award calculation process or other factors. We are continuously working to improve this process and appreciate your patience.", "Question: Is CodeArena planning on integrating their site with Github to utilize the pull request (PR) that updates the leaderboard with contest results as the reference for the end date of the contest?\n\nAnswer: The idea of integrating the CodeArena site with Github to track timestamps using the PRs updating the leaderboard has been discussed in our Discord channel. However, immediate implementation of this feature may not be feasible due to ongoing developments, such as the migration of all data from csv and json files to a database and API, which is currently our top priority.\n\nYou can find the leaderboard at https://code4rena.com/leaderboard and access the user submissions for completed challenges on the concerned GitHub repo once the contest report is published. 
The leaderboard updates after each contest ends, reflecting the number of overall issues reported by users. Please note that the development team is considering changing the leaderboard from tracking the last number of days to the last number of contests, and there are ongoing discussions on how to better represent users' achievements and include more features and contests in the leaderboard ranking.\n\nWhile we navigate these changes, your feedback is invaluable to us. We encourage you to share your thoughts on improving the website, leaderboard systems, contest processes, and Discord setup in our suggestion box. In case you encounter any inconsistencies in the contest process and results, you can report them in the 'issues' section of our Github repository at https://github.com/code-423n4/org/issues. \n\nPlease remember to review and make a pull request for your handle at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles to participate in contests. If you need to alter your contest results or leaderboard link, you can request these changes through our help desk at https://code4rena.com/help. And finally, don't forget that your GitHub repositories can serve as proof of concept in your finding submissions.\n\nWe appreciate your patience and support as we work towards enhancing your experience at CodeArena.", "Q: How is the award for gas and QA calculated, especially in cases of duplicates and multiple contributors, and how do grades influence this calculation?\n\nA: The award for gas and QA in CodeArena follows a specific formula and a grading system. The formula utilizes a curve system, as discussed in our Discord chatroom, and is due to be updated in our official documentation. Meanwhile, you can refer to our existing documentation on the incentive model and awarding at https://docs.code4rena.com/awarding/incentive-model-and-awards.\n\nThe grading system for QA/GAS reports plays a significant role in this process. 
Grade A reports count as 2 shares, Grade B as 1, with the best report receiving a 30% bonus. More information on this can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards.\n\nIn the case of duplicates, they are generally disregarded in the award distribution process. As for multiple contributors, if members of the same team identify a gas optimization, the reward split can be calculated using a formula present at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs.\n\nIt's important to note that judges consider both quantity and quality of submissions when grading QA reports. For instance, a single item in a QA submission is unlikely to receive a high grade. You can learn more about this at https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical and https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports.\n\nRegarding findings of different severities, if a finding is submitted as a low in QA report, but the judges determine that it's a medium, it will be eligible for medium rewards (https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nThe gas optimization pool is shared among the reporters and is rewarded based on the score of each gas report as per https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic.\n\nPlease note that our FAQ page at https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form will be updated to reflect recent changes. If you have any further queries or uncertainties, please feel free to reach out in the chatroom.", "Q: How is my ranking on the CodeArena Leaderboard determined, and how do contest results and rewards affect it? 
\n\nA: Your ranking on the CodeArena Leaderboard is determined by your participation in contests and the success of your audits. The points for the 60-day leaderboard are counted from the day of the contest announcement and may expire 60 days after the contest has ended. The ranking is impacted by both your current contest participation and your total participation in contests. \n\nThe display of rewards on the 60-day leaderboard and the crediting of contest results are subjects of ongoing discussions. There are concerns that the leaderboard currently may not accurately reflect a user's accomplishments if the contest results are not counted for their full duration. The development team is considering changing the leaderboard from tracking the last number of days to the last number of contests, which might address this issue.\n\nRewards from previous private contests are also added to the leaderboard. If no issues are found in a contest, the disposition of the sponsor reward pot is a common inquiry, as is the status of pending rewards after a contest has finished. These are typically addressed on a case-by-case basis. \n\nIt's worth noting that the top wardens in the 90-day leaderboard are prioritized for contests. You can increase your chances of participating in private contests after certification by ensuring a high position on the leaderboards from the last 90 days. \n\nThe \"leaderboard\" tag in your profile can be received if you get in the Top 5 in the contests. \n\nAfter each contest ends, the leaderboard gets updated and users can see the number of overall issues they reported at [CodeArena Leaderboard](https://code4rena.com/leaderboard). \n\nPlease note, reducing the turnaround times for reward distribution after a competition is a high priority for our team. Worst-case scenario, rewards may be expected two months after the end of the competition, but we aim to process and distribute multiple contest rewards by the end of a specified week. 
\n\nLastly, an issue was caught with a couple of items being double counted in the leaderboard, an update to the numbers was scheduled to address this. After the leaderboard is shown and rewards are sent, the final report of the contest may not immediately appear on the C4 site. It's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project.", "Question: How does the timing of vulnerability submission and its duplication affect the reward system in Code4rena's contests?\n\nAnswer: At Code4rena, the timing of vulnerability discovery and submission does not influence the reward amount. It's not a first-come, first-served system. Everyone who reports the same vulnerability gets a share of the reward; the reward is not exclusive to the first reporter. \n\nThe distribution is subject to some sybil resistance where each instance is awarded a share of one point depending on the number of duplicate submissions. If multiple participants report the same vulnerability, even if with different severities, they are all given the same severity for the award calculation. \n\nAlso, the order of reported issues doesn't strictly follow the submission time. Judges prioritize the best write-up over the order of submission, which is a practice to incentivize high-quality submissions. \n\nFurthermore, there might be cases where vulnerabilities identified by bots are rated lower than their actual severity. In such scenarios, the vulnerability can be reported again during the contest by a warden and be awarded with the higher severity. \n\nRemember, it's important to submit your findings before the audit closes as vulnerabilities found a few days after the contest wouldn't be rewarded by C4 outside the contest timeframe. Also, if you think you've found a potential vulnerability, it's encouraged to reach out to the sponsor team during the contest. 
But make sure to submit it via the contest submission form or it won't be eligible for awards.\n\nIn the rare event that no medium or high vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve. You can refer to an example of a contest with only low vulnerabilities here: https://code4rena.com/reports/2021-11-fei.\n\nFinally, the quality of a submission is considered when distributing bonuses, with a higher quality submission potentially receiving a larger bonus. This could be influenced by factors such as providing a detailed report, including a Proof of Concept (PoC) or the issue being covered in as many aspects as possible. \n\nPlease note that all participants' submissions may be made available after the contest ends, once the possible exploits have been patched.", "Question: Can you explain the process for selecting winners and distributing rewards in Code4rena contests, including how issues of different severity and duplicate findings are handled?\n\nAnswer: At Code4rena, winners and rewards are determined based on a detailed process. First, the judges review all findings to determine their severity, validity, and quality. The judges themselves are incentivized with a share of the prize pool. After this review, contestants are rewarded shares for bugs discovered based on the severity of the bugs. In a contest with only high and medium issues, those shares give the owner a pro rata piece of the pot. Each share is then redeemed for: pot / number of shares.\n\nIn cases where multiple wardens find the same issue, the reward is typically larger for the best report, while duplicates below a certain threshold might not receive any money. However, the reward and recognition are split between those who found the same issue, regardless of who found it first.\n\nIf no high or medium issues are found in a contest, the specific reward distribution will be decided based on contest-specific criteria. 
The reward distribution does not occur immediately after the reward computation due to the involved sponsors' time.\n\nThe quality of a submission is also considered when distributing bonuses; a higher quality submission may receive a larger bonus. The reward distribution follows a curve formula, likened to a bell curve used in grading homework or exams. This system is designed to create a fair distribution based on the quality of the findings.\n\nFor more detailed information on reward distribution, including tables that overview the rewards, the reward formula in terms of findings count, and partial credits, as well as details regarding the grading system and categories A, B, C, please refer to Code4rena's awarding policies: [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards). \n\nNote that individual teams determine how to split their portion of a pot amongst themselves. Also, be aware that while we strive to announce and distribute awards as swiftly as possible post-competition, delays can occur, and you should expect rewards up to two months after the end of the competition as a worst-case scenario.", "Question: When and how are the findings from audits reviewed? Can I update my submission and does it cause extra work for judges? \n\nAnswer: The findings from audits are reviewed upon submission at the end of the audit period. To update a submission, you can use the \"Your findings\" button. You can edit your findings as long as the audit contest has not ended. The review process includes a sponsor review, judge review, sponsor confirmation, judge's final report, and the announcement of the results. Although updating a submission does not explicitly cause extra work for judges, the number of contest submissions has increased significantly, potentially leading to increased workloads for judges. \n\nAfter the contest ends, the findings get reviewed and triaged immediately by the judges. 
The process then awaits sponsor review, final judging, and Quality Assurance before being made public. If your submission is not rewarded, you can review why it was not accepted once the report is out and the repository is fully opened. This allows you to see the discussion among sponsors and judges on the specific issue.\n\nTo check the success of your report submission, you can look for an email and the ability to edit submitted findings. The final published report allows participants to see the results of their submissions. Early feedback on submissions for improving audits may be available, with an associated link to the judge's post [here](https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440). \n\nTo get more details about the submission and discussion of findings, refer to the [Code4rena submission policy](https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines).", "Q: I'm having trouble submitting and editing findings for a contest, and also checking the status of my submissions. How can I address these issues, and how can I understand the outcome of my submission?\n\nA: If you're experiencing issues with submitting findings to a contest, such as the Escher or Caviar contest, here are some steps to mitigate the problem. First, make sure you're using the form on the contest page on our website to submit your findings. After you fill out the form and click \"CREATE ISSUE\" in \"SUBMIT FINDING\", the form data is turned into a submission that goes into the findings repository for the given contest. This is where your findings will be evaluated by judges after the contest ends. \n\nIf you're not receiving email confirmations of your submissions, there might be an issue, as some users have reported not receiving these confirmation emails. 
There have been reported issues with GitHub which affected the contest submission form, and some users have had trouble submitting a finding, even when trying on two different browsers. If you're encountering an error when trying to submit a Gas Optimization report for a contest, it could be because you've already submitted one, as only one Gas Optimization report can be submitted per contest. \n\nIf you want to edit your submitted findings, you can go to the contest page and click on the \"Your Findings\" button. Here you can also withdraw your findings if you wish to cancel a submission and create another one. \n\nTo check the status of your reports and see your findings, you can look in the \"findings\" tab next to the contest description. After the contest, if you want to view your own submissions as well as others', you can go to the section where contests are posted on our website and look for the findings from the contests, which are posted in the findings repository.\n\nIf you've submitted issues but did not make the award list, it's likely that your issues were rejected. You can confirm this by reviewing the report available. Please note that if a finding is mentioned in the known issues section in the contest, it will likely be disqualified. \n\nIf you are still facing issues, please consider reaching out to our support team for further assistance.", "Question: I'm experiencing trouble with various issues, such as submitting reports, accessing the site, and creating teams. Will these issues be resolved if I try again?\n\nAnswer: Based on previous observations, it seems that some issues experienced on the CodeArena platform may be resolved simply by trying again or making some minor adjustments. If you're having trouble submitting a report or any other technical issue, you could try clearing your local storage and attempting the action again. 
In some cases, trying again on a different day may also resolve the issue.\n\nIf you're having difficulty with the 'Create Issue' button, you're not alone. Some users have reported this issue in the past, and our team has been responsive in acknowledging and resolving it. If the problem persists, it may be helpful to try refreshing the page or changing browsers. It's important to note that these issues do not always present console errors.\n\nIn case you encounter a 404 error when trying to access certain links, such as https://github.com/code-423n4/2021-04-redacted, please rest assured that our team is proactive in addressing these issues, and they are typically resolved promptly.\n\nRemember, if you have reported an issue but are unsure about its severity or how to proceed, you can always create a help desk request for unresolved issues. If you're having trouble joining private contests even after passing the KYC, or accessing specific content like Findings for Tapioca DAO on our website https://code4rena.com/contests/2023-07-tapioca-dao#top, please reach out to us. Our team is committed to providing a seamless experience and we work diligently towards resolving any site issues.\n\nIn the rare event that a submission of a finding takes some time to be confirmed via email, or the form fails to return an error if the submission fails, please let us know. We're here to help and your feedback is valuable to us.", "Question: I'm having trouble logging into my CodeArena account. What should I do?\n\nAnswer: We're sorry that you're experiencing difficulties logging into your CodeArena account. This is a known issue that some of our users have faced. 
Here are a few steps you can try to resolve the issue:\n\n- Clear your local storage and try again.\n- Try logging in again at a different time.\n- If you're using a wallet to log in, make sure you're using the correct one.\n- Check if the email you're using to log in is correct.\n- If you're having trouble with the password reset function, it might be because of some known issues that we're currently trying to resolve.\n- You can also switch to using a username and password for login.\n- If you are a new user trying to log the remaining gas after the state variable update using foundry, you might encounter difficulties. We are currently looking into this issue.\n- If you have recently changed your username and are unable to log in, you might need to reapply for certified status.\n- If you're having trouble submitting findings, trying on a different browser might help.\n\nIf the problem persists, please contact our #auth-help channel for assistance. Our team is able to update the database to fix login issues when necessary. \n\nAdditionally, please note that during the new registration process, if you can't find your username on the list, the issue is being investigated and we hope to resolve it shortly. We understand these issues are inconvenient and we appreciate your patience as we work to improve your user experience.", "Question: How can I view, edit, and track my findings for a contest on CodeArena?\n\nAnswer: Upon participating in a CodeArena contest, you can view and edit your submitted findings by navigating to the respective contest page and clicking on the 'Your Findings' button. Automated findings for a contest can be found in the pinned messages of the contest's channel. Participants are able to track their report status and see their findings in the 'findings' tab next to the contest description. If you wish to edit your submission, you can do so while the audit is still open, and until the contest closes. 
\n\nAfter a contest ends, the findings are reviewed by sponsors and then it moves to the judging process. The review includes a sponsor review, judge review, sponsor confirmation, judge's final report, and the announcement of results. Please note that findings may not always make it to the final report, and the reason for this might not be immediately known. \n\nTo check the status of your findings, you would have to wait until the reports are published, which typically takes at least one month. As of now, findings from a past contest cannot be viewed after the contest concludes, but before the results are published. However, you can view your Quality Assurance (QA) reports for contests that have already closed. \n\nKeep in mind that all findings from contests are posted in the same section where Contests are posted and these can also be located in the findings repository after they have been reviewed and published. \n\nFor any further inquiries about the process and schedule of final reports, please feel free to ask on the platform or in the dedicated channels.", "Question: What are the requirements and processes to earn the \"leaderboard\" role on CodeArena's Discord and how does it affect my opportunities on the platform?\n\nAnswer: To earn the \"leaderboard\" role on the CodeArena Discord, you need to participate in contests and place in the top five. The leaderboard updates and assigns the \"leaderboard\" role when contest rewards are announced. The leaderboard ranking is influenced by both your performance in the current contest and your overall participation. Once you earn a reward and appear on the leaderboards, the \"leaderboard\" role is added to your profile. This role enhances your visibility and opportunities on the platform, particularly for private contests. \n\nIn addition, earning a place on the leaderboard can qualify you for the RSVP certified jobs, given that you are certified. 
It's also worth noting that team performances are considered when comparing leaderboard ranks for these opportunities. The leaderboard can be viewed at https://code423n4.com/leaderboard/.\n\nThe leaderboard also plays a role in backstage access, which requires the certified contributor role, a certain number of findings (minimum three medium findings and four total findings), and engagement in contests. Once your awards are announced and added to the leaderboard, you can apply for backstage access. However, joining the backstage requires at least one high rating. \n\nRemember, to appear on the leaderboard, you must complete your Warden registration and participate in contests. Some users have also expressed interest in including additional features and contests in the leaderboard ranking. Lastly, the leaderboard also offers an \"available for hire\" filter for added visibility.", "Question: How does the announcement and process of Bot Races and their results work at CodeArena?\n\nAnswer: Bot Races are exciting events hosted by CodeArena, where participants can be rewarded for findings made with AI. The announcement for these races, including the top 20 bots, usually occurs within a span of a week post the event. For each race, bot registrations are typically announced in the #\u270brsvp channel on our Discord. \n\nTo participate, you need to register your bot during the qualifier round. Detailed information about these races and the registration process can be found at [https://code4rena.com/register/bot](https://code4rena.com/register/bot).\n\nPlease note that the bot race prize pot was initially taken from the HM pot, but this is likely to change soon. If your bot finds a high or medium finding, it only gets the bot pool reward based on the bot race rank. Bots can only gain more rewards by accumulating more points and shifting the rank cutoffs, thereby moving others to lower ranks.\n\nThe winner's bot code will not be made public after Bot Races. 
Only their report will be visible. For results, users can check the announcements channel. An update to the bot race reward structure is also expected to be announced before the next major contest.\n\nBear in mind, bots not registered in the chainlink protocol cannot be used for certain contests. Lastly, the leaderboard will be updated once we've glued together several pieces of the process.", "Question: What does the term 'grade-c' signify in the context of CodeArena report grading system?\n\nAnswer: In CodeArena's grading system, the term 'grade-c' refers to a report that is considered unsatisfactory. This grading system is used to evaluate both QA and gas reports, and is divided into grades A, B, and C, based on the quality of the report, the number of issues identified, their impact, and gas savings. While an 'A' or 'B' grade report is deemed good and is eligible for rewards, a 'C' grade report does not meet these standards and is thus not eligible for rewards.\n\nThe grading system doesn't solely depend on the number of issues reported. For instance, a report might have one significant issue and be considered a grade 'B', or it could have multiple low-impact issues and still be classified as a grade 'C'. The judges have the discretion to upgrade or downgrade the severity of the issues reported, which can affect the overall grade. Incorrect findings in a report can also lead to a lower grade. \n\nThe grading philosophy of CodeArena is comparable to a bell curve, with the best report receiving a 30% bonus, grade 'A' reports counting as 2 shares, and grade 'B' as 1 share. For detailed information on the grading and reward sharing system, please refer to the official documentation at https://docs.code4rena.com/awarding/incentive-model-and-awards. \n\nIt is important to note that the quality of the English writing of the report also plays a role in the grading. 
Thus, quality submissions should include correct identification of the highest severity impact of the bug, a well-supported argument for the chosen severity and validity with evidence, and clear, understandable writing. The severity categorization can be reviewed at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization. \n\nRemember, it's possible for a report to receive a zero grade if a judge decides it merits that grade.", "Q: I am having trouble submitting my findings for the contest. Can you provide detailed guidance on the submission process and troubleshooting tips?\n \nA: Yes, you can submit your findings for each contest through a form available on our website. However, some participants have reported issues during the submission process. \n\nIf you see a message saying 'No findings submitted for this contest' even after you have made your submission, it may be due to technical issues that occurred previously, like the ones that affected the Escher and Caviar contests. \n\nPlease note that if you're trying to submit a Gas Optimization report and receive an error message, it could be because one has already been submitted. This issue was reported in a past contest. Also, there may be a size limit on submissions, as some users have faced errors during submission.\n\nIf you are facing any difficulties running the contest with the provided instructions, or if you have questions about the submission rules, don't hesitate to ask. If you are facing issues with submitting findings from a mobile device, you can email your submissions to submissions@code4rena.com.\n\nIn case you have submitted all your findings to the wrong contest, please submit them again to the correct contest and fill out a form to let us know about the incorrect submissions. The form can be found at https://code4rena.com/help/.\n\nWe are actively working on improving the submission process. 
For instance, a new submission mechanism is slated for implementation in upcoming contests. \n\nPlease bear in mind that late submissions for contests are not accepted as per our submission policy, available at: https://docs.code4rena.com/roles/wardens/submission-policy#late-submissions. \n\nAfter submitting a bug, you can view or edit your own submissions on the site for open contests. It's possible to have concerns about the validity of the issues you've submitted, in which case you can submit the issue again and then create a help desk request to withdraw the invalid submission. \n\nRemember, if a participant submitted issues for a contest but did not make the award list, it's likely that their issues were rejected. You can confirm this by reviewing the available report. \n\nIn the event of multiple submissions or submission errors on Code4rena, you can seek assistance from our team. If a correct bug issue is submitted with an incorrect proposed solution, the submission can be updated if the Contest hasn't ended.\n \nIf you're unsure if you can contact judges directly to ask if you should submit something, it's better to post general questions in the contest's Q&A section. This way, everyone benefits from the answer.\n\nFinally, it's worth noting that a contest could potentially run with zero valid submissions, although this has not happened yet. We hope this detailed guidance helps, and we wish you the best of luck in your contest!\n", "Question: I am having trouble with registration and login on the CodeArena site, what should I do?\n\nAnswer: We are aware that some users have experienced issues with registration and login on CodeArena. If you're having trouble logging in, it may be due to system glitches where it shows you as logged in, but the interface remains unchanged. \n\nIf you are registering as a new user and can't find your username on the list, we are currently investigating this issue. 
If you did not receive an email after registration, please open a help desk request. \n\nIn case you forget your registration wallet address, or need assistance with login issues, you can seek help at [https://code4rena.com/help](https://code4rena.com/help). Alternatively, you can contact the #auth-help channel for assistance. If you need to change your username or want to switch to using a username and password for login, you would need to re-register on our platform. \n\nPlease note that changing your username could potentially affect your registration status as a warden. Moreover, we have noticed intermittent difficulties with site access and the password reset function. \n\nFor questions related to warden registration, changing the wallet attached to your user account, and other FAQs, please visit our troubleshooting page at [https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting](https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting). \n\nLastly, you need to remember that handle registration is mandatory if you want to submit anything. We appreciate your understanding and patience as we work to resolve these issues.", "Question: What should I do if I'm having trouble logging into my CodeArena (C4) account?\n\nAnswer: If you are experiencing issues logging into your CodeArena (C4) account, there are several troubleshooting steps you can take. Firstly, the C4 team has the ability to update the database to resolve login issues, so it might be worth waiting for a short period of time before trying again. If you are still unable to log in after waiting, you can try clearing your local storage and attempting to log in again. These login issues could be due to system errors where it shows you as logged in, but the interface does not change. We've also noticed some users encounter difficulties connecting their wallets on the site, and these issues are usually resolved after multiple attempts. 
If you continue to face issues, you can reach out for assistance in the #auth-help channel on our Discord server or create a help desk request at [https://code4rena.com/help](https://code4rena.com/help). Please note that some issues like new registration or user status updates may take a few days to be resolved by our team. We appreciate your patience as we work to resolve these issues.", "Question: How can I format and highlight my Solidity code in reports and submissions for CodeArena?\n\nAnswer: When formatting or submitting code for CodeArena, you have two main tools at your disposal. Firstly, you can use a custom print logic for each element to improve the readability of a string representation of a JSON. You can find an example of this on our [GitHub Gist](https://gist.github.com/CodingNameKiki/36f3bfb214907d68fdf3a43cb0cb8ae3).\n\nSecondly, CodeArena supports the use of Markdown (MD) format in the submission and reporting sections. Markdown allows you to add code blocks, which can be quite useful for highlighting specific sections of code. To add these code blocks, you can use three backticks (```) on either side of the block and specify the language to enable syntax highlighting, like ```solidity```. For more detailed information on how to use Markdown for code blocks, you can refer to [GitHub's advanced formatting guide](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks).\n\nIf you're working with Solidity, there are some additional methods to format arguments and function names in your audit reports to increase readability. Also, it's been suggested that tools like Visual Studio's preview tool can be helpful in formatting reports.\n\nRemember, if you're comparing two distinct lines of code, you can highlight them on Github by clicking on the starting line of code, then holding down Ctrl + Shift and clicking on the last line to highlight. 
Line numbers can be included in code snippets, but please consider the judges' preferences regarding this.\n\nOverall, the key is to make your code and reports as readable and understandable as possible. This could include explaining the purpose of a codebase, or breaking down lines of code like 'require(abc<123)', which could be considered a \"magic number\", to make them more understandable.", "Question: How can I log in as a warden once my pull request (PR) is merged in Code4rena?\n\nAnswer: Once your PR (Pull Request) for the warden is merged, you should be able to log in to your Code4rena account as per usual. You can sign up to be a warden using Github. To do this, you'll need a username and password for the platform. After logging into your warden account, you can switch back and forth between your individual account and your team account before making any submissions.\n\nKeep in mind, to access specific channels such as the team-formation or contest preview channel, you need to register as a warden first. You can do this by filling out the form on the Code4rena website. Detailed guidelines on how to register for a warden role are available at [https://docs.code4rena.com/roles/wardens](https://docs.code4rena.com/roles/wardens).\n\nIf you want to change your warden avatar or links on the CodeArena website, you need to look in the _data folder on the site repo and make a PR. Remember, changing your username could affect your registration as a warden. 
If you want to change the wallet address you log in with, you can follow the instructions at [https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with).\n\nIf you're interested in becoming a certified warden or wish to have backstage access to observe the report submission and triage process, you can find additional information at [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors). Backstage access is available to certified wardens who have an established level of contribution to the platform.", "Question: I'm having trouble logging into my CodeArena account, what steps can be taken to resolve this issue?\n\nAnswer: There could be several reasons why you are encountering login issues on CodeArena. Sometimes, the system might show you as logged in, but the interface does not change. Alternatively, you might be unable to log in due to not using the correct wallet or email. Here are some steps to troubleshoot:\n\n1. If you're using a Metamask wallet to log in, ensure that it's connected properly.\n2. Make sure you're using the correct email or username and password.\n3. Try resetting your password, although please note that some users have reported issues with the password reset function.\n4. If you're still unable to log in, you can reach out to the #auth-help channel with details of your issue.\n5. If the issue persists, it might be a technical issue that needs to be escalated to the development team. You can also submit a help desk request regarding the issue.\n\nRemember, once a Pull Request (PR) is merged for the warden, you should be able to log in. 
Our team is diligently working to address these issues and update our database to provide a smoother login experience for our users.", "Question: How can my company arrange an audit contest through CodeArena and what are the pricing and operational details?\n\nAnswer: CodeArena conducts audit contests which are notably similar to bug bounty programs. Your company can set up the contest with the help of CodeArena's booking team, which is regularly in contact with various projects about upcoming audits. Specific details about the contest's scope can be discussed with the respective sponsor. \n\nTeams can participate in auditing contests and individuals can also participate solo, even if their team is also auditing. Registration for a contest is done using a single wallet. There are both private and public contests, with participation in private contests depending on certain metrics or prerequisites. \n\nPricing details are individual for every contest, as sponsors decide the scope for their contests and list it in their contest info. More information can be found on the CodeArena documentation page here: https://docs.code4rena.com/\n\nCurrent and upcoming contests can be found on the CodeArena website (code423n4.com) and further details about future audit events or contests are dependent on sponsors confirming details and dates. \n\nAfter the contest ends, judging and payout timelines are documented at https://docs.code4rena.com/structure/our-process. If you receive rewards from a contest, the process for creating an invoice can be found at the bottom of this page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions\n\nParticipating in these contests is a great way for your team to gain a better understanding of audit reports and deepen their experience in analyzing smart contracts.", "Q: I've applied for the Know Your Customer (KYC) process over 10 days ago and received confirmation from the KYC-provider. 
However, I don't see my role as verified on CodeArena yet. Could you help?\n\nA: The KYC process can take some time, generally a few days, and in some cases, up to 2-3 weeks. After receiving your confirmation from the KYC provider, which is Provenance in our case, it usually takes a few more days to process your role on our end at Code4rena. Please note that there might be a delay due to factors such as the volume of applications, or any potential back and forth between you and Provenance. \n\nOnce you have received confirmation of your successful KYC from Provenance, it is communicated to us and we process it accordingly. This could take a few days, but you should receive an update on your status via email. Please make sure to check your spam folder for an email from compliance@provenance.company, as your confirmation might have been delivered there. \n\nIf you've been waiting for a considerable period of time or more than five business days, we recommend you to submit a help desk request for us to look into your case more deeply. You can do this through the form on our website at [https://code4rena.com/help](https://code4rena.com/help). We appreciate your patience during this process and are continuously working to streamline it.", "Question: What should I do if I encounter login issues on the CodeArena platform?\n\nAnswer: If you experience login issues on the CodeArena (C4) platform, there could be various reasons for this. Firstly, it's important to ensure you're using the correct wallet, email, or username and password combination as you might not be able to log in if these details are incorrect.\n\nIf you're a new user and can't find your username on the list during registration, please note that we are currently investigating this issue and will update you as soon as possible. Intermittently, there could be issues with user registration and login on the site which we actively monitor and resolve. 
\n\nPlease also note that there have been reports of issues with the password reset function. If you're unable to reset your password, or the system shows you as logged in but the interface does not change, please reach out to the #auth-help channel on our Discord server for assistance. \n\nThere's a functionality in place to update our database to fix login issues. Once a PR (Pull Request) is merged for the warden, you should be able to log in. However, this might require you to wait for about 20 minutes before logging in again.\n\nIf you wish to change your login address or username, you can re-register on the platform. After logging in, you can check if you're certified by clicking your name to see assigned roles. Note that you can also participate as a warden in upcoming contests by logging into your account.\n\nFinally, if you experience difficulties accessing the site, please remain patient as these issues are usually temporary. Also, bear in mind that the help page of the website might show an 'Out of Office' message during off-hours.\n\nFor any further assistance, please feel free to reach out to us on the #auth-help channel on our Discord server.", "Question: I've submitted my KYC application and it's been over a week without a response. What should I do to check its status or expedite the process?\n\nAnswer: The Know Your Customer (KYC) process can take a week or more to complete, depending on the back and forth between the applicant and Provenance. After submitting your application, you should receive an email confirmation from both Provenance and Code4rena. If you haven't received any response within five business days, you can submit a help request through the form on our website at https://code4rena.com/help. \n\nIn some cases, KYC applications may be rejected, and the reasons for rejection are not always communicated. If this occurs, it's recommended to directly work again with the originator of the application. 
Please note that the handling of backstage access requests could take up to 24 hours after KYC is admitted.\n\nAlso, remember that despite passing the KYC process and gaining approval, you might still be unable to access private contests if you don't have certified status on your handle. In such situations, a help desk request can be helpful. \n\nLastly, if you don't have a passport but possess a national identification card, and you're wondering whether you can use it to verify your identity for KYC purposes, this was not addressed in the chat excerpts provided. Please use the help request form to raise such queries.", "Question: How can I improve the formatting and readability of my solidity code and findings submitted to CodeArena?\n\nAnswer: There are several ways to enhance the readability of your code and findings. To make JSON strings more readable, you can use custom print logic for each element. When dealing with solidity code, you can use tools like Visual Studio's preview tool for formatting reports. Markdown and hackmd can also be used to enhance the presentation of your reports.\n\nWhen editing your findings, you can modify the 'test' command in the 'package.json' file to affect the 'REPORT_GAS' function. For specific types of code, consider using 'git diff' in the terminal and using backticks in the report. If you want to display mathematical expressions, you can check how they will be displayed on the GitHub findings repo. \n\nThe Markdown Renderer on our site doesn't always provide the best formatting, so viewing the code on Gist is advised for better formatting. To achieve syntax highlighting in a code block in a finding report, use three backticks and specify the language (e.g., ```solidity). \n\nFor larger text that doesn't fit in the textbox on the help desk site, consider linking a gist. If mitigations are involved, you can use markdown to write the code in the report. 
If you need to edit a form you filled out incorrectly or want to update your findings, you can't directly edit the analysis report, but you can create a help desk request including a secret gist to have edits added to the comments of your analysis report before the audit closes.\n\nRemember to follow the discussions at [https://github.com/code-423n4/org/discussions/91](https://github.com/code-423n4/org/discussions/91) to stay updated on changes and regulations.", "Question: How does using console.log in smart contracts work, specifically for both public and local variables?\n\nAnswer: In smart contracts, you can use console.log to print both public and local variables. You can do this by importing the \"forge-std/console.sol\" in your function. Note that Hardhat and Foundry can be used to print local variables declared inside a function using console.log. The default foundry comes with console.log in the library. \n\nMore information about state variable visibility, including public variables and storage variables, can be found at https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility. For example, in the openzeppelin contract, _totalSupply is a private storage variable, which requires a view function to view it. In contrast, for public storage variables, a view function with the same name is automatically generated.\n\nIn terms of usage, functions are automatically generated for public storage variables, constants, and immutables which aren't stored in storage. It's also important to remember that the console.sol can be imported inside the original Contract itself and does not necessarily have to be in the x.t.sol file.\n\nKeep in mind that in a web3 console, the calling convention used can differ from what is actually called on the contract in the EVM. 
It's also worth noting that users may experience difficulty in performing tasks, such as viewing the console, on mobile devices.", "Question: Can I import the console.sol inside the original Contract itself, or does it have to be in the x.t.sol file?\n\nAnswer: You are not required to import console.sol specifically in the x.t.sol file; you also have the option to import it inside the original Contract itself. However, it's crucial to keep in mind that how you structure your imports can affect the accessibility of different functions among your contracts. For instance, if Contract A inherits from Contract B, and Contract C inherits from Contract A, Contract C may not have access to internal functions of Contract B. \n\nAlso, bear in mind that missing imports on .sol files can lead to errors, as observed in our chat discussions. If you ever find yourself encountering such issues, there are several ways to fix them. You can clone the entire repository and install the dependencies using forge, or you can manually include the contracts on Remix from OpenZeppelin contract repo (https://github.com/OpenZeppelin/openzeppelin-contracts) and Solmate (https://github.com/transmissions11/solmate). \n\nAnother point that's worth noting is that there's a practice of directly importing code instead of using an npm package. This is done to allow necessary changes to external contracts to better suit your project requirements, as observed in our chat discussions. \n\nFinally, if you have further questions about Solidity syntax, contract interactions, or any related topics, feel free to ask them in our platform. Our community is always ready to help.", "Question: How can I use Hardhat or Foundry to print local variables that are declared inside a function and what tools are available for debugging?\n\nAnswer: Both Hardhat and Foundry provide the option to print local variables declared inside a function using console.log. 
Specifically, the default Foundry comes with console.log in its library. \n\nFor debugging in Hardhat, the Hardhat Foundry can be utilized. It has the ability to fork its state from a public testnet or even the mainnet, making it an effective tool for testing smart contracts. \n\nWhen it comes to Foundry, a tool named \"Foundry Debug\" is available to debug hardhat tests or introspect contract execution at the EVM opcode level. However, it should be noted that there have been reports of issues about the \"Source from artifact has no AST\" error when running forge debug on a hardhat project with foundry integration.\n\nIf you're looking to deploy a contract on Foundry that takes a struct as an argument in the constructor, or if you need to directly call internal functions in the context of Foundry, you'll need to write a child contract and use it like a wrapper. \n\nFor anyone looking to use Foundry in a project that employs Hardhat, a base template can be found at https://github.com/foundry-rs/hardhat-foundry-template. \n\nLastly, if you are interested in generating a gas report, both Hardhat and Foundry were suggested as tools for this task. For Hardhat specifically, users use the Hardhat gas report plugin to benchmark their code for gas savings. With Foundry, users have been trying to log gas remaining after the state variable update but have encountered difficulties. \n\nRemember to check the official documentation and forums for up-to-date information and solutions to common issues.", "Question: I have encountered the \"Source from artifact has no AST.\" error when running forge debug on a hardhat project with foundry integration. What could be the cause of this and how can I troubleshoot it?\n\nAnswer: The error message \"Source from artifact has no AST\" might arise due to issues with the way you're running the forge debug on a hardhat project with Foundry integration. 
Foundry, which allows you to debug hardhat tests and introspect contract execution at the EVM opcode level, can be used in a hardhat project. However, there might be opcode support issues from time to time. \n\nFor a better understanding of how to utilize Foundry in a project that uses Hardhat, a base template has been provided at https://github.com/foundry-rs/hardhat-foundry-template. \n\nIn case you're also interested in deploying a contract that takes a struct as an argument in the constructor on Foundry, or if you're looking for an equivalent for \"upgrades.deployProxy\" from Hardhat in the context of Foundry, this GitHub link (https://github.com/chugsplash/chugsplash-foundry) might be helpful. \n\nIf you're experiencing difficulties with running the forge debug, you might want to try using Hardhat for testing instead of Foundry, as it was suggested as an alternative in some cases.\n\nLastly, bear in mind that Hardhat and Foundry can be used to print local variables that are declared inside a function by using console.log, which might aid you in your debugging process. \n\nRemember that while Foundry is a useful tool for testing scenarios in a local environment and provides an alternative to public testnet, it is not without its challenges and issues, which might require a bit of troubleshooting from time to time.", "Question: How can I print a locally declared variable in Solidity, and does the console.log function work only with public variables?\n\nAnswer: To print locally declared variables in Solidity, you can use the console.log function from the forge-std/console.sol library. You need to import the library using the statement `import \"forge-std/console.sol\";` and then use `console.logUint(localVar)` to print the variable. \n\nThis method is not limited to public variables; it can be used to print local variables that are declared inside a function. 
Additionally, testing frameworks like Hardhat and Foundry also provide the functionality to print local variables using console.log. In fact, the default Foundry comes with console.log included in its library. \n\nIt's important to note that in Solidity, functions are automatically generated for public storage variables, constants, and immutables which aren't stored in storage. For more information about state variable visibility, you can check the official Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility). \n\nIn some cases like the openzeppelin contract, private storage variables like `_totalSupply` need a view function to be seen. In contrast, in other contracts, a view function with the same name is automatically generated for public storage variables. \n\nYou can import the console.sol inside the original Contract itself and not necessarily be in the x.t.sol file. When it comes to gas optimization, be aware that declaring variables next to each other can allow them to be packed into a single 32 bytes storage slot, reducing gas costs. More about this can be read at the official Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html). \n\nSome of the details of the functionality can be dependent on the console's calling convention and the specific contract in the EVM. This is a complex topic and beyond the scope of this answer.", "Question: What is the recommended way to format Solidity code in my submissions to Code4rena?\n\nAnswer: To ensure your Solidity code is properly formatted in your submissions, you can use Markdown formatting which is accepted in the submission form on Code4rena. This includes using code blocks which can be created by surrounding your code with three backticks (```). \n\nTo further enhance readability, you can add Solidity syntax highlighting in your code block by specifying the language as Solidity. 
This can be done by placing 'solidity' after your initial three backticks (e.g., ```solidity). \n\nIf you're including a link to a repository or a specific line in your text, provide a valid URL. If you're providing a Solidity code block, ensure it follows the recommended Markdown formatting. \n\nAs an additional tip, you can preview your submission using the Code4rena interface that proposes a markdown template. This will help ensure that your code is readable and well-structured. \n\nRemember, the guidelines on how to report issues related to smart contracts can be found at this link: https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md \n\nIf you want to include line numbers from GitHub, use this Visual Studio extension: https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers \n\nFor further reference, you can also review the contest reports on the Code4rena website: https://code4rena.com/reports\n\nIn case you face any issues with syntax highlighting, participants have discussed some issues with VSCode and Solidity annotation syntax highlight in our chatroom. Feel free to ask your questions in the platform, where both beginners and experienced Solidity developers participate.", "Question: Why do some smart contract implementations use the constant product automated market maker (AMM) calculation dy = (y * dx) / (x - dx) instead of dy = (y * dx) / (x + dx), and how can I calculate the optimal amount of tokens to input?\n\nAnswer: The use of different formulas in AMM calculations often depends on the specific requirements and logic of the smart contract in question. Both options are valid depending on the context. The formula dy = (y * dx) / (x - dx) is often used in Uniswap-like scenarios, where x and y are initial amounts of tokens A and B respectively, dx is the amount of token A you input, and dy is the amount of token B you receive. 
\n\nIn this formula, using (x - dx) can help calculate the optimal amount of token A to input to lower the token B / token A ratio to the fair market value. This can be especially useful in arbitrage opportunities where you aim to maximize profits. However, this formula does not take into account any protocol fees which could potentially reduce profit.\n\nOption 2, dy = (y * dx) / (x + dx), is used in some implementations, like the one found in [this source code](https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L699). The specific reasoning behind using this option over the other will depend on the intricacies of the code and the specifics of the smart contract implementation which may include factors such as gas optimization, precision loss prevention and potentially others.\n\nTo calculate the optimal amount of tokens to input (dx), you would have to derive it from the AMM's price formula, adjusting for price impacts and transaction costs. This is achieved using the formula dx = -x + sqrt(x * y / a).\n\nPlease note that this is a generalized explanation and the specifics can vary based on the smart contract, its set of rules and the particular AMM being used. For more detailed understanding and customization to specific needs, a thorough review of the smart contract code and understanding of the underlying mathematics is necessary.", "Question: How can I use Hardhat and Foundry to print local variables in a smart contract, and what are their advantages in testing and debugging smart contracts?\n\nAnswer: Hardhat and Foundry allow you to print local variables declared inside a function. In Hardhat, you can accomplish this by importing the console using \"import 'hardhat/console.sol'\", then using console.log() to print the variables. Foundry also supports console logging with its default library. 
\n\nIf you're using Foundry in a project that also uses Hardhat, you can use a base template found at [https://github.com/foundry-rs/hardhat-foundry-template](https://github.com/foundry-rs/hardhat-foundry-template) for easier setup.\n\nIn addition to enabling variable printing, both Hardhat and Foundry provide useful tools for testing and debugging smart contracts. Hardhat is often preferred for testing, and its gas report plugin is a useful tool for benchmarking code for gas savings. For more advanced introspection and debugging at the EVM opcode level, Foundry provides a tool called \"foundry debug\". \n\nFurthermore, the Hardhat Foundry can fork its state from a public testnet or even the mainnet, which can be a more convenient option for testing smart contracts. Foundry also allows for account impersonation using vm.prank(address), similar to Hardhat, and enables you to fork data from a live network such as main or test net to run locally, which is particularly useful for testing scenarios in a local environment. \n\nIf you're looking to learn more about Hardhat's testing framework, the Codecademy Javascript testing module and Alchemy University's Ethereum Bootcamp in week 4 are good resources. For issues with \"Source from artifact has no AST.\" error when running forge debug on a Hardhat project with Foundry integration, it's worth noting that there have been reported issues. \n\nOverall, both Hardhat and Foundry are powerful tools that can assist you in auditing and testing smart contracts, aiding in code coverage, debugging, and more. To choose between the two, it really depends on your specific project needs and familiarity with these tools.", "Question: How can I log and optimize gas remaining after the state variable update in Foundry and how do I submit my findings to CodeArena?\n\nAnswer: Logging gas remaining after a state variable update in Foundry, a smart contract testing framework, involves using the Hardhat gas report plugin. 
This tool helps to benchmark your code for gas savings. The gas cost in Foundry is measured in units of gas.\n\nTo optimize your gas usage, a few key points can be utilized. It's recommended not to initialize default variables to 0. Solidity stores state variables in 32 bytes storage slots and packing variables into fewer slots can reduce gas costs (you can find more information here: https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html). There may be exceptions to these guidelines based on the project or specific function you're working on. \n\nOnce you have obtained your findings, these can be added to your gas report. In CodeArena (C4), you can manage your gas report submissions on the contest details page under \"Your Findings\". It is suggested to specify the amount of gas that would be saved for each optimization, although this is ultimately based on the judge's decision. If you have more findings, go to the contest page, and click the 'Your Findings' button to add them. \n\nPlease note that only one gas optimization report can be submitted per contest, but additional findings can be added to the report while the contest is open. If your report exceeds the number of characters allowed in the submission form, submit a placeholder in the form and send an email with the details (more information can be found here: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form).\n\nRemember, participants can ask for clarification on gas optimization, and it is encouraged to seek out support in the community if you encounter difficulties.", "Question: How can I communicate with the CodeArena staff and other participants for assistance or to discuss potential issues?\n\nAnswer: Yes, you can communicate with participants and team members at CodeArena through various means. 
Direct messaging (DM) is possible between users, staff members, and code4arena team members. You can also contact certain identified individuals to update your submissions or to report potential vulnerabilities in a project. \n\nDuring a contest, you can discuss potential submissions with the project's development team either in the contest channel or through private messaging. Additionally, each contest has a dedicated channel where general questions can be asked. Sponsor team members are also available for questions via Direct Message (DM). They have designated contacts that participants can direct message during a contest to ask questions. \n\nFor issues related to your account, team modifications, or updates to your profile, you can send a help desk request. It is also possible to contact someone from the streams' protocol team for clarification if required. To report vulnerabilities impacting Code4rena's webapp, you could send a direct message to a specific individual or email the issue to security@code4rena.com. \n\nPlease remember that while personal contact and direct messaging has been encouraged for specific questions, you should also be aware of potential scam attempts in direct messages. Always ensure that you are communicating with verified team members or participants.", "Question: I'm certified with CodeArena but I haven't received an invitation link to GitHub, what should I do?\n\nAnswer: If you're a certified contributor with CodeArena and you haven't received an invitation link to GitHub, it's important to check a few things first. Make sure you've applied for KYC (Know Your Customer) as the invitation link is usually sent via email from Provenance after this process. \n\nThe time it takes for a GitHub organization invite to be sent can vary, however, if it has been a considerable amount of time, reach out to our team for assistance. 
If you believe you qualify for Certified+ status but haven't found the correct submission form, you can apply through the link provided: https://code4rena.com/certified-contributor-application.\n\nRemember that being certified does not automatically grant you access to the previously participated contest in progress judging repository, you will need a backstage pass for that. For the backstage pass, you need to be certified as well, and you can learn about the certification process here: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.\n\nIn case you are not receiving emails from Provenance despite being verified for base, or you have issues with receiving an email despite fulfilling requirements, ensure to check your spam folder and if the issue persists, contact our help desk at https://code4rena.com/help. \n\nIf you've passed the KYC process but still can't access private contests, it might be because you don't have certified status on your handle. In such cases, you can create a help desk request. Also, note that immediate access to the findings repo is currently available for Certified+ users.\n\nPlease remember, the process for becoming certified requires the fulfillment of some prerequisites, detailed at https://docs.code4rena.com/roles/certified-contributors. You can start the certification process by reading the document there. You can also check if you're certified by clicking your name to see assigned roles and also via email communication.", "Question: How can I include screenshots or other visual aids in my submission?\n\nAnswer: While our general guidance suggests not using screenshots in submissions, there can be situations where visuals might be helpful. In such scenarios, participants can include images in their submissions by uploading the image to GitHub Gist, submitting the report with the Gist link, and then deleting the Gist. 
Alternatively, you can register a free account on https://cloudinary.com/, upload the image and copy the image URL. For further details, you can refer to the guidelines at https://www.markdownguide.org/basic-syntax/#images-1 \n\nEnsure that your screenshots or images are relevant and aid in comprehending your report. If your report is larger, you can submit it via email and place a placeholder in the original submission. You can also update your submission by clicking the \"Your Findings\" button.\n\nIt's essential to note that our submission tools and mechanisms are continually updated, with a new submission mechanism slated for implementation in upcoming contests. If you face issues, including performing tasks via mobile, you can reach out to submissions@code4rena.com. Additionally, please familiarize yourself with our submission policy at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. \n\nRemember, the focus should be on the content of your report. Including replaced lines using diff tools or 'git diff' can be more beneficial than screenshots for demonstrating changes in the code.\n\nWe are always working to improve our process, so we appreciate your understanding and cooperation.", "Question: Does CodeArena participate in events like consensus in Austin, and what kind of presence can we expect from them at such events?\n\nAnswer: CodeArena does participate in various events, as evidenced by their engagement with events like ETH.NYC and ETH.Denver. Specifically, most of their growth team is usually present at these events. They are also known to host their own events, such as one planned for devcon as announced on their Twitter account [here](https://twitter.com/code4rena/status/1577405876952272896?s=21&t=YjWD5aNJCZKKN9jXrRDh7A). 
While we don't have specific information about their participation in the consensus in Austin, you can expect their presence to be professional and timely, based on their standard operational practices. For more details about their event participation, you can regularly check their website at [code423n4.com](https://code423n4.com/) and their various social media platforms.", "Question: What is the recommended way to submit gas optimization reports for a contest at CodeArena and how should these reports be formatted?\n\nAnswer: For gas-related submissions, we advise participants to make a single consolidated report that includes all their findings. This report should be written directly into the submission form without the use of any special formatting tools. If you're using a template from a previous contest, remember to modify it to fit the current contest's requirements.\n\nIt is highly recommended to accompany your submissions with a snapshot showing the amount of gas that would be saved via the refactored code. However, be mindful that there are restrictions on submitting more than one report of gas optimization in a contest, so compile all your findings into one report.\n\nIf your report exceeds Github's max character limit for issue descriptions (~65k characters), you won't be able to submit it through the form and may receive an error message. In such cases, you can submit a placeholder and send your report via email to submissions@code423n4.com. More details on this can be found at: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.\n\nRemember, only one gas report should be published for a contest. If you have additional findings that need to be added, update your existing report. 
Also, separate your Gas report from your Quality Assurance (QA) report and remember, it's beneficial to include gas savings from refactored code in submissions.\n\nLastly, for formatting, you may find guides or templates on how gas/QA reports should look on our website. Remember, you have the ability to edit your findings on the C4 page while the contest is open.", "Question: Why can't I view or edit my submissions immediately after a contest has ended and when can I see the status and feedback of my submissions?\n\nAnswer: The inability to view or edit submissions immediately after a contest has ended is due to our policy to maintain security and avoid prematurely revealing sensitive findings. This rule applies to all participants, including sponsors, who do not have access to the findings repository until the contest ends. Only those with the \"backstage\" role, a position that requires KYC/NDA, get access to findings soon after an audit for the purpose of triaging.\n\nOnce the contest has ended, your submissions can no longer be amended, and any late findings cannot be submitted. This is critical to the integrity of the contest and to ensure all participants abide by the same rules. \n\nThe status of your submissions and any discussions regarding it among sponsors and judges will only be disclosed when the report is published and the repository is fully opened. This typically takes at least a month after the contest ends. Until then, you may not be able to determine why your findings were rejected, if they were, or why some of your rewards are still pending.\n\nYou will be able to access your QA reports for contests that have already closed and view other wardens' reports. However, visibility may vary if there is no table with results. \n\nWe're working on a new submission mechanism and have plans to allow certified contributors to view submitted issues right after contest closures, enabling them to comment or give input on these issues during judging. 
\n\nRemember, you can make your findings \"public\" only after the contest has been finalised. Please stay tuned for more updates on our platform's improvements.", "Question: I submitted an application for a role at CodeArena and haven't received an email confirmation or any response. Has my application been processed and how can I check my status?\n\nAnswer: CodeArena does its best to send out email confirmations upon receiving your application. However, there can be delays or issues with emails not arriving, sometimes due to them landing in the spam folder. If you didn't receive a confirmation email, it doesn't necessarily mean your application was not received. \n\nAs an initial troubleshooting step, please check your spam or junk folder, as emails may have been directed there. If you submitted your application via a form on our website and didn't receive an email, the form should ideally return an error if the submission fails.\n\nIf you are unable to locate any confirmation and remain unsure about the status of your submission, you can open a help desk request at [https://code4rena.com/help/](https://code4rena.com/help/). This is also the typical route for any query or issue you may have related to submission of findings, applications for roles, or ticket creation.\n\nPlease note, however, that there may be a delay in receiving responses due to the high volume of requests we process. The duration for receiving a feedback, like for KYC applications, is not mentioned explicitly in the provided excerpts, but rest assured we aim to respond as soon as possible.\n\nLastly, please be aware that not all applicants might be contacted. Typically, only the selected candidates are contacted for the next steps of recruitment.\n\nThank you for your patience and understanding. 
We appreciate your interest in CodeArena.", "Question: In the final report of a contest, are wardens included whose findings or submissions were not accepted?\n\nAnswer: No, the final report for a contest does not include wardens whose submissions or findings were not accepted. The final report becomes publicly available once it's published, and certified+ wardens can view the findings repository immediately after a contest ends. If a warden's submission is not accepted or rewarded, they can review why that happened after the report is out and the repository is fully opened. This review process allows them to see the discussion among sponsors and judges about the specific issue. However, all findings are treated as private and confidential until the report is public, following the professional conduct guideline for certified wardens. Information about the submission and discussion of findings can be found at [https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines].", "Question: What guidelines should I follow when including links and formatting in my Code4rena submission?\n\nAnswer: You are encouraged to include relevant links in your Code4rena submission. These can consist of links to specific code fields, Proof of Concept (POC) scripts showcasing vulnerabilities, GitHub repositories, and even reports or findings from other contests to justify the severity and validity of your submission. Also, if you have a separate submission, you can refer to it in your current submission by its number on the \"your findings\" page. If your findings pertain to a competitor of the project, you can also link to them as a mitigation measure, provided it's relevant. \n\nRegarding formatting, Markdown is allowed in your submission, including for images and code formatting. Ensure you follow the guidelines for using Markdown which can be found here: [Markdown Guide](https://www.markdownguide.org/basic-syntax/#images-1). 
You can also use mermaid syntax in the submission preview.\n\nFor longer code submissions or those including a POC, you might want to consider linking to a private Github repo or adding a zip file, especially if the code is extensive. More information about this can be found on our submission policy page: [Code4rena Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept). \n\nRemember, you can edit your submission after it's submitted, and your team members can make submissions on behalf of the whole team if needed. When considering high-risk findings, it's advisable to make a case to the judge in your submission. After the contest, you can view all submissions. \n\nAlways ensure your links are valid and your Markdown is properly formatted to maintain the quality of your submission.", "Question: How can I update or edit my submissions on CodeArena?\n \nAnswer: If you want to edit your submitted findings, you can do so via the \"Your Findings\" button located in the middle of the contest page. Here's how:\n\n1. Navigate to the relevant contest page on CodeArena.\n2. Look for the \"Your Findings\" button which should be visible in the middle of the screen.\n3. Click on this button to view and modify your submitted findings.\n\nFor example, if you are participating in the Ethos Reserve contest, you would visit this page to edit your findings: https://code4rena.com/contests/2023-02-ethos-reserve-contest\n\nThe \"Findings\" tab will not only allow you to edit your submission but also keep track of your report status and view feedback for your findings. Please note that there have been instances where users have reported not seeing their findings under this tab despite having submitted them. If this occurs, please contact the support team for assistance.\n\nKeep in mind that you can also withdraw submissions or submit additional findings while the contest is still open. 
Just return to the \"Your Findings\" button on the contest page to do so. After withdrawal, you can create a new submission if desired.\n\nWe no longer use a GitHub template for submissions, so please be sure to use the \"Submit finding\" button on the contest page to submit each finding separately. \n\nPlease remember to authenticate before submitting your findings, as there may not be an option to submit without authentication. We wish you the best of luck in the competition!", "Question: How can I view and manage my submissions for contests on CodeArena, including viewing others' findings and understanding why certain findings were rejected?\n\nAnswer: After a contest concludes on CodeArena, there is a process that needs to be followed before all submissions become publicly viewable. This is due to our strict adherence to security and to prevent prematurely revealing sensitive findings. \n\nWhen you submit findings for a contest, you can access and edit them under the \"Findings\" tab next to the contest description. If you do not see your submission under \"Findings,\" there may be a delay in the system or a technical issue. However, these submitted findings are not publicly available until after the contest has concluded and the report has been published.\n\nOnce a contest ends, the findings are reviewed and triaged by our team. If you have a \"backstage\" role, you may gain early access to these findings to aid with this process. However, please note that this role requires KYC/NDA and applications are currently suspended.\n\nAfter the reviewing process is complete, a report is published and the findings repository is opened to the public. This allows you to see the discussion among sponsors and judges on specific issues, find out why certain findings were rejected, and view others' findings. 
The report publication typically takes at least a month after the contest ends.\n\nAdditionally, we are working on plans to allow certified contributors to view submitted issues right after a contest closure and to comment or give input on these issues during judging. \n\nPlease note that the sponsors of the contests do not have access to the findings repo until the contest ends. This is to ensure a fair and unbiased judging process. The time taken for project findings to get reviewed varies with each contest.\n\nIf you have further questions or encounter issues, please do not hesitate to reach out to our support team.", "Question: When will the results for the Rubicon audit be released by CodeArena?\n\nAnswer: The timeline for the release of Rubicon audit results can vary. Once the CodeArena contest is concluded, the findings are reviewed and triaged before they go through sponsor review and final judging. After the judging process, the findings are typically sealed until the audit report is ready for publication, which can take anywhere from 2 to 6 weeks, or even longer depending on various factors including the time taken for judging. It's important to note that not all submitted findings may make it into the final report, and the reason for this might not be immediately known. Participants are advised to wait for the report to be published and the findings repo to be made public to review their submissions. Reports will be published at https://code4rena.com/reports/. The release of the report can sometimes take a lot of time because the CodeArena team needs to get the green light from the projects involved. However, a batch of reports, including the one for Rubicon, is expected to be published soon. 
Please keep an eye on our website and our Discord channel for the latest updates.", "Q: What are the prerequisites and procedures for gaining backstage access at CodeArena, and when can I expect to gain this access after completing the KYC process?\n\nA: To gain backstage access at CodeArena, a user must go through the KYC (Know Your Customer) process and obtain certification as a certified contributor. This process is crucial for security reasons and ensures that only qualified individuals can participate in private contests and audits. Certified contributors need to meet certain requirements such as having at least three medium findings and four total findings from their participation in contests. \n\nAfter you have fulfilled these requirements, you can apply for backstage access as soon as the contest results are published on the leaderboard. This usually happens shortly after the awards are announced. To apply for backstage access, you can submit a help desk request through the official CodeArena website. More details on this process can be found here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens\n\nOnce your request for backstage access has been reviewed, you will be notified. However, please note that there were some changes in the backstage access process and request processing was paused at the time of our last update. It typically takes up to 24 hours after KYC admission for your backstage access request to be processed, but this timeline may be subject to change. \n\nFor teams participating in an audit, it's important to note that all team members need to complete the KYC process to receive payment after the audit. Furthermore, if there are any KYC issues, there may be a delay in claiming the audit prize. \n\nAs a final point, please be aware that backstage access in the past was based on a trust model, but future access may involve some constraints or consequences. 
For the most recent updates, please regularly check our official channels.", "Q: How are gas optimization findings judged at CodeArena and is it necessary to present proof of the gas saved in each case? Is it worthwhile to focus on significant improvements in important functions?\n\nA: Gas optimization findings at CodeArena are evaluated primarily based on the inefficiency of the existing implementation. This means we are interested in seeing potential enhancements that could lead to notable gas savings. If you discover a significant improvement in an important function, it is certainly worth showcasing.\n\nWhen reporting gas optimization, it's encouraged to specify how much gas could be potentially saved with each optimization. However, the necessity to provide a proof of Concept (PoC) for gas saved or whether a description and mention of the gas saved is enough depends on the judge's decision. If possible, submissions for gas reports are best accompanied by a snapshot showing how much gas would be saved via the refactored code.\n\nGas optimization can be a complex topic, and we understand there can be confusion around it. For example, not all gas optimizations are valid when the optimizer is enabled, and there can be debate about whether certain code simplifications fall under QA reports or gas optimizations. To clarify, a finding that is relevant to both QA and gas savings can be included in either report, and judges may decide where it best fits.\n\nPlease don't hesitate to ask for clarification on gas optimization if you're unsure. Remember, a good starting point for first-time audits is focusing on gas optimization. Lastly, you can find a list of all the approved findings and gas optimizations on our GitHub page (insert link here). 
Please note that all findings related to gas optimization should be consolidated under one report for a more streamlined review process.", "Question: How can I effectively include and highlight code blocks in my finding reports for CodeArena using markdown?\n\nAnswer: CodeArena's report section supports Markdown (MD) format, which is an easy-to-use language that helps format your text. This includes adding code blocks to your report. To add a code block and highlight the syntax, you would use three backticks (```) on either side of your code block and specify the language. For example, if you're working with Solidity, you would use the following format: ```solidity\\ncode\\n```.\n\nIn addition to this, you may want to include line numbers to your code snippets. This can be done using tools like Visual Studio's preview tool. However, it's important to note that the judges' preferences regarding line numbers in code snippets may vary, so it might be a good idea to clarify this before proceeding.\n\nIf you need to embed images or add color to your text, markdown can also help you achieve this. For instance, using presets for code when doing a code block, usually javascript is used for solidity.\n\nRemember to only add the GitHub permalink for the respective code block in the \"Links to Affected Code\" section for high/medium findings. Markdown can be added in the finding body. For more detailed information on how to use markdown to improve the presentation of your reports, visit this link: [Markdown Guide](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks)\n\nIf you're using another tool to write your reports, make sure it supports markdown. Some popular options include GitHub, Joplin, VScode, and Notion.", "Question: How can I confirm the acceptance and status of my submitted report?\n\nAnswer: After successfully submitting your report, you will receive an email confirmation. 
This confirmation will indicate that your submission has been received and is pending review. Reports are typically reviewed and triaged immediately after a contest ends by judges, then they await sponsor review, final judging, and Quality Assurance before being made public. \n\nYou can check the success of your report submission and edit submitted findings at https://code4rena.com/reports. Once the report is generated or the findings repo is made public, you will be able to view the status of your submission and the reasons for any rejection. If your submission was accepted for a closed contest, you would qualify to be Backstage. \n\nThe reward payment for accepted reports is usually made within 1-2 business days of the announcement, and you will see USDC start flowing into your wallet. \n\nPlease note that not all reports are guaranteed a reward; they are graded and must meet quality standards to be considered valid. The final decisions on which reports get featured in the client report are made by our judges. \n\nIf you submitted issues for a contest but did not make the award list, it is likely that your issues were rejected, and you can confirm this by reviewing the available report. If you encounter any issues or have concerns, you can submit a helpdesk request.", "Question: How can I learn more about the participant numbers and contest details in CodeArena contests?\n\nAnswer: At CodeArena, we understand the interest in knowing the number of participants in a given contest. While we are considering including these numbers in contest announcements, the method of delivery is not yet decided. As mentioned, the contest channel in Discord is the best place to reach out for any clarification.\n\nYou can view and participate in our contests listed in the #\u270brsvp channel, which can be accessed via our Discord link. 
We're also considering implementing a notification system, potentially a Telegram bot, to announce new contests.\n\nIn addition to the number of participants, you may also be interested in other metrics such as the average percentage of pool awarded. These details, as well as the scope for the contests which is decided by the sponsors, can be found in the respective contest information. \n\nFor a more interactive experience, participants can discuss potential submissions with the project's dev team either in the contest channel or through private messaging. Also, during a contest, participants have designated contacts in sponsor teams to direct their questions to.\n\nWe're also looking at the idea of creating a leaderboard to display the best contestants and archiving contests in quarters due to the Discord channel limit. For any suggestions or improvements, we've established a suggestion box where you can share your ideas.\n\nFor specific details about contest rewards, discussions are ongoing at https://github.com/code-423n4/org/discussions/43. Please note that there are both public and private contests, and participation for the latter depends on certain metrics or prerequisites.", "Question: How can I confirm if my report was accepted, and what happens if my submission is not rewarded?\n\nAnswer: After you submit a report, you will receive an email confirmation. The status of your submission can be checked at https://code4rena.com/reports. If your report is accepted, USDC will start flowing into your wallet typically within 1-2 business days of the announcement. However, if your report is not rewarded, you can review the reasons your submission was not accepted by checking the report once it's published and the repository is fully opened. This review process allows for a better understanding of why a bug or issue wasn't accepted, offering insights that can help improve your future submissions. 
\n\nRemember, all types of reports, from high-level issues to gas optimizations, are eligible for payouts, provided the report is of high quality, accurate, and includes a working proof of concept. If you submitted a report without certification, note that while it may be accepted, certification is needed to receive rewards. \n\nIf you submitted a report and feel uncertain about its severity, or if your report was classified as medium but you believe it's high severity, it will be reviewed accordingly by the judges. Unless there's a reason to penalize it (such as it being incomplete, lacking detail, or inaccurate), the severity could be adjusted. \n\nFor additional help or clarification, you may consult the FAQ at https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq. We encourage continuous learning and improvement, and we are here to support you in your journey.", "Question: Can I get more information about participation in CodeArena contests, such as estimated number of participants, process of signing up as a warden, and details about the types of contests?\n\nAnswer: At CodeArena, the number of participants in a contest is typically disclosed only after it ends. This is due to our focus on the value provided from a security perspective, which is primarily determined by the results of the contest. However, you can find contest details and decide whether you want to compete by checking the #\u270brsvp channel on our Discord.\n\nTo participate in our contests, you need to sign up as a warden. You can do this by logging into your CodeArena account and registering as a warden. More details on this process can be found at [https://docs.code4rena.com/roles/wardens#registering-a-team](https://docs.code4rena.com/roles/wardens#registering-a-team). Wardens can participate individually or as part of a team. \n\nThere are various types of contests, including public contests, versus contests, and private contests. 
Public contests are open to all registered wardens, with details displayed in our public Discord channel. Versus contests are invitational and often involve only a few wardens, with opportunities given based on performance in specific contests or during a recent window. Private contests are limited to certified wardens, with RSVPs available in a private Discord channel visible only to certified wardens. \n\nYou can find a detailed distribution of rewards for finding issues on our documentation page at [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards). We encourage participants to check this information and other contest details to make the most out of their participation in CodeArena contests.", "Question: As a beginner interested in smart contract auditing, where can I find resources to learn and get assistance with auditing a contract?\n\nAnswer: There are several resources available for beginners interested in learning about smart contract auditing. \n\n1. For starters, you can check out the blog post by @cmichel, \"How to Become a Smart Contract Auditor\", available at https://cmichel.io/how-to-become-a-smart-contract-auditor/. This is a comprehensive guide that's recommended for beginners.\n\n2. CodeArena also provides resources for wardens (auditors) on its platform at https://docs.code4rena.com/roles/wardens/tools-and-resources.\n\n3. You can also learn by participating in smart contract bug bounty hunting on websites like https://cryptozombies.io/ for solidity and https://capturetheether.com/ for Capture the Flag challenges.\n\n4. Other websites where you can practice and get rewarded for auditing smart contracts include https://immunefi.com/, https://spearbit.com/, and https://hats.finance/.\n\n5. CodeArena runs contests for analyzing smart contracts where you can learn by doing.\n\n6. 
You may also consider studying old audit reports, an example of which can be found on ChainSecurity at https://chainsecurity.com/audits/.\n\n7. CodeArena has an #\ud83c\udfebeducation channel where users can learn more about auditing smart contracts and engage in discussions.\n\n8. There's also a helpful video on contract auditing available at https://www.youtube.com/watch?v=wCD3fOlsGc4.\n\nRemember, learning to audit smart contracts can be challenging, but with patience and dedication, you can gain proficiency over time. Lastly, participating in discussions and asking for help in our Discord chatroom can also enhance your understanding and skills in this domain.\n", "Q: As a project owner, can I see the findings as they are reported, especially if I have something deployed on mainnet and funds are at risk? If so, how should I proceed?\n\nA: Currently, project owners cannot see the findings as they are reported. If you suspect that your funds on the mainnet are at risk, we recommend reaching out to our staff via a help request as soon as possible. In the meantime, we've been working on standardizing our process for sensitive disclosures, so you can expect an announcement and update to CodeArena's submissions guidelines soon. \n\nIt's worth noting that acceptance of reported issues in smart contracts depends on their severity as evaluated by our sponsors and judges. Even if a vulnerability is found in an out-of-scope contract, it can still be included in the C4 report as an unrewarded finding or the project can be directly messaged. \n\nFurthermore, only the findings submitted by a user or their team are visible to them until the final report is made public. This is to give sponsors time to act on the feedback. If there are certain vulnerabilities affecting a main contract, even if found in an out-of-scope contract, they should be reported. 
\n\nAnd lastly, if the severity is not clear, we suggest you to continue working on the Proof-of-Concept (POC) until it becomes clear. Our judges are here to assist with any questions regarding severity consideration while reporting issues on smart contracts.", "Question: Is the tool that generates automated findings for CodeArena available to run locally, and how does it impact the submission policy for findings?\n\nAnswer: \nCodeArena has a tool that generates automated findings for each contest, known as the \"C4audit output\". The tool in use can be found at: https://github.com/Picodes/4naly3er. However, it remains uncertain whether this tool is available to run locally based on the information provided in our Discord chatroom.\n\nIt's important to note that automated findings have a specific place in the submission policy. According to the submission policy, available at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible, automated findings are considered known issues and are ineligible for rewards. This policy also affects users submitting the same issue found with the automated finding but in a different instance.\n\nAdditionally, if auditors automate the process of finding potential issues in the code and then use automated tools for initial findings, they face a higher burden of proof. They need to demonstrate a relevant high or medium severity exploit path to be considered satisfactory, as detailed at https://github.com/code-423n4/org/discussions/50.\n\nWhile the CodeArena's tool provides automated findings, other tools like Foundry have been recommended for testing scenarios in a local environment, providing an alternative to public testnet.", "Question: \nWhat is the current status of Backstage+ access applications at CodeArena and how can I verify if my application has been reviewed?\n\nAnswer:\nBackstage+ access at CodeArena was recently reopened and previous application requests are being reviewed. 
However, new applications for backstage access are currently suspended until further notice. If you've already applied, you will be notified once your application has been reviewed.\n\nBackstage access grants you access to the findings repository when a contest ends. If you're a certified contributor and believe you meet the criteria for backstage access, you can open a help desk request to check your eligibility or get help with your application.\n\nPlease note, the process for backstage access is currently being revised and more details about this change will be posted in the coming weeks. The criteria for backstage access, along with how to submit a help desk request, can be found at the following links:\n\n- Backstage Access Criteria: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens\n- Submit a Help Desk Request: https://code4rena.com/help\n\nCheck these links regularly for the most updated information regarding backstage access at CodeArena. Please be aware that the processing of backstage access requests could take up to 24 hours after your KYC is admitted.", "Question: What is the concept of \"bot races\" in Code4rena, and how can one participate and profit from these?\n\nAnswer: Code4rena has introduced a new feature called \"bot races\", which is an interesting variation of a bug-bounty. In these races, participants are rewarded for findings made with bots, particularly AI-powered ones. This concept can be accessed at https://code4rena.com/register/bot. The bot races are time-limited and come with a guaranteed prize pool that pays out. \n\nIn the context of bot races, a bot identifies issues and may propose fixes, although it is suggested that bots should not propose mitigations due to the concern that their proposed fixes might introduce further damaging exploits. A bot can secure rewards from the bot pool based on its rank in the race. Higher or medium findings by a bot only secure rewards based on the bot race rank. 
Bots can gain more rewards by accumulating more points which would shift the rank cut-offs and potentially lower the ranks of others.\n\nIt's important to note that the uniqueness of vulnerabilities and the number of vulnerabilities found by a bot is crucial in bot-racing. However, there is a possibility that vulnerabilities identified by bots could potentially be rated lower than their actual severity. These vulnerabilities can be reported again during the contest by a human participant (warden) and could be awarded a higher severity. \n\nMoreover, findings in non-winning bot-generated reports that remain unpublished are still eligible for submission. There are, however, concerns about a dishonest project cloning white-hat reports to cut down on their payouts. It is still uncertain whether Code4rena will remain open to new wardens indefinitely, and if this could dilute the prize funds. \n\nWhile the bot race prize pot was initially taken from the Hacker Mode (HM) pot, it is expected that this will change soon. As for the profitability of participating in these bot races, it could vary based on several factors like the bot's performance, the number of unique vulnerabilities identified, and the potential ranking in the race. It's also worth mentioning that there were debates about the efficacy of older PCs in building contests due to slower processing speeds.", "Question: How can I access, use, and understand the findings.csv file on CodeArena?\n\nAnswer: The findings.csv file can be found at https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv. This file contains useful information such as all rewards based on each finding and details about duplicate reports. You might need to clean the file from empty lines (not rewarded). 
This can also be cross-referenced with the contest report available at https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.\n\nIf you're looking for previously available information in \"_data/contests/contests.csv\", you might have to conduct a thorough search or submit a query. Participants sometimes experience issues with their findings not appearing on the Findings tab or not being able to edit them. If you see 'No findings submitted for this contest' despite having made submissions, it could mean one entry was eliminated as invalid or judged as a duplicate. \n\nTo understand how findings were judged, check the data folder in the findings repo for json files named as [warden-handle]-[issue number]. \n\nPlease note there have been reported issues with submitting findings through certain browsers, and participants reported some time lag in receiving submission confirmation via email. If a submission fails, the form should return an error.\n\nThe findings.csv file also provides information about the average payout for different types of findings. Bear in mind that access to certain resources, such as the findings page, might be restricted based on user privileges. \n\nLastly, if you're looking to modify submitted findings, you may need to request more information or follow specific guidelines. Feel free to reach out to us for assistance with any issues or concerns.", "Question: What are the Scout and Lookout awards in CodeArena contests and how are they allocated?\n\nAnswer: In CodeArena contests, the Scout and Lookout awards are related to specific roles within the contest. The Scout awards are given to certified contributors who review code before the start of a contest to ensure it is ready for wardens. More detailed information about the role of a Scout can be found here: https://docs.code4rena.com/roles/certified-contributors. 
\n\nOn the other hand, the Lookout is another role in the contest and typically, there is one Lookout per contest. You can find more details about the Lookout role here: https://docs.code4rena.com/roles/certified-contributors/lookouts. \n\nIt's important to note that the reward amounts in contests come from the sponsor and are not included in the leaderboard ranking calculations. The distribution of rewards may vary depending on the contest context and can be influenced by factors such as the quality of reports, the number of issues found, and whether the issues found are duplicates. More information on this can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards.", "Question: Can you explain what the Lookout role is in CodeArena, how it functions, and what the associated rewards are?\n\nAnswer: The Lookout role in CodeArena is a significant position within our contest framework. The main responsibility of a Lookout is to pre-sort the repository and provide a summary document to the sponsor. A user can apply for a Lookout role using findings that haven't yet been reported. Typically, there is one Lookout assigned per contest. The Lookout role comes with specific rewards, much like other roles in our platform such as Scout and Judge. However, please note that rewards from the Lookout and Scout roles aren't included in leaderboard ranking calculations. For more detailed information on the Lookout role, its responsibilities, and associated rewards, please refer to our documentation at https://docs.code4rena.com/roles/certified-contributors/lookouts.", "Question: How does CodeArena's smart contract auditing process work, and does it involve consensus?\n\nAnswer: CodeArena operates somewhat like a bug bounty platform for smart contract audits. It runs both public and private contests for analyzing smart contracts, where participants, often in teams, submit reports of their findings. 
The details of these contests, including the ones CodeArena has worked with, can be found on their website: https://code4rena.com/contests. \n\nThe reward system in these contests is based on the quality and quantity of the reports submitted. Rewards are reduced semi-geometrically based on the number of people who find an issue when they are separate, however, the reward is split evenly within a team. \n\nWhile the word \"consensus\" is not expressly used, there seems to be a communal effort towards improving processes and identifying issues. This is evident in the organization's transparency efforts and its non-blame focused culture. \n\nFurthermore, CodeArena is continuously working on improvements to prevent delays, and participant feedback can influence its operational priorities. If any issues or concerns arise, they can be reported through the help ticket system located at https://code4rena.com/help.\n\nThough the nature of consensus in CodeArena's operations is not clear from the chat history, it is evident that CodeArena encourages collaboration, transparency, and improvement in its audit processes.", "Question: What is the process and criteria to become a judge at CodeArena, and what are their roles and responsibilities?\n\nAnswer: To become a judge at CodeArena, you may need to become a certified warden first, although this requirement may not be strictly enforced at the moment. The certification process involves participating in our audit contests. You can find more information about this process at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nOnce you become a judge, you will be tasked with reviewing findings to determine their severity, validity, and quality. It's important to note that most of our judges have full-time jobs and other commitments, so this role may require careful time management. 
Judges also receive a share of the prize pool as an incentive and have backstage access to the contests - https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.\n\nParticipants can ask judges for feedback about issues to understand the reasoning behind the ruling and to see what could be improved. However, the identities of the judges for a contest are not disclosed beforehand to ensure bias-free competition. \n\nPlease familiarize yourself with the submission policy and judging criteria before participating, as outlined in our documentation at https://docs.code4rena.com/roles/wardens and https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md. If you disagree with a judge's decision, the process to discuss it can be found at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision. \n\nRemember, becoming a judge requires commitment and adherence to the highest standards of fairness.", "Q: What is the typical duration and process for getting KYC confirmed from the provider?\n\nA: The Know Your Customer (KYC) process usually takes a few days to a week to complete, but it may take up to 2-3 weeks in some cases. After applying for KYC, users will typically receive an email from Provenance and CodeArena within one business day. However, receiving the KYC mail and getting the certified role might take longer, even up to 2 weeks. The duration can vary based on the back and forth between the user and Provenance. If the necessary documents are supplied promptly to the KYC provider, the process can move more quickly. However, there can be delays and some users have reported waiting for up to 10 days or more. If users don't receive any reply to their KYC application within five business days, they can submit a help desk request at [https://code4rena.com/help](https://code4rena.com/help) to track the status of their KYC confirmation. 
Please always check your spam folder for emails from compliance@provenance.company, as the KYC confirmation email may appear there. Once KYC confirmation is received, there is a processing period before the user's role is updated. In case of any delay in this, users can again open a help desk request. Please note that processing times may vary and it's always a good idea to nudge the provider for a response.", "Question: What is the general timeline for the Know Your Customer (KYC) process at CodeArena and what should I do if my application is still pending after a significant period?\n\nAnswer: The Know Your Customer (KYC) process at CodeArena usually takes a few days, but it can take up to two or three weeks in some cases. It's important to note that this timeline may vary and could be longer, depending on the back and forth between the user and Provenance, our KYC provider. Once you have submitted all the necessary documents for KYC, you should receive a response within a 48-hour deadline. After finishing the KYC process, it typically takes a few additional days to receive the certified role.\n\nIf you have applied to become a certified warden, you should receive your KYC email within one business day after your application is submitted. Please check your spam folder as the email will be sent from compliance@provenance.company. It then takes approximately 2 weeks to mark a warden as certified after approval from the KYC firm.\n\nIf you have waited longer than the typical timeframe and have not received a response, you can submit a help request through the form on our website. The same applies if you've received a confirmation email from Provenance but are still waiting for the certified role.\n\nPlease bear in mind that the KYC process can involve rejections, and the reasons for these rejections are not always communicated. 
To increase the efficiency of the process, ensure that you promptly supply all necessary documents to the KYC provider.", "Question: I've completed my KYC process and it has been approved. Do I need to resend a +backstage ticket? \n\nAnswer: No, there's no need to resend a +backstage ticket. Once your KYC process is approved, backstage access requests are processed, which could take up to 24 hours. You will receive notifications once your backstage access request has been reviewed. Remember, the KYC process is essential for Certified contributors who want to participate in private contests and gain backstage access. This allows access to the contest repo after closure and before the public report release. If there are delays or your KYC application is still pending after a considerable period, you can submit a helpdesk request at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. Additionally, remember to check your email, including the spam section, for a confirmation email from \"compliance@provenance.company\". If you have any questions or issues regarding the KYC process or backstage access, feel free to raise a support request.", "Question: What are the Lookout and Scout awards in CodeArena?\n\nAnswer: The Lookout and Scout awards are specific roles and corresponding rewards within the CodeArena platform. The Scout award is given to those responsible for reviewing code before the start of a contest to ensure it is ready for wardens. They are independent scope judges providing feedback on an audit's scope. More information on the role of a Scout can be found at: https://docs.code4rena.com/roles/certified-contributors. \n\nOn the other hand, the Lookout award goes to a certified contributor who typically serves as one per contest. More details on the role of Lookout can be found at: https://docs.code4rena.com/roles/certified-contributors/lookouts#lookouts. 
\n\nThe payment for these roles is not included in leaderboard ranking calculations. The platform has various types of contest rewards, with a leaderboard updated when awards are announced. For instance, there are awards for HM, QA report, Bot race, Gas report, Judge, Lookout, and Scout categories. A contest like Fairside might announce awards the next week, but distribution methods may vary. \n\nHowever, it's important to note that the reward amounts in contests come from the sponsor, and not all information about awards is always immediately clear, as seen with terms like \"Audit summary awards\".", "Question: Can you provide more details about the Lookout and Scout awards at CodeArena?\n\nAnswer: The \"Lookout\" and \"Scout\" awards are specific roles within the contests hosted by CodeArena. The Lookout awards total $6,000 USDC and Scout awards total $500 USDC as part of the overall awards pool, which includes several categories such as HM awards, QA report awards, Bot race awards, Gas report awards, Judge awards, and more. These awards are generally paid within the same week they are announced, usually between 1-2 weeks after the announcement. Once the awards are announced, they are manually sent out in batches for multiple contests at a time. All awards, including Lookout and Scout, are named by handle and distributed from the same awards address publicly on the blockchain, ensuring transparency. Detailed information about these awards, how they are divided and distributed, and the incentive model can be found at https://docs.code4rena.com/incentive-model-and-awards.", "Question: How can I get updates on a contest and who can I contact for specific queries?\n\nAnswer: Contest updates are regularly posted on the public report page, which is updated even mid-contest. For specific queries related to the contest scope, participants can address their questions to the respective sponsor. 
Sponsor teams have designated contacts whom participants can Direct Message (DM) during a contest for more immediate responses. \n\nInquiries about the progress and schedule of final reports, contest updates, results, team information, and rewards are also welcomed. \n\nFor future contests, announcements are made on the website, the #\u270brsvp channel on Discord, and potentially a Telegram bot which is being considered for development. You may need to RSVP for these upcoming contests and updates about them can be checked on the RSVP channels. \n\nEach contest also has a specific channel where general questions can be asked and sponsor team members are available for questions via DM. \n\nIf you are interested in viewing all submissions after a contest or reading the published reports from a contest, you can check the respective platform or ask the team which is regularly in contact with various projects about upcoming audits. \n\nIf there's a need to edit a finding, a helpdesk request can be made with all the information and the update to the finding before the contest closes. \n\nFinally, if your company is interested in running an audit contest, you can get in touch with our team for further details.", "Q: How are bounty rewards handled in the event of duplicate bug findings, and what is the function of the #\ud83d\udd06hm channel?\n\nA: The #\ud83d\udd06hm channel is not related to findings in a contest. In terms of bounty distribution for duplicate findings, there is no difference in payout between the first person to find a bug and any subsequent person who finds the same bug. The overall value of the bug bounty is reduced and divided among those who report it. This implies that if multiple auditors report the same bug, they all receive a portion of the bounty. However, common findings are usually considered out of scope as they are likely picked up by the C4udit tool. If they're not detected by the tool, they should be submitted. 
In case a bug's severity is misclassified, the reward corresponding to the actual severity of the bug is still awarded. \n\nFor specific details on how rewards are calculated in such scenarios, you can refer to the formula provided at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. \n\nIn the event no High/Medium issues are found, rewards may move down to Quality Assurance. Participants can also submit code for proof of concepts (PoC) for each bug they find. There is no strict obligation to write an exploit for medium severity bugs, although it is common to do so. \n\nFor more specifics on submission policies, please visit https://docs.code4rena.com/roles/wardens/submission-policy. However, please note that submissions based on automated tools must provide strong evidence to demonstrate a relevant High/Medium exploit path to be considered satisfactory. The full policy can be found here: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Question: How can I effectively use the 4naly3er tool provided by CodeArena for my smart contract audits?\n\nAnswer: 4naly3er is a tool provided by CodeArena for smart contract audits. To use it, you can access the public script available at https://github.com/Picodes/4naly3er. To analyze the smart contracts, the 4nalyzer requires a specific scope.txt. Although it was noticed that there are some issues running the picode 4naly3er globally, it's still one of the tools used for finding Publicly Known Issues in the auditing process. \n\nFor further understanding on how to fill out the Analysis report, you can check out this link: https://docs.code4rena.com/awarding/judging-criteria#analysis. 
\n\nPlease note that the tool currently being used by CodeArena for automated findings is https://github.com/Picodes/4naly3er, and these automated findings are ineligible for rewards as detailed in https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible. \n\nIf you encounter any challenges or need further assistance, you can reach out via the help form available at https://code4rena.com/help. You can also refer to the Guidelines and FAQ page for more information: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118. \n\nFinally, keep in mind that CodeArena encourages participants to reach out to the sponsor team during the contest if they think they've found something and want to ask questions. However, if you want to disclose a vulnerability, you need to submit it via the contest submission form to be eligible for awards.", "Question: How should I handle submitting findings related to gas optimization in a contest?\n\nAnswer: As a participant, you are allowed to submit one gas optimization report per contest. If you have multiple findings, these should be compiled into a single report. Should you need to add more findings after initial submission, you can do so by navigating to the contest page and clicking on the 'Your Findings' button. You can also withdraw and create a new submission if necessary. Please note that automated reports are sometimes uploaded after starting contests, and for gas optimization reports, it's beneficial to include the amount of gas saved for each finding. \n\nIf you are participating in a contest, you do not necessarily have to submit reports for high, medium, QA, and gas optimization. You can submit what you find. However, it's important to separate the Gas report from the QA report. 
\n\nFor some contests, like the one referred to in the link https://code4rena.com/reports/2022-04-dualityfocus, there are no gas optimizations in the final report as there wasn't a gas pool for that particular contest. \n\nYou might encounter an error message when trying to submit a Gas Optimization report for a contest if one has already been submitted. In this case, you can cancel your submission and create a new one. \n\nFor further guidance, refer to the official documentation: https://docs.code4rena.com/\n\nPlease note, there are discussions about the criteria for a report to be selected in a contest and how the reward for gas optimization is distributed. An example spreadsheet is provided for reference: https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0", "Question: How can I apply for and check the status of my backstage application at CodeArena?\n\nAnswer: Backstage applications at CodeArena are currently paused due to an identified issue. There is no exact ETA available for when the applications will be resumed but an update is expected within the next two weeks. \n\nTo apply for a backstage role or to check the status of an existing application, you need to create a help desk request at https://code4rena.com/help. Remember that to be eligible for a backstage role, you must be certified, meet certain qualifications, and have your status evaluated.\n\nBackstage access allows you to access the findings repo when a contest ends. It also allows you to view issues reported for a contest on the website. Applications for backstage roles are reviewed and notifications are provided once the review is complete. \n\nPlease note that the process for backstage access is changing and still in progress. More detailed information about the backstage roles and how to request access can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. 
\n\nIf you believe you meet all the criteria and are still interested in applying once the applications are reopened, you can submit your help desk request.", "Question: How do I know if my submitted report on CodeArena has been successfully updated and where can I track my past submissions?\n\nAnswer: Once you have successfully submitted or updated your report on CodeArena, you should receive a confirmation email. This email serves as your primary confirmation for the successful submission or updating of your report. However, please note that there may be delays in receiving the email. \n\nIn addition to this, you can check all the reports you have submitted during a contest. These reports can be found in your email. Furthermore, you have the ability to edit your submitted findings. This can be done by selecting the \"My findings\" option on the contest page. \n\nIt is worth noting that, whether your submitted issue is valid or not, you should expect an email confirmation. If for some reason you participated in a contest and did not make the award list, it is likely that your issues were rejected. You can confirm this by reviewing the available report. \n\nIn terms of tracking the status of past submissions, you can verify if issues submitted got accepted for closed contests when the report is generated or when one qualifies to be Backstage. \n\nLastly, please be aware that changes to content reports or the rewards calculation system can cause delays in updates on the homepage. 
Rest assured, though, that such reports will be published in due time.\n\nPlease note that if you ever receive an error when submitting a Quality Assurance report for the first time, you can check if it has been successfully submitted by checking your email for confirmation or viewing the findings through the \"View Context\" function.", "Question: What is the current status and process of backstage applications at CodeArena?\n\nAnswer: Backstage applications at CodeArena are currently paused due to an identified issue. An update regarding the situation is expected to be posted within the next two weeks, and there is no estimated time available yet for the resumption of backstage applications. This pause affects new applications as well as those previously submitted, which are currently under review.\n\nThe backstage feature allows users to access the findings repo once a contest ends. However, there have been instances of backstage privilege abuse involving the sharing of information about findings for judging in progress with individuals who did not have backstage access. Therefore, it is crucial that all backstage applicants understand and respect the rules associated with this privileged access.\n\nOnce backstage applications resume, users can apply for a backstage role through a help desk request, provided all the required criteria are met. This includes waiting until the contest results are published on the leaderboard, which usually happens shortly after the awards are announced. \n\nPlease note that the process of backstage access is undergoing changes, and the new process will be communicated once it's finalized. Meanwhile, you can keep track of the ongoing contests and their statuses in the \"Past Contest Status Updates\" section. 
\n\nFor more information about the paused backstage applications, please check this [link](https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490).", "Q: How does CodeArena handle notifications, specifically in relation to issue updates, audit report announcements, and submission confirmations?\n\nA: CodeArena's system currently should send out a confirmation email when an issue is submitted. Additionally, users should be able to edit their submitted findings. An email is also sent to users when their certification has been finalized. There are plans to include the severity of bugs in the emails sent out after issue submission. However, there have been instances where users did not receive an email notification about issue updates and audit report announcements; this is something we are aware of and are actively addressing. \n\nAlso, there have been cases of users receiving emails about changes to payment addresses without their knowledge. If you experience this or any other unexpected communication, please report it so our team can investigate. \n\nThere are discussions about improving the notification system, including adding a feature to notify users when a new audit report is published, providing an easier way to update submissions, and offering the ability to respond to submission confirmation emails. We are also considering the idea of letting these email responses be added as comments to the relevant GitHub issue. \n\nIt is important to note that there may have been an interruption in email receipts due to an incident on Github as stated [here](https://www.githubstatus.com/incidents/r5qrpp2f5fc0).\n\nIn the meantime, users can check the success of their report submission by looking for an email confirmation and the ability to edit submitted findings. Also, you can verify whether you are certified by clicking on your name to see assigned roles and through email communication. 
You can create a help desk request if you have issues with your status. Submissions can be found in the user's email and users can check their issues for their findings on Github from the report.", "Q: I didn't receive an update email for my report, is this normal? What should I expect in terms of email notifications from CodeArena?\n\nA: There are several instances related to email notifications from CodeArena. Firstly, it's important to note that there is no email sent for an issue update. However, you are supposed to receive an email confirmation upon successful submission of your reports. If you have submitted a finding and haven't received a confirmation email, it could be due to a delay; please give it some time. If the submission fails, the form should return an error. \n\nIn some cases, confirmation emails may inadvertently land in your spam folder, so please make sure to check there. If you still don't receive an email, you can open a help desk request at https://code4rena.com/help/. \n\nYou can also check the success of your report submission by looking for an email and the ability to edit submitted findings. There have been instances of users experiencing issues with receiving emails related to their submissions or updates, including emails about payment address updates. If you experience this, please report to our team.\n\nIt's also worth noting that if you submit an issue, you should receive an email about your submission, whether it is valid or not. In rare cases, you might receive two identical confirmation emails after submitting a finding, which doesn't require any specific action. \n\nOne more thing to note: if you create a support ticket on the homepage, you might not receive a notification via email, but rest assured, your ticket has been received. \n\nLastly, some users have reported not receiving an invitation link to Github despite being certified. 
The interruption in email receipts might have been caused by an incident on Github, as stated here https://www.githubstatus.com/incidents/r5qrpp2f5fc0. \n\nAlways remember to verify your email and check your spam folder to ensure you're receiving all necessary notifications from Provenance and Code4Arena.", "Question: \nHow do I check the status of my report submission and update it, if needed? \n\nAnswer: \nAfter submitting your report, you should receive an email confirming your submission. This is the primary method of verifying successful submission. If you need to revise your analysis report, it can be updated by selecting the \"My findings\" option on the contest page. \n\nPlease note that it is possible to edit your submitted findings, and you can monitor changes to them, however, if you encounter any problems while trying to update your report, you are advised to create a help desk request. \n\nChanges to the findings and reports system may cause some updates to take longer to appear so don't worry if your recent updates are not instantly visible on the homepage. The website is updated mid-contest and a batch of reports is expected to be published soon. For instance, a recent update resulted in accepted findings not being merged and certain reports being removed from the results list. \n\nIn addition, please be aware that only one gas report should be published for a contest. If you have additional findings, you should update your existing report. \n\nFurthermore, the public visibility of reports can vary. For instance, automated reports may be uploaded after starting contests reporting gas optimizations. \n\nAs for the content of the report, if it is worth creating a report for 1-2 Low and 1-2 Gas issues, it would depend on the specific contest requirements. Also, how grades are assigned for QA and gas reports is determined by the judges, who decide which reports get featured in the client report. 
\n\nFinally, be aware that the issues in the published reports might be the same as those reported initially. All your submissions contribute to the overall pool of findings, and rest assured, your efforts in quality assurance are valued. \n\nIf you have further questions, please feel free to raise them in our Discord chatroom. We encourage an open line of communication to better improve our services.", "Question: What resources can I use to better understand Ethereum, smart contracts, and their audits?\n\nAnswer: Here are several resources that you might find helpful:\n\n1. For a simplified version of the Ethereum yellow paper, you can refer to the Ethereum Beige Paper. It's a more digestible version of the original documentation.\n\n2. For understanding smart contracts, the most recommended tool by our community is the deprecated Surya tool (https://github.com/ConsenSys/surya). While it's not up-to-date, its graphical interface for understanding smart contract interaction is beneficial.\n\n3. If you're looking for a tool to visualize smart contracts, you might find this Github repository useful: https://github.com/DanielVF/evm-contract-draw.\n\n4. To learn more about the auditing process, a recommended source is the OpenZeppelin webinars, which are considered very useful for auditors. The first video in their series can be found here: https://youtu.be/6GaCt_lM_ak.\n\n5. For complex ideas related to gas and contract-size optimization, compiling them into a single report could make it easier to digest and come to grips with.\n\n6. If you're looking to download all the smart contracts deployed at a specific address, you can use etherscan.io for that purpose.\n\nPlease note that while these resources are helpful, understanding reports and concepts related to smart contracts can still be challenging. Many users in our community have discussions about these challenges, and you're welcome to join these conversations. 
It's always helpful to learn from others who are navigating the same journey.", "Question: How can I view verbose logging in the console for debugging my smart contracts with CodeArena?\n\nAnswer: CodeArena utilises tools like Hardhat and Foundry. You can print local variables that are declared inside a function by using console.log in these tools. The default Foundry comes with console.log in the library. If you're doing this on a mobile device, you might experience some difficulties viewing the console. If you need to debug Hardhat tests or introspect contract execution at the EVM opcode level, you can use a tool named 'foundry debug'. For a more visual reading of your code, Visual Studio's preview tool or the VS code extension called \"Copy With Line Numbers\" might be beneficial for formatting your reports. If you encounter issues with large text not fitting in the textbox, you can link a gist. For additional support, you can create a help desk request, or ask questions directly in the chat. If unsure about the calling convention used in a web3 console, be aware that it can differ from what is actually called on the contract in the EVM.", "Question: How are the HM rewards determined and distributed in a CodeArena contest such as the Eigenlayer contest, especially in cases where only one High and one Medium issue are found or no High/Medium issues are found?\n\nAnswer: The HM rewards for a contest like the Eigenlayer contest are determined based on the severity of the findings and the level of detail in the submissions. If only one High and one Medium issue are found in a contest, the rewards are distributed according to the guidelines stated on the CodeArena website at [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards). \n\nIn the event no High/Medium issues are found, the entire rewards may be reallocated to Quality Assurance (QA). 
Rewards are typically distributed to one address for one handle per contest. If multiple participants identify the same issue, the reward may be split depending on the level of detail and complexity of each submission, and whether a Proof of Concept (PoC) is provided. \n\nThere have been some instances where there was a discrepancy in the stated rewards between different platforms, such as the RSVP post and the repo details. In such cases, the information on the RSVP post is usually correct as the repo details might not be updated to account for additional awards like the bot race award. \n\nHowever, please note that the specifics of the reward distribution can vary from one contest to another. For instance, some contests, like the OpenSea contest, have a unique system of scaling up the reward pool. For more information or clarification, it is recommended to refer to the official guidelines or ask your questions in the CodeArena Discord chatroom.", "Question: I'm having trouble viewing the logs output when I run a test file that invokes a function in CodeArena. Am I doing something wrong or could there be an issue with the test environment?\n\nAnswer: CodeArena allows running of test files for auditing smart contracts. If you're not seeing logs output when running your test file, there could be a few possibilities to consider:\n\n- Test Environment: Ensure that you're running your tests in the existing test environment. If there's no test setup in the C4 repo, consider checking the sponsor's GitHub for a potential test setup or pulling out the code to test it in isolation. If there are specific instructions for running tests for a certain contest like GoGoPool, make sure to follow them.\n\n- Code Coverage Tools: Participants have mentioned using tools like Hardhat and Foundry to print local variables declared inside a function by using console.log. Foundry, a smart contract testing framework, comes with console.log included in the library by default. 
These tools could help you with your test and give you better visibility into the output.\n\n- Test Code: If your test code itself has issues, it may prevent the proper output from being logged. For example, a common mishap could be accessing an index that one did not define for an array. \n\n- Further Assistance: If you're still unable to view the output logs, you may request help on the Discord chatroom by pasting the code and detailing the issue you're encountering.\n\nRemember, to ensure the validity of any bugs you find, it's recommended to write an executable test. Additionally, you can check if your Quality Assurance report has been successfully submitted by checking your email for confirmation or viewing the findings through the \"View Context\" function.", "Question: Can I participate in bot races, and will the bots used in these races ever be open sourced?\n\nAnswer: Yes, you can participate in bot races at CodeArena. Bot races are competitions where users are rewarded for findings made with AI and are typically held for the first hour of an audit. If you wish to use AI in auditing, entering the bot races is recommended. However, it's important to understand that bots are considered a warden's intellectual property and are unlikely to be open sourced by CodeArena or the warden. This means that the bot's code will not be made public after the bot races. Only the reports made by bots will be shared. \n\nThere are certain factors considered in bot races, such as the presence of unique vulnerabilities and the accuracy of the bots (no false positives). If a bot finds a high or medium finding, it only gets the bot pool reward based on the bot race rank. Bots can only gain more rewards by having more points and shifting the rank cutoffs, thus bumping others to lower ranks. 
If the bot race reports a problem but does not report all the actual parts of the codebase where that problem is present, adding them is eligible.\n\nYou can learn more about bot races and apply for participation at https://code4rena.com/register/bot. Further questions related to bot races can be discussed in the #bot-race-help on our Discord channel. Information about upcoming bot qualifier races can be found in the #\u270brsvp channel on Discord.\n\nPlease note that the bot race prize pot was initially taken from the HM pot, this is expected to change soon. Also, while bots sometimes identify issues and propose fixes, there is a concern that the fixes proposed by bots might introduce more damaging exploits. It's important to be knowledgeable about this aspect before participating in the bot races.", "Question: How long does it typically take to get a response from Provenance after submitting an application for KYC or certification, and what should I do if I don't receive a response within the expected timeframe?\n\nAnswer: The response time from Provenance can vary. Typically, Provenance takes about a week to respond to submissions. For Know Your Customer (KYC) requests, it may take more than a week to receive a response. This process can take even longer, depending on the back and forth between the user and Provenance. For instance, becoming a certified contributor, Provenance generally sends the KYC email within one business day after the application is submitted. The certification status from Provenance is usually updated within 5 business days by the C4 team. \n\nOnce your application is approved, you can expect to receive an email from Provenance and C4. If you do not receive an email from Provenance within a few days, you can open a help desk request at [https://code4rena.com/help](https://code4rena.com/help). It's important to note that there are instances where users don't receive emails from Provenance, so you should check your spam folder as well. 
The email for the KYC process is typically sent from compliance@provenance.company. \n\nAfter your KYC is approved and you're registered with Provenance, there is a processing period on Code4rena's end. If there's no response after a few days, you can again open a help desk request at [https://code4rena.com/help](https://code4rena.com/help). \n\nPlease remember, help desk requests are usually reviewed within 1-2 business days. If you don't get any reply to your KYC application within five business days, you can raise a help request through the form on the company's website. Provenance should be able to update your status on the C4 side within a few days.", "Question: What aspects of gas optimization are relevant in the auditing of smart contracts, and how can I report these optimizations?\n\nAnswer: \nGas optimization is indeed a crucial part of auditing smart contracts and involves several aspects. Primarily, gas optimization should be looked for in all contracts, not just protocol contracts, and specifically non-view/non-pure functions. Function inlining can be a technique used to save gas in smart contracts. Some users have discussed swapping the order of functions that first check from storage, then check the calldata, as a method for gas optimization. Moreover, it is not recommended to initialize default variables to 0 for gas optimization.\n\nWhen reporting gas optimizations, it's important to keep a few things in mind. You might need to specify how much gas is being saved for each optimization, based on the judge's decision. Any gas optimizations should be reported separately. If the optimizations are inside view/pure functions, they can still be reported. 
However, only those optimizations in the generated report are considered valid; the rest are in the [common-issues repository](https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md).\n\nWhen you have multiple ideas about gas optimizations, they can be written separately and merged into one report. In your report, it's beneficial to include gas savings from any refactored code. Not all gas optimizations are considered valid when the optimizer is enabled, which has led to some confusion. Thus, it's important to understand the criteria for valid optimizations.\n\nIf you're interested in calculating the gas cost of a contract or need further clarification on gas optimization, feel free to ask in the chatroom. Also, gas optimization can be a good starting point for a first-time audit. You can submit your ideas about gas optimizations in contests and even earn rewards depending on your proficiency. \n\nRemember, there is a [GitHub link](https://github.com/byterocket/c4udit) of all the approved findings and gas optimizations for reference. Overall, participating in discussions about gas optimization can be a valuable learning experience, even if it might seem complex at first.", "Question: \n\nIn relation to gas optimization in Solidity smart contracts, I understand that it's recommended not to initialize default variables to 0. Does this principle apply to a for loop's iteration variable? Also, does the choice between using 'i++' and '++i' in a loop affect the gas cost? \n\nAnswer:\n\nYes, in the context of Solidity, initializing a variable inside a loop does not consume more gas. Therefore, you can initialize a loop variable to 0 without worrying about unnecessary gas consumption. \n\nHowever, there is indeed a gas saving difference between using 'for (uint256 i = 0; i < 1000; i++)' and 'for (uint256 i = 0; i < 1000; ++i)'. 
The latter ('++i') is generally more gas-efficient.\n\nIn addition to this, there are several other strategies you can use for gas optimization:\n\n1. Using the 'unchecked' keyword when working with loops. This can further optimize gas consumption as it prevents Solidity from performing certain arithmetic checks.\n\n2. Packing multiple variables into one storage slot where possible. Solidity stores state variables in 32-byte slots, and if several variables are declared next to each other, they can potentially be stored in the same slot, reducing gas costs. More details on this can be found [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).\n\n3. Utilizing '1e36' to represent large numbers in your code. This method is more gas-efficient than declaring a large number outright, according to the [Solidity documentation](https://docs.soliditylang.org/en/v0.8.15/types.html#rational-and-integer-literals).\n\n4. Considering function inlining for functions that are only called once. This can also lead to gas savings.\n\nPlease note that not all gas optimizations are applicable or beneficial in all situations. For example, the effectiveness of some optimizations may differ depending on whether Solidity's built-in optimizer is enabled or disabled. Always consider the specific context and needs of your contract when seeking to optimize for gas.", "Question: How can I effectively report an issue in a CodeArena contest and what steps should I take if I'm unsure about the severity or validity of the issue?\n\nAnswer: When you report an issue during a CodeArena contest, it's important to include as much detail as possible to ensure your issue is understood and can be validated. A good start is to provide a detailed description of the problem and, if possible, a proof of concept. This helps make a case for how an item can be exploited. 
If you're unsure about the severity of the issue, or its validity, you can write a test for it, which could help verify its legitimacy.\n\nIn case you find two different issues that can be resolved by fixing the same thing, they would be typically considered as one issue, provided the root cause is the same. However, if addressing the root cause without considering both issues leaves one issue unresolved, it might be necessary to treat them separately.\n\nIf you believe that a submitted bug severity needs to be escalated, you can submit a help request to remove the original submission and then resubmit it via code4rena.com/help.\n\nRemember, maintaining transparency and integrity is crucial for the CodeArena community. If you have used any automated tools like chatGPT and received a warning, it's advisable to provide a detailed explanation to prove your innocence.\n\nLastly, if you've noticed that the same issue appears in multiple places, it's recommended to treat each occurrence separately. Our rulebook provides more guidance on these matters, which can be found at https://github.com/code-423n4/rulebook/\n\nRemember, your contribution is significant to the CodeArena community, and your issues help improve the quality and security of smart contracts. Always ask for help if you need it, and let's make CodeArena a better platform together.", "Q: After the contest ends and the rewards have been distributed, why does it take a significant amount of time to release the final report? \n\nA: After a contest concludes at CodeArena (C4), several steps are taken before the final report is publicly released. Once the contest ends, every submission is promptly reviewed and triaged by our panel of judges. This step is followed by a sponsor review and final judging. \n\nThe report is not immediately published because we prioritize and respect the projects' needs and concerns. 
We need to acquire a \"green light\" from the involved projects before releasing the report to the public. This is to ensure that they have ample time to address and fix any identified issues before the information becomes publicly available. \n\nFurthermore, the quality assurance process is also undertaken before the report is made public. This involves a thorough review of all reported issues, ensuring the highest degree of accuracy and reliability. \n\nAs a participant, you will be able to review the report and understand the results of your submissions once the final report is published. This includes the opportunity to understand why your submission may not have been accepted or rewarded. \n\nLastly, the process of reporting can take time due to other concurrent tasks such as merging awards and managing the repository. We aim to publish the reports within a few months after a contest ends, but the exact timeline can vary depending on the complexity of the codebase and the number of participants. \n\nPlease note that we are considering plans to allow certified contributors to view submitted issues right after the contest ends and offer their input during the judging phase. This is part of our commitment to maintain transparency and encourage high-quality submissions. \n\nWe appreciate your understanding and patience in this process.", "Q: How and where can I optimize gas usage in my smart contracts during the audit process and do I need to focus on the .sol files in the test/ or scripts/ in the context of a Hardhat project?\n\nA: The primary focus for gas optimization should be on the in-scope smart contracts, rather than the .sol files in the test/ or scripts/. 
You can potentially optimize gas usage by not initializing default variables to 0, considering the order of function checks from storage then calldata, and exploring the use of function inlining and external visibility settings for public functions.\n\nFor the Hardhat project, you can utilize the Hardhat gas report plugin as a benchmark tool for your code to identify opportunities for gas savings. An example of such a report can be found at https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations. \n\nWhen submitting gas optimization reports, it is important to specify how much gas is being saved for each optimization unless instructed otherwise by the judge. However, the necessity of a proof of concept regarding saved gas is not always clarified, but a detailed description and mention of the saved gas is usually expected. \n\nIf you are participating in certain contests like the one at https://code4rena.com/reports/2022-04-dualityfocus, please note that not all contests have a gas pool and gas optimizations might not be part of the final report. \n\nFor further reading and potential issues you could look for, please check https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md. Please note that not all detected optimizations by automated tools are valuable for sponsors, such as the 'Use assembly to check for address(0)' optimization, which may save only a few gas. \n\nIt's highly recommended to test your contracts before auditing, which can be done without spending money using local/testnets, and using tools such as Mythril and Slither for contracts downloaded from Github. \n\nLastly, remember to report any gas optimizations separately and feel free to ask for clarification on gas optimization. 
The purpose of gas optimization is to improve the efficiency of Ethereum transactions by reducing the cost, which is especially important due to the high gas fees on the Ethereum network.", "Q: What is the process and expected timeline for getting a response or certification status update from Provenance for KYC requests and other inquiries?\n\nA: After submitting a KYC request or other inquiry to Provenance, the initial response time can typically vary from a couple of days to about a week. However, the entire process, including back and forth communication, can sometimes take longer depending on the individual case. \n\nFor becoming a certified contributor, Provenance typically sends the KYC mail within one business day after the application is submitted. The email may come from addresses such as compliance@provenance.company or kobus@provenance.company. Please do check your spam folder as the email might sometimes land there.\n\nIf a KYC request has been submitted and you have not heard back within a reasonable timeframe, you can nudge Provenance for a response. If there is still no response within a couple of days, you can open a help desk request at [Code4rena Help](https://code4rena.com/help). This can also be the case if you've applied to become a certified warden and have not received an email despite waiting for 2-3 weeks.\n\nOnce you receive a confirmation email from Provenance regarding your KYC approval, there is still a processing period for your role to be updated on Code4rena's end. This typically takes around 1-2 business days. If there's a delay, you can open a help desk request at [Code4rena Help](https://code4rena.com/help).\n\nRemember, Provenance directly sends the confirmation to process a private audit application, and the status on the C4 side is typically updated within a few days. 
There are instances, however, where users have reported not receiving emails from Provenance despite sending a request, so please do not hesitate to follow up if necessary. \n\nNote that it is crucial to provide all necessary documents for the KYC to Provenance within 48 hours to avoid any further delays in the process.", "Question: What is the Bot Race feature and how can I participate?\n\nAnswer: The Bot Race is a new feature introduced by CodeArena (C4) where participants are rewarded for findings made with AI in the auditing process. Bot races are held for the first hour of an audit and involve bot teams which can either consist of your own bot or you being part of a bot team. \n\nTo participate in bot races, you need to register your bot during the qualifiers, which are held every few weeks. Updates about these bot qualifier races and other relevant information like the announcement of the top 20 bots can be found in the #\u270brsvp channel on our Discord. \n\nMore detailed information about the bot races, including how to participate, is available at https://code4rena.com/register/bot/. For additional help and queries related to bot races, you can participate in discussions in the #bot-race-help on our Discord. \n\nNote that the bot race reward structure may change over time, like for the upcoming Maia contest. The updates on changes will be announced and can be found at the respective links provided in our Discord channels. \n\nLastly, if a bot finds a high or medium finding, it only gets the bot pool reward based on the bot race rank. Bots can only gain more rewards by having more points and shifting the rank cutoffs. If you wish to use AI for auditing, it's advisable to partake in the bot races.", "Question: What are the best practices for gas optimization in Solidity, particularly when dealing with variable initialization and loops?\n\nAnswer: In Solidity, a number of practices can help optimize gas usage. 
For instance, it is typically recommended not to initialize default variables to 0, as Solidity does this automatically. This advice also extends to variables defined in a for loop. For example, there is a significant gas saving difference between using 'for (uint256 i = 0; i < 1000; i++)' and 'for (uint256 i = 0; i < 1000; ++i)'. Excluding the increment (++i) can also reduce gas costs. However, there has been some discussion about the validity of these gas optimizations, especially when the optimizer is enabled or disabled. \n\nAnother area to look at for gas optimizations is the use of the 'unchecked' command in loops. Using this command can further optimize for gas. \n\nIn addition, when using Solidity, it's important to note that the language stores state variables in 32 bytes storage slots. Therefore, packing multiple variables into a single slot, particularly when they are declared next to each other, can reduce gas costs ([More details](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html)). \n\nPlease note that an understanding of gas optimization is crucial, and users are encouraged to ask for clarification or explanations, as this topic can be complex. Furthermore, not all gas optimizations may be valid or significant enough to report, so it's important to use sound judgment in these scenarios. \n\nLastly, it's worth noting that an issue can be non-critical and can still be included in gas optimizations. For instance, an optimization inside view/pure functions could be reported. And while it might seem counter-intuitive, in some cases, immutable variables can cost less gas than constants ([Example](https://github.com/code-423n4/2021-11-overlay-findings/issues/111)).\n\nRemember, the ultimate goal should be to write clean, efficient code. 
While gas optimization is important, it should not come at the expense of readability and maintainability.", "Question: How can I optimize gas costs in a for loop, and what are the differences in gas costs between using ++i and i++?\n\nAnswer: In terms of incrementing variables in a for loop, there is a significant difference in gas costs between using '++i' and 'i++'. Using ++i is less gas-intensive than i++, which can lead to substantial savings if the loop is large enough. \n\nAdditionally, another important note for gas optimization is that you can save gas by excluding the initialization of the loop variable to 0. It was also observed that the use of the 'unchecked' command in loops could further optimize for gas. \n\nHowever, one must remember that the addition of gas-saving measures should be considered carefully as the actual savings might be marginal in some instances. You can refer to this discussion (https://ethereum.stackexchange.com/questions/118547/is-the-gas-cost-for-constant-and-immutable-about-equal) to understand more about the gas cost for constant and immutable variables. \n\nAlso, it's important to note that while it was once believed that immutable variables cost less in gas than constants, as of July 2020, this is no longer the case as there is no difference in cost nor in bytecode, but small demos might show minor differences. Here's a Twitter discussion that supports this information: https://twitter.com/GalloDaSballo/status/1476925462010122245 \n\nLastly, providing proof of how much gas the refactoring saves may affect the grade of the submission, so it's recommended to include this information. For gas optimizations reports, it's suggested that the amount of gas saved for every finding should be mentioned as foundry gas cost is measured in units of gas. Remember, not including the amount of gas saved from refactoring might affect the grade of the submission. 
\n\nPlease note that there is ongoing discussion on gas optimization, and it's recommended to ask for clarifications should there be any confusion.", "Question: What should I do if I encounter an error when using Code4rena, such as when submitting analyses, reports, findings, or simply accessing the site?\n\nAnswer: If you encounter an error while using Code4rena, there could be a few possible causes and remedies. Sometimes, the error could be as a result of trying to submit an analysis as a team without having a saved polygon address. Make sure to save a polygon address before attempting to submit an analysis.\n\nIf you are trying to submit findings to the Escher contest and you see a message that says 'No findings submitted for this contest' despite having submitted your findings, it could be a temporary issue. We recommend trying to submit again after some time.\n\nUsers have reported an error saying \"API rate limit exceeded for user ID 81770958\" when trying to submit reports. This error might be linked to submitting too many requests within a certain time frame, so allowing some time between submissions might remedy this.\n\nWhen trying to submit a Gas Optimization report for a contest, you might encounter an error if a report has already been submitted. Check to ensure you have not previously submitted a report for the same contest.\n\nSometimes, if you are trying to submit a report, the request can get intercepted by Cloudflare, resulting in errors. In such instances, you may wish to modify your network settings or VPN if applicable.\n\nIt's also possible that you have encountered a size limit on the submissions. In that case, try to reduce the size of your submission and try again. \n\nIf you're facing issues with logging in on the C4 website or accessing certain links, like https://github.com/code-423n4/2023-07-axelar-findings or https://github.com/code-423n4/2021-04-redacted, these could be intermittent site access issues. 
Try to refresh the page or return to it later.\n\nIn case you are experiencing issues with submitting findings through certain browsers due to an error related to the permalink, consider changing your browser or updating it to the latest version.\n\nIf you're facing issues with submitting findings and you see a captcha-related error, ensure that captcha is not blocked in your browser settings.\n\nFinally, if you are experiencing difficulties or errors while trying to discuss high severity issues with a sponsor before submitting them, please reach out to our support team for assistance.\n\nRemember, our developers are continuously working on resolving any reported errors to improve your user experience on Code4rena. If you're still having trouble after trying these solutions, please report the matter to our support team for further assistance.", "Question: How does CodeArena handle potential scammers in the community and what steps can I take to protect myself from scams?\n\nAnswer: CodeArena is committed to maintaining a safe and trustworthy environment for its community. We have strict protocols in place to handle any potential scams. In instances where a scammer is identified, they are immediately removed from our platforms. However, it's important for users to also take steps to protect their accounts. \n\nA few suggestions include: \n1. Using tools like Hashbot (https://Hashbot.io) to detect potential scams.\n2. Being wary of phishing scams involving fake CodeArena accounts. For example, avoid clicking on untrustworthy URLs like invst.icu.\n3. Ensuring the safety of your private keys and looking out for any unauthorized transactions. \n4. Completing the KYC (Know Your Customer) process when it's requested. You can check your email's spam section for the KYC mail from \"compliance@provenance.company\". \n5. Reporting any suspicious activity or direct messages you receive. \n\nRemember, your security is also our priority. 
Always stay vigilant, and let us know if you encounter any issues.", "Question: How can I edit my submitted findings and track their status on CodeArena?\n\nAnswer: As a participant in CodeArena, you have the ability to edit your submitted findings. To do so, navigate to the contest page and click on the 'Your Findings' button. This can be found on all contest pages, for example: https://code4rena.com/contests/2023-02-ethos-reserve-contest. Here, you can update the format of your findings or withdraw them if necessary. It's also important to note that findings are reviewed at the end of the audit period, and you are able to edit your findings until the contest closes. \n\nAdditionally, you can check the success of your report submission by looking out for an email confirmation and the ability to edit submitted findings. The status of your reports can be tracked in the \"findings\" tab next to the contest description. \n\nLastly, you should note that analysis reports can be revised and resubmitted. To edit an Analysis report, you need to go to the audit page and click the 'Your Findings' button as previously described. More information on this can be found on this post: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118. \n\nPlease remember that your findings and analysis are public and will be confirmed and discussed after the contest ends.", "Question: What is the difference in gas cost between using \"for (uint256 i = 0; i < 1000; i++)\" and \"for (uint256 i = 0; i < 1000; ++i)\" in Solidity, and are there any other gas-saving measures that can be adopted?\n\nAnswer: Yes, there is a significant difference in gas costs between using \"for (uint256 i = 0; i < 1000; i++)\" and \"for (uint256 i = 0; i < 1000; ++i)\". The latter results in nearly 5 gas savings per iteration compared to the former. \n\nHowever, it's worth noting that there are other optimizations you can make to further reduce gas costs in Solidity. 
For instance, it's been reported that excluding the increment (++i) in a for loop could reduce gas costs significantly. You could also avoid initializing default variables to 0, as this is not always necessary. In addition, using the 'unchecked' command in loops is a recommended way to further optimize for gas. \n\nIn the case of large numbers, using the notation 1e36 in your code is more gas-efficient than writing out the entire number, according to the [Solidity documentation](https://docs.soliditylang.org/en/v0.8.15/types.html#rational-and-integer-literals). \n\nAnother approach is to pack multiple variables into a single slot if they are declared next to each other, as Solidity stores state variables in 32 bytes storage slots. This can lead to gas savings as well [More about this can be read at https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html].\n\nFunction inlining, which can be achieved by declaring certain functions as 'internal', is another method that can be used to save gas in smart contracts. \n\nFinally, one can optimize their code for gas by carefully choosing between 'constant' and 'immutable'. While there is no cost difference between the two, there are cases where 'immutable' costs less gas than 'constants', as explained [here](https://github.com/code-423n4/2021-11-overlay-findings/issues/111).\n\nIt's also important to note that the amount of gas saved may vary depending on the specific implementation and context, and that not all gas optimization methods may be appropriate or necessary for all contracts. 
For more comprehensive and detailed information about gas optimization in Solidity, refer to the [Solidity documentation](https://docs.soliditylang.org/en/v0.8.15/).", "Question: How can I seek assistance from an Admin if I encounter issues or have queries related to CodeArena?\n\nAnswer: Whether you've encountered a problem, have a question about the platform, need to withdraw a submission, or wish to discuss high severity issues before submitting them, you can reach out to the CodeArena team by creating a help desk request at https://code4rena.com/help. \n\nThis is our main avenue for handling concerns, and it allows us to methodically address your issues. If you're having trouble with new warden registration, bug submission, unsure about the severity of a reported issue, or need guidance on more fragile aspects of the system, we encourage you to submit a help desk request outlining your issue. \n\nIf you're experiencing login issues or forgot your username, reach out to the #auth-help channel for assistance. Even if your concern is something as specific as checking your participation in an audit outside of the leaderboard showings or adding a member to a team, we can help you through a help desk request. \n\nFor security-related concerns that you believe ought to remain private, rest assured that a help desk request maintains your confidentiality. If you need to edit your analysis report and face any issues, you can create a help desk request. Please remember, we're here to assist you, and the help desk system was designed to serve your needs effectively and efficiently.", "Question: What should I do if I'm experiencing issues with the submission process, such as trouble with attachments, the 'create-issue' button not responding, or I'm not sure how to proceed with the findings severity?\n\nAnswer: \n\nIf you're experiencing issues with submission process, there could be several factors at play. 
It might be due to internet problems, or specific browser compatibility issues, as some users have reported problems when submitting findings using Firefox and Chrome due to an error related to the permalink. \n\nIf your 'create-issue' button is not responding, this is a known intermittent issue that our team is actively working on. In the meantime, you may try refreshing the page or switching browsers.\n\nIf you're unsure about the severity of the findings you're reporting, unfortunately, there's no clear answer. You may have to use your best judgement or reach out to our support team for further assistance.\n\nIf you're not seeing your submissions reflected for a specific contest, like the Escher contest, despite having submitted your findings, there might be a technical glitch. Rest assured that all submissions are important to us and we are looking into these reported issues.\n\nAdditionally, if you're not receiving email receipts for your findings, this could be due to an incident on Github, as stated here: https://www.githubstatus.com/incidents/r5qrpp2f5fc0.\n\nLastly, if you have any concerns about the findings you've submitted or any feedback on the submission process, we're always here to help. We have procedures in place to understand why certain issues were not accepted, which could help improve your future submissions. For your convenience, we also have a specific C4 form for submitting issues.\n\nPlease remember, our team is always working to ensure the best user experience and we appreciate your patience as we address these concerns.\n", "Question: How can I obtain the '+backstage' role on CodeArena and what are its benefits?\n\nAnswer: The '+backstage' role within CodeArena provides access to certain restricted resources such as the findings page and allows you to view issues reported for a contest. To gain this access, you must be a certified contributor who meets certain qualifications, such as identifying a high vulnerability. 
\n\nOnce you believe you meet these qualifications, you can submit a help desk request to have your eligibility evaluated. The help desk can also assist with the application process if needed. More details about how to apply and the specific requirements can be found in our documentation at: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.\n\nPlease note that while Backstage access was previously based on a trust model, the process is undergoing changes and may involve future constraints or consequences. Also, there are times when the backstage applications are suspended and reopened for review, reflecting the ongoing evolution of the access process. It's important to check the most current information from our website or Discord chatroom for the latest updates on backstage access.", "Q: Why am I having difficulty submitting my gas optimization report, even when I'm trying to submit low-risk and non-critical findings from the \"Risk rating *\" menu?\n\nA: You may be encountering this issue because only one gas optimization report can be submitted per contest. However, you can add more findings to your existing gas optimization report by visiting the contest page and clicking on the 'Your Findings' button. \n\nIf you are receiving an error message, it could be because you're trying to submit an additional Gas Optimization report after one has already been submitted. All findings related to gas optimization should be put under one report. \n\nShould your report exceed the character limit of ~65k characters set by GitHub for issue descriptions, you may need to submit a placeholder and send the full report via email to submissions@code423n4.com. 
Additional details on this process can be found here: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.\n\nAlso, please note that the level of detail needed for QA and Gas Optimization reports isn't as comprehensive as for high severity issues. Examples of top QA/Gas reports can be reviewed here: https://code4rena.com/reports. \n\nWhen submitting gas optimization reports, you might want to specify how much gas is being saved with each optimization as this could potentially increase your points. However, not all gas optimizations are valid when the optimizer is enabled, leading to some confusion on what should be reported.\n\nFurthermore, bear in mind that the current focus is on high/medium/low severity vulnerabilities and gas optimizations, and there's no direct incentive to report non-critical findings. Participants can submit what they find and do not have to submit all types of reports. \n\nLastly, participants can submit one combined gas report and one combined QA report and they can edit existing findings while the contest is open. Judges consider both quantity and quality of submissions when grading QA reports. A single item in a QA submission is unlikely to receive a high grade. To learn more about this, visit the following links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: What is a Bot Race in CodeArena and how can I participate?\n\nAnswer: A Bot Race is a unique feature introduced by CodeArena to encourage the use of AI in auditing smart contracts. 
The bot races are events where users create their own bots or join bot teams, known as the bot crew. The bots are considered as the warden's intellectual property and are unlikely to be open sourced by CodeArena.\n\nThese bot races are typically held for the first hour of an audit. The bots are then tasked with identifying unique vulnerabilities in the smart contracts. The more unique vulnerabilities a bot finds, the higher the chance of it winning the race. It's also important to note that accuracy (no false positives) might be an advantage in these races.\n\nTo participate in a bot race, you can register on the CodeArena website at [https://code4rena.com/register/bot](https://code4rena.com/register/bot). Information about the next bot qualifier race, which usually runs every few weeks, can be found in the #\u270brsvp channel on our Discord server. If you need help or have any queries about bot races, you can ask the community in the #bot-race-help channel.\n\nThe rewards for the bot races are based on the bot race rank and the number of unique vulnerabilities found by the bot. Initially, the bot race prize pot was taken from the HM pot, but this is subject to change. If a bot finds a high or medium finding, it only gets the bot pool reward based on the bot race rank. Bots can only gain more rewards by having more points and shifting the rank cutoffs, thus bumping others to lower ranks. Updates about any changes to the bot race reward structure will be announced before the races and can be found at [this link](https://discord.com/channels/810916927919620096/958800160870240286/1109067971915153508).\n\nPlease note that findings made with ChatGPT do not qualify for a reward. If you wish to use AI in auditing, you're advised to enter the bot races instead. The top bots are usually announced after the races, so make sure to keep an eye out for that. 
If you're interested in getting notifications about new contests, we are looking into creating a notification system, such as a Telegram bot. Good luck with your bot racing!", "Question: Can we use a Binance address for payout, and how can we update or confirm our payout address for the rewards?\n\nAnswer: Yes, you can use a Binance address for payout. However, keep in mind that Binance addresses can change, and if you do not hold the keys to the address, you technically do not own the coins. \n\nYou have the option to update or confirm your wallet address. The submission form for each contest includes a field for users' wallet addresses. If you wish to use a new wallet address in your reports moving forward, the rewards for the report will be distributed to this new address. \n\nIf you've already submitted a finding and want to change the wallet address associated with it, you can do so before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. \n\nIt's important to note that rewards are tied to your Discord username and specific wallet address. Hence, if you've changed your wallet address, rewards will be sent to the wallet address on file at the time awards are calculated for an audit. \n\nYou can also check if you've submitted an address for rewards or verify your payout for vulnerability issues by checking the wallet address with which you registered, using polygonscan.com or wallet trackers like debank.com. \n\nFor further details about changing wallet addresses, you can visit https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards. \n\nRemember, rewards earned from findings can be withdrawn and sent to your preferred crypto trading platforms such as Binance. To receive your share, ensure to register your handle and ETH address. \n\nLastly, in case of team participation, rewards are distributed to one address for one handle per contest. 
If two people part of a team find the same issue but submit it with different wallets, the reward is given to the wallet associated with the handle for that specific contest.", "Question: What measures does CodeArena suggest to prevent scams and protect user information, given the recent discussions regarding potential threats?\n\nAnswer: CodeArena encourages smart online behavior to minimize potential scams and threats. One of the suggested measures is the use of Hashbot (https://Hashbot.io) to detect potential scammers. It is also recommended to be cautious about sharing sensitive information like private keys, especially on public platforms like GitHub, which can be monitored by illicit bots. There is also a smart contract scanning tool (https://app.metatrust.io/project) that can detect price manipulation vulnerabilities. \n\nFor potentially malicious transactions, users are advised to check their spam mail and use resources for blockchain forensics analysis. In case of unauthorized transactions, it's suggested to use a new wallet to prevent further attacks. Wallet addresses can be confirmed with polygonscan.com or wallet trackers like debank.com. There's a higher burden of proof for users utilizing automated tools for attack findings, more information can be found at https://github.com/code-423n4/org/discussions/50. \n\nLastly, be wary of phishing scams involving fake Cod4rena accounts or dubious links for purchasing ARENA tokens from untrustworthy URLs. A good rule of thumb is to always verify information and sources before proceeding. 
In case of any uncertainties, it's better to raise a potential scam alert and report the issue to the community or the CodeArena team.", "Question: Can I privately message or direct message a CodeArena staff or specific individuals for questions and specific issues?\n\nAnswer: Yes, you can definitely make use of the direct messaging feature on Discord to get in touch with the CodeArena or C4 staff members, moderators, or designated contacts from sponsor teams. You can privately ask questions, seek guidance on sensitive aspects of the system, and even report potential scams or spammers.\n\nDuring contests, you're allowed to engage with the project's dev team or the sponsor to discuss potential submissions, vulnerabilities, or high severity issues. This can be done either in the contest's specific channel or via direct messages. Additionally, you can directly message certain individuals to update your submissions or to request withdrawal of a submission.\n\nFor more intricate matters like collaboration, investment issues, or specific code-related questions such as about Yield v2, FairSide, \"redacted-cartel\", or \"pooltogether\", you can send them via DM. If you want to apply for a backstage role or become a backstage warden, make a help desk request, or if you've received a warning about the invalidation of your submission due to the use of chatGPT tools and wish to prove your innocence, direct messaging is the recommended method of communication.\n\nHowever, while direct messaging is encouraged, please remember to use this feature responsibly and respect others' privacy.", "Question: How can I manage changes to my Discord username and how does that affect my CodeArena account?\n\nAnswer: Changes to your Discord username can be managed via your CodeArena account. Inside your account settings, you can update your Discord username, but remember that your Discord nickname should remain as your registered C4 username. 
However, if you've changed your Discord username, make sure to update it on the Account Management page of your warden profile too. \n\nPlease be aware that changes to your Discord username may affect your warden role on the CodeArena site. If you're experiencing issues with this, you can update your new Discord handle in your profile on the site. \n\nIt is also crucial to note that if you are on our leaderboard and you want to change your nickname, you will need to create a new registration/discord handle and start over with the new name. \n\nIn case you're having trouble with the help form because there's a space in your Discord handle, you can include the Discord handle without spaces in the necessary field, but state the actual handle (with spaces) in the description field. \n\nUpdating your Discord username doesn't affect receiving awards, but it does ensure you can be tagged in for any award announcements. \n\nIf you need more help, we advise you to submit queries via the Help Desk for the developer team to review. There are also guidelines on dealing with a changed Discord ID, which can be found [here](https://discord.com/channels/810916927919620096/810931711609143326/1119321495987032144). \n\nPlease remember that currently users are not allowed to change their wallet logins and it's unclear if you can create another account with the same Github username, email address, and Discord username. If you need to change other account details, like Twitter username or Github username, you can do so by submitting a help desk request. Any changes to your Github username in the Code4rena profile necessitates a manual update to backstage access by Code4rena Github admin. 
\n\nIt's important to have your Discord username updated correctly to ensure smooth communications and operations within the CodeArena platform.", "Question: When and how can I see the results and feedback from my submissions to the Caviar/Rubicon audits on CodeArena?\n\nAnswer: The results of your submissions for the Caviar/Rubicon audits on CodeArena will be made public once the entire review process is complete. This typically takes between 2 to 6 weeks, but it can sometimes take longer. You will be able to check on your submissions by visiting https://code4rena.com/reports/ where you can view your Analysis Report. You can also view your submitted findings on the C4 Contest page under the \"Findings\" tab. \n\nIf there were any issues with your submission, such as with the Caviar contest, you will be able to see these once the report is published and the findings repo is made public. This will also allow you to see the discussion among sponsors and judges regarding specific issues and why a submission may not have been accepted. \n\nParticipants can also expect to receive an email confirmation of their submission. If you wish to check your submission without modifying it, you should be able to do so via the \"Your findings\" button. \n\nWe are also working on plans to allow certified contributors to view submitted issues right after contest closure and to give input on these issues during judging. For improving future submissions, you can check previous reports to see what a high-quality submission looks like. If you wish to see early feedback on submissions for improving audits, you can visit the judge's post at https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440.\n\nPlease note that due to the nature of our process, we cannot provide an exact date for when results will be released. 
We appreciate your patience.", "Question: What is the process and implications of changing my Discord username in relation to my CodeArena (C4) account? \n\nAnswer: Discord's recent update, which asks users to use their name without the discriminator, may have implications for your warden role on CodeArena. If you decide to change your Discord username, it's recommended to also update this in your profile on the CodeArena site through the Account Management page. If you're experiencing any difficulties with this, you may submit your questions via the Help Desk for developer team review or seek help in the #auth-help channel. \n\nYou can also switch to using a username and password for login, but please note your Discord nickname should still match your registered C4 username. It's important to keep in mind that changing your username may affect your account registration as a warden and could create mismatch issues between your site username and Discord nickname. If severe, this might require a complete re-registration on CodeArena. \n\nDo note that updating your Discord username to your CodeArena account is crucial for ensuring you can be tagged in for any award announcements, though it won't affect your receipt of awards. \n\nFor specific instructions on how to deal with a changed Discord ID, please visit: https://discord.com/channels/810916927919620096/810931711609143326/1119321495987032144\n\nAs of now, usernames on CodeArena are immutable and cannot be changed. But, if you wish to change your Twitter username on C4, you can do so by creating a help desk request at https://code4rena.com/help. 
\n\nFor further updates, please keep an eye on the #\ud83d\udce2announcements channel and the C4 newsletter.", "Question: How are findings categorized and judged in terms of their validity and severity at CodeArena, and where can I find relevant guidelines for this process?\n\nAnswer: The categorization and judgment of findings in terms of their validity and severity at CodeArena is a detailed process. Information about what types of findings are no longer valid can be found in the conversations on our GitHub page [here](https://github.com/code-423n4/org/issues?q=is%3Aissue+is%3Aopen+label%3Arules). \n\nFurthermore, if a finding is submitted as high severity but is downgraded to medium by a judge, it does not mean the finding is overinflated and thus invalidated. The guidelines for such situations can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions). \n\nEqually, if a low severity finding from a contest's bot report is escalated to a high severity by a participant, it does not automatically become invalid. In such cases, the participant must provide strong evidence to demonstrate a relevant High or Medium severity exploit path for it to be considered satisfactory. The policy for judging these cases can be found [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nIt's also important to note, participants will receive feedback from a judge if a submitted finding is marked as invalid. The submission policy related to automated findings is provided [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). If a finding is submitted as medium severity but the judges believe it is high, the severity of the finding can be upgraded, unless there is a reason to penalize it.\n\nFinally, even if a High severity bug turns out to be only Medium, the reward for a Medium bug is still received. 
Incorrect submissions are usually labelled as \"unsatisfactory\". The severity of issues can be updated post-submission by judges, which ensures a fair evaluation of all findings.", "Question: How can I submit findings on behalf of my team on CodeArena's platform?\n\nAnswer: If you are part of a team, you are capable of submitting findings on behalf of your team on CodeArena's platform. To do this, first, ensure that your team is registered and approved on CodeArena. This can be done by submitting a team request at https://github.com/code-423n4/code423n4.com/pull/28.\n\nOnce your team is approved, you can log in to your Code4rena account as usual, using your individual warden account. You can then switch between your individual account and your team account before making a submission. This can be done through the submission form on the website for each contest, where you can select whether you're submitting as an individual or as a team member. \n\nFindings are submitted through a PR (Pull Request), and you can add your team handle when reporting issues. After submitting a bug, you will have the ability to view or edit your own submissions on the site for any open contests. It's important to note that only the team has access to submissions before a contest ends. \n\nIf there are errors in your submission or if you have made multiple submissions, you can seek assistance from the team handling the platform. If you want to modify your team, you can submit a request through the help desk. \n\nIn case you are wondering, when submitting as a team, all members receive the bug stats, and you can choose to participate solo even if your team is also auditing a contest. 
\n\nFinally, if you have more queries about how teams operate on Code4rena, including how prizes are split and how reports are submitted, you can direct your questions to the designated contacts of sponsor teams in the contest.", "Question: How can I find information on what types of smart contract findings are no longer valid, and how can I understand the reasons behind the rejection of findings?\n\nAnswer: Information on what types of smart contract findings are no longer valid can be found in the conversations on our GitHub page, which you can access here: https://github.com/code-423n4/org/issues?q=is%3Aissue+is%3Aopen+label%3Arules. This page provides updates on accepted findings that haven't been merged and any reports that have been removed. \n\nWhen a finding is submitted, the participant will receive feedback from a judge if it's marked as invalid. The reasons for rejection are also provided, which can help you understand why certain findings were not accepted. A report is available showing only unique findings, and you can view other participants' findings after a contest has ended. \n\nPlease note that for each contest, the Readme Page has a section titled \"Known Findings,\" listing all the automated findings not accepted in the contests. \n\nIf you have submitted a finding that you believe to be valid, but it's classified as invalid, there is an appeal process in place. You can read more about this in our documentation here: https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision. \n\nLastly, findings that are valid but non-critical, such as the presence of \"Open Todos\" or the \"use of Block.timestamp\", are typically not rewarded. And remember, two wardens submitting the same issue are treated differently. 
It's important to ensure that your findings are unique and critical for them to be accepted and rewarded.", "Question:\nIf my Gas/QA findings are included in some audits and exceed a certain threshold, does it qualify me for a backstage role and how is my grade determined?\n\nAnswer:\nBeing included in a Gas/QA audit and exceeding a certain threshold can potentially qualify you for a backstage role at CodeArena, however, there are specific criteria that need to be met. These include a high severity finding or three medium severity findings, and a QA or Gas report score of over 85. Backstage access is also based on the certified contributor role, the number of findings (at least three medium findings and four total findings) and participation in contests. \n\nRegarding grading, grades are assigned based on the quality and impact of the findings in your QA or Gas report. The grading system counts Grade A reports as 2 shares, Grade B as 1 share, and the best report receives a 30% bonus. The number of issues reported doesn't necessarily determine the grade; for instance, one high-quality issue could lead to a Grade B, whereas multiple low-impact issues may only yield a Grade C. \n\nIt's important to note that only the most comprehensive QA/gas reports are accepted, and duplicates are disregarded. The judges consider both the quantity and quality of submissions when grading QA reports. So, a single item in a QA submission is unlikely to score high. However, if an issue submitted in a QA report as a low finding is later determined to be a medium finding by the judges, it will be eligible for medium rewards.\n\nYou can request to check your eligibility for the backstage role by opening a help desk request at https://code4rena.com/help. 
For more detailed information on QA/Gas reports and grading, you can visit https://docs.code4rena.com/awarding/incentive-model-and-awards and https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical.", "Q: As a new member of a team, what is the process I need to follow, and is there any wait time involved?\n\nA: Welcome to CodeArena! Adding new members to a team is a straightforward process. You can submit a team request at [https://github.com/code-423n4/code423n4.com/pull/28](https://github.com/code-423n4/code423n4.com/pull/28) which is the primary step to join the team. These team pull requests need to be accepted by someone from your team. However, you may face some issues while adding or the \"Available for Hire\" status might not immediately appear even after your certification due to some manual steps involved in the backend.\n\nOnce your team request has been approved and registered with Provenance and KYC, there is a processing period involved. The team will process your role after receiving confirmation. Typically, the 'Certified' status confirmation and updation takes around 2 to 5 business days post the approval from Provenance. You will receive an update on the status of your certification process via email.\n\nIf there are delays in this process or if you're facing issues, you can submit a help desk request at [https://code4rena.com/help](https://code4rena.com/help). Also, please note that teams can be modified by submitting a request through the help desk.\n\nRemember, changes in roles, or in Github user requests, are processed by our team. You can check if you're certified by clicking on your name to see assigned roles, as well as through email communication. If needed, you can find further instructions for the verification process at: [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors). 
Please feel free to reach out if you have any further questions or issues.", "Q: Could you elaborate on how the grading system works for QA and Gas reports, how issues are categorized into grades A, B, C, the differences between \"primary issue\" and \"selected for report\", and how bonuses are assigned for each category?\n\nA: The grading system for QA and Gas reports is based on both quantity and quality of submissions. Grades are categorized into A, B, and C. Grade A is assigned to top-quality reports and counts as 2 shares, Grade B counts as 1 share, while Grade C is given to multiple low-impact issues. The \"primary issue\" is selected based on the best write-up, not necessarily the order of submission, and is considered for incentivization to encourage high-quality submissions. The \"selected for report\" classifies issues that are featured in the client report. \n\nBonuses are awarded differently for different grades and categories. For instance, the best report receives a 30% bonus. The awards are divided between grade A and grade B for QA and Gas reports. It's important to note that a single item in a QA submission is unlikely to receive a high grade, and the number of issues reported doesn't necessarily determine the grade.\n\nIssues can be upgraded and downgraded between categories. For example, if a finding is submitted as a low in a QA report, but the judges deem it as a medium, it will be eligible for medium rewards. 
Similarly, judges can downgrade medium issues to QA and consider them with your QA report when grading.\n\nFor more detailed information on the grading system, bonuses, and categorization of issues, refer to the following links: [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards), [https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic), [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical), and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n", "Q: I submitted a low-risk vulnerability finding. Now, I have discovered another finding. How can I submit this new one? Also, can I modify my previous finding?\n\nA: You have the ability to report multiple findings and modify previously submitted ones. To do so, navigate to the contest page and click on the 'your finding' button. Here, you can submit additional vulnerabilities and edit existing ones. Please make a separate submission for each unique vulnerability depending on its type and severity. If two separate vulnerabilities can be combined to create a more powerful one, you can submit a third finding explaining the proof of concept. In case you're unsure about the severity of a finding, consult our guidelines on estimating risk at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. \n\nIf you believe a finding initially identified as low-risk can lead to a high severity finding, report it again during the contest and provide a clear explanation. If your high-risk finding is judged as low risk or vice versa, rest assured you will still be rewarded appropriately. 
\n\nShould a submitted bug severity need to be increased, during a contest, you can submit a help request to remove the original submission and then submit a new one via code4rena.com/help. Please remember to avoid submitting a high volume of low-quality reports, which we define as those lacking a clear explanation or path to the finding. The discussion related to this can be found at: https://github.com/code-423n4/org/discussions/34\n\nIn case of submitting a medium/high report without recommended mitigation steps, ensure to include an explanation as to why it cannot be feasibly mitigated. Also, if you find the same issue that was found with the automated finding but in a different instance, you can report it again.\n\nRemember, when reporting vulnerabilities, you can enhance your report by attaching screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected code.", "Question: What is the process for submitting a helpdesk request at CodeArena and how long does it typically take to receive a response?\n\nAnswer: At CodeArena, help desk requests can be submitted via our online form at https://code4rena.com/help for a variety of issues ranging from troubles with user registration, backstage application assistance, analysis submission issues, or even logo change requests. Upon submitting your request, you will receive a confirmation indicating that your request has been received. \n\nYour request will then be reviewed and typically, responses are provided within 24-48 hours on business days. However, do note that some complex issues might take up to a week for a thorough review and response. You can also track the status of your request or raise follow up inquiries if needed. Remember that help desk support operates during business hours and doesn't offer service on weekends. 
\n\nIf you don't receive a response within an expected timeframe or need further assistance, we encourage you to create another help desk request. Our team at CodeArena is committed to providing timely and effective assistance to all our users.", "Question: How can C4 team members navigate working on different contests simultaneously or at different times, while managing their individual and team participations? \n\nAnswer: Currently, CodeArena doesn't directly support the same team name with different members working on different contests simultaneously or at different times. However, individuals can log into their Code4rena accounts and switch between their individual account and team account before submitting findings. \n\nIf a team member wants to participate solo in a contest that their team is also participating in, their name can appear twice on the leaderboard - once for individual participation and once as part of the team. \n\nFor teams where not all members participate in the same contest, each team determines how to split their portion of the contest's reward amongst themselves. More information on this can be found on our page about incentives and awards: https://docs.code4rena.com/incentive-model-and-awards.\n\nWhen submitting findings, team members can choose either their solo handle or team handle. If a team member accidentally submits to the wrong contest, they can submit again to the correct contest and fill out our form to let us know about the incorrect submissions at https://code4rena.com/help/.\n\nWe understand that these situations can be challenging to manage and we're actively discussing improvements. An ongoing discussion on this topic can be found on our GitHub page: https://github.com/code-423n4/org/discussions/43. We also plan to enable the use of different wallets by the same handle in a single contest to provide more flexibility.\n\nThe process of approving a team for contest participation can take a few business days. 
For changes in a team, such as the addition or removal of members, and for managing different roles in the contest, we recommend reaching out to the contest's designated contacts from the sponsor teams. \n\nPlease note that if a team is competing in a contest, all members need to be certified to receive the payout. \n\nWe're continuously working to improve our system and your feedback is valuable.", "Question: What happens when a team member wants to participate individually in a contest that their entire team is also auditing? How do we manage team participation and rewards distribution in such cases?\n\nAnswer: At CodeArena, we understand that not all team members may want to participate in the same contest all the time. In cases where a team member wants to participate solo in a contest that the rest of the team is auditing, they are completely allowed to do so. When submitting findings, the submission form allows members to select whether they're submitting as an individual or as a team member. \n\nHowever, do keep in mind that if multiple members of the same team submit the same item separately, it can decrease the overall value of the submission. This could also affect the team's leaderboard ranking, which takes into account both the current contest and the total participation of a contestant. \n\nAs for the distribution of rewards, the prize for a team is sent to a single address, and it's the team's responsibility to distribute it amongst themselves. Each team determines how to split their portion of a contest's reward. For more details on this, you can refer to the award information provided on our website: https://docs.code4rena.com/incentive-model-and-awards. \n\nRemember, changes to teams, like the removal and addition of members, are possible. When competing as a team, all members need to be certified to receive the payout. Also, team participation is not mandatory, and users have the option to participate individually. 
\n\nFor managing teams where not all members participate in the same contest and potential ways to distribute rewards among team members who contributed, ongoing discussions can be found here: https://github.com/code-423n4/org/discussions/43. \n\nPlease note that the process of approving a team for contest participation can take up to a few business days. Your understanding and patience are appreciated.", "Q: How can I link or change my Twitter handle on my CodeArena profile? \n\nA: Users can link their Twitter handle to their CodeArena profile or make any changes by submitting a help desk request. This process also applies to changing your account details like your profile picture and Twitter username. To do this, go to [https://code4rena.com/help](https://code4rena.com/help) and fill out the necessary information. \n\nPlease include your warden name and the Twitter URL you'd like linked to your profile. If you're updating your Twitter handle, make sure to specify your new Twitter username. \n\nFor participants who wish to join contests, you can add your handle to the CodeArena repository at [https://github.com/code-423n4/code423n4.com/tree/main/_data/handles](https://github.com/code-423n4/code423n4.com/tree/main/_data/handles) and make a pull request. \n\nPlease note that if you are a certified user, you have the ability to edit your profile. However, changes to your profile, including the \"Available for Hire\" status may not appear immediately due to backend processes. If you need to check if you've submitted an address for rewards or change your wallet address, you can also use the help form at the link mentioned above.", "Question: I received an approval notification for my application for certification from a security company. What should I anticipate as the next steps in the process?\n\nAnswer: Congratulations on your approval! After receiving the approval for your certification, you will move into the final stages before achieving Certified status. 
The team at CodeArena will process your application, which typically takes between 2 to 5 business days, but can take up to 2-3 weeks in some instances. You will receive an email from compliance@provenance.company or Provenance and C4 to confirm the successful completion of your KYC (Know Your Customer) verification. Please note that this email might end up in your spam folder, so it's advisable to check there if you don't see it in your inbox. \n\nYour Certified status will then be updated on your profile. You can confirm this by clicking on your name to see the assigned roles. If you applied for the Certified+ status after a high finding, it's important to note that this involves additional steps, including the completion of the KYC verification. \n\nTo understand more about the certification process, you can refer to the document available at https://docs.code4rena.com/roles/certified-contributors. \n\nRemember, the process can move more quickly if the necessary documents were supplied promptly to the KYC provider. If there are any issues or questions regarding your certification, please contact the organization through the help desk form.", "Question: How can I invoice C4, a DAO, and what considerations or changes have been made to accommodate this?\n\nAnswer: Yes, it is possible to invoice C4 which is a DAO. This has been made possible following some recent changes aimed at facilitating compliance with tax laws, especially for those in the EU. The invoicing process can be found at https://github.com/code-423n4/org/discussions/91. If you wish to make an invoice regarding contest payouts, those should be addressed to the Code4rena Foundation. For additional details on tax, legal questions, and how to create an invoice for rewards, refer to https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. 
Be aware that tax reporting on bounty earnings is an individual's responsibility and is not handled by C4 or Provenance, our KYC provider. If you need to update your payment address, you can do this from your C4 account screen at https://code4rena.com/account.", "Question: What does CanAuto mean in the context of issue types and how does it relate to automated findings in CodeArena?\n\nAnswer: CanAuto likely refers to issues that can be automatically found by auditing tools. CodeArena utilizes a tool called \"C4audit output\" to generate automated findings for each contest. These automated findings are typically documented in bot-generated reports and may cover a range of issues including high, medium, low, non-critical, and gas-related issues. \n\nIf a low severity finding in a contest's bot report is escalated to a high severity, it is not automatically invalid. However, to be considered satisfactory, submissions based on automated tools must provide strong evidence to demonstrate a relevant high or medium severity exploit path. \n\nAfter submitting an issue on the C4 website, users do not need to further create an issue on GitHub, as the C4 system does this automatically. It is also worth noting that if an issue found is in the same category as a bot report but not included in the bot report, it can be considered a valid finding. \n\nIt is also possible for issues identified in an automated finding to lead to a high severity finding. In such cases, it has been suggested that it could be reported again during the contest by a warden and could be awarded with higher severity. \n\nFor more details on the submission policy related to automated findings, please refer to CodeArena's documentation at: [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). 
In addition, the tool currently in use for automated findings can be found at: [https://github.com/Picodes/4naly3er](https://github.com/Picodes/4naly3er).", "Question: How can I obtain the Code4rena UNA address for invoicing purposes?\n\nAnswer: The details for the Code4rena UNA address, which is the entity to be invoiced for received rewards, isn't readily available in the chat history. To obtain these details, you can submit a help desk request via the following link: https://code4rena.com/help. In the request, mention your need for the Code4rena UNA address for invoicing purposes. Please also remember that more information about Code4rena and its teams is available at https://docs.code4rena.com/.", "Question: Can I currently create an invoice for my rewards from a contest, and where can I find the necessary information about this process?\n\nAnswer: Yes, it's already possible to create an invoice for your rewards received from a contest. CodeArena, being a DAO, has made changes to allow for this feature. This is particularly beneficial for individuals in the EU to remain compliant with tax laws such as MiCA. For further information on the invoicing process, you can refer to the bottom of the following page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. However, it's important to note that some changes may require confirmation by a specific individual. Also, while some of the contracts being discussed could already be deployed, others may not be, so it would be beneficial to stay updated on this topic.", "Q: How can I arrange and participate in an audit for my project with CodeArena (C4)?\n \nA: To arrange an audit for your project, you can make an online inquiry and submit the form on our website. Our booking team will assist with the setup process. You can also ask questions about findings from past projects to better understand the process. Some companies even show interest in running audit contests. 
\n\nIf you're interested in participating in the audit process, you can do so even before your code is complete. It is possible to take part in private competitive audits, but to participate, you need to become certified. More information on certification can be found at https://docs.code4rena.com/roles/certified-contributors.\n\nCurrent ongoing contests can be found by checking our platform, or more information can be sought from our team, which is regularly in contact with various projects about upcoming audits. Please note that there are no upcoming competitions currently, but we are in talks with several people about potential audits. \n\nYou can also join teams and participate in the audits. To participate in restricted audits, you can apply at https://docs.code4rena.com/roles/certified-contributors. If you're interested in becoming an auditor, we advise getting there through reverse engineering, reading old audit reports, etc. A set of example reports are available at https://chainsecurity.com/audits/.\n\nIf you're new to smart contract auditing, our platform can provide the necessary help. We also suggest you read our blog post at https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan to understand how to approach the auditing of big projects. You can also access our c4audit repo for further resources.\n\nPlease remember that after confirmation from provenance, you can participate in a private audit. 
Some users have raised concerns about how to manage team members who wish to participate solo in a contest that their team is also auditing, so it's important to coordinate and communicate effectively with your team.\n\nWe hope this information helps, and we look forward to assisting with your audit needs.", "Question: What is the expected timeline for receiving responses to my inquiries, submissions, or applications at CodeArena, and what should I do if I experience delays?\n\nAnswer: At CodeArena, we aim to ensure that every inquiry, submission, or application receives a prompt response. Typically, help desk requests are reviewed within 1-2 business days. If you've submitted a ticket to Code4rena, you should expect a response within the same timeframe. However, there may be delays in receiving responses depending on the nature of your request or submission. \n\nFor submissions related to contest findings or the Certified Warden program, it is recommended that you wait for about a week for a response. This is because our partner, Provenance, who manages these programs, typically takes about a week to respond to submissions. Once a submission is received, participants should receive an email confirmation within a few minutes, but there may sometimes be delays. If you do not receive this email, please check your spam folder as some participants have reported their confirmation emails ending up there.\n\nIf you've sent a request to become a certified warden and haven't received a response after 12 days, or haven't received any reply to your KYC application within five business days, we advise you to raise a help request through the form on the company's website [Include Link Here].\n\nAlso, if you've submitted a report for the first time and want to check the submission status, please know that you can follow up on the status of a help desk request and should get a response within a week. 
Note that the initial email from Provenance in the Certified Warden verification process doesn't have a specified timeframe for delivery. However, once the process begins with Provenance, it usually takes around 1-2 business days.\n\nDuring certain periods, such as holidays, there might be a delay in responses. You can also reach us via direct messaging for specific questions. We value your patience and understanding, and we're always here to support you through your journey with us at CodeArena.", "Question: How is the invoicing process for the rewards received from a contest handled at Code4rena?\n\nAnswer: Rewards participants receive from the Code4rena contests can be invoiced to the entity, Code4rena UNA. For the complete process of creating an invoice, participants can refer to the information provided at the bottom of this page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. Please note that the rewards can be paid partially or fully based on the conditions of the contest. Also, the reward amounts for contests are usually provided by the sponsor.\n\nChanges have been implemented by Code4rena, a DAO, to allow for invoicing and these changes may have tax implications. After a report is accepted, typically, the reward payment is made within 1-2 business days of the announcement. There have been instances where the reward distribution was delayed due to the use of multisignature (\"multisig\") wallets, which require signatures from multiple parties before funds can be released. In the future, awards are expected to be distributed via a smart contract once additional pieces are in place.\n\nPlease note, if you change your wallet address, rewards are sent to the wallet address on file at the time awards are calculated for an audit. If working in a team, all rewards go to the team and the team is responsible for dispersing the funds among the members. 
More information about the rewarding process, including the rewarding formulas and the distribution of rewards in the context of multiple wardens finding the same issue, can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards.", "Question: \nCan I invoice for the rewards I received from a contest at Code4rena and what is the process for doing so?\n\nAnswer: \nYes, it is possible to invoice for the rewards you have received from a contest at Code4rena. However, it needs to be confirmed by a specific individual. This feature is particularly beneficial for participants in the EU for compliance with tax laws such as MiCA.\n\nThe process for creating an invoice can be found at the bottom of the following page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. Inquiries about the Code4rena UNA address details for invoicing purposes can also be made. After creating your invoice, it should be sent to the Code4rena Foundation.\n\nPlease note that there is a possibility of revising the payment amount (increase, decrease) after payout. Also, it's worth mentioning that C4, being a DAO, has made changes to allow for invoicing, enhancing the smooth flow of operations.\n\nIf you have any additional questions regarding invoicing, feel free to contact us or submit a helpdesk request.", "Question: Where can I find information about sponsorship and how to become a sponsor on CodeArena?\n\nAnswer: If you're interested in becoming a sponsor on CodeArena, you can visit the #\ud83d\udcbci-want-c4-to-audit-our-code channel on our Discord server. This channel is specifically designated for those who wish to sponsor audits. You can also direct message our sponsor team members for any specific queries or discussions. 
However, please be aware that the timeline for sponsoring contests is not explicitly mentioned and the scope for the contests is decided by the sponsors themselves, who list this information in their own contest channels. Stay updated with new contests on the #\u270brsvp channel. Please note that to have access to certain contest channels, it may be necessary to register as a warden in the #\ud83d\udc3ai-want-to-be-a-warden channel on our server.", "Question: Where can I find information about gsset, gscoldsload and other related terms, and what do they mean?\n\nAnswer: Information about gsset, gscoldsload, and related terms can be found at this GitHub link: https://github.com/wolflo/evm-opcodes/blob/main/gas.md. This repository provides information regarding Ethereum Virtual Machine opcodes and their gas costs. For example, the term \"Gsset\" refers to set storage from 0 to non-0, and \"Gsreset\" refers to set storage from non-0 to non-0, or anything to 0. More in-depth definitions can be found on page 27 of the Ethereum Yellow Paper: https://ethereum.github.io/yellowpaper/paper.pdf. Please note that these terms are related to gas optimization, a key aspect in smart contract auditing. For those interested in further resources on gas optimization and smart contract auditing, you might find these GitHub links useful: https://github.com/transmissions11/solcurity and https://github.com/Tomosuke0930/C4-report-categolized.", "Question: How can I submit, edit, and track the status of my reports on CodeArena?\n\nAnswer: After submitting a report on CodeArena, you can track the status of your submission and edit your findings under the \"Findings\" tab next to the contest description on the contest page. Look for the 'My Findings' or 'Your findings' options to edit your submissions. \n\nAfter reporting an issue, irrespective of its severity, you will receive a follow-up. 
If you have submitted a low-risk finding and wish to submit more, you can do so by referring to its number on the 'Your Findings' page. \n\nUpon successful submission, you will receive an email confirmation. In some cases, the confirmation may take some time and if the submission fails, the form should return an error. You can check the success of your report submission by looking for this email or using the 'View Context' function. \n\nThe results of the reports you have submitted will be posted at https://code4rena.com/reports/ once the entire process is complete, which can range from 2 to 6 weeks or even longer. In the meantime, you can review previous submissions to see what a high-quality submission looks like. \n\nIf you are submitting a PoC to report a finding, you will need to upload the results of the git diff command. You can also track the issue for the finding you sent on Github from the report. \n\nLastly, if you are faced with any difficulties while submitting your report, such as loading issues or errors, don't hesitate to try again or reach out for help. Your perseverance is key to ensuring the quality and security of smart contracts audited by CodeArena.", "Question: How can I confirm my submission and what steps should I take if I don't receive a confirmation?\n\nAnswer: Once you've submitted your audit report, you should expect to receive a confirmation email. This email serves as a direct confirmation of your submission. Please also check your spam folder in case the confirmation email is directed there. If you do not receive this email within a reasonable period, or if you are facing issues with your submission, you can open a help desk request at [https://code4rena.com/help](https://code4rena.com/help). This platform allows you to track the status of your request and also offers assistance in case your submission hasn't been certified after a response is received. 
For issues related to mobile tasks, you can also seek assistance by sending requests to submissions@code4rena.com. It's important to note that even if you don't receive an email notification after creating a help desk request, the request is usually confirmed as received.", "Question: What happens after a report is accepted and how are the rewards distributed in CodeArena?\n\nAnswer: Upon acceptance of a report, the reward payment is typically issued within 1-2 business days of the announcement. This payment is made in USDC and directly transferred into the participant's wallet. The exact timing of payment may vary depending on the judging process which can take anywhere from 2-4 weeks, depending on the number of submissions and the complexity of the code. The judging process is final once the rewards are announced. \n\nNot all reports are guaranteed a reward; they are first reviewed and graded based on their quality, accuracy, and the presence of a working proof of concept. All types of accepted reports, from high level to gas optimizations, are eligible for payouts, but reports are evaluated based on their severity by the sponsors and judges. \n\nThere is a possibility for partial or full payments for submissions. If a team submits a finding, a single payment is issued, and the team has discretion over the distribution of the reward amongst its members. If multiple participants find the same issue, the best report usually receives more money, whereas duplicate reports not exceeding a certain threshold may not receive any reward. Bonus rewards are also given for the best reports. \n\nThe final report of a contest may not immediately appear on the C4 site even after rewards are sent and leaderboards are shown. It's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project. 
Participants can view their submissions and the reasons for their rejection once the report is published and the findings repo is made public. \n\nFor more details about the roles and responsibilities of wardens, you can refer to https://docs.code4rena.com/roles/wardens. Further information about the incentive model and awards can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards.", "Question: What happened to the Vine Labs contest and where can I find updates about it?\n\nAnswer: The Vine Labs contest on CodeArena was postponed. Updates regarding the status of this and other contests, including those previously listed in the upcoming contest section and now absent, can be found in the \"Past Contest Status Updates\" section on our platform. This section provides a timeline and current status of all contests. Please note the timing for each contest can vary, especially for large-scale contests involving a high number of sloc. Also, if you can't find a contest in a specific section, it is possible that the contest is private. Access to such contests is typically restricted. For more information on any contest, including the judging process and award distribution, please monitor our Discord chatroom and the backstage channel. However, please remember that access to the findings repo to view contest details such as findings, submission replies and others' submissions is currently suspended until further notice.", "Q: I'm having trouble submitting a report due to errors, what steps can I take to resolve this?\n\nA: If you receive an error while trying to submit a report, the first step is to try waiting for a while and then try again, as some users have resolved their issues this way. Error messages can occur for various reasons, including exceeding the API rate limit or due to browser-related issues. If you're getting an \"API rate limit exceeded\" message, it may be due to too many attempts to submit the report in a short period of time. 
In this case, waiting a little while before trying again could help.\n\nIf you're using Firefox or sometimes Chrome, you might experience errors related to the permalink when submitting findings. Trying a different browser could bypass this issue. \n\nIf your report is particularly large (for instance, a gas report larger than ~65k characters), you may exceed Github's max character limit for issue descriptions, which prevents the form from being submitted. In such a case, you can email your submission to submissions@code423n4.com. \n\nRemember, you can only submit one Quality Assurance (QA) issue. If you find another error after submitting, you can edit the existing submission. After submitting a report, you should receive a confirmation email. If you're unsure whether your submission was successful, you can check your email or use the \"View Context\" function to view the findings. \n\nIf you still encounter issues while submitting a report, you can always request help through our help desk. More details on report submissions, including how to handle larger reports, can be found on our FAQ page: [https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form)", "Question: What is the prize structure for bot races in Code4rena and how is it allocated?\n\nAnswer: The Bot Race is a new feature introduced by Code4rena where users are rewarded for findings made with AI. The races take place within the first hour of an audit. The initial prize pot for bot races was taken from the HM (High/Medium) pot, but this is slated to change soon. \n\nThe total awards pool includes several categories, with the Bot Race awards totalling $7,500 USDC. The prize for these races is not taken from the QA or Gas pots. 
If a bot uncovers a high or medium finding, it only gets the bot pool reward based on its rank in the bot race. The more points a bot has, the higher its ranking, which could potentially shift rank cutoffs and bump other bots to lower ranks.\n\nThe entire contest pot size, which includes the bot race pot, depends partially on the number of lines in the code being audited. Furthermore, the reward structure is expected to be updated before the upcoming Maia contest. You can find more details about this update at this link: [https://discord.com/channels/810916927919620096/958800160870240286/1109067971915153508](https://discord.com/channels/810916927919620096/958800160870240286/1109067971915153508).\n\nQuestions related to the bot races, such as qualifications, upcoming qualifiers, or how to check for qualifier results, can be answered in the #bot-race-help channel on Discord. Note that users cannot receive a reward for findings made with ChatGPT and are advised to take part in the bot races if they wish to use AI in auditing. \n\nPlease keep an eye out for further announcements regarding any changes to the prize structure or other related policies.", "Question: How do I submit a help request on Code4rena?\n\nAnswer: Users can submit a help request through the Code4rena website in case of any issues or assistance needed. These could include errors during the analysis submission process, issues with your status, addition of new team members, changing your profile avatar, tracking the status of your KYC confirmation, or security concerns. \n\nTo submit a help request, simply visit https://code4rena.com/help. After submitting a request, you should receive a confirmation that your request has been received.\n\nIf you experience any difficulties when trying to submit a help request through the form, you can forward your request to submissions@code4rena.com. 
Similarly, if you're using a mobile device and having trouble with certain tasks, you can send a request to this email for assistance. \n\nIf you have a question about one of the contests and it's a security-related issue, or if you feel it's a security risk to have issue contents made public, you're advised to submit a help request. Teams that meet certain requirements based on audits with published results can also submit a helpdesk request. \n\nPlease note, backstage access and role changes can be requested through a help request given specific criteria are met. Users can also submit a help desk request to add a Twitter handle to their profile page or to request a logo change.\n\nIf you do not receive an email after submitting a finding, ensure you open a help desk request. It's important to remember that our helpdesk is here to assist you, so don't hesitate to reach out whenever you need help.", "Question: Can anyone participate in the test-coverage program at Code4Arena, and if not, what is the process to become eligible?\n\nAnswer: Participation in the test-coverage program, as detailed at [https://medium.com/code4rena/new-to-code4rena-test-coverage-c548645404f9](https://medium.com/code4rena/new-to-code4rena/test-coverage-c548645404f9), is currently open only to certified wardens. Becoming a certified warden involves a certification process, which includes an application and passing the Know Your Client (KYC) process. The application can be made at [https://code4rena.com/certified-contributor-application](https://code4rena.com/certified-contributor-application) and more information regarding the process and requirements is available at [https://docs.code4rena.com/roles/wardens/certified-wardens](https://docs.code4rena.com/roles/wardens/certified-wardens). 
\n\nCertified wardens also have the privilege to gain backstage access, which allows them to discuss their findings before the rewards are announced, observe the report submission and triage process, and participate in post-judging QA period. More information about backstage access can be found at [https://docs.code4rena.com/roles/certified-contributors/backstage-wardens](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). \n\nIn addition, certified wardens can also join as a team in the contests. The method of registering a team can be found at [https://docs.code4rena.com/roles/wardens#registering-a-team](https://docs.code4rena.com/roles/wardens#registering-a-team). \n\nIf you believe you meet the criteria for becoming a Certified Warden or for backstage access, you can confirm your eligibility by submitting a help desk request. Please note that any questions related to the Certified Wardens process can be directly asked to Code4rena.", "Question: How can I participate in a private audit with CodeArena after getting approved by Provenance?\n\nAnswer: After receiving approval from Provenance, you are eligible to participate in a private audit with CodeArena. Provenance is responsible for the KYC requirements and directly sends the confirmation to process your private audit application. \n\nTo participate, you need to be certified as a warden, as outlined in CodeArena's guidelines on the link: https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0. This certification may also involve other conditions like participating in a certain number of contests. \n\nPost-approval, you can expect to receive an email from Provenance and C4. You can also join teams and participate in audits. Remember that joining a private audit requires completion of the KYC process and obtaining certification. 
\n\nFor more information on the certification process, refer to https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. Please note that to access the private audit contest, it's not mandatory to be a top-ranking warden but having a rank on the leaderboard could be beneficial. \n\nIf you've partway through the Provenance's certified warden process, it's recommended to complete it to access private audit contests. If you have any questions about past projects or findings, feel free to ask. You can also apply for restricted audits at https://docs.code4rena.com/roles/certified-contributors.\n\nAfter completing the certification process with ProvenanceDAO and participating in more than 3 contests, you may receive an upgrade to Certified+. The eligibility criteria for each opportunity is listed in #\ud83d\udd96rsvp-certified. We hope this helps, and we look forward to your participation in our private audits.", "Question: How can I check the status of the issues I submitted for a closed contest and understand the judging process?\n\nAnswer: Once you have submitted issues for a CodeArena contest, the status of these issues is confirmed when the post-contest report is generated or when you qualify to be Backstage. This process usually takes a couple of months after the contest has ended. \n\nDuring the judging phase, your submissions are reviewed and triaged by our judges, then undergo sponsor review, final judging, and a quality assurance process. The acceptance of reported issues depends on their severity as evaluated by the sponsors and judges. \n\nTo understand why a submission was not rewarded, you can review the report after it has been published and the findings repository (repo) has been made public. This will allow you to see the discussion among sponsors and judges on the specific issue. If a submitted issue did not make the award list, it is likely the issue was rejected. 
\n\nIn addition, for each contest, the Readme Page has a section titled \"Known Findings\" where automated findings not accepted in the contests are listed. You can also view other participants' findings after a contest ends, and you can alter the severity of reported bugs after the contest closes either through the PR or by contacting one of the judges.\n\nThere are plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. In addition, there is a consideration to release all unverified submissions a few days after a contest ends for learning purposes. You can learn more about this in our forum post: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123. \n\nPlease note that only our team has access to submissions before a contest ends. After the contests end, those with the \"backstage\" role get access to findings to help with triaging. \n\nIf you have further queries about a particular issue or submission, you can monitor the backstage channel for the post-judging stage of the related contest.\n", "Question: How can I prevent Foundry fuzzer from sending too much value and optimize it for my smart contract audits?\n\nAnswer: The amount of cases generated by Foundry Fuzzer can be modified via its configuration settings. Detailed instructions on how to do this can be found here: https://book.getfoundry.sh/reference/config/testing#fuzz. However, it's worth noting that the use of fuzzing tools for auditing has been declining since Solidity 8.0, due to the implementation of an overflow/underflow check at the language level.\n\nIn terms of optimization, if a function runs out of gas due to large input, a common solution is to introduce a start offset and a maximum length to process the data in batches. 
Additionally, to minimize gas costs, you could also avoid initializing default variables to 0.\n\nFoundry also supports transaction prioritization, allowing you to run transactions by calling functions in a preferred order. Additionally, the \"foundry debug\" tool can be used to debug hardhat tests and introspect contract execution at the EVM opcode level.\n\nRemember that Foundry is a testing framework that also offers other tools to assist in checking things like storage. It was also recommended as a tool for testing scenarios in a local environment as an alternative to public testnets.\n\nLastly, be aware of potential issues with opcode support in Foundry and difficulties in logging gas remaining after state variable updates. Also, there have been reports about errors when running forge debug on a Hardhat project with Foundry integration.", "Question: What is the process and qualifications to become a Backstage at CodeArena?\n\nAnswer: In order to become a Backstage at CodeArena, you must first become a certified contributor, which is a prerequisite. The certification process and constraints are explained at this link: [certification process](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints).\n\nAfter achieving certification, there are specific requirements to be met to qualify for the backstage role. These include a certain number of findings in different areas or of different scores, and participating in at least 3 contests. You may need to identify a high vulnerability. If you are part of a team, all members can become eligible for the backstage role if they submit and have 3+ Med accepted.\n\nOnce you believe you meet these qualifications, you can create a help desk request to have your status evaluated. The detailed process, qualifications, and how to request backstage access are described at this link: [Backstage Wardens](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). 
Please note that being certified does not automatically grant access to the previously participated contest in progress judging repository, backstage access is needed for that.", "Question: How does the exchange rate of compound cToken work and can it decrease?\n\nAnswer: The exchange rate of compound cTokens can indeed decrease. This is influenced by various factors including the repayment of the loan. If 100% of the loan is repaid, the compound cToken exchange rate resets. It's also important to note that the received amount might be less than the transferred amount due to the function of fee-on-transfer tokens. These tokens remove a small fee from every transfer. Therefore, not all types of tokens are fee-on-transfer and it's crucial to understand the type of token being dealt with. Lastly, other factors such as market conditions and specific portfolio values can also influence the exchange rate of cTokens.", "Q: How does CodeArena select and compile low-severity findings for the final report in a contest, and how are these findings rewarded?\n\nA: Only one low-severity finding from among all the submissions is chosen to be included in the final report. However, if a low-severity finding from a contest's bot report is escalated to high-severity, it doesn't automatically become invalid. The process for judging such cases is explained in Code4Arena's submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nMultiple wardens can report the same vulnerability, but if they assign different severities, they are all given the same severity for award calculation due to the deduplication process and the judging that happens afterward. 
But, a finding initially submitted as low in a QA report can be eligible for medium rewards if judges determine it to be so - stated [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nThe contest final report does not include wardens whose submissions/findings are not accepted. Wardens who report a certain finding first and those who also found the same finding are recognized in reports. All A-graded QA reports receive the same award, regardless of the number of low-severity findings. \n\nThe award may vary significantly depending on the level of detail in the submission, such as the inclusion of a Proof of Concept (PoC), and the way the issue is covered in as many aspects as possible. \n\nThe order of submissions does not matter, but the more wardens find the same issue, the less money each warden receives for this issue. Details can be found [here](https://docs.code4rena.com/incentive-model-and-awards). \n\nLastly, any questions or uncertainties about the severity of a reported issue can be clarified using the judging criteria found [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk).", "Question: How can a team acquire the backstage role at CodeArena?\n\nAnswer: A team at CodeArena can acquire the backstage role by fulfilling certain requirements. One of the ways to qualify is by submitting 3 or more accepted Medium severity issues. However, this isn't the only route. Other criteria include identifying a high severity vulnerability, or generating a QA or Gas report with a score of over 85. Additionally, certified contributors may be considered for backstage access based on their number of findings and participation in contests. Once they believe they meet these requirements, they can submit a Help Desk request to confirm their eligibility. 
It's also worth noting that backstage access permits users to view submitted reports during the triage process and on GitHub, and to view issues reported for past contests on the website. More specific details regarding the backstage role and its requirements can be found in the documentation at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: How does CodeArena handle taxation and invoicing for contest income? Is there a specific process in place, regardless of the participant's location?\n\nAnswer: CodeArena does not directly handle the taxation of contest income. It is the individual participant's responsibility to manage their taxes. For creating an invoice for the rewards received from a competition, participants can refer to our comprehensive guide available at the bottom of this page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. This document provides necessary information and guidance to create an invoice and handle tax-related questions. Please note that for some contests, you may need to complete a KYC form to receive prizes, which can be found here: https://docs.code4rena.com/roles/certified-contributors. We recommend consulting with a tax professional in your country of residence to understand specific regulations regarding income from contest winnings.", "Q: Where can I find the CSV file that contains all rewards based on each finding that used to be at _data/findings/findings.csv?\n\nA: CodeArena previously hosted a CSV file detailing all rewards based on each finding at _data/findings/findings.csv, however, this file got deleted. The current version of this file can now be accessed at [https://code4rena.com/community-resources/findings.csv](https://code4rena.com/community-resources/findings.csv). This file includes valuable information about the findings, rewards, duplicate reports, and the grading of each finding. 
You can reference this file with the contest report for a full overview of the findings and payouts. Additionally, you can also find detailed information about each warden's rewards for each bug per contest. The file can also be parsed to create a table with all wardens and their deduplicated findings. The findings.csv file is part of CodeArena's public findings repo, links to which can be found in each report on the C4 website. For more detailed analysis and understanding, you can also view the scoring breakdowns for past contests on each contest page on the C4 website or from the #\ud83d\udce2announcements channel on our Discord server.", "Question: How can a team acquire the Backstage role at CodeArena (C4)?\n\nAnswer: To earn the Backstage role at CodeArena, a team must meet four certification criteria. One of the primary criteria is that the team must submit at least three medium severity findings that are accepted. Alternatively, a team can qualify for the Backstage role by participating in a minimum of three contests or by having one high severity finding. \n\nOnce a team believes that they have satisfied these criteria, they can submit a Help Desk request to have their status evaluated. Keep in mind that the requirements for the Backstage role are considered fulfilled when awards are announced and added to the leaderboard. \n\nIt's also important to note that the Backstage role provides access to findings for triaging after a contest has ended and that the findings must be made public for the role to be granted. 
\n\nFor further information on the certification process, its requirements, and additional information on roles at Code4Arena, please refer to the official documentation at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: What does the error \"EvmError: OverflowPayment\" mean when it appears after using the fulfillRentalOffer{value: 3}(0) function call and how does it impact the smart contract transactions?\n\nAnswer: The error \"EvmError: OverflowPayment\" typically occurs when a balance overflow has been encountered during a transaction. In this case, it could mean that the amount being transferred or received by the smart contract is exceeding the maximum value that can be held. \n\nIt's important to note that in an Ethereum Virtual Machine (EVM) environment, each slot is 32 bytes, and any extra space in an address field is filled with left padding filled with zeroes. This could also be a factor contributing to the overflow error.\n\nThe error might have stemmed from the use of the function call \"fulfillRentalOffer{value:3}(0)\" in a web3 console. The \"value\" parameter in such a call, especially in instances like an \"eth_call\" in Quicknode, refers to the amount of ether sent with the message call. If the value specified in this call exceeds the available balance or the maximum limit of the smart contract, an overflow error could occur.\n\nWhile the error might not immediately put assets at risk, if a function call in a smart contract always reverts due to such an error, it could be considered a Medium or High finding depending on the context. It's essential to address such issues to ensure efficient operation of the smart contract and prevent potential issues in future transactions.\n\nUnderstanding the exact reason and context for this error might require analyzing the transaction and decompiled bytecode. 
A tool such as Snowtrace (https://snowtrace.io/tx/0x0806bc0a28e4d808ac4dba25997e4b68b40595e003adbaa758ce4894ee20e15a) could be used to identify the reason for the transaction getting reverted.\n\nFor a deeper understanding of the EVM behavior and specific opcodes, you might want to refer to resources such as https://www.evm.codes/#ff. Lastly, if you want to learn more about the eth_call and how it interacts with the EVM, check out this walk-through video: https://www.youtube.com/watch?v=bEUtGLnCCYM.", "Question: How can I find a report similar to Venus Protocol for reference when searching for bugs in smart contracts? Also, what tools and resources are available for finding vulnerabilities, and how are bounties handled if similar bugs are reported by different people?\n\nAnswer: CodeArena conducts audits similar to Venus protocol which involves lending and borrowing. You can use these audits as a reference point when searching for bugs. Detailed examples of bug reports can be found at https://github.com/code-423n4/2022-12-caviar-findings/issues/141 and https://code423n4.com/reports. \n\nTo find vulnerabilities and bugs in smart contracts, there are tools such as Metatrust (https://app.metatrust.io/project) for price manipulation vulnerabilities and other tools for comparing differences between contracts. You can also use information about protocols that CodeArena has audited on other bug bounty platforms to enhance your profile and understanding.\n\nIn case two people submit the same or similar bug, the bounty price is handled equitably. The overall value of the bug is reduced and split based on how many people find it, there's no difference in payout between the first to find a bug and anyone else who finds the same bug. 
\n\nFor more detailed information about exploit smart contracts and flash loans, you can refer to previous competition findings like https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137 and https://github.com/code-423n4/2022-12-caviar-findings/issues/376. \n\nRemember, understanding loan-to-value calculations and the differences between flash minting and flash loans can be useful in auditing certain smart contracts. However, please note that all bugs/gas optimizations mentioned in publicly known issues might not be valid for other files within the same repo. \n\nCodeArena operates similarly to a bug bounty platform where prize pools and fees are defined upfront, and you can also explore other websites like https://immunefi.com/, https://spearbit.com/, and https://hats.finance/ for getting rewarded for auditing smart contracts.", "Question: How can I view, edit, and add to my findings in the report, which currently only displays unique findings?\n\nAnswer: To view, edit, or update your findings, including adding more to your gas or analysis report, you need to navigate to the contest page and then click on the \"Your Findings\" button. This page allows you to track your report status, see and edit your findings, and submit additional ones. Remember that only findings submitted by you or your team are visible until the final report is made public. \n\nTo gain insights into any duplicate findings or rejections, you can refer to the 'findings.csv' file on our GitHub page [Link](https://github.com/code-423n4/code423n4.com/tree/main/_data/findings). This file contains data about all wardens' deduplicated findings and can help you understand what has already been covered. \n\nPlease note that while you can submit multiple findings, only one gas optimization report can be submitted per contest. Also, it is acceptable to submit a single report containing all occurrences of the same issue. 
Lastly, know that there is a process for which reports get featured in the client report, and all findings become public once the report is published.", "Question: How does the submission process differ when working as an individual versus as a team in Code4rena? How do bug statistics and rewards distribution work in the context of team participation?\n\nAnswer: The submission process for Code4rena allows participants to contribute either individually or as part of a team. If you are part of a team, you can choose to submit findings either as an individual or on behalf of your team via the submission form [here](https://docs.code4rena.com/roles/wardens/sub). \n\nWhen a team submits a finding, the entire team receives the bug stats. The payout, however, is issued as a single payment to the team. The team then has the discretion to distribute these funds among its members as it sees fit. This process is described in more detail [here](https://docs.code4rena.com/roles/wardens).\n\nIf two people are part of the same team and submit the same finding using different wallets, each individual gets less than half of the reward, as per the [incentive model and awards](https://docs.code4rena.com/#incentive-model-and-awards). The order in which wardens report a duplicate bug does not impact how much they get paid, and the same rule applies for high/medium bug reports.\n\nIn terms of leaderboard representation, if a warden makes contributions both individually and as part of a team, they will appear separately on the [leaderboard](https://code423n4.com/leaderboard/). \n\nTo register a team, users can follow the method outlined [here](https://docs.code4rena.com/roles/wardens#registering-a-team). Note that once a team is approved, members can log into their Code4rena account as usual and switch back and forth between their individual account and their team account before submitting. 
\n\nIn conclusion, individuals can choose to work solo or as part of a team, but remember that all rewards go to the team when submitting as a team. It's crucial to read and understand the [submission policy](https://docs.code4rena.com/roles/wardens/submission-policy) and the [incentive model and awards](https://docs.code4rena.com/awarding/incentive-model-and-awards) for a smooth and rewarding Code4rena experience.", "Question: How can I edit my submissions or findings for a CodeArena contest?\n\nAnswer: Yes, you can edit your submitted findings for a CodeArena contest. To do so, you need to navigate to the contest page and click on the \"Your Findings\" button. Here's an example link: https://code4rena.com/contests/2023-02-ethos-reserve-contest. It's important to note that contestants can edit their submissions until the contest closes, after which you won't have access to modify them. If you need to withdraw a submission, you can do so under the same \"Your Findings\" section. If there's a need to edit a finding after the contest closes, you will have to create a help desk request with all the relevant information and the update to the finding. \n\nPlease remember that findings are reviewed at the end of the audit period, and currently, findings of a contest cannot be viewed after it finishes but before the results are published. Following a contest close, there is a certain period of time before the findings repo becomes publicly available for discussion. The specific duration is not mentioned. Participants can track their report status and see and edit their findings in the \"findings\" tab next to the contest description. The findings from the contest are confirmed and discussed after the contest ends.", "Q: How can I participate in CodeArena's Bot Races, is there a qualification process, and how can I learn about upcoming Qualifier Races?\n\nA: Yes, participation in CodeArena's Bot Races is possible, but it does require a qualification process. 
Bot Races are a competitive event where users are rewarded for findings made with AI. Bot Races are generally held for the first hour of an audit. \n\nTo participate, you would need to form a bot team and register your bot during the qualifier rounds which are held every few weeks. The process of creating a bot team involves registering the bot during the qualifier. The results for bot qualifiers are often announced within a week. \n\nThe next bot qualifier race's information can be found in the #\u270brsvp channel on Discord. Updates about bot qualifier races are also periodically posted in this channel. \n\nKeep in mind, the bot race registration is not always open, and if your bot finds a high or medium finding, it only gets the bot pool reward based on the bot race rank. Bots can only gain more rewards by having more points and shifting the rank cutoffs, thus bumping others to lower ranks. \n\nFor more detailed information about Bot Races and the registration process, you can visit https://code4rena.com/register/bot. You can also join the discussion about Bot Race related issues in the #bot-race-help channel on Discord.\n\nPlease note that users cannot receive a reward for findings made with AI like ChatGPT, if they wish to use AI in auditing, they're advised to enter the bot races instead.", "Question: How can I edit my submitted findings in a CodeArena contest after I initially submitted them?\n\nAnswer: Yes, it is possible to edit your submitted findings in a CodeArena contest. To do so, navigate to the contest page, click on the \"Your Findings\" button, and make the necessary changes. You can edit your findings, including QA reports and bug issue submissions, through this process as many times as necessary until the contest closes. For example, if you have submitted a correct bug issue but your proposed solution is incorrect, you can update your submission before the close of the contest. 
\n\nYou can also modify the severity of reported bugs after submitting them, but this must be done before the contest ends. If you wish to check your submitted findings or their status without modifying them, you can do so on the same contest page under the \"findings\" tab next to the contest description. \n\nKeep in mind that the level of detail in your submission, such as the inclusion of a Proof of Concept (PoC), can influence the value of the award for your findings. If you believe there is a bug in the award math, you can contact one of the judges. \n\nIf you need to withdraw a submission after the contest has closed, you can create a helpdesk request for it. However, editing is typically not allowed after the contest has closed. \n\nTo access the contest page, you can use this link: https://code4rena.com/contests/2023-02-ethos-reserve-contest.", "Question: How can I execute the 4nalyzer to analyze all contents within a specified folder using the scope.txt file?\n\nAnswer: The 4nalyzer tool, found at https://github.com/Picodes/4naly3er, requires a specific scope.txt file to execute an analysis. It cannot analyze an entire folder at once. However, you can specify within the scope.txt file the contents you want the tool to analyze. Please note that the 4nalyzer tool is used to find Publicly Known Issues and its latest version is named Analyzer. Refer to the official documentation at https://docs.code4rena.com/ for more information about how the tool works and how to use it effectively. Users have reported issues with running the tool globally, so please be aware of this potential limitation when using the tool.", "Q: How can I expedite the approval process for my team's registration for a CodeArena contest and what steps can we take to submit our findings as a team?\n\nA: The approval process for a team's registration for CodeArena contests typically takes a few business days. 
Once approved, you and your team members will be able to log in and submit your findings as a team. However, the exact process for doing so hasn't been thoroughly detailed.\n\nThe time taken for your findings to be reviewed can vary with each contest and may sometimes take as long as six weeks. The findings you submit may not always make it to the final report, the reason for which might not be immediately known. To check the status, you may need to wait until the reports are published, which usually takes at least a month. \n\nIn case of delays during the approval process, you can open a help desk request at [https://code4rena.com/help](https://code4rena.com/help). Do note that after registration with Provenance and KYC approval, there is a processing period and our team will process your role after receiving confirmation. \n\nIt is also important to clarify that while you can submit issues as a team, if you're part of a team, you can choose to submit solo findings whenever you want. The submission form allows members to select whether they're submitting as an individual or as a team member. Be aware, some users have experienced issues with team registration visibility on their profiles and with the submission process, which we are actively addressing.\n\nFor instance, some users reported problems when submitting findings to the Escher contest, where they saw 'No findings submitted for this contest' despite having submitted their findings. If the submission fails, the form should return an error. If you encounter such a problem, please let us know through our help desk.\n\nThe judging process for contests might take a lengthy time period, with factors beyond the judge's control contributing to delays. Such delays could also be due to slow sponsor review. 
We appreciate your patience and understanding during this process.", "Question: Can I change my username on CodeArena, and if so, what are the implications?\n\nAnswer: At present, CodeArena does not support direct username changes on the platform. To change your username, you would need to re-register with a new username. It's essential to know that this process will affect your account's registration status, particularly if you are registered as a warden. \n\nIf you change your username, your leaderboard statuses and submissions under the previous handle are not transferable to the new account. This implies that if you were on the leaderboard, you would need to start afresh with the new name.\n\nPlease note, some users have reported issues finding their usernames on the list during the new registration process. The team is currently investigating this. \n\nIt's possible to update your Discord name on the Account Management page of your warden profile. However, your Discord nickname should remain as your registered C4 username to avoid any confusion. \n\nAdditionally, changes to your displayed username or Twitter username do not directly affect your C4 account. To change your Twitter username on CodeArena, you can create a help desk request at https://code4rena.com/help. \n\nUsers have questioned the possibility of registering another account with the same email or GitHub address, or even switching to using a username and password for login, but at the moment, there has been no clear confirmation on these possibilities. \n\nFinally, there's no need to worry about changes to the registered wallet (login address) on the platform; you can also do this. 
\n\nPlease keep in mind that these rules are subject to change, and we recommend checking the latest information on our website or contacting our support team if you have any questions.", "Question: What tools and techniques are recommended for testing code coverage in CodeArena audits?\n\nAnswer: CodeArena recommends a variety of tools and techniques for testing code coverage. Automated findings can be detected using specific tools, one of which is the Foundry framework. It not only helps in writing tests but also provides tools for checking aspects like storage. \n\nFor analyzing lines of code, 'cloc' is a useful tool. However, for Solidity contracts, there are differences in the measures of lines of code, when using Solidity Coverage (https://www.npmjs.com/package/solidity-coverage) and Solidity Metrics nSLOC (https://github.com/ConsenSys/solidity-metrics).\n\nFor testing contracts downloaded from Github, tools like Mythril and Slither are recommended. Additionally, auditors often use the existing test environment in the repository or write new test cases to confirm code functionalities. In case there's no test setup in the C4 repo, auditors are advised to check the sponsor's GitHub for a potential test setup or isolate the code for testing.\n\nHigh-quality and high-quantity findings are encouraged, and participants can compare their findings with winning reports found at https://code4rena.com/reports/2022-09-artgoblers#low-risk-and-non-critical-issues. If tests lack coverage of significant functionality, auditors may list it as a NC issue in a QA report.\n\nFor gas savings, the Hardhat gas report plugin is a recommended tool. Reports or POCs (Proof of Concepts) may be linked for QA reports, and tools like Markdown and hackmd are useful for improving report presentation. \n\nAdditionally, to facilitate the auditing process, CodeArena is developing a tool located at https://github.com/HardlyCodeMan/audit_helper/. 
Please bear in mind that participation in test-coverage is currently open only to certified wardens, as outlined at https://medium.com/code4rena/new-to-code4rena-test-coverage-c548645404f9.", "Question: What tools and methods can be used for calculating and referencing lines of code in smart contract audits conducted by CodeArena?\n\nAnswer: CodeArena employs various tools and methods for auditing lines of code in smart contracts. The primary tool for calculating lines of code (LOC) is 'cloc' (Count Lines of Code), an open-source tool that helps measure the lines of code in a software project, excluding comments and whitespace. In the context of CodeArena, LOC often refers to SLOC (Source Lines of Code), which subtracts the number of comment lines from the total. \n\nReferences to specific lines of code in the audit reports can be made in various ways. Some auditors prefer to leave direct links to the code on GitHub, while others refer to a specific file and line number. To link to specific lines of code on GitHub, users can click on the code line on the left tab, which changes the URL. Holding SHIFT can capture a range of lines. \n\nA VS code extension called \"Copy With Line Numbers\" is often used to get code snippets with line numbers. Additionally, differences between distinct lines of code can be effectively managed using diff tools available on platforms like Linux. \n\nUsers can include replaced lines in their submissions using these tools, and some auditors automate the process of finding potential issues in the code. There are also discussions around the inclusion of line numbers in code snippets for high and medium issues, and how mathematical expressions will be displayed on the GitHub findings repo.\n\nFurthermore, there's an ongoing conversation about whether adding a link to a sponsor's Github repo code in a findings report would automatically pull in that code snippet to the report. 
As of now, this does not happen automatically.\n\nHowever, it is important to note that these practices can vary and may be subject to ongoing discussions within the CodeArena community. \n\nLinks:\n- cloc: https://github.com/AlDanial/cloc\n- VS Code Extension \"Copy With Line Numbers\": https://marketplace.visualstudio.com/items?itemName=satokaz.vscode-line-select\n- Solidity Coverage: https://www.npmjs.com/package/solidity-coverage\n- Solidity Metrics: https://github.com/ConsenSys/solidity-metrics\n", "Question:\nI'm experiencing difficulties when trying to log in to the CodeArena platform. It tells me that I'm logged in after entering my credentials, but the interface remains the same as if I'm not connected. What are the possible solutions for this issue?\n\nAnswer:\nWe're sorry to hear you're having trouble logging in. This is a known issue that some users encounter, where the system acknowledges their login but the interface does not update to reflect this. Here are a few potential solutions:\n\n1. Ensure you're using the correct wallet or email associated with your account, as some users experience login issues due to mismatched credentials.\n2. If you're connecting a wallet like Metamask, make sure it's properly integrated and functioning.\n3. You can try switching to using a username and password for login if you're currently using a wallet.\n4. Clear your local storage as some technical issues on the site may be related to it.\n5. If you are trying to submit a finding, you may need to check if your GitHub account is logged in and it's the same account given for C4.\n \nIf the problem persists, please contact our #auth-help channel for further assistance. In some cases, our team can manually update the database to resolve the issue. We recommend trying a different browser or refreshing the page as some users have found these steps helpful. 
\n\nFor any other issues such as creating submissions, joining private contests, or accessing certain features, please let us know so we can provide more targeted assistance. \n\nFor more information visit [CodeArena website](http://www.code4rena.com).\n\nPlease note, if you're a new user and are trying to log gas remaining after the state variable update using foundry, you might encounter difficulties. This is a separate issue that needs to be addressed separately.", "Question: What avenues are available for submitting feedback and communicating on the CodeArena platform?\n\nAnswer: CodeArena has several avenues for communication and feedback within the platform, mainly through our Discord server. You can make use of the #\ud83d\udce5suggestion-box for submitting feedback and suggestions. Participants' feedback can greatly influence our operational priorities. Additionally, each contest has a dedicated channel where general questions can be posed. Sponsors' team members are also readily available for questions via Direct Message (DM). If you have suggestions to improve the website, leaderboard system, contest processes, or our Discord setup, your ideas are always welcome in the suggestion box. \n\nFor website-related discussions, you may also submit pull requests with your ideas directly to our GitHub. If you have specific concerns about bug submissions or need clarifications on certain issues, it is suggested to contact us via the contest channel or direct messages. You can also direct message our CodeArena staff members if needed.\n\nIn case of new updates or announcements, please refer to the #\ud83d\udce2announcements channel on our Discord server. There's a suggestion to create an #audit-reports announcements channel where a new message is posted whenever a new report gets published on the CodeArena website. This feature, however, is not yet implemented. 
\n\nEarly feedback on submissions for improving audits may be available, with an associated link to the judge's post available at https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440. \n\nNotably, there has been a discussion about having an editing feature for submitted findings to ease the burden on the team handling tickets, but this feature is still under consideration. For any other issues, users can create a help desk request.", "Question: How can I use https://wallet.polygon.technology/ in relation to my CodeArena account, and what other relevant services does it offer?\n\nAnswer: The https://wallet.polygon.technology/ is a crucial platform for all CodeArena users. Firstly, you should put your Polygon address in your CodeArena account. This is because rewards from contests are paid out in USDC but over the Polygon network. Therefore, to receive these rewards, you need to register your handle and Polygon address. \n\nThe site also offers several important functionalities. For example, you can use it to swap gas at https://wallet.polygon.technology/gas-swap/. This can be particularly useful as transferring coins from a wallet requires Matic to pay the fee. \n\nAdditionally, you can use the Polygon bridge available at the same site to move your funds back to the mainnet. Monitoring your tokens is also possible at https://polygonscan.com/address/. However, issues such as zero balance on your Metamask wallet can potentially be resolved by adding USDC on Polygon to the wallet. \n\nRemember, regardless of wallet settings, funds will be sent to your address, and you control the key to that. To move the funds, you need to send a transaction on Polygon. Always be cautious and ensure the security of your wallet to prevent unauthorized transactions. 
\n\nFor any smart contracts you build on Polygon, remember that they can be audited by CodeArena.", "Question: Can you provide information or resources on understanding and working with the tx pool (geth) in Ethereum, particularly in relation to smart contract audits?\n\nAnswer: Unfortunately, we do not have specific resources on the tx pool (geth) at the moment. However, for auditing smart contracts, you can further your understanding by studying the Geth node and Web2 security within the context of Web3, as discussed in our chatroom. \n\nFor practical application, you can utilize the public testnet to test your smart contracts, especially for complex state scenarios or those involving large numbers of users. You might want to consider tools like Mythril and Slither for testing contracts downloaded from Github. If you're interested in observing smart contract interactions, you could potentially use Surya, though it might be outdated. \n\nIf you're working on the Ethereum mainnet, you may want to use automated tools to verify if a contract has been initialized. Moreover, it's important to understand the reports and concepts related to smart contracts. For troubleshooting, Ethereum StackExchange can be a good resource: https://ethereum.stackexchange.com/q/140937. \n\nPlease note, there was a discussion about the challenges related to executing foundry fork testing on the polygon POS network and decoding topics/data from event logs without using the web3 library, only with information from Etherscan. You might face similar challenges.\n\nLastly, it's crucial to secure your contracts. We had a user whose Polygon wallet was compromised leading to unauthorized transactions. 
Therefore, understanding blockchain forensics analysis, particularly for incidents and hacks related to smart contracts, could be beneficial.", "Question: How can I effectively use Foundry for local fork testing in the Polygon POS network?\n\nAnswer: Foundry is a powerful and versatile tool often used for local fork testing in networks like the Polygon POS. The primary advantage of using Foundry is that it eliminates the need to grab testnet tokens for transactions, thus reducing wait times on blocks. Moreover, Foundry can fork its state from public testnets or even mainnets, which makes it a convenient option for testing smart contracts.\n\nYou can also use Foundry to test scenarios in a local environment, which provides an alternative to public testnets. However, please note that some users have reported issues with opcode support in Foundry, and difficulties logging gas remaining after a state variable update. \n\nAdditionally, there are features for transaction prioritization within Foundry tests. This means that you have the control to run transactions by calling functions in the order you desire. \n\nIf your project uses Brownie for testing, you might wonder if it can be written in Foundry. While no explicit information on this was observed, it seems feasible given Foundry's broad usability. Some users have also asked about installing Foundry with Docker, indicating that Foundry can likely be used alongside other tools.\n\nIf you want to deploy a contract on Foundry that takes a struct as an argument in the constructor, or need to send Ether with the constructor while deploying a contract, you might encounter difficulties. 
No specific solutions were observed in these cases, indicating that these might be advanced topics or common challenges when working with Foundry.\n\nLastly, while it's acceptable to show a proof of concept against a block number known to work on a testnet fork with state changes, take care to avoid polluting the testnet with unnecessary data. Local forking is not only more convenient, but also more responsible as it doesn't contribute to unnecessary data accumulation.\n\nPlease note that while Foundry is a great tool, you might need to refer to other resources or seek expert advice for specific or complex issues. For installation, 'npm install foundry' has been suggested as a potential solution.", "Question: \nWhat are the KYC requirements for participation in CodeArena's contests like the BASE and Maia DAO Ecosystem contests, and how do these impact the receipt of rewards?\n\nAnswer: \nCodeArena's contests can have varying KYC (Know Your Customer) requirements. For instance, the BASE contest requires all team members to undergo KYC verification for participation and in order to receive payment. If any team member has not completed the KYC process, the team may face difficulties in claiming the prize. \n\nOn the other hand, the Maia DAO Ecosystem contest does not require KYC, making it more straightforward for participants. However, please note that even if a contest does not require KYC for participation, it might be required to claim the prizes. \n\nTo comply with the KYC process, participants can apply for KYC certification. After successful completion, they become certified contributors, giving them access to participate in private contests and receive rewards from them. However, even with KYC approval, there may be instances where certain private contests may not be accessible if they have already been assigned.\n\nIn general, participants do not need to be KYC'd or certified to participate or receive rewards in most contests, unless specifically stated. 
In addition to this, uncertainties exist around what happens to the reward if a team cannot claim it due to KYC issues, with it being unclear whether the prize will be on hold until they complete the KYC or if it's gone forever.\n\nFor more details on the certification and KYC process, please visit: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. For information about specific contests, check the applicable channels or the contest's details. \n\nPlease bear in mind that the KYC process can be time-consuming, and there might be delays. Therefore, if you anticipate participating in a contest that requires KYC, it is advisable to start the process early.", "Question: Can I modify my issue submission after I have sent it, and how can I do that?\n\nAnswer: Yes, you can edit your issue submission after it has been created. To edit a submitted issue, you need to be logged in and navigate to the contest page. Here, you will find the \"Your Finding\" button located above the contest details. Users can edit their submission as long as the contest is still ongoing, and this includes altering the severity of reported bugs, updating incorrect proposed solutions, or adding additional errors you might have missed in your initial submission. \n\nIf the contest has closed, you may still change the severity of the bug report by contacting one of the judges or through the PR. However, it should be noted that your initial submission might still be publicly available in the edit history. \n\nYou can also withdraw your old issue and create a new one if you wish to submit a different issue instead. You can do this by going to the \"Your Findings\" section on the contest page and withdrawing your findings. \n\nIn the case where your issue involves various lines changed, you can send a git patch or a PR to the repo. 
If your submission exceeds the character count or needs to be increased in severity, you can submit a help request to remove the original submission and then submit again via www.code4rena.com/help. \n\nAdditionally, if you have submitted an issue and want to reference it in another submission, you can do so by finding the ID at the end of the URL of your submitted issue and referring to it in your new submission. \n\nRemember, you can only submit one QA issue per contest, but you can continuously update it as new errors are discovered or if other modifications are required. We encourage you to review your issues carefully before submitting them and make use of the option to edit your submissions to ensure they are as accurate and complete as possible.", "Q: I have received my reward on Polygon and have connected it to my MetaMask wallet. How can I convert this into EUR and withdraw it, potentially using the Ethereum mainnet and Coinbase? \n\nA: You can definitely convert your award from Polygon to EUR by utilizing your MetaMask wallet and Coinbase. Here's a step-by-step guide: \n\n1. First, ensure you have the Polygon network set up on your MetaMask wallet. You can switch your network to the Polygon Mainnet within MetaMask and monitor your tokens at https://polygonscan.com/address/. \n\n2. Next, you will need to bridge your funds from the Polygon network back to the Ethereum mainnet. You can use the Polygon bridge at https://wallet.polygon.technology/. Note that if you choose to use the Polygon bridge, you will need both Matic and Eth to conduct the transfer. An alternative is the Hop bridge, which only requires Matic, but you might receive less USDC on the Ethereum Mainnet.\n\n3. Once your tokens are on the Ethereum mainnet, you can withdraw them as USDC on Coinbase. If you don't see your tokens, they can be manually added to MetaMask. \n\n4. 
Lastly, on Coinbase, you can then sell your USDC for EUR and withdraw it.\n\nRemember, the rewards are paid out in USDC on Polygon's Mainnet, not on the Ethereum Mainnet. Also, there might be the need for Matic (a type of cryptocurrency) to transfer your award to another wallet. If necessary, Matic can be swapped without gas fees at https://wallet.polygon.technology/gas-swap/. \n\nAnother thing to note is that if you have any issues with your MetaMask wallet displaying your reward, you can paste your public keys into Code4rena for issue resolution. \n\nIf you intend to exchange your USDC on Polygon to BTC, this would be a completely different process, and we would recommend seeking specific advice on this. Similarly, transferring tokens from the Polygon network to the BNB network would likely involve using a platform like Binance.", "Q: How can I review and edit my submitted findings and understand the reasons for any rejections?\nA: Users can review and edit their submitted findings by navigating to the specific contest page on CodeArena and clicking on the \"Your Findings\" button. If you have submitted a Quality Assurance report for the first time and encounter an error, you can confirm the successful submission by checking your email for confirmation or viewing the findings through the \"View Context\" function. All submissions are confirmed via email and can also be viewed on the C4 Contest page under the \"Findings\" tab. If you have submitted a low-risk finding and want to submit additional findings, you can do so through the same \"Your Findings\" button.\n\nConcerning understanding the reasons for rejection of your findings, participants can review this once the report is published and the findings repository is made public. This will allow you to see the discussion among sponsors and judges around the specific issue. 
To see what a high-quality submission looks like, users can check previous reports at https://code423n4.com/reports.\n\nPlease note, some users have reported issues with submitting findings or seeing 'No findings submitted for this contest' error despite having submitted their findings. If you encounter such issues, please contact support for further assistance.", "Question: How is the duration for an audit of a project, like Maia DAO, determined, and does it correlate with the Source Lines of Code (SLOC)?\n\nAnswer: The duration for an audit of a project does not appear to be directly proportional to the size of the source code or SLOC as seen from the variations in contest duration like Basin and PoolTogether, in contrast to the project Maia DAO, which has 12K SLOC but only a 20-day audit duration. There have also been concerns raised in the community about whether this limited duration is sufficient for larger codebases, as it might render the review less thorough and potentially miss bugs. However, it's important to note that these timelines are likely influenced by a variety of factors beyond the SLOC, including the complexity of the code, the availability of analysis reports, and the specific requirements of the contest or audit. For further understanding, you may refer to a recent CodeArena report here: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations. As for standardizing the LOCs across different contests, it has been suggested but not yet implemented. The determination of SLOC may also differ based on the tool used, such as Solidity Coverage or Solidity Metrics nSLOC.", "Question: How can I qualify for the backstage role at CodeArena and what are the steps in obtaining it?\n\nAnswer: To qualify for the backstage role at CodeArena, one must first be a certified contributor. 
This process is detailed at [CodeArena's Certified Contributor page](https://docs.code4rena.com/roles/certified-contributors).\n\nOnce certified, you must meet certain criteria, such as having a valid high severity finding, three medium severity findings, or a QA or Gas report with a score of over 85. Additionally, participating in a minimum of three contests could also meet the requirement for backstage access. \n\nAfter meeting these criteria, you can request backstage access through a help desk request. This process, as well as a more detailed explanation of the requirements, is outlined in the [Backstage Warden documentation](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). \n\nPlease note that it's also possible to get a backstage+ role which requires meeting four minimum criteria, according to their documentation found at the same link. For backstage+ access, a high finding or 3 med findings are needed. However, the findings should be public for the role to be received. \n\nAs a backstage warden, you gain access to view reports of past contests among other privileges. \n\nRemember, if you're a certified contributor and believe you meet the criteria, you can confirm your eligibility by submitting a help desk request.", "Question: What are the guidelines for using markdown formatting at CodeArena?\n\nAnswer: At CodeArena, markdown formatting is widely used and accepted in various forms such as in issue titles, submissions, and reports. When submitting, a markdown template is proposed, and the submission form on CodeArena permits markdown to format the text. Markdown formatting can also be included in the findings body of a report, and links can be included in the small box. If mitigations are involved, markdown can be used to write the code in the report. Code can be formatted in a submission issue form using markdown and adding code blocks in reports can be done using markdown to ensure it reads correctly in the report. 
A useful guide to doing this can be found at [Github Document](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks).\n\nImages and Github code can be embedded in reports using markdown, with resources available at [Github Document](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images) and [Markdown Guide](https://www.markdownguide.org/basic-syntax/#images-1) respectively. A dollar sign can be used without creating a mathematical expression by typing \"$\". Also, reports can be written using platforms like Github, Joplin, VSCode, Notion, etc. as long as the tool supports markdown.\n\nWhile we encourage the use of markdown, it's important to note that the findings report page does not support HTML tags, and it's advised to use Markdown instead. However, the submission preview supports mermaid syntax. If you're unfamiliar with markdown, a useful resource can be found at [Markdown It](https://markdown-it.github.io/).", "Question: I submitted a help desk request but haven't received a reply yet. What should I do?\n\nAnswer: At CodeArena, we strive to ensure all help desk requests are addressed in a timely manner, typically within 1-2 business days during normal business hours. However, please note that we do not reply on weekends. If you have submitted a help desk request for any issue, including status updates, user profile changes, team modifications, or any other inquiries, rest assured that your request has been received once it has been submitted and confirmed. \n\nSometimes, the response time may extend up to a week depending on the nature of the request. Meanwhile, you can check the status of your request. 
If you haven't received an email confirmation after submitting your request or if you're experiencing errors while submitting requests, we recommend re-submitting your request at https://code4rena.com/help. \n\nIf you still do not receive a response after re-submitting, it might be possible that we are temporarily 'Out of Office'. We appreciate your patience and assure you that your request will be attended to as soon as possible.", "Question: Is there a possibility of precision loss due to the division operation before multiplication in the expression Profit = allProfit - ((allProfit / 100) * fee), and if so, what's the potential impact?\n\nAnswer: The potential for precision loss in the given expression is indeed possible. Precision loss occurs when dividing allProfit by 100 before multiplying by the fee, due to the nature of integer division not preserving fractional parts. This precision loss could potentially lead to a slight discrepancy in the calculated profit.\n\nThe impact of this precision loss varies and is dependent on several factors, such as the amount of allProfit and the value of the fee. In scenarios where the precision loss results in a lower-than-expected profit, it might be classified as a medium severity issue. However, it requires a Proof of Concept (PoC) to confirm the practical implications and the extent of the impact.\n\nIt's worth noting that such precision loss issues could potentially lead to other effects, such as the user receiving fewer rewards than expected, or even lose funds if improperly managed. In such a case, the severity of the issue can be escalated to high, especially if it leads to a direct loss of assets or grants arbitrage opportunities.\n\nIn case of doubt, it's always recommended to consult with an audit expert or use automated tools to identify such issues in your smart contracts and mitigate possible risks.", "Question: I received a confirmation email from Provenance regarding my KYC. 
How much time will it typically take for my role to be processed on CodeArena (C4)?\n\nAnswer: Once you receive a confirmation email from Provenance regarding your Know Your Customer (KYC) approval, there is a processing period for your role to be updated on CodeArena (C4). Typically, Provenance sends the KYC mail within one business day after your application is submitted, but responses to KYC requests can sometimes take over a week. Once Provenance confirms your successful KYC, it usually takes a few more days for the role to reflect on your profile on CodeArena's end. \n\nPlease note that the initial email from Provenance in the Certified Warden verification process doesn't have a specified delivery timeframe, and the actual KYC process can take several days to complete. In some cases, it might take 2-3 weeks to receive the KYC email after submitting an application to become a certified warden. The email will be sent from compliance@provenance.company or kobus@provenance.company, and it's suggested to also check your spam folder.\n\nIf there is a delay or no response after a few days, it's recommended to open a help desk request at CodeArena for them to track your situation. You can do so by visiting https://code4rena.com/help. Be sure to keep an eye on your email for further updates regarding the status of your certification process or any additional information from Provenance. Remember, the process may vary depending on various factors, including the back and forth between you and Provenance.", "Question: Is precision loss possible in this code due to division before multiplication, and how can I validate and mitigate such issues with smart contracts?\n\nAnswer: Yes, precision loss can occur in code due to division operations carried out before multiplication. Our bot at CodeArena is advanced enough to identify such issues concerning division-before-multiplication and resultant precision loss. 
If suspected, such issues can be validated by developing a Proof of Concept (PoC) to support the claim. \n\nThe severity of a precision loss issue can be classified as medium, as long as the damage done by the issue is significant and justifiable. The severity classification also depends on the maximum value that could potentially be lost due to the precision loss and its likelihood of occurrence.\n\nIn terms of mitigation, it's essential to understand that not all gas optimizations are valid, especially when the optimizer is enabled. Hence, careful consideration is needed when reporting such optimizations. Formula optimizations can also have a substantial impact, and may result in a medium to high \"share\" allocation, depending on the type of optimizations found. \n\nIt's also important to note that the amount of gas saved from refactoring might affect the grade of the submission. Therefore, providing proof of how much gas can be saved due to the refactoring may significantly impact the decision-making process.\n\nFurthermore, for gas optimization, it's generally recommended not to initialize default variables to 0. This could save some gas and help avoid precision loss issues.\n\nIf you discover such a precision loss issue in a smart contract, you can submit it as a medium issue in contests hosted on CodeArena, as long as the damage justifies it. Please refer to https://code4rena.com/contests/2023-08-arbitrum-foundation#top for more details on contest participation and rewards.", "Question: What is the typical duration of an audit on CodeArena, and what factors are considered while deciding the timeline, especially for large projects like Maia with 12K SLOC?\n\nAnswer: The duration of audits at CodeArena vary and are not directly proportional to the size of the source code. Historically, audit contests have been conducted within a range of 13 days to 5 weeks. 
For instance, an audit for Maia, a 12K SLOC project, was initially set for 20 days, but the project timeline was later extended to 5 weeks after discussions with the project team. The duration of an audit is strategically decided to maintain focused review and to not split attention between audits and other opportunities. However, it's important to note that there is room for flexibility based on the complexity of the project and the willingness of the project sponsor. \n\nConcerns regarding the thoroughness of the review due to time constraints have been raised, and it is recognized that larger codebases might necessitate more time for a comprehensive review. Care is taken to ensure that the SLOC count is accurately reported, omitting spaces and other non-code components. \n\nIt's essential to understand that the duration of an audit also includes time for project findings to be reviewed, which varies with each contest. Any concerns or discrepancies related to the audit process, SLOC counts, or timelines can be addressed through channels such as the project's Discord or the organization's documentation at https://docs.code4rena.com/structure/our-process. \n\nIt's also worth mentioning that CodeArena is open to running multiple contests simultaneously and has expressed aspirations to handle up to 20 contests a week. \n\nIn summary, while there is a standard process and timeline for audits at CodeArena, there is a high degree of adaptability to ensure the best possible audit outcome for each unique project.", "Question: Can the project timeline for a smart contract audit at CodeArena be extended, and what factors could influence this extension?\n\nAnswer: Yes, the project timeline at CodeArena can indeed be extended beyond the typical duration. Various factors could influence this extension. 
For instance, for larger projects like Maia with over 12K Source Lines of Code (SLOC), the project team was open to extending the audit duration to 5 weeks due to the extensive nature of the code base. However, any decision to extend the project timeline would typically require the agreement of the sponsor. \n\nGenerally, the longest duration for an audit at CodeArena has been three weeks, but there have been exceptions. The company also runs contests that can last up to 13 days, and the potential for longer durations has been discussed. \n\nThe time taken for the audit findings to be reviewed can vary with each contest. Also, the countdown timer might be implemented to ensure participants don't miss the submission deadline and there's a grace period provided on submissions.\n\nIt's important to note that while extensions are possible, they are not guaranteed and are typically granted on a case-by-case basis, mainly depending upon the project's complexity and the sponsor's agreement. \n\nFor more details on our process and estimated timelines, you can refer to our official documentation at [https://docs.code4rena.com/structure/our-process](https://docs.code4rena.com/structure/our-process).", "Q: Considering the audit for the Maia project with 12K Source Lines of Code (SLOC) scheduled for 20 days, there are concerns that due to its size some bugs might be missed. Could the audit time be extended for projects with larger codebases?\n\nA: The time allocated for an audit at CodeArena takes into account various factors, including the size of the codebase (SLOC), complexity of the code, and the current state of the project, among others. Although there is no direct proportionality between the duration of audit contests and the size of the source code, for larger projects like Maia, extending the duration may indeed be beneficial for a more thorough review. In fact, the project team for Maia was open to extending the audit duration to 5 weeks. 
\n\nIt's worth noting that while our process is designed to uncover as many bugs as possible within the allocated time, some bugs may still be missed. There were instances where bugs were found later in the process and if an error persists until the deadline, it is flagged for the development team to handle.\n\nAlso, it's important to be aware that some parts of the code, such as vulnerabilities pertaining to deployment or early actions like initializers, may not be included in the scope of the audit, especially for projects with already deployed code. There was also confusion around tests and peripheral code such as interfaces in the last audit. These pieces were lost because they were in separate repos.\n\nAdditionally, our auditing process can be a great learning opportunity even if you don't find bugs. Participants can engage in the audit process before their code is complete and the full process of participating in the audit is considered a good learning opportunity by many of our users.\n\nFinally, to understand the meaning of SLOC and the numbers added for every contract, and to learn more about our audit process, you can watch this talk by Quantstamp's Sebastian Banescu: https://www.youtube.com/watch?v=O1rKwDv5kLQ. It outlines how Code4Arena uses a process that consistently finds more bugs faster than other methods, with \"More auditors, more findings\" as a highlighted mantra.", "Question: What are the possibilities and methods for extending the project timeline of an audit at CodeArena?\n\nAnswer: Yes, it is possible to extend the project timeline for an audit at CodeArena. The extension can be up to 4 weeks or more, contingent upon the agreement of the sponsor. For instance, we've seen projects like Maia, with a large codebase of 12K SLOC, where the audit timeline was extended to 5 weeks to ensure a thorough review. However, the duration for each audit varies and can be influenced by factors such as the size of the codebase. 
\n\nChanges to the timeline can also affect other aspects of the audit process. For instance, you can edit a submitted QA report until the new audit deadline. The review time for project findings can vary with each contest and may be extended accordingly. \n\nAn estimated timeline for the entire process is provided in the organization's documentation, which you can access [here](https://docs.code4rena.com/structure/our-process). \n\nIt's also worth noting that CodeArena is considering features like a countdown timer and Github integration to ensure participants adhere to deadlines and to better track project timelines. However, these are still under discussion and not yet implemented. \n\nRemember, extending the timeline is aimed at facilitating a more comprehensive and quality audit, and it's crucial to factor in the scope and complexity of the project when requesting an extension.", "Question: What strategies does CodeArena implement to manage auditors and ensure they are fully focused on a single audit, and how can an auditor, either solo or in a team, participate in the audit processes?\n\nAnswer: At CodeArena, we have observed that running multiple audits simultaneously tends to increase the activity of registered auditors on the platform. However, to make sure that auditors aren't splitting their attention between different audits, we avoid running other public contests during the audit period. This strategy helps to reduce distractions and allows auditors to focus solely on the audit at hand.\n\nFor team members who wish to participate solo in an audit that their team is also auditing, we manage such instances by providing clear guidelines. When auditing as a team, all rewards are given to the team, which is then responsible for distributing the funds. Both individual contributors and teams can participate in auditing contests and private audits.\n\nStarting the audit process earlier, even before the code is complete, has also been beneficial. 
This allows for ample preparation time and the opportunity to promote the upcoming audit. Auditors must review both contracts in cases where one contract inherits from another. They may also automate the process of finding potential issues in the code, and use diff commands to spot differences between two contracts.\n\nAfter completing an audit, auditors need to provide Quality Assurance (QA) and gas reports as divided reports, and offer solutions or mitigations for identified vulnerabilities. Non-critical and low severity findings of a given auditor are consolidated into a single QA report. \n\nTo better understand how to approach big projects and gain a deeper understanding of audit reports, we recommend reading past reports and participating in contests. A blog post at https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan provides additional insights on how to approach the auditing of large projects.\n\nPlease note that becoming a certified auditor can take time, and certification is generally sufficient for private audits. There are also multiple paths to becoming an auditor, including reverse engineering and understanding old audit reports. On average, we conduct 2-5 audit projects per week. All these measures allow us to maintain a high quality of audits and contribute to the continuous improvement of our auditing process.\n", "Question: How does the process and impact of running multiple audits simultaneously work at Code4Arena?\n\nAnswer: Running multiple audits simultaneously at Code4Arena tends to increase the activity of registered auditors on the platform, giving an advantage of \"more auditors, more findings\" as mentioned by Quantstamp's Sebastian Banescu in his talk (https://www.youtube.com/watch?v=O1rKwDv5kLQ). This procedure often finds more bugs faster than other methods. 
It's worth mentioning that it's possible to submit more than one high-risk finding in the same audit, but if the root causes are identical, they would be counted as one. \n\nStarting the audit process earlier allows for enough time for promotion and preparation. Keep in mind the average turnaround time from audit competition to the release of reports is about a month, but efforts are being made to decrease this time. For instance, the audit report for the Yaxis project took longer to be released due to a high participation rate and numerous submissions to review. \n\nInquiries about the timing of the next audit event and queries regarding running an audit contest for contracts are common, showing the active interest and participation of our community. In fact, 1000 auditors were added to the platform in the past month, and both individuals and teams can participate in auditing contests. \n\nAuditors can also automate the process of finding potential issues in the code and AI is becoming an increasingly important part of auditing. Additionally, gas optimization is often a potential starting point for first-time audits. \n\nMoreover, a tool for running audits, which is a work in progress, can be found at https://github.com/HardlyCodeMan/audit_helper/. It's important to note that there might be confusion about bounty payouts; if multiple auditors report the same bug, they all get a portion of the bounty. Common findings are usually out of scope as they are picked up by the C4udit tool. \n\nFinally, it's worth noting that on average, there are 2-5 audit projects per week and there are more audit contests coming out in Code4Arena, providing ample opportunities for auditors to participate.", "Question: Can you tell me more about the auditors on the CodeArena platform, how many have been added recently, and what their role and activities entail?\n\nAnswer: In the last month, we have onboarded 1000 new auditors to the CodeArena platform. 
Our auditors contribute significantly to our operations by participating in numerous audits that run simultaneously. This increased activity has been observed to correlate directly with the number of audits performed.\n\nAs an auditor, you have the opportunity to contribute to various projects, primarily auditing smart contracts, but there are also opportunities for other smart contract-related gigs. You can participate in both public and private audits, and for those interested in expanding their reach, there's a feature that allows you to link your C4 profile to your Twitter profile. This is especially useful for our certified auditors.\n\nWe are continuously evolving and expanding the reach of our audits. For instance, we have plans to open up to Solana audits soon. We also encourage auditors to use information about protocols they have audited on other bug bounty platforms to fill their profiles. \n\nThere are no competitions currently upcoming, but we are in talks about potential audits. You can stay updated about such events, as well as ongoing contests, by checking Code4Rena site or by contacting our team who is regularly in touch with various projects about upcoming audits.\n\nBecoming a certified auditor requires a process, and while we can't specify a specific timeframe, we can assure you that our team is ready to assist with any inquiries on this. Furthermore, to help beginners in smart contract auditing, we have a tool for running audits, which is still a work-in-progress, located at https://github.com/HardlyCodeMan/audit_helper/.\n\nAs an auditor, you also have the option to join teams and participate in the audits. In fact, in some of our contests, such as the jul05 Chainlink contest, we even select top three auditors during the mitigation review. More such audit contests are planned in the future. 
\n\nFinally, to ensure you never miss an update, we are working on an easier way for you to get notified as soon as a new Audit Report is added on the Code4Rena site.\n\nOverall, our platform not only provides a space for auditors to grow and enhance their skills but also values their contributions greatly in improving the quality of smart contracts across the industry.", "Q: How has the auditor base and their activity changed over time on the CodeArena platform?\n\nA: Two years ago, an audit with 12 participants was a considerable size. The growth since then has been substantial, with 1000 new auditors added to our platform just in the past month. The range of experience among these newcomers varies, as many are entering the field via different paths such as reverse engineering and understanding old audit reports.\n\nOur platform is not only growing in terms of auditor numbers but also in terms of activity. We've observed that an increase in simultaneous audits tends to boost the activity of registered auditors. Furthermore, we have approximately 2-5 audit projects per week on average, and auditors can participate individually or as part of a team. \n\nDespite the increase in numbers, the process of becoming a certified auditor still involves time, as shown by the inquiries received about the time it takes to become certified. Some users are currently waiting to become certified auditors. \n\nWith the advent of AI, this field is constantly evolving and becoming even more crucial. As a result, there is significant interest in conducting more web2 whitebox audits, as some users have suggested. \n\nIn addition, auditors can use information about protocols they have audited on other bug bounty platforms to enhance their profiles, making it easier for them to participate in private audits. \n\nIn terms of report turnaround time, we're continuously improving. 
Currently, the average time from audit competition to report release is about a month, but efforts are ongoing to reduce this. For instance, the audit report for the Yaxis project may take longer due to high participation and numerous submissions. \n\nWe are also expanding the scope of our audits, with plans to introduce Solana audits on the platform. As stated by Quantstamp's Sebastian Banescu, our process consistently finds bugs faster than other methods. The mantra \"More auditors, more findings\" truly highlights our growth and success [Link to the talk: https://www.youtube.com/watch?v=O1rKwDv5kLQ]. \n\nIt's important to know that anyone can become an auditor and contribute to CodeArena, making it a unique and dynamic platform for smart contract auditing.", "Question: What is the process to request and receive the backstage role at CodeArena, including evaluation time and qualifications?\n\nAnswer: To request the backstage role, you must first meet certain qualifications including being certified and identifying a high vulnerability or multiple medium vulnerabilities. You may also qualify by submitting a QA or Gas report with a score of over 85. Once these conditions are met, you can raise a help desk request to have your status evaluated. The evaluation typically takes place within a week, assuming all qualifications are met and nothing is pending. Once reviewed, a notification will be provided. However, please note that the processing of requests may sometimes be paused and could take up to 24 hours after KYC is admitted. For more detailed information about the backstage role and how to request access, please visit the [Backstage Wardens page](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens) on our website. 
Be aware that the process is still being refined and may change.", "Question: How long does it take to receive the KYC email after I submitted my Certified Warden application and what should I do if I don't receive it?\n\nAnswer: After submitting an application to become a Certified Warden, it may typically take 2-3 weeks to receive the KYC (Know Your Customer) email. This email is sent from compliance@provenance.company and could possibly appear in your spam folder, so please check there. The explicit timeline for receiving the KYC email can vary, but the process after engaging with Provenance typically takes 1-2 business days. If you haven't received a response about your KYC application within an extended period, you can submit a help request through our company's website.\n\nAfter approval from the KYC firm, it may take approximately two weeks to mark a warden as certified. Remember, being a Warden does not imply that KYC process has been passed. It takes additional time to get the certified role after finishing the KYC process. More detailed information about becoming a Certified Warden and the KYC process can be found at [https://docs.code4rena.com/roles/wardens/certified-wardens](https://docs.code4rena.com/roles/wardens/certified-wardens). \n\nIf you want to submit your application to become a Certified Warden, you can do so at [https://code4rena.com/certified-contributor-application](https://code4rena.com/certified-contributor-application).", "Question: How can I effectively communicate or submit requests, including changes to my wallet address, issues with submissions, and technical queries, to the CodeArena team?\n\nAnswer: You can communicate with the CodeArena team in a variety of ways depending on the nature of your request or issue. If you need to change your wallet address, or have queries regarding the submission process, you can complete a help desk request at https://code4rena.com/help. 
Remember to double-check all information before submitting the form to avoid any errors.\n\nIf your issue relates to a large text that doesn't fit in the textbox on the help desk site, you can link a gist. Similarly, if your Proof of Concept (PoC) for an issue is too large to be embedded directly in the issue, providing a gist is acceptable. Also, if you have a QA/Gas report that does not fit in a single submit request, it can be split into separate sends.\n\nThere is a specific process for submitting an issue using the C4 form. If you need to modify submitted findings, you can do so by direct messaging certain identified individuals.\n\nIf you're unsure whether you should submit something, it's not recommended to contact judges directly. You can, however, direct message designated contacts of sponsor teams during a contest to ask questions.\n\nIf you're having trouble performing tasks via mobile, you can send requests for assistance to submissions@code4rena.com. You should expect to receive an email confirmation of your submission, although there may be some delay.\n\nRegarding the use of tools such as \"brownie\" for auditing or other technical queries, you can seek assistance in our Discord chatroom. Participants are encouraged to assist each other and can send help requests in the chat room.\n\nFinally, if you're planning to attend an event like ETH CC in Paris and have tangible items to deliver (such as gummy bears), you can pass them in person. But for most other communication, the methods outlined above should be your go-to.", "Q: How do I apply for a backstage role at Code4rena and when can I expect a reply to my help desk request?\n\nA: To apply for a backstage role at Code4rena, you need to be a certified contributor who meets certain qualifications. These qualifications are typically based on your participation in contests - usually you need to have participated in three contests and have either one high or three medium findings. 
Once you believe you meet these criteria, you can submit a help desk request for evaluation of your status. The link to submit this request is https://code4rena.com/help. \n\nMoreover, you can find more details about the criteria and process for obtaining a backstage role at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. Please note that at certain times, backstage role applications may not be accepted, so it's good to keep an eye on any updates regarding this.\n\nAfter you've submitted a help desk request, you should expect a response within a week. However, some users have reported not receiving a response. If this happens, you can follow up on the status of your request. It's also important to note that you may not receive a notification via email when your ticket is received, but rest assured that all tickets are processed. \n\nRemember, the backstage role grants you access to view issues reported for a contest on the website, which could be helpful in your contributions. If you have any further queries, don't hesitate to open a new help desk request.", "Question: What is the process and timeline for obtaining a backstage role after completing the Know Your Customer (KYC) process?\n\nAnswer: After successfully completing the Know Your Customer (KYC) process, users can apply for a backstage role. The KYC process usually takes a few days but could extend up to a week or more depending on the back and forth between the user and Provenance. Once the KYC process is complete, Provenance typically sends a confirmation email within one business day after the application is submitted. Please note it might take 2-3 weeks to receive this email and it may appear in your spam folder. \n\nUpon receipt of the KYC confirmation, there is an additional processing period before your role is granted. This backstage access request processing can take a few days to a week depending upon the qualifications met and any pending issues. 
There is a possibility of delay during this processing period, however, a help request can be submitted at https://code4rena.com/help in case of a considerable wait.\n\nBackstage wardens have access to findings soon after an audit but this requires the completion of Non-Disclosure Agreement (NDA) procedures, in addition to KYC, for security reasons. Certified contributors have completed the KYC process and can participate in private contests, while backstage wardens require certified status and a minimum number of submissions to access the contest repository post closure and pre-public report release. \n\nPlease keep in mind that there may be changes in the process and all updates will be notified once reviewed. For more information on the requirements and the process to become a backstage warden, please visit https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: How can I gain permission to participate in a private audit contest at CodeArena?\n\nAnswer: To gain permission to participate in a private audit contest, you typically need to be certified as a warden and potentially have a certain ranking on the leaderboard. Certification details can be found at https://docs.code4rena.com/roles/certified-contributors, and more specific information about the requirements for each private contest can be found in the #\ud83d\udd96rsvp-certified channel on our Discord. Please note that being certified does not automatically grant access to all private contests, as some may have specific prerequisites or be open only to those who participated in the original audit. If you meet the qualifications based on published contest results and would like to access backstage, you may submit a help desk request. It's also worth mentioning that teams can participate in auditing contests, although this might raise management concerns if team members also wish to participate solo. 
Some private contests may require KYC approval, and application for KYC approval does not automatically grant access to private contests. There may be a ranking cutoff for some contests, and after confirmation from provenance, participation in a private audit is possible.", "Question: What is the process and requirements to become a Certified Contributor or a Warden at Code4rena?\n\nAnswer: In most cases, being a certified contributor isn't a mandatory requirement for audits at Code4rena, as being a warden without certification is sufficient. However, to participate in certain contests or private events, you may be required to become a certified warden.\n\nThe process to become a certified contributor involves several steps, including an application and Know Your Customer (KYC) procedure. You may also need to participate in a defined number of contests and have a certain number of valid findings or reports to be considered. Information about the process, eligibility, and application can be found in the following links:\n\n- For the overall process and constraints: [Certified Contributor Process](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints).\n- For eligibility requirements: [Eligibility for Certified Contributor](https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor).\n- To apply for becoming a certified contributor: [Certified Contributor Application](https://code4rena.com/certified-contributor-application).\n\nOn the other hand, if you wish to participate as a warden, you can sign up for competitions without necessarily going through the certification process. However, becoming a certified warden could make you eligible for a judge role and allows access to private repos once a contest concludes. \n\nPlease note that while certification isn't currently required, the situation may change in the future based on company policies or specific contest rules. 
For the most up-to-date and accurate information, always refer back to the official Code4rena documentation and announcements.", "Question: How does CodeArena (C4) provide updates and notifications, particularly about the subject referred to as \"Masons\"?\n\nAnswer: At present, there has been no specific update provided regarding the subject referred to as \"Masons\". C4 often communicates updates through the #\ud83d\udce2announcements channel on Discord where updates are posted. Additionally, we are exploring other notification systems, such as a Telegram bot, to announce new contests and updates. However, our platform currently doesn't have a mail or email notification system for updates on issues. You might also find information about certain updates on our Discord channel [here](https://discord.com/channels/810916927919620096/1111666431050919996). There's also a suggestion to create an announcements channel named #audit-reports where a new message is posted whenever a report gets published on the C4 website. Please note that we discourage public discussions until reports are officially published. We are working on procedures for sensitive disclosures and updates will be announced soon. Please stay tuned to our channels for any updates.", "Question: How can I participate in the Ambire Contest as a Warden on CodeArena?\n\nAnswer: To participate in the Ambire Contest or any other contest as a warden on CodeArena, you need to be registered as a warden. You can do so by logging into your account, following the guidelines and filling the form available on the Code4rena website: https://docs.code4rena.com/roles/wardens#registering-a-team. After registering, you can check your acceptance as a warden on the platform. \n\nYou can participate in the competition individually or form a team. Specific information regarding team registration can also be found at the provided link. 
\n\nFor access to private contests, including the Ambire Contest, you will need to be a certified warden, which requires KYC completion and adherence to specific certification processes and constraints. Details on this process are available here: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. Note that certain contests may only be open to certified wardens. \n\nIt's worth noting that as a warden, you will be competing in audit contests. Thus, it's essential to familiarize yourself with the submission policy and judging criteria, outlined here: https://docs.code4rena.com/roles/wardens. \n\nWhile there are some contests that have specific selection criteria, usually based on the wardens' past performance, there are also opportunities to engage in other ways, like judging or gaining backstage access, as outlined here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: What are the requirements and implications for a team to participate in a contest and receive payouts on CodeArena (C4)?\n\nAnswer: CodeArena enables teams to participate in contests and receive payouts. However, in order to be eligible for these payouts, every individual member of the team must be certified. This includes the Versus contest, PolynomialFi contest, and others where certification is necessary. If any team member wants to participate solo in a contest that their team is also auditing, they can do so provided they have a certified status. Being certified grants access to a wider range of contests, including private ones, and also allows participants to audit these private contests, provided they rank on the leaderboard. \n\nParticipants wanting to be certified wardens may have to fulfill certain criteria like participating in a specific number of contests and submitting a certain number of valid findings or reports. 
There is also a suggestion for a more stringent certification requirement, such as winning a top ranking in multiple contests. Once certified, they can join any contest and receive payouts if eligible. \n\nTeams are considered when comparing leaderboard ranks to select people for RSVP certified jobs. High-ranked teams are eligible to participate in competition. Participants can sign up as certified contributors with multiple accounts, but can only participate with one account. Certification does not hamper employment elsewhere and can be pursued as a side project. The certification process can start within 48 hours of the contest, and upon completion, the participant can be awarded if they are eligible.\n\nFor certain contests like base and chain link, all team members should undergo KYC verification due to anti-money laundering laws. For more details on certification, users can check the certification documents. Please note that there is a need for a more formal process for requesting Certified+ status.", "Question: What is the unit of gas cost in the Foundry framework, and how can I effectively work with it?\n\nAnswer: The gas cost in the Foundry framework is measured in units of gas. When working with smart contracts, understanding and minimizing these gas costs is crucial for efficient execution. \n\nFoundry, along with Hardhat, are recommended tools for generating gas reports, which can provide valuable insights about your smart contracts. If you're aiming for gas optimization, you might find it useful to note the amount of gas saved for every finding in your gas optimization reports.\n\nWhile working with Foundry, you can test various scenarios in a local environment, avoiding the need for testnet tokens or waiting for blocks. For example, you might want to log the gas remaining after a state variable update, or calculate the gas cost of a contract. 
However, if you encounter difficulties, don't hesitate to ask for clarification or assistance in the community.\n\nGas findings and optimizations are often judged based on the inefficiency of the current implementation. All valid findings for gas optimizations are weighted the same, meaning that every optimization could potentially add value to your contract.\n\nIf you're looking for more details about gas cost, a useful resource is this StackExchange thread on the gas cost for constant and immutable: https://ethereum.stackexchange.com/questions/118547/is-the-gas-cost-for-constant-and-immutable-about-equal. However, please note that some information may be outdated. For example, as of July 2020, immutable no longer costs less gas than constants.\n\nIn CodeArena's competitions, you can make submissions of gas optimizations. The criteria for judging these submissions, as well as the potential earnings, can depend on many factors, including the significance of the optimization and your proficiency in identifying such optimizations. \n\nHere is a reference to a recent CodeArena report for more context: https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations.\n\nRemember, when working with Foundry or any other tool, always ensure you're mindful of the gas costs and strive for optimization where possible.", "Question: For auditing contests such as the Base and Chainlink contests, are all team members required to undergo KYC verification in order to be eligible for rewards?\n\nAnswer: Yes, for the Base and Chainlink contests, all team members must undergo KYC (Know Your Customer) verification to be eligible for rewards. It's important to note that this may not be the case for all contests, as some, like the Maia DAO Ecosystem contest, do not require KYC. However, for audits that do require KYC, all team members must be certified in order for the team to get paid. Certification includes successful completion of the KYC process. 
Participants can apply for this certification and begin the KYC process at https://docs.code4rena.com/roles/certified-contributors. The requirement for KYC will be stated for contests that necessitate it. For example, if one wishes to participate in an audit that requires KYC, this information will be clearly specified. While most contests do not require being KYC'ed, certain activities and private contests do require certification or KYC. If competing with a team in such cases, all members need to be certified to receive the payout.", "Question: What are the different types of audits in CodeArena (C4) and what is the role and eligibility of wardens in these audits?\n\nAnswer: CodeArena (C4) conducts three types of audits: public, private, and invitational. \n\nPublic audits are generally open to all. Private audits are usually accessible to certified wardens, though they may need to meet additional conditions. The specific eligibility criteria for each private audit opportunity is listed in #\ud83d\udd96rsvp-certified. To acquire certification to qualify as a warden, one needs to compete in the audit contests and satisfy certain requirements like participating in a specific number of contests and reporting valid findings. More about the certification process can be found at [https://docs.code4rena.com/roles/wardens](https://docs.code4rena.com/roles/wardens).\n\nInvitational audits, on the other hand, are targeted towards high-ranking teams and prioritize the highest ranked wardens. The ranking may influence eligibility for private contests, with top 3 or 5 usually considered for mid-review or invitational. 
\n\nIn both private and invitational audits, there is a professional conduct guideline for certified wardens that requires all findings to be treated as private and confidential until the contest report is made public [https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines](https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines).\n\nFurthermore, the platform encourages teamwork between wardens with diverse skills, allowing those with strong technical writing skills to team up with wardens having advanced technical auditing skills. \n\nOn occasion, wardens are also called backstage after an audit closes if it is an open audit. They assist with various process-related tasks within a dedicated channel for certified+ wardens.\n\nTo start the journey of becoming an auditor, refer to the official instructions at [https://docs.code4rena.com/roles/wardens](https://docs.code4rena.com/roles/wardens).", "Question: What forms of identification are acceptable for the Know Your Customer (KYC) verification process, and is a passport specifically required?\n\nAnswer: While a passport may be used for the Know Your Customer (KYC) verification process, it is not the only form of identification that is acceptable. Participants who do not have a passport can use other forms of ID, such as a National Identification Card or a driving license. The process of KYC verification is a crucial part of becoming a certified warden at CodeArena (C4) and participants may be required to complete it to participate in certain contests and audits. It's important to note that the certification process can move more smoothly if the necessary documents are supplied promptly to the KYC provider, Provenance. However, Provenance may have more detailed requirements for documentation than what is outlined in C4's guidelines. 
It is also worth noting that not everyone desires to go through the KYC process to become a certified warden. Some users are able to participate and receive payouts without being certified, though certain activities do require KYC verification. The KYC process usually takes a few days to complete. There is a 48-hour deadline for response after providing all documents for KYC to Provenance for getting certified, and there may be potential delays in the process. For more specific details on the KYC process, participants should refer to the applicable channels.", "Question: What are the eligibility criteria for auditing contests at CodeArena, and how does one's ranking on the leaderboard affect this?\n\nAnswer: At CodeArena, permission to audit contests depends on a variety of factors. For all contests, certification and a position on the leaderboard are generally necessary. The specific eligibility criteria for each opportunity are listed in #\ud83d\udd96rsvp-certified on our Discord channel. \n\nFor private audit contests, simply being certified is usually sufficient. However, for more specialized contests like the mit review or invitational, we typically select the top 3 or 5 from the leaderboard. It's important to note that the leaderboard ranking is influenced by both current contest participation and total participation of a contestant.\n\nTeam participation is allowed in auditing contests. However, concerns have been raised on managing team members who wish to participate solo in a contest their team is also auditing. Additionally, there have been suggestions for more stringent criteria for specific distinctions such as certification+, like being in the Top 3 in 3 contests or making significant findings.\n\nBeing a certified warden grants access to more contests. The path to certification involves competing in audit contests. Certified contests, like the upcoming 225, do impact the c4 leaderboard rank. 
\n\nLastly, it's worth noting that it does take about 8 weeks for the judges to review the findings and create the leaderboard after an audit ends. If you have any questions, feel free to ask on our Discord channel.", "Question: How can I access and interact with judges' comments on my submissions for a contest on CodeArena?\n\nAnswer: CodeArena provides several ways for participants to interact with judges' comments on their submissions. Once you've made a submission for a contest, you can view and edit your findings via the \"Your Findings\" button on the contest page. You can check the status of your submission and any associated comments on the \"Findings\" tab next to the contest description. \n\nIf your submission was not rewarded, you can review why it was not accepted once the report is out and the repository is fully opened. This gives you access to the discussion among sponsors and judges on the specific issue. A post-judging Q&A period also exists, allowing participants to comment on the judges' decisions. In some cases, you may receive feedback directly from a judge if your submission is marked as invalid.\n\nFurthermore, there's a process for querying an issue marked as invalid. This involves monitoring the backstage channel for the post-judging stage of the concerned contest. However, direct access to judges for discussions is not a regular practice anymore. \n\nFor cases where you want to seek early feedback on your submissions for improving audits, you can refer to this Discord link: [Judge's Post](https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440).\n\nFinally, after a contest closes, all the submissions can be reviewed once the report is published and the findings repository is made public. This allows you to view which findings were rejected and why, along with other participants' findings. \n\nPlease note that these features and processes are based on current practices and may be subject to changes. 
For instance, a new submission mechanism is slated for implementation in future contests. Be sure to stay updated by following CodeArena's official announcements.", "Q: I am experiencing a 'page not found' error on Code4rena. What could be the possible issues and how can I get help?\n\nA: We've noticed that this usually happens due to a DNS issue or it might be possible that the Code4rena site could be temporarily down. You can check the site's status at https://downforeveryoneorjustme.com/code4rena.com. Sometimes, it may also be due to an error with the API or difficulties while trying to view findings. Our developers are always on it and looking into any reported issues. \n\nIf these problems persist, you are encouraged to submit a help request on https://code4rena.com/help. In case you encounter errors on the main help page, you can use the alternative help link: https://old.code4rena.com/help. If you still can't submit a help request through the form, you can forward your issue directly to submissions@code4rena.com. \n\nRemember, Code4rena is pronounced as \"Code Arena\" and if you're interested in learning more about us and our teams, you can visit https://docs.code4rena.com.", "Question: How can I change my Twitter username or link my Twitter account to my profile on CodeArena (C4)?\n\nAnswer: Yes, you can change your Twitter username or link your Twitter account to your Code4Arena profile. This can be carried out by submitting a help desk request at [https://code4rena.com/help](https://code4rena.com/help) with your warden name and Twitter URL. You also have the ability to update your Discord name on the Account Management page of your warden profile. However, please note that any changes to your username may affect your account registration as a warden. 
If there are any issues or you need further assistance, feel free to ask for support from the C4 staff members or address your concerns in the #auth-help channel.", "Question: Can you explain what 'score' means in the context of CodeArena's findings and grading system?\n\nAnswer: In CodeArena, 'score' is a crucial part of the grading system for findings and reports submitted during competitions. It refers to the evaluation of the severity, validity, and quality of a given finding or report. Scores are assigned on a scale between 0 and 100, with a higher score indicating a better quality finding. It's important to note that scores are relative, meaning they're compared to the scores of other reports in the same competition. \n\nThe terms 'score', 'pie', 'split', and 'slice' in the findings file are methods used to divide the funds among the ranked findings, with 'score' referring to the individual ranking of a report. If a report contains invalid issues, its score may be lowered. If the report closely resembles a bot report, it may face additional penalties. \n\nAn 'A' grade report is considered good, while a 'C' grade report is viewed as unsatisfactory. The grading system is explained more comprehensively in the C4 documentation: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic. \n\nHigh-quality and high-quantity findings tend to earn better scores in CodeArena competitions. Participants can gain more insight by comparing their findings with winning reports, which can be found at https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues. \n\nWhile the score is a critical aspect in grading and ranking, it's not the only factor that affects a participant's standing in the leaderboard. Both the current contest performance and total participation also influence the ranking. 
\n\nAs CodeArena's grading system is still being refined, the method for distributing awards based on scores will be designed after observing initial contests.", "Q: I'm experiencing an issue with CodeArena's services and need help. How do I request assistance?\nA: If you're encountering any issues, you can submit a help request at https://code4rena.com/help. This could range from problems while submitting, issues with your status or registration, challenges in team coordination, or security concerns regarding contests. If you have missed an item on your QA reports or need to check your participation outside of the leaderboard showings, you can also describe these queries in your help request. The help desk request form is user-friendly and will walk you through the process. Once submitted, you should receive confirmation that your request has been received. If your query remains unresolved or you don't get a reply within five business days, you might want to submit a follow-up request. Remember that you can also direct private inquiries to a member of the Code4rena team through this Help Desk request. In case of persisting issues with the help request form, you can forward your request to submissions@code4rena.com.", "Question: What are the rules and processes regarding wardens' compensation and the certified warden program at Code4rena?\n\nAnswer: At Code4rena, wardens play a vital role in identifying issues in smart contracts. They may receive payment for identifying both sponsor confirmed issues as well as disputed ones, with the final decision resting with the Judge. If multiple wardens find the same issue, the reward money is divided among them, regardless of the order they submit their findings. For a comprehensive understanding of this, you can review our incentive model and awards section: https://docs.code4rena.com/incentive-model-and-awards.\n\nThe certified warden program is another aspect of the platform where wardens can receive additional benefits. 
This includes backstage access and payments from KYC-required sponsors like Chainlink. To become a certified warden, there may be certain prerequisites such as participating in a number of contests or having a certain number of valid findings or reports. Certified wardens are also eligible to attend private audits and join private auditing contests. More details on becoming a certified warden can be asked directly to Code4rena or found in the certification documents.\n\nFurthermore, when a team submits a finding, a single payment will be issued which the team has the discretion to distribute among its members. Details on this can be found here: https://docs.code4rena.com/roles/wardens. \n\nPlease note that not all vulnerabilities may be considered for awards, such as non-critical ones, despite their potential benefit to the sponsor. The guidelines on awarding shares or rewards can be found here: https://docs.code4rena.com/awarding/incentive-model-and-awards.\n\nLastly, there is ongoing work on tax reporting for wardens, ensuring transparency and compliance for all participants.", "Question: How can I participate in private or restricted audits at CodeArena?\n\nAnswer: Participating in private or restricted audits at CodeArena requires that you first become certified. You can apply for certification at https://docs.code4rena.com/roles/certified-contributors, which includes instructions on how to register as an auditor and start auditing, as well as the certification process and constraints. Once certified, you are eligible to participate in private audits and contests, although there may be other conditions to meet, depending on the specific opportunity. \n\nThe eligibility criteria for each audit or contest is usually listed in the #\ud83d\udd96rsvp-certified channel. Some private audits may require KYC (Know Your Customer) certification, and this requirement will be specified in the applicable channels. 
Notably, private audit contests are not strictly open only to top-ranking wardens. \n\nIf you are part of a team, you may participate in auditing contests as a team. However, if you wish to participate solo in a contest that your team is also auditing, you should manage this carefully to avoid potential conflicts. \n\nRSVP is a common way for participants to signal their interest in audit opportunities. To gain a better understanding of audit reports, participating in these contests is highly recommended. Remember that it is possible to ask questions about findings of past projects and even partake in private competitive audits. \n\nFinally, keep in mind that sometimes contests are only open to those who participated in the original audit, such as the Mitigation Review. The more you participate, the more opportunities you may have access to. It's a rewarding and engaging process that benefits all involved.", "Question: What is the protocol if a team wins an audit prize but cannot claim it due to KYC issues?\n\nAnswer: If a team wins an audit but encounters issues claiming the prize due to KYC (Know Your Customer) certification, the procedure is currently not entirely clear. However, it's important to know that all members of a team need to successfully complete the KYC process to receive payment after participating in certain audits. The prize for an audit contest is sent to a single address, and it's up to the team to distribute it amongst themselves. Therefore, incomplete KYC verification by any team member could potentially hinder the entire team's ability to claim the prize.\n\nTo avoid such issues, it is recommended that all team members complete the KYC verification process before audit participation. The KYC form can be found at https://docs.code4rena.com/roles/certified-contributors. Once the KYC is confirmed, the organization processes it. 
If there are still problems in claiming the prize, it might be advisable for the team to submit a helpdesk request.\n\nNote that while KYC might be required to receive prizes for some contests, it is not necessary for all. More information about contest-specific requirements will be specified in the applicable channels or events.", "Question: Can you provide detailed information about \"Audit Summary Awards\" at CodeArena?\n\nAnswer: \n\"Audit Summary Awards\" at CodeArena are distributed after the completion of audit contests. These contests involve participants, referred to as \"wardens\", who audit smart contracts. Each contest is followed by a submission review period where the findings are reviewed. This process can take from 2 weeks to over 6 weeks. \n\nThe awards pool is divided into several categories: HM awards ($56,250 USDC), QA report awards ($7,500 USDC), Bot race awards ($7,500 USDC), Gas report awards ($3,750 USDC), Judge awards ($9,000 USDC), Lookout awards ($6,000 USDC), and Scout awards ($500 USDC). Both \"Lookout\" and \"Scout\" refer to specific roles within the contest. \n\nUnique High or Medium findings that are selected for inclusion in the audit report receive a 30% share bonus. However, non-critical findings do not share in the award pot. QA and Gas awards are given according to judges\u2019 scores, and duplicates are disregarded. There have been challenges in handling downgraded issues, which need to be paired up with wardens\u2019 QA reports. \n\nThe award distribution is done manually in batches for multiple contests at a time. The leaderboard updates when awards are announced, and participants can find the awards list in the announcements channel. However, the exact process for distributing these awards is not explicitly outlined. 
\n\nMore information about how awards are divided between grade A and grade B for QA and Gas reports can be found at [https://docs.code4rena.com/awarding/incentive-model-and-awards](https://docs.code4rena.com/awarding/incentive-model-and-awards). \n\nPlease note that the exact dates of award issuance are not tracked on the company's website. The website builds the leaderboard based on the dates of the audits themselves. Also, it's important to note that there can sometimes be delays in the distribution of awards, as seen for the Nested Finance audit contest. \n\nFuture contests will have the same structure of an initial audit prize pool and a mitigation review pool, with the audit reports for contests being published after the stages of contest finish, sponsor reviews, judging, and awarding are completed. \n\nFor questions about the timing of the next audit event or contest, participants are advised to stay updated with the announcements channel of CodeArena's Discord chatroom.\n", "Question: What does the \"I\" signify in the report judging decisions and how does it influence my submission in CodeArena competitions? \n\nAnswer: In CodeArena's report judging decisions, the \"I\" stands for \"informational\". This term is used to classify non-critical findings in your submission. For bot-racing instances, however, \"I\" may also mean \"ignored\". Participants can name their findings with a number to help judges, and these findings are then grouped and scored. If your finding is marked as invalid, you will receive feedback from a judge. \n\nIt is also worth noting that the inclusion of high-risk or low/non-critical findings ('NC' issues) in your submission depends on the contest and the judge's discretion. Participants are advised to make a case for the judge in the submission if they believe a certain finding should be considered. 
For instance, all low/NC issues are to be submitted in one QA report and judges and sponsors appreciate when similar submission issues are grouped together.\n\nMoreover, your submission might be influenced by the self-assessment of risk as the final determination of severity is made by a judge and this can impact your award levels. You are allowed to cite similar findings from other contests to justify the severity and validity within your submission, but keep in mind that judges will consider the entire context when judging.\n\nFor more detailed guidelines on judging criteria and instructions on how to prepare your Analysis report, refer to the official documentation at https://docs.code4rena.com/awarding/judging-criteria#analysis and https://docs.code4rena.com/awarding/incentive-model-and-awards.\n\nPlease be aware that interpretations may vary, and it is always a good idea to seek further clarification in the CodeArena Discord chatroom.", "Question: What does the \"I\" stand for in report judging decisions in CodeArena's competitions, and how does it impact the judging process? \n\nAnswer: The \"I\" in CodeArena's report judging decisions can have different meanings based on the context. In bot racing, it stands for \"ignored.\" However, in report judging, it might also represent \"informational,\" which signifies a non-critical finding. This symbol is part of the criteria used by judges to decide the severity, validity, and quality of a submission. \n\nWhen citing findings from other contests to justify the severity and validity of a submission, it is important to know that the judges will consider the entire context in their decision. The judges are not known ahead of time and their comments on submissions may be visible. They're perceived as fair and have upgraded severities in cases. Participants are advised to make a case for the inclusion of high-risk findings if they believe it should be considered. 
The final determination of severity is made by the judge, and this can impact award levels.\n\nIf a submitted finding is marked as invalid, feedback will be provided by a judge. Wardens, who can see the judging results before they are public, can raise issues to the judge for reconsideration. Post judging, a QA period exists where comments can be made on the judges' decisions. These comments are usually between judges and sponsors, though occasionally there are comments from \"backstage wardens.\"\n\nIn certain cases, the format of the report can influence its evaluation - including the grouping of similar submission issues, or the numbering of findings to assist judges. However, the final attribution of the findings ids in the findings.csv file is at the discretion of the judges.\n\nFor more information on the specific contests and judging criteria, you can visit https://code4rena.com/contests/2023-03-asymmetry-contest. Please note that the judging of contests may take a lengthy period, with factors beyond the judge's control contributing to delays.", "Question: What is the process, timeline, and requirements for becoming a Certified Contributor with Provenance's Know Your Customer (KYC) process?\n\nAnswer: To become a Certified Contributor with Provenance, the first step is to apply for KYC certification. This can be initiated at https://docs.code4rena.com/roles/certified-contributors. After submitting your application, Provenance usually sends out a KYC mail within a business day. This email will come from either compliance@provenance.company or kobus@provenance.company, so please check your spam folder if you don't see it. \n\nAfter receiving this email, you'll need to provide the necessary documents for KYC. After submission, you should expect a response from them within a 48-hour period. However, be aware the entire KYC process can take a while, especially if there is a back and forth between you and Provenance. 
It could even take up to 2-3 weeks to get a response. \n\nOnce the KYC process is complete, it usually takes a few more days for the certified role to reflect on your profile. The confirmation for this will often be received within 5 business days. Please note, to clear KYC and earn Certified Contributor status, you must follow the steps outlined here: https://docs.code4rena.com/roles/certified-contributors. \n\nAs a Certified Contributor, you will be able to participate in private contests and receive payments for work such as the arbitrum audit. If you have completed the certification process and participated in more than three contests, you might also be eligible for a certification+ status. Keep in mind, granting the certification+ status and marking a warden as certified after approval from the KYC firm takes approximately 2 weeks. \n\nIf you have any issues or delays during this process, don't hesitate to follow up with Provenance for a response.", "Question: What are the requirements and qualifications for participating in a private reserve audit at CodeArena?\n\nAnswer: Private reserve audits at CodeArena are not open to all members, but are specifically for certified wardens. However, additional conditions may need to be met, which vary for different audits. Upon confirmation from provenance, you may be allowed to participate in a private audit. It's worth noting that private audits are not strictly open to only top-ranking wardens. The eligibility criteria for each opportunity can be found in the #\ud83d\udd96rsvp-certified channel on our Discord. \n\nPrivate audit contests are announced, but they can sometimes be confused with open public audits, so it's important to clarify which type of audit you are interested in. Furthermore, reports from these audits remain private until they are officially made public, and findings from these should not be discussed on public channels. 
\n\nTo become certified and get access to private audit contests, follow this link: https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0. Remember, you don't need to register for public audits.\n\nPlease note that different projects have different types of audits and not all audits have office hours at CodeArena, so always check the schedule and other details for each project.", "Question: Why might an issue reported in CodeArena be ignored or not accepted and how can I improve my submissions?\n\nAnswer: There could be multiple reasons why an issue might be ignored. It could be due to lack of sufficient detail or proof, or if the impact of the issue is extremely small. If your bug report does not contain a Proof of Concept (PoC), it may be disregarded unless the issue is extremely obvious, such as a wrong parameter, typo, or code that doesn't compile. Additionally, the judge ultimately has the discretion to ignore an issue. \n\nIt's also important to know that an issue may be valid to submit even if it is found by the bot race but another instance of that issue is not picked up by the bots. If you submit an issue with what you believe to be a high severity rating, be aware that a judge may downgrade the severity if they disagree with your assessment. However, you will still be awarded for the found issue unless it's invalidated for overinflating severity. \n\nRegarding submissions, bear in mind that the specific severity of an issue does not matter as much as a good explanation of your findings. However, submitting a high severity issue without working code that demonstrates the impact may lead to the issue being downgraded or ineligible for awards. \n\nIf you're unsure about the reasons for issue rejection or want to improve future submissions, there is a process available for understanding why a bug was not accepted. 
You can find more information about that here: https://github.com/code-423n4/2022-05-rubicon-findings/issues/148#issuecomment-1167393094\n\nRemember that visibility of reported issues on the Issues page could potentially be affected by GitHub issues. You can also submit a help desk request for unresolved issues. If you're unsure about the feedback you're receiving on your submissions, it's encouraged to raise your concerns.\n\nFinally, you should receive an email notification about the status of your submitted issue, whether it is valid or not. If you're not receiving these notifications, it may be advisable to reach out to the CodeArena team.", "Question: What does the \"I\" represent in the report judging decisions at CodeArena?\n\nAnswer: The \"I\" in the report judging decisions often signifies \"informational,\" denoting a noncritical note or observation made by the judge. This, however, may vary as each judge applies their own shorthand when reviewing reports. For example, in bot racing, \"I\" might stand for \"ignored\". Judges use their discretion to determine the severity of identified issues in the submitted reports, and they can make changes in these severity levels as needed. \n\nFor understanding how judges evaluate reports, it's important to note that factors such as the report's format, the clarity and detail in the write-up, the evidence provided to back up the identified issues, and the self-assessment of risk by the participant all play a role. \n\nIf you are uncertain about how your findings were judged, you can ask for feedback from the judges. They can provide valuable insights into the reasoning behind their decisions and what could be improved in your submissions. If there is any uncertainty about the severity of a reported issue, it is advised to review the judging criteria and make a case for the chosen severity using evidence. 
The judging criteria can be found here: [https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk). \n\nMoreover, depending on the contest, high-risk findings can be of primary importance. If you believe that a high-risk finding should be considered, it is advised to make a case in your report submission and let the judge make the final call. Remember that the judges have the final say on findings, and they also pick the primary issue based on the best write-up rather than the order of submission. \n\nFor more information on how to prepare an Analysis report, you can refer to [https://docs.code4rena.com/awarding/judging-criteria#analysis](https://docs.code4rena.com/awarding/judging-criteria#analysis).", "Question: How does CodeArena handle gas optimizations, rewards, and submissions on their platform?\n\nAnswer: At CodeArena, gas optimizations are considered valuable contributions and are indeed rewarded. However, there are no dedicated gas optimization rewards on the Base platform. Gas optimizations are awarded from a separate award pool specified on the CodeArena website and each contest's page. This means that participants can make submissions of gas optimizations in contests and earn rewards based on their proficiency. \n\nWhen it comes to calculating rewards, they are shared among the reporters and awarded based on the score of each gas report. This is outlined in the documentation, available at: https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic. A formula is also used to calculate reward split in instances where multiple people, including team members, identify a gas optimization. You can find this formula here: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs.\n\nFor gas optimization reports, it is suggested but not mandatory to mention the amount of gas saved for every finding. 
Including this information could potentially increase points. You should also note that not all gas optimizations are valid when the optimizer is enabled, which has led to some confusion about what should be reported. \n\nDespite some users having stopped reporting gas optimizations due to discrepancies in judge decisions, it is recommended to report any gas optimizations separately. The focus is primarily on high, medium, and low severity vulnerabilities and gas optimizations, without a direct incentive to report non-critical findings. However, all valid findings for gas optimizations are weighted the same.\n\nThere is ongoing discussion and updates planned for the formula used for awarding gas and QA. If you have questions or need clarification on gas optimization, you are encouraged to ask in the platform. Remember, the aim is to help improve the security and efficiency of the smart contracts through this process.", "Question: How can I change my username, and is it possible to register another account with the same email/Github address on CodeArena?\n\nAnswer: Users can change their usernames on CodeArena, but it requires re-registration with the platform. Existing account details like email, Github username, and Discord username can be used for the new registration. However, please note that any leaderboard standings and submissions under the previous handle are not transferable to the new account. Additionally, if you had certified status under your old username, you would need to reapply for that status after changing your username. \n\nYou can also change details like your Twitter username or registered wallet by submitting a request to the help desk. 
If you wish to update your Discord name, this can be done on the Account Management page of your warden profile, but your Discord nickname should remain as your registered C4 username.\n\nIn summary, while it is possible to change your username and other details on CodeArena, it's important to understand that these changes require a new registration and may affect your standings and status on the platform. If you have further questions or require assistance with this process, we recommend submitting your query via the Help Desk for a developer team review.", "Question: Can I complete the KYC process with only a National Identification Card instead of a passport, and how does it affect my participation in CodeArena contests and audits?\n\nAnswer: Yes, you can potentially complete the KYC (Know Your Customer) process with a National Identification Card. If a participant doesn't have a passport, other forms of identification like a National ID or a driving license can also be acceptable. This is because our KYC provider, Provenance, accepts different types of ID for verification. \n\nPlease note that while participating and receiving payouts in most contests do not require KYC certification, some specific activities and contests do necessitate KYC verification. This information will be explicitly stated in the applicable channels. In particular, if you want to apply for Certified+ after a high finding or wish to become a certified warden, the KYC process is compulsory.\n\nKeep in mind that the KYC process usually takes a few days to complete, and there might be delays. The process can move more quickly if you promptly supply the necessary documents to Provenance. After you've submitted all the documents, there is a 48-hour deadline for a response.\n\nIn case your KYC application is still pending after a considerable time, a help request can be submitted. Once your KYC is successful, the confirmation is communicated to us at CodeArena (C4) and we then process it. 
\n\nPlease note that there are certain restrictions in place for the KYC process, primarily OFAC sanctions and background checks. For any additional queries, we encourage you to contact Provenance directly or ask in our chat channels.", "Question: I've been inactive since November 2022 and I'm interested in the Chainlink contest. Can you tell me about any vital modifications to the contest rules and the KYC process that I should be aware of?\n\nAnswer: Welcome back! There haven't been any significant changes to the contest rules, submission guidelines, or prize allocations recently. You can always check for rule changes in the documentation at https://docs.code4rena.com/. However, there are some important details about the Chainlink contest you should know. All participants are welcome to join the Chainlink contest, but to be eligible for rewards, you must complete a Know Your Customer (KYC) process before submitting your work. This includes verifying your identity after the contest ends to receive the payout. For team-based contests, all team members should undergo KYC verification. Reports from past Chainlink contests can be viewed by those with the backstage role, which you can learn more about here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. Please note that unregistered bots in the chainlink protocol cannot be used for some contests. Lastly, remember that if you started participating in contests after June 2022, you are not eligible for any token airdrops; eligibility began in 2021.", "Question: Where can I find the latest contest rules, updates, and submission guidelines for Code4rena?\n\nAnswer: All the current rules, submission guidelines, and updates related to contests can be found in our official documentation at [https://docs.code4rena.com/](https://docs.code4rena.com/). As of now, we haven't made any significant changes to our rules, submission guidelines, or prize splits. 
We are, however, considering implementing a new submission mechanism in future contests. If you have any specific questions about the scope for a contest, it's best to reach out to the respective sponsor. \n\nYou can also keep track of contest updates, results, team information, and rewards through the \"Past Contest Status Updates\" section on our website. This section provides a timeline of where contests are currently in their process. For more information on judging and payout timelines after a contest ends, you can visit [https://docs.code4rena.com/structure/our-process](https://docs.code4rena.com/structure/our-process). \n\nPlease note that the scope for each contest is set by the contest sponsor and is listed in their contest info. However, we're planning to introduce features in the future that would indicate the number of participants in a given contest, and might require an RSVP for the contests. These updates can be checked on the RSVP channels. \n\nFinally, becoming a certified participant grants you access to more contests. If you have any questions or inquiries about the progress and schedule of final reports, you can discuss potential issues with the sponsor while the contest is ongoing.", "Question: I applied for the Certified Warden or KYC process with Provenance but haven't received any email. What should I do?\n\nAnswer: We understand that waiting for a response can be frustrating. However, it's important to note that the sending of emails from Provenance doesn't have a specified timeframe. Generally, you can expect a response within about a week after you have submitted your application or request. In case of KYC requests, this might take even longer. Once your application is approved, Provenance will send you an email, so do keep an eye out for that.\n\nPlease make sure to check the spam section of your email for the response from Provenance. The emails usually come from \"compliance@provenance.company\" and \"kobus@provenance.company\". 
In some instances, you may also receive an email from us, C4.\n\nIf you are waiting for an invitation link to Github or a confirmation of your Certified Warden application, these should also arrive via email from an @provenance.company address. \n\nIf you haven't received a response or confirmation email within a reasonable time frame, you are encouraged to nudge Provenance for a response. Additionally, if there is no response after a couple of days, feel free to open a help desk request at [CodeArena's Help Desk](https://code4rena.com/help). \n\nPlease note, the confirmation email for your Certified Warden or KYC application is crucial for progressing with your involvement in CodeArena activities, as it confirms your status. \n\nThere have been some inconsistencies reported in the Certified Warden application and response email, and we are working on updating our documentation to resolve these issues. \n\nWe appreciate your patience and understanding during this process.", "Q: I've applied to be verified with CodeArena, but I'm not receiving any emails from Provenance. What should I do?\n\nA: We understand that it can be frustrating not to receive anticipated emails. Provenance typically responds within a week, but there may be instances where emails might not get through to you. Here's a few things you can do:\n\n1. Check your spam or junk mail folder. The email for KYC and other communications from Provenance may accidentally land there. The email will be sent from either \"compliance@provenance.company\" or \"kobus@provenance.company\".\n\n2. Ensure you have correctly completed the Certified Contributor Application at https://code4rena.com/certified-contributor-application. This process involves sending your identity for verification.\n\n3. Verify that your email address is correct. After applying for KYC, you should receive an email from both Provenance and CodeArena. 
If you haven't received any, there might be an issue with the email address you provided.\n\n4. If you have done all of the above, and it's been more than a week without a response, please reach out to us directly so we can assist you further.\n\nRemember, after your Provenance application is approved, it generally takes a few days for the role to reflect on your profile. During this time, it's normal not to receive any further communication. However, keep an eye on your email for any updates or next steps.\n\nAlso, note that the verification process can be initiated as per the instructions provided at: https://docs.code4rena.com/roles/certified-contributors. We appreciate your patience and understanding in this process.", "Question: Do all members of a team need to be KYC certified in order to participate in an audit or contest, and to receive the payout?\n\nAnswer: Yes, all members of a team need to undergo the Know Your Customer (KYC) verification process in order to participate in audits or contests that require KYC, including the BASE contest and Chainlink contests. This procedure is a part of our anti-money laundering policies. This information is usually specified in the applicable channels for each audit or contest. If a team wins a prize but is unable to claim it due to KYC issues, it's unclear whether the prize will be on hold until they complete the KYC or if it's lost forever. For team rewards in an audit, the prize is sent to a single address, and it is the team's responsibility to distribute it amongst themselves. It should be noted that some activities or audits do not require KYC, such as the Maia DAO Ecosystem contest. 
You can apply for KYC certification and get more details on the process at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.", "Question: How are updates to the bot race reward structure announced and when can I expect the next update?\n\nAnswer: Updates to the bot race reward structure are typically announced prior to the commencement of contests, such as the Maia contest. You can track these updates via the link provided in the #\u270brsvp channel on our Discord server. For instance, the most recent update for the Maia contest can be found [here](https://discord.com/channels/810916927919620096/958800160870240286/1109067971915153508). These updates may include changes to the prize pot, previously sourced from the HM pot, among other changes. \n\nThe bot races, a new feature in CodeArena, are held during the first hour of an audit. The leaderboard is updated when awards are announced. The updates on rewards are manually sent out in batches for multiple contests at a time, and they are distributed to the user's registered wallet address.\n\nPlease be aware that some rewards may still be pending after a contest has finished. This could be due to various reasons not explicitly stated in the chat. For more information on upcoming contests, changes to reward structures, and other announcements, please keep an eye on our announcement channel.", "Question: What is the analysis reward at CodeArena and how is it determined?\n\nAnswer: The Analysis reward is a new feature at CodeArena, designed to incentivize and reward users for analyzing smart contracts in a competitive context. The total reward pool for analysis is $4,250 USDC, while a separate pool for QA awards is $2,000 USDC. \n\nRewards are distributed based on the quality and detail of the analysis, with a reward formula that takes into account the number of findings and partial credit considerations. 
For instance, there's a 30% bonus awarded for the best advanced analysis report in each competition. You can submit an analysis for individual contests, with each contest having its own guidelines and reward schemes. \n\nTo better understand how to draft an Analysis report and what details are required, you can refer to the [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#analysis) and [Analysis Guidelines](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118) on the official CodeArena website.\n\nThe reward division also takes into account duplicate findings, meaning that if multiple people or teams identify an issue, the reward is split among them, irrespective of who found it first. The specific division can be calculated using the [formula](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs) provided in the CodeArena documentation. \n\nIt's important to note that rewards are distributed on a curve, a system likened to grading on a bell curve in academic settings. A detailed overview of the reward system, including tables and formulas, can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic). \n\nFinally, it's possible to change the wallet address associated with your report, and future rewards will then be distributed to this new address. However, please note that the payment of rewards varies per contest, and some contests may offer other forms of recognition such as \"Karma Points\".", "Question: How does CodeArena's audit contest operate compared to a traditional bug bounty program and how are bugs reported and rewarded within these contests?\n\nAnswer: CodeArena does not currently offer a bug bounty award for its own platform. However, the platform conducts audit contests that operate somewhat similarly to bug bounty programs. 
In these contests, auditors report bugs they find and there are certain rewards attached.\n\nUnlike traditional bug bounty programs where the second person to report a bug receives no reward due to duplication, CodeArena operates differently. If multiple auditors report the same bug, they all get a portion of the bounty, unless it's a common finding that should be picked up by the C4udit tool. In such cases, these findings would be deemed out-of-scope and usually not awarded.\n\nOnce a vulnerability is found, it should be submitted using the contest submission form on the CodeArena website. It is important to note that a vulnerability found in an out-of-scope contract can be included in the C4 report as an unrewarded finding or the team of the audited project can be directly messaged.\n\nWhen reporting a bug, the severity of the bug to be reported depends on its impact. Guidelines for estimating risk and the submission policy are provided in CodeArena's documentation (https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr and https://docs.code4rena.com/roles/wardens/submission-policy).\n\nThe platform is also considering adding the severity of bugs to the emails sent out after issue submission. \n\nUsers are also encouraged to submit code as proof of concepts (PoC) for each bug they find. \n\nIf a high or medium severity vulnerability is found a few days after the contest ends, it should be responsibly disclosed to the development team, as it would not be awarded by C4 outside the contest timeframe.\n\nCurrently, sponsors are more interested in high/medium/low severity vulnerabilities and gas optimizations, therefore, there's no intentional incentive for reporting QA type of submissions. \n\nIf you've found a vulnerability impacting Code4rena's webapp, it's recommended to send a direct message to a specific team member or email the issue to security@code4rena.com. 
\n\nIt's important to note that after submitting an issue on the C4 website, users don't need to create an issue on GitHub as well. The C4 system does this automatically.\n\nIf you have any questions during the contest, CodeArena encourages you to reach out to the sponsor team.\n\nAs for the question regarding how the bounty price is handled if two people submit the same or similar bug, though it's not mentioned directly, the implication is that duplicate findings do receive a reward unlike traditional bug bounties. \n\nFinally, participants can seek support directly from the C4 website or review audit contest reports for best practices: https://code4rena.com/reports.", "Question: Can a delegate call be made from a receive function in a smart contract, and how does it interact with various aspects like storage, return values, and reverts?\n\nAnswer: Yes, a delegate call can be made from a receive function in a smart contract. In the context of Ethereum, a delegate call is a type of call that allows a contract to execute code in the context of itself, but the code being executed is from another contract. \n\nDuring a delegate call, the storage, current address and balance of the calling contract, not the called contract, are used. This allows the called contract to change the state of the calling contract. This behavior is critical for upgradeable contracts, where new behavior is added by delegate calling to a new contract's code while maintaining the state in the original contract.\n\nHowever, it's crucial to note that the implementation contract storage cannot be used to affect the delegate caller contract when delegatecall is in use. This implies that delegatecall won\u2019t affect the storage of the contract making the call. The storage layout of the delegate called contract should exactly match the layout of the storage of the contract making the delegatecall.\n\nRegarding return values, delegate call returns whatever the called contract returns. 
However, things can get tricky when a revert occurs in the target function. If the called function reverts, then the entire delegate call reverts as well. This has to be handled carefully to avoid unwanted outcomes.\n\nA contract using delegate call can interact with other contracts, such as ERC-721 or ERC-1155 contracts. These contracts may know if tokens were sent there because they have a recipient contract call onReceive. For example, one might call the safeTransferFrom function of an ERC-777 token contract in another smart contract. \n\nIn all such interactions, it's important to understand how the msg.sender value is affected. When a contract's own function is called with \"InterfaceA(address(this)).functionA();\", it would be considered an external contract call and would change the msg.sender value inside the function.\n\nMore information about how functions like delegatecall work with storage can be found in the Solidity docs and the Geth source code at https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302.", "Question: How do I become a participant in Code4rena's invitational contests?\n\nAnswer: To participate in Code4rena's invitational contests, you first need to become a certified warden. The process for certification can be found at [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors). Once certified, you can participate in both public and private contests. \n\nPublic contests can be found in the #\u270brsvp channel, and anyone who meets the qualifications can participate. On the other hand, private contests are only accessible to certified wardens, and details about these contests are found in the #\ud83d\udd96rsvp-certified channel. Some private contests are open only to those who participated in the original audit. \n\nFor all contests, you need to RSVP, and these are filled based on the sponsor's request and the 90-day leaderboard ranking of those who RSVP'ed. 
If you are interested in a private contest, make sure to maintain a high position on the leaderboards from the last 90 days. \n\nThere are potential opportunities for high-ranking wardens to be invited to special events like the C4 dinner, which is mainly for those with high severity findings on the leaderboard in the past year. \n\nYou may also join as a warden in upcoming contests by logging into your account or participating as part of a team. The method of registering a team can be found at [https://docs.code4rena.com/roles/wardens#registering-a-team](https://docs.code4rena.com/roles/wardens#registering-a-team). \n\nStay informed about upcoming contests by checking the respective RSVP channels regularly. If you meet all the requirements and are qualified to participate, you will receive an invitation link via email from Provenance.", "Q: Has the report for Frankencoin been published? If so, where can I access it, and how can I get notified of future publications?\n\nA: The report for Frankencoin has not yet been published as per the latest updates. However, reports are typically made public on our website at https://code4rena.com/reports where they are sorted by publication date. Additionally, the findings repository is also made public after the report is published and can be accessed on GitHub at https://github.com/code-423n4. For Frankencoin, you should also check the Frankencoin contest page on our site. Regarding notifications on new report publications, currently, there isn't a direct notification system in place. However, you can regularly check our website or the Discord channel where new report publications are typically announced. 
Please note that before the reports are published, there is a process of responsible disclosure, adopted from the guidelines at https://github.com/RD-Crypto-Spec/Responsible-Disclosure#the-standard, ensuring the findings are validated and any potential vulnerabilities are addressed.", "Question: Can you explain the mason role in CodeArena and how it may compare to other roles such as the minter, burner, scout, or certified warden?\n\nAnswer: The role of a \"mason\" in CodeArena is explained in detail at [this link](https://discord.com/channels/810916927919620096/810956862609424414/964680554509377577). It's important to note that our platform features several other roles like minter, burner, scout, and certified warden. Each role has different functions and responsibilities in the auditing process.\n\nFor example, a minter or burner is often a subject of discussion in smart contract audits. The scout role involves identifying potential vulnerabilities, whereas the role of a certified warden needs backstage access to examine certain reports, like the Chainlink Staking v0.1 on CodeArena. More about the certified warden role and how to get certified can be found at [this link](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints) and [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens).\n\nAdditionally, users may have questions about distinguishing between different roles in the contest such as a certified role and a backstage role. It's also worth mentioning that it's possible to be a warden and a mason at the same time.\n\nPlease note that understanding these roles is crucial for participating in CodeArena and contributing to the auditing process. 
We suggest that projects should add a trust model description for all involved roles to clarify their responsibilities and functions in the process.", "Question: \nCan you provide an update on the sharing of more details prior to the start of a contest, and tell me what happens to the findings during and after the contest?\n\nAnswer: \nCertainly. More detailed information about each contest, including \"Audit summary awards\", contest specifics and sponsorship details, are shared prior to the contest start through various channels and can be found here: [Link](https://discord.com/channels/810916927919620096/1111666431050919996). \n\nAlso, it's important to note that a contest can either be public or private - this will also be indicated in the details shared prior to the contest start. The public report page is updated mid-contest, and contestants are allowed to inquire about the progress and schedule of final reports.\n\nDuring a contest, any findings remain private until the report is finalized and published. This is to ensure fairness and accuracy. Contestants are allowed to discuss potential issues with the sponsor while the contest is ongoing. However, the submission rules do prohibit making these findings \"public\" until a contest is finalized. \n\nAfter a contest is closed, the findings are reviewed and triaged immediately, but they await sponsor review and final judging before being made public. Note that the sponsors may not have access to the findings repo before the contest ends. There is a certain period of time before the findings repo becomes publicly available for discussion, but the specific duration is not mentioned. \n\nProjects do have access to submitted findings before the contest completion. Remember, specific questions about the scope for a contest can be addressed to the respective sponsor. \n\nFinally, the timeline of various contests - past, present, and future can be found in the \"Past Contest Status Updates\" section. 
Our future audit events or contests are dependent on sponsors confirming details and dates. We are expecting a number of new contests in the coming month, including some that might not have been updated on the specific channels yet.", "Question: I wish to change my username on CodeArena. Can I use the same GitHub and Discord accounts during re-registration?\n\nAnswer: Yes, you can change your username on CodeArena, but this requires you to re-register. This also applies to changing your nickname. During this process, you can use the same GitHub and Discord accounts that you used previously. However, in the case of Discord, you should ensure that your nickname stays as your registered C4 username. \n\nIf you have updated your GitHub or Discord usernames, it is possible to reflect these changes in your C4 account. For Discord, you can update your username on the Account Management page of your warden profile. For GitHub, you can make a request for a change which will be processed by our team. Please note that an updated Discord username tied to your CodeArena account will help us tag you for any award announcements, though it doesn't affect receiving awards.\n\nFor other account details such as Twitter username, you should create a help desk request at https://code4rena.com/help. Please bear in mind, changing your username could affect your registration as a warden. If you wish to change your email as well, you can do this in the account settings, where you can also change your Discord and GitHub usernames. \n\nIf you experience any mismatches between your site username and Discord nickname, or if you have any other questions about updating your account details, please submit these through the Help Desk for review by our developer team.", "Question: What are the functions of different channels in the CodeArena Discord chatroom and how can I use them?\n\nAnswer: In the CodeArena Discord chatroom, different channels serve distinct purposes:\n\n1. 
`#\ud83d\udce2announcements`: This channel is where all updates, including contest results, are posted.\n\n2. `#profile-help`: Users should direct any queries related to their profile or report bugs in the new profile UI to this channel.\n\n3. `#\ud83d\udcbci-want-c4-to-audit-our-code`: This channel is intended for those who want to sponsor a CodeArena audit.\n\n4. `#\u270brsvp`: In this channel, users can find out about upcoming contests and public audits. If you wish to participate, you can \"raise your hand\" by reacting to the message. Furthermore, bot registrations for contests and the announcement of new public contests are also made here.\n\n5. `#\ud83d\udd06hm`: This channel's purpose does not pertain to findings in a contest.\n\n6. `#auth-help`: If you encounter any login issues, you can seek assistance from this channel.\n\n7. `#\ud83c\udfebeducation`: This channel is for users interested in learning about CodeArena auditing or starting a contest.\n\n8. `#\ud83d\udc3ai-want-to-be-a-warden`: If you wish to contribute as a warden, you will need to register by joining this channel.\n\nEach contest will also have its own dedicated channel for questions and code walkthroughs. These channels allow for general questions and direct messages (DMs) to sponsor team members.\n\nTo tag a specific channel, simply type \"#channel\" in your message. For example, if you want to tag the #\ud83d\udce2announcements channel, you would type \"#\ud83d\udce2announcements\". Registering as a 'warden' may grant you permission to specific channels.\n\nThere has been a suggestion to create an announcements-like channel named `#audit-reports`, where a new message is posted whenever a new report gets published on the CodeArena website, but it hasn't been implemented yet.", "Question: I'm new to smart contract auditing. 
Do you have a recommended approach and resources to get started, especially for larger projects?\n\nAnswer: Auditing smart contracts, especially for larger projects, is a complex process that requires in-depth knowledge and expertise. If you're just starting out, it's beneficial to first understand the foundational concepts. A useful resource to start is this [blog post](https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan) which provides a roadmap to approach auditing of big projects.\n\nFor more hands-on experience and learning, you might consider practicing on past contests and reading old audit reports. These resources: [cmichel.io](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and [docs.code4rena.com](https://docs.code4rena.com/roles/wardens/tools-and-resources) provide additional learning materials.\n\nIn the process of auditing, you'll encounter various aspects such as gas optimization and running audit contests. For such specific inquiries, you can always ask questions on our platform.\n\nCodeArena is primarily targeting auditors for contributions, hence, you might consider becoming an auditor. This transition may involve reverse engineering, reading old audit reports and persistence. For instance, a set of past reports are available at [ChainSecurity](https://chainsecurity.com/audits/).\n\nIn terms of tools used for audits, you might have to decide between Hardhat/Truffle or Foundry. Similarly, you may need to understand how to use 'brownie' in the context of auditing. \n\nFinally, remember, auditing is not just about identifying vulnerabilities, but also providing solutions or mitigations. It's a continuous learning process and requires patience and dedication. 
You can also be a part of private competitive audits to further enhance your skills.", "Question: When and where can I find the recordings of the CodeArena office hours sessions?\n\nAnswer: The recordings of the CodeArena office hours sessions are typically uploaded on the CodeArena YouTube channel (https://www.youtube.com/@code4rena) in the early part of the week following the session. However, there is some uncertainty about the exact timing. Please note that not all audits at CodeArena have office hours. Information about the office hours for audits, including upcoming sessions, is shared in the C4 rollup in our #announcements. In addition, it's worth mentioning that not only the office hours but also other contest-related videos and post mortems can be found on our YouTube channel.", "Question: How can I become a certified auditor and participate in the Private Competitive Audits at CodeArena?\n\nAnswer: To participate in the Private Competitive Audits at CodeArena, you need to become a certified warden. This process involves completion of the KYC (Know Your Customer) process and obtaining certification. Specifics about the certification process can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.\n\nAs a certified warden, you might be eligible to join private auditing contests, although the specific eligibility criteria for each opportunity are listed in the #\ud83d\udd96rsvp-certified channel on our Discord. For some contests, certification might be sufficient, but others might require additional qualifications or even a ranking on the leaderboard. Some contests are only open to those who participated in the original audit.\n\nIt's important to note that not all audits require you to be a certified contributor. For example, public audits do not require registration. 
Announcements about private contests are made, but these should not be confused with open public audits as different projects have different audits. \n\nLastly, if you are interested in auditing but do not wish to focus on the blockchain's frontend, becoming a security auditor might be a suitable option for you. Also, if you're part of a company that's interested in running an audit contest, we would be happy to provide the necessary guidance. \n\nPlease refer to https://docs.code4rena.com/roles/wardens for detailed instructions on how to register as an auditor and start auditing.", "Q: Can I register or link the same GitHub or Discord account to my CodeArena account, even if my username was changed or my account was hacked? \n\nA: Yes, you can link the same GitHub or Discord account to your CodeArena account, even if your username was changed. However, please bear in mind that changing your username on Discord or GitHub would require you to update it on your CodeArena account as well. You can do this through the Account Management page of your warden profile. Note that your Discord nickname should remain as your registered C4 username for ease of communication, especially for award announcements.\n\nIn case your account was compromised or hacked, it is highly recommended to secure your account and report it through our Help Desk for further review by the developer team. \n\nMoreover, while users can change their email, discord, and GitHub username in the account settings, they cannot change their account names and wallet logins. You may also request changes to your Github username, but such requests need to be processed by our team. \n\nParticipants can also link their GitHub repositories as proof of concept in their finding submissions. 
However, if you face technical issues with viewing the repo or submitting findings, please ensure that your GitHub account is logged in and it is the same account given for C4.\n\nPlease refer to these resources for more information: \nDiscord username change: https://discord.com/channels/810916927919620096/810931711609143326/1119321495987032144\nReporting issues in the codebase: https://discord.com/channels/810916927919620096/810936719003090974/1134472653437145149\n\nFinally, if you're considering creating a second account, be aware that signing up as a certified contributor with multiple accounts is allowed, as long as you only participate with one.", "Question: What is the process for participating in office hours for audits at CodeArena?\n\nAnswer: At CodeArena, not all audits have scheduled office hours. When there are office hours for an upcoming audit, the information is posted in the C4 rollup in our #announcements channel on Discord. The number of audits varies, but on average, there are 2-5 audit projects per week.\n\nParticipation in these audits doesn't require registration if it's a public audit. For private audits, usually, certified wardens are eligible to attend, but there might be other conditions to meet. The certification process is something that takes time and has specific requirements, as seen through inquiries about how long it takes to become a certified auditor.\n\nWe also have invitational audits, where only specific wardens are invited. For all types of audits, it's possible to ask questions about the findings of past projects. Furthermore, users can join teams and participate in the audits, and teams can also participate in auditing contests. \n\nOffice hour sessions are recorded and uploaded to our YouTube channel for future reference, and the link to the recording will be shared early the following week. 
\n\nWe also have a booking team at CodeArena that can assist with setting up audits, and any inquiries about auditing projects can be made online. \n\nFor further assistance and guidance, the community is open to discussions regarding auditing research, and suggestions for improvements - such as hosting more web2 whitebox audits - are always welcome.", "Question: What is the procedure if someone sets a recipient address and initiates a flashloan on Code4rena?\n \nAnswer: In the case of flashloans on Code4rena, the recipient contract is responsible for performing any necessary validations to ensure no loss of funds by the end of the operation. For smart contracts, a proposed way of handling flashloans is to use a flag to allow or disallow the flashloan, similar to a reentrancy guard. However, it's important to note that this approach may result in additional gas overhead. \n\nIf you have set a recipient address and initiated a flashloan, you can change the wallet address where you receive awards if needed. The rewards for the report will be distributed to the new wallet address you provide. Remember, if you change your wallet address, rewards will be sent to the wallet address on file at the time the awards are calculated for an audit.\n\nPlease note that if your wallet is compromised and you change your payment address, you should create a help desk request if you logged in via the same wallet. If you have lost or forgotten your wallet address to receive the bounty, refer to the email you received when the bug report was submitted. \n\nIn case of any questions or complications, please reach out to our support team via a help request at https://code4rena.com/help. 
You can also find more information about changing your wallet address at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards.", "Question: What is the process and timeline for becoming a Certified Contributor with CodeArena, including completing the Know Your Customer (KYC) verification?\n\nAnswer: To become a Certified Contributor with CodeArena, you first need to apply for KYC certification. This involves submitting a KYC application, which can be initiated at https://docs.code4rena.com/roles/certified-contributors. Provenance, our KYC provider, typically sends the KYC mail within one business day after the application is submitted. Please be aware that the email might be sent from compliance@provenance.company and could appear in your spam folder.\n\nThe KYC process itself can take a week or longer to complete and may involve some back and forth between the user and Provenance. After Provenance approves your KYC, there is a processing period. The certification process can move more quickly if you supply the necessary documents promptly. \n\nOnce KYC approval is confirmed, CodeArena team will process your role. The process of getting a 'Certified' status confirmed and added to your profile generally takes a few days, and in some cases, it can range from 2 days to 5 business days. However, some users have reported waiting for 10 days or even 2-3 weeks to receive the KYC email and another 2 weeks to get the 'Certified' status after submitting the application.\n\nOnce you've completed the KYC process, you can apply for Certified+ after a high finding. To participate in a private audit, you'll need to complete the KYC process and obtain certification. More details on this can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. 
It's important to note that you'll need to complete your certification within 30 days of the end of an audit to receive your payout.\n\nIf there are delays or if you have further questions, you can open a help desk request at https://code4rena.com/help. It's worth mentioning that sometimes there may be pauses in backstage access request processing, which could take up to 24 hours after KYC is admitted.\n\nPlease remember that the timeline can vary, and the information provided here is based on typical experiences shared in our community.", "Question: Can a flashloan be forced onto a recipient and what measures can be taken to ensure secure handling of such transactions?\n\nAnswer: When it comes to flashloans, it's vital to understand that they are often a legitimate aspect of decentralized finance protocols. However, it is possible for a person to start a flashloan and force the recipient to accept it. The recipient of such flashloans, usually a smart contract, needs to be cautious. It's important to note that the funds and fees from the flashloan must be returned in the same transaction. If the recipient contract behaves inappropriately under a flashloan, it's the recipient contract's fault and it's their responsibility to perform any necessary validations. This includes making sure no funds are lost by the end of the operation.\n\nHandling flashloans in the context of smart contracts may involve the use of a flag to either allow or disallow the flashloan. This mechanism is similar to a reentrancy guard, though it does come with a gas overhead. Additionally, it's crucial to be aware of potential risks such as depositing funds into an uninitialized contract, which could make the contract vulnerable to ransom attacks.\n\nFurthermore, it's worth noting that flash loans can be obtained from different networks, such as the BSC network, potentially with a low fee and high liquidity. 
For instance, PCS is one such source of flash loans on the BSC network.\n\nFor more detailed information about exploit smart contracts and flash loans, you can refer to resources such as this post on FEG token flashloan exploit analysis at [https://www.certik.com/resources/blog/w6AxRmf6l2ow4zL884gr8-feg-token-flashloan-exploit-analysis](https://www.certik.com/resources/blog/w6AxRmf6l2ow4zL884gr8-feg-token-flashloan-exploit-analysis). It's important to stay vigilant and keep yourself updated about potential scams and exploits in the DeFi space.\n\nLastly, it's important to mention that flashloans are a part of a broader category of operations in the DeFi space, which also includes flash minting. While flash loans involve borrowing an asset at one price in one market and selling it at a higher price in another market within a single transaction, flash minting refers to the creation of new tokens, which are then immediately redeemed or burned.", "Question: Could you explain the impact of using a flag for managing flashloans, similar to a reentrancy guard, on gas optimization, and what are some other considerations or alternatives to this method?\n\nAnswer: Yes, using a flag to manage flashloans in the context of smart contracts could be a beneficial strategy. This is similar to a reentrancy guard that might be used to protect against potential risks associated with reentrancy attacks, as discussed in this CodeArena report [https://code4rena.com/reports/2022-12-caviar#l-01-missing-reentrancy-guard-to-withdraw-function].\n\nHowever, one of the key considerations here is the gas overhead associated with this strategy. Implementing a flag could increase the gas costs. There are several techniques to optimize for gas in smart contracts. For instance, using the 'unchecked' command in loops, not initializing default variables or the loop variable to 0 in for loops, or function inlining can save gas. 
Also, you could exclude the increment (++i) in a for loop or cache a storage pointer in smart contracts to reduce gas costs [https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations].\n\nFurthermore, it's important to remember that in the case of flashloans, it's the responsibility of the recipient contract to perform any necessary validations to ensure they don't lose any funds by the end of the operation. \n\nMoreover, there are other possibilities to consider, such as adding an emergency withdrawal function to clear tokens from the contract, checking for account existence before calling .call() on it, or using the safeTransferFrom function of an ERC-777 token contract depending on the token used and the expectation of the code.\n\nLastly, it's crucial to understand that certain methods such as using a flag for flashloans or other gas optimization techniques can depend on various factors including the specific use case, contract size, Ethereum transaction context, and the costs of storage or calldata.", "Question: I'm trying to use console.log in Foundry to print local variables declared inside a function, but I'm encountering an issue that says \"console - undeclared identifier\". How can I resolve this and successfully use console.log in Foundry?\n\nAnswer: Yes, you can use console.log in Foundry to print local variables that are declared inside a function. Foundry, a framework primarily used to write and execute tests, comes with console.log in its library by default. If you're having trouble declaring console, it might have to do with how you're importing it. A common practice is to import console.sol inside the original Contract itself, and not necessarily inside a specific .sol file.\n\nIn case the issue persists, it could be related to opcode support within Foundry or due to an error message like \"Source from artifact has no AST.\" when running forge debug on a hardhat project with Foundry integration. 
Foundry also offers tools for checking storage, debugging hardhat tests, and introspecting contract execution at the EVM opcode level through the \"foundry debug\" feature. \n\nIf you're using it in synergy with Hardhat, remember that Foundry can be used in a project that employs Hardhat. A base template for this integration can be found [here](https://github.com/foundry-rs/hardhat-foundry-template). \n\nAdditionally, you may want to watch these tutorials for a more comprehensive understanding of the Foundry framework: \n1. [Foundry Tutorial 1](https://www.youtube.com/watch?v=Rp_V7bYiTCM)\n2. [Foundry Tutorial 2](https://www.youtube.com/watch?v=EHrvD5c93JU)\n\nIt's also worth noting that difficulties have been reported with logging gas remaining after the state variable update using foundry. If you're encountering similar issues, it could be worth reaching out to the community for further guidance.", "Question: How can I confirm if I'm certified within CodeArena and what does this certification entail?\n\nAnswer: You can confirm your certification status in a few ways. After your application is approved, you will receive an email from Provenance. Also, you can click on your username on the platform to see your assigned roles. It usually takes 2 to 5 business days for the 'certified' status to reflect on your profile after being approved. \n\nBeing certified in CodeArena means that your identity has been verified, and this verification allows you to participate in more contests, including private audits and certified contests, and even gives you backstage access. It's important to note that being certified does not require a full-time commitment from you. \n\nThe certification process involves applying after a high finding and completing a Know Your Customer (KYC) verification through Provenance. 
You can start the certification process by following the guidelines at https://docs.code4rena.com/roles/certified-contributors.\n\nIn case you are interested in a higher level of certification, such as Certified+, you should know that it might require more stringent prerequisites like being in the top 3 in 3 contests or making a high finding. Also, keep in mind that to apply for Certified+ after a high finding, you will need to have completed your KYC verification.\n\nIf you haven't heard back about your certification status within the stipulated time, feel free to open a help desk request. Please remember that Versus contests are only for certified wardens.", "Question: How can I effectively use console log and deal with common issues in Foundry for smart contract auditing?\n\nAnswer: Foundry, a framework used for smart contract testing, comes with console.log as a part of its default library. This tool can be used effectively to print local variables that are declared inside a function, helping in checking aspects such as storage. \n\nTo install Foundry, you can simply use the 'npm install foundry' command. There is also an option to install Foundry with Docker. However, be aware that some users have reported encountering errors with this method. For projects that employ Hardhat, a base template for integrating Foundry can be found at https://github.com/foundry-rs/hardhat-foundry-template. \n\nThere are also tools available to debug Hardhat tests or introspect contract execution at the EVM opcode level, one of which is \"foundry debug\". Yet, it's worth noting that there have been reports of issues with opcode support in Foundry. Also, when running forge debug on a hardhat project with Foundry integration, an error titled \"Source from artifact has no AST\" might occur. \n\nFor further understanding of the Foundry framework, you can refer to these YouTube links: https://www.youtube.com/watch?v=Rp_V7bYiTCM and https://www.youtube.com/watch?v=EHrvD5c93JU. 
\n\nLastly, if you are trying to log gas remaining after the state variable update using Foundry and are encountering difficulties, it might be worth looking at Hardhat as an alternative tool for generating a gas report. \n\nPlease note that while Foundry can be a great tool for local testing, it's not without issues and there are alternatives like Hardhat available. Always assess which tool is best for your specific project requirements.", "Q: I submitted a Certification Application to become a Certified Warden but haven't received any communication yet. How long does the process usually take and how will I know if I have been approved?\n\nA: The process to become a Certified Warden with CodeArena (C4) involves submitting your application and identity verification to Provenance. After the Provenance team approves your application, it can take approximately 2-3 weeks for you to receive a Know Your Customer (KYC) email. This email comes from compliance@provenance.company and might appear in your spam folder, so please check there as well. After receiving the KYC email, it generally takes a few days to a week for your certified status to reflect on your profile. \n\nPlease be aware that there may be delays in the process. If you haven't received an email within this timeframe, it's recommended to create a help desk request for assistance. Notably, you should receive a confirmation email for each submission including your application to become a Certified Warden. This email serves as acknowledgement of your submission and should arrive within a few minutes of your application.\n\nAdditionally, if you believe you have qualified for a higher status like Certified+, please contact us through the help desk form for further guidance. Certified status is also communicated via email and can be checked by clicking your name to see your assigned roles. 
\n\nIf you have submitted a report for the first time, the status of your submission can also be confirmed through a confirmation email. Be aware that due to the number of submissions, it may take some time before your finding is confirmed via email. If your submission fails, the form should return an error.\n\nPlease note that the process to get 'certified' status confirmed and updated on your profile takes approximately 2 to 5 business days. Do reach out if you have any further queries or face any inconsistencies in the Certified Warden application and response email.", "Question: Can I utilize console.log in Foundry, and what are some other features and issues that I should be aware of?\n\nAnswer: Yes, you can use console.log in Foundry. Foundry is a framework designed to write tests and it comes with console.log built into its library by default. This allows you to print local variables that are declared inside a function. Foundry also provides other tools to assist in checking elements like storage. \n\nIt should be noted that projects using Brownie for testing can also be written in Foundry. To install Foundry, you may use Docker, although some users have reported encountering errors during this process. Additionally, there may be issues regarding opcode support in Foundry.\n\nFoundry also offers a tool called \"foundry debug\" to debug hardhat tests or introspect contract execution at the EVM opcode level. You can also deploy contracts in Foundry that take a struct as an argument in the constructor and send ether with the constructor while deploying a contract.\n\nIf you're working on a project that uses Hardhat, Foundry can also be integrated. 
A base template for this can be found at https://github.com/foundry-rs/hardhat-foundry-template.\n\nThere are two YouTube links that can help you understand the Foundry framework better: https://www.youtube.com/watch?v=Rp_V7bYiTCM and https://www.youtube.com/watch?v=EHrvD5c93JU.\n\nIf you face issues like \"Source from artifact has no AST.\" when running forge debug on a hardhat project with Foundry integration, know that it's been reported before and you might want to seek assistance from the community.\n\nDo note that to directly call internal functions within Foundry, you would need to write and use a child contract like wrappers. If you need to impersonate an account, it is possible via vm.prank(address).\n\nLastly, Foundry can fork data from a live network like a main or test net and run it locally, providing an alternative to public testnet. This can be especially useful as it saves you the need to grab testnet tokens for transactions or wait time on blocks. Please be aware, however, that some users have reported difficulties when executing Foundry fork testing in the Polygon POS network.", "Question: What should I do if I don't receive a response from Provenance or Code4rena after submitting my documents or help desk request?\n\nAnswer: If you do not receive a response from Provenance or Code4rena within a week of submitting your documents, you can open a help desk request on Code4rena's website at https://code4rena.com/help. This includes issues such as not receiving an email after registration, after applying for KYC, or after submitting a finding. When you submit a help desk request, you will receive a confirmation that your request has been received. The status of your request can be followed up, and you should get a response within a week. If the issue persists, such as not receiving a response after sending a ticket to Code4rena, you can nudge them for a response. 
Please note that KYC requests through Provenance may take more than a week to get a response, and there have been instances where users do not receive emails from Provenance. It is also important to check your spam folder for emails from Provenance or Code4rena.", "Question: What options exist for practicing auditing of smart contracts on CodeArena and are there any resources for beginners?\n\nAnswer: CodeArena offers a variety of options for users to practice and improve their auditing skills. You can choose to practice on both unaudited contracts and previously audited ones. \n\nFor beginners new to auditing, recommendations on past contests to practice on and to read old reports can be found in the platform. Users can also ask questions about findings of past projects. This can serve as a valuable resource for understanding common issues and best practices. \n\nIf you are interested in delving deeper into the intricacies of contract auditing, you can participate in private audits. These typically require certification, but upon confirmation from provenance, participation is possible. \n\nWhile auditing, it's important to note that some of the contracts you'll be working on could already be deployed, while others may not be. This means that you'll have the opportunity to engage in the audit process before the code is complete. \n\nAlso, keep in mind that CodeArena's focus is not only on auditing contracts. Users have also expressed interest in smart contract gigs, which implies that there may be other forms of engagements that could be beneficial to your learning process. \n\nFinally, a helpful resource is this video that explains some aspects of contract auditing: [https://www.youtube.com/watch?v=wCD3fOlsGc4](https://www.youtube.com/watch?v=wCD3fOlsGc4) \n\nRemember, auditing is a process of constant learning and improvement. 
Don't hesitate to ask for help on the platform when needed.", "Question: \nIn a scenario where a user can push to an array, causing a Denial of Service (DOS) for everyone else and breaking system functionality, should this be considered as a low severity bot race finding, or should it be categorized differently? \n\nAnswer:\nThe situation you described where a user can arbitrarily push to an array, causing a Denial of Service for all users and breaking system functionality, is not considered a low severity bot race finding. Despite the initial low severity ranking by a contest's bot report, such a scenario should be submitted as a High/Medium severity issue. This escalation is not automatically invalid but would require the participant to provide strong evidence demonstrating a relevant High or Medium severity exploit path to be considered satisfactory. There is a higher burden of proof when using automated tools for such findings. In some cases, a bot may identify an issue and even propose a fix, but it's important to note that the fix could potentially introduce a more damaging exploit. Therefore, it's essential to carefully analyse and validate any proposed fixes by bots. \n\nFor vulnerabilities identified by bots, they can potentially be rated lower than their actual severity, and then the vulnerability can be reported again during the contest by a warden and awarded with the higher severity based on provided evidence.\n\nThe guidelines and criteria for judging such escalations are explained in Code4rena's submission policy: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Q: I submitted an issue here regarding differences in judging and am worried it will not get resolved before the contest is finalized. Can any staff look at the issue I submitted? \n\nA: Yes, your issue will be looked at by the relevant staff. They evaluate each issue strictly based on what was submitted. 
If you feel the need to update your submission or if you disagree with a decision about a contest judgement, you can review issues at https://github.com/code-423n4/org/issues. Here you can add comments on existing issues, support existing suggestions, or open a new issue if your concern is not already addressed. If the contest hasn't ended, you can update your submission, especially if the correct bug issue is submitted with an incorrect proposed solution. \n\nThe judging process may take some time, especially considering the significant increase in contest submissions. Please be aware that the judges pick the primary issue based on the best write-up rather than the order of submission to encourage high-quality submissions. If you submitted issues for a contest but did not make the award list, your issues may have been rejected. You can confirm by reviewing the available report once it's out and the repository is fully opened. \n\nPlease note, each issue submitted in a contest is evaluated individually, and judges do not have the capability to \"multiply\" an issue. Also, if there are concerns about the golom contest, you are advised to resubmit the issue and then create a help desk request to withdraw the invalid submission. \n\nRemember, you can alter the severity of reported bugs after the contest closing time either through the PR or by contacting one of the judges. Changes to after contest bug reports can be passed to the judge through designated contact points. \n\nIn case of duplicate submissions at the end of the contest, the judging criteria can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions. \n\nIf at any point you have concerns about the validity of the issues submitted or about inconsistencies in the contest process and results, these can be discussed and reported in the 'issues' section of the organization's Github repository [https://github.com/code-423n4/org/issues]. 
\n\nLastly, it's good to note that judges and sponsors appreciate when similar submission issues are grouped together. This helps to streamline the judging process and also helps in reducing the judging backlog.", "Question: I have submitted all my documents for the Know Your Customer (KYC) process to Provenance for certification but haven't received any response even after the 48 hours deadline. Can anyone provide guidance on how long this process typically takes and how will I know if I get certified?\n\nAnswer: The KYC process through Provenance may take more than the stated 48-hour deadline. It can take up to a week or even 2-3 weeks in some cases to get a response. After you have submitted your application, Provenance typically sends the KYC email within one business day. It's usual for the process to involve a back-and-forth between the user and Provenance, which can take extra time. If you've been certified and applied for KYC, you will receive an invitation link via email from Provenance. \n\nPlease note that after you get KYC approval, there is a processing period on Code4rena's end. The status from Provenance is generally updated within 5 business days by the C4 team. It can take a few more days for your new role to reflect on your profile after the process is complete. \n\nIf you haven't received a reply within a week or if your process seems to be delayed beyond the usual timeframe, you can nudge Provenance for a response. If there is still no response after a few days, you can open a help desk request on Code4rena's website at [https://code4rena.com/help](https://code4rena.com/help). \n\nRemember to regularly check your email, including your spam folder, for a response from Provenance. Also, supplying the necessary documents promptly to the KYC provider can help speed up the process. Provenance may have more detailed requirements for documentation than what is outlined in C4's guidelines, so be prepared for possible additional requests. 
\n\nLastly, remember that the certification process is approved by Provenance, and the status of the process is updated via email, so ensure you're monitoring your inbox.", "Q: How does CodeArena grade basic analyses and decide whether they are eligible for rewards?\n \nA: CodeArena uses a grading system for the evaluation of smart contract audit reports or findings. The grading spans from A, B, C down to unsatisfactory, which is often labeled as \"grade-c\". Not all reports or findings guarantee a reward. They need to meet certain quality standards to be deemed satisfactory and qualify for rewards. \n\nThe grading system for Quality Assurance (QA) and gas reports is particularly important. Rewards are divided based on the grade of the report and the gas savings that have been achieved. Grade A and B reports are eligible for rewards, with Grade A reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus. \n\nHowever, submissions judged as 'C' score or 'unsatisfactory' do not qualify for rewards. This includes valid yet non-critical findings such as the presence of \"Open Todos\" or the \"use of Block.timestamp\". It's also important to note that the number of issues reported doesn't necessarily determine the grade. A report could have one good issue to be a grade B, or it could have multiple low-impact issues and still be a grade C.\n\nJudges consider both the quantity and quality of submissions when grading QA reports. An individual item in a QA submission is unlikely to receive a high grade. 
The grading system is explained in more detail here: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n\nIn cases where no high or medium issues are found in a contest, the entire rewards may move down to Quality Assurance (QA). This decision is based on the findings' severity and the value it adds to the improvement of the smart contracts under audit.\n\nFinally, the grading of basic analysis is clarified in more detail in this Discord conversation: [https://discord.com/channels/810916927919620096/1111666431050919996/1111674611646611567](https://discord.com/channels/810916927919620096/1111666431050919996/1111674611646611567)", "Q: How can I obtain the backstage role at CodeArena and what qualifications are necessary?\n\nA: The backstage role at CodeArena is a privileged role that provides additional access and capabilities. To qualify for this role, individuals must meet several criteria, which often includes being a certified contributor and identifying a high vulnerability. In some cases, the participant must have a certain number of findings in different areas or of different scores. The backstage role allows users to view reports of past contests, among other things.\n\nOnce you meet these qualifications, you can apply for the backstage role through a help desk request. Bear in mind that access to the backstage role was traditionally based on a trust model, but future access may involve additional constraints or consequences. 
Sometimes the backstage functions may be closed, so availability can vary.\n\nFor detailed information on the qualifications for the backstage role and the application process, please visit https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. If you need to understand more about the certification process that precedes backstage access, you can find useful information at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. If you meet the criteria, you can request backstage access via a help desk request at https://code4rena.com/help.", "Question: Can one become a security auditor in the field of smart contracts without focusing on the front-end aspect of the blockchain? \n\nAnswer: Yes, it is possible to be a security auditor without focusing on the frontend of the blockchain. Smart contract auditing is a special area which doesn't necessarily require front-end skills. As a smart contract auditor, your main focus would be on the security of the smart contracts. \n\nFor those looking to start their journey in smart contract auditing, resources such as [How to Become a Smart Contract Auditor](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and the [Wardens Tools and Resources](https://docs.code4rena.com/roles/wardens/tools-and-resources) can be very beneficial. \n\nIt's also worthwhile to read and understand old audit reports such as those available at [ChainSecurity Audits](https://chainsecurity.com/audits/) to gain better insights into the process. Reverse engineering is a highly recommended path to becoming an auditor. \n\nIn terms of choosing between smart contract security and web2 security as a career, it is advised to focus on what you're most interested in and enjoy doing. While there's interest in expanding the scope of audits to include web2 whitebox audits and pentesting audits in the crypto space, CodeArena is currently primarily focused on contract audits in the crypto space. 
\n\nFor those looking to contribute to projects and potentially take part in private competitive audits, becoming a warden is suggested. However, it's important to note that this process involves Know Your Customer (KYC) and Non-Disclosure Agreement (NDA) procedures for security reasons. \n\nWhile tools such as fuzzing tools and solidity linter can be helpful in auditing, it's also worth noting that many still opt for audits despite automated tools reporting vulnerabilities. This is because automated tools cannot catch all potential issues, and auditing provides a more thorough and in-depth analysis. \n\nLastly, even if you are a beginner or face challenges in identifying vulnerabilities, platforms like CodeArena are open to helping, and you can even engage in the audit process before your code is complete.", "Question: How can I get Ethereum (ETH) on the Goerli testnet for ethernaut?\n\nAnswer: You can obtain ETH on the Goerli testnet by using polygon/sepolia. This method was suggested in a discussion in our chat. However, some users have reported issues such as \"insufficient funds for gas * price + value\" with the Goerli faucet hosted by Mudit. As such, we cannot guarantee its effectiveness. \nIf you are seeking to perform transactions or test your smart contracts, another alternative to consider could be using Foundry for local forking. This method would eliminate the need to obtain testnet tokens.\nAdditionally, for testing on different networks, you can also obtain Rinkeby testnet tokens from this faucet: https://faucet.rinkeby.io. \nMoreover, when testing or submitting findings, ensure to register your handle and ETH address to receive your share. This process also includes a field for the polygon address.\nFor further learning and advancing your knowledge in solidity and defi industry standards, resources like The Ethernaut challenges and Damn Vulnerable DeFi are recommended. 
Check them here: https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/.\nPlease note, to perform transactions on different networks, you can switch the network in your Metamask to Polygon Mainnet, copy your public keys, and paste them into Code4rena.", "Question: I've been conducting forge tests on Foundry and noticed that the public getter functions for state variables marked as public aren't showing up in the function table. Is there a way to see these functions and their gas costs?\n\nAnswer: In Solidity, getter functions are automatically generated for public storage variables, constants, and immutables which aren't stored in storage. You can read more about state variable visibility in the Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.13/contracts.html#state-variable-visibility).\n\nWhen it comes to measuring gas costs, Foundry and Hardhat are recommended tools. Foundry has a debug feature you can use for introspecting contract execution at the EVM opcode level, and you can also generate a gas report using Hardhat. You may need to adjust the 'REPORT_GAS' function in the 'test' command found in the 'package.json' file. Gas costs in Foundry are measured in units of gas. You can use the Hardhat gas report plugin to benchmark your code for gas savings.\n\nRemember, gas optimization inside view/pure functions can be reported, but there might be some challenges when trying to log gas remaining after the state variable update within Foundry. 
The purpose of gas reports isn't explicitly clarified, but it can be inferred that they are to show Proof of Concept for gas savings or at least a description and mention of gas saved.\n\nIf you encounter issues like the \"Source from artifact has no AST.\" error when running forge debug, or you're trying to run foundry fork testing in Polygon POS network, it's advisable to seek guidance in the community or from the Foundry team.\n\nIt's worth noting that the Hardhat Foundry can fork its state from a public testnet or even the mainnet, making it a more convenient option for testing smart contracts. For reference, you can check out a recent CodeArena report [here](https://code4rena.com/reports/2022-11-non-fungible/#gas-optimizations).\n\nRemember, gas optimization is a critical aspect of smart contract development and auditing, and at CodeArena, it's an aspect we pay great attention to. If you need further clarification on gas optimization, don't hesitate to ask in our community.", "Question: Do you have any updates or details about the changes discussed at https://github.com/code-423n4/org/discussions/91#discussioncomment-5289561?\n\nAnswer: While there isn't a specific update in our chat regarding https://github.com/code-423n4/org/discussions/91#discussioncomment-5289561, we've had several discussions around different issues on our GitHub page. The changes discussed at https://github.com/code-423n4/org/discussions/91 are mainly aimed at helping people comply with tax regulations. \n\nYou may also find it useful to review other issues and discussions on our GitHub for additional context. For instance, if you have concerns about inconsistency, process, or lack of clarity in our rules, you can review issues at https://github.com/code-423n4/org/issues. Here, you can add fact-based comments, support suggestions, or open new issues. 
\n\nAlso, if ever a decision about a contest judgement is disagreed upon, the same link provides a platform for participants to voice their thoughts. \n\nFor more technical issues, there's a link to a reported issue for review and possible creation of a coded POC at https://github.com/code-423n4/2023-06-lybra-findings/issues/364#issuecomment-1689165295 and a proposed fix for a submission issue at https://github.com/code-423n4/code423n4.com/pull/2338. \n\nFurthermore, information on our 'known issues' policy can be found at https://github.com/code-423n4/org/discussions/50. We're continually striving to improve the process and appreciate your understanding and patience.", "Q: I am experiencing difficulties while trying to add a new member to my team on CodeArena. Can you guide me through the correct process and help me understand any potential issues that could be causing this error?\n\nA: To add a new member to your team in CodeArena, you must submit a team request at this link: https://github.com/code-423n4/code423n4.com/pull/28. Once the team pull request is processed, the new member should be added to the team. \n\nThere can be a variety of technical issues that could cause errors while adding new members. For instance, some users reported a blank page appearing while trying to select team members during the creation process. You may also encounter problems if there's a space in your Discord handle when submitting help forms. \n\nIf you're unable to add a team member after trying again on a different day, or if you're experiencing other issues with team management, please open a help desk request at https://code4rena.com/help. It's important to remember that a team's membership can be modified by submitting such a request. \n\nFurthermore, it has been noted that there can be difficulties in managing team members who want to participate solo in a contest that their team is auditing. 
It's essential to understand that once a participant joins a team, they are not obligated to always participate as a team.\n\nWe understand these processes can be complex, and we're here to help ensure your experience on CodeArena is efficient and trouble-free. If you're still facing issues, please don't hesitate to reach out to our help desk for further assistance.", "Question: What is the process for submitting and reviewing pull requests (PRs) on CodeArena?\n\nAnswer: When you submit a PR on CodeArena, it needs to be approved by a member of the C4 team before it can be merged. You can submit a PR for various purposes, including updating team information, submitting findings as a team, reporting issues, or making changes to your Github user requests. If you're submitting an issue, particularly one involving various lines changed, you can send a git patch or a PR to the repo. You can also add your team handle when reporting issues through a PR. \n\nAfter submitting a PR, you might unsure about the severity of the issue you reported. If this is the case, you can alter the severity of reported bugs after the closing time of the contest either through the PR or by contacting one of the judges. A process is in place to help you understand why a bug was not accepted, which can help improve future submissions. \n\nNote that checks don't fully run for external PRs on the CodeArena platform. If a team creation process has started but didn't pass the checks, this might be due to prioritization of other tasks such as merging awards. \n\nYou can see merged PRs at https://github.com/heiho1/code423n4.com/pulls, and the status of specific PRs can also be found through their individual links. For instance, the pull request at https://github.com/heiho1/code423n4.com/pulls was confirmed to have been merged. \n\nRemember, part of the process might also include a KYC inquiry. 
If you have further questions or concerns about the process or the status of your submission, feel free to reach out on the platform.", "Question: How does CodeArena classify a mismatch between documentation and code, and what is the process for changing the severity of an issue?\n\nAnswer: At CodeArena, a mismatch between the documentation and the code is generally categorized as a Quality Assurance (QA) issue, unless a significant impact is identified. If there's any uncertainty about the severity of a finding, it should be filed as QA. \n\nHowever, the severity of an issue can be adjusted based on further evaluation. If a finding is submitted as low in a QA report, but the judges determine that it's a medium, it will be eligible for medium rewards as per CodeArena's guidelines. Similarly, if a reported issue is incorrectly categorized as medium, CodeArena judges have the ability to upgrade it to high. The judges can even downgrade medium issues to QA and consider them alongside your QA report when grading. \n\nIt's important to note that the judges consider both the quantity and quality of submissions when grading QA reports, judging criteria for which are explained in detail at https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical. They also have the ability to upgrade items from your QA report if they feel the severity should be higher.\n\nIn the scenario where no high/medium (H/M) issues are found in a contest, the entire rewards may move down to Quality Assurance (QA). The exact criteria for low, medium, and high severity issues can be found at https://docs.code4rena.com/awarding/judging-criteria/severity-categorization.\n\nRemember, it's essential to accurately classify the severity of issues in your reports. If a high severity bug is found to be only medium, you'll receive the reward for a medium bug. 
However, if an issue submitted as high severity is downgraded to medium, it would not be considered as overinflated severity and thus invalidated, as per the guidelines at https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions.\n\nFor further information on CodeArena's incentive model and awards, you can refer to https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.", "Q: I am having difficulties in accessing the CodeArena site, is it just me or is there a common issue?\n\nA: We understand that users experience intermittent troubles with the site, which can range from logging in, accessing certain resources or links, and even submitting findings. These issues could be due to various reasons including technical glitches, local storage problems, or even DNS issues. It is also worth noting that there are certain privileges, such as being a part of the \"backstage\" group, which may restrict access to certain resources. Mobile users may also face challenges in performing tasks on the site. We suggest checking the status of the site at https://downforeveryoneorjustme.com/code4rena.com to see if the problem is on our end or yours. If the site is up and you're still having trouble, try refreshing the page or changing browsers. If issues persist, rest assured that our team is aware and works promptly towards finding a resolution. If you're submitting for a contest and face issues, please contact us immediately to avoid missing deadlines due to any technical difficulties.", "Question: What is the process and timeline for becoming a Certified Warden with CodeArena, and what are the eligibility requirements?\n\nAnswer: Becoming a Certified Warden with CodeArena involves several steps. 
After submitting your application through our Certified Contributor Application page (https://code4rena.com/certified-contributor-application), it may take 2-3 weeks to receive a Know Your Customer (KYC) verification email from compliance@provenance.company, so please ensure to check your spam folder. Note, however, that this initial email does not have a specified timeframe for delivery. \n\nOnce your application has been reviewed and approved, it can take approximately 2 business days to officially certify you as a warden. Note that even after approval, it may take up to 2 weeks to mark a warden as certified. \n\nIn terms of eligibility, you do not necessarily need to be a resident or citizen of a specific country to become a certified warden. However, the verification process does involve identity verification, which may require an identity document such as a passport or driving license. In some cases, a proof of residence may be required, though some users have completed the process with just a photo ID and a selfie.\n\nAs a Certified Warden, you will be eligible for certain privileges, such as access to private audits and potentially eligibility for a judge role. However, there may also be additional requirements to fulfill these roles, such as participating in a certain number of contests or submitting a certain number of valid findings or reports. \n\nPlease note that if your application remains inactive for 2 days, it may be closed. We recommend keeping an eye on your email for any updates or requests for additional information to avoid this. \n\nIn some cases, you may need to wait for an invite to join our Github organization, but the timeline for this is currently uncertain. 
Overall, while the process requires patience, we strive to ensure a thorough and efficient process, and we look forward to your participation in CodeArena as a Certified Warden.", "Question: What documents are needed for the ID and address verification process for becoming a Certified Warden?\n\nAnswer: The process for becoming a Certified Warden involves an opt-in ID and address verification process, which is handled by Provenance, our KYC provider. They may have specific requirements for verification, but generally, participants have been approved after submitting sufficient documentation. This might include a proof of residence (like a utility bill, bank statement, rental or lease agreement, or local authority document), or an identity document such as a national identification card, driving license, or passport. A selfie can also be used for photo identification. Digital nomads have been able to become certified using proof of ID, bank account details, and other forms of proof of residence. \n\nIt's important to note that the final decision regarding the acceptance of your documentation is entirely at the discretion of Provenance. If you're unsure about the status of your verification, you can check by using the help form at https://code4rena.com/help. Once your documentation is approved, you should receive an email confirmation. \n\nFor more detailed information on awarding and invoicing, please refer to our document: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions. \n\nPlease ensure you've submitted all your gas findings in one submission and that you've included your wallet address in the appropriate field in the submission form. Once your finding is submitted for a contest, you should expect a mail copy of the form as the only confirmation. For gas-related submissions, we recommend making a single consolidated report, and the same applies for quality assurance (QA) submissions. 
\n\nKeep in mind that the keys to the wallet address you submit for a payout must be in your possession to ensure ownership of your coins. If you have further queries about submission rules, feel free to ask. We're here to help!", "Question: Is the inclusion of a Proof of Concept (POC) necessary for a successful submission and how does it impact the evaluation of findings in smart contract audits? \n\nAnswer: A Proof of Concept (POC) is not strictly mandatory for a submission, but it is highly recommended to support your findings while auditing smart contracts. Submissions without a POC may be disregarded unless the issue identified is extremely obvious such as a straightforward coding or parameter error. A POC can be presented in either code or plain English, and it doesn't necessarily have to be an exact piece of code. Detailed instructions on how to include a POC can be found at [https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept). \n\nPlease note that the level of detail in the submission, particularly the inclusion of a POC and the thorough coverage of the issue, can significantly influence the evaluation of your submission and potentially the award amount. You may also submit your POCs by creating a public Github repository or providing a diff of an existing sponsor-supplied test/contract. You can include the link to your POC script for a vulnerability in your submission if you have one. If your POC is lengthy, it's acceptable to use external platforms like a gist. \n\nRemember, if the severity of a finding is unclear or if you are unsure whether your finding is QA or Medium, it is suggested to continue working on your POC until the severity becomes clear. Furthermore, if you're debating the severity of a finding, it's better to file it as QA unless the POC is coded. 
\n\nWhile POCs do not directly affect awards or the contest per CodeArena (C4) guidelines, they are instrumental in proving the validity and severity of your findings. However, be cautious about submitting too many unsatisfactory findings as there is a concern about penalties for such submissions. \n\nIn case of any queries or concerns about the submission rules, you can check the submission guidelines at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).", "Question: What are the requirements and consequences for submitting a vulnerability without a Proof of Concept (PoC), especially for medium and high severity ones?\n\nAnswer: A vulnerability, even without a PoC, can potentially be awarded as a high if the process is clearly described in bullet points. However, submitting a high or medium severity vulnerability without a working code that demonstrates the impact may lead to a high severity issue being downgraded or deemed ineligible for awards. If you cannot provide a PoC for a medium severity bug, your finding may be disregarded unless the bug is extremely obvious. Therefore, it is highly recommended to always write a PoC to ensure your submission is considered. \n\nThe level of detail in your submission largely influences the award amount. Including a PoC and covering the issue from as many aspects as possible can greatly enhance the value of your submission. Ideally, medium risk vulnerabilities (Risk 2) require test codes as PoCs when you are writing reports, and this requirement applies similarly to high-risk vulnerabilities. \n\nIn the event of misclassifying a bug's severity, even if a high severity bug turns out to be only medium, you will still receive the reward for a medium bug. 
The reward for a medium/high finding can be calculated using the formula provided on our website (https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). \n\nFurthermore, if your finding breaks the protocol but no funds are stolen, it could still be classified as a high risk. The severity of loss that qualifies a finding as high, medium, or quality assurance (QA) can vary: if all rewards can potentially be lost, it's considered medium or high; if there's a risk of losing some rewards, it's probably medium; if rewards are lost due to rounding errors (a negligible amount), it's probably QA; and if the principal can be stolen without needing extra requirements, it's likely considered high.\n\nKeep in mind, a coded PoC along with the report can increase the chances of your report being selected, which comes with a 30% bonus. Even if a vulnerability is found in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding or the project can be directly messaged. There is an incentive for wardens to submit non-critical vulnerabilities as it benefits the sponsor, despite non-critical vulnerabilities not being considered for awards. \n\nIn case no medium or high vulnerabilities are found in the smart contracts, remaining contest funds will be divided based on the Quality Assurance (QA) report curve. The average award pot for low or non-critical vulnerabilities in contests is typically 10% of the total prize pool.", "Question: What is the process for submitting a Proof of Concept (PoC) for a report on Code4rena (C4)?\n\nAnswer: Submitting a Proof of Concept (PoC) for a report on Code4rena is a straightforward process. Firstly, you can submit your PoC by creating a public Github repository or by providing a diff of an existing sponsor-supplied test/contract. If the PoC is too large to be embedded directly in the issue, you can provide a link instead. 
This can be a link to a private gist or a website, which is acceptable and implemented by many wardens. Remember that it is not necessary to make the repository public due to the risk of exposing vulnerabilities to the public. \n\nIf you prefer, you can also include a zip file with your submission or share a private Github repository. This is often considered when you have a PoC script for each bug. In this case, you can simply drop the link into the submission where it is relevant. For instance, if you've written a PoC script for a vulnerability, you can include the link in the submission wherever applicable. \n\nIncluding a coded PoC along with the report can increase your chances of your report being selected, which comes with a 30% bonus. Therefore, it's heavily recommended to always write a PoC to be sure, even for medium-severity bugs that may otherwise be disregarded if the bug isn't extremely obvious.\n\nYou can also add screenshots, logs, or any other relevant proof in the PoC section when submitting a finding. This can be done by creating an issue on a private repo, dropping images there, and grabbing the markdown snippet with the CDN URL. You can also submit screenshots in the vulnerability details section by copying the Github permalink and the lines of code for the affected code.\n\nMore detailed instructions on how to include a PoC are available at the Code4arena official documentation: [https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept). Here you can find examples of accepted PoCs and detailed instructions on how to submit a report. 
\n\nRemember, the best reports are focused on one specific attack or issue, feature the project's code, have a simple to understand PoC, and have a coded test that demonstrates the vulnerability.", "Question: \nWhat happens to the rewarding shares and findingCount value when there are multiple reports of a high severity finding, and one of the duplicates is marked as partial credit in CodeArena's reward model?\n\nAnswer: \nIn CodeArena's reward model, when a high severity finding has multiple reports, each report usually receives 4.5 shares, excluding the bonus for the best report. This rule applies regardless of the order in which the wardens report the duplicate bug. However, when one of the duplicates is marked as partial credit, for instance, partial-50, it suggests that this particular report will receive 50% of the typical shares. \n\nThe overall value of the finding reduces and is divided among the reporters, irrespective of who found it first. For example, if there were three submissions (1 original + 2 duplicates), the reward for the finding would reduce by approximately 10% for each duplicate submission. Therefore, the shares received by each warden would be less than 4.5.\n\nThe best report among these is also eligible for a 30% share bonus, which applies to the share of the user, not the overall finding's share. If a duplicate report does not cross a certain threshold, it may not receive any reward.\n\nIt's also important to note that the findingCount value might decrease due to partial credit marking. However, the specifics would depend on the degree of the partial credit and the awarding calculation at that moment. 
For more detailed information, the guidelines for rewards and duplicity of findings are available at Code4rena's documentation: https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit.\n\nLastly, remember that this model differs from traditional bug bounty models where only the first reporter is rewarded, and subsequent reporters receive nothing due to duplication. Code4rena's model is designed to reward the quality of the reports and the contribution to identifying the issue.", "Question: What is the reward system for findings submitted to CodeArena, and does every finding- even if not selected for the final report- get a reward?\n\nAnswer: Not all findings or reports submitted to CodeArena are guaranteed a reward. The reports are evaluated and must meet quality standards to be considered valid and satisfactory. The final report for a contest typically excludes wardens whose submissions or findings are not accepted. This means that a finding may not receive a reward if it does not make it to the final report. \n\nHowever, there are exceptions to this rule. If a disputed finding, deemed by the sponsor as 'won't fix', is valid, it will still get rewarded. Similarly, if a high-risk finding is judged as low risk (and vice versa), the submitter will still be rewarded. \n\nThe reward system also accounts for the severity and uniqueness of the findings. Non-critical findings do not share in the reward pot, and common findings that are picked up by the C4udit tool are usually out of scope. If a team submits a non-duplicate finding, they earn more rewards than if they had individually submitted the same finding. \n\nThe timing of a finding's discovery does not affect the reward; the system does not operate on a first-come, first-served basis. The best report typically receives more money, and duplicate reports below a certain threshold might not receive any money. 
Bonus rewards in the contest are given for the best reports.\n\nFor more details on the reward system, you can visit https://docs.code4rena.com/awarding/incentive-model-and-awards. Please note, any findings that are not submitted before the end of the contest will not be eligible for rewards.", "Question: How can I apply for a backstage role at CodeArena?\n\nAnswer: To apply for a backstage role at CodeArena, you first need to meet certain qualifications, such as having a valid high rating and becoming a certified contributor. The detailed requirements and process can be found at [Backstage Wardens](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). Once all criteria are met, you can submit a help desk request for backstage access through this link [Code4rena Help Desk](https://code4rena.com/help). However, please note that the process of backstage access is currently undergoing changes and applications might be suspended. Furthermore, it's important to be aware of the distinction between different roles, such as a certified role and a backstage role. The backstage role is required to access the findings repo when a contest ends and to view issues reported for a contest on the website. After your request is submitted, you will be notified once it has been reviewed.", "Question:\nI've recently changed my wallet address on Code4rena, will my future rewards still be sent to my old address? Can I use this new wallet address in my reports and have the rewards distributed to it?\n\nAnswer:\nAt Code4rena, your rewards are sent to the wallet address that is on file at the time the awards are calculated for an audit. This means, if you've recently changed your wallet address, your rewards will be sent to the new address, provided the change was made before we started our calculations. You can also use this new wallet address in your future reports and the rewards for these reports will be distributed to the new address. 
\n\nPlease remember, if your wallet was compromised and you changed your payment address, you can submit a help request to update your address in our records. If you've forgotten your wallet address to receive the bounty, you can refer back to the email you received when you submitted the bug report. \n\nYou can update or confirm your reward wallet address in the Manage Account section on Code4rena. If you need further guidance about changing your wallet address or checking if an address for rewards has been submitted, you can find more information here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards. If you need to submit a help request, you can do it here: https://code4rena.com/help. \n\nPlease note that rewards are distributed to one address for one handle per contest. Also, be aware that rewards are not distributed immediately after the computation due to the use of multisignature wallets that require signatures from multiple parties before funds can be released. However, we are working on improving this process with the use of smart contracts in the future. \n\nLastly, it's important to remember that if you're considering submitting a Binance address for payout, the addresses can change and if you do not possess the keys, you do not own the coins. Be cautious and ensure your wallet security to prevent rewards from being stolen.", "Q: How are the rewards distributed in a contest if multiple participants identify the same bug or if only one QA bug is found?\n\nA: Code4rena adopts a unique model that ensures each bug finder gets a share of the reward, irrespective of whether they were the first to find the bug or not. When multiple auditors report the same bug, the bug's overall value is reduced and split among them. This is not a first-come, first-served model, meaning the timing of bug discovery does not affect the reward. 
\n\nHowever, it's important to note that the best report typically receives more money, and duplicate reports beyond a certain threshold might not receive any. More details can be found at [Code4rena's Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards).\n\nIf only one QA bug is found, or if no Medium/High vulnerabilities are uncovered during the contest, the reward pool will be divided based on the QA Report curve. More information on this can be found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nAlso, there is an advantage to reporting findings as a team. If a team submits a non-duplicate finding, they stand to earn more rewards than if they had individually submitted the same finding. \n\nFinally, it's important that auditors classify bugs carefully. Even if a High severity bug turns out to be only Medium, the reward for a Medium bug will still be received. If a finding is submitted as a low in a QA report but is judged to be a medium, it will be eligible for medium rewards.", "Question: What are the rules and criteria regarding the submission and reward distribution for Quality Assurance (QA) and Gas Optimization reports?\n\nAnswer: Participants in a Code4Rena contest are required to submit one Quality Assurance (QA) report and one Gas Optimization report per contest. Ideally, all issues should be grouped together in their respective reports. For an in-depth understanding of what these reports should look like, you can view examples at https://code4rena.com/reports.\n\nRegarding the reward distribution, judges consider both the quantity and quality of submissions when grading QA reports. This means a single finding in a report is unlikely to be highly graded. 
The grading system is as follows: grade A reports count as 2 shares, grade B reports count as 1 share, and the best report receives a 30% bonus. More information on judging criteria can be found at https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical and https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports.\n\nIf multiple auditors report the same issue, the reward is split between them. However, common findings, which are usually picked up by the C4udit tool, are out of scope and do not receive a reward.\n\nIf a finding is initially submitted as a low severity issue in the QA report, but judges later determine it to be of medium severity, it will be eligible for medium rewards. Details about this can be found at https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum.\n\nIn the absence of medium or high severity findings in the smart contracts, remaining contest funds are divided based on the Quality Assurance (QA) report curve. More clarity on this policy can be found at: https://docs.code4rena.com/roles/wardens/submission-policy#report-format.\n\nRemember, the primary incentive is to find high/medium/low severity vulnerabilities and gas optimizations. The QA report is important but not the primary focus.", "Question: I recently placed 3rd in the EigenLayer Contest and my Twitter handle wasn't correctly tagged in the Twitter post about the contest results. How can I change my Twitter tag from windowhan001 to windowhan on Code4rena leaderboard and profile?\n\nAnswer: You can associate your Twitter handle with your CodeArena profile by creating a help desk request. To do this, please go to https://code4rena.com/help and submit a request with your Warden name and the Twitter URL you want to associate. 
Changes to the leaderboard or contest results link can also be requested on this page. \n\nAdditionally, you can make a pull request for your handle at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles. Please note that while it's possible to change your handle, leaderboard standings and submissions linked to your previous handle are non-transferrable to the new account. Also, changing the handle itself is currently not advised due to potential issues with past or ongoing contests. \n\nIf you placed in the top 5 of a contest, like the EigenLayer Contest, and have received the reward, your \"leaderboard\" tag should be updated in the roles. If this is not the case, you may want to include this in your help desk request. \n\nLastly, please remember to monitor the backstage channel for the post-judging stage of your contest, if there are any disputes or issues regarding the contest you should be able to find the information there.", "Question: How can I submit a help desk request at Code4rena and what issues can it help me resolve?\n\nAnswer: You can submit a help desk request at Code4rena for a variety of issues by visiting https://code4rena.com/help. The help desk request can help you resolve issues such as status updates, troubles during the analysis submission process, applying for backstage roles, requesting changes in your user profile picture, Twitter link and logo, adding new team members, and so on. If your team meets certain requirements based on audits with published results, you can also submit a request through this platform. Furthermore, you can approach the Code4rena team with private inquiries via a help desk request. After the submission, you will receive a confirmation that your request has been received and it will be fulfilled in a timely manner. 
Additionally, if you find it a security risk to make issue contents public, a help desk request can be submitted to address your concern.", "Question: Does the submission preview support mermaid syntax for including flowcharts in an analysis report? \n\nAnswer: Yes, the submission preview does support mermaid syntax. Code4rena encourages the use of Markdown for text formatting in the submission form for analysis reports. This includes the ability to embed code, create lists, and even integrate flowcharts with mermaid syntax. Images can also be embedded using Markdown. \n\nWhen writing your report, you can use a range of tools like GitHub, Joplin, VScode, or Notion, but it's essential to ensure your chosen tool supports Markdown. Visual Studio's preview tool is often recommended for formatting reports. If your report involves mitigations, you can use Markdown to format the code within the report. \n\nCurrently, there are some limitations to be aware of. You cannot edit or resubmit an analysis report after submission, although this functionality is planned for the future. Also, Markdown preview might not correctly display lists during the submission process, but this only affects the preview and not the final submission.\n\nYou can view a guide on how to create and highlight code blocks here: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.\n\nFor further guidelines on analyses and frequently asked questions, please visit this link: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Question: How do I submit a report for Gas Optimization in a contest on CodeArena, and how is the reward calculated?\n \nAnswer: To submit a Gas Optimization report in a contest on CodeArena, you should compile all your findings into one report. To add more findings to your report, you can navigate to the contest page and click the 'Your Findings' button. 
Notably, not all gas optimizations are valid when the optimizer is enabled, and this may cause some confusion on what should be reported. \n\nReporting the amount of gas saved for each finding in your gas optimization report is not strictly required. However, including this detail can potentially earn you more points as it provides valuable information on the efficiency improvements. It is noteworthy that the judgement criteria for gas optimizations and their importance can vary based on the specific contest and the judges involved. \n\nAs for the reward calculation for gas optimizations, it's generally based on the score of each gas report. The gas optimization pool is shared among the reporters and is awarded based on the score of each reporter's gas optimization report. For some contests, there might not be a gas optimization pool. Usually, the award for gas optimization reports is 5% of the prize pool. However, this percentage can be altered by the sponsors based on the importance of gas savings to their project. \n\nYou can find further details about the incentive model and awards in the official documentation here: https://docs.code4rena.com/#incentive-model-and-awards. For a practical example, you can refer to this spreadsheet: https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0. \n\nIf you encounter difficulties or confusion during this process, you can always ask for clarification in the CodeArena community.", "Question: How is the loss of rewards classified in terms of asset loss and severity, and how does this classification affect the reward allocation?\n\nAnswer: Loss of rewards is considered a \"loss of assets\". The classification as High or Medium risk depends on external conditions or attack difficulty. For example, if all rewards can be lost, it may be classified as Medium/High, and if there's a risk of losing some rewards, it might be considered Medium. 
If rewards are lost due to rounding or negligible amounts, it's likely to be categorized as a QA issue. On the other hand, if the principal can be stolen without needing extra requirements, it's probably categorized as High.\n\nIn terms of reward allocation, if a finding is submitted as Medium but it turns out to be High, the reward for a Medium finding is still received, unless the report is incomplete, lacking detail, or not as accurate. On the contrary, if a finding is evaluated as Low and reported in a QA report but is later judged as Medium, it will be eligible for Medium rewards, as per the guidelines provided [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nThe reward for a medium/high finding can be calculated using the formula provided [here](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). If no Medium/High vulnerabilities are found, the full award pool would be divided based on the QA Report curve. \n\nIt's crucial to remember that the severity classification is based on a balance of consequence and likelihood. High consequences generally involve sizeable fund loss or other severe consequences and don't require pre-conditions, while Medium consequences usually have lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness.\n\nPlease refer to our [incentive model and awards](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs) document for more details.", "Question: Are judge payment, lookout/scout payment, and other contest rewards considered in the calculation of leaderboard rankings on CodeArena?\n\nAnswer: No, judge payment and lookout/scout payment are not included in the leaderboard ranking calculations on CodeArena. 
These awards, while important for recognizing the contributions of judges and scouts, are treated separately from the leaderboard standings. \n\nThe leaderboard ranking is influenced by both the current contest participation and the total participation of a contestant. It's also worth noting that if a warden receives rewards both individually and as part of a team, the team and the individual will appear separately on the leaderboard. \n\nThe \"Lookout\" and \"Scout\" awards refer to specific roles within the contest. The term \"judge + presort\" is related to the bounties, where \"judge + presort\" refers to the portion of awards set aside for work performed by judges, such as consolidating duplicates. Scouts are independent scope judges providing feedback on an audit's scope. \n\nJudges are selected based on their experience and reputation, and their decisions on a bounty are shared after the contest concludes. They review the findings to decide their severity, validity, and quality. These judges also receive a share of the prize pool as an incentive.\n\nIt's also important to note that certified contests, like the upcoming 225, do impact the c4 leaderboard rank. You can view the leaderboard and learn more about how rankings are calculated at https://code423n4.com/leaderboard/.\n\nPlease remember that once the contest payouts have been sent, the outcome cannot be changed. However, any overlooked issues can be flagged to the judge and sponsor. Judging becomes final after rewards are announced. If you rank in the top 5 of a contest and have received the reward, the \"leaderboard\" tag should be updated in the roles. \n\nFor more details, please check our documentation: https://docs.code4rena.com/roles/wardens.", "Question: Does the submission form on Code4rena accept Mermaid syntax and Markdown for formatting the submissions?\n\nAnswer: Yes, the submission form on Code4rena supports both Mermaid syntax and Markdown for formatting the submissions. 
Markdown can be used to format your code, create lists, and even include images in your submissions as per the guidelines at [Markdown Guide](https://www.markdownguide.org/basic-syntax/#images-1). Additionally, you can use Markdown to format the Solidity code in your submissions to make it more legible. It's important to note that while the Markdown preview may not properly display lists, this is only a preview issue and the final submission will display the numbers correctly. There's also a known rendering issue with inline math in the preview. \n\nWhen submitting through the Code4rena interface, a Markdown template is proposed to aid in your submission. Although Markdown formatting is allowed in issue titles, there have been discussions on whether or not to include it. \n\nIn terms of specific details about coding, adding Solidity syntax to code blocks can be done using the Markdown format. However, a question about the availability of a tool or plugin to check Solidity code syntax was not answered in the provided excerpt.\n\nWhile the current submission mechanism allows for fairly extensive formatting and structure, there are future plans for further improvements and new mechanisms. For additional details and updates, you can refer to the [Analysis Guidelines and FAQ](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118) on the Code4rena website.", "Question: How does CodeArena calculate and distribute rewards for findings, particularly in instances of duplicate findings and partial credits?\n\nAnswer: CodeArena employs a complex rewarding formula to ensure fair distribution of rewards among participating wardens. In the event where multiple wardens discover a bug, the reward is shared between them. 
The order in which the bug is reported doesn't affect the reward each warden receives, nor does using different wallets for the same warden.\n\nIf a warden finds a \"High\" severity bug, and it gets duplicated, the reward pool or 'pie size' is calculated using 10*0.9 = 9. The wardens share equally from this pie, obtaining 4.5 each. In a scenario where a partial and a full credit finding is made, the partial credit warden receives less - 3, while the full credit warden receives 6.\n\nIf no High or Medium severity issues are found in a contest, the rewards are still distributed based on Quality Assurance. In the context of QA and gas reports, rewards are divided into grade A, B, C, based on the quality and gas savings. Grade A and B are entitled to rewards. \n\nThe reward amounts in contests come from the sponsor. After the awards are announced, they are sent out manually in batches for multiple contests at a time. The complete guidelines for reward distribution including how to calculate reward splits for different severity findings and partial and full credits can be found at Code4Arena's incentive model and awards section: https://docs.code4rena.com/awarding/incentive-model-and-awards. This section also covers intricate details of our reward distribution, including distribution on a curve, which is a system to be designed after observing the scoring of initial contests. \n\nAdditionally, if the findings are made by a team, it\u2019s up to the team to decide how to distribute the awarded amount among themselves.", "Question: Why wasn't my handle included in the gas optimization report for Ethos Reserve and why haven't I received a reward yet?\n\nAnswer: There might be a few reasons why your handle isn't mentioned in the gas optimization report and you haven't received a reward yet. Firstly, not every contest includes gas optimizations rewards as part of its prize pool. 
For instance, specific contests like the one mentioned here (https://code4rena.com/reports/2022-04-dualityfocus), didn't have a gas optimization pool. Thus, if Ethos Reserve were such a contest, no gas optimization rewards would be given.\n\nSecondly, gas optimization rewards are shared among reporters based on the score of each gas report (https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic). It's advisable to report any gas optimizations separately. The amount of gas saved for every finding may also factor into the reward. If your report wasn't included, it could be due to the criteria used to select reports in a contest.\n\nAnother factor could be the validity of your report. Certain reports might not be accepted if the optimizer was enabled when they were made. Confusion over this issue has led to some reports being refused by judges, while others accept them. If in doubt, contact the judges or community for clarity.\n\nRewards are not always distributed immediately after computation due to the use of multisignature wallets which require multiple signatures before funds can be released. This could explain a delay in receiving your reward (https://docs.code4rena.com/#incentive-model-and-awards).\n\nLastly, ensure you have registered your handle and Ethereum (ETH) address to receive your share of the rewards (https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0). If you haven't done this, your reward could still be pending.\n\nFor further assistance or any concerns, consider reaching out to the CodeArena team via the chatroom or email.", "Question: What is the process to initiate verification and certification at Code4rena and what are the restrictions or requirements?\n\nAnswer: To initiate the verification or certification process at Code4rena, you need to follow the instructions provided at https://docs.code4rena.com/roles/certified-contributors. 
As a part of this verification, you need to undergo a Know Your Customer (KYC) process which would involve submitting your identification for verification. There may be certain restrictions in place for the KYC process, particularly involving OFAC sanctions and background checks. \n\nIn some cases, you may be able to participate and receive payouts without certification, but certain activities do require either completion of the certification or the KYC process. To participate in audits or private contests, you will need to be certified and this may require KYC certification as well. \n\nOnce the verification process is completed and approved by provenance, a few days are generally required for the role to reflect on your profile. The status of your certification process will be updated to you via email. In case you are experiencing issues with receiving emails, you are advised to check your spam mail.\n\nIt is also important to note that all team members should undergo KYC verification for certain contests such as the base and chain link contest. You can also verify if you have submitted an address for rewards using the help form at https://code4rena.com/help.\n\nIn case you do not possess a passport for KYC purposes but have a national identification card, it is recommended to check with the team for further guidance. Lastly, you can check your certification status by clicking on your name to see assigned roles and also through your email communication.", "Question: What is the verification process at CodeArena and are there any restrictions or special requirements?\n\nAnswer: CodeArena has an opt-in identification and address verification process, which can be initiated by following the instructions provided at https://docs.code4rena.com/roles/certified-contributors. This process involves KYC (Know Your Customer) verification, which may require different forms of identification depending on the contest. 
For example, some contests may require all team members to undergo KYC verification, while others, like the OpenSea contest, require ID verification. \n\nThere are certain restrictions in place for the KYC process, primarily OFAC sanctions and background checks. Users should also be aware that the KYC approval does not automatically grant access to private contests. Private audit contests each have individual eligibility criteria listed, and some may not be accessible if they have already been assigned. \n\nUsers should note that it is possible to participate and receive payouts without being certified, but some activities, like mitigation-review contests, are only available to certified wardens. Certification involves sending your identity for verification, and users may be required to check their spam mail for verification for base. \n\nThe company has considered releasing all unverified submissions a few days after a contest ends for learning purposes. More details on this can be found at https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123. \n\nIt is important to understand the submission rules and policies, which include restrictions on reporting anything related to input checks from governance variables in contests, and the fact that getting more than 3 reports rejected in a competition will prevent the user from getting any payout for that competition. More information about submission policies can be found at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible. \n\nPlease remember that all these processes are in place to maintain the integrity and transparency of the contests at CodeArena.", "Question: Where can I find information about the withdrawal field validation bug and submit or withdraw my analysis in CodeArena?\n\nAnswer: Currently, we don't have any specific articles or reports regarding the withdrawal field validation bug at a CEX. 
However, we have a system in place for findings related to potential issues. You can refer to this report about a potential reentrancy risk marked as low at [https://code4rena.com/reports/2022-12-caviar#l-01-missing-reentrancy-guard-to-withdraw-function](https://code4rena.com/reports/2022-12-caviar#l-01-missing-reentrancy-guard-to-withdraw-function) for an example. \n\nIf you have submitted an analysis and you wish to withdraw it, you can do so by editing or replacing your submission with \"withdrawn\" for invalidation. If the issue is wrongly submitted, you can submit a help desk request at [https://code4rena.com/help](https://code4rena.com/help). \n\nPlease ensure your submissions are valid, as findings related to potential vulnerabilities like an external function with the transfer of ERC20 tokens without reentrancy protection, may not be eligible for medium or high categorization unless there is a clear explanation of the exploit path. Such findings could be downgraded to QA. \n\nAlso, please note that there have been reports of intermittent issues with the submission process. If you face any such issues, please bring it to our notice.", "Question: Can you explain the role and usage of abstract contracts in smart contract repositories, and how they fit into the overall contract auditing process?\n\nAnswer: Abstract contracts play a crucial role in smart contract repositories. They are like template contracts that are not meant to be used on their own. Instead, they are meant to be extended or completed by other contracts before they can be deployed. For example, if you have an abstract contract A, you cannot deploy A directly. However, you can deploy another contract, let's call it B, that extends A and includes the required functions.\n\nIn CodeArena's auditing process, abstract contracts could be part of the contracts that are in scope for auditing. 
For instance, in the Vader repository, all contracts are classified as applicable for testing (https://github.com/code-423n4/2021-04-vader/tree/main/vader-protocol/contracts). However, this can vary with different repositories and audits, so always check the README.md for each contest to understand what is in scope for auditing.\n\nAdditionally, understanding the role and relationship of interfaces to these contracts is also important. When auditing, tools like Mythril and Slither can be used for testing contracts downloaded from Github and comparing differences between them. When issues are found, their severity is reviewed in context, particularly when dealing with more complicated contract types such as upgradeable contracts, and issues related to storage variables.\n\nWhile abstract contracts provide a template, each contract can be unique. Some may already be deployed, while others may not be. Some contracts might appear to be \"snapshots\" of OpenZeppelin contracts, likely because necessary changes were made to suit project requirements. This can sometimes lead to a mismatch between the number of lines of code (LOC) mentioned in the README.md and the actual lines in the contract files. It's important to note these discrepancies during the auditing process.\n\nIn cases where a user needs to directly call internal functions, a child contract needs to be written and used like wrappers. Also, if a bug is found in a contract that's in scope, but it impacts another contract that's out of scope, the impact might still be considered during the audit at the judge's discretion.\n\nOverall, understanding the role of abstract contracts, how to interact with them, and their place in the broader system of smart contracts is critical for an effective audit. 
The auditing process can be a complex task due to multiple interrelated contracts and sometimes limited documentation, but tools and resources are available to assist in making the process more manageable.", "Question: How can I review and edit my own findings for an audit, check other's findings, and understand the review process?\n\nAnswer: You can review and edit your findings while an audit is still open by visiting the audit page and clicking on the \"Your Findings\" button. This allows for real-time edits and feedback during the audit period. Please note, the ability to edit your findings may not be available after the audit has closed. You will also be notified via email upon successful submission of your report.\n\nTo check the findings of others, visit the C4 GitHub repo where completed audit findings are publicly available. You can use these reports as a learning tool to understand the process and improve your auditing skills. For more reports to study, visit https://chainsecurity.com/audits/.\n \nQueries about your findings, including why they were rejected or accepted, can be raised in the chat. Judges review all findings at the end of the audit period and provide valuable feedback. Participants can also track the status of their reports in the \"findings\" tab next to the contest description. \n\nLastly, for those interested in private audits, after confirmation from provenance, it's possible to participate. You can also join teams and participate collaboratively in the audits.\n\nRemember, becoming an auditor involves constant learning, including reverse engineering and understanding old audit reports. 
So, take advantage of the wealth of information available to you and don't hesitate to ask questions in the chat.", "Question: How can a user acquire and utilize the backstage role to view others' findings on CodeArena (C4)?\n\nAnswer: The backstage role at CodeArena (C4) is designed to provide qualified users with elevated access to findings and reports. To qualify for this privileged role, a user should be a certified contributor with a considerable number of findings and contest participations, as specified by the C4 rules. The criteria include identifying at least three medium findings and four total findings. \n\nOnce granted, a backstage role allows these certified contributors to access findings and reports of the contests once they end. They can view past contest reports, grades on published reports, and even engage in discussions with the judge to re-evaluate a finding. Backstage role users can also see when their findings are edited and provide additional context to their reported issues. \n\nHowever, it's important to note that this role is governed by strict guidelines to prevent privilege misuse, such as sharing ongoing judgment details with unauthorized personnel. Violation of these guidelines has led to the suspension of backstage access in the past. \n\nThose interested in obtaining the backstage role can apply through a help request or directly on the C4 website once they meet the specified criteria. You can find more details about the backstage role and its application process at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: How can I initiate and complete the verification process at CodeArena, and what should I expect during this process?\n\nAnswer: You can initiate the verification process by following the instructions at this link: https://docs.code4rena.com/roles/certified-contributors. The process involves sending your identity for verification through a Know Your Customer (KYC) process. 
Once you send a KYC request to Provenance, you will need to wait for confirmation. After approval from Provenance, it generally takes a few days for the certification role to reflect on your profile, and the status of this process will be updated to you via email. \n\nUsers can check if they have been certified by clicking their name to view assigned roles, or check for an email communication. If you have applied for KYC and are certified, you will receive an invitation link via email from Provenance. After confirmation from Provenance, you'll be able to participate in a private audit. \n\nTo apply for Certified+ after a high finding, you must have completed the KYC verification. The initial email from Provenance in the Certified Warden verification process doesn't specify a timeframe for delivery, but the process after working with Provenance typically takes around 1-2 business days. For further details on the certification process and constraints, you can visit this link: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nPlease note, the KYC process is a requirement for entering a contest. In the case of any warning or issues regarding your submission, you may need to provide additional proof or explanations, and further assistance can be sought through the help form at https://code4rena.com/help.", "Question: What are the penalties and considerations for report submissions in CodeArena?\n\nAnswer: CodeArena has a grading system for submitted reports, with certain penalties for mistakes, errors or unsatisfactory submissions. The quality of the reports heavily influences its evaluation by judges and its potential reward. The format, detail level, and accuracy of severity ratings in smart contract auditing reports are significant factors affecting the final grading. 
\n\nIncorrect findings or setting incorrect severity of issues don't necessarily lead to penalties, but they can influence the report's score, possibly lowering it. The best-graded report receives more rewards, and there might be no reward for duplicate reports that do not surpass a certain threshold. \n\nThere's a high bar for performance and a certain number of strikes may lead to penalties. However, there are no negative consequences for accidentally reporting something that's not an issue - although withdrawing such reports to save the judges' time is recommended. \n\nIf a report is not accepted, a review process takes place to determine why it didn\u2019t meet the standards once the report is out, and the findings repo is fully opened. Reports that are not accepted are not included in the final report for a contest.\n\nIt is important to note that issues can be reported with worded descriptions only, and there is no penalty for incorrect reasoning as long as it's not spam. The submission of analysis along with findings is not mandatory, but detailed reports are preferred over one-line summaries. Furthermore, the order of issue reporting does not necessarily go according to submission time; the judges pick the primary issue based on the quality of the write-up.\n\nDespite these guidelines, some users have expressed concerns about the fairness and effectiveness of the penalty system. Adding to this, there is currently no penalty for incorrect medium/high submissions, and findings in non-best, unpublished bot-generated reports are still eligible for submission. \n\nParticipants are allowed to edit or replace their submitted reports with \"withdrawn\" for invalidation. They can view their submissions along with the reasons for their rejection once the report is published and the findings repo is made public. 
\n\nPlease refer to our [discussion on grading and awarding](link) for more details and future updates on possible penalties.", "Question: Can you explain the process that follows the conclusion of an audit, including the timeline for judging, publishing findings and creation of the leaderboard?\n\nAnswer: After an audit concludes, the findings are immediately reviewed and triaged by the judges. Participants can view and edit their findings in the \"Findings\" tab next to the contest description on the contest page. The review process includes a sponsor review, judge review, sponsor confirmation, and the judge's final report. This process typically takes about 8 weeks, but can vary depending on the contest and the number of reports under review concurrently. \n\nOnce the review process is completed, and the findings have been validated, the leaderboard for the contest is created. However, please note that the findings reports only become public once the final contest report has been published. Certified wardens can view the findings repo immediately after a contest ends.\n\nThe final stage of this process is the publishing of the contest report which could take anywhere from 2 to 6 weeks or even longer after the contest end. The report provides the results of submissions and allows participants to see the outcome of their findings. The timeline for publishing contest results depends on the time taken for judging. \n\nYou may find more details about the process at https://docs.code4rena.com/roles/certified-contributors. Some uncertainty exists regarding specific durations, which can vary based on the contest and other factors. Always check the specific contest information for details.", "Question: What are the implications of submitting incorrect or invalid issues in the Quality Assurance (QA) or Gas reports in Code4Rena contests?\n\nAnswer: In Code4Rena contests, participants are required to submit one Quality Assurance (QA) report and one Gas report per contest. 
While there generally isn't a penalty for submitting incorrect findings, they can affect the overall grade of your submission. For instance, if a report contains a few invalid issues, the score may be lowered. \n\nFurthermore, if a report resembles a bot-generated report, it could be penalized even further. However, it's important to note that the number of issues reported does not necessarily determine the grade of the report. A report with one significant issue may receive a higher grade than a report with multiple low-impact issues. \n\nJudges take into account both the quantity and quality of submissions when grading. If a finding is submitted as low severity in a QA report, but it is assessed as medium severity by the judges, it can be eligible for medium rewards. \n\nOn the other hand, if an issue is reported with incorrect severity, such as high instead of medium, this could negatively affect the submission. Participants will receive feedback from judges if an issue is marked as invalid.\n\nIn addition, please note that a submission can receive a grade of 0 if a judge deems it to be of that value. For more details on grading and awarding criteria, please refer to the following links: [Grading criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive model and awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nLastly, please ensure to separate your QA report from your Gas report. If you're unsure about how to submit your reports or if there are issues with the online submission, you can send your reports via email to report@code4rena.com. 
For more information about report submissions, please visit [this page](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form).", "Question: What should I do if I'm experiencing difficulties with the Code4rena website, including site access, login issues, or API errors?\n\nAnswer: We're sorry to hear you're experiencing issues. The Code4Arena team is always on hand to resolve any problems that arise and we've prepared several steps to assist you. First, you can check if the site is down for everyone or just for you by visiting https://downforeveryoneorjustme.com/code4rena.com. If you're experiencing a \"page not found\" error, it might be due to a temporary DNS issue which our team is likely already addressing. For issues related to logging in or accessing inactive accounts, such as those participating in past contests like the 2022-11-looksrare-aggregator-contest (https://code4arena.com/contests/2022-11-looksrare-aggregator-contest), we encourage you to open a help desk request at https://code4rena.com/help. If you encounter a 500 error when trying to access api.code4rena.com, it's valuable for us to know. Similarly, any vulnerabilities impacting our web app should be reported to security@code4rena.com. For all other issues or concerns, creating a help desk request is a simple and efficient way to receive help. Our help desk usually responds in a timely manner, although there may be delays during peak times. Rest assured, every ticket sent is important to us and we work to address each one. 
Thank you for your patience and understanding.", "Question: Should I include in my report the same issues that were already reported by a bot, particularly if there are instances the bot missed or if they can be used to construct a more complex exploit?\n\nAnswer: While our policy generally advises against repeating the same issues already identified by a bot, there are instances where it is appropriate to include such findings. An issue spotted by the bot but missed elsewhere in the codebase can be a valid submission. If an issue found is in the same category as a bot report but not included in the bot report, it can be considered a valid finding as well. Additionally, if you can use known issues to construct a more complex exploit, it is also valid to include it in your report. \n\nHowever, as stated in our submission policy (https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues), submissions based on automated tools must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory. \n\nDo note that the score for a report may be lowered if it contains a few invalid issues, and if it's very similar to a bot report, it may be further penalized. Therefore, it's advisable to ensure your report includes unique findings and provides value beyond what the bot has already identified. \n\nIn terms of severity escalation, if a bot race report ranks an issue as low but you escalate it to high, it's not automatically invalid. However, you must provide sufficient evidence to justify the increased severity.\n\nMoreover, findings in non-best, unpublished bot-generated reports are still eligible for submission. 
But remember, the highest effort should be put into high severity issues, although medium or low severity issues can also be included in the report.\n\nLastly, if you are unsure whether to report occurrences of the same issue separately or together, you can choose either way. However, it's often good practice to group similar issues together and clearly communicate their relation in your report. This makes it easier for the judge to understand the context and assess the report accurately.", "Question: How can I view, edit or track my submissions for a contest at CodeArena?\n\nAnswer: You can view, edit or track your submissions on the CodeArena website. After submitting a bug or making an analysis for a contest, head to the contest page and look for the \"Your Findings\" button. This will allow you to view, edit, and keep a track of your submissions. For instance, you can find the \"Your Findings\" button at the Ethos Reserve contest page: https://code4rena.com/contests/2023-02-ethos-reserve-contest. \n\nIn cases where your submission was not rewarded, you will have access to the reasoning upon the publication of the contest report and full opening of the repository. This will enable you to see the discussion among sponsors and judges on the specific issue. \n\nSubmissions are also confirmed via email and can be viewed under the \"Findings\" tab on the C4 Contest page. If needed, you can also retract or cancel your submission through the \"Your Findings\" section on the contest page. \n\nFor completed contests, your submissions can be accessed on the concerned GitHub repo once the contest report is published. Moreover, users who have received the + certification get the advantage of viewing other submissions immediately after contests end. \n\nPlease note that during the judging process, visibility into the status of submissions is not available until the report and repo are made public. 
Lastly, CodeArena has plans to introduce a new submission mechanism in future contests which will allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging.", "Question: What can I see and do after submitting my Analysis Report in CodeArena, and is it possible to edit or resubmit my report?\n\nAnswer: After submitting your Analysis Report, you will be able to see your Risk Rating selection. At the moment, you cannot edit or resubmit your Analysis Report directly through the submission UI on our site. However, you can see your submissions by checking your Analysis Report; only the findings submitted by you or your team are visible to you until the final report is made public. \n\nThere might be situations where you don't see your submissions in the Findings tab or wish to add additional findings after an initial submission. Remember that only one low-severity report among all the low-severity reports submitted is chosen to be included in the final report. If your report is not mentioned in the responses, it might be because it was listed as an automated finding, not awarded, or rated as grade-c in the judgement procedure. \n\nAlthough you cannot currently send in updates to your analyses, we are considering adding this feature in the future. If you have questions about how to submit an Analysis Report or how judges determine which reports get featured, you can find more information at: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118\n\nIf you want to edit findings or analysis reports, you need to go to the audit page and click the 'Your Findings' button. If you submit a high-risk finding that is judged as low risk, you will still be rewarded and vice versa. 
Please note that only the 'Selected For Report' gets a bonus.\n\nIt's also important to know that if you encounter an error while submitting a Quality Assurance report for the first time, you can check if it has been successfully submitted by checking your email for confirmation or viewing the findings through the \"View Context\" function. We are continuously working to improve our system and appreciate your patience and understanding.", "Question: How do I obtain a backstage role at CodeArena?\n\nAnswer: Gaining backstage access at CodeArena involves a process that commences with becoming a certified contributor. This certification denotes that you've met certain qualifications, including submitting high-rated findings, or three or more medium-confirmed findings from various areas. Once certified, you can apply for the backstage role through a help desk request.\n\nPlease note that all members of a team that submit 3+ medium findings and get them accepted become eligible for the backstage role. However, public findings are necessary to receive the role. Backstage access allows you to view reports of past contests.\n\nDetails about the certification process, backstage qualifications, and the process to request backstage access can be found at https://docs.code4rena.com/roles/certified-contributors and https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.\n\nIt's important to note that the availability of backstage applications may vary from time to time. So, it's recommended to keep an eye on updates from CodeArena regarding any changes.\n\nAs always, for further assistance regarding the backstage application, you can reach out through the help desk.", "Question: \nI have recently updated my Discord username, which is different from my original one I used while joining C4 as a warden. 
Should I update my new Discord username on my C4 account or leave it as it is to avoid potential issues with GitHub records and contest report submissions?\n\nAnswer: \nYou can certainly update your Discord username on your C4 account. To do this, head over to the Account Management page on your warden profile. However, to avoid any potential confusion or issues, it's recommended to keep your Discord nickname the same as your registered C4 username.\n\nDiscord's recent update allows users to use their name without the discriminator (the #number part), which might affect your warden role. To prevent this, it's advised to update your new Discord handle in your profile on Code4rena's site.\n\nPlease note that changing your handle could potentially cause issues with past or ongoing contests. Therefore, if you're considering changing your handle itself, it is not currently advised. Leaderboard standings and submissions under the previous handle are not transferable to a new account.\n\nKeep in mind that having an updated Discord username linked to your CodeArena account ensures that you can be tagged in any award announcements. However, it does not affect the process of receiving awards.\n\nAlso, if you're looking to change or link other accounts such as your Twitter handle to your CodeArena profile, please submit a help desk request with your warden name and Twitter URL at https://code4rena.com/help.\n\nRemember, any changes or issues related to your username, be it on Discord or other platforms, can be reported and resolved via the Help Desk at https://code4rena.com/help. The developer team will review your request and provide assistance accordingly.", "Question: Who can participate in the xETH - Mitigation Review and what does the process involve?\n\nAnswer: The xETH - Mitigation Review is open only to those who participated in the original Invitational audit. It is part of a process where projects invite top wardens back after the contests to review bug mitigations. 
\n\nWhile participants can apply for KYC certification and submit reports without being certified, please note that certification is required to receive rewards. You can become a certified warden following the guidelines provided at this link: https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0. \n\nThe top three auditors are usually selected in the mitigation review. For example, this was the process followed in the jul05 Chainlink contest. There is a possibility of a mitigation review for Chainlink CCIP, as mentioned in the original RSVP message. You can find this information here: https://discord.com/channels/810916927919620096/958800160870240286/1111007546183012382. \n\nFor more information on the Mitigation Review process at CodeArena, you can refer to this article: https://medium.com/code-423n4/a-look-at-code4rena-audits-mitigation-review-3e05f8b7acb7. You can also find additional details on the process at https://code4rena.com/how-it-works. \n\nJust a note, there were questions about whether CodeArena focuses only on auditing or if they also handle smart contract gigs. At present, the platform is primarily focused on auditing. \n\nPlease ensure that you're up-to-date with the certification process as there was an issue which has now been resolved. Some users are still waiting to become certified auditors and we hope to welcome them soon to our mitigation review process.", "Question: How can I request assistance or support for issues I encounter on Code4rena?\n\nAnswer: If you encounter any issues on Code4rena, whether it involves account issues, KYC process, collaboration, investment inquiries, backstage application assistance, missing permissions, tool usage, or submission of findings, you can seek immediate support by creating a help desk request. To do this, visit https://code4rena.com/help and outline the specific issue that you are experiencing. 
If you are having trouble using the mobile application or need to submit any findings outside of the form on the website, you can send an email to submissions@code4rena.com. Remember that your request has been received once you've submitted it, and if you're not certified after a response is received, feel free to create a follow-up request. If you're interested in applying for a backstage role or becoming a certified warden, these can also be requested through the help desk. If you wish to discuss high severity issues before submitting them, the help desk is always there to assist you. It's important to note that there may be times when the help page shows an 'Out of Office' message, so please be patient as the team will respond to your request as soon as possible.", "Question: How can I participate in invitational audits at CodeArena?\n\nAnswer: To participate in invitational audits at CodeArena, you need to be certified as a warden and join a team. Certified wardens have demonstrated their skill and reliability in past audit contests and are thus eligible to participate in private and invitational audits. To become certified, you need to compete in audit contests and rank on the leaderboard. \n\nOnce certified, you can participate in the audits as part of a team or individually. Teams can participate in auditing contests and, if highly ranked, may be eligible to compete in invitational audits which prioritize the highest ranked wardens. \n\nAccessing private audit contests usually requires certification and ranking on the leaderboard. The eligibility criteria for each opportunity is listed in the #\ud83d\udd96rsvp-certified channel on our Discord server.\n\nYou may also use the #\u270brsvp channel to see upcoming public audits and signal your interest in participating. 
For more detailed information on becoming a certified warden and participating in audits, please refer to the following resources: \n- https://docs.code4rena.com/roles/certified-contributors\n- https://docs.code4rena.com/roles/wardens\n- https://medium.com/code4rena/a-look-at-code4rena-audits-versus-6c55d57939ef\n- https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0\n\nPlease remember, participation in audit contests can provide valuable experience and a better understanding of audit reports, which can enhance your chances of becoming involved in private or invitational audits.", "Q: How do I use the RSVP mechanism on CodeArena for audit opportunities and what does it entail?\n\nA: RSVP stands for 'R\u00e9pondez s'il vous pla\u00eet' and it is a way for you to express your interest in participating in upcoming audit opportunities on CodeArena. The process entails reacting to a message in the `#\u270brsvp` channel on our Discord server. \n\nOur company organizes RSVP contests and updates about them are frequently posted on the RSVP channels. The RSVP feature may also be required for participation in future contest opportunities. \n\nIf you're interested in a 'Verified Contest' or a 'vs contest', which involves only a few select highest performing wardens, you can signal your participation through RSVP. \n\nFor all public contests, information and updates are posted in the public `#\u270brsvp` channel. However, for private contests exclusive to certified wardens, RSVPs are shared in a channel only visible to the certified individuals. \n\nYour position on the leaderboard from the last 90 days will determine whether you'll be selected for such certified jobs. If you and your team are completely certified and meet the qualifications of an audit, you can participate in the `#\ud83d\udd96rsvp-certified` channel.\n\nBot registrations for contests are announced on the `#\u270brsvp` channel every couple of weeks. 
If you're looking for information about future qualifiers or the next contest, you can check the same channel here: [RSVP channel link](https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784). \n\nKeep in mind that the number of contests on CodeArena can sometimes vary, with top-tier projects occasionally appearing on the RSVP channels. This is considered normal.", "Question: I have submitted issues for the Llama contest on the CodeArena website, but I can't see them. What could be the reason and how can I view them?\n\nAnswer: There could be several reasons why you're unable to see your submitted issues. \n\nFirstly, to view issues you've reported for a contest on the website, you need to have a \"+backstage\" role. If you don't have this role and should, please contact a moderator.\n\nSecondly, if your issues were submitted but aren't appearing on the leaderboard or award list, it's possible they were rejected. Once the contest has ended and the report has been published, you can review why your submission was not accepted. This is because the repository becomes fully opened, allowing participants to see the discussion among sponsors and judges about specific issues.\n\nIf you're still unsure about your submission status, you can check your QA report by selecting the \"My findings\" option on the contest page. This will let you view or edit your own submissions for open contests.\n\nIf you come across issues when submitting or viewing your findings, or if you want to challenge a decision about a contest judgement, you can reach out to the CodeArena help desk by visiting https://code4rena.com/help. \n\nPlease note, it's recommended to avoid discussing specific findings until the report has been posted for the contest in question. If a finding was already listed in the known issues section of the contest, it will likely be disqualified. 
\n\nLastly, CodeArena is working on plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during the judging process.", "Question: I've applied for +backstage access at CodeArena, can I expect any progress on my application?\n \nAnswer: As of recent updates, backstage access applications at CodeArena are currently paused due to an identified issue. We anticipate an update regarding this situation to be posted within the next two weeks. However, there is no exact ETA available for the resumption of backstage applications at this time. \n\nTo apply for a backstage role, applicants must meet certain qualifications as a certified contributor and then submit a help desk request for their status to be evaluated. More details about the qualifications and the application process can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. \n\nPlease note, once applications have reopened, the evaluation for the backstage role is usually done within a week if all qualifications are met and nothing is pending. Participants can apply for backstage access as soon as the contest results are published on the leaderboard, which usually happens shortly after the awards are announced. \n\nWe will provide a notification once we have reviewed your request for backstage access. We appreciate your patience and understand the importance of the backstage role, which allows access to our findings repo after a contest ends and the ability to view issues reported for a contest on our website. \n\nWe're working on changes to the backstage access process and will keep you updated. Thanks for your interest in becoming a backstage warden at CodeArena.", "Q: How does Code4Rena evaluate QA and Gas Optimization reports? If I find a few gas optimization issues or low/non-critical issues, should I report them, and how does the number of issues affect my report grade? 
\n\nA: The grading of QA and Gas Optimization reports at Code4Rena is not solely determined by the number of issues you report. Even a single impactful issue can earn a grade of B, while a report with many low-impact issues may only earn a grade C. It's about quality more than quantity. \n\nWhen you find an issue, consider its impact and relevance. It could be a QA issue, a gas optimization, or both. If a low/non-critical issue you found also involves gas savings, you should include it in the QA category and mention the gas savings. However, if the issue is solely related to gas savings, it might be downgraded from QA to Gas.\n\nYou are required to submit one QA report per contest and group all issues together, separating the Gas report from the QA report. For each report, it's recommended to have one consolidated submission.\n\nJudges do take into account both the quantity and quality of submissions when grading QA reports. You can find more information on how these reports are graded on the following links: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nRemember, a finding that is relevant to both QA and gas savings can be included in either report, and judges may decide where it best fits. If a finding submitted as low in the QA report gets bumped up to medium severity by the judges, it will be eligible for medium rewards.\n\nFor gas optimizations, not all reported optimizations are valid when the optimizer is enabled. It's also suggested to mention the amount of gas saved for each finding in your gas optimization reports, though this will ultimately depend on the judge's decision.\n\nRemember, the purpose of your reports is to provide meaningful and impactful feedback on the smart contracts. The better and more detailed your finding, the higher grade you're likely to receive. 
Always aim for quality over quantity.", "Question: How can I find if my automated findings are accepted in a CodeArena contest?\n\nAnswer: While there isn't a global list for automated findings that are not accepted in the contests, each contest has a specific policy. You can refer to the \"Known Findings\" section on the Readme Page of each contest, which lists automated findings not accepted for that specific contest. Additionally, findings listed in the best bot-generated report are out of the contest\u2019s scope. \n\nFor a more comprehensive understanding, you may refer to the submission policy related to automated findings at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible and https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. These policies provide insights into how findings are judged and which ones are considered known issues.\n\nRemember that if a finding is mentioned in the known issues section in the contest, it is likely to be disqualified. However, if a low severity finding in a contest's bot report is escalated to a high severity, it is not automatically invalid. The criteria for judging such cases is also explained in the submission policy page.\n\nSubmissions for a contest can be edited after they have been made. Users can utilize this feature to improve their findings based on feedback or new insights. Automated findings for a contest can also be found in the pinned messages of the contest's channel on Discord. \n\nLastly, while citing similar findings from other contests is not explicitly prohibited, the validity and severity of a finding is assessed based on the specifics of the contest it's submitted for. As such, it's best to treat each contest as unique and carefully review the contest's specific criteria and guidelines.", "Q: I assume I've identified a logic flaw in the smart contract. 
I have trouble writing a Proof of Concept (PoC) for it due to its complexity and the exploitation requiring certain edge cases. Can I submit my findings simply as a detailed description and reasoning? If so, what would be the implications if my reasoning is incorrect and it's not a flaw? Would there be any penalty for my future reports? Specifically, I'm talking about a medium-severe issue.\n\nA: Yes, you are allowed to submit your findings with only extensive descriptions and reasoning. However, it's important to note that if you don't provide a PoC, especially for medium-severe issues, your report may not be fully considered unless the issue is extremely obvious or easily identifiable, such as wrong parameters, typos, or non-compiling code.\n\nThere is no penalty for incorrect findings as long as you are not spamming. The importance of PoC lies in its role as proof. A coded PoC that can be easily replicated proves the validity of your claim. Including a PoC in your report can also significantly increase your chances of selection, which comes with a 30% bonus.\n\nIf the severity of the bug is unclear, it's recommended to keep working on the PoC until it becomes clear. For vulnerabilities that rely on user interactions with the contract or precision-loss issues, a PoC is necessary unless the damage caused by the flaw can justify its severity. If a vulnerability involves external functions with the transfer of ERC20 tokens without reentrancy protection, a clear explanation of the exploit path is needed to avoid being downgraded to QA.\n\nYou have the option to provide your PoC in any language that demonstrates the vulnerability, or even in plain English. For large PoCs that can't be embedded directly, you could provide a link. You could also write an attack contract and explain its effects in plain writing as a PoC. 
However, you need to fully demonstrate the process if possible.\n\nWhen submitting your issue, you should explain the vulnerability and its impact on the protocol/code in the impact section, and the PoC section should contain relevant code lines or a written test that serves as the exploit. The level of detail in your submission, including a PoC, and how you cover the issue in all possible aspects can influence the award amount.\n\nIncorrectly assessing the severity of an issue can result in a penalty. If a single line of code can be exploited in multiple ways, it's uncertain whether it should be reported as a single bug or multiple. If you find a vulnerability in an out-of-scope contract, you could include it in the C4 report as an unrewarded finding or contact the project directly.\n\nAn example of an accepted PoC is provided here: https://github.com/code-423n4/2022-12-caviar-findings/issues/343.\n\nRemember, submitting a high severity issue without working code that demonstrates the impact may lead to it being downgraded or deemed ineligible for awards. For medium risk vulnerabilities (Risk 2), similar to high-risk vulnerabilities, test codes as PoCs are ideally required when writing reports.", "Question: How can I find, edit, or submit automated findings, including gas optimizations, for a Code4rena contest?\n\nAnswer: Automated findings not accepted in the contests, including gas optimizations, are listed in the \"Known Findings\" section of the Readme Page for each contest. If you wish to edit your gas report findings or add more findings to your gas report, you can do so by going to the contest page and clicking the 'Your Findings' button while the contest is still open. Note that only one report of gas optimization can be submitted per contest; all findings should be compiled into one report.\n\nWhen entering a contest, you don't have to submit all reports for high, medium, QA, and gas optimization. You can submit what you find. 
Gas optimizations are awarded from a separate award pool specified on the C4 website and each contest's page.\n\nSubmissions can be retracted on the contest page under the findings tab. To access information about the average payout for gas optimizations, non-critical findings, and low-risk findings, refer to the findings.csv file on the C4's website repository. \n\nSome users have reported inconsistencies in the acceptance of gas optimization reports. If you have concerns about this, it may be best to reach out to a contest organizer or moderator for clarification.\n\nMake sure to review the submission policy related to automated findings at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible and https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. \n\nFinally, if you want to see which findings of a contest were rejected and why, as well as how to view others' findings after a contest finishes, the contest details page and the after-contest summary should provide this information. This information may also be found in the pinned messages of the contest's Discord channel.", "Question: How can I find and manage my automated findings for a contest on CodeArena?\n\nAnswer: For each contest, you can find your automated findings in the \"Known Findings\" section of the Readme Page. If you need more information about the submission policy for these findings, please refer to our submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible). You can also look for the automated findings in the pinned messages of each contest's Discord channel.\n\nIf you have already submitted findings but want to modify or edit them, you can do so by going to the specific contest page and clicking on the 'Your Findings' button. 
For example, if you're participating in the Ethos Reserve contest, you would navigate to [here](https://code4rena.com/contests/2023-02-ethos-reserve-contest). It's important to note that any findings listed in the Known Issues section are likely to be disqualified.\n\nAfter a contest, you can view the results at [this link](https://code4rena.com/reports), and you can also view your report status and manage your findings in the \"findings\" tab next to the contest description. If you accidentally submit your findings to the wrong contest, resubmit them to the correct contest and fill out a form [here](https://code4rena.com/help/) so the CodeArena staff is aware of the incorrect submissions. \n\nIf you're having trouble with any of the links to the repositories or if you can't see your findings for a specific contest despite submitting them, it might be due to some reported issues with certain contests. In such cases, be sure to reach out for further assistance. Also, keep in mind that bots not registered in the chainlink protocol may not be usable for certain contests.", "Question: I'd like to understand more about findings not accepted in the contests, and how they relate to the Bot Race. Can you provide more details about this?\n\nAnswer: Yes, findings not accepted in the contests can originate from various sources, including the Bot Race. This is a competition where users are rewarded for findings made using their AI bots. If a bot finds a high or medium finding, it only gets the bot pool reward based on its rank in the Bot Race. \n\nHowever, not all findings not accepted in the contests are based on the Bot Race. Sometimes, the contest sponsor can add details as well. For each contest, the Known Findings section on the Readme Page lists out automated findings that are not accepted in the contests. \n\nAdditionally, findings listed in the best bot-generated report are out of the contest's scope and are similar to the current 'Automated Findings'. 
An issue can still be valid to submit even if it is found by the Bot Race and another instance of this issue was not picked up by the bots. However, the final report for a contest does not include wardens whose submissions or findings are not accepted. \n\nRemember that findings during a contest remain private until the report is published and any findings that are not submitted before the end of the contest will not be eligible. They are reviewed by sponsors soon after the contest ends, and then it goes to judging. \n\nFor more details on judging cases, you can refer to the Submission Policy on our website: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. Please note that sponsors may not have access to the findings repo before the contest ends.\n\nFor any discussions or queries about Bot Race related issues, you can go to #bot-race-help.", "Question: How can I bridge from Polygon to Ethereum and then withdraw my USDCs on Coinbase, and what kind of requirements and implications does this process have?\n\nAnswer: Depending on the bridge service you use, the requirements differ. If you use the Polygon Bridge, you will need both Matic and Eth for paying transaction fees. The Polygon bridge can be accessed here: https://wallet.polygon.technology/. \n\nHowever, if you opt for the Hop Bridge, only Matic is required to cover transaction fees, but it's important to note that you will receive a lesser amount of USDC on the Ethereum Mainnet due to the fee structure. \n\nOnce your USDC is on the Ethereum Mainnet, you can deposit it directly into Coinbase from the Mainnet. Be aware that you may need to switch the network on your wallet (for instance, MetaMask) to Polygon Mainnet to view your tokens. 
If your balance still appears as zero, you might need to manually add the USDC on Polygon to your wallet.\n\nIn case you're running low on Matic for transaction fees, you can swap for more, potentially even for free, at this link: https://wallet.polygon.technology/polygon/gas-swap. For those interested in tracking their tokens, they can do so at https://polygonscan.com/address/.\n\nRemember, when withdrawing funds, both Polygon and Ethereum addresses are required for the withdrawal process. You have complete control of your address and key, and to move your funds, you'll need to send a transaction on Polygon. \n\nPlease note, these observations are based on chatroom data and may be subject to change or have errors. Always proceed with caution and verify from official sources when dealing with cryptocurrency transactions.", "Question: How does the recent Discord update, which requires users to use their name without the discriminator, impact my Warden role on CodeArena and what actions should I take?\n\nAnswer: The recent update to Discord might affect your Warden role on CodeArena. As a result of this update, you may need to update your new Discord handle - your name without the discriminator - on your CodeArena profile. \n\nTo do this, you can navigate to the Account Management page of your Warden profile. Here, you can update your Discord handle. Remember, your Discord nickname should remain as your registered C4 username. \n\nAdditionally, having an updated Discord username tied to your CodeArena account ensures that you can be tagged in any award announcements. However, it's important to note that this does not affect you receiving awards. \n\nIf you experience any issues or have further questions, it's advisable to submit your queries via the Help Desk for the developer team to review. 
For more information about how to deal with a changed Discord ID, you can refer to this link: https://discord.com/channels/810916927919620096/810931711609143326/1119321495987032144. \n\nYour email and GitHub username will not be made public by CodeArena. However, as a certified warden, you will be part of a permissions group/team on GitHub to give you access to private repositories. You can choose whether to make your membership on private teams public or not. \n\nLastly, it's important to note that the completion of Warden registration is necessary for your handle to appear on the leaderboard. If you are making changes to your username or wallet, ensure that these changes are updated in your CodeArena account.", "Question: How does changing my username affect my warden account, and what steps should I take to ensure my account remains functional?\n\nAnswer: Changing your username could indeed affect your account registration as a warden on CodeArena. If you change your username on Discord, you could potentially encounter missing permission issues. This is because Discord's update asks users to use their name without the discriminator, which might affect your warden role.\n\nTo address this, you'll need to update your new Discord handle in your profile on the CodeArena site. You can do this on the Account Management page of your warden profile. However, it's important to note that your Discord nickname should remain as your registered C4 username.\n\nIf you're considering changing your nickname, be aware that you might need to re-register with CodeArena using the new username. When you re-register, ensure that your registration is fully completed before your handle will appear on the leaderboard. If you're registering as a warden for the first time, you can do so using Github, and you might need a username and password to submit a finding.\n\nRemember, if you change your username, your statuses may not carry over to the new account. 
If you encounter any issues with the warden registration or bug submission, you're encouraged to communicate directly with CodeArena staff for further clarification. For more information, you can access the Warden FAQ guide at https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting. If you still have unresolved questions, you can submit a help request at https://code4rena.com/help.", "Q: How can I participate in private contests at CodeArena?\n\nA: To participate in private contests at CodeArena, you must first become a certified warden. This involves completing KYC approval, although it's important to note that KYC approval doesn't automatically grant access to private contests. Once certified, you can view all contests, both public and private, listed on our website. \n\nThe access to private contests depends on certain metrics or prerequisites. Having a high position on the leaderboards from the last 90 days enhances your ability to qualify for private contests. In some cases, you may need to have participated in the original audit, or have been a part of three or more contests to meet the requirement for backstage+ access. \n\nPrivate contests are usually announced in the #\ud83d\udd96rsvp-certified channel. The RSVPs for these contests are available in a channel only visible to certified wardens. If a contest is in the public RSVP channel, it's a public contest. Even after certification and ranking on the leaderboard, certain private contests may not be accessible if they have already been assigned. \n\nSpecific questions about the scope for a contest can be addressed to the respective sponsor. The scope for the contests is decided by the sponsors and is listed in their contest information.\n\nRemember, even as a certified contributor, you are not obligated to apply to every contest. Participation in contests is recommended for improving skills and gaining access to more opportunities, but it's not mandatory. 
You can find more details about this process in the Code4rena documents.", "Question: What happens to the reports provided by wardens in Code4Rena? Are they published, edited for language, or contain any private information? \n\nAnswer: The reports provided by wardens in Code4Rena are subject to a specific process. If there are concerns or issues with a report, the team may seek clarification from wardens. The reports are then made public once the final contest report has been published. Certified wardens can view the findings repo immediately after a contest ends, while other users can view the reports even after the contests have ended. The reports are available in the reports section, each title of which is a link that points to one of the warden's reports on GitHub. \n\nReports may contain a summary of what was submitted by the wardens and recognize wardens who report a certain finding first, as well as those who found the same finding. However, the reports do not contain any private information - the emails and GitHub usernames of the wardens will not be listed anywhere publicly by C4. Certified wardens will be part of a permissions group/team on GitHub to give them access to private repos, but they can decide to make their membership on private teams public or not.\n\nAlso, it's worth noting that there is a professional conduct guideline for certified wardens that requires all findings to be treated as private and confidential until the contest report is made public. This guideline and the process for submitting findings can be found in the documents provided by Code4Rena at [https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines] and [https://docs.code4rena.com/roles/wardens/sub] respectively.\n\nIt's important to note that the final report for a contest doesn't include wardens whose submissions/findings are not accepted. 
Also, even though the platform allows viewing reports from other wardens, there is a query regarding visibility if there is no table with results.", "Question: How can I edit and manage my submitted QA report for a contest on CodeArena?\n\nAnswer: After submitting your Quality Assurance (QA) report on CodeArena, you are allowed to make necessary edits and updates until the audit deadline. You are only permitted to submit one QA report and one combined gas report for each contest. However, you can make edits to your existing submission if further errors are discovered or if more details need to be added. \n\nTo update your QA report, you should navigate to the specific contest page, and click on the 'Findings' tab. From this tab, you can edit your existing findings by selecting the \"My Findings\" option. This process allows you to review and revise your QA report as needed. \n\nIn situations where your QA report exceeds the character count for regular submissions, you can submit your QA report via a help desk ticket. \n\nIn the event of an error upon submission, you can verify the successful submission of your QA report by receiving an email confirmation or by viewing the submitted findings through the \"View Context\" function. \n\nFurthermore, if you wish to view your previous QA reports for contests that have already closed, you can do so from the contest page. \n\nPlease note, currently, it is not possible to directly edit an analysis report. However, you can create a help desk request with a secret gist to have edits added to the comments of your analysis report before the audit closes. 
\n\nIf you continue to experience issues while editing your QA report, CodeArena's help desk is available for assistance.", "Question: If a finding that I initially classified as low-risk in my Quality Assurance (QA) report is later judged and confirmed as medium-risk by other wardens, what steps should I take to have it upgraded to medium-risk, and does this affect the rewards I receive?\n\nAnswer: If a finding you initially classified as low-risk in your QA report is later evaluated and confirmed as medium-risk by other wardens or judges, the judge typically upgrades the severity level automatically, as per the information provided on our help page [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). This has implications for the rewards system as well, as issues judged as medium are eligible for medium rewards.\n\nIn the process of reporting, it's important to accurately estimate the severity of a finding based on the potential loss caused by the issue. If you are uncertain about the severity of a reported issue, review the judging criteria and present a case for the chosen severity using as much evidence as you can. The judging criteria can be found [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk). \n\nThe severity of loss that qualifies a finding as high, medium, or QA is as follows: If all rewards can be lost, it's MED/HIGH. If there's a risk of losing some rewards, it's probably medium. If rewards are lost due to roundings (a negligible amount of rewards), it's probably QA. If the principal can be stolen without needing extra requirements, then it's most likely HIGH.\n\nFinally, it's worth noting that judges have the authority to downgrade or upgrade the severity of your findings if they deem it necessary. 
Therefore, the category of findings you submit as part of your QA report can be adjusted according to the judges' evaluations.", "Question: Will the audit of Canto be conducted in Go language and what other audit services does CodeArena offer?\n\nAnswer: Yes, the audit of Canto will be conducted in Go language. CodeArena not only conducts audits in Go, but also in Rust and potentially plans to open up to Solana audits in the future. The platform conducts audit contests where teams can participate and it seems that there are more contests coming in the future. Completed audit findings can be reviewed via the C4 GitHub repo. There are queries regarding running an audit contest for contracts, including pricing and operational details. The platform also provides post-judging QA and gas optimization services. For specific scope of the audits, you can refer to links like: https://github.com/code-423n4/2022-07-golom#scope. In addition to public contests, there are also private contests that you can apply for if you are certified as a warden [link: https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0]. They also have a booking team that can assist with setting up audits. For questions about the use of tools for auditing, they have a work-in-progress auditing tool located here: https://github.com/HardlyCodeMan/audit_helper/.", "Question: What exactly is the post-judging QA in CodeArena and how does it function?\n\nAnswer: The post-judging Quality Assurance (QA) is a period after a contest ends where the \"backstage wardens\" are able to comment on and query the judges' decisions. This process is essential for ensuring the accuracy, quality, and fairness of the judging process. \n\nAfter the contest ends, reports are initially reviewed and triaged by judges, and then they await sponsor review, final judging, and QA before they are made public. During the QA process, judges have the authority to adjust the severity of issues from the submitted QA reports. 
This could mean that a medium issue could be downgraded to QA or that a low issue could be upgraded to medium if it's justified. The judges take into account both the quantity and quality of submissions when grading QA reports, and a single item in a QA submission is unlikely to receive a high grade. \n\nIf a QA issue is submitted, a judge can elevate its severity to Medium/High (M/H) if necessary. Here, the detailed description of a QA issue can be influential for the judges' decisions. This means if an issue is submitted as low severity in a QA report, but upon review, the judges elevate it to medium severity, it will be eligible for medium rewards. \n\nAlso, if no High/Medium (H/M) issues are found in a contest, the entire rewards may move down to Quality Assurance (QA). Being a warden, you can view the judging results before they are published and if any issues are identified, they can be raised to the judge for reconsideration. \n\nFor more information on grading and awarding criteria for QA reports, refer to the following links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: How can I understand the bounty distribution based on different exploit types in a contest and identify the already reported bugs?\n\nAnswer: The bounties for different exploit types based on a contest are specified on the contest page. If multiple auditors report the same bug, the bounty is split among them. Common findings are usually out of scope as they are identified by the C4udit tool. 
The list of findings is linked in each contest readme, and if a bug isn't picked up by the tool, it should be submitted manually.\n\nTo see a detailed list of rewards for each bug per contest, you can visit: https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv. \n\nThe platform has several types of contest rewards, such as Scout, Lookout, and Judge awards. Participants are given shares for bugs discovered based on severity. These shares give the owner a pro rata piece of the pot. The severity of the bugs and the reward distribution are decided by the judges, who are chosen based on experience and reputation. Their decisions on a bounty are shared after the contest concludes.\n\nAfter the contest ends and the possible exploits have been patched, all participants' submissions may be made available. To keep track of your report status and view or edit your findings, you can refer to the \"findings\" tab next to the contest description. \n\nIf you are interested in viewing previously available information, you can refer to \"_data/contests/contests.csv\". For a list of contest reports, visit: https://code4rena.com/reports. You can also find the findings from contests in the section where Contests are posted.\n\nRemember, while submitting an issue for any contest, it is beneficial to include a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid. Instructions on sharing vulnerability discovery PoCs can be found at this GitHub link: https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc.", "Question: How can I manage changes to my Discord username related to my CodeArena account?\n\nAnswer: If you've changed your Discord username, there are a few steps you need to follow to ensure your CodeArena account reflects these changes. Firstly, it's important to note that your Discord nickname should remain as your registered C4 username. 
You can update your Discord name on the Account Management page of your warden profile. However, if your Discord's update asks you to use your name without the discriminator, this might affect your warden role. To address this, you need to update your new Discord handle in your profile on the CodeArena site. \n\nPlease note, if you're on the leaderboard, you may need to create a new registration or Discord handle and start over with the new name as leaderboard status does not transfer. If you are having issues updating your username or linking it to your CodeArena account, it's advised to submit your questions via the Help Desk for the developer team's review at https://code4rena.com/help. \n\nMoreover, users can also change their wallet and username on Discord. These changes should be reflected in your C4 account if correctly linked. Having an updated Discord username tied to your CodeArena account does not affect receiving awards but ensures you can be tagged in for any award announcements. \n\nInstructions on how to update your username and other related information can be found at: https://discord.com/channels/810916927919620096/810931711609143326/1119321495987032144.\n\nRemember, it is essential that your Code4Arena profile name matches with your Discord chat name. If there's a mismatch, you can report this via the Help Desk. Be aware that it is possible to create two accounts with one email and Discord, but each account should have a unique username.", "Q: How can I view, edit, track, or retract my submissions on CodeArena (C4)?\n\nA: After submitting your findings for a contest on CodeArena, you can view and edit your submissions by navigating to the specific contest page and clicking on the 'Your Findings' button. For instance, if you participated in the Ethos Reserve contest, you would go to https://code4rena.com/contests/2023-02-ethos-reserve-contest. Your submissions can also be tracked from your Analysis Report. 
\n\nIf you've submitted a bug, you can view and edit your submission for open contests on our site. If you wish to retract a submission, you can do so on the contest page under the findings tab, where you have the option to remove a finding submission, likely found under an 'edit' button. \n\nNote that after a contest has ended and is in the judging process, the status of your submissions will not be visible until the contest report is published and the repo becomes public. However, you will receive an email confirmation of your submission and you can check whether your submission was successful at https://code4rena.com/reports. \n\nIf your submission wasn't rewarded, you can review the reasons for rejection once the report is out and the repository is fully opened. This provides insights into the discussion among sponsors and judges on the specific issue. \n\nPlease bear in mind that each contest may have specific submission rules, so it's important to familiarize yourself with these before submitting your findings.", "Question: How can I access, view, and edit my submissions for the Maia audit on CodeArena?\n\nAnswer: You need to be logged into your C4 user account to access your submissions for the Maia audit. Once logged in, you can view your submissions by checking your Analysis Report or on the C4 Contest page under the \"Findings\" tab. You can also edit your submissions while the contest is open. If you encounter technical issues with viewing the repo or submitting findings, please ensure that you're logged into the same GitHub account provided for C4. If you're a certified warden, remember to connect your wallet to your account to submit findings. Moreover, wardens can see their submissions and any comments on them once the repo is set to public after the announcement, unless they are certified for backstage access. If you are not on the leaderboard but believe you participated, you can check your participation by creating a help desk request. 
You also receive a confirmation of your submissions via email. To become a certified warden or learn more about submission policies, visit https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0 and https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines respectively.", "Question: How can I view, edit, and track the status of my submissions for CodeArena audits?\n\nAnswer: After the submission of your findings for a CodeArena audit, you should receive an email confirming the successful submission and indicating that you can view and edit your findings before the audit closes. You can manage these submissions by checking your Analysis Report, and for ongoing audits, you can access your findings by navigating to the contest page and clicking on the \"Your Findings\" button. \n\nPlease note that it might take some time for your issue to be visible in the Issues in the repo created for the audit. Also, you cannot submit bug reports after the audit contest has ended, and all findings must be submitted prior to the audit closing. \n\nOnce the audit contest has ended and is in the judgment process, you may not be able to see the status of your submissions immediately. The report has to be published and the repo has to become public before you can review your submissions and the discussion among sponsors and judges on specific issues. If you made a submission that was not rewarded, this process lets you learn why it wasn't accepted.\n\nFor private audits, you need to be certified as a warden to participate, and you can find more information on how to become a warden here: [https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0]. \n\nIf you have any issues or confusion regarding your participation in an audit, feel free to create a help desk request explaining the problem. 
Our team is here to assist you.", "Question: How can I obtain the \"leaderboard\" tag in my profile on the Code4Arena platform?\n\nAnswer: The \"leaderboard\" tag is automatically assigned to your profile when you rank in the Top 5 in any of the Code4Arena contests. The leaderboard is updated each time awards are announced, capturing the performance of users in various contests. Do note that not all contest types are currently supported for leaderboard updates. Also, it's important to be aware that there may be instances where the rewards are announced before the leaderboard is updated. \n\nWhen you rank in the Top 5 and receive your rewards, you should see the \"leaderboard\" tag added to your profile. However, if you do not see this update, it may be due to a delay in the leaderboard update process. The final contest report may not immediately appear on the Code4Arena site even after the leaderboard is displayed and rewards are sent. We recommend waiting until the full public report is published before checking for leaderboard updates. \n\nYou can view the leaderboard at any time at https://code4rena.com/leaderboard/. If you want to change your profile icon on the leaderboard, you can request this change through the help desk at https://code4arena.com/help. \n\nRemember, achieving a high ranking on the leaderboard can enhance your ability to qualify for private contests. It's an excellent way to showcase your participation and achievements on Code4Arena.", "Q: Why can't I see a list of my submissions under the \"Your Findings\" tab on the contest page, and how can I edit, track, or withdraw my submissions?\n\nA: If you can't see your submissions under the \"Your Findings\" tab, it is possible that you may not be logged into your C4 user account. 
Once logged in, you can see, edit, track, or withdraw your submissions in the 'Findings' tab next to the contest description on the contest page.\n\nYou can edit your submitted findings by navigating to the contest page and clicking on the 'Your Findings' button. For example, in contests like Ethos Reserve, you can go to the contest page at https://code4rena.com/contests/2023-02-ethos-reserve-contest and click on the \"Your Findings\" button. You can add more findings or update your QA report by selecting the \"My findings\" option on the contest page.\n\nIf you realize something is a false positive after submission, you can retract the submission by going to the contest page and clicking the findings tab. Additionally, it's also possible to withdraw your findings from the contest through the same \"Your findings\" button.\n\nSubmissions are confirmed via email and can be viewed on the C4 Contest page under the \"Findings\" tab. You can also check the status of your report in your Analysis Report. However, please be aware that there have been instances where users have experienced issues when submitting findings, where they see 'No findings submitted for this contest' despite having submitted their findings. Also, please note that currently, findings of a contest cannot be viewed after it finishes but before the results are published. \n\nIf you have any further queries about your submissions, feel free to reach out in the chatroom. We aim to provide a seamless experience, but please bear with us if unexpected issues arise.", "Question: I've reported an issue on CodeArena, but it's not visible on the Issues page and it seems to have been overlooked. What is the best way to proceed?\n\nAnswer: It's important to note that after reporting an issue through the form provided on the CodeArena website, the reported issue may not be immediately visible in the Issues on the repo created for the audit. This might be due to potential GitHub issues. 
If you're uncertain about the severity of the reported issue, you can check your issue for the finding you sent directly on GitHub. If you encounter any discrepancies with your report, or have concerns about the lack of feedback on your bug submissions, you can create a help ticket for further assistance. \n\nFor those reporting a technical issue where the \"Create Issue\" button was not responding, this problem has been acknowledged and we recommend creating a help desk request for this as well. \n\nYou can also check your participation in an audit outside of the leaderboard showings by creating a help desk request explaining the issue. \n\nRemember, if you submitted an issue for a contest but did not make the award list, it is likely that your issues were rejected. You can confirm this by reviewing the available report on Github. \n\nFinally, please be aware that until the report goes live, the issues found cannot be seen by other participants. Therefore, it's recommended to review issues carefully before they are reported. \n\nKeep in mind that even if an issue is found by the bot race but another instance of that issue is not picked up by the bots, it is still valid to submit. \n\nFor additional context and information on submitting and reviewing issues, visit https://code423n4.com/reports.", "Q: I've reported an issue on CodeArena, how should I proceed? Do I need to send the link to the judge or lookout?\n\nA: Once an issue is reported on CodeArena, you don't need to send the link to the judge or lookout as they can view it directly. Instead, users are advised to include all pertinent information in their report and submit it for the judge to evaluate. If your Proof of Concept (PoC) for the issue is too large to embed directly in the issue, you can provide a link to it. This method is widely accepted and implemented by many wardens. 
However, if the issue is labeled as \"sponsor-disputed\" and no explanation is provided, you may check for duplicates and consult the judge after judging.\n\nIt's also important to note that you can include findings related to bot findings in your report, making it clear to the judge the relationship between the two. If you're uncertain about the severity of an issue or whether to submit something, it's recommended to submit it and let the judge make the final call. You can also ask the judge directly if you have any questions.\n\nIf you are uncertain about whether to submit findings as separate issues or as one, or how to report issues found in multiple places in the codebase, you may refer to this link for guidance: https://discord.com/channels/810916927919620096/810936719003090974/1134472653437145149. \n\nYou can check your submission status or report on Github. There are no negative consequences for accidentally reporting something that isn't an issue, although it's advisable to withdraw such reports to save the judges' time. Lastly, the severity of issues can be updated post-submission by judges at their discretion.", "Q: I submitted my application to become a certified warden with CodeArena, but I haven't received any email from Provenance yet. What should I do?\n\nA: Typically, Provenance responds to certified warden applications within 2-3 weeks, so your situation is not unusual. However, the email could have landed in your spam folder, so make sure to check there. The email will be sent from the address compliance@provenance.company. \n\nThe process for becoming a certified warden involves a Know Your Customer (KYC) process delegated to Provenance. Once this verification process is completed, the certification process usually takes a few more days to be reflected on your profile. \n\nIf you've been waiting longer than 3 weeks, there may have been an inconsistency in the application process. 
To apply, you should have completed the form at https://code4rena.com/certified-contributor-application. For more details on the process and any necessary documentation, visit https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nPlease note that the timeline for receiving a response can vary, and it can take a few days for your warden to be marked as certified, even after approval. In the meantime, continue checking your email (including the spam folder) for updates.", "Question: If I make changes to my Discord username or display name, how will this impact my CodeArena (C4) account?\n\nAnswer: If you update your Discord username or display name, it generally does not impact your CodeArena account. However, it's recommended that you update your new Discord handle in your profile on the site to maintain consistency. This is particularly important because your updated Discord username is used to tag you in award announcements. Note that changing your username doesn't affect receiving awards. \n\nHowever, changing your Discord username may have some impacts. For instance, if you change your username, your statuses may not carry over to the new account. Also, a change in your username could affect your account registration as a warden. In this case, you may need to reapply for certified status.\n\nPlease note that while you can update your Discord name on the Account Management page of your warden profile, your Discord nickname should ideally remain as your registered C4 username. This is because the usernames on CodeArena are currently immutable and cannot be changed, and some users have experienced a mismatch between their site username and Discord nickname. \n\nIf you wish to change other account details, like your Twitter username, you can do so by submitting a help desk request. 
However, changes such as account names and wallet logins as well as the creation of a second account with the same Github username, email address, and Discord username are not permitted. \n\nShould you wish to change your username on CodeArena itself, you may need to re-register your account. However, be aware that leaderboard standings and submissions under the previous handle will not be transferable to the new account. \n\nIn case of any queries, it's recommended to contact the C4 staff or submit your questions via the Help Desk for developer team review.", "Question: How can I log in to my CodeArena account and what should I do if I encounter issues?\n\nAnswer: To log in to your CodeArena account, you can use your email and password or your username and password credentials that you created when setting up your account. If you wish to change your login credentials, such as your username, you can do so by re-registering your account. However, please note that currently, there is no support for changing the login address on CodeArena. If your account has been compromised, you need to submit a help desk request with details and a mycrypto.com signed message.\n\nIf you encounter login issues, it could be because you are not using the correct wallet or email. Keep in mind that there are two types of wallets - a login wallet and a payment wallet. The login wallet is set up when creating the account, and the payment wallet can be updated in the profile. Instructions for changing the login wallet address can be found at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with\n\nIn some cases, you might see yourself as logged in, but the interface does not change. If you are experiencing any of these issues, or other problems with logging in, you can reach out to the #auth-help channel or direct message for assistance. 
The team also has the functionality to update the database to resolve any persistent login issues.", "Q: I'm having trouble logging into my CodeArena account. What should I do?\n\nA: If you're experiencing issues logging into your CodeArena account, there are a few steps you can try. \n\nFirstly, ensure you're using the correct wallet or email associated with your account. If you're attempting to log in with a Metamask wallet, make sure it is the correct one. You may also switch to using a username and password for your login.\n\nIf you're seeing issues where the system shows you as logged in, but the interface does not change, or if you're having trouble with the password reset function, these might be technical glitches that our team can help you resolve.\n\nUsers who have not accessed their CodeArena accounts for a long time might face additional issues. These could be related to specific contests, such as the 2022-11-looksrare-aggregator-contest (https://code4arena.com/contests/2022-11-looksrare-aggregator-contest).\n\nIf you're unable to resolve the issue, please contact our #auth-help channel for assistance. You may also send a direct message for assistance with account issues. If you're a team account user, you can open a help desk ticket at https://code4rena.com/help.\n\nLastly, if your wallet has been compromised, and you've had to change your payment address, this might result in issues logging in. In such cases, the compromised address should be removed from the login.\n\nPlease note that the company can update the database to resolve login issues, so don't hesitate to contact us if you require any assistance.", "Question: How can I update my Code4rena profile, including linking it to my Twitter account, changing my avatar, and updating my username?\n\nAnswer: You can make various updates to your Code4rena profile by submitting a help desk request. 
To link your Twitter account, change your avatar, or update your username, you need to provide specific details in your request. When linking your Twitter account, include your warden name and Twitter URL; for changing your avatar, include a link to your preferred picture; and for updating your username, provide your new desired username. All these requests can be made through the Code4rena help desk at https://code4rena.com/help. \n\nAdditionally, if your intention is to link your Twitter handle to the Code4rena leaderboard or to change a link with your username in the leaderboard or contest results, these can also be done via a help desk request. \n\nFor profile picture changes, a new feature has been introduced, but it still requires making a help desk request. If you wish to update your payment addresses, you can do so from your C4 account screen at https://code4rena.com/account. \n\nFor more detailed instructions on how to associate your Twitter handle with your CodeArena profile by making a pull request, you can follow the guide at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles. \n\nIf you have any further queries, you can direct message someone from Code4rena, or learn more about Code4rena and teams at https://docs.code4rena.com/.", "Question: When can I expect the results of my smart contract audit submission and how can I review the findings?\n\nAnswer: The timeline for publishing the results of a smart contract audit contest depends on the duration of the judging process. This could range from 2 to 6 weeks or even longer. The findings of the contest are kept private until the report is published. Once the report is live, the findings repository is made public and you can then review your submission. Please note that not all findings submitted for contests always make it to the final report, and the reasons may not be immediately known. 
In addition, findings are not shared with anyone, including the project team and judges until after the contest ends. For specific updates on ongoing or past project results, keep an eye on our website. Uncertainty exists due to the complex nature of auditing, variable judging periods, and ensuring the highest quality in our published reports.", "Q: How can I qualify and apply for backstage access at CodeArena, and when can I join?\n \nA: Gaining backstage access at CodeArena is based on several qualifications and is not granted automatically. To qualify, you should first be a certified contributor. This generally involves participation in at least three contests and having a certain number of findings. More specifically, you need at least three medium findings and four total findings. Participants that have one valid high rating or teams that have submitted 3+ medium findings that have been accepted also qualify for backstage access.\n\nOnce you meet these qualifications, you can apply for backstage access by submitting a help desk request. Applications are typically opened as soon as the results of a contest are published on the leaderboard, which usually happens shortly after the awards are announced. However, please be aware that the process for gaining backstage access is currently undergoing changes, and applications for backstage access have been temporarily suspended until further notice.\n\nBackstage access grants you the chance to aid in triaging and to view the findings repository after a contest ends. But note that findings of a contest cannot be viewed after it finishes but before the results are published. Participants are advised to wait for the report to be published and the findings repository to be made public to check on their submissions.\n\nMore information on the criteria for backstage access and the application process can be found on the [Code4Rena website](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). 
Please keep an eye on the official channels for updates on when backstage applications will be reopened.", "Question: How can I effectively reference specific lines of code on Github and include them in my CodeArena reports?\n\nAnswer:\nTo reference specific lines of code on GitHub, you can click on the line number on the left tab of your code, which will change the URL. If you want to capture a range of lines, simply hold down the SHIFT key while clicking on the code lines. Additionally, you can highlight a block of code by clicking on the starting line of code, then holding down CTRL + SHIFT and clicking on the last line to highlight it.\n\nWhen completing the 'Links to Affected Code' section of high/medium findings in your reports, you are recommended to add the GitHub permalink for the designated code block. This provides a direct and specific reference to the code in question.\n\nInclusion of code in your report can be done in two recommended ways: Providing the URL to the repository with the specific line number and a code block. However, remember that adding a link that points to a sponsor's GitHub repo code does not automatically pull in that code snippet to the report.\n\nIf you are including code blocks in your report, note that the reporting section supports Markdown (MD) format. Information on how to add code blocks in MD format can be found at this GitHub documentation link: [Creating and Highlighting Code Blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks). \n\nFor proof of concept, you can either add code directly to the report or link it from a private repository on Github, depending on the length of the code. More information on this can be found in our submission policy: [How to include a proof of concept](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept). 
\n\nFinally, always double-check your code references for accuracy. For instance, there could be discrepancies in the number of lines of code (LOC) mentioned in the README.md and the actual lines in the contract files. By ensuring your references are accurate, you maintain the integrity of your reports and findings.", "Question: How does payment work in CodeArena, and what are some important aspects I should understand about it?\n\nAnswer: In CodeArena, payment for audits, contests, and rewards are made in the cryptocurrency USDC (USD Coin) on the Polygon network. To receive these payments, you're encouraged to add your payment wallet to your account. A preferred choice for many is the Metamask wallet. Notably, there are two types of wallets: a login wallet set up when creating the account, and a payment wallet, which can be updated in your profile. \n\nOnce a submission is confirmed and reward amounts announced, you simply need to wait for it to arrive in your wallet. Payouts are linked to your Discord username and the specific wallet address you provided. You can verify your payout for vulnerability issues by checking the wallet address you registered with on polygonscan.com or wallet trackers like debank.com.\n\nIf you wish to transfer your awards to another wallet or exchange them for fiat currency, you might need Matic, another cryptocurrency, to pay for the gas of the transfer. It's also possible to withdraw your earnings and send them to other crypto trading platforms, such as Binance. However, remember that if you don't have the keys for a Binance address, you technically don't own the coins in it. \n\nPlease note that while you do not need to login with a wallet to participate in contests, a payment wallet is necessary to receive prizes. Also, it's important to know that not all tokens are fee-on-transfer, and our payment address is multisig and is likely to remain the same unless there are accounting issues. 
For specific audits like the arbitrum audit, you must become a Certified Contributor by completing KYC to receive payment. \n\nIt's worth noting that we've had discussions about alternative payment channels due to restrictions from certain countries, and we are continually exploring options. As of now, it's unclear which chains are accepted for payment from the sponsor side, whether just ETH L1 or other alt L1s/L2s. As a last resort, Binance P2P is suggested for crypto transactions. However, always be aware that addresses can change.", "Question: How does updating my Discord username affect my Code4Arena account and how can I make these updates?\n\nAnswer: Updating your Discord username can potentially impact your Code4Arena account and its associated roles. As a user, you can change your Discord username on the Account Management page of your warden profile. Please remember, however, that your Discord nickname should continue to be your registered C4 username. If you've changed your Discord username, you'll likely need to update it in your CodeArena account as well. It's crucial to note that having an updated Discord username linked to your CodeArena account helps ensure you can be tagged for award announcements, but it does not affect the process of receiving awards. If you're experiencing any issues with this process, issues can be addressed in the #auth-help channel on our Discord server or you can direct message the C4 staff members for further assistance. Any changes in your Discord handle might affect your warden role, so it's advisable to keep your handles updated and submit any related queries via the Help Desk for developer team review. 
Here are the links for reference: [Account Management Page](https://code4arena.com/account), [Help Desk](https://code4arena.com/help), and [Discord server](https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490).", "Question: What are the requirements and process to gain backstage access at CodeArena, particularly after participating in contests and having certain findings?\n\nAnswer: Backstage access at CodeArena is granted based on several criteria, including your role as a certified contributor, your participation in contests, and the number of your findings. To qualify, you need to have at least three medium findings and four total findings. Additionally, you can meet the requirement for backstage access by participating in a minimum of three contests. \n\nYou can apply for backstage access as soon as the contest results are published on the leaderboard, which generally happens shortly after the awards are announced. However, please note that backstage access applications could be suspended at times.\n\nRemember, being a certified contributor does not automatically grant you access to the previously participated contest in progress judging repository. You need backstage access for that. Certified contributors have done KYC and can participate in private contests, while backstage requires certified status and minimum requirements of submissions to access the contest repo post-closure and pre-public report release.\n\nTo apply for backstage access, you first need to become a certified contributor. More information about becoming a certified contributor and about the backstage access can be found at https://docs.code4rena.com/roles/certified-contributors and https://docs.code4rena.com/roles/certified-contributors/backstage-wardens respectively.\n\nOnce you meet the qualifications based on published contest results, you can submit a help desk request to gain access to backstage. 
If a team submits 3+ medium findings and they are accepted, all members become eligible for the backstage role. \n\nFor backstage+ access, you need a high finding or 3 medium findings. However, these findings should be public for the role to be received. \n\nPlease note that backstage access allows you to discuss your findings and gain access to findings repo when a contest ends. It can also be obtained if a participant has identified their first high vulnerability. To confirm your eligibility, you can submit a help desk request.", "Question: Can you clarify the purpose and function of the #\ud83d\udd06hm channel in the CodeArena Discord chat?\n\nAnswer: Based on observations from the chat, the purpose of the #\ud83d\udd06hm channel within the CodeArena Discord chat remains largely undefined, with no clear association with contest findings or any other specific functionality. It seems to not be directly related to the contests, nor does it function as a space for profile assistance or for smart contracts education, both of which have their own designated channels (#profile-help and #\ud83c\udfebeducation, respectively). As the context suggests HM could refer to a high medium level, it's possible this channel could be related to that, though we can't confirm this without more information. Other channels like #\u270brsvp for upcoming public audits and contests, #\ud83d\udcbci-want-c4-to-audit-our-code for sponsorship interest, and #auth-help for login issues serve specific purposes. Please keep in mind that each contest has a separate channel for general questions, and sponsor team members are available for queries via Direct Message (DM). 
For specific queries, the best option recommended is to reach out through the respective contest channel within the Discord chat.", "Question: What is the process to withdraw a finding at CodeArena, and are there any consequences of submitting a report that turns out not to be an issue?\n\nAnswer: Withdrawing a finding at CodeArena is equivalent to canceling it. This can be done under the \"your findings\" section on the contest page. You may cancel a submission and create another one if you wish to edit or replace your submitted reports. The process to withdraw a finding is also available in the CodeArena documentation. \n\nIf you realize a submission is a false positive after submission, you can retract it using the same method. There are no negative consequences for submitting a report that you later realize is not an issue, although it's recommended to withdraw such reports to save the judges' time. When a report is withdrawn, it is marked as such and then closed. However, if your finding was disputed by the sponsor as \"won't fix\" but turns out to be a valid one, you will still receive a reward.\n\nIf you need to withdraw a submission, you can also directly message the moderators or an administrator. After submitting a finding, participants can expect a follow-up and should receive a confirmation email. There are queries on how to know the reasons for finding rejections, which are provided in some form. However, users have also sought clarity on what happens when their proposed mitigations are disagreed with by the judge and sponsor. \n\nPlease note, it is important to follow the guidelines provided by CodeArena before submitting a finding, and to be sure before you withdraw a submission.", "Question: Can I submit my Rust code base to CodeArena and participate in Rust-contests?\n\nAnswer: Yes, you can submit a Rust code base to CodeArena. We have performed audits with a Rust focus and are considering the possibility of hosting Rust contests in the future. 
As a participant, if you think you've found something and want to ask questions, you can reach out to the sponsor team during the contest. If you discover a vulnerability, you can disclose it to the team, but remember to submit it via the contest submission form or it won't be eligible for awards. \n\nYou can submit your findings through the Code4Arena interface, where a markdown template is proposed for your convenience. The submission form accepts Markdown to format your text. If you encounter any issues while submitting, you can submit a help request at [https://code4rena.com/help](https://code4rena.com/help). Help requests can also be forwarded to submissions@code4rena.com under certain circumstances.\n\nFor multiple findings, refer to our official documentation at [https://docs.code4rena.com/](https://docs.code4rena.com/) for best practices. You can also review the audit contest reports at [https://code4rena.com/reports](https://code4rena.com/reports). If you're interested in becoming a certified contributor, you can apply at [https://code4rena.com/certified-contributor-application](https://code4rena.com/certified-contributor-application). \n\nKeep an eye on our website for the possibility of future Rust contests. If you're new and want to sign up, you can check [https://code4rena.com](https://code4rena.com). Remember, the Code4rena staff is always there to assist you, from editing your submissions to resolving your help tickets.", "Question: How can I track the progress and schedule of the final report as a contestant of a CodeArena contest?\n\nAnswer: As a contestant in a CodeArena contest, you have access to several features to track the progress and schedule of the final report. After a contest ends, the review process for findings begins immediately, which involves a sponsor review, judge review, sponsor confirmation, and the judge's final report. This process could take at least a month, and the exact duration is unspecified. 
During this period, your submissions will be reviewed and triaged, but they are not made public until after the sponsor review and final judging. \n\nYou can monitor the progress of the report via the public report page, which gets updated mid-contest and once the final report has been published. Reports or findings from the contest will be published and can be accessed by participants. You could also view reports from other wardens after contests have ended. \n\nYou can check all the reports you submitted during the contest in the \"findings\" tab next to the contest description and track their status. You will also receive confirmation via email. However, if you wish to see the reasons for the rejection of your findings, you need to wait for the report to be published and the findings repo to be made public. \n\nIt's recommended to wait until the full public report is published before doing a write-up of some issue or bug found on a project. The leaderboard and rewards are usually sent out before the final report becomes available on the C4 site. \n\nRemember, findings submitted for contests may not always make it to the final report, and the reason might not be immediately known. Projects do receive access to submitted findings before the contest completion but the sponsors may not have access to the findings repo before the contest ends. \n\nOnce the report is published and the findings repo is made public, you can review all submissions from the contest, and see the discussion among sponsors and judges on the specific issue. This allows you to understand why certain findings were accepted or rejected. 
\n\nPlease note, these processes are subject to changes and it's always best to check the most current guidelines on the CodeArena website.", "Question: Has CodeArena considered alternative payment methods to USDC, given the difficulties some participants face in converting cryptocurrency to fiat currency in certain countries?\n\nAnswer: Yes, alternative payment methods, including paying in fiat (USD) instead of cryptocurrency (USDC), have been considered by CodeArena. This idea was born out of the need to assist participants experiencing challenges in converting cryptocurrency to fiat due to restrictions in their countries. As an interim measure, participants are encouraged to explore other options for exchanging cryptocurrency to fiat, such as using crypto-friendly platforms like Revolut and ZEN. Additionally, platforms like Coinbase and Binance were suggested for conversions or exchanges, as well as the Ethereum bridge for sending to different addresses. For example, USDC rewards received on Coinbase can be converted into BTC. You can also deposit USDC into Coinbase from Polygon. However, it's important to note that transferring awards to another wallet may require Matic, another type of cryptocurrency. As we continue to explore solutions, alternative payment channels to crypto are under discussion. It's also vital to be aware of potential issues with USDC as outlined in this shared article: [https://taibbi.substack.com/p/the-financial-bubble-era-comes-full?utm_source=substack&%3Butm_campaign=post_embed&%3Butm_medium=email&utm_medium=email](https://taibbi.substack.com/p/the-financial-bubble-era-comes-full?utm_source=substack&%3Butm_campaign=post_embed&%3Butm_medium=email&utm_medium=email) As crypto-market dynamics evolve, it's critical to stay updated on potential shifts in stablecoin valuation or usage. 
Please note, payments are currently made in USDC on the Polygon network, and participants are encouraged to add their payment wallets to their account.\n", "Question: How can I communicate with the C4 staff or ask for help?\n\nAnswer: There are several ways you can communicate with the CodeArena (C4) staff or ask for help. Firstly, you can direct message (DM) a C4 staff member for assistance with account issues or specific questions - this is also applicable to sponsor team members during a contest. Each contest usually has a dedicated channel where general questions can be asked. If you have issues accessing your account or the C4 website, you can use the #auth-help channel on our Discord server.\n\nFor more formal inquiries or for tasks like updating your profile photo, changing your Twitter username, linking your C4 handle with your Twitter handle, or applying for a backstage role, you can create a help desk request on our website: https://code4rena.com/help. It's also possible to update your submissions by direct messaging identified individuals.\n\nIf you have questions related to certified wardens' process, FairSide, or you want to share your experience with C4 as part of the warden outreach, you can direct these inquiries to Code4rena. However, please note that we respect privacy: emails and GitHub usernames of the wardens won't be listed publicly by C4. Wardens will be part of a permissions group/team on GitHub, allowing them to access private repos, and they can decide whether or not to make their membership public. \n\nWe encourage direct communication and personal contact in our community to ensure a high level of trust in C4 staff and projects. Remember, we're here to help and support!", "Question: Has the UNA at CodeArena considered sending USD (fiat) to participants instead of USDC? 
What are the implications and feasibility of this?\n\nAnswer: Yes, the UNA at CodeArena has considered sending USD (fiat) to participants instead of USDC, especially to aid participants from countries that experience difficulties in converting cryptocurrencies to fiat. This is in response to several discussions about alternative payment channels to crypto due to restrictions from certain countries. \n\nThough the feasibility of this is not fully clear, participants are currently encouraged to explore other options for exchanging to fiat currency. USDC can be deposited into Coinbase from Polygon and can be converted into BTC. If a report is accepted, USDC will start flowing into the contributor's wallet. There have been questions raised about various aspects of using USDC including how to send ether with the constructor while deploying a contract in Foundry, how to proceed when the team payout address is a smart contract, and concerns related to the potential risks of depositing funds in an uninitialized contract. \n\nThere have been some concerns raised about USDC, as detailed in this article: https://taibbi.substack.com/p/the-financial-bubble-era-comes-full?utm_source=substack&%3Butm_campaign=post_embed&%3Butm_medium=email&utm_medium=email\n\nIt should be noted that there's the possibility of needing Matic, another cryptocurrency, to transfer awards to another wallet. Additionally, it was not specified which chains are accepted for payment from the sponsor side, whether just ETH L1 or other alt L1s/L2s. \n\nThe company also encourages participants to add their payment wallets to their account. The rewards distribution process is not immediate due to the use of multisignature wallets which require signatures from multiple parties before funds can be released. However, the company aims to distribute awards via smart contract once more pieces are in place. 
\n\nPlease note that this is a topic of ongoing discussion and more detailed information will be provided as decisions are made.", "Question: How is the severity of a smart contract vulnerability that causes a function call to always revert but doesn't put assets at risk classified?\n\nAnswer: The severity of a vulnerability in a smart contract that causes a function call to always revert, without putting assets at risk, can be classified either as Medium or High, depending on the context. High severity issues typically involve substantial fund loss or other severe consequences that don't require pre-conditions. Medium severity issues usually have a lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness. \n\nIf the vulnerability breaks the protocol but doesn't result in funds stolen, it can still be high-risk. If it affects an end-user in a rare situation it's a medium severity issue, but if it locks all the protocol assets it's a high severity. If the loss of rewards is considered a \"loss of assets\", the categorization as high or medium risk depends on external conditions or attack difficulty. \n\nHowever, not all findings that involve reentrancy protection or the transfer of ERC20 tokens can be classified as medium or high. Unless there is a clear explanation of the exploit path, such a finding may not be eligible for medium or high categorization and could be downgraded to QA.\n\nIn the case of 'on the fence' vulnerabilities, the classification of severity remains a topic of discussion with no definitive answer. Users often rely on experience and a balance of consequence and likelihood to make these determinations.\n\nLastly, it's important to note that misclassifying a bug's severity in a submission does not necessarily result in a loss of rewards. If a High severity bug turns out to be only Medium, the reward for a Medium bug is still received. 
For more information on the reward calculation, you can visit: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs", "Question: What solutions are available for people in India and Israel to convert crypto to fiat given the prevalent banking restrictions?\n\nAnswer: As banking restrictions regarding the conversion of crypto to fiat can pose challenges in countries like India and Israel, there are a few alternative solutions. The United Nations Association (UNA) has considered sending USD (fiat) to participants in place of USDC, a type of stablecoin, to help facilitate fiat transactions. Crypto-friendly platforms like Revolut and ZEN have also been suggested for more ease in handling crypto to fiat exchanges. Binance P2P is often suggested as a last resort for such exchanges due to concerns over official entities flagging accounts leading to bank account freezes. However, it's crucial to remember that due to \"Know Your Customer\" (KYC) regulations, there might be delays in the process of setting up these accounts. Always ensure to research each platform thoroughly before use to avoid any potential issues.", "Question: How should I effectively raise and report 'Lookout' category of findings when auditing a codebase in a Code4Arena contest?\n\nAnswer: When auditing a codebase in a Code4Arena contest, 'Lookout' category of findings should be included in your QA report. Use a detailed Medium finding format to document your findings, which includes the impact, a Proof of Concept (POC), and mitigation strategies. \n\nThe 'Lookout' category findings could potentially be escalated to a higher severity during the review stage by a judge if they determine that it is warranted. 
You can refer to the submission policy for more information about automated findings and the judging criteria, which can be found here: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.\n\nFor a better chance at winning a Code4Arena contest, both high quantity and high-quality reports are encouraged. You can check out an example of a winning report at https://code4rena.com/reports/2022-09-artgoblers#low-risk-and-non-critical-issues for a better understanding of what constitutes high-quality reporting. \n\nRemember to always read the README.md for each contest, as it outlines what's in scope for auditing and what's not. If the same vulnerability appears in multiple code components, it may count as separate findings; however, this is ultimately the judge's call to determine if they're duplicates. \n\nIn case you discover a high or medium severity vulnerability a few days after the contest ends, it is recommended to report it to the development team through responsible disclosure, though it would likely not be awarded by C4 outside the contest timeframe. \n\nLastly, if you are an auditor looking to improve your skills, it might be beneficial to read previous reports, audit different codebases, and stay persistent. Automated tools can also be used to find potential issues in the code, but they must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory.\n\nRemember, Code4Arena operates on the mantra \"More auditors, more findings,\" as highlighted by Sebastian Banescu from Quantstamp in his talk: https://www.youtube.com/watch?v=O1rKwDv5kLQ. Happy auditing!", "Question: How are analysis awards distributed at CodeArena?\n\nAnswer: The process for distributing analysis awards at CodeArena is multi-faceted. Every participant can submit their analysis for contests. 
Based on the quality and relevance of these submissions, awards are calculated, details of which can be found in the Guidelines here: [Analyses Guidelines](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118). The awards for the contests are then announced separately from the disbursement of funds. \n\nPost announcement, the awards are then manually sent out in batches for multiple contests at a time, usually within 1-2 weeks, to the user's registered wallet address. Each participating team has the discretion to split their portion of a contest's reward amongst themselves. \n\nThe total award for the analysis reports stands at $4,250 USDC. However, if no Medium/High vulnerabilities are found, the full award pool would be divided based on the QA Report curve. It should be noted that non-critical findings do not share in the award pot. \n\nFor detailed information on how the Analysis report works and what needs to be filled in it, please refer to [this link](https://docs.code4rena.com/awarding/judging-criteria#analysis). And for general information on awards, visit [this link](https://docs.code4rena.com/incentive-model-and-awards).\n\nThe community has suggested, and CodeArena is working on, improving the clarity of the awards announcement and distribution process. Changes to the award calculation process are also being planned based on user feedback and observations from initial contests. Please note, the specifics of the awarding calculations, such as the effect of duplicate reports on the payout or the rewarding formula in terms of findings count and partial credits, are still under review and might be subject to change. 
\n\nParticipants can check the announcement channel for updates on distribution, and the leaderboard will be updated when awards are announced, providing a competitive and transparent process for all involved.", "Question: How can I include images in my report submissions for CodeArena and what platforms can I use to write my reports?\n\nAnswer: You can include images in your report submissions for CodeArena by following a few steps. First, write your report in markdown format, as our submission form supports this syntax. You can use platforms like Github, Joplin, VSCode, Notion, etc. to write these reports, provided they support markdown. \n\nTo add an image, upload it to Gist and submit the report with the gist link. You can delete your Gist later if you wish. Alternatively, you can upload an image by registering a free account on https://cloudinary.com/, then copying the image URL. You can also embed images in your report using Markdown. More on adding images to markdown can be found [here](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images) and [here](https://www.markdownguide.org/basic-syntax/#images-1).\n\nIf the Proof of Concept (PoC) for an issue is too large to be embedded directly in the issue, you can provide a gist link. Long proofs of concept (POC) can also be submitted using external platforms like Gist. If you're using GitHub to submit a \"Proof of Concept\", you don't have to make the repository public. Instead, a private gist can be used to avoid exposing vulnerabilities to the public.\n\nRemember, the Markdown Renderer on our site may not display formatting accurately, so viewing the code on Gist is recommended for better formatting. 
Also, if you have large text or issues that don't fit in the textbox on the help desk site, you can link a gist.\n\nPlease note that while it is possible to include an image in a report, it is suggested not to import screenshots in submissions but to paste gas report directly. For issues with image submission guidelines, they can be resolved by rendering the image correctly in another place like GitHub.", "Question: What is the largest contest in terms of Source Lines of Code (SLOC) at CodeArena (C4)?\n\nAnswer: The information about the specific largest contest in terms of Source Lines of Code (SLOC) is not explicitly provided in the chat observations. However, it is mentioned that there was a contest involving over 12k SLOC, and concerns were raised about the limited duration (20 days) for the audit of a project named Maia, which has 12K Source Lines of Code (SLOC). \n\nSLOC, as used in the context of this discussion, stands for \"Source Lines of Code\", which is the number of Lines of Code minus the number of lines that are comments. This indicates the size and complexity of a contract to be audited in a contest. The tool 'cloc' is used to calculate LOC (Lines of Code). \n\nIt's important to note that the duration of contests is not directly proportional to the size of the source code (SLOC). For instance, Code4rena contests are generally shorter than Sherlock contests because they tend to achieve high-quality results even with a smaller auditor participation. \n\nCodeArena conducts contests for auditing and analyzing smart contracts, which are often compared to bug bounty programs. The bugs found during a contest are judged by a C4 judge and the rules are decided by Certora. The cumulative results, including the largest contests, can be viewed on the leaderboard at https://code423n4.com/leaderboard/.\n\nYou can explore more about upcoming and past contests at https://code4rena.com/. 
If you find any discrepancies in the SLOC count for a contest, you can raise the issue as it was done for a contest on https://code4rena.com/contests/2023-08-arbitrum-foundation#top. \n\nFor additional information related to contests and comparison between bug bounties and C4 audit contests, you can visit: https://docs.code4rena.com/.", "Question: How can I submit an image within my smart contract audit report at Code4Arena?\n\nAnswer: To submit an image with your report at Code4Arena, you can use the syntax provided in the markdown guide, which can be found here: [Markdown Guide](https://www.markdownguide.org/basic-syntax/#images-1). \n\nThere are a few other methods you can use for image submission. If you're dealing with issues regarding the image guidelines, rendering the image correctly in a platform like GitHub may help. Alternatively, you can upload your image to your Gist, submit your report including the link to this Gist, and then delete the Gist after the submission. You can also register a free account on [Cloudinary](https://cloudinary.com/), upload your image there and then copy the image URL to your report. \n\nPlease note, in addition to images, the submission may also contain proofs of concept, for which instructions can be found here: [Proof of Concept Instructions](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept). \n\nFor any other submission-related queries, you can refer to the Code4Arena's submission policy: [Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy). Keep in mind that a new submission mechanism is expected to be implemented for upcoming contests. 
If you're submitting a report for the first time and unsure about the submission status, remember, you can always submit a help desk request for any issues during the submission process.", "Question: What happens to the reward distribution if a bot finds a high or medium vulnerability and how does it vary with the number of vulnerabilities found, their severity, and the accuracy of findings?\n\nAnswer: The reward a bot receives for finding a high or medium vulnerability is not considered unique, and it does not share the total reward pool. Instead, the bot pool reward is determined based on the bot's rank in the bot race. The bot can increase its rewards by having more points which would shift the rank cutoffs, thereby lowering the ranks of others. \n\nIf a bot discovers a unique high or medium vulnerability that is included in the audit report, it receives a 30% share bonus. The amount of reward for each medium/high risk finding can be determined using the formula provided at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. In scenarios where multiple people, including team members, identify a gas optimization, the reward split can similarly be calculated using a formula available on the same link. \n\nIn the event where no high or medium vulnerabilities are found, the entire award pool would be distributed based on the Quality Assurance Report curve. This scenario is relatively rare, as there have only been a few contests without high vulnerabilities and no contest without a medium vulnerability. \n\nThere is no difference in payout between the first to find a bug and anyone else who finds the same bug. If a team submits a non-duplicate finding, the team receives more rewards than if they had individually submitted the same finding. 
However, if a participant escalates a low severity finding to high, the criteria for judging such cases is explained at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. \n\nIf a participant misclassifies a bug's severity, they still receive a reward. For instance, if they submit a high severity bug that turns out to be only medium, they will still receive a reward for a medium bug. Similarly, if a submitted high-risk finding is judged as low risk, they will still receive a reward, and vice versa.", "Question: What do the emojis signify that are attached to certain smart contracts in the CodeArena repositories, such as Lybra finance repo?\n\nAnswer: The emojis used in CodeArena repositories serve the purpose of identifying contracts that are out of scope for a particular bounty program. For instance, in the Lybra finance repo, you may notice emojis next to certain files like \"FloatCapital_v0.sol\", \"Treasury_v0.sol\" and \"oracles/\". These files are not in scope for the bounty program. If you see these emojis and are unsure of their meaning, you can hover over them with your mouse to get a brief description. However, as always, it's recommended to read the README.md file for each contest as it outlines what is in scope and what is not. The README.md should also provide clarity if there's any discrepancy between the number of lines of code (LOC) mentioned and the actual lines in the contract files.", "Question: After MAIADao, which contest in CodeArena had the largest volume of Source Lines of Code (SLOC)?\n\nAnswer: It's difficult to definitively state which contest had the next largest volume of SLOC after the MAIADao contest. However, you can track the various contests and their SLOC counts via the CodeArena website. Do note that the duration of the contests is not directly proportional to the size of the source code. For example, the Maia project, which had 12K SLOC, had an audit duration of 20 days. 
The contests generally vary in length and complexity, with some posing challenges to judges due to the complexity of the code. Additionally, the SLOC count may vary due to how Lines of Code (LOC) are determined across contests, thus a suggestion has been made to standardize LOC counts to avoid confusion. As a participant, it's also important to note that high-quality and high-quantity reports tend to win in CodeArena contests. \n\nYou can view information about past contests, including SLOC counts and results at https://code4rena.com/contests/2023-08-arbitrum-foundation#top and https://code423n4.com/leaderboard/. The cumulative results from the first two contests can be viewed on the leaderboard. \n\nFor more detailed information about how to create winning reports, you can refer to this example: https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues. \n\nRemember, you can ask questions about SLOC and other contest details directly in CodeArena's Discord chatroom.", "Question: How do I upload and embed an image in my report submission on Code4rena using Markdown?\n\nAnswer: To include an image in your report submission for Code4rena, you will have to use Markdown syntax. The Code4rena submission form supports markdown and images can be added to it. There are two primary ways to do it:\n\n1. You can upload your image to a Gist. To do this, you need to submit your report with the Gist link and then delete your Gist after submission. \n\n2. Alternatively, you can also use an image hosting service like Cloudinary. After registering a free account on https://cloudinary.com/, you can upload your image and copy the image URL. Then, you can use this URL to embed the image in your report.\n\nYour images can be embedded in the report using the following Markdown syntax: `![Image Description](Image URL)`. Please refer to this guide for more details: https://www.markdownguide.org/basic-syntax/#images-1. 
\n\nIn addition to this, you can also include code in your submission using Markdown. For instance, code can be formatted using backticks (`). The guide to adding code blocks can be found here: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.\n\nRemember that the tool you use to write your report, such as Github, Joplin, VSCode, or Notion, must support markdown. If your report is larger than ~65k characters due to Github's max character limit for issue descriptions, you can email your submission to submissions@code423n4.com.\n\nLastly, some users have suggested creating an issue on a private repo, dropping images there, and grabbing the markdown snippet with the CDN URL, or submitting a zip file of a private GitHub repo. However, these methods are not officially documented.", "Question: \nCan you provide an overview of the timeline and process for the announcement, distribution, and payout of contest awards at CodeArena, particularly the Stader Labs contest?\n\nAnswer: \nThe timeline and process for award announcements, distribution, and payouts for CodeArena contests, including the Stader Labs contest, typically follow a specific pattern. After a contest ends, the review process begins promptly, which includes sponsor review, judge review, sponsor confirmation, and judge's final report. The results are usually announced a couple of weeks after the contest ends, but this can take from 2 weeks to over 2 months, depending on the time taken for judging.\n\nOnce the contest results are announced, the awards list is published in the announcements channel on our Discord and posted in the contest channel. Contestants can also find a leaderboard for the participants. If you participated in the contest, you can inquire about the progress and schedule of final reports.\n\nThe process of distributing awards typically starts 1-2 weeks after the announcement. 
The awards are sent out manually, usually in batches spanning multiple contests. The signatures for the award distribution are generally rounded up in a standing Monday meeting, so any announced awards should usually get processed on Monday or Tuesday.\n\nLastly, payouts for contest awards are usually made between 1-2 weeks after the announcement. The rewards for the contest will be distributed manually in batches by CodeArena. Please note, the team aims to process awards much faster and has a goal to process a list of awards by the end of the week.\n\nPlease note, this timeline can change due to various factors, so please stay tuned to our announcements channel for the most accurate and recent information.", "Question: How does the process work once a contest at CodeArena has concluded?\n\nAnswer: Once a contest has ended at CodeArena, the findings from the contest are confirmed and discussed. This is followed by the submission of reports which are reviewed by sponsors soon after the contest ends and then sent to judging. Please note that report submissions can be updated as long as the contest has not ended. Once a contest has ended, submissions for it cannot be amended. Additionally, contestants can edit their submissions until the contest's conclusion.\n\nResults of the contest are posted in the contest channel once judging is complete. However, it's important to note that the findings of a contest cannot be viewed after it finishes but before the results are published. The number of wardens participating in a contest is also disclosed only after the contest ends.\n\nThe \"Past Contest Status Updates\" section provides a timeline of where contests are currently in the process. The order in this section represents the progression of the contest. \n\nThere may be some delay in reward distribution, as seen in cases where some of the rewards are pending after the contest has finished. 
This is due to several contests pending and some having been fully judged but awards still need to be calculated. Changes to the award calculation process are currently underway.\n\nFor more information, you can refer to the next scheduled contest, ongoing judgings, and the anticipated future contests, featured in the respective sections of the platform. For example, the next public contest was scheduled to begin on February 16th. \n\nAny potential changes, such as the development team considering to indicate the number of participants in a given contest or changing the leaderboard from tracking the last number of days to the last number of contests, will be communicated accordingly.", "Question: How can I modify or update my submitted findings in CodeArena's smart contract auditing contest?\n\nAnswer: If the audit contest is still open, you certainly can modify or update your submitted findings. To do this, navigate to the contest page. On this page, you'll find a button labeled \"Your Findings\". Clicking this allows you to access and edit your existing submissions. For instance, you might be auditing a contract and find new evidence that changes the severity of the issue, or even spot a different issue in a different instance of your initial finding. In such cases, visit the contest page, e.g., https://code4rena.com/contests/2023-02-ethos-reserve-contest, and click the \"Your Findings\" button to make necessary amendments.\n\nYou can also withdraw your submitted findings and resubmit a new one if needed. However, please note that if the audit has already ended, you won't have the opportunity to make an update. If you're unsure about a submission or its classification between QA and Medium for instance, you can still submit it. The judges will evaluate it after the contest ends and may upgrade its severity level if they find it necessary.\n\nRemember, you can expect a follow-up after your submission. 
Also, keep an eye on your email for a notification about the success of your report submission. If you face any issues related to submitting or loading your findings, feel free to submit a helpdesk request with all the necessary information before the contest closes.", "Question: Does the uniqueness of Low issues factor into their ranking or grading in CodeArena's audits?\n\nAnswer: No, the uniqueness of Low issues was once a ranking factor, but it is no longer relevant. Low issues, often referred to in the context of Quality Assurance (QA) reports, are graded based on their number, but not their uniqueness. For instance, two A-graded QA reports, one with 2-3 low findings and another with 5-6 low findings, would receive the same award. It is important to note that the platform advises against submitting a high volume of low-quality reports, defining low quality as having no clear explanation or path to the finding. To be considered high-quality, the grading criteria for submissions include: correct identification of the highest severity impact of the bug, making a case for the severity and validity chosen with evidence, and clear and understandable writing. For more details on this policy, you can refer to https://github.com/code-423n4/org/discussions/34. \n\nWhile a report can include both high severity and medium/low severity issues, the most effort should be put into high severity issues. In case the same vulnerability is found in multiple components of the codebase, it could count as separate findings, but this decision ultimately lies with the judges. There is also a provision to escalate a low severity finding to a high severity, however, such cases require strong evidence to demonstrate a relevant exploit path of high or medium severity. The policy for automated findings is explained at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. 
\n\nFor more on the criteria for low, medium, and high severity issues, refer to https://docs.code4rena.com/awarding/judging-criteria/severity-categorization.", "Question: I encountered some issues when trying to make a submission on CodeArena. What are some common issues and how can I troubleshoot them?\n\nAnswer: A variety of issues have been reported when making submissions on CodeArena. These include difficulties in uploading images for report submissions, problems with adding members to teams, and errors related to browser compatibility. Additionally, users have reported issues when trying to submit their findings for specific contests like the Caviar contest and the GoGoPool contest.\n\nHere are few suggestions that might help you troubleshoot:\n\n1. Image Submission: To submit an image, try rendering it correctly in another place like GitHub. You can also upload images to your report submissions by uploading it to your Gist, submitting the report with the gist link, and later deleting your gist. Check the image submission guidelines for more information.\n\n2. Browser Compatibility: If you're facing issues with submitting findings through Firefox or Chrome, try clearing your local storage or switch to a different browser.\n\n3. Team Addition: If you're facing difficulties in adding members to your team, ensure that you've passed all the necessary checks in the team creation process.\n\n4. Report Update: In case of difficulties while updating your report, you may want to try refreshing the page or changing browsers.\n\n5. Size Limitation: Some users have experienced errors when trying to make submissions, suggesting there might be a potential size limit on submissions. If you're submitting a large file, consider compressing it into a smaller format or providing a link to a hosted version.\n\n6. API Limitations: If you're receiving an error message that says \"API rate limit exceeded,\" this could be due to API limitations. 
Waiting for some time before making another submission might help resolve this issue.\n\n7. User Permission: It's important that you have the necessary permissions to make a submission. If you're facing a 'Permission denied' issue, ensure you're registered as a warden.\n\n8. GitHub Repositories: If you're having trouble with GitHub repositories, such as getting the 'maple-core repository' running, ensure you have the right permissions (publickey). In case you're unable to access specific resource links like [https://github.com/code-423n4/2023-07-axelar-findings](https://github.com/code-423n4/2023-07-axelar-findings), check your permissions or request to be added to the necessary group on GitHub.\n\nIf the issue persists, please report it in our Discord chatroom for further assistance.", "Question: How are QA reports evaluated at CodeArena, and how does the number of low findings affect the grading and potential reward?\n\nAnswer: At CodeArena, Quality Assurance (QA) reports are evaluated considering both the quantity and quality of findings. Reports with a grade \"A\" can have different numbers of low findings, but they would receive the same award. For instance, a report with 2-3 low findings and another with 5-6 low findings would both be graded \"A\" and receive the same award. \n\nHowever, it's important to note that judges look at more than just the number of low findings when grading. They consider the quality of each submission, and a single low finding in a QA report is unlikely to receive a high grade. Furthermore, the severity of a finding can also influence the grading. If a finding is initially classified as low in a QA report, but the judges determine that its severity is medium, it will be eligible for medium rewards. On the other hand, if a finding is incorrect, it can affect the QA grade negatively. 
\n\nGrades are assigned based on a relative score compared to other reports, and the rewards are given according to judges' scores, with duplicates being disregarded. For a better understanding of the grading and awarding system, you can refer to these resources: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). \n\nIn summary, while the number of low findings does play a role in the evaluation of QA reports, the quality and severity of those findings are equally, if not more, important in determining the final grade and reward.\n", "Q: What are the implications of misclassifying the severity of a finding in my report? For instance, if I classify a finding as Low, but it's actually Medium or High?\n\nA: At CodeArena, the severity of the issues found during a smart contract audit is typically categorized into High, Medium, Low, or QA. Misclassifying the severity of an issue in your report does have implications. If you incorrectly classify a finding as Medium when it's actually High, the judges at CodeArena have the discretion to upgrade the severity of the issue unless there's a compelling reason to penalize your report, such as it lacking detail or being inaccurate. \n\nConversely, if a High severity bug is misclassified as Medium, you will still receive the reward for a Medium bug. If you submit a finding as Low (in the QA report) but the judges determine it's Medium, your finding will be eligible for Medium rewards. \n\nIt's important to note that the severity of an issue is determined by a balance of consequence and likelihood. High severity issues generally involve substantial loss of funds or other severe consequences and don't require preconditions. 
Medium severity issues typically have less impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness. \n\nYou can also submit a finding in both Medium and Gas findings if the issue is of medium severity and affects gas. Precision-loss issues can be submitted as Medium if the damage caused justifies it. \n\nYou can refer to [Code4rena's judging criteria](https://docs.code4rena.com/awarding/judging-criteria/severity-categorization) for a detailed understanding of severity categorization and [submission policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues) for more information. It's always recommended to provide a strong evidence and a good explanation of your finding, regardless of the severity classification.\n\nRemember, it's not just about correctly classifying the severity, but also about providing a comprehensive and accurate report. Misclassifications do happen, and it's through experience and understanding of the criteria that you can improve your accuracy. Misclassifications don't always result in penalties, but they could impact the rewards you receive.", "Question: I am trying to get CodeArena certified, but I'm having issues with my proof of address verification since I live with my parents and don't have utility bills in my name. I have provided my national identity card but it's not working. Can you suggest any alternative ways for me to verify my address?\n\nAnswer: It seems that you're having issues with the Know Your Customer (KYC) verification process, an important step in becoming a certified warden at CodeArena. While a proof of residence is often required, our members have shared that they've been able to complete the process using a photo ID and a selfie. 
Other acceptable forms of identity documents could be a driving license or a passport, not necessarily requiring a proof of residence.\n\nAdditionally, if you don't have a passport, a National Identification Card could be an acceptable form of identification, as some of our users have completed the process using such. For digital nomads, bank account details and other forms of proof of residence have been successfully used as well.\n\nIf you're still having trouble with the verification process, please contact us via our help desk form at https://code4rena.com/help. This way, we can assist you directly and answer any specific queries you may have about the process. Please note that while certain activities and rewards on CodeArena require certification, it is possible to participate without being certified. \n\nKeep in mind that being certified is not a full-time commitment but rather a verification of your identity that allows you to participate in certain activities and receive rewards. We appreciate your interest in becoming a certified warden at CodeArena and look forward to helping you complete your verification process.", "Question: What is the incentive structure for low-risk findings selected for the audit report on CodeArena?\n\nAnswer: CodeArena offers an incentive model for the selection of low-risk findings for inclusion in the audit report. Only one report containing low-severity findings is chosen from all submissions for inclusion in the final client report. However, the best report will receive more money than other reports, and if a finding is submitted as a low-risk in the QA report, but is judged as a medium risk by the panel, it will be eligible for medium rewards. \n\nA 30% bonus share is awarded for each unique High or Medium finding selected for inclusion in the Audit report. In the event of a duplicate finding, the best report is still eligible for a 30% share bonus. 
For a medium/high finding, the reward can be calculated using the formula provided in the documentation [here](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs).\n\nFor low-risk findings that are submitted in the QA report but are judged as medium, the reward can be calculated using the formula provided [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nPlease note, all A graded QA reports receive the same award, regardless of the number of low findings. Detailed information about the incentive model and the rewarding process can be found in the provided document [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process).\n\nRemember, in a scenario where multiple people, including team members, identify a gas optimization, a formula is used to calculate the reward split. A team submitting a non-duplicate finding will earn more rewards than if they had individually submitted the same finding. \n\nIt is critical to note that while participants can submit low-risk findings and report additional findings, they do not have to submit all reports for high, medium, QA, and gas optimization. They are free to submit what they find. However, cases of duplicate reports may lower their value for each warden.\n\nFinally, it is very important to make a strong case when escalating a known low from automated findings to a high severity issue.", "Q: How can I use the #\u270brsvp channel on CodeArena's Discord and what information can I find there?\n \nA: The #\u270brsvp channel on CodeArena's Discord server is a multifunctional platform that provides a variety of information and features related to our audit contests. You can access it using this link: https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784. 
\n\nThe primary function of the channel is to let users view upcoming public audits and RSVP (or signal their intent) to participate in them. To RSVP, users need to react to the relevant message in the channel. \n\nIn addition to this, the #\u270brsvp channel is also a hub for announcements and updates. For instance, details about new contests, updates about existing ones, and notifications about bot registration openings, which occur every couple of weeks, are frequently posted here. The channel also provides information about bot qualifier races, future qualifiers, and private contests that are open only for certified members. \n\nFor contests that require RSVP, such as invitation contests, participants are selected based on sponsor requests and the 90-day leaderboard ranking of those who RSVPed. \n\nMoreover, the channel periodically hosts top-tier projects and contains threads where participants can signal their team's involvement. \n\nPlease note, there is also a #\ud83d\udd96rsvp-certified channel for teams that are completely certified and meet the qualifications of an audit. \n\nAlways keep an eye on the #\u270brsvp channel to stay updated with the latest news, contests, and opportunities at CodeArena.\n", "Q: How does the quantity and severity of findings in a QA report affect the award an auditor receives at Code4Arena, and how are these findings evaluated and classified?\n\nA: Code4Arena evaluates Quality Assurance (QA) reports based on both the quantity and quality of findings. The grading considers the number of low findings identified, with two reports graded \"A\", one with 2-3 low findings and another with 5-6 low findings, receiving the same award. \n\nHowever, it's crucial to note that findings are consolidated into a single QA report, regardless of the number of low or non-critical findings. More than one high-risk finding can be submitted in the same audit, but if the root causes are the same, they would all be counted as one. 
Similarly, if a finding is submitted as low but is determined by the judges to be a medium severity issue, the auditor will be eligible for medium rewards. \n\nThe severity of findings is gauged by the potential loss they may cause. If all rewards could be lost, the finding is classified as Medium/High severity. If there's a risk of losing some rewards, it's likely a medium severity issue, and if rewards are lost due to rounding errors (negligible amounts), it falls under the QA category. If the principal can be stolen without needing extra requirements, then it's probably a high severity finding.\n\nFor gas and quality assurance, one issue and sending all is sufficient; for medium and high risks, one issue for each finding is required. Incorrect findings in a QA report can affect the QA grade, and findings can be downgraded from High/Medium to Low/QA as per the judges' discretion. These are then added to the warden's QA report.\n\nIn the event where no High/Medium issues are found in a contest, the rewards are divided based on the Quality Assurance grading. For further details, you can refer to these documents: \n- [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n- [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n\nRemember, while the quantity of findings can influence the grading, the quality of these findings and an understanding of their potential impact is just as critical.", "Question: What documents are required to verify my identity for KYC purposes and how do I submit them?\n\nAnswer: CodeArena recognizes several forms of documentation for identity verification in the KYC (Know Your Customer) process. You can use documents such as your national identification card or passport for identity verification. 
It's important to note that Provenance, our KYC provider, may have more detailed requirements for documentation than what is outlined in our guidelines. \n\nTo submit these documents, you must undergo the KYC process which involves sending your identification for verification. If you wish to submit additional findings or have any queries, you might be able to discuss these directly with our sponsor team for more context. \n\nKeep in mind that the certification process and the review of your documentation by Provenance can sometimes take time. However, you can always nudge them for a response. Providing all your documents promptly can help move the process more quickly. After submission, you can expect a response within 48 hours. \n\nWe understand that some users have been waiting for responses to their KYC applications, and we appreciate your patience during this process. If you're a first-time applicant, you may be wondering about the status of your submission. You can check this by contacting the KYC provider or our team. \n\nAlso, if you're a digital nomad, you can still become a certified warden. You would need to provide your proof of ID, bank account details, and other forms of proof of residence. \n\nFor additional information, you can visit our website or reach out to our team directly. Detailed instructions on how to complete the KYC process will be provided in the applicable channels. Please feel free to raise any questions or concerns you might have.", "Question: How can I update my profile picture or Twitter link on my Code4Arena account?\n\nAnswer: If you'd like to update your profile picture or Twitter link on your Code4Arena account, you will need to submit a help desk request. This includes changes to your profile picture, your Twitter username, and logo on the leaderboard. To submit a request, please visit https://code4arena.com/help and provide necessary details such as your email or Discord handle. 
Once submitted, you will receive a confirmation that your request has been received. For changes to your profile picture, please include a link to your new profile picture in your help desk request. For changes to your Twitter link, include the new Twitter username in the request. Please note that this is currently the process in place, and we appreciate your understanding.", "Q: How can I update my profile, such as changing my profile picture, username or adding a Twitter link, on Code4Arena?\n\nA: To change your profile, including your profile picture, username or adding a Twitter link, you need to submit a help desk request [here](https://code4rena.com/help). Please note that this is a necessary process as users currently do not have self-editing capabilities for these account details. Changes to usernames, Twitter links, and display avatars are typically processed within a week. \n\nFor certified users, you have the ability to edit your warden profiles, but this feature was only available for those certified at the time of the warden profile introduction. If you encounter any bugs or issues related to the new profile UI, you can report them in the #profile-help channel on Discord. Remember, changes in display username will not affect your user account. \n\nIn addition to this, if you wish to update your submissions, you can do so by direct messaging certain identified individuals. However, in your account settings, please note that currently you can only change your email, discord and GitHub username, but not the link or photo.", "Question: How are the QA reports graded at CodeArena, and does the inclusion of incorrect or non-valid findings affect the grading?\n\nAnswer: At CodeArena, the grading of QA reports is based on both the quantity and quality of your findings, not just the sheer number of them. Even if your report includes one good issue, it could still earn a grade B, while a report with multiple low-impact issues could be graded as C. 
\n\nConsequently, if your QA reports contain 1-2 incorrect or non-valid findings, it can indeed affect your QA grade. The grading system also allows judges the flexibility to downgrade or upgrade the severity of your findings. For instance, medium issues can be downgraded to QA and considered alongside your QA report when grading. Likewise, if a judge deems a finding's severity should be higher, items from your QA report could get upgraded.\n\nHowever, it's crucial to note that non-critical and low severity findings are generally consolidated into a single QA report for each auditor. If a finding is submitted as low in a QA report, but the judges determine that it's a medium, it will become eligible for medium rewards as per our incentive model and awards guidelines.\n\nIf you have doubts about classifying a finding between QA and Medium, it's advisable to file it as QA unless a proof of concept (POC) is coded. You can update your QA report by selecting the \"My findings\" option on the contest page.\n\nFor further understanding of the grading criteria used for QA reports, you may refer to the following links. \n\n1. [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n2. [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n3. 
[QA and Gas Report FAQ](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum)\n\nRemember, CodeArena's goal is to encourage quality and impactful findings, and thus, quality assurance is more than just a numbers game.\n", "Question: How does CodeArena handle the classification and subsequent reward distribution for various severities of issues identified by participants?\n\nAnswer: CodeArena allows participants to classify their findings into High, Medium, or QA (Low) issues based on their perceived severity. Judges then validate these classifications and can adjust them if they feel a different severity level is more appropriate. For instance, if a participant classifies a finding as a Medium issue, but the judge believes it should be a Low issue, the judge has the authority to downgrade it. Similarly, if an issue is submitted as a Low (QA report) but judges evaluate it as Medium, the issue can be upgraded, and the participant will be eligible for Medium rewards according to the guidelines on the [CodeArena Awards page](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nIf a participant submits a bug with High severity but it's judged as Medium, the reward for a Medium bug is still received, unless the submission is invalidated due to overinflation of severity or other issues such as it being incomplete, lacking detail, or inaccurate. \n\nIf no High/Medium issues are found in a contest, all rewards may shift to Quality Assurance (QA), and the full award pool would be divided based on the QA Report curve as explained [here](https://docs.code4rena.com/awarding/incentive-model-and-awards). 
\n\nIt's also worth mentioning that the term 'Low issue' in discussions often refers to QA reports, which generally include non-critical bugs. In some cases, if a bug reduces gas usage, it can be included in the QA category and mention the gas savings. \n\nJudges consider both the quantity and quality of submissions when grading QA reports. Therefore, the more issues a participant includes in their QA report, the higher the potential reward. However, it's important to note that overinflating the severity of an issue could lead to the submission being invalidated. \n\nKeep in mind that the classification of issues is based on the severity of loss caused by the issue. For instance, if all rewards can be lost, it's typically categorized as MED/HIGH. If there's a risk of losing some rewards, it's likely Medium, and if negligible rewards are lost due to roundings, it's typically QA. \n\nFor more detailed information about the classification and awarding process, refer to the [CodeArena Judging Criteria page](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [CodeArena Incentive Model and Awards page](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: How can I update my profile picture or add links to my CodeArena profile?\n\nAnswer: To update your profile picture or add a Twitter link to your CodeArena profile, you need to submit a help desk request at https://code4rena.com/help. In the request, please include the picture link or Twitter handle you wish to use. \n\nIf you're submitting a report and wish to include an image to help explain the proof of concept, you can register a free account on https://cloudinary.com/, upload the image, and copy the image URL into your submission. You can also use markdown to embed images following the guidelines at https://www.markdownguide.org/basic-syntax/#images-1. 
\n\nFor further help with managing your profile, direct your queries to the #profile-help channel on our Discord server. Please note that changes to profile pictures and Twitter links are typically addressed within a week.", "Question: Can auditors use information about protocols they have audited on other bug bounty platforms to fill their new CodeArena profile? Also, how is the bounty payout handled if multiple auditors report the same bug?\n\nAnswer: Yes, auditors can absolutely use information about protocols they have previously audited on other bug bounty platforms to fill their CodeArena profiles. This helps showcase their experience and competence in the field. \n\nAs for the confusion about bounty payouts, if multiple auditors report the same bug, all of them receive a portion of the bounty. However, it's important to note that common findings are usually out of scope as they are often picked up by the C4udit tool. If certain findings are not picked up by the tool, auditors should submit them. The findings are linked in each contest readme.\n\nPlease note that participating in the audit, even if not successful in finding bugs, is considered a valuable learning opportunity by many of our users. You may also be interested in private competitive audits or asking questions about findings from past projects for further learning. \n\nLastly, please be aware that while creating coded Proof-of-Concepts (POCs) to further explain your reported issues is appreciated, it will not have an effect on awards or the contest according to C4 guidelines.", "Question: How should I determine and report the severity of a finding if I'm unsure whether it's Low, Medium, or High, and what are the implications of a misclassification?\n\nAnswer: The severity of a finding, be it Low, Medium, or High, is generally based on the potential loss caused by the issue and the conditions required for the issue to be exploited. 
High consequences often involve significant fund loss or other severe consequences and usually don't need pre-conditions. Medium consequences typically have less impact and require specific preconditions such as high attack difficulty, specific market conditions, or users being unaware. Low issues, often under QA, usually involve negligible losses.\n\nWhen you're unsure about the severity of a finding, it's advisable to make the most educated guess you can, relying on your experience and a balance of consequence and likelihood. You can include both high severity and medium/low severity issues in the same report, with the highest effort on high severity issues. If a report is misclassified, it can be adjusted by judges. For instance, a medium report could be upgraded to a high, or a low finding can be escalated to a medium, given there isn't a reason to penalize it, such as it being incomplete, lacking detail, or not as accurate. \n\nYou can submit a medium/high report without recommended mitigation steps, but you should include an explanation as to why it cannot be feasibly mitigated. Note that if you escalate a known low issue from the automated findings to a high, you'll need to make a strong case demonstrating a relevant High or Medium severity exploit path.\n\nIt's worth noting that even if a high severity bug turns out to be only medium, you'll still receive the reward for a medium bug. 
In fact, if you submit a finding as low in a QA report, but the judges determine that it's a medium, you'll be eligible for medium rewards as per the guidelines.\n\nKeep in mind that if you're unsure due to lack of specification in documents, it's advised to submit these findings or direct message the sponsor team for additional context.\n\nFor more details, refer to the [Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues) and [QA Gas Report FAQ](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum) on the CodeArena website.", "Question: How can I become a moderator for CodeArena's Russian chat, considering I have relevant management experience?\n\nAnswer: Thank you for your interest in becoming a moderator for our Russian chat. At CodeArena, we have an extensive community management system. If you are interested in becoming a moderator, you may want to consider applying for a backstage warden role that gives you certain moderation privileges. If you believe you meet the criteria for a '+backstage' role, you can submit a help desk request on our website (https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). \n\nKeep in mind that our main chat is locked to contributors to maintain the quality of the discussions and reduce spam. However, we do add users to certain rooms on request. Also, it's worth noting that some of our users have expressed interest in hosting more contests in various programming languages, like Rust, and we have a dedicated team that can assist with setting up these events. \n\nWe also encourage interested users to become Certified Contributors, which gives them the ability to edit their profiles, among other privileges. However, please note that each individual is allowed only one certified contributor account. 
\n\nWe appreciate your expressed interest in helping manage our community and we invite you to send a direct message to any of the C4 staff members to further discuss your application.", "Question: How does the leaderboard ranking work at CodeArena, and how does it reflect my achievements in various contests including the Blockswap contest?\n\nAnswer: The leaderboard at CodeArena ranks users based on their achievements in various contests, including both current and past competitions. Your ranking can be boosted by your participation and placement in these events. For instance, if you are in the top 5 of a contest and have received the reward, your profile will receive a \"leaderboard\" tag. The leaderboard gets updated every time awards are announced, though not all contest types are currently supported, including certain ones like the Blockswap contest. \n\nAs we continue to evolve the leaderboard, we are considering several potential improvements. These include changes in the tracking timeline (from the last number of days to the last number of contests), introducing leaderboard seasons with unique NFTs as rewards, and adding position numbers and a \"Low\" column to the leaderboard. We're also discussing featuring current year statistics primarily, while still keeping all-time stats visible. \n\nAdditionally, certified contests, including the upcoming 225, will impact your leaderboard rank. To participate in private contests after certification, ensure a high position on the leaderboards from the last 90 days. Certified wardens also have an increased chance to qualify for private contests. \n\nRewards from previous private contests and judge payments are added to the leaderboard, but there have been queries about the display of these rewards and concerns about their fairness for non-KYC wardens. Users can request changes to the leaderboard or contest results link through our help desk at https://code4arena.com/help. 
\n\nIt's also worth noting that the leaderboard does not currently include all past contests, like the \"Blockswap FV contest,\" but we are working on this. Please understand that while we strive for accuracy, there may be delays or inconsistencies, and the leaderboard may not always fully reflect a user's accomplishments. \n\nYou can view the cumulative results from the first two contests on the leaderboard at https://code423n4.com/leaderboard/. Please feel free to reach out with any further questions or concerns.", "Question: How can I modify my Code4Arena profile, including changing my profile picture, linking my Twitter handle or updating my payment address?\n\nAnswer: To change your profile picture or link your Twitter handle to your Code4Arena profile, you'll need to submit a help desk request. This can be done by visiting https://code4rena.com/help and providing the necessary information. If you're looking to link your Twitter handle, you can follow the instructions at https://github.com/code-423n4/code423n4.com/tree/main/_data/handles and make a pull request for your handle. Please note that while this feature exists, it might primarily be for certified auditors.\n\nIf you want to update your payment addresses, you should go to your C4 account screen: https://code4rena.com/account. Note that while you can change your email, Discord and Github username from your account settings, you are unable to directly change your profile picture or link from this area. \n\nIf you encounter any issues in this process, or have any additional inquiries about your profile, you can reach out directly to a C4 staff member or submit an issue using the C4 form. 
It might be worth noting that there are reports of users having difficulties accessing the C4 website, so if you encounter this issue, don't hesitate to reach out for support.", "Question: How can I effectively report a bug in the new profile UI on CodeArena and what should I consider when doing so?\n\nAnswer: You can report bugs related to the new profile UI on CodeArena in the #profile-help channel on Discord, as our developers monitor this channel and log all reported issues. When you submit a bug, you can view or edit your own submission on the site for open contests. If you need to attach screenshots to better illustrate the bug, you can do so in the vulnerability details section. Simply copy the Github permalink and the lines of code that are affected.\n \nRemember to create a separate report for each bug found, taking into consideration the type and severity of the bug. You are allowed to change the severity rating even after the contest has closed either through the PR or by contacting one of the judges. In the report, you can also provide your reasons for flagging an issue. It's also recommended to include a proof of concept (PoC) for each bug found.\n \nOnce you've submitted your bug report, you can find it in your email. The platform is considering adding the severity of bugs to these emails in the future. If you encounter any issues while submitting or updating your report, such as receiving an error message saying \"API rate limit exceeded for user ID 81770958\", you can create a help desk request for assistance. Please note that user error can affect the grading of bug reports. \n\nIf you're unsure of how to make a quality submission, you can view examples of past submissions at https://code423n4.com/reports. Additionally, you can refer to the \"Findings\" tab where you can edit your QA issue submissions and find feedback for your submitted findings. Finally, the results of your submitted bugs will be revealed once the report is made public. 
Until then, you can review previous reports to understand what a high-quality submission looks like.", "Question: I noticed a discrepancy in the event dates for Nouns DAO and Chainlink Staking v0.2 between the #\u270brsvp channel and the Code4rena website. Can you confirm the correct event dates?\n\nAnswer: Thanks for bringing this to our attention. Discrepancies can sometimes occur due to changes in scheduling, but the dates on the Code4arena website are the most accurate. The Nouns DAO contest will run from July 3-13. For Chainlink Staking v0.2, the start date listed on the Code4rena website is the correct one. \n\nFor future audit contests and event updates, we recommend checking both the #\u270brsvp channel and our website, https://code4rena.com. The website also includes details on bounty amounts, registration requirements, and timelines. \n\nAlso, bear in mind that event details are sometimes updated, so keep an eye on any changes. In case of any discrepancies or uncertainty, feel free to ask for clarification in our Discord chatroom or open a help desk request at https://code4rena.com/help.\n\nFinally, you might want to follow us on Twitter for the latest news about our events, such as our planned participation at DevCon: https://twitter.com/code4rena/status/1577405876952272896?s=21&t=YjWD5aNJCZKKN9jXrRDh7A.", "Question: How can I develop expertise in auditing smart contracts and understanding their vulnerabilities?\n\nAnswer: For those starting out in smart contract auditing, there are several online resources to consider. You can begin with the basics of solidity and smart contracts by visiting CryptoZombies.io and CaptureTheEther.com, which provide interactive learning and Capture the Flag challenges.\n\nIf you are interested in becoming a smart contract auditor, you might find the post by @cmichel called \"How to become a smart contract auditor\" helpful. 
You can read it here: https://cmichel.io/how-to-become-a-smart-contract-auditor/\n\nFor advanced solidity and defi industry standards, you can try The Ethernaut challenges and Damn Vulnerable DeFi: https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/\n\nFor an understanding of blockchain forensics specifically for hacks and incidents in smart contracts, resources like https://docs.code4rena.com/roles/wardens/tools-and-resources can be beneficial. \n\nIf you are interested specifically in tools used to find vulnerabilities and bugs, Metatrust is a smart contract scanning tool that can detect price manipulation vulnerabilities: https://app.metatrust.io/project\n\nFor those who prefer video content, there is a demand for YouTube resources on smart contract auditing, although specific videos are yet to be recommended.\n\nWhile learning, it's crucial to remember that the time it takes to master the basics and start finding bugs in smart contracts depends greatly on your prior experience and learning capabilities.\n\nRemember, understanding vulnerabilities and being able to audit smart contracts effectively also requires understanding of the reports and concepts related to smart contracts. It's not just about learning to code, but also understanding the context in which that code operates.\n\nLastly, while focusing on smart contract security is important, individuals should pursue what they enjoy and are interested in, not just potential earnings, as suggested in our community discussions.", "Question: Why can't I participate in private contests on Code4rena even though I have passed the KYC?\n\nAnswer: Access to private contests on Code4rena is granted to certified members only. To become a certified member, you need to complete the Know Your Customer (KYC) process and achieve a certified status on your handle. Details on this process can be found in the Code4rena documents. 
Once you become a certified warden, you have the ability to participate in private contests, but it's important to note that you are not obligated to apply to every contest. The eligibility criteria for each private contest are listed in the #\ud83d\udd96rsvp-certified channel. Some private contests may be open only to those who participated in the original audit or those who rank high on the leaderboard within the last 90 days. RSVP in the certified rsvp channel to participate in private contests after certification. If you're having issues with access after passing the KYC, consider creating a help desk request at https://code4rena.com/help. Remember that even with KYC approval and certification, you may not have access to certain contests if they have already been assigned. Also, to receive prizes for some contests, KYC might be required, with the form found at: https://docs.code4rena.com/roles/certified-contributors.", "Question: I received an unexpected email about an update to my payment address on Code4rena, which I did not initiate. How can I have this issue checked and rectified if necessary?\n\nAnswer: This issue has come up in our community before. If you received an unexpected email regarding the updating of your payment address, please report it to our team through the help desk (https://code4rena.com/help). This link takes you to the form where you can provide details about the situation. We'll thoroughly investigate the issue. Please note that the payment address can be updated from your C4 account screen (https://code4rena.com/account). If you've recently applied for KYC, you'll receive an email from Provenance and C4, which could be the email you received. However, if your account has been compromised and you've changed payment addresses, it's crucial to let us know. We can assist you to update your payment address in the Manage Account section of our site to ensure future rewards are directed to the correct wallet. 
Please remember, it's essential to maintain the security of your wallet to prevent theft of rewards. Be rest assured, we're committed to rectifying any errors and ensuring your rewards are secure.", "Q: Why did I receive an email about the update of my payment address even though I didn't initiate such changes? \n\nA: We have had instances where users receive emails about the update of payment addresses without their knowledge. This can be due to several reasons, including potential security incidents. In case your wallet was compromised, you might have needed to change your payment address and remove the compromised one from your account. \n\nPayment addresses can be updated within the Manage Account section on Code4rena (https://code4rena.com/account). If you didn't make this change, please report it immediately to our team via the help desk (https://code4rena.com/help). \n\nIt's also worth noting that email receipts can sometimes be interrupted due to factors outside of our control, such as incidents on Github (https://www.githubstatus.com/incidents/r5qrpp2f5fc0). Please check your spam folder as sometimes emails may end up there. \n\nIf you have recently switched to a new email address, ensure that your Code4rena account is updated accordingly. Remember, it's important to keep your contact details current to ensure the security and integrity of your account. \n\nAs part of our security measures, we do not include Ethereum addresses in the email confirmations. \n\nLastly, please be aware of potential scam alerts. If you suspect any fraudulent activity, contact us immediately.", "Question: I received an unexpected email about changing my payment address on Code4rena, but I didn't make any changes. What should I do?\n\nAnswer: We understand your concerns about the unexpected email. It seems some users have reported a similar issue. This usually happens when an attempt is made to change the payment address associated with your account. 
If you haven't made any such changes, it's crucial to confirm the status of your account and payment address.\n\nYou can verify your current payment address in the \"Manage Account\" section on your C4 account. Here is the link: https://code4rena.com/account. If you find any unexpected changes, please report the issue to our help desk immediately. You can submit a request at https://code4rena.com/help.\n\nMoreover, after any changes like this, we recommend changing your payment address to a new wallet address, especially if you suspect your current wallet may have been compromised. The security of user accounts is paramount to us, so we have set processes to ensure all changes are done correctly and securely. We advise you to keep track of all your communication related to Code4rena, including checking your spam folder regularly for any emails from Provenance or C4.\n\nRemember, payment wallet addresses can be changed within your user profile on Code4rena, and you can update your wallet address after a finding submission and before the reward payout by submitting a request through the Help Desk.\n\nFinally, if your wallet is hacked and you change your payment address while using the same wallet to log in, please create a help desk request to ensure the secure handling of your account and rewards.", "Question: What is the OG Warden status and how can one acquire this badge on their profile?\n\nAnswer: The OG Warden status refers to a badge on the Code4Arena website that is given to wardens who have been with us for a significant period of time. Currently, the process to obtain this status has not been detailed in our discussions. However, to become a warden, which can be a prerequisite for the OG Warden status, you need to register and complete a Know Your Customer (KYC) process through Provenance as part of our certified warden process. Details on how to become a certified warden can be found here: https://docs.code4rena.com/roles/wardens/certified-wardens. 
Once registered, you will have the ability to edit your warden profile to reflect your availability status. Note that this feature is currently only available to certified wardens. \n\nAs a certified warden, you'll gain certain privileges which have not been fully detailed yet. You can also participate in contests, get involved in our leaderboard, and apply for private contests as well. Check your acceptance as a warden on our platform and keep an eye out for new opportunities such as the OpenSea contest. To get your wallet whitelisted, you'll also need to register as a warden. \n\nPlease note that the process of becoming an OG Warden may be different or more extensive, as it denotes a level of longevity and experience within our platform. We recommend being active in our community and continuing to contribute to our efforts. \n\nFor more queries, access our help desk at https://code4rena.com/help or check out our leaderboard at https://code4rena.com/leaderboard/ to see what other wardens are earning.", "Question: Can a non-critical issue be included in gas optimizations and how should it be reported within the CodeArena system?\n\nAnswer: Yes, a non-critical issue can be included in gas optimizations at CodeArena. If a non-critical issue (or low severity/QA bug) is discovered that also reduces gas, it should be reported in the QA category and mention the gas savings. However, if the issue only relates to gas savings, it could be downgraded from QA to Gas. \n\nYou can submit your findings to CodeArena where the reports are evaluated based on their impact on gas consumption. For example, gas optimization inside view/pure functions can be reported. It's also recommended to report any gas optimizations separately. If you have multiple ideas about gas optimizations, they can be written separately and then merged into one report. \n\nWhen submitting a gas optimization report, it is not mandatory to specify the amount of gas saved. 
However, including this information can potentially increase points. \n\nPlease note that not all gas optimizations are valid when the optimizer is enabled, which has caused some confusion about what should be reported. Only those optimizations in the generated report are considered invalid, the rest can be found in the common issues list on CodeArena's GitHub page: https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md.\n\nKnown issues, including those listed in publicly known issues, should be excluded from gas reports. When submitting a report, it's recommended to clarify if the bug/gas optimization is valid for other files within the same repository.\n\nPlease remember that the current focus of CodeArena is on high, medium, low severity vulnerabilities and gas optimizations - there's no direct incentive to report non-critical findings. However, gas optimization is a potential starting point for a first-time audit and it is beneficial to include gas savings from refactored code in submissions.", "Question: What is the status of the Basin audit for the Bean Money protocol and are there any delays in contests at Code4rena?\n\nAnswer: The Basin audit for the Bean Money protocol is not postponed. You can find information about it at this link: https://code4rena.com/contests/2023-07-basin. However, it's important to note that some contests at Code4rena, like the streaming protocol contest and the Vine Labs contest, have been postponed. Delays sometimes occur due to factors related to the protocol itself or the judging process. For example, the Chainlink staking v 0.2 contest on the C4 site and the Overlay Protocol contest have been delayed and will be re-posted once dates are confirmed. Sponsors can also contribute to the delays of contest judgement. Furthermore, payout distribution can sometimes also be delayed, as with the Nested Finance audit contest. 
New contests are typically announced, like the one planned to begin on February 16th, and there are often queries about the status and timing of these events.", "Question: What is the timeline for a contest at CodeArena, given that some complex projects have more than 12k Source Lines of Code (SLOC)?\n\nAnswer: The timeline for a contest at CodeArena can vary depending on the complexity of the project and the number of submissions. For contests involving large projects such as those with over 12k SLOC, the contest duration has been extended to 4 weeks. However, this does not necessarily mean that the duration of a contest is directly proportional to the size of its source code. \n\nThe judging process can take anywhere from 2-4 weeks after the contest, with the precise time depending on the contest and the number of reports on review concurrently. After judging, the findings are reviewed and the awards are distributed, which could add an additional 2 weeks to over 6 weeks to the timeline. In some cases, the rewards distribution can take up to 2 months after the end of the competition, although this is a worst-case scenario, and CodeArena is working on reducing these turnaround times.\n\nSimultaneously, CodeArena can handle multiple contests and it's possible for two or more contests to run at the same time. For example, there have been instances where two contests were queued up for the next week. CodeArena aims to process and distribute multiple contest rewards by the end of a specified week.\n\nAlso, the initiation of new contests is a regular occurrence with the company running week-long contests each week and a number of new contests are expected to take place in the coming month. \n\nFor more specific queries about the scope and timeline for a particular contest, you can reach out to the respective sponsor. 
All contest details, including timelines and SLOC counts, can be found on our contest page [https://code4rena.com/contests/](https://code4rena.com/contests/). Please note that the requirement for backstage+ could also be met by participating in a minimum of 3 contests.", "Question: What is the timeline for CodeArena's auditing process, and when can I expect to receive rewards after the completion of a contest?\n\nAnswer: CodeArena's auditing process can typically take between 3-6 weeks, depending on the complexity of the project and the number of reports under review. For larger projects, such as those involving over 12k sloc, the timeline can be extended to 4 or even 5 weeks. You can find a more detailed description of our process in our docs: https://docs.code4rena.com/structure/our-process. \n\nIn terms of reward distribution, we aim to process and distribute rewards by the end of the contest week, with the expectation that they go out the following week. However, this is a worst-case scenario, and we are actively working on reducing these turnaround times. For example, funds for specific contests, like the nested finance audit contest, are expected to be sent out on a specific Monday or Tuesday following the contest's conclusion. \n\nWe also plan and execute multiple contests per week, with an average of 2-5 audit projects. Depending on necessity and capacity, we might simultaneously run up to 20 contests a week. \n\nPlease also note that the Know Your Customer (KYC) process can take a week or longer to complete, which might affect the timing of receiving your rewards. \n\nFor updates on rewards and upcoming contests, you can join our community calls, which are typically planned for the following week. We are also considering implementing seasons for our leaderboard that could last 4-6 months, and changing the leaderboard from tracking the last number of days to the last number of contests. 
\n\nWe acknowledge that there are exceptions and delays in some cases, such as holidays, but we are committed to providing you with the most accurate information and support. Feel free to ask about the status of your rewards or any other questions you might have in our Discord chatroom.", "Q: I'm encountering an error when submitting an analysis as a team regarding a saved polygon address. How can I resolve this? \n\nA: This error is a known issue for several users. When submitting an analysis as a team, it's crucial to ensure you have a polygon address saved in your account. You can use this link to access the Guidelines and FAQ page for more information on analyses and submissions: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118 \n\nIf you have already saved your polygon address but still encounter the error, please submit a help desk request with your team details and the specific audit you're submitting for. You can do this at https://code4rena.com/help. If your analysis was initially submitted from a personal account instead of a team account, you can resubmit it from the team's account and ask the help desk to withdraw the other one. \n\nPlease note that currently, it's not possible to edit or resubmit an analysis report once submitted; though we are working on adding this functionality. If your analysis submission is exceptionally large (over ~65k characters), it may exceed Github's max character limit for issue descriptions. In such cases, you can email your submission to submissions@code423n4.com. \n\nWe are aware of some instances where users have had trouble submitting findings through certain browsers like Firefox and Chrome due to an error related to the permalink. 
We're actively working on resolving these issues.", "Question: Does the CodeArena platform support markdown formatting in its submission forms and reports?\n\nAnswer: Yes, CodeArena (C4) does support markdown formatting across its platform, including the submission forms and reports. \n\nYou can use markdown formatting for analysis submissions, issue titles, and even in the reporting section where it can be used to add code blocks. The guide on how to do so can be found here: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.\n\nPlease note that the findings report page does not support HTML tags, and users are strongly advised to use Markdown instead. The submission form on Code4rena accepts Markdown for formatting the text, and even the submission preview supports mermaid syntax. \n\nImages can also be embedded in the report using Markdown, and CodeArena has confirmed that markdown previews may not properly display lists, but this is only an issue with the preview and not the final submission. \n\nFor more intricate formatting, like mathematical expressions or code blocks, you can use Markdown. Tools such as GitHub, Joplin, VScode, and Notion are popular for writing reports because they support Markdown, and it is recommended to use a platform that supports Markdown. \n\nWhen writing reports, a markdown template is proposed if you're submitting through the Code4rena interface. If you're writing a report that includes mitigations, you can also use markdown to format the code. The markdown code to include GitHub code in a report can be found at the same link provided above. \n\nTo ensure your code blocks are correctly formatted in reports, remember to surround the codes with ``` on either side. 
If your report includes Solidity syntax, this can be done using the MD format.\n\nIt's also worth mentioning that there is no standardized guideline or rule on the formatting of the gas/qa reports, aside from the use of markdown.\n\nWhile some users choose to write their QA/gas reports directly into the submission form without using any special tools, others find it helpful to create issues in tools like Notion, format them there, and copy-paste the formatted text when submitting, as this maintains the necessary markdown formatting.\n\nLastly, there was a question about the judges' preference regarding the inclusion of line numbers in code snippets for h/m issues. However, this is yet to be confirmed. It's also worth noting that there is a known issue where numbered lists in markdown do not show numbers in the preview tab, but the numbers are visible when the report is submitted.", "Question: What guidelines should I follow when submitting for analysis awards, and how should I structure my QA and Gas reports? Can you also clarify the grading system and the award formula?\n\nAnswer: At Code4Rena, analysis submissions follow separate guidelines which can be found here: [Analysis Guidelines](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118). Participants are recommended to submit one comprehensive report for Gas and one for Quality Assurance (QA), ideally grouping all issues together. QA and Gas reports are assessed based on both quantity and quality of submissions, and it's unlikely for a single item in a QA submission to receive a high grade. 
More details on this can be found in these links: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nThe grading system classifies submissions into grades A, B, C with each grade having its own specific bonuses. Submissions are also categorized into \"primary issue\" and \"selected for report\". More details on the grading system can be found here: [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards) and [Curve Logic](https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic).\n\nThe awards for Analysis reports are $4,250 USDC and for QA reports are $2,000 USDC. However, it remains unclear if there is a documented formula for the awards. \n\nAdditionally, if a finding is submitted as low in a QA report but judges determine it's medium, it will be eligible for medium rewards. More information on this is available here: [QA Gas Report FAQ](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nRemember, you can also edit your submissions if needed. For a better understanding, you can check previous reports to see what a high-quality submission looks like.", "Question: What is the protocol regarding the disclosure of judges and lookouts in CodeArena's contests and how can I interact with them or the findings?\n\nAnswer: At CodeArena, maintaining the integrity of the contests is our priority. To ensure a bias-free competition, the identity of the judges and lookouts is not disclosed before or during any contest, regardless of its nature. This means participants cannot contact the judges or lookouts directly to inquire about their submissions or other contest-related matters. 
\n\nThe judges for each contest are chosen based on their expertise and reputation, and the results of their judgement are only shared after the contest concludes. While wardens used to have the ability to view submissions and provide factual comments at the pre-judging stage, this practice has been discontinued. \n\nOnce a contest concludes, participants may ask judges for feedback on issues to understand their ruling and improve future submissions. However, this is only possible via backstage access during the post-judging stage.\n\nAfter a contest ends, the findings are immediately reviewed in a process that includes sponsor review, judge review, sponsor confirmation, judge's final report, and announcement of the results. These findings are visible to the C4 staff, sponsors, and judging team. There are plans in place to allow certified contributors to view submitted issues right after contest closure and to comment or provide input during judging. \n\nPlease note that once contest payouts have been sent, the outcome cannot be changed, but any overlooked issues can be flagged to the judge and sponsor. If a judge is unable to complete their work in a timely manner due to unforeseen circumstances, the contest is reassigned to another judge.\n\nYou can find more information about specific contests on their respective page, which may include a list or links to wardens, judges, and sponsors. For example, details about the Asymmetry contest can be found [here](https://code4rena.com/contests/2023-03-asymmetry-contest). \n\nIt's important, also, to remember to direct any specific questions about the scope of a contest to the respective sponsor. 
Additionally, you can openly discuss issues with the sponsors before the contest ends, including questions about severity and scope.\n\nIn terms of seeing other findings, while you have the ability to view reports from other wardens even after a contest has ended, the total number of wardens participating in a contest is only disclosed once the contest finishes. If you have queries about why certain findings were rejected or how to view others' findings after a contest ends, please don't hesitate to ask.\n\nWe hope that this information helps you better understand our process and supports your participation in our contests. If you have any more questions, feel free to reach out.", "Question: If I have a limited time for audit, and I've just spotted 1-2 Low and 1-2 Gas issues, should I create a report for them? How are these reports graded in comparison to others?\n\nAnswer: Yes, it is recommended to create reports even when you have discovered a limited number of issues. For gas and low-quality assurance (QA) findings, you can group all issues together in one report, while medium and high-risk findings require separate reports for each issue. The grading of your report is not solely determined by the quantity of the issues you report. Grading is a comparative process, where your report will be evaluated against other highly ranked reports. Even a report with one good issue could be graded a B, while a report with multiple low-impact issues could still be a C. \n\nFor QA reports, including non-critical and low severity findings, it is often better to have a higher number of low findings as they are graded based on quantity. However, keep in mind that the quality of submissions is also considered alongside the quantity when grading QA reports. For example, two reports graded A, one with 2-3 low findings and another with 5-6 low findings, would receive the same award. 
\n\nIf a low issue/non-critical (QA) bug that also reduces gas is found, it should be included in the QA category and mention the gas savings. If the issue only relates to gas savings, it may be downgraded from QA to Gas. Be aware that judges have the ability to change the severity of your reported issues, which can influence the grade of your report. For instance, if a finding is submitted as a low in a QA report, but the judges determine that it's a medium, it will be eligible for medium rewards.\n\nRemember, the main goal is to provide as much valuable information as possible, even if the submission only contains a few findings. Helpful examples of highly graded QA/Gas reports can be found at this link: https://code4rena.com/reports. For more detailed explanation on grading, you can refer to the followings links: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: How is the grading system for QA and Gas reports structured in Code4Arena, and is it worth reporting minor issues and gas optimizations?\n\nAnswer: The grading system for QA and Gas reports at Code4Arena focuses on high/medium/low severity vulnerabilities and gas optimizations. While the number of issues reported doesn't necessarily determine the grade, the nature and impact of the reported issues can influence the grading. For instance, a report could have one high-impact issue and be graded as B, or have multiple low-impact issues and still be graded as a C. \n\nEach report is graded between 0 and 100, with Grade A reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus. 
The awards for QA and Gas reports are given according to judges\u2019 scores, and duplicates are disregarded. However, handling downgraded issues, which need to be paired up with wardens\u2019 QA reports, has been challenging. \n\nReporting minor issues and gas optimizations is still valuable. While there's no direct incentive for reporting non-critical findings, if a low issue/non-critical (QA) bug that also reduces gas is discovered, it should be included in the QA category and mention the gas savings. If the issue is only related to gas savings, it could be downgraded from QA to Gas. For gas optimizations reports, it's suggested that the amount of gas saved for every finding should be mentioned, as providing proof of how much gas the refactoring saves may affect the grade of the submission.\n\nWhen entering a contest, participants can submit what they find and are not obligated to submit reports for high, medium, low, and gas optimization. However, for gas and low/quality assurance, one issue and send all is sufficient; for medium and high risks, one issue for each finding is required. Users should submit one Quality Assurance (QA) report per contest and ideally group all issues together. They should also separate the Gas report from the QA report.\n\nThere are restrictions on submitting more than one report of gas optimization in a contest; users should compile all findings into one report. Known issues should be excluded from gas reports. Users can also submit one combined gas and one combined QA report.\n\nThis grading and award system encourages fair competition and can be understood in more detail at https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq.", "Q: How can I set my profile as \"Available for Hire\" and appear on the leaderboard on CodeArena?\n\nA: As a Certified Warden on CodeArena, you have the option to set your profile as \"Available for Hire\". 
However, please note that this option may not immediately appear after you become certified, as there are manual steps on our backend. Once available, you can set your status through the profile editing page.\n\nTo appear on the leaderboard, you need to participate in our contests and place in the top 5. Once you've received a contest reward, your profile should be automatically tagged with \"leaderboard\". If you want to change your profile icon or link on the leaderboard, you can submit a help desk request at [https://code4rena.com/help](https://code4rena.com/help).\n\nKeep in mind that placing on the leaderboard and becoming a Certified Warden can enhance your chances of qualifying for private contests and RSVP certified jobs. The default leaderboard setting shows results from the last 60 days, but you can adjust this to view results over a specific period. The leaderboard also considers individual and team contributions, so your name could appear twice if you're part of a team.\n\nRemember that we're always looking to improve CodeArena and have considered potential upgrades to the leaderboard, like different timelines for results (all-time, the last three months, etc.), adding badges for various achievements, and introducing leaderboard seasons. If you have any suggestions, we'd love to hear them.", "Question: I'm having trouble with submitting multiple findings during an audit. After submitting one high-risk finding, I'm having trouble submitting another. Can I submit more than one, and how can I troubleshoot if I'm having issues?\n\nAnswer: Yes, you can submit more than one high-risk finding during the same audit. However, if the root causes of the findings are the same, they will be counted as one. If you are having issues with submitting findings through the \"Risk rating *\" menu or if a submission fails, check for an error on the form. Make sure to wait for a confirmation email to ensure your submission was successful. 
\n\nPlease bear in mind that submissions can be edited while an audit is still open. You can do this by going to the contest page and clicking on the \"Your Findings\" button. If you encounter an error message, you might have already submitted a similar finding. CodeArena handles duplicate submissions by reducing the value of a finding when more of the same kind are submitted during the open submission period. However, if an issue identified in an automated finding can lead to a high severity finding, it can be reported again during the contest by a warden and could be awarded with higher severity.\n\nLastly, whether high-risk findings are considered or not depends on the specific contest and the judge. Submitters should make a case to the judge in their submission if they believe a high-risk finding should be considered. If a submitted high-risk finding is judged as low risk, the submitter will still be rewarded and vice versa.\n\nFor more information, you can refer to CodeArena's policies here: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. If you're still encountering issues, please submit a help request to the CodeArena team here: https://code4rena.com/help.", "Question: Can I submit multiple high-risk findings in the same audit, and how are they evaluated and rewarded?\n\nAnswer: Yes, it is possible to submit more than one high-risk finding in the same audit. However, multiple findings that share the same root cause are typically counted as one. If the same vulnerability is found in different components of the codebase, it might count as separate findings, but ultimately, it's up to the judge to determine if they're duplicates. \n\nThe evaluation of whether high-risk findings are considered depends on the specific contest and the judge's discretion. The submitters are advised to make a case to the judge in their submission if they believe a high-risk finding should be considered. 
If a finding initially submitted as high-risk gets judged as low-risk, the submitter will still be rewarded, and vice versa. If a finding is evaluated as medium severity but the judges assess it to be high-risk, the severity can be upgraded, unless there's a reason to penalize it.\n\nFor each unique high or medium finding included in the audit report, a 30% share bonus is provided. However, if the same vulnerability is reported by two or more wardens, there's a specific criterion followed in sharing the reward. If multiple auditors report the same bug, all of them get a portion of the bounty. \n\nAll findings need to be submitted before the audit closes. It's important to note that there's no reward for being the first to submit findings. There's a process open for editing findings while the audit is ongoing. To edit, go to the contest page and click on the \"Your Findings\" button. \n\nAdditional findings, including low-risk ones, can be reported. Non-critical and low severity findings are usually consolidated into a single Quality Assurance (QA) report. A single report with all occurrences of the same issue is acceptable when submitting findings. Participants can also submit one combined gas report and one combined QA report, and they have the ability to edit existing findings. \n\nIf a participant is uncertain whether findings should be submitted separately or as one, it would be best to seek guidance from the contest rules or consult the judge.", "Q: I've been certified but I can't select the \"Available for Hire\" option in my profile settings. What's the reason and how can I resolve this?\n\nA: There can be a delay in the option to add \"Available for Hire\" status on your profile after certification due to some manual backend processes. Certification is approved by Provenance and typically takes around 2 to 5 business days to reflect on your profile. 
You will receive an email once your certification has been finalized, which also indicates that you can start editing your profile. \n\nIf you believe you are certified but the option isn't available, check your assigned roles by clicking your name on the platform and in your email communication. If you're indeed certified and still can't edit your profile or if you haven't received the certification email from Provenance, we recommend creating a help desk request for assistance at https://code4rena.com/help. \n\nPlease note that only Certified wardens can be marked as \"Available for Hire\". If you're waiting to become Certified or you've submitted KYC (Know Your Customer) verification but haven't received a confirmation email from Provenance, please hang tight as it may take several days for the process to be completed. Remember to check your spam folder as well. If you've recently changed your username, you may need to reapply for certified status. \n\nOnce your \"Available for Hire\" status is activated, you will be visible in the \"Available for Hire\" filtering option on the leaderboard, and you will be granted access to more contests.", "Question: Can Uniswap TWAP be used in Arbitrium for optimizing the purchase of tokens and maximizing profits in arbitrage opportunities?\n\nAnswer: There isn't a straightforward answer to this question because it involves a lot of specific factors related to token swaps, price impacts, and transaction costs. In general, to maximize profits in arbitrage opportunities, you would need to derive the optimal strategy from the Automated Market Maker's (AMM) price formula in Uniswap-like scenarios.\n\nFor example, Uniswap and PancakeSwap use different formulas for calculating protocol fees. Uniswap V2 employs a 5 basis point (0.05%) protocol fee, while PancakeSwap V2 utilizes 8/25 of the growth in the square root of K as its protocol fee. 
The code for PancakeSwap can be found at https://bscscan.com/address/0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73#code.\n\nIn Uniswap, ERC Tokens can be swapped with a minimum fee of 0.05%. However, there's a possibility of arbitrage opportunities across multiple tokens (e.g., A -> B1 -> B2 -> A), although a generalized formula for finding the optimal amount to buy is not provided.\n\nWhen it comes to Arbitrium, due to its rollup chain, the transactions costs may be lower than Ethereum mainnet but it depends upon the specific conditions at the time of your transaction. You will need to develop a specific algorithm taking into account these factors to find the optimal swap strategy.\n\nIt's worth mentioning that there exist other cross-chain dex options between polygon and ethereum, such as wormhole or celer, which might offer alternative opportunities for arbitrage.\n\nFinally, tools like Slither, a static analysis tool for smart contracts, can be used to find vulnerabilities and bugs in smart contracts, potentially helping you to avoid costly errors.", "Question: If I edit a submitted issue in CodeArena, will the initial (pre-edited) version still be publicly visible, and if so, where can it be found?\n\nAnswer: Yes, if you edit a submitted issue, the initial (pre-edited) version may still be publicly available. They can be found in the edit history once the repo is made public. Repositories are usually private until they are made public after the issues have been mitigated and cleared for publication by the sponsors. This means that your initial submissions, along with any edits you make, are not visible to the public until the report goes live and the findings repo is made public. \n\nHowever, there are some concerns around this process. For instance, if too much information is accidentally pasted in an issue that should not be publicly available, editing is the suggested course of action. 
But, if you believe the issue contents pose a security risk if made public, you can submit a Help Desk request to discuss further actions. \n\nAlso, it's important to note that sponsors are given access to the findings repo either after the contest is over (old contests) or one week after with triaged and deduped issues. There's a fairness concern raised that if sponsors have early access to the vulnerability submissions, they might exploit the information. \n\nParticipants, however, can review their issues before they are reported and can see when their findings are edited. A user can view their submission and the comments in their submission after the announcement once the repo is set to public, unless they are certified for backstage access. If an issue was reported, it doesn't need to be sent to the judge/lookout because the judge can see it. \n\nLastly, remember that you can withdraw your old issue if you want to make a new submission of the same issue. The severity of issues can also be updated post-submission by judges. These features aim to make the process as fair and transparent as possible.", "Question: If I accidentally pasted too much sensitive information in the issue that I don't want to be publicly available, is it appropriate to edit the issue? Are there any precautions I should take?\n\nAnswer: If too much information is accidentally pasted in an issue which should not be publicly available, it's suggested to edit the issue as soon as possible to protect your sensitive data. But please be aware that even after editing the issue, the initial (pre-edited) content may still be publicly available in the edit history. \n\nIf you feel this poses a security risk, we recommend submitting a Help Desk request to address the concern. Also, when submitting a \"Proof of Concept\" with Github, please note that it doesn't require the repository to be made public due to the risk of exposing vulnerabilities. You can use a private gist instead. 
\n\nIf you believe that the issue involves various lines changed, you can send a git patch or a PR to the repo. And in case your issue's text is too large to fit in the textbox, you can link a gist. Always ensure to provide enough context and detail to your issue for it to be properly addressed.\n\nFurthermore, if submitting an issue involves various lines changed, users can send a git patch or a PR to the repo. You can review your issue and related findings before reporting. If you are unsure about the severity of the issue, you can ask for help in the chat. It's also important to know that you can withdraw your old issue if you want to make a new submission of the same issue. In doing so, it saves the judges' time and gives your fresh submission a better chance of being addressed promptly.", "Q: I received an email confirming my certification, but I can't see this reflected in my profile settings. Why is this, and how can I verify my certified status?\n\nA: The certification process is approved by Provenance. Once your certification is finalized, you will receive a confirmation email from provenancecompliance.com, which is legitimate. Please note that it generally takes between 2 to 5 business days for the status to reflect on your profile after approval. \n\nDuring this time, while we update your status, there might be some manual steps on our end that delay the reflection of your certification on your profile immediately. However, you can check if you have been assigned the certified role by clicking on your name. \n\nOnce certified, you will have the ability to edit your profile and status, including adding an \"Available for Hire\" status. This feature was introduced with the warden profiles and is currently only available to those who have completed the certification process. \n\nPlease be aware that if you do not receive an email from us, despite applying for certification, it's possible the email ended up in your spam folder. 
If you have not received an email within the stated timeline, please feel free to contact the organization through the help-desk form. For those who submitted an application to become a certified warden and are waiting for KYC emails, please be patient as we process your applications in the order they were received.\n\nFinally, if you believe you qualify for the Certified+ status but have encountered issues finding the correct submission form, we understand your concern and are currently improving the process for requesting this status. \n\nWe appreciate your patience and understanding as we work diligently to process all certifications. Your certified status will grant you access to more contests, among other benefits. Please keep an eye on your email for updates on your certification status.", "Question: Can you guide me on how to properly use and run the Picodes analyzer? I'm encountering issues with the base path, scope file, and git url.\n\nAnswer: Sure, the Picodes analyzer, also known as the 4nalyzer, is a tool used for finding publicly known issues. The newest fork of the tool is called Analyzer and can be found [here](https://github.com/Picodes/4naly3er).\n\nBefore running the analyzer, ensure that you have a proper scope.txt file. The 4nalyzer requires a specific scope.txt to analyze, instead of analyzing an entire folder. In scope.txt, you can execute the 4nalyzer and analyze everything inside the specified folder.\n\nConcerning the base path and git url, it's common for beginners to encounter difficulties. You can access the Analysis Guidelines and FAQ [here](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118) and [here](https://docs.code4rena.com/awarding/judging-criteria#analysis). \n\nThese documents will help you understand how to create an analysis report, including using 'git diff' in the terminal and embedding code in the report. 
When referencing issues, it's recommended to include both the URL to the repository with the line number and a code block.\n\nRemember, you can always find the list of optimizations/L1 issues that are looked for in audits [here](https://github.com/Picodes/4naly3er/tree/main/src/issues). Also, it's beneficial to understand the purpose of the codebase before running the analyzer, which typically involves reading the documentation or having previous experience with similar code. \n\nLastly, don't forget that issues can be browsed [here](https://code4rena.com/reports), and each issue provides a link to the relevant GitHub issue, which can be helpful in understanding how to run the analyzer and avoid common problems.", "Question: Can I edit or resubmit my analysis report after submission?\n\nAnswer: Presently, CodeArena (C4) does not support direct editing or resubmission of an analysis report. However, there are a few alternatives available. If you have accidentally submitted the analysis from a personal account, you can resubmit it from the team's account. If you have further findings or wish to make changes to your analysis, you can use the 'Your Findings' button on the contest page to edit your submissions while the contest is open. Additionally, you can invoke the \u2018withdrawn\u2019 status to invalidate your submitted report and replace it with a new one. If you encounter any issues or need to make changes to your analysis report after submission, you may create a help desk request detailing the desired changes. \n\nDo note that the ability to directly edit or resubmit an analysis report is a future functionality that C4 plans to implement. 
You can keep yourself updated with the latest developments by visiting our Analysis Guidelines and FAQ page at: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Question: How can I access post mortems, participate in audits and follow up on contest findings at CodeArena?\n\nAnswer: Post mortems of the audits can be found on our YouTube channel: https://www.youtube.com/@code4rena. Additional information and announcements about upcoming post mortems are posted in the #\ud83d\udce2announcements section. A recent post mortem analysis of the TempleDao incident can be found on this Twitter link: https://twitter.com/staxfinance/status/1580383607541354498?t=gyGLiqWddReeKaKKYCigig&s=19.\n\nYou have the opportunity to ask questions about findings from past projects and also participate in private competitive audits. After a contest ends, you can view the findings and understand why some were rejected. The findings repository becomes public, allowing you to review the findings of other wardens. You can use the \"View Repo\" and \"Submit Findings\" buttons if you are a certified warden. Examples of past submissions from bug hunts can be found at https://code423n4.com/reports.\n\nNew participants are encouraged to practice on past contests and read old reports for learning. You can also view all submissions after a contest, with analysis examples available from the Maia contest onwards. For any queries regarding your submission replies, you can view them directly on our platform. In case you have findings that could fit into two categories (mechanism and architecture), you can categorize them appropriately in your analysis report.\n\nThere's a post-judging QA period where you can make comments on the judges' decisions. If you are a warden, you can see the judging results before they are published and if you see issues, you can raise them to the judge for reconsideration. 
Findings are sealed to other wardens during the contest but they are visible to C4 staff, sponsors and the judging team for the judging to occur.\n\nNote that findings from each contest become public only after the final contest report has been published. Certified+ wardens have the privilege to view the findings repo immediately after a contest ends. If you are waiting for warden verification, there might be other options to submit findings outside of the form on the website. It is also worth mentioning that there are queries about tools to test code coverage and resources for blockchain forensics analysis, particularly for hacks and incidents in smart contracts. Lastly, remember you can always find feedback for your submitted findings.", "Q: How can I manage my submissions in CodeArena, including editing, checking prior submissions, withdrawing, or resubmitting issues?\n\nA: Once an issue has been submitted in CodeArena, you have several options for managing it. Firstly, you can edit your submissions even after you've initially submitted an issue. This is particularly useful if you've accidentally included too much information that shouldn't be publicly available or if you find another error after your first submission.\n\nYou can edit your submission directly on the contest page under the \"your findings\" or \"findings\" tab. If you've used the website to make changes after submitting an issue, it will be tagged with an \"edited-by-warden\" label.\n\nIf you've submitted an issue with incorrect information or if you've found the same issue but in a different instance, you can withdraw the issue and resubmit it. To withdraw a submission, you can go to the contest page, click on the findings tab, and follow the prompts to withdraw your submission. Alternatively, you can directly message the moderators or submit a help request via www.code4rena.com/help to withdraw your submission. 
\n\nPlease note, even if you've withdrawn an issue, the initial submission may still be publicly available in the edit history. If you have concerns about this, you may wish to contact the help desk.\n\nIf a correct bug issue has been submitted with an incorrect proposed solution, you can update your submission as long as the contest hasn't ended. In the case where a submitted bug severity needs to be increased during a contest, you can submit a help request to remove the original submission and then submit again.\n\nPlease remember to review your submissions before they are reported to avoid any potential issues. Also, note that participants can only submit one QA issue but they can edit the existing submission if they find another error.", "Question: How does a sponsor's decision impact the auditing process and contest outcomes in CodeArena?\n\nAnswer: In CodeArena, each sponsor's decision is independent and does not affect other sponsors' decisions. Sponsors play significant roles in various aspects of the auditing process. They are responsible for deciding the scope of their contests which is typically listed in their contest information. Furthermore, they play a role in contest delays, often due to slow reviews.\n\nParticipants are allowed to discuss potential issues with the sponsors during an ongoing contest which can possibly influence their decisions. However, issues of fairness have been raised as concerns were voiced about sponsors potentially exploiting early access to vulnerability submissions. In response to this, CodeArena adjusted the process so that sponsors now receive a triaged list of submissions after an initial sorting process, reducing their early access to participant findings.\n\nIn the event of a disagreement between a participant's findings and a judge's or sponsor's opinion, the sponsor's decision on mitigation holds sway. 
However, participants pointing out a judge-approved bug or logic flaw will still receive recognition for their work.\n\nDespite their independence, sponsors' actions can complicate the judging process. If sponsors do not fulfill their duties, it generates additional work for judges who have to identify duplicate submissions. Trust in sponsors is paramount, even though potential conflict of interest scenarios, such as sponsors intentionally hiding bugs, have been brought up.\n\nParticipants who have questions about the scope for a particular contest can contact the respective sponsor for clarification. Please note that while sponsors play a significant role, there are also other factors affecting the completion of a contest which may not be visible to all participants. \n\nFor more information on the role of sponsors and the rules surrounding contest participation, please visit our [link to detailed guidelines].", "Question: I have made some errors in my submission, including grammar typos, and have edited it. Is it acceptable to edit submissions, and what are the implications of doing so?\n\nAnswer: Yes, it is absolutely acceptable to edit your submissions. We aim to foster a learning environment where everyone can improve, and this includes making necessary corrections to your submissions. You can edit your submission if you find another error after you've already submitted once. The system tracks edits and they might be tagged to indicate that they\u2019ve been edited, but there is no penalty for doing so.\n\nHowever, if the typo is in a report and drastically changes the meaning of the finding, you will need to file a help ticket to correct it. It's important to note that once a contest has ended, you won't be able to fix typos in your submissions, so aim to review and correct them before the contest conclusion.\n\nAlso, be aware that even after editing, the initial (pre-edited) issue may still be publicly available in the edit history. 
If you have pasted too much information that should not be publicly available, editing would be the best course of action. If you accidentally submitted all your findings to the wrong contest, you will need to submit them again to the correct contest and fill out this form https://code4rena.com/help/ to let the C4 staff know about the incorrect submissions.\n\nLastly, if you realize something is a false positive after submission, you can retract the submission by going to the contest page and clicking the findings tab. You can only submit one QA issue, but you can edit the existing submission if you find another error. \n\nRemember, at CodeArena, we encourage learning and growth, so don't be ashamed of mistakes. Instead, use them as opportunities to learn and improve.", "Question: Can you provide more details about bot races on CodeArena, including what they are, how to participate, what rewards are available, and where to find updates?\n\nAnswer: Bot races are a feature on CodeArena where participants compete through AI-driven auditing of smart contracts. These races are competitions where users can be rewarded for findings made with AI. Interested participants can register their own bot or be part of a bot team during qualifiers, which are held every few weeks. The bot races are held for the first hour of an audit.\n\nTo participate in bot races, you can follow the registration link [here](https://code4rena.com/register/bot). For the bot races, the bots are owned by the individual wardens and are unlikely to be open-sourced by CodeArena. \n\nReward structure is based on the bot race rank, with bots gaining more rewards by achieving higher points and shifting rank cutoffs, thereby displacing others to lower ranks. 
However, the prize pot for bot races may undergo changes, as mentioned in the observations.\n\nFor those interested in getting help with bot races, it can be found in the #bot-race-help channel and updates or information about the next bot qualifier race are posted in the #\u270brsvp channel on our Discord server. It's also worth noting that the winning bot code will not be made public after bot races, only their report will be. \n\nLastly, the importance of finding unique vulnerabilities in bot-racing was discussed and while no definitive answer was provided, it's advisable for bot developers to pay attention to accuracy and avoid false positives.", "Q: As a participant in a CodeArena contest, how do I submit and manage my findings effectively?\n\nA: Each contest on CodeArena has a specific \"Submit finding\" button on the contest page. After you click \"CREATE ISSUE\" in \"SUBMIT FINDING\", the form data gets turned into a submission that goes into the findings repository for that specific contest. \n\nYou can submit one issue per report as each finding needs to be submitted separately. It's recommended to find all bugs before creating a final report to ensure a thorough audit. If you need to edit your already submitted findings, you can do so by going to the contest page and clicking on the \"Your Findings\" button. Participants can also check their submission status or report by selecting the \"My findings\" option on the contest page. \n\nIt's important to note that if multiple auditors report the same bug, they all get a portion of the bounty. Common findings are usually out of scope as they are picked up by the C4udit tool. \n\nFor the \"Proof of Concept\" section when submitting a finding, provide direct links to all referenced code in GitHub and add screenshots, logs, or any other relevant proof that illustrates the concept. \n\nYou can check your issue for the finding you sent on Github from the report. 
User submissions for completed challenges can also be accessed on the concerned GitHub repo once the contest report is published. \n\nFor a better understanding of audit reports, it's recommended to start with reports from smaller bounty contests due to their smaller codebase sizes and less complexity. Past contest reports can be found here: https://code4rena.com/reports.\n\nLastly, the policies related to submission and discussion of findings can be found in the submission policy documentation: https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines.", "Question: What happens when an issue is withdrawn in CodeArena's GitHub repository, can it still be accessed and is its history preserved?\n\nAnswer: Yes, when an issue is withdrawn in CodeArena's GitHub repository, it's not deleted but gets marked as 'withdrawn' and then closed. This means any participant can withdraw their issue if they wish to make a new submission of the same issue. After an issue has been edited or withdrawn, the original pre-edited or withdrawn issue remains publicly available in the edit history. \n\nParticipants can check the issue they sent in the report on GitHub. All issues including those that have been withdrawn or rejected can be found in the closed issues section. They can also access all the issues, including theirs, once the repository is made public. \n\nSubmissions for completed challenges can also be accessed on the concerned GitHub repository once the contest report is published. This includes any changes made to various lines in an issue, for which participants can send a git patch or a PR to the repository.\n\nAn example of a disputed issue can be found at [https://github.com/code-423n4/2023-06-lybra-findings/issues/549](https://github.com/code-423n4/2023-06-lybra-findings/issues/549). 
If participants disagree with a decision about a contest judgement, they can review issues at [https://github.com/code-423n4/org/issues](https://github.com/code-423n4/org/issues). They can add comments on existing issues, support existing suggestions, or open a new issue if their concern is not already addressed.\n\nHowever, it's important to note that there may be issues with visibility of reported issues on the Issues page, potentially due to GitHub issues. In such cases where GitHub has failed to accept issues, it has rejected submissions via the API, resulting in failed submissions. During a recent GitHub outage, several submissions were successfully received in the beholder repository despite the issue.\n\nRules and policies such as the 'known issues' policy can be found at [https://github.com/code-423n4/org/discussions/50](https://github.com/code-423n4/org/discussions/50). For inconsistencies in the contest process and results, or if there is a lack of clarity in rules, participants are encouraged to review issues at [https://github.com/code-423n4/org/issues](https://github.com/code-423n4/org/issues). They can add fact-based comments, support suggestions or open new issues there. \n\nFinally, it's worth noting that users can review issues before they are reported, report them, and even reference previous issues if they're submitting another issue within the same context.", "Question: How do I manage and submit QA reports for low/non-critical issues found during the audit?\n\nAnswer: At Code4Arena, we require users to consolidate all low-severity or non-critical (NC) findings in a single Quality Assurance (QA) report. However, if you've already submitted your QA report and discover another issue, you have the ability to edit your existing submission under \"your findings\" on the contest page. 
Also, if your QA/Gas report exceeds the submission character limit, you can split it into separate sends or submit it via help tickets.\n\nWhen making your submission, it's important to note that all QA/Gas reports issues should be combined into a single report and the gas report should be separated from the QA report. In other words, one big report for gas and one big report for QA is the recommended way of making submissions. Multiple issues of the same nature in a code can be reported as one and a single report with all occurrences of the same issue is acceptable.\n\nFurthermore, the number and nature of issues in your QA report are considered when grading - a single good issue could warrant a grade B, while multiple low-impact issues might result in a grade C. Judges have the ability to upgrade or downgrade issues based on their evaluated severity. For further information on grading criteria and QA/Gas optimizations, refer to our documentation: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nIf you're unsure whether a major functionality lacking test coverage should be listed as a non-critical issue, or if you've found an issue with automated findings but in a different instance, it's best to include these in your report for assessment. Always remember that it's possible to edit your submitted QA report until the audit deadline.", "Question: How can participants gain backstage access and take part in the judging process after the audit contest closes and before the final report is submitted?\n\nAnswer: Backstage access at CodeArena allows certified contributors to participate in the judging process after a contest ends. 
Backstage wardens can review findings, interact with the judge to discuss and re-evaluate findings, contribute to the triage process, and even observe the report submission. \n\nTo obtain backstage access, a contributor must be certified and must meet certain criteria, such as a minimum number of findings and participation in contests. Usually, contributors can apply for backstage access once the contest results are published on the leaderboard, but applications for backstage access might sometimes be suspended. \n\nBackstage access does not automatically grant access to a contest in progress or previously participated contest's judging repository. There are plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. \n\nOnce a participant gains backstage access, they can also participate in a post-judging QA period to comment on the judges' decisions. The status of issues submitted for closed contests is made known when the report is generated or when a participant qualifies for backstage access.\n\nFor more detailed information on how to gain backstage access and the responsibilities and privileges that come with it, please visit: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: What is the process and outcome if I submit a finding that turns out to be incorrect or disputed in severity during a Code4Arena audit?\n\nAnswer: Code4Arena encourages the submission of all findings, even if you're not 100% sure of them. If you submit a finding that is later determined to be incorrect or disputed, there are several possible outcomes. \n\nIf a finding is marked as invalid, feedback will be given from a judge. This feedback is beneficial for learning and improving future submissions. 
If you disagree with a judge's decision, there's an appeal process that you can follow, which is detailed on the website [here](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision).\n\nIf the judge and sponsor disagree with your proposed mitigation, the final decision lies with the sponsor. However, if you manage to point out a bug or logic flaw that is judge-approved, it's considered an achievement.\n\nOn the other hand, if a finding is valid but the severity is deemed incorrect, a discussion is initiated and the severity may be adjusted, unless there is reason for penalization. There is a penalty system in place for setting incorrect severity of issues in smart contract auditing. \n\nIf a finding is deemed to be a false positive and you realize this after submission, you can retract the submission by navigating to the contest page and clicking on the findings tab. There are no negative consequences for accidentally reporting something that is not an issue, but it's recommended to withdraw such reports to save judges' time. \n\nFinally, it's important to note that repeated incorrect findings in a QA report can affect your QA grade. For further clarity on rejections or disputes, you can check the findings report repositories or seek clarification from \"wardens\".", "Question: How should I compile and submit a single report of my findings related to gas optimizations in a contest?\n\nAnswer: When you have multiple ideas about gas optimizations, each finding should be written separately. You can then compile these separate findings into one consolidated report for submission. Remember, only one report of gas optimization can be submitted per contest. 
If you have more findings after submission, you can add them to your report by going to the contest page and clicking the 'Your Findings' button.\n\nIt's also worth noting that if an optimization finding can be applied in more than one line of code, it should be submitted as one finding and mention all lines where it can be applied. If possible, it's helpful to include how much gas would be saved via the refactored code. However, the necessity to specify the amount of gas saved is based on the judge's decision, so it's recommended to ask for clarification if you're unsure.\n\nRemember to separate your Quality Assurance (QA) report from your gas optimization report. Examples of top QA/Gas report from previous contests can be found at https://code4rena.com/reports. If you're unsure whether code simplification, such as combining two for loops into one, should be a QA report or GAS optimization, feel free to ask for clarification.\n\nIt's important to understand that not all gas optimizations are valid when the optimizer is enabled, which can lead to some confusion about what should be reported. For more information about the selection criteria for a report in a contest and the reward distribution for gas optimization, you can refer to this spreadsheet provided for reference: https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0.", "Question: How can I submit updates to my analysis report, specifically for medium findings, and how are these updates assessed by CodeArena (C4)?\n\nAnswer: If you wish to update your analysis report, you should first submit a help desk request. Staff can then add the changes as a comment on the analysis. 
If you've evaluated an issue as low and included it in a Quality Assurance (QA) report, but it's judged as medium, it will be eligible for medium rewards according to Code4rena's incentive model and awards guidelines, as found [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nWhen submitting a medium finding, you can add it without recommended mitigation steps, but a detailed explanation of why it cannot be feasibly mitigated should be included. If you initially classify a finding as medium and it's judged to be of high severity, C4 judges can upgrade the severity. However, if the report is incomplete, lacking in detail, or inaccurate, there might be a reason to penalize it.\n\nIf you discover additional findings after you've already submitted a low-risk report, you can update this information by clicking on the \"Your findings\" button. Medium/High reports can be submitted without recommended mitigation steps, even if there are believed to be none available. Remember, the explanation of your finding is as crucial as its severity classification.", "Question: What should I expect after submitting a help desk request and linking a gist for larger issues?\n\nAnswer: When you submit a help desk request, you'll receive a confirmation that your request has been received. This might not necessarily come via email, especially if there have been recent issues with Github, as reported here https://www.githubstatus.com/incidents/r5qrpp2f5fc0. Your request will be processed and should receive a response within a week. \n\nFor larger issues that don't fit in the textbox on the help desk site, you have the option to link a gist. While you can't edit the analysis report directly, you can include a secret gist in your help desk request to have edits added to the comments of your analysis report before the audit closes. 
\n\nIf your help desk request is related to the status of an audit, your KYC confirmation, or to track a submission, you can open a request for these specific issues. If you're concerned about the security of your issue contents or if your Proof of Concept (PoC) is too large to be included directly in the issue, linking a gist is an acceptable method. \n\nRemember, if you don't receive a confirmation email after submitting a finding or registering with CodeArena, you can open a help desk request at https://code4rena.com/help/. You can always check the status of your request by submitting a separate help desk ticket.", "Question: I am participating in the Maia contest which is ending in a few hours. How can I submit my findings and are there any specific instructions I need to follow?\n\nAnswer: \nYou can submit your findings for the Maia contest at the end of the contest period. Please note that you can edit your submissions until the contest closes. If you are facing difficulties running the contest with the provided instructions, we recommend checking the updates to the bot race reward structure announced for the Maia contest, which you can find at this link: https://discord.com/channels/810916927919620096/958800160870240286/1109067971915153508. \n\nIn case you've missed the deadline due to unforeseen circumstances such as a power outage, unfortunately, we currently don't have a policy to accommodate such situations. To keep track of the submission deadline, there have been requests for a countdown timer, something we may implement in the future. \n\nFor analysis, examples will be provided from the Maia contest onwards. If you encounter any security issues or have further questions related to the contest after it has closed, please submit a help request at https://code4rena.com/help. \n\nPlease remember that unlike some other contests like the BASE contest, the Maia DAO Ecosystem contest does not require a KYC (Know Your Customer) protocol. 
Good luck with your participation!", "Q: How can I submit a help desk request at Code4Arena, especially when the text for the request exceeds the character limit on the site?\n\nA: If your help desk request exceeds the character limit, you can still submit your request through a couple of methods. First, you can edit the submission to meet the character limit. However, if your text is too large to fit into the textbox, you can also provide the help desk request by linking a gist. This is particularly helpful if you're submitting QA reports or issues that are complex and require more detailed information. \n\nYou can create a help desk request for a variety of issues, such as problems with your status, questions about analysis report, or even backstage access, once all criteria are met. You can also use the service for specific requests such as applying for a backstage role or requesting a logo change. \n\nTo ensure your privacy and security, especially if you're dealing with sensitive issues, you can make private inquiries to a member of the Code4Arena team through the Help Desk request. \n\nWe strive to make the process as smooth as possible. Once you submit your request, you will receive a confirmation that it has been received and it will be processed in a timely manner.\n\nYou can submit your help desk request on our website at https://code4rena.com/help. Should you need further assistance or have any difficulty, please do not hesitate to reach out to our team. We're here to help!", "Question: I was unable to submit my findings for the Maia contest due to certain issues. Can you assist?\n\nAnswer: We're sorry to hear about the difficulties you faced during the Maia contest. We understand that there were different types of issues, such as power cuts and technical problems. After such issues are resolved, you should be able to submit your findings. 
Remember, there isn't a specific timeframe for submitting high or medium issues, but you should avoid submitting too close to the contest close time to avoid any last-minute hitches. If you're still unable to submit your findings, please contact us through https://code4rena.com/help. \n\nAlso, please note that changes to the severity of bugs can be made after the contest's closing time through the PR or by contacting one of our judges. If you're worried about certain issues you've reported being marked as invalid, you can monitor the backstage channel for post-judging updates related to the contest. \n\nOnce a contest is closed, you won't be able to fix typos in your submissions, so double-check before submitting. Lastly, updates to the contest reward structure are usually announced before the contest; you can check the updates for the Maia contest here: https://discord.com/channels/810916927919620096/958800160870240286/1109067971915153508. \n\nWe value your participation, and we're here to support you throughout the process.", "Question: Is it permissible to submit a Notion link for the Analysis report during the submission process, and can this report be edited after it has been submitted?\n\nAnswer: The chat records do not explicitly confirm whether a Notion link can be submitted for an Analysis Report during the submission process. However, it is known that users have the ability to submit links for QA reports or Proof of Concept scripts. There are guidelines for analysis submissions on this link: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118. As per the discussions, it is suggested that one should be able to check the success of their report submission by looking out for an email and the ability to edit submitted findings. However, concerns were raised about editing a Notion document after the report is closed. It is also stated that currently, users cannot send in updates to their analyses. 
Therefore, if you wish to use Notion for formatting your analysis report, it may be beneficial to copy-paste the formatted text when submitting. This way, you can preserve the necessary markdown formatting. Please be sure to verify these details with official sources to confirm the acceptability and feasibility of this method.", "Question: How does the analysis report creation and submission work for a CodeArena contest like the Maia contest?\n\nAnswer: Users have the ability to create and submit an analysis for CodeArena contests such as the Maia contest. To understand what needs to be included in the analysis report, you can check out our Judging Criteria on the Code4rena website (https://docs.code4rena.com/awarding/judging-criteria#analysis). After the report is submitted, it can be viewed in the \"My Findings\" section on the contest page and can be edited if needed. The edits can be made while the contest is still open. However, please note that it's currently not possible to send in updates to analyses after the contest closes (https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118). \n\nEvery time a contest launches, a report is run which allows others to vet their analyzers. These reports are then published mid-contest on the public report page. At the end of the contest, the submissions for a contest can be reviewed and the findings repo is made public. Unfortunately, the findings of a contest cannot be viewed after it finishes but before the results are published.\n\nUsers can check all the reports they submitted during the competition and they will receive confirmation via email. Additionally, projects have access to submitted findings before the contest completion. Participants can further track their report status and see and edit their findings in the \"findings\" tab next to the contest description. Reports from past contests are available at https://code4rena.com/reports. 
Please be aware that there are plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging.", "Question: What are the key considerations in participating in a bot race at CodeArena, particularly regarding the identification of unique vulnerabilities, their frequency, and the accuracy of findings?\n\nAnswer: In CodeArena's bot races, it appears that both the presence of unique vulnerabilities and their frequency are significant. However, the exact weightage of these factors has not been definitively discussed or clarified in the provided chat history. \n\nA bot's ability to accurately identify vulnerabilities without producing false positives seems to be advantageous, but again, it's unclear how this is evaluated. It's important to note that a bot's proposed fixes might introduce more damaging exploits, causing concern among participants. Also, a bot race report containing a low vulnerability with multiple instances should be added to the QA report.\n\nIf a bot identifies a high or medium finding, it only gains the bot pool reward based on the bot race rank. Greater rewards are earned by achieving more points, shifting the rank cutoffs, and pushing others to lower ranks. A bot's findings may be rated lower than their actual severity, and a warden can later report the vulnerability during the contest with a higher severity rating. \n\nIf a participant escalates a low-severity issue from a contest's bot report to a high-severity one, it's not automatically invalid. However, the claim must be backed by strong evidence demonstrating a relevant high or medium severity exploit path. 
More details on this policy can be found here: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.\n\nIn terms of participating in bot races, it's important to understand that the bots are considered a warden's intellectual property and are unlikely to be open-sourced by CodeArena. For more information about bot races and registration, please visit https://code4rena.com/register/bot.", "Question: Can I use a Notion link for my analysis report, and can this be edited after submission? \n\nAnswer: Yes, you can use a Notion link for your analysis report. However, keep in mind that concerns have been raised about the ability to edit a Notion document after the analysis report is closed, as this could potentially create an unfair advantage. If your Proof of Concept (PoC) for an issue is too large to embed directly, you can provide a link to it, a method known and implemented by many wardens. You can also refer to a specific file and line number for code in reports. But remember that adding a link that points to the sponsor's GitHub repo code does not automatically pull in that code snippet to the report. \n\nYou may edit your analysis after submission, but direct edits to the report are not possible. You can create a help desk request including a secret gist to have edits added to the comments of your analysis report before the audit closes. You can view your submissions by checking your Analysis Report. Until the report goes live, the issues found cannot be seen by the participants. The platform allows viewing reports from other wardens even after contests have ended. You can check the success of your report submission by looking out for an email and the ability to edit submitted findings.\n\nFor more information on how the Analysis report works and what needs to be filled, visit the following link https://docs.code4rena.com/awarding/judging-criteria#analysis. 
You can also find information about submitting an Analysis Report, and other FAQs at https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Question: I wasn't able to submit my findings for a contest before the deadline due to unavoidable circumstances. Is there another way for me to submit my findings?\n\nAnswer: We're sorry to hear about your situation, but our policy strictly prohibits the acceptance of late submissions. All findings must be submitted before a contest ends. You can find more information about our submission policy at https://docs.code4rena.com/roles/wardens/submission-policy#late-submissions.\n\nHowever, we understand there can be technical issues. If you've submitted your findings but saw a \"No findings submitted for this contest\" message, or you didn't receive a confirmation email, there might have been an error. In such cases, you can open a help desk request at https://code4rena.com/help/.\n\nAs for editing or checking your submitted findings, you can navigate to the contest page, click on the \"Your Findings\" button and modify your submission. Note that your findings will not be made \"public\" until the contest is finalized, and sponsors may not have access to the findings repo before the contest end.\n\nRemember, findings submitted for contests may not always make it to the final report. The reasons might not be immediately known. To check, you need to wait until the reports are published, which usually takes at least a month after the contest ends. Also, backstage access to the findings repo when a contest ends is currently suspended until further notice. \n\nFor any further queries or issues, feel free to reach out to us.", "Question: When and how does the public visibility of the analysis reports and findings occur in the CodeArena process?\n\nAnswer: Analysis reports and findings in CodeArena go through a series of processes before they become publicly visible. 
After a contest ends, the reports or findings are immediately reviewed and triaged by judges. However, they are not made public right away. They have to await sponsor review, final judging, and Quality Assurance. During this period, only the sponsor and C4 staff can access the findings.\n\nOnce the report is published, the findings repository is made public. Participants can then view their submissions and understand the reason for their rejection, if any, as the report offers visibility into the discussion among sponsors and judges on the specific issue. This process allows for transparency and understanding on the participants' end. The specific duration for this process is not explicitly mentioned.\n\nFurthermore, users can see their submissions by checking their Analysis Report. For clarity on how the Analysis report works and what needs to be filled in it, users can refer to the document [here](https://docs.code4rena.com/awarding/judging-criteria#analysis). \n\nThough only findings submitted by a user or their team are visible to them until the final report is made public, certified contributors have the privilege to view the findings repository immediately after a contest ends. \n\nFindings during a contest remain private until the report is published to ensure fairness in the contest. Finally, audit reports for recent competitions are typically made publicly available after the conclusion of the contest, sponsor reviews, judging, awarding and reporting.", "Q: How can I create, submit and edit an analysis report on CodeArena?\n\nA: To create an analysis report on CodeArena, you need to submit your findings or analysis about the system. This can be done even if you have no significant findings as this provides advice on future aspects of the project. You can check your submissions by looking at your Analysis Report. 
Information on how to submit an Analysis Report can be found at [this link](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118). \n\nAfter you've submitted your analysis, you cannot currently edit or resubmit it directly through the platform. However, you do have the option to edit your findings by going to the audit page and clicking the \"Your Findings\" button. If you need to make changes to the analysis report, a help desk request can be created with your edits, which will be added to the comment section of your analysis report before the audit closes. You can also check when your findings have been edited. \n\nIf you're unsure whether your submission was successful due to an error, you can confirm your submission's status via the confirmation email you receive, or by viewing the findings through the \"View Context\" function. \n\nIn the future, CodeArena also plans to introduce the functionality to edit or resubmit an analysis report. For more details on how the Analysis report works and what needs to be filled in, you can refer to [this page](https://docs.code4rena.com/awarding/judging-criteria#analysis). \n\nPlease note that the current submission UI on the site does not support upgrading an analysis report. However, you can create a Quality Assurance (QA) report and edit it for more details. If you are participating in a contest and need to create an analysis report, such as for the Maia contest, the report can be viewed by others for vetting after the contest launch. All reports remain visible even after the contests have ended. \n\nYou also have flexibility in how you present your findings in your report. Users are discussing whether they can put all non-critical findings in one QA report or create one QA report for every finding. It's also possible to include images in your report. 
For a more precise categorization of findings that could fit into two categories, such as mechanism and architecture, you can refer to the report formatting guidelines. \n\nAlways remember to check the guidelines and FAQ page for updated information and instructions.", "Question: Can you provide more details about the Mechanism review in the analysis report and how to approach it if I don't have expertise in mechanism and incentive design?\n\nAnswer: The Mechanism review is a part of the analysis report where you can contribute insights related to mechanism and incentive design and how they could be gamed or abused. However, if you're not experienced in this area, it's not necessary to force it. Instead, you should focus on areas where you have expertise. If you find a piece of information that could fit into both Mechanism and Architecture categories, you can choose the most appropriate one based on your understanding.\n\nRemember that an analysis report is not only about findings, but also about providing constructive advice for the future of the project. You can still submit a report even if you have no significant findings. \n\nFor more detailed guidelines and instructions on how to fill out an Analysis report, you can refer to https://docs.code4rena.com/awarding/judging-criteria#analysis and https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118. \n\nYou can view your submissions by checking your Analysis Report and it's worth noting that reports can be revised and resubmitted if required. If you're interested in the grading process used in QA reports, you can read the following article: https://medium.com/code-423n4/a-look-at-code4rena-audits-mitigation-review-3e05f8b7acb7.\n\nPlease note that the process involves demonstrating an understanding of how an issue could be exploited. In the case of a low-impact QA report potentially becoming a high-impact report, the report could be upgraded. 
However, without such understanding, the job is considered only half-done. \n\nLastly, please be aware that your analysis reports are publicly visible.", "Question: How should I categorize and report findings from a smart contract audit that could fit into more than one category, such as mechanism and architecture, or QA and Medium?\n\nAnswer: When you conduct a smart contract audit and come across findings that seem to fit into multiple categories, you can use your discretion to place them where it makes the most sense to you. You can also include the same finding in both reports if it's relevant for both categories, like mechanism and architecture, or QA and Medium. However, keep in mind that the judge has the final say on where the finding best fits. \n\nIf you're unsure whether one issue should be reported as separate issues, consider whether the vulnerabilities are found in different components, or if different issues can be resolved by fixing the same thing. In the former case, these might count as separate findings, but in the latter, they could be considered as one issue, especially if the root cause is the same. If two separate vulnerabilities can be combined to create a more powerful one, you might want to submit a third finding explaining the proof of concept. \n\nIf a single line of code has multiple ways of exploitation, there's some debate on whether it should be reported as one bug or multiple, and the final decision is generally up to the judge. \n\nIn your report, make sure to include a Proof of Concept (PoC) for potential medium findings. Without a PoC, a finding may be disregarded unless the issue is extremely obvious, like a wrong parameter, typo, or code that doesn't compile. \n\nFinally, remember that you can include both high severity and medium/low severity issues in the same report. However, put the highest effort into detailing high severity issues. 
For more details, refer to our Analysis Guidelines and FAQ at https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Question: How can I format, update, and improve my smart contract audit submissions on CodeArena?\n\nAnswer: Yes, you have the flexibility to format your audit submissions in a way that helps you best present your findings. You can use markdown formatting not only in your report but also in issue titles. Our reporting section supports Markdown (MD) format, which can be used to add code blocks. If you're unsure how to do it, here's a helpful guide: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.\n\nIf your findings include visual elements, you can include images in your report; the final report will be compiled with the image(s) if accepted. More information on adding images to markdown can be found here: https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images. \n\nYou're even allowed to cite similar findings from other contests to justify the severity and validity within your submissions. If you discover additional findings after an initial submission, you can update your report through the \"your findings\" button on the contest page. In case you have larger reports, you can submit them via email and place a placeholder in the original submission. \n\nIf you're part of a team, you have the option to submit findings individually or as a team. You can modify your submitted findings if needed and if you're unsure about the success of your submission, you can look out for an email confirming the submission and the ability to edit submitted findings. \n\nHowever, it's currently unclear whether the judges prefer the inclusion of line numbers in code snippets for h/m issues, or how to categorize findings that could fit into two categories. 
If you're uncertain, feel free to ask for clarification in our Discord chatroom.", "Question: What are the rules and procedures regarding submissions in CodeArena contests?\n\nAnswer: Submissions in CodeArena contests follow a set of rules outlined in the Submission Policy. Participants are allowed to submit their findings at any time prior to the contest end time. However, it is important to note that submissions cannot be made more than 3 hours prior to the contest stop time. Participants can edit their submissions until the contest closes and updates to report submissions are permissible as long as the contest has not ended. A grace period on submissions is also provided, but late submissions for contests are not accepted. In case a correct bug issue is submitted with an incorrect proposed solution, the submission can be updated if the contest hasn't ended.\n\nOnly the team has access to submissions before a contest ends. After the contests end, those with the \"backstage\" role get access to findings to help with triaging. Sponsors generally do not see the submissions before the contest ends. There are plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging.\n\nThe company is considering releasing all unverified submissions a few days after a contest ends, before judging. The related discussion can be found [here](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123). \n\nThere is also a request for a countdown timer for the submission deadline and the company is considering its implementation. Finally, the submission rules prohibit making findings \"public\" until a contest is finalized. 
Any findings that are not submitted before the end of the contest will not be eligible.", "Question: Can you provide some resources and clarification on whether a view function returning 0 is the same as a revert in smart contracts?\n\nAnswer: A view function returning 0 is not the same as a revert in a smart contract. In Ethereum Smart Contracts, a function reverting implies an error or abnormal condition occurred and the transaction is not successful. It also means that all changes to the state of the contract are rolled back, and the gas used up to the point of revert is consumed. On the other hand, a view function returning 0 typically means the function completed successfully and the return value is 0. \n\nIf a function call in a smart contract always reverts, it can be considered as a Medium or High finding depending on the context, such as if assets are not at risk. Gas optimization in view functions can be reported as well. Furthermore, calling a view function from a non-view function in the same contract can cost more gas. If you want to gain a deeper understanding of how functions like delegatecall work with storage, you may refer to the Solidity docs and the Geth source code at https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302.\n\nFor more detailed information and resources about Solidity, smart contract auditing, and related topics, we recommend the following:\n\n1. Ethereum StackExchange for a broad range of discussions and Q&A on Ethereum and smart contracts: https://ethereum.stackexchange.com/\n2. Code4Rena's documentation for learning smart contract auditing: https://docs.code4rena.com/roles/wardens/tools-and-resources\n3. A GitHub repository explaining the case of tokens that do not revert on failure: https://github.com/d-xo/weird-erc20#no-revert-on-failure\n4. For learning math regarding solidity projects and how the accountings are done, this YouTube channel may be useful: https://www.youtube.com/@smartcontractprogrammer\n5. 
EVM opcode learning resource: https://www.evm.codes/\n6. This repository for smart contract visualization also provides good insights: https://github.com/DanielVF/evm-contract-draw\n7. For starting to learn smart contract auditing, resources such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ can be useful.\n8. For more about solidity contracts and issues related to them, you can check approved findings and gas optimizations on our GitHub: https://github.com/code-423n4\n\nPlease note that this is a complex topic and the understanding of it can vary based on the exact use case and context.", "Q: What can I do if I missed the deadline for submitting my findings for the MaiaDAO contest due to a power cut, and how can I manage my submissions?\n\nA: We understand that unforeseen circumstances like power cuts may happen. However, according to our policy, we unfortunately cannot accept late submissions under any circumstances. You can view the policy here: https://docs.code4rena.com/roles/wardens/submission-policy#late-submissions. \n\nOn another note, for future reference, you should know that our platform allows for flexible management of your submissions. You can submit, edit, or withdraw your findings multiple times before the contest deadline. To do this, simply navigate to the specific contest page on our website and click on the \"Your Findings\" button. For example: https://code4rena.com/contests/2023-02-ethos-reserve-contest. \n\nIf in case you submit a finding to the wrong contest, you can resubmit it to the correct contest and fill out a form to let the C4 staff know about the incorrect submissions. The form can be found at https://code4rena.com/help/. \n\nPlease be aware that all findings must be submitted prior to the contest closing and cannot be submitted after the contest has concluded. Findings that are not submitted before the contest ends are not eligible. 
Also, even after the contest closes, you have the ability to alter the severity of reported bugs either through the PR or by contacting one of our judges. \n\nAfter the contest, you can review your submissions in the published report when the findings repository is made public. You can also view other participants' findings at this time. Please note that it can take at least a month for the reports to be published, and not all findings submitted may make it to the final report. The reason might not be immediately known and you might have to wait until the reports are published to check.", "Q: How can I register for the Bot Races in CodeArena and when are the registrations usually open?\nA: Bot Races are a unique feature of CodeArena where users can participate using bots to find vulnerabilities in smart contracts. The registration for Bot Races is not always open, it is typically opened every couple of weeks. Announcements regarding bot registrations and qualifier races are made on the #\u270brsvp channel on our Discord. Additionally, you can find detailed information about Bot Races, including the process of creating a bot team and registering for the race during qualifiers, at https://code4rena.com/register/bot. Sometimes, results for bot qualifiers are announced within a week. Please note that for certain contests, only bots registered in the chainlink protocol can be used. The concept of 'bot crews' is also used in these races, which is different from teams and requires registration during the qualifiers. As for the Bot Race prize pot, it was initially taken from the HM pot, but this arrangement may change in the near future. Keep an eye on our updates for more information.", "Question: When and where can I find the results from the CodeArena (C4) contests, such as the BASE contest?\n\nAnswer: Contest results usually take about two months to be announced after the contest ends. 
Please note that the timeline can be dependent on how long the judging process takes. Once the contest ends, the findings are reviewed and triaged by the sponsors before they go to judging. These findings remain private until the report is published. \n\nYou can usually expect the public report page to be updated mid-contest with initial information. The full report, containing analysis and findings, is made public and can be reviewed after the contest ends. You can find which findings of a contest were rejected and why, as well as view others' findings in this report.\n\nThe cumulative results from the first two contests can be viewed on the leaderboard at https://code423n4.com/leaderboard/. Results of past contests are available at https://code4rena.com/reports. \n\nFor individual contests such as the BASE contest, please note that delays can occur. As per the latest update, there was a delay in the BASE results but they will be available soon. \n\nIf you have participated in a contest and wish to inquire about the progress and schedule of final reports, you may do so. To submit your findings for a contest, you can visit the specific contest page on the CodeArena website and fill out the form.\n\nAs always, the results of contests are confirmed and discussed in the section where contests are posted. You can also look out for results announcements in the contest channel on our Discord.\n\nFor other queries about contest updates, results, team information, and rewards, feel free to reach out to us. We're here to help you.", "Question: How does CodeArena ensure the stability of its operations and rewards in USDC, considering possible fluctuations in the value of USDC?\n\nAnswer: CodeArena is mindful of the stability of the platforms and rewards it offers. When it comes to the value of USDC, the company has previously handled several stablecoin crises, making swaps as necessary based on the market situation. 
If USDC appears to be losing value significantly, CodeArena would likely swap to another stablecoin to ensure the value of rewards and payments.\n\nThe process involves defined prize pools and fees upfront, similar to a bug bounty platform. Once a report by a participant is accepted, USDC begins to flow into the contributor's wallet. It is worth noting that some users have raised concerns about the stability and future of USDC, as seen in this article: https://taibbi.substack.com/p/the-financial-bubble-era-comes-full?utm_source=substack&%3Butm_campaign=post_embed&%3Butm_medium=email&utm_medium=email.\n\nHowever, CodeArena actively monitors such situations and aims to ensure the secure and timely delivery of rewards and payments. As CodeArena continues to grow and improve its processes, it remains committed to maintaining transparency and effectiveness in its operations. Any changes in the CodeArena's policies or procedures including those related to the use of USDC will be documented and can be proposed at: github.com/code-423n4/docs.", "Question: How does CodeArena manage the potential risks associated with USDC, and what assurances can they offer in case of any financial instabilities?\n\nAnswer: CodeArena is well-prepared to manage potential financial instabilities associated with USDC. We have previously weathered various stablecoin crises, adapting our strategies as necessary to maintain stability. We do this by swapping to another stablecoin if it appears that the USDC might be heading towards a crisis. \n\nIt's important to note that we see no current risk to USDC. Nonetheless, we understand and appreciate the concerns raised by our community members. For instance, several users shared this article discussing potential financial instabilities associated with USDC (https://taibbi.substack.com/p/the-financial-bubble-era-comes-full?utm_source=substack&%3Butm_campaign=post_embed&%3Butm_medium=email&utm_medium=email). 
We value such insights from our community as they help us maintain a proactive stance.\n\nOur primary commitment is to the security of our operations. Part of these operations include running contests for analyzing smart contracts and potentially audits for websites and other infrastructures in the crypto space. We're also considering introducing pentesting audits to further ensure the security of our platform, as suggested by some of our members.\n\nIn terms of transparency, we are open about our risk management strategies and the steps we would take in response to potential financial crises. Our aim is to continually improve our processes to prevent any long delays in the future, thus ensuring our operations remain effective and reliable.\n\nWe also want to assure our users that we intend to remain open to new wardens indefinitely. We believe in an inclusive approach and don't see this as a dilution of prize funds. Instead, we see it as an expansion of our community and a resulting increase in our collective knowledge and capabilities.\n\nRemember that we value the trust that our users put in CodeArena, and we strive to maintain that trust by ensuring the security and stability of our operations. We thank our community members for their active participation and valuable insights, which contribute significantly to our continual improvement.", "Q: I am unable to log into my CodeArena account and have been facing issues accessing my account that has been inactive for some time. What steps can I take to recover my account? \n\nA: Firstly, ensure that you're using the correct username and password for your CodeArena account. If you've forgotten your username or password, or if you're still having issues logging in, you can seek assistance in the #auth-help channel on our Discord. \n\nIf your account was inactive for a long time, such as participants in the 2022-11-looksrare-aggregator-contest, this could be causing the issue. 
It's important to remember that usernames on CodeArena are currently immutable and cannot be changed. Therefore, if you've changed your username elsewhere (like on Discord or Twitter), make sure you're using the original username for CodeArena. \n\nIn case your account has been compromised or you need to change your login address, please submit a helpdesk request with details and a mycrypto.com signed message. Please note that CodeArena currently doesn't support changing the login address directly. \n\nFor any other issues, you may need to submit a help desk ticket at https://code4rena.com/help. This includes problems with receiving emails after registration, associating your Twitter handle to your CodeArena profile, or changing your profile image. \n\nIf you believe there's a security vulnerability impacting CodeArena's webapp, please report it to security@code4rena.com.", "Question: I'm having trouble logging into my CodeArena (C4) account. What steps should I take to resolve this issue?\n\nAnswer: There could be a number of reasons why you might be experiencing difficulties logging into your CodeArena account. Here are some steps you can take to troubleshoot this issue:\n\n1. Check if you're using the correct wallet or email for logging in. For example, if your account was inactive for a long time or you signed up for a contest such as the 2022-11-looksrare-aggregator-contest (https://code4arena.com/contests/2022-11-looksrare-aggregator-contest), you may need to use the same login credentials you used at that time.\n\n2. Check if the C4 website is operational. There have been reports of users experiencing issues with accessing the C4 website. You can check the site's status at https://downforeveryoneorjustme.com/code4rena.com.\n\n3. If you're having issues with viewing the repo or submitting findings, ensure your GitHub account is logged in and it is the same account given for C4.\n\n4. 
Seek help in the #auth-help channel if you're still having trouble logging into Code4Arena. \n\n5. If you believe your C4 wallet has been compromised, submit a help desk request for assistance at https://code4rena.com/help/.\n\n6. If you have issues connecting your Discord account with your Code4Arena account, don't hesitate to reach out for help.\n\n7. If you need to change any account details (such as your Twitter username, C4 profile photo or payment addresses), this can be done by submitting a help desk request at https://code4rena.com/help/ or from your account screen https://code4rena.com/account respectively.\n\nRemember, you can always direct message the C4 staff members if you need further support.", "Question: How can I locate my findings in the CodeArena GitHub repository?\n\nAnswer: To locate your findings in the CodeArena GitHub repository, you will need to search for your username or handle. You can check the issue for the finding you submitted by navigating to the relevant repository under CodeArena's GitHub account. These repositories generally have names ending with 'findings' or 'audit'. You can access all past submissions in any repository ending with '-findings' at https://github.com/code-423n4. \n\nIf you want to check how your findings were judged, look in the data folder in the findings repository for JSON files named as [warden-handle]-[issue number]. For findings from bug hunts, you can look at examples of past submissions at https://code423n4.com/reports. \n\nA GitHub link that provides instructions on sharing Proof of Concepts (PoC) for vulnerability discovery is available at: https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc. If you used automated tools for your findings, bear in mind that there is a higher burden of proof required to demonstrate a relevant exploit path. More information can be found at https://github.com/code-423n4/org/discussions/50. 
\n\nIf you experience any technical issues viewing the repo or submitting findings, make sure your GitHub account is logged in and that it's the same account you provided for CodeArena. If you still cannot access the findings repo, you may need to request to be added to the backstage group on GitHub. \n\nRemember, all the findings are posted as GitHub issues on a public repository and are also made available on the C4 website, https://github.com/code-423n4.", "Question: How can I update my Twitter handle and other profile details on CodeArena?\n\nAnswer: You can update your Twitter handle, profile image, and other profile details such as the warden name and avatar on CodeArena by creating a help desk request. This can be done by visiting the help desk page at [https://code4rena.com/help]. When submitting a request, be sure to include your current handle and the updated information you wish to change. This could include your new Twitter URL, the desired image link for your new avatar, or any other updates for your profile. Once your request is submitted, CodeArena will update your profile accordingly. Please note, to change your username, you may need to re-register on the platform. For changing the login wallet address, you can follow the instructions provided at [https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with].", "Question: What tool does CodeArena use to calculate Lines of Code (LOC) and how is it applied across different contests?\n\nAnswer: CodeArena uses the tool 'cloc' to calculate Lines of Code (LOC). However, it's important to note that there can be differences in the measurements of lines of code in different contracts and reports. For instance, LOC can sometimes be confused with SLOC, which stands for Source Lines of Code. SLOC is actually the number of Lines of Code minus the number of lines that are comments. 
You can learn more about this concept [here](https://www.google.com/search?q=SLOC+meaning&oq=SLOC+meaning). \n\nIn terms of standardization across different contests, there has been a suggestion to normalize this to avoid any confusion on how LOC or SLOC is determined. This can also help in maintaining the integrity of the reports, especially when the number of lines of code mentioned in the README.md may not match the actual lines in the contract files, as it was noticed in the Sherlock finance's repo [here](https://github.com/code-423n4/2022-01-sherlock).\n\nMoreover, there is a tool [here](https://github.com/sseefried/c4-stats) that can help in accessing contest-related information, including LOC or SLOC. Although the C4 team is continually working on improving their tools and procedures to ensure accuracy and speed, there may be times when discrepancies occur, like the incorrect SLOCs reported for Dopex. In such cases, it's important to refer to the official channels or documents for confirmation. \n\nHowever, keep in mind that the tool used for automated findings is not specified if it is available to run locally. In the case of any confusion or queries, the users can always refer to the organization's official [process documentation](https://docs.code4rena.com/structure/our-process).", "Question: Is it possible to edit or resubmit an analysis report on CodeArena's platform? \n\nAnswer: Currently, the platform does not support editing or resubmitting an analysis report after its submission. This limitation is noted in CodeArena's Analyses Guidelines and FAQ (https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118). However, you still have the option to make changes to your analysis report before the audit closes by creating a help desk request and including a secret gist. The changes will be added to the comments of your analysis report. 
\n\nPlease note that there might be some issues with visibility of the analyses and the embedment of images in the Analysis Report Preview. To view your submitted findings, you can go to the audit page and click on the \"Your Findings\" button. \n\nCodeArena is aware of the desire for this feature and is planning to implement the ability to edit and resubmit analysis reports in the future. Participants will be notified when this feature becomes available. We appreciate your patience and understanding as we continuously work to improve our platform.", "Question: Is it safe to use `safeTransferFrom` function in the context of smart contracts, specifically when ERC-20 or ERC-777 tokens are involved?\n\nAnswer: The safety of using `safeTransferFrom` greatly depends on the token used and the expectations of the code. `safeTransferFrom` is generally used to prevent failed transfers or approvals from passing silently. In some tokens, transfers or approvals that fail do not revert, leading to potential loss of funds or other unintended consequences. You can refer to this [repository](https://github.com/d-xo/weird-erc20#no-revert-on-failure) for more information on tokens that do not revert on failure.\n\nHowever, it's essential to note that using `safeTransferFrom` with certain tokens may lead to unexpected behaviors. For instance, when interacting with ERC-777 tokens, calling `safeTransferFrom` could potentially invoke a reentrancy attack if not properly guarded. 
An example of such a scenario with a low-risk categorization can be found [here](https://code4rena.com/reports/2022-12-caviar#l-01-missing-reentrancy-guard-to-withdraw-function).\n\nAdditionally, if a token approval goes back to zero as part of a race protection mechanism, using `safeTransferFrom` should not cause an issue.\n\nLastly, when using `safeTransferFrom` or any function that interacts with external contracts or tokens, it is crucial to check that the contract has been properly initialized before deployment on the Ethereum mainnet. This can help mitigate risks associated with uninitialized contracts.\n\nIn summary, while `safeTransferFrom` function provides certain protection mechanisms, its safety and efficacy are highly contextual and dependent on the specific token and code in use. It is always recommended to conduct a thorough audit of the smart contracts in question to identify and mitigate potential risks. CodeArena, for instance, specializes in helping companies audit their smart contracts.", "Q: How can I locate my reported vulnerabilities in the CodeArena GitHub repo, especially when there are numerous reported vulnerabilities? \n\nA: First, to find your reported vulnerabilities in the CodeArena GitHub repo, you can search for your username or handle. CodeArena repositories containing findings end with the suffix '-findings'. For example, you can check past projects like the Ajna finding at https://github.com/code-423n4/2023-05-ajna-findings/issues/329. \n\nAll past submissions can also be viewed in any repository ending with '-findings' on the CodeArena GitHub page: https://github.com/code-423n4. If you are looking for how your findings were judged, you can check the data folder in the findings repository for JSON files named as [warden-handle]-[issue number]. 
\n\nTo understand more about issue finding, you can also access the findings.csv file in CodeArena's website repository at https://github.com/code-423n4/code423n4.com/tree/main/_data/findings. \n\nFor detailed discussions about specific issues, you can visit the Github page of CodeArena, for example, https://github.com/code-423n4/2023-06-lybra-findings/issues/364#issuecomment-1689165295. \n\nRemember, the findings repo is public, and there are links to the findings repo in each report on the C4 website: https://github.com/code-423n4. If you encounter any technical issues accessing the repo or submitting findings, make sure your GitHub account is logged in and it is the same account you shared with C4.", "Question: Can I modify my issue submission on CodeArena and what are the conditions and steps to do so?\n\nAnswer: Yes, you are allowed to modify your issue submission in CodeArena, as long as the contest hasn't ended. You can modify issues such as the severity of reported bugs, or the proposed solution if initially submitted incorrectly. If you notice another error after your initial submission, you can also update your QA report. \n\nTo edit your submission, you can navigate to the contest page, click on the \"your findings\" button and make your required edits. For detailed guidelines on how to do this, you can refer to this link: [Analyses Guidelines and FAQ](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118). \n\nPlease note, it's possible to review and withdraw your issue if you want to submit a new one. However, even after editing, the initial (pre-edited) issue may still be publicly available in the edit history. \n\nMoreover, if you're a certified contributor, you'll be allowed to view submitted issues right after the contest closure and give inputs on these during judging. 
\n\nPlease bear in mind, if you encounter any issue with the submission form or process, you can always communicate it to our team for resolution.", "Question: What should I do if I'm experiencing issues connecting to the CodeArena website using wallet connect, I can't log in, or change my wallet address?\n\nAnswer: If you're having trouble connecting to the CodeArena website using wallet connect, logging in, or changing your wallet address, there are several steps you can take. \n\nFirstly, you can report your connection issues to the #auth-help channel on our Discord server. Participants have also reported issues with logging into Code4rena, which could be due to using the wrong wallet or email. If you have any issues connecting your Discord account with your Code4Arena account, you can also reach out for help.\n\nIf you're struggling to remember your registration wallet address, you can seek assistance at https://code4rena.com/help. This is also a good place to go if you've noticed suspicious activity and think your account may have been compromised.\n\nKeep in mind that currently Code4rena does not allow users to change their login wallet address. However, if you are using Metamask, you can link multiple addresses. More information can be found here: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with\n\nIf you are still experiencing issues, or if your question isn't answered here or on the FAQ page, you can submit a help request at https://code4rena.com/help. Be sure to include as much information as possible so we can best assist you.", "Question: \nI've submitted my findings for the Ajna project but I can't seem to locate them. How can I find and edit my submissions?\n\nAnswer: \nIf you've submitted findings to a contest like Ajna, they should be accessible on the contest page under the \"Your Findings\" button. 
For instance, the Ajna project can be found at https://github.com/code-423n4/2023-05-ajna-findings/issues/329. \n\nGenerally, you can also search for your findings in the GitHub repository using your handle. If you're having trouble finding your submissions, it's worth noting that there have been instances of participants not seeing their submissions immediately or running into issues with the loading of submitted findings. \n\nTo edit your submitted findings, navigate to the contest page and click on the 'Your Findings' button. If you need to retract a submission, this can also be done under the 'Your Findings' section on the contest page. \n\nOnce a finding is successfully submitted, you should receive a confirmation email. In case you're unsure about the success of your submission, look out for this email or check if you can edit your submitted findings, as this usually indicates successful submission.\n\nRemember that it's possible for findings to be credited to the wrong person if you use someone else's handle. To avoid this, always make sure you're using your own handle.\n\nFinally, it's natural to be curious about the status of your report or submission. You can track the status of your report and see your findings in the \"Findings\" tab next to the contest description. \n\nPlease note that if you're trying to submit a finding and experiencing issues, it may be worth trying on a different browser as some users have reported difficulties when using certain browsers.", "Question: As a participant, I'm unsure about managing my solo participation in a contest that my team is also auditing. Should I submit my findings separately or together with my team? Also, can I contact the judges directly to clarify my submission?\n\nAnswer: At Code4Arena, participants have the freedom to decide whether they want to participate solo or be part of a team in a contest. 
If you're part of a team and also participating solo, it's important to communicate with your team to avoid duplicate submissions. When you're unsure about whether to submit findings as separate issues or as one, it's best to provide clear and comprehensive reports of your findings. \n\nYou can contact judges directly for clarifications but remember to maintain professionalism at all times. Also, remember that excessive unsatisfactory submissions may lead to penalties, so it's crucial to ensure that your submissions are valuable and well-prepared. \n\nRemember, the Code4Arena platform is maintained with fairness and trust as key principles. There are discussions of indicating the number of participants in a contest and potential changes towards backstage access to increase fairness. Also, there's a continuous effort to ensure the leaderboard accurately reflects all user accomplishments. \n\nKeep an eye on updates about future contests on our RSVP channels and remember submitting unsatisfactory findings repetitively could lead to penalties. If you have any more questions or concerns, feel free to reach out. We're here to help! \n\nRemember, Code4Arena is committed to being open to new wardens indefinitely, and we are constantly working to maintain the balance between welcoming new participants and ensuring the prize funds remain attractive.\n\nLink: Code4Arena FAQ", "Question: How can I modify my findings while a Smart Contract audit contest is ongoing on CodeArena?\n\nAnswer: To make amendments to your findings during an active audit contest on CodeArena, follow these steps:\n\n1. Navigate to the specific contest page on CodeArena, for example: [https://code4rena.com/contests/2023-02-ethos-reserve-contest](https://code4rena.com/contests/2023-02-ethos-reserve-contest).\n2. Click on the \"Your Findings\" button which is usually positioned next to the contest description. 
\n\nPlease note the following:\n\n- This option is only available while the auditing contest is still open. Once a contest is closed, you will not be able to edit your findings. \n- To make any necessary changes after a contest has closed, you will need to create a helpdesk request with all the information and the proposed updates. \n- You can check the status of your report and view when your findings are edited in the \"findings\" tab. \n- If you wish, you can also withdraw your findings under the \"your findings\" section on the contest page.\n- The platform doesn't allow you to directly edit an analysis report. However, you can request edits to be added to the comments of your analysis report by creating a helpdesk request and including a secret gist before the audit closes. \n- You can determine the success of your report submission by looking out for a confirmation email and the ability to edit your findings.\n- It's also possible to cancel a submission and create another one by withdrawing the findings under the \"your findings\" section on the contest page.\n \nRemember, for the integrity of the contest, all findings need to be submitted before the audit deadline.", "Question: Why are the durations of various contests at CodeArena, such as Basin and PoolTogether, not directly proportional to their source lines of code (SLOC), with some contests having 1100 SLOC and others having 3300 SLOC, but all lasting around 7 days?\n\nAnswer: The duration of contests at CodeArena, such as Basin and PoolTogether, is not directly proportional to their SLOC count. This is because the contest duration does not solely depend on the size of the source code, but rather a variety of factors, including the scope of the contest, complexity, and judging time required. For example, there was an instance where a contest involving over 12k SLOC was extended to 4 weeks due to its complexity. \n\nCodeArena runs contests each week, with durations varying from a week up to 13 days. 
Some contests are large enough to keep participants engaged for a while, like the Ethos contest. Despite the varying SLOC counts, CodeArena has been able to achieve high-quality results with various sizes of auditor participation. \n\nIt's important to note that the contest price pool is not related to the SLOC count but is rather scoped. For instance, contests worth 30k are expected to be smaller. The contest pot size is partially based on the number of lines, and the amount awarded includes a judging pot. \n\nFor more detailed information about upcoming contests and their specifics, you can refer to the company's website [code423n4.com](https://code423n4.com/). Any results of previous contests can also be viewed on the leaderboard [here](https://code423n4.com/leaderboard/). \n\nPlease note that the details mentioned above are based on current practices, and the development team is always considering improvements for the system based on user feedback and contest experiences.", "Q: I have identified a potential high-risk issue in a smart contract but don't have time to fully examine it or create a Proof of Concept (PoC). Should I still report it and how should I label it? Can I face any penalties for wrong submissions or misjudging the severity?\n\nA: If you have identified a potential vulnerability but do not have time to fully examine it or create a Proof of Concept (PoC), it is still worth reporting it. However, remember that a bug report without a PoC may be disregarded unless the bug is highly apparent. If you can, try to describe the process clearly in bullet points as this could help your finding be rewarded even without a PoC. \n\nYou can include the PoC later if you manage to create one. If the PoC is too large to be embedded directly in the issue, you can provide a link to it. Including a PoC with your report can increase its chances of selection and you could even get a bonus for it.\n\nWhen reporting, label the issue according to its perceived severity. 
If you are unsure of the severity, continue working on the PoC until the severity becomes clearer. The severity can be adjusted later as needed, and a good explanation of your finding is more important than the specific severity label. If you have escalated a low severity issue to a high severity issue, you must provide strong evidence to back up your claim. You can check the criteria for these cases [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nThere is no specific penalty for misjudging the severity of a vulnerability, but incomplete or inaccurate submissions could potentially be penalized. Also, submitting a high severity issue without working code that demonstrates the impact may lead to a high severity issue being downgraded or deemed ineligible for awards. For more insight on this, you may want to read [this discussion](https://github.com/code-423n4/org/discussions/34). \n\nFinally, whether a high-risk finding without a PoC will be considered heavily depends on the specific contest and judge. Thus, make sure to present a strong case in your submission if you believe your finding should be considered. If unsure, you can also direct message the sponsor team for additional context.", "Question: How can I submit an analysis, edit it after submission, and check its status on CodeArena?\n\nAnswer: To submit an analysis for a contest, you can go to the specific contest page and fill out the form provided. If you want to edit your findings after submission, you can go to the contest page and click on the \"Your Findings\" button. This will allow you to modify your report. It's important to mention that you also have the ability to update your QA report post-submission. Your submissions are officially confirmed via email and can be viewed on the C4 Contest page under the \"Findings\" tab. 
You can track the status of your report and see your findings in the \"Findings\" tab next to the contest description. If you're uncertain about how to submit an analysis, you can check out the Analysis Guidelines on CodeArena's website [here](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118). After submitting your findings, you can expect a follow-up from our side. Also, any feedback on your submitted findings will be available for you to review and learn from.", "Question: How do I submit issues during an audit and where can I find them after submission?\n\nAnswer: To submit an issue during an audit, please go to the specific contest page on CodeArena's website and click on the 'Your Findings' button. You don't need to submit anything on GitHub, as our system will automatically create an issue there. In case of multiple lines changed, you can send a git patch or a PR to our repository. If you are part of a team, you can also submit as a team, but the exact process isn't clearly defined yet.\n\nPlease note that there is no intentional incentive for being the first to submit an issue or for reporting QA type issues. Our sponsors are primarily interested in high/medium/low severity vulnerabilities and gas optimizations.\n\nAfter submission, your issues are posted as GitHub issues on a private repository. You may not immediately see your submitted issue in the Issues of the created repo for the audit. It's also possible that you might not receive feedback on your submission, especially if it is rejected. However, you can see your rejected submissions among the closed issues on GitHub. \n\nFor visibility of issues and updates, you might not get a mail notification. You can browse them at https://code4rena.com/reports where each issue provides a link to the relevant Github issue.\n\nIn the past, we've had some issues with GitHub which impacted our contest submission form. 
For instance, during a recent GitHub outage, several submissions were successfully received in another repository. If you encounter any issues with the submission process on our platform, rest assured they will be handled by our developers.\n\nFor inconsistencies, process concerns or lack of clarity in rules, please visit https://github.com/code-423n4/org/issues. Here you can review existing issues, add fact-based comments, support suggestions, or open new issues. \n\nPlease also be aware that some links to the repositories in the contests might not work and there have been concerns about the lack of feedback on bug submissions, as well as issues with image submission guidelines. If there are any issues with image guidelines, they can be resolved by rendering the image correctly in another place like GitHub.\n\nFInally, there is an outdated GitHub template for submissions that is not updated anymore. For the best results, we advise using the \"Submit finding\" button for each finding separately. The outdated template can be found here: https://github.com/code-423n4/code-contests/blob/4db2720312f0958f2e89f6207a6774c9e5360655/SUBMISSION_TEMPLATE.md.", "Question: Who has the ability to edit a Warden profile on Code4Arena and what does the process entail?\n\nAnswer: At present, the ability to edit a Warden profile on Code4Arena is only available to those who were certified when the Warden profiles were introduced. This feature allows certified wardens to add a profile picture, twitter handle, and mark themselves as \"Available for Hire\" via the profile editing screen. However, it's important to note that the profile editing feature is not directly accessible to users. To edit your profile, you will need to submit a request via our help desk at https://code4rena.com/help.\n\nIf you wish to change your C4 profile photo or update your Discord name, these changes can also be requested via the help desk. 
Remember, your Discord nickname should remain as your registered C4 username. \n\nRegarding the OG Warden status and other functionalities related to Warden profiles, these topics are addressed in our Certified Warden process, which is a topic that often comes up. For more information on how to become a certified warden, the criteria for backstage access, or about the privileges that come with a Certified Warden status, you can visit https://docs.code4rena.com/roles/certified-contributors. \n\nFor any other questions related to Warden registration, changing the wallet attached to your account, or other frequently asked questions, please check our FAQs at https://docs.code4rena.com/roles/wardens/warden-auth#faq-troubleshooting. If you can't find what you're looking for, don't hesitate to submit a help request at https://code4rena.com/help. \n\nKeep in mind that emails and GitHub usernames of wardens will not be listed publicly by C4. However, certified wardens will be part of a permissions group/team on GitHub to give them access to private repos. You can decide whether to make your membership on private teams public or not.", "Question: How can I edit my profile, change my avatar, set my hiring status, or alter my rank on Code4Arena?\n\nAnswer: The ability to edit your profile on Code4Arena is a feature available only for users with certification. If you want to be marked as \"Available for Hire\", note that this status can only be set if you're a Certified Warden. To change your avatar or update your account details, such as your Twitter username, you will need to submit a help desk request at https://code4rena.com/help. \n\nHowever, please be aware that changes such as adding the \"Available for Hire\" status may not appear immediately due to manual backend processes. To change your rank on the leaderboard or to gain the \"leaderboard\" tag on your profile, you need to rank in the top 5 of a contest and receive a reward. 
If you want to edit your submissions, you can navigate to the contest page and click the \"Your Findings\" button. \n\nFinally, if you're uncertain about your certification status, you can check this by clicking your name to see assigned roles and also via email communication. Do note that these changes are typically processed within a week.", "Question: What does \"OG Warden\" refer to and how does one achieve this status in CodeArena?\n\nAnswer: The term \"OG Warden\" refers to a badge on the CodeArena website that is given to wardens who have been with us for a significant duration. Wardens, or participants in our audit contests, play a crucial role in our community. To become a Warden, participants need to sign up through our website and follow a specific process, which includes a Know Your Customer (KYC) process delegated to Provenance. \n\nOnce registered, wardens can join competitions, like the Vader protocol bounty or the PolynomialFi contest, and also participate in various processes through a dedicated workspace in a private channel for certified wardens. In some cases, wardens can even request to be backstage wardens.\n\nThe process and requirements to become a \"Certified\" or \"Certified Plus\" Warden, and consequently an \"OG Warden\", are outlined in our documents. It's worth noting that Certified Plus Wardens have additional entry requirements but receive access to private repos once a contest concludes. \n\nAny new functionalities, updates, or queries regarding Warden profiles are generally discussed in the wardens channel within our community. If you wish to check the performance of wardens, you can do so at our leaderboard at https://code423n4.com/leaderboard/. 
\n\nPlease note that while we are working to provide more privileges to wardens, the specifics of these privileges, including how to become an OG Warden, are still under development and will be detailed in future updates.", "Question: Can the severity of a reported smart contract bug be re-evaluated and potentially upgraded by C4, even if initially submitted as a medium severity issue?\n\nAnswer: Yes, the severity of a reported bug can indeed be reevaluated, and potentially upgraded by C4 judges. However, this is subject to the submission meeting certain criteria. When you classify a bug's severity as medium, it's typically based on a balance of consequence and likelihood, where the impact is less severe and specific preconditions exist such as high attack difficulty, specific market conditions, or user unawareness. If nonetheless, the judges perceive the bug to be of high severity \u2014 which generally involves substantial potential fund loss or other severe consequences without needing any preconditions \u2014 they have the authority to upgrade the severity classification. \n\nHowever, it's important to note that this applies unless there's a reason to penalize the submission, such as it being incomplete, lacking detail, or not as accurate. Therefore, the highest effort should be put into high severity issues when submitting a report. In fact, an item from your QA report may also be upgraded if judges feel the severity should be higher. It's advisable to provide a good explanation of the finding, as the specific severity of the issue doesn't matter as much.\n\nUncertainty does exist in 'on the fence' vulnerabilities and their rating as high or medium risk, but generally, if a vulnerability locks all protocol assets, it's considered high severity. If it affects an end-user in a rare situation, it's typically a medium severity issue. 
For comprehensive understanding on severity categorization, refer to this link: [https://docs.code4rena.com/awarding/judging-criteria/severity-categorization](https://docs.code4rena.com/awarding/judging-criteria/severity-categorization). \n\nAlso, while submitting a medium/high report, it's acceptable not to include recommended mitigation steps if it can't be feasibly mitigated but an explanation as to why it can't be mitigated should be provided. As for the reward structure, the reward for a medium/high finding can be calculated using the formula provided in the link: [https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs).", "Q: I've received approval for my smart contract audit application from Provenance, how long will it take for the certification process to be completed and reflected on my profile?\n \nA: Once Provenance has approved your application, the CodeArena (C4) team generally updates the status of your certification within 5 business days. The completion of this certification process includes verification of your identity and possibly address, which is handled by Provenance. After this verification, your 'certified' status is confirmed and added to your profile. This verification process might involve some back and forth and can take approximately 2 to 3 weeks. If you've applied for KYC, you will receive an email from both Provenance and C4. This email might come from the address compliance@provenance.company, and it may appear in your spam folder, so it's advisable to check there as well. Finally, remember that if you're participating in contests and have completed more than 3, you may be eligible for an upgrade to Certified+, following the completion of your certification process. Please be patient as these updates are processed. 
You can expect to receive an email once the update is finalized.", "Question: \nI cannot access the Nouns DAO protocol files, i.e., the source code, on GitHub. What should I do, and are there specific files that I should look into?\n\nAnswer: \nAccess to the source code of certain protocol files, such as the Nouns DAO protocol, can sometimes be restricted due to various reasons. However, please note that files like \"FloatCapital_v0.sol\", \"Treasury_v0.sol\", and \"oracles/\" are not within the scope for the bounty program. \n\nIn case you have a specific query about a finding in the Nouns DAO contest, you can appeal it here: https://github.com/code-423n4/2022-08-nounsdao-findings/issues/315. This will lead you to a detailed discussion on the matter, which could help clarify your doubts.\n\nIf you are experiencing issues with accessing repositories related to various contests, it is worth noting that some links to the repositories have been reported as not working. In such cases, it would be best to reach out to the CodeArena staff or the community for assistance. \n\nIt's essential to understand that setting up the environment for contest repositories can be time-consuming due to multiple interrelated contracts and sometimes limited documentation. If you're having difficulties, don't hesitate to request help. CodeArena's community is full of experienced participants who can offer assistance and insights.\n\nLastly, bear in mind that immediate access to findings repo is for Certified+ users. If you're a Certified user, you can access projects like the Polynomial project by viewing the repo and submitting findings. However, for the findings repo access, it has not been rolled out to anyone as of the last chat update.\n\nIf you're a Certified user and haven't received an invitation link to Github, please reach out to CodeArena to resolve this issue. 
\n\nRemember, CodeArena is here to help you understand smart contracts better, and we encourage open discussion and questions related to these topics.", "Question: What happens to low findings in the QA report and how does this affect the distribution of rewards in the QA and HM awards pool? \n\nAnswer: Low findings submitted in a Quality Assurance (QA) report could potentially impact the allocation of rewards in a contest. If no High/Medium (H/M) vulnerabilities are found in a contest, the entire HM rewards may move down to QA. Similarly, if a finding is initially submitted as low in a QA report, but the judges later determine it to be a medium finding, it will be eligible for medium rewards. In this situation, the full award pool would then be divided accordingly, based on the Quality Assurance (QA) Report curve. \n\nHowever, it's important to note that the classification of findings (High, Medium or QA) is determined based on the severity of loss caused by the issue. High loss could result in a high classification, while medium loss could result in a medium classification. Any negligible amount of loss, like those due to rounding errors, is usually classified under QA. \n\nAlso, remember that the QA and Gas awards are given according to judges\u2019 scores and duplicates are disregarded. Therefore, the number of low findings in a QA report might not directly impact the amount of reward, as all 'A' graded QA reports will receive the same award, regardless of the number of low findings. \n\nJudges consider both quantity and quality of submissions when grading QA reports and a single entry is unlikely to receive a high grade. They also have the ability to downgrade or upgrade the severity of findings as they deem fit. 
\n\nMore details on these processes can be found at the following links: \n\n- https://docs.code4rena.com/roles/wardens\n- https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum\n- https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical\n- https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports", "Question: How can I access and manage my QA reports for contests that have already closed on CodeArena?\n\nAnswer: Yes, on CodeArena, you can access and manage your Quality Assurance (QA) reports for contests that have already closed. To view your submitted QA reports, go to https://code4rena.com/reports. To update your QA report, you can go to the specific contest page and select the \"My findings\" option. This is where you can edit and update your QA report until the audit deadline. \n\nAfter a contest has ended, your submissions are reviewed, triaged, and await sponsor review, final judging, and Quality Assurance before being made public. However, during this judging process, you cannot see the status of your submissions until the report is published and the contest's repository becomes public. Once the report is published, it becomes publicly accessible, and you can review your submissions on the concerned GitHub repo. \n\nIt's worth noting that you cannot submit bug reports after the contest has ended; all findings have to be submitted prior to the audit closing. If you need to alter the severity of reported bugs after the contest closes, you can do this either through the PR or by contacting one of the judges. \n\nRemember, your submissions for a contest can be reviewed after the report is published. You can track your report status and see your findings in the \"findings\" tab next to the contest description. 
Also, if you submit a QA report and receive an error, you can check if it has been successfully submitted by checking your email for confirmation or viewing the findings through the \"View Context\" function. \n\nPlease note, the platform allows viewing reports from other wardens even after contests have ended. However, there's a plan to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. Keep an eye out for updates regarding this feature. \n\nIf you have any further queries about viewing all submissions or finding out which of your findings were rejected and why, feel free to reach out and our team will be glad to assist you.", "Question: Can I edit my submission after I have submitted it for a contest on Code4rena?\n\nAnswer: Yes, you can edit your submission after you have submitted it, but only until the contest has ended. Submissions can be modified for any open contest by visiting the contest page and clicking on the 'Your Findings' button. This allows you to edit submitted QA reports, security findings, and analysis. You can also alter the severity of reported bugs, cancel a submission and create another one, or edit your submission if you find another error after submitting. However, once the contest has ended, there is no mechanism to edit the text of a submission and users cannot fix typos. It's worth mentioning that the company has plans for a new submission mechanism in upcoming contests, and there are plans to allow certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. 
You can find more guidelines on submission editing on [this post](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118).", "Question: Where and when can I find out about the next bot qualifier race for CodeArena's smart contracts audit?\n\nAnswer: Information regarding the next bot qualifier race is frequently updated and can be found on CodeArena's #\u270brsvp channel on Discord, which usually runs every few weeks. You may access the channel using this link: https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784. Registration for bot races is not always open and the qualifiers are held regularly every few weeks. Results for these qualifiers are typically announced within a week. To participate in the bot race, you will need to register your bot during the qualifier as part of a bot crew. Further details about participation and the concept of bot races can be obtained at: https://code4rena.com/register/bot. Please be informed that bots which are not registered in the chainlink protocol may not be eligible for certain contests.", "Q: How can I access, edit, and understand the analysis findings after participating in a CodeArena contest?\n\nA: After participating in a CodeArena contest, you can access your submitted analysis findings by checking your Analysis Report. You will be able to see the status of your report and any edits made to your findings. The findings from all contests are lodged in the findings repo, which is made public once the report is published. However, you must wait for the report to go live to view the findings, even if you've already submitted yours.\n\nTo edit your findings or the analysis report, navigate to the contest's audit page and select the 'Your Findings' button. 
Please note that currently, updates to analyses cannot be submitted post-submission, as outlined in the Analyses Guidelines and FAQ [here](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118).\n\nFor a comprehensive understanding of the analysis report and its criteria, you can review the documentation [here](https://docs.code4rena.com/awarding/judging-criteria#analysis). You can also view the scoring breakdowns from past contests on the CodeArena website, in the announcements channel, or [here](https://github.com/code-423n4/code423n4.com/blob/main/_data/findings/findings.csv).\n\nAdditionally, you may submit an analysis for a contest even without significant findings. Such reports can provide valuable insights for future project considerations. However, please note that the exact moment when findings are posted is uncertain, and immediate access to the findings repo is limited to Certified+ users, which has not been rolled out to everyone yet as of the time of writing this.", "Question: How can I gain backstage access at Code4Arena and what benefits can it provide me after the publication of contest results, such as the recent Canto Jun 20 results?\n\nAnswer: Backstage access at Code4Arena is granted to certified contributors who meet certain criteria, which include a specific number of findings - at least three medium findings and four total findings - and participation in contests. To qualify, you can submit a help desk request once the contest results for which you've made submissions are published on the leaderboard. This usually happens shortly after the awards are announced. \n\nThe backstage role provides several benefits. 
It grants you access to the findings repo after the contest ends, allows you to edit your submitted findings under 'your findings' on the contest page, and enables you to monitor the backstage channel during the post-judging stage of the contest to query any of your issues that have been marked as invalid. Additionally, it gives you the ability to discuss your findings with the judge for re-evaluation and provide factual comments on them.\n\nHowever, it's important to note that only the team has access to submissions before a contest ends. After the contest concludes, those with the \"backstage\" role get access to the findings to assist with triaging. \n\nAlso, while backstage access previously permitted wardens to view submissions and comment at the pre-judging stage, this practice has been discontinued. Furthermore, it's worth noting that the applications for backstage access are currently suspended until further notice due to a violation that involved sharing information about findings for judging in progress with others who did not have backstage access.\n\nFor more information on the backstage role and the certification process, please refer to this link: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: How can I get whitelisted for the C4 event in Paris and have access to private contests?\n\nAnswer: To get whitelisted for the C4 event in Paris or to access private contests, you have to become a Certified Warden. You can do this by registering at the Code4rena website. This involves completing a Know Your Customer (KYC) process, the details of which can be found in the Code4rena documents. Once you are a Warden, you can access contest channels, join competitions, and have your wallet whitelisted. If you have issues accessing the website or if you believe you are eligible for a backstage role, please submit a help desk request at https://code4rena.com/help. 
If you wish to participate in judging and gain backstage access, more information can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. If you wish to register as a team for the contest, the procedure can be found at https://docs.code4rena.com/roles/wardens#registering-a-team. We encourage participants to reach out to the sponsor team during the contest if they think they've found something and want to ask questions. As a Warden, you have the privilege to participate in private audit contests, such as the Ambire Contest. Please note that some channels require specific permissions, which may necessitate additional registration or approval. We look forward to seeing you at the event!", "Question: What are the procedures and functionalities related to submitting and updating an Analysis Report on CodeArena?\n\nAnswer: Submitting an Analysis Report on CodeArena allows users to present their reviews of smart contracts for contests. Users can see their report submissions by checking their Analysis Report. Currently, users cannot edit or resubmit an analysis report, but there are plans to include this functionality in the future. However, help desk requests can be used to make changes in the meantime. \n\nUsers can submit a report even if they have no significant findings to provide advice for future project considerations. It's also possible to resubmit an analysis from a team's account if it was accidentally submitted from a personal account. \n\nOnce a report is submitted, users receive an email confirmation. Also, they can check the success of their report submission by looking out for an email confirmation and the ability to preview their findings. \n\nThe submissions for a contest can be reviewed after the report is published, and the findings repository is made public. Participants can then view their submissions and the reasons for their rejection. 
\n\nMore details about submitting an Analysis Report and what needs to be filled in it can be found on the following links: [Analysis Guidelines and FAQ](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118) and [Judging Criteria for Analysis](https://docs.code4rena.com/awarding/judging-criteria#analysis).", "Question: What is the process and compensation method for auditors in case no issues are found during the mitigation review at CodeArena?\n\nAnswer: The mitigation review process at CodeArena involves inviting the top wardens from the initial audit, usually the top 3 to 5 based on ranking, to review bug mitigations. This might happen after projects invite top wardens back after the contests. However, it is not explicitly stated if they are paid if no issues are found during the review. In some instance, wardens could potentially be compensated for sponsor confirmed issues or sometimes even disputed ones. If no Medium/High vulnerabilities are found, the full award pool may be divided based on the QA Report curve. For more information about the general Mitigation Review process at CodeArena, you could refer to this article: https://medium.com/code-423n4/a-look-at-code4rena-audits-mitigation-review-3e05f8b7acb7.", "Question: Can I edit my analysis submissions on CodeArena and how does this process work?\n\nAnswer: Currently, it is not possible to edit a finalized analysis submission on CodeArena. However, certain types of reports, such as QA reports and security findings submitted during an open audit, can be edited until the audit deadline. You can do this from the contest page under 'Your Findings'. Despite this, once the audit is closed or the contest has ended, the ability to edit these findings might not be available. Additionally, if you accidentally submitted an analysis from a personal account instead of your team's, you can resubmit it from the right account. 
\n\nAfter submitting, you can check your submission by looking for an email confirmation or by checking your Analysis Report. If you cannot see your submissions on the Findings tab or receive a message like 'No findings submitted for this contest' even after submitting, there might be a technical issue and you should report it. \n\nLastly, there have been concerns raised about the ability to edit a Notion document after the analysis report is closed. To address this, you can post a Notion link for the analysis report during the submission process. Just be aware, the current submission UI does not support upgrading an analysis report. \n\nFuture improvements are being planned to allow editing of analysis submissions, but this functionality is not available yet. You can stay updated on this by following our Guidelines and FAQ at https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Question: What's the protocol and the potential consequences for incorrect or unsatisfactory submissions in CodeArena contests?\n\nAnswer: In the context of CodeArena contests, incorrect or unsatisfactory submissions are quite normal and currently, there is no penalty for incorrect medium or high severity submissions. These unsatisfactory submissions might include QA, gas, duplicates, and invalid ones out of an estimated 150-300 total submissions per contest.\n\nWhile there is some concern amongst users about getting penalized for too many unsatisfactory submissions, the present rule, as specified in the guidelines, is that if a user has more than three reports rejected in a competition, they will not receive any payout for that competition. However, even if a submission is not rewarded, there's a review process to understand why the submission was not accepted.\n\nJudges in the contests consider both the quantity and quality of submissions when grading. A single item in a QA submission is unlikely to receive a high grade. 
The grading criteria include correct identification of the highest severity impact of the bug, making a case for the severity and validity chosen with evidence, and clear and understandable writing. More details can be found in these links: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).\n\nIt's also noted that the order of reported issues doesn't necessarily go according to submission time. Judges pick the primary issue based on the best write-up rather than the order of submission to encourage high-quality submissions.", "Question: How can I track, view, and manage my submitted reports and findings, including invalid issues, on CodeArena?\n\nAnswer: \nOnce you've submitted a report on CodeArena, you can track and manage your findings in various ways. Firstly, you will receive a confirmation email for each successful report submission, which will allow you to verify its receipt. \n\nFor a more detailed view of your report, you can check the \"Findings\" tab next to the contest description on the contest page. Here, you can review, edit, or even replace your submitted findings. If a finding is marked as invalid and you wish to withdraw it, you can do so from this tab.\n\nThe status of your reports can also be tracked through your Analysis Report. If you're participating in a contest and your issues didn't make the award list, it's possible they were rejected. 
You can confirm this by reviewing your Analysis Report.\n\nIf you encounter an error while submitting a QA report for the first time, you can check the success of your submission either by checking your email for confirmation or by viewing the findings through the \"View Context\" function.\n\nAll submitted reports, including invalid issues, can be found on Github at the following link: https://github.com/search?q=org%3Acode-423n4+is%3Aissue+label%3Ainvalid. Here, you can also view examples of past submissions and gain insights into what a high-quality submission looks like.\n\nYou can also check whether your submissions were accepted at https://code4rena.com/reports. If you still have issues or discrepancies with your reports, you can create a ticket for further assistance.\n\nKeep in mind, all issues remain confidential until the report is made public. However, rest assured that all reported issues can be viewed by a judge without needing a direct link sent to them.", "Question: How can I escalate the severity of a report in a contest and interact with judges for feedback and re-evaluations?\n\nAnswer: After submitting a report, you have the opportunity to escalate the severity of issues in your report. This could be done either through direct changes in the PR or by contacting a judge. The decision to reward severity escalations is up to the judge's discretion and is dependent on the strength of your case. \n\nFor example, a known low-severity issue from the automated findings can be escalated to a high severity, supported by a detailed description of the potential risks and implications. You can reference the criteria explained in the [submission policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues) to strengthen your argument. 
If you're unsure about the severity of an issue you've identified, report it and let the judge make the final call.\n\nDuring the post-judging QA period, you have the opportunity to comment on the judges' decisions. This period is only available for backstage access users, where they can discuss directly with judges and raise objections or ask for re-evaluations. Ensure your arguments are well justified and detailed.\n\nFurthermore, if a warden identifies an issue during the contest that was initially identified as a low-severity finding in the automated report but could lead to a high-severity finding, they can report it again and it could potentially be awarded with higher severity. \n\nPlease remember, judges are the ones who determine the severity of identified issues in submitted reports and they have the discretion to make changes in severity levels as necessary. This means that they can elevate the severity of a QA issue if it is described in detail or reduce it if it does not pose as high a risk as initially thought.\n\nLastly, don't hesitate to seek feedback from judges about issues to understand the reasoning behind their ruling and to see what could be improved. This interaction will not only help you gain insight into your submission but also aid in improving your future submissions.", "Question: How can I improve my skills in auditing smart contracts and better identify high & critical issues?\n\nAnswer: Improving your skills in smart contract auditing involves a combination of continuous learning, practice, and persistence. Here's a step-by-step guide:\n\n1. Begin by educating yourself. There are several resources available for beginners in the field. For a comprehensive introduction to smart contract auditing, check out this post https://cmichel.io/how-to-become-a-smart-contract-auditor/. 
Additionally, CodeArena provides tools and resources to help you get started, which you can find here: https://docs.code4rena.com/roles/wardens/tools-and-resources.\n\n2. Practice is key. Regularly read audit reports and audit codebases. Even if your findings are invalidated, don't give up. The more you understand a protocol, the easier it becomes to identify issues.\n\n3. Participate in discussions and training. CodeArena\u2019s Discord chatroom provides a platform for you to seek help and engage in topics such as the use of fuzzing tools and machine learning in smart contract auditing. You can also explore our #\ud83c\udfebeducation channel for further learning.\n\n4. Expand your knowledge on tools used for auditing. Understanding how to use different tools to find vulnerabilities and bugs in smart contracts is crucial. Consider testing your skills in solidity to check certain aspects of the Contracts being audited.\n\n5. Consider obtaining practical experience. Websites like https://immunefi.com/, https://spearbit.com/, and https://hats.finance/ offer rewards for auditing smart contracts, giving you a chance to gain practical experience.\n\n6. Stay updated on new techniques and methods. For instance, an innovative idea shared on our platform suggests visualizing smart contracts into respective shapes and using models to predict the vulnerability of future contracts.\n\n7. Remember, the field of smart contract auditing is ever-evolving, and staying updated on the latest developments will be beneficial. As you progress, you might want to dive into more specialized areas such as blockchain forensics analysis for hacks and incidents in smart contracts.\n\n8. Lastly, don't hesitate to ask questions and seek advice when needed. 
For example, if you're unsure whether to focus primarily on smart contract auditing or pursue traditional hacking and web2 security as well, our community is here to help you make informed decisions.\n\nRemember, hard work always pays off in the end. Keep going, don't stop learning, and you'll gradually see improvements in your auditing skills.", "Question: Can a project be live on the blockchain while simultaneously being audited on CodeArena (C4)?\n\nAnswer: Yes, there are instances where projects may be live on the blockchain while simultaneously being audited on CodeArena. These projects span across varying platforms, including Polygon, and include real smart contracts that will be deployed after the auditing process. It's important to note, however, that some projects going through audit contests on CodeArena are not yet deployed. Audit findings for completed projects can be explored via the C4 GitHub repo or at https://chainsecurity.com/audits/. For those interested in participating in auditing processes or contests, inquiries can be made online and beginners can seek help on the platform. Additionally, people can check on the progress of ongoing audits, ask queries about findings from past projects, and even partake in private competitive audits. Please remember that different projects may have different audits.", "Question: What are some effective ways to improve my skills and excel in the field of smart contract auditing?\n\nAnswer: Smart contract auditing requires consistent effort and learning. A good starting point for beginners is to refer to resources such as [How To Become A Smart Contract Auditor](https://cmichel.io/how-to-become-a-smart-contract-auditor/) and the tools and resources available at [Code4Arena](https://docs.code4rena.com/roles/wardens/tools-and-resources). In addition to these resources, you can advance your skills by regularly reading audit reports and auditing codebases. 
Even if your findings are invalidated, don't be discouraged, as this process plays a crucial role in your learning journey. \n\nEngage in discussions and seek help on platforms like CodeArena or Sherlock, although the latter may require more advanced skills. You can also learn from platforms like [cryptozombies.io](https://cryptozombies.io/) for solidity and [capturetheether.com](https://capturetheether.com/) for Capture the Flag challenges. Participate in bug bounties on platforms such as [Immunefi](https://immunefi.com/), [Spearbit](https://spearbit.com/), and [Hats Finance](https://hats.finance/) to gain real-world experience and rewards. \n\nThere's also a growing interest in the application of machine learning for smart contract auditing, which might be worth exploring. Some have suggested converting non-image tasks such as smart contract auditing into image tasks where a smart contract is visualized into respective shapes, and a model is trained based on these shapes to predict future contract vulnerabilities.\n\nAnother aspect to keep in mind is that the importance of mathematics in auditing can depend on the project. Some require basic math, while others might require advanced financial mathematics. \n\nFinally, consider joining the #\ud83c\udfebeducation channel to learn more about auditing smart contracts, or watch educational videos on the subject like [this one](https://www.youtube.com/watch?v=wCD3fOlsGc4). There's also a demand for resources on smart contract security, including books and certifications, which would be a valuable addition to your learning path.\n\nRemember, your focus should be on understanding smart contracts thoroughly, but being open to learning about related areas is also beneficial. 
With patience and persistence, you can build a successful career in smart contract auditing.", "Question: How can I understand and learn from past audit reports without a deep understanding of the codebase, and how does this assist in my journey to become an auditor?\n\nAnswer: Understanding past audit reports can provide valuable insights into the types of bugs often considered high impact and unique, even if you don't fully comprehend the codebase. It's also a useful way of learning how experienced auditors approach their task, which can be instrumental in your journey to becoming an auditor. \n\nOne method to gain such understanding is by participating in contests, as this provides hands-on experience with auditing. You can find recommendations for contests on our platform or you could read old reports to study how they were conducted. Contest details are usually outlined in the README.md, which also helps determine what's in scope for auditing. \n\nReverse engineering old audit reports is another path to becoming an auditor. You can access past reports at https://chainsecurity.com/audits/. While reading these reports, you may also want to check findings for completed audits available on the C4 GitHub repo. This will allow you to learn from real examples and understand the thought process behind identifying issues.\n\nFurther, you can enrich your auditing skills by reading relevant blog posts like https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan. It provides a comprehensive guide on approaching the auditing of large projects. \n\nIn the case of complex projects that involve intricate mathematics or financial logic, it's recommended to have a solid understanding of the subject area. This may require a separate, dedicated effort of study. \n\nMeanwhile, if you're uncertain about anything, you can always engage with the community. You can ask questions about past projects, join private competitive audits, or seek advice from experienced auditors. 
\n\nRemember, even if you don't find bugs, participating in the auditing process is a valuable learning experience. And with continued persistence and practice, you'll become adept at identifying security issues in smart contracts.", "Question: How are projects financially supported during their development and auditing phase?\n\nAnswer: Projects under CodeArena are usually pre-funded prior to the start of any contests, ensuring they are financially committed and have no incentive to withhold audit reports. The project's financial resources can be sourced from different avenues, including the possibility of C4 grants for building specific tools. \n\nIt's important to note that auditing smart contracts, especially those with complex mathematical aspects, can be a costly affair requiring years of experience and specialized knowledge. In some cases, professional mathematicians may even be brought on board to audit intricate formulas. \n\nFortunately, resources are available to help those interested in learning about the auditing process, such as this YouTube channel: https://www.youtube.com/@smartcontractprogrammer. CodeArena also allows inquiries about ongoing projects and past audit findings, which can be beneficial for those looking to understand the process better.\n\nAdditionally, each contest's prize money, which forms a significant part of project finances, is sponsored. For instance, for gas optimization reports, the allocation is typically around 5% of the prize pool. However, this may vary depending on the specific project's priorities. \n\nThere have been concerns about the potential for dishonest projects to clone white-hat reports to reduce their payouts. However, CodeArena has measures in place to ensure fairness. The best report typically receives a larger portion of the prize money, and duplicate reports that don't meet certain standards may not receive any reward.\n\nLastly, the project timeline can significantly impact finances. 
While the standard timeline is typically extended to 5 weeks, it's possible to extend even further if agreed upon by the sponsor, which could affect the overall financial commitment. It's also worth mentioning that some audited projects may be live on chain even while being audited on C4, which could also impact financial elements.", "Question: Is it necessary to write an exploit for medium severity bugs, and what are the implications if one cannot provide a proper proof of concept?\n\nAnswer: While there is no strict requirement to write an exploit for medium severity bugs, it is highly recommended to do so. A well-defined proof of concept (PoC), ideally via a test code, greatly aids in explaining the vulnerability and its potential impact on the protocol or code. If you can't provide a PoC for a medium severity bug, your finding might be disregarded unless the bug is glaringly apparent. The severity of a bug is determined by its potential impact, and if a line of code can be exploited in multiple ways, it's recommended to report all the bugs, prioritizing the one with the most significant impact. If an issue is ranked as low by a contest's bot report, but you believe it's of medium or high severity, your submission will need strong evidence to demonstrate the potential exploit path to be considered satisfactory. Remember, misclassification of a bug's severity does not affect the reward, i.e., even if a high severity bug turns out to be medium, the reward for a medium bug is still granted. 
In case of any doubts, refer to our submission and grading policy that provides more clarity on the expectations and criteria: https://github.com/code-423n4/org/discussions/50 and https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Question: How can I learn to understand and generate high-quality audit reports without extensive familiarity with the codebase?\n\nAnswer: Obtaining a comprehensive understanding of an audit report without a thorough knowledge of the codebase can be challenging, especially for beginners. However, there are several strategies that can aid your understanding and improve your ability to generate high-quality reports:\n\n1. Participate in Contests: Code4Arena frequently hosts contests which are a great way to hone your skills in auditing. Start with contests involving smaller bounty due to their less complex codebases. This will give you a feel of how auditing works and gradually you can take on larger codebases.\n\n2. Analyze Reports: go through previously conducted audits available at [Code4Rena reports](https://code4rena.com/reports). Understanding the types of bugs considered high risk and unique can provide valuable insights. Pay attention to how the reports are structured, and how they reference the codebase. \n\n3. Understand the Codebase: Ideally, getting familiar with the codebase would give you more context. If this is not possible, try to understand the purpose of the codebase by reading its documentation or seeking guidance from individuals with experience in similar codebases.\n\n4. Formatting & Tools: Use tools like Markdown and Hackmd to improve the presentation of your reports. In some reports, you might need to embed code or run tests on the code, so you'll need to familiarize yourself with code testing and embedding tools.\n\n5. 
Reference Related Issues: If you come across issues that you don't fully understand, it may be beneficial to create a report and reference the related issues in it. This way, you are able to keep track of problematic code snippets for further analysis.\n\n6. Understand the Grading System: Become familiar with the grading system used in assessing QA reports to ensure you're meeting the right standards.\n\n7. Persistence: It's crucial to persist in your efforts to understand codebases and reports. As you gather more experience, you'll become more proficient.\n\nRemember, the best reports focus on one specific issue or attack, feature the project's code, provide a simple to understand Proof of Concept (PoC), and offer a coded test that demonstrates the vulnerability. Reports can still be valuable even if they don't find significant bugs or any at all, as they can provide advice on things to consider for the project's future.\n\nBear in mind, there is some debate as to whether to link directly to code on GitHub or refer to a specific file and line number, as the best method of referencing code in reports, and whether a single line of code with multiple exploitations should be reported as one bug or several. There is no one-size-fits-all approach, so use your discretion based on the specific circumstances.\n\nFor more information on how to include a Proof of Concept, visit [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).", "Question: How does CodeArena handle multiple submissions of the same or similar issue? Does it affect the distribution of rewards?\n\nAnswer: CodeArena follows a comprehensive procedure when dealing with duplicate submissions for the same or similar issue. If two different participants submit the same bug, the order of submission does not impact the amount they get paid. 
Each participant is awarded a share of the bounty, and the overall value of the bug is reduced and split based on how many people find it. \n\nNot all duplicate submissions receive a reward, however. If a duplicate report does not surpass a certain threshold, it might not receive any money. The best report typically receives more money than other reports. This is supported by the incentive model and awards section of the Code4rena documentation: https://docs.code4rena.com/awarding/incentive-model-and-awards#duplicates-getting-partial-credit.\n\nAdditionally, the level of detail in the submission, such as including a Proof of Concept (PoC), and thoroughly covering the issue in as many aspects as possible can influence the award amount. \n\nIt's also important to note that if two people are part of a team and they submit the same issue with different wallets, the team gets more rewards than if they had individually submitted the same finding. \n\nDistinct bugs that can be resolved by addressing the same root cause are considered duplicates. However, the same vulnerability found in multiple different components of the codebase might be considered as separate issues, subject to the judge's decision.\n\nUsers are allowed to submit findings they are unsure about, but if more than three reports are rejected in a competition, the user will be prevented from receiving any payout for that competition. \n\nCreating duplicate accounts to submit the same issue for a greater share of rewards is not beneficial due to Sybil protection measures. More about judging criteria for duplicate submissions can be found here: https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions.", "Question: What is the process when judges mark an issue as satisfactory, but it is subsequently marked as Sponsor Disputed? 
Can participants still comment, and what steps should they take in such cases?\n\nAnswer: If an issue has been marked as satisfactory by a judge but is later disputed by the sponsor, you are still allowed to comment and ask for feedback to understand the reasoning behind the ruling and to see what could be improved. You can openly discuss the issue with the sponsors before the contest ends, even if there are disagreements about the scope or severity of the issue. A discussion can be opened if you disagree with a judge's decision. If the disagreement persists, you can follow the guidelines set out in the policy at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision.\n\nIf there is a lack of explanation for the \"sponsor-disputed\" label, you can check for duplicates and pose your questions to the judge. However, remember that the comments in reports are generally between judges and sponsors, with occasional input from \"backstage wardens.\" There are also plans to allow certified contributors to comment or give input on submitted issues during the judging phase. \n\nIn case of persistent disagreements, issues can be flagged for re-evaluation even after contest payouts have been made. However, note that once the payouts are sent, the contest outcomes cannot be changed. Also, if you have findings that the judge and sponsor disagree with, the final decision on the mitigation part lies with the sponsor. \n\nFor further disagreements or concerns not addressed, you can review issues at https://github.com/code-423n4/org/issues, where you can add comments, support existing suggestions or open a new issue. If your submission is rejected, you can review the report to understand why it was not accepted, which allows you to see the sponsors' and judges' discussions on the specific issue. 
\n\nUltimately, sponsors play a significant role in contest judgments, and their lack of fulfillment of their duties can result in delays and make judging more challenging. Therefore, it's essential to maintain open communication with them throughout the process.", "Question: Has there been an instance where C4 has revised the payment amount after payout, and if so, under what circumstances can this happen?\n\nAnswer: While there is a possibility of revising the payment amount (increase, decrease) after payout, it is not a common occurrence. C4's payment address is a multisig, which means multiple authorizations are needed to execute a transaction including changes in payment amounts. Typically, it remains the same unless there are accounting issues. Discrepancies in bounty amounts as shown in different channels are usually rectified with updates and a note indicating that details are subject to change. An instance of such a discrepancy was observed between the #\u270brsvp channel and C4 regarding the bounty for the Cally contest. \n\nAlso, it is possible to update your payment addresses from your C4 account screen: https://code4rena.com/account, before the reward payout by submitting a request through the Help Desk at https://code4rena.com/help. Once the contest payouts have been sent, however, the outcome cannot be changed. Any overlooked issues can be flagged to the judge and sponsor for consideration. Please note that the prize pool for a contest can be adjusted to account for changes such as an increase in the judging fee, and rewards for submissions can be paid either partially or fully.", "Question: How can I edit my submitted findings in a CodeArena contest?\n\nAnswer: To edit your submitted findings in a CodeArena contest, navigate to the contest page of the particular smart contract audit. On this page, there is a \"Your Findings\" button that allows you to modify your submissions. 
You can access the contest page by following this example link: https://code4rena.com/contests/2023-02-ethos-reserve-contest. \n\nOnce you've navigated to the contest page, you can click on the 'Your Findings' button, where you can edit your analysis reports or findings, update the format, or even withdraw your findings. Participants can track their report status and see and edit their findings in the 'Findings' tab next to the contest description. \n\nPlease note, there have been discussions about allowing the original author to make edits to submitted findings, but this feature may not always be available. \n\nFurthermore, if you want to view the judgement of your findings, you can check the data folder in the findings repo and look for json files named as [warden-handle]-[issue number]. For feedback on your submitted findings, you will receive an email notification. Through this process, you can continuously improve your smart contract auditing capabilities.", "Question: How can I track the progress and results of a CodeArena contest?\n\nAnswer: The results of CodeArena contests, including the BASE and Enso contests, are dependent on the duration of the judging process. There may be delays, but rest assured that results will be posted in the respective contest channels once judging is complete. If you're curious about the progression of a specific contest, you can refer to the \"Past Contest Status Updates\" section, which provides a timeline of where contests are currently in the process.\n\nThe process after a contest is completed follows this order: Sponsor Review, Judging, Awarding, and Reporting. The final published report allows participants to see the results of their submissions. During the contest, the public report page is also updated.\n\nFor a cumulative view of the results from the first two contests, you can refer to the leaderboard at https://code423n4.com/leaderboard/. 
Please note that findings from a contest cannot be viewed after it finishes but before the results are published. \n\nQueries about contest updates, results, team information, and rewards are common and welcome. If you have specific questions about the validity or invalidity of the issues you have submitted in the contest, you can raise them in the chat.\n\nRemember, some results might still be pending and there might be changes in the award calculation process. Also, please note that it generally takes about 2 months for the results of a contest to be announced. Be sure to keep an eye out for a number of new contests expected to take place in the coming month.", "Question: Can the current bot in CodeArena detect issues such as division before multiplication and precision loss due to division? If so, are there any considerations when interpreting and reporting these issues?\n\nAnswer: Yes, the current bot used in CodeArena's bot races is sophisticated enough to detect issues such as division before multiplication and loss of precision due to division. However, it's important to note that the bot's findings are not always final. For instance, if a bot identifies a low-severity issue, and a participant believes it to be high-severity, the issue isn't automatically invalid. Participants are allowed to escalate an issue but they must provide robust evidence to demonstrate a relevant high or medium severity exploit path, based on CodeArena's submission policy. \n\nMoreover, if a bot identifies an issue and proposes a fix, it's crucial to evaluate the proposed solution as it might inadvertently introduce a more damaging exploit. If a bot race report has a low vulnerability logged more than twice, it should be included in the QA report. However, the same issues being reported by a bot should not ordinarily be included in the report, unless they contribute to a more complex exploit. 
When submitting issues related to precision loss, participants are encouraged to provide a Proof of Concept (PoC) to support their submissions. \n\nFinally, participants are reminded to check for qualifier results for the bot race and to seek assistance in #bot-race-help for related issues. Find more information in the submission policy here: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Question: I am trying to view and edit my submitted findings for the Tapioca DAO on the CodeArena website, but I am encountering an error. How can I resolve this issue?\n\nAnswer: We apologize for the inconvenience you're experiencing. It is possible to edit your submitted findings by navigating to the specific contest page and clicking the \"Your Findings\" button. For instance, you can access the Tapioca DAO contest page at https://code4rena.com/contests/2023-07-tapioca-dao#top. It's worth noting that some users have experienced issues when trying to access their submitted findings, and these issues are usually resolved. If you're still encountering this error, it could be due to various factors such as site updates or server problems. We suggest waiting a few moments and trying again. If the problem persists, please feel free to reach out to us for further assistance. You can also check your email for a confirmation of your report submission, as this email includes the ability to edit your findings. Remember, the changes to your findings will be visible to you once edited.", "Q: How can I edit or retract my submitted findings in CodeArena?\n\nA: You can edit or retract your submitted findings by navigating to the specific contest page on CodeArena and clicking on the 'Your Findings' button. This button allows you to modify, add to or withdraw your findings while the audit is still open. 
For example, you can go to the Ethos Reserve contest page and click the \"Your Findings\" button at https://code4rena.com/contests/2023-02-ethos-reserve-contest. \n\nPlease note, only one report of gas optimization can be submitted per contest, but more findings can be added to the report using the same method. After editing or withdrawing your findings, your modified data forms a submission that goes into the findings repository for the given contest, which is later evaluated by the judges after the contest ends. \n\nSubmissions are confirmed via email and can also be viewed on the CodeArena Contest page under the \"Findings\" tab. However, some users have reported issues related to submitting findings and loading submitted findings. These could be due to errors related to the permalink and might also vary depending on the browser being used. If you face such issues, it might be beneficial to try a different browser or reach out to the CodeArena support for assistance.", "Question: Where can I find the details about CodeArena's severity ranking and how it impacts the reporting and auditing process?\n\nAnswer: You can find all the details about CodeArena's severity ranking on our [Judging Criteria page](https://docs.code4rena.com/awarding/judging-criteria/severity-categorization). This page outlines the exact criteria for low, medium, and high severity issues. \n\nThe severity of an issue is dependent on its impact, and the guidelines for estimating risk can be found [here](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk). In case you're uncertain about the severity of a reported issue, it is advised to review these guidelines and make a case for the chosen severity using evidence. \n\nIf you come across a valid finding but believe the severity is not correct, it doesn't automatically become invalid. 
Criteria for judging such cases are also explained on our [Submission Policy page](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). \n\nIf you're interested in understanding how severity impacts our reporting and auditing process, you can review the top winning reports on our [Reports page](https://code4rena.com/reports). Here, you can see what a high-quality submission looks like and how high-quality and high-quantity findings tend to score better in CodeArena competitions. \n\nWe also encourage you to look at our grading system and the criteria for a 'grade A' report on our [Incentives and Awards page](https://docs.code4rena.com/awarding/incentive-model-and-awards) for a deeper understanding of our severity ranking.", "Question: What happens if I classify a finding in my QA report with a certain severity level, but the judges determine the severity to be different? \n\nAnswer: If you classify a finding in your QA report as having a certain severity level, but the judges determine otherwise, the reward and perceived severity may be adjusted accordingly. Judges do have the discretion to upgrade or downgrade the severity levels. \n\nFor example, if you classify a finding as 'low' but the judges determine it to be 'medium', your finding will be eligible for 'medium' rewards. Conversely, a submitted 'medium' or 'high' finding that is judged to be 'low' risk, you will still be rewarded, unless the submission is assessed to be overinflated, incomplete, lacking detail, or not as accurate, in which case it might not be considered valid. \n\nMoreover, if no high or medium vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve. \n\nKeep in mind that the severity is judged based on the potential loss caused by the issue. If all rewards can be lost, it's possibly 'medium' or 'high'. If there's a risk of losing some rewards, it's probably 'medium'. 
If rewards are lost due to roundings (a negligible amount of rewards), it's likely 'low' or QA. If the principal can be stolen without needing extra requirements, then it's probably 'high'. \n\nMoreover, front-running possibilities could be considered either 'medium' findings or QA, depending on the impact. \n\nLastly, it's important to note that judges consider both the quantity and quality of submissions when grading QA reports. A single item in a QA submission is unlikely to receive a high grade. \n\nFor more information, please refer to the following links:\n- [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum)\n- [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n- [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)", "Question: If a bot race report identifies a low vulnerability with multiple instances, should I include all instances in my QA report? \n\nAnswer: Yes, you should include all the instances of the vulnerability identified by a bot race report in your QA report. However, you should report multiple instances of the same vulnerability as a single issue, unless these instances are found in different components of the codebase. In the latter scenario, it might count as separate findings but this will be ultimately determined by the judge. 
Additionally, if a bot race report identifies a vulnerability but does not report all the actual parts of the codebase where that problem is present, it is eligible to add them to your report. \n\nNevertheless, bear in mind that the same issues reported by a bot should not be included in the report unless they build a more complex exploit. If you escalate a low severity finding to a high severity, it will not be automatically invalid, but you must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory. For more details, visit the policy at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). \n\nAlso, note that QA reports that are very similar to a bot report may be penalized and those that merely include QA bot findings from bot races but develop their explanation more and are more detailed, are not eligible for QA report rewards. The score for a report may be lowered if it contains a few invalid issues. \n\nThe vulnerability level titled \"Low\" or \"QA\" includes both Low and non-critical vulnerabilities. The QA reports are graded based on the number of low findings. Therefore, two reports graded \"A\", one with 2-3 low findings and another with 5-6 low findings, would receive the same award. \n\nLastly, it's important to understand that while bots sometimes identify issues and propose fixes, these fixes may introduce a more damaging exploit. Therefore, it's crucial to carefully analyze the bot's findings and proposed fixes.", "Question: Where can I find more information about the Amphora Protocol and the related contests on Code4Arena? 
\n\nAnswer: You can find detailed information about the Amphora Protocol and its associated contest on the Code4Arena's website at the following link: [Amphora Protocol](https://code4rena.com/contests/2023-07-amphora-protocol#top). In addition to Amphora, Code4Arena has worked with numerous other protocols, which can also be found on the [Code4Arena's contest page](https://code4rena.com/contests). It seems that there isn't a separate website link provided for the Amphora protocol in the rsvp channel. If you're interested in learning more about smart contract auditing, you can refer to [Code4Arena's resources](https://docs.code4rena.com/roles/wardens/tools-and-resources) or check out the [repositories implementing proofs of concepts for hacks](https://github.com/Crypto-Virus?tab=repositories). Code4Arena also seems to have dedicated resources for the [Cosmos project](https://code4rena.com/cosmos). Lastly, for any guidelines and frequently asked questions, you can refer to the [Analyses Guidelines and FAQ](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118) page.", "Question: What is the typical response and processing time for various requests and actions within CodeArena?\n\nAnswer: The response and processing time for various requests and actions within CodeArena can vary widely depending on the nature of the request or action:\n\n- There can be delays in processing certain data. One such example observed in our chatroom had an anticipated duration of approximately 5 hours.\n- For users facing issues while getting certified, once resolved, the site usually takes about 10 minutes to redeploy.\n- The Know Your Customer (KYC) process can be lengthy, depending on the back and forth between the user and Provenance. Once KYC is admitted, backstage access request could take up to an additional 24 hours. 
Sometimes the KYC application may still be pending after a considerable time - in such cases, users can submit a help request.\n- Help desk requests are generally reviewed within 1-2 business days. However, it's important to note these can be delayed due to holidays and are typically resolved within 24-48 hours on regular business days. The status of a help desk request can be followed up and should receive a response within a week.\n- If there was a delay in Base results, they will be available soon. \n- Project findings review times can vary and unfortunately, we don't have a clear average time as of now. \n- Provenance typically takes about a week to respond to submissions and can update a user's status on the C4 side within a few days.\n- Applications for certain processes within CodeArena are typically processed within one business day.\n\nPlease note that these times are not guaranteed and are subject to change based on the volume of requests and other factors. If you have received a confirmation email from Provenance regarding their KYC, you may have to wait for a certain period for the role. It is always a good idea to check on the status of your request if you feel it is taking longer than expected. You can create a help desk request to do this through this link: [Help Desk Link].", "Question: What is the purpose of the #\u270brsvp channel in Code4Arena's Discord community, and how can I use it to participate in contests?\n\nAnswer: The #\u270brsvp channel on the Code4Arena Discord server is a crucial resource for our community. It is where we post updates about upcoming contests, including RSVP contests, and other essential announcements. You can use this channel to learn about public audits, raise your hand if you plan to participate, and even get information about future qualifiers. \n\nThe RSVP process typically requires a reaction to the announcement message in the #\u270brsvp channel. 
Once a new public contest is confirmed, it will be posted in this channel, and bot registration openings are also announced here. Please note that the start dates for contests might vary between the #\u270brsvp channel and the official Code4Arena website; the latter is always the correct one. \n\nPrivate contests have separate RSVP channels that are visible only to certified wardens. If a contest's RSVP is listed in the public #\u270brsvp channel, it means it's a public contest. Occasionally, you may also find top-tier projects appearing in this channel.\n\nIn case of discrepancies or confusion around contest details, we recommend double-checking on our website, [https://code4rena.com](https://code4rena.com). We strive to update the information regularly and provide accurate details for every contest. \n\nKeep an eye on the #\u270brsvp channel to stay updated on all contest-related developments. Here is the link to the channel for your convenience: [https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784](https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784).", "Question: What is the HM page and how is it relevant to CodeArena's contest and findings system?\n\nAnswer: The \"HM\" in HM page refers to High/Medium or high-medium levels in the context of CodeArena's contests and findings system. This page might be related to the process of elevating the severity of issues found in contests, or to the high-medium rewards associated with certain contests like the Eigenlayer contest. However, it should be noted that the #\ud83d\udd06hm channel in the CodeArena Discord server does not directly deal with findings in a contest. \n\nFor users utilizing automated tools for attack findings, there is a higher burden of proof to demonstrate a relevant HM exploit path to be considered satisfactory. Additional details on this can be found at https://github.com/code-423n4/org/discussions/50. 
\n\nIt is also observed that if no High/Medium (H/M) issues are found in a contest, the entire rewards may potentially move down to Quality Assurance (QA). However, it's generally considered unlikely that no H/M issues would be found, as no code is considered perfect. \n\nIf you need to edit findings or analysis reports, you need to navigate to the contest page and click the \"Your Findings\" button.\n\nPlease note that this information is gleaned from various chatroom discussions and might be subject to changes or updates. Always refer to the latest official CodeArena guidelines or ask directly in the chatroom for the most accurate and updated information.", "Question: I'm experiencing issues while trying to submit a report or a finding on CodeArena, can you please help me with this?\n\nAnswer: Absolutely, we understand that some users have encountered problems while attempting to submit a report or a finding on CodeArena. There can be a variety of technical issues, ranging from problems with the \"Create Issue\" button to form validation errors. Sometimes, these issues have been tied to GitHub outages or a delay in processing some data.\n\nIn some cases, issues were resolved after multiple attempts or after direct communication with our team. For instance, a user once had trouble accessing their Findings for Tapioca DAO on our website [https://code4rena.com/contests/2023-07-tapioca-dao#top](https://code4rena.com/contests/2023-07-tapioca-dao#top), but the issue was addressed promptly.\n\nPlease note that even if you're not 100% sure of your findings, you're still able to submit them. Also, if you're submitting the same issue found with automated findings, be aware that they would have to be in a different instance. \n\nWe're actively working on improving our processes to prevent long delays in the future and to provide a smoother user experience. But be informed that certain delays in help requests might occur due to holidays. 
Thank you for your understanding and patience.\n\nYou can also check the status of your request at our pull request at [https://github.com/heiho1/code423n4.com/pulls](https://github.com/heiho1/code423n4.com/pulls). Rest assured, if you raise a concern or report an error, the issue will be escalated to our development team for resolution. \n\nPlease do not hesitate to reach out to us should you encounter any more issues or if you have any other questions. We're here to help!", "Question: What does HM signify in the context of CodeArena and how does it impact the contests?\n\nAnswer: HM, in the context of CodeArena, stands for High/Medium issues and is a term often used in discussions about the severity of findings during a contest audit. For instance, when a QA issue is submitted, a judge can elevate its severity to M/H if deemed necessary. This is particularly significant as it's generally unlikely that no High/Medium issues would be found, since no code is considered perfect. If no H/M issues are discovered during a contest, the entire rewards may be shifted down to Quality Assurance. Furthermore, automated tools users have a higher burden of proof to showcase a relevant HM exploit path for their findings to be deemed satisfactory. More information on this can be found [here](https://github.com/code-423n4/org/discussions/50). While the term HM is also used in the context of certain channels and events such as the #\ud83d\udd06hm channel and the Eigenlayer contest, these do not necessarily relate to findings in a contest.", "Question: What can you tell me about the API currently being used by CodeArena?\n\nAnswer: As of the last update, CodeArena's API is intended mainly for internal use. However, it does have some features exposed for judges involved in the audit process. The exact details of which functionalities are accessible are not publicly documented, as per the discussions in our Discord channel. 
There have been suggestions for a two-tier system for access to the code, and there are certain API limitations that users might encounter, such as rate limits which were flagged during the \"Arcade contest.\" There were also discussions about potentially integrating the website with Github to better track specific timestamps. Please note that any changes or updates to the API usage might not be immediately reflected in the documentation, and in such cases, it is usually treated as a quality assurance (QA) issue unless it significantly impacts the functionality. For more detailed information on our processes, you can refer to our official documents at https://docs.code4rena.com/.", "Question: What are the requirements and qualifications to obtain the backstage role at CodeArena?\n\nAnswer: The backstage role at CodeArena has specific requirements that must be met. This includes finding high severity issues, making three medium severity findings, or submitting a Quality Assurance (QA) or Gas report with a score over 85. If a QA/Gas report does not fit in a single submission, you can split it into separate submissions. Reports should be separated into one big report for gas and one for QA. Only the best or most comprehensive QA/gas reports are accepted.\n\nFor a QA report, it's enough to submit one issue and include all potential issues in that report. However, for medium and high risks, a separate report for each finding is required. The detail required for QA and Gas Optimization reports is not as comprehensive as for high severity issues, but the quality of the submissions is still important.\n\nIf a team submits 3+ medium severity issues and they are accepted, all members become eligible for the backstage role. However, these findings must be made public for the role to be achieved. Another way to qualify for the backstage role is by participating in a minimum of 3 contests. 
\n\nIf a finding is submitted as a low in a QA report, but the judges determine that it's a medium, it will be eligible for medium rewards as per CodeArena's rules (https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nFor a backstage+ access, a high finding or 3 medium findings are needed. More information on backstage qualifications can be found at this link: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens\n\nIt's important to note that the grading and sharing system for QA/GAS reports is explained, with Grade A reports counting as 2 shares, Grade B as 1, and the best report receiving a 30% bonus. There is an award formula for gas and QA, but it's not clear if the formula is documented. \n\nKeep in mind that changes in the handling of reports may not promote the best efforts in QA/Gas reports but may be fairer for everyone, including newcomers.", "Q: I'm experiencing a 500 error on api.code4rena.com, what steps should I take to resolve this issue?\n \nA: The first step is to try logging out and then logging back in as this can sometimes resolve the issue. If the problem persists, it could be due to a variety of issues, including a DNS error or an issue with the CodeArena website. In this case, it's recommended to submit a help desk request outlining the issue you are experiencing. You can do this by going to https://code4rena.com/help. If you are not able to submit a help desk request via the form, or if your issue is specifically related to secure findings submission, you can forward your request to submissions@code4rena.com. If your issue is related to vulnerabilities in the CodeArena webapp, please report it to security@code4rena.com. 
Please note that in case you get no response from Provenance within a couple of days, or if you encounter issues with changes to a team, you are also encouraged to submit a help request at the aforementioned link.", "Question: I'm having trouble creating a bot team on CodeArena, what steps should I take to properly form and manage a team?\n\nAnswer:\nThe process to create a bot team on CodeArena involves registering your bot during the qualifier. You can register your bot or bot crew (an individual who is in a bot team or has their own bot) on this page: https://code4rena.com/register/bot. \n\nIf you're trying to add new members to your team and are experiencing issues, you might need to try again at a different time or day. If persisting issues occur, consider submitting a help desk request at: https://code4rena.com/help. Changes to teams such as addition or removal of members can also be managed through this help desk.\n\nIt's worth noting that teams and bot crews are different; bot crews require registration during the qualifier, whereas teams can be created at any point on https://code4rena.com/register-team. If you're having trouble with team creation, this may require approval from the Code4Arena team, so do not hesitate to reach out for help.\n\nIn case you wish to participate in bot races that are held for the first hour of an audit, more information is available on this page: https://code4rena.com/register/bot. However, please remember that bots not registered in the chainlink protocol cannot be used for certain contests.\n\nRemember, to access the team-formation channel, you need to register as a warden first. Managing the same team name with different members at different contests might be challenging, but it can be resolved by contacting the help desk. 
\n\nLastly, if you wish to change your team name on CodeArena, you can do so by submitting a request through the help desk.", "Question: What is the structure and progression of contests at CodeArena?\n\nAnswer: At CodeArena, contests are an integral part of our operations and they follow a specific progression which is reflected in the order we process them. We host both private and public contests, and the details for these are posted in the Contests section. \n\nWhile we have a schedule of contests, including those already queued for future weeks, new contests are always being planned and are expected to take place regularly. For instance, we often hold a BASE contest, which is not necessarily the first contest but has been conducted before. We also run week-long contests each week and have explored the possibility of running multiple contests simultaneously - potentially handling up to 20 contests a week.\n\nContest results are dependent on the time taken for judging and the results, including those from the first two contests, can be viewed on our leaderboard at https://code423n4.com/leaderboard/. \n\nWe have introduced a suggestion to allow submissions at any time prior to the contest end time, with a policy of accepting only the first (or last) entry that a person/team sends. There is a possibility that a contest could run with zero valid submissions, but this has not happened yet. We are also considering a shift in leaderboard tracking from last number of days to last number of contests.\n\nIn terms of participation, being certified grants access to more contests and participation in contests is recommended for skill improvement. The top wardens in our 90-day leaderboard are prioritized for contests. 
Finally, it's worth noting that the results and findings from contests are posted in the Contest section, and we're looking into allowing users to view all submissions after a contest ends.", "Question: What rewards or bonuses are available for high-quality analysis reports in CodeArena competitions?\n\nAnswer: In CodeArena competitions, high-quality analysis reports are eligible for several rewards and bonuses. A bonus of 30% share is given for each unique High or Medium finding that is selected for inclusion in the audit report. This selection is determined by the judges and is based on the quality of the submission. Having a coded Proof of Concept (PoC) with the report can increase the chances of a report being selected. Reports are graded and must meet certain quality standards to be considered valid. Grade A reports count as 2 shares, and Grade B as 1, with the best report receiving additional bonuses. However, not all reports or findings are guaranteed a reward, especially duplicate reports that fall below a certain threshold. You can find more information about the incentive model and awards at https://docs.code4rena.com/awarding/incentive-model-and-awards and detailed judging criteria for the analysis report at https://docs.code4rena.com/awarding/judging-criteria#analysis.", "Question: Has OpenSea introduced a new feature called \"deals\" as part of a contest hosted by CodeArena (C4)?\n\nAnswer: From the information in our Discord chatroom, it appears that there might be some confusion about the terminology. On CodeArena, the correct term for these activities is \"transactions,\" not \"deals.\" \n\nWith regards to a new feature, OpenSea did host a contest facilitated by CodeArena, which is similar to a bug bounty platform where prize pools and fees are defined upfront. The OpenSea contest had a unique system of scaling up the reward pool based on the severity of the findings. 
This contest was an exception and was greatly appreciated by the users, as seen by their interest in more high prize contests like the $1M OpenSea contest. \n\nHowever, it's important to note that this contest required processes to ensure public transparency, including Know Your Customer (KYC) certification. Participants interested in the OpenSea contest needed to complete the form at https://code4rena.com/certified-contributor-application and undergo an ID verification process run on behalf of CodeArena by Provenance. \n\nIn summary, while OpenSea has not introduced a feature called \"deals\", they did host a unique contest with CodeArena that increased the prize pool based on the severity of the findings.", "Question: How do participants manage their submissions, communicate with the team, and follow updates on CodeArena's Discord channel?\n\nAnswer: On CodeArena's Discord channel, participants can manage their submissions, communicate with team members, and stay informed about updates in a variety of ways. For instance, participants can check reported findings via a link shared on the Discord channel and they can discuss with project team members in assigned channels. Early feedback for improving audits may be available with a link to the judge's post at https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440. \n\nParticipants can view and join contests listed in the #\u270brsvp channel, accessed via the Discord link, and updates on new contests are also provided in the same channel and the contest-specific Discord channel. Users can edit their submissions by direct messaging certain individuals and the steps for this are outlined in the announcement from this link: https://discord.com/channels/810916927919620096/810929015509483554/1002648649135824906.\n\nIf participants have questions or need clarifications, the contest channel in Discord is the suggested place to reach out. 
When a new public contest is confirmed, it will be posted in the #\u270brsvp channel. Participants can also view the list of their rewarded findings at https://discord.com/channels/810916927919620096/1095308824354758696/1130212982094299246. During a contest, potential submissions can be discussed with the project's dev team either in the contest channel or through private messaging. \n\nHowever, it's important to note that changes in Discord usernames can affect C4 authentication and any questions or issues related to this should be submitted via the Help Desk for the developer team's review.", "Question: Do bot crews have to undergo KYC verification to partake in audits and receive payments at CodeArena?\n\nAnswer: Bot crews, which consist of individuals in a bot team or those who have their own bots, may need to undergo a Know Your Customer (KYC) verification process, depending on the type of audit or contest they are participating in. For some audits and contests such as the Base audit and the Chainlink contests, all team members are required to be KYC'ed in order to participate and receive payments. However, there are also certain activities and contests, like the Maia DAO Ecosystem contest, where the KYC process isn't necessary. \n\nEach contest or audit will specify whether KYC is required or not. To become KYC certified, one must become a Certified Contributor which involves a certain process as explained at https://docs.code4rena.com/roles/certified-contributors. Certified contributors have completed the KYC process and thus have the ability to participate in private contests and potentially other exclusive activities. Note that the organization has a KYC process in place and there may be delays while going through it. 
For more details on contests that require KYC and the process to become a Certified Contributor, please visit: https://docs.code4rena.com/roles/certified-contributors.", "Question: Why is there a discrepancy between the lines of code (SLOC) mentioned for the #arcade-jul21 contest in the #\u270brsvp channel and the contest page on the CodeArena website?\n\nAnswer: There can sometimes be discrepancies in the information provided on different platforms for CodeArena contests. In the case of the #arcade-jul21 contest, it appears there was a difference in the SLOC count between the #\u270brsvp channel and the contest page. This could be due to a typo, as has been observed in the past with other contests, or it could be due to a change in the scope of the contest as decided by the sponsor. It's always recommended to check both the #\u270brsvp channel and the actual contest page on the CodeArena website [https://code4rena.com] for the most accurate and updated information. Please note that contest details, including SLOC count, are subject to change. If you notice such discrepancies, feel free to raise your questions in the Discord channel or directly contact CodeArena for clarifications.", "Q: How do I modify or manage my team on CodeArena?\n\nA: To modify your team at CodeArena, you can add or remove members. However, changing the team name requires you to create a new team altogether and this new team would not retain any previous leaderboard positioning. To add new members, you can do it through the platform but if you face any technical issues, like a blank page appearing when selecting members, you may need to attempt at a later time or submit a help desk request at https://code4rena.com/help. Also, remember that you are not obligated to always participate in contests as a team once you join one. \n\nIf you want to update your team information on CodeArena, it requires creating a PR. 
If you are facing issues managing the same team name with different team members or want to participate solo in a contest that your team is also auditing, you should raise this issue through a help desk request. \n\nTo create a new team, you need to go to code4rena.com/register-team, but be aware that this might require approval from the Code4Arena (C4) team. In case you face any issues during team creation, you can report it via a help desk request. If you need to change your nickname, this would require creating a new registration/discord handle and starting over with the new name if you were on the leaderboard. \n\nFor new wardens to team up and collaborate, they can go to the #\u26bdteam-formation channel after registering as a warden. Also, users can log into their Code4rena account and switch back and forth between their individual account and their team account before submitting.", "Question: How should I report vulnerabilities impacting the Code4Arena's webapp and what is the process for it?\n\nAnswer: If you identify a vulnerability affecting the Code4Arena's webapp, you can report it by following these steps: \n\n1. You can directly message the issue to @EvilPacket or send it to security@code4arena.com. These channels will ensure your report reaches the security team and gets into the triage queue.\n\n2. You can also submit an issue via the C4 form. When submitting, paste your report into the Vulnerability details section in .md format. Be sure to include any relevant details such as screenshots, the Github permalink, and the lines of code for the affected code. \n\n3. If the vulnerability is high or medium severity, responsible disclosure to the development team is required. Reporting such vulnerabilities found few days after the contest ends would most likely not be awarded by C4 outside the contest timeframe. \n\n4. 
If you find a vulnerability in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding or the project can be directly messaged.\n\n5. If two separate vulnerabilities can be combined to create a more powerful one, you can submit a third finding explaining the proof of concept. \n\n6. If you've created a POC script for a vulnerability, you can simply drop the link into the submission where it is relevant. \n\nWhen it comes to estimating the risk of bugs, you can refer to the guidelines here: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. If you're unsure about the severity after reporting an issue, you can reach out for support from the C4 website or directly message the project team. \n\nRemember, even if a vulnerability is difficult to fix without major changes to the protocol, it can still be reported. Recommendations for fixes are appreciated but not required. Please note that multiple instances of the same vulnerability should be reported as one issue. \n\nThe results of submitted bugs to the contests in Code4 are revealed once the report is made public. In the meantime, you can check previous reports to see what a high-quality submission looks like. \n\nThis process is still being refined and documented, so it may evolve over time. Your feedback is always welcome.", "Question: How do I navigate and participate in the CodeArena Discord channels? \n\nAnswer: The CodeArena Discord server is structured with individual channels, each serving a specific purpose. For instance, each contest has its own channel for questions and code walkthroughs. General questions related to contests can be asked in these specific channels, while queries for the sponsor team members can be sent via Direct Messages (DM). \n\nThe #\u270brsvp channel is where you can view and participate in contests, accessed via the provided discord link. 
If you come across a potential vulnerability and confirm it with the contest sponsor via private DM's, it might still count for your submission, depending on the judgement. \n\nIf you need to check the status of your submissions or want early feedback on them for improving audits, you may refer to the judge's post: [https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440](https://discord.com/channels/810916927919620096/1030197723619659806/1042826344544870440). You can also update your submissions by directly messaging certain identified individuals. Guidelines for editing your submissions can be found at: [https://discord.com/channels/810916927919620096/810929015509483554/1002648649135824906](https://discord.com/channels/810916927919620096/810929015509483554/1002648649135824906).\n\nRegarding the #\ud83d\udd06hm channel and \"Verified Contest\" in the #rsvp channel, it's worth noting that they do not pertain to findings in a contest. The HM page, in the context of the chat, likely refers to a high medium level. \n\nThe company also has a plan to release all unverified submissions a few days after a contest ends before the judging process. You can find related discussions here: [https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123](https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123)\n\nIf you have any suggestions pertaining to the website, leaderboard systems, contest processes, or Discord setup, feel free to share them in the suggestion box established within the server. For issues related to your Discord account, such as hacking or changes in usernames affecting C4 authentication, it is advised to submit such questions via the Help Desk for the developer team review.\n\nPlease be aware that to manage the channel limit on Discord, the company is considering archiving contests in quarters. 
While discussing potential submissions during a contest, please avoid revealing vital information in the contest channel; private messaging or discussing with the project's dev team is encouraged.", "Question: If I submit a finding on Code4Arena and the severity is not initially correct, how does the system handle reassigning the severity? For instance, if I submit a high severity finding that is judged as low, what happens?\n\nAnswer: On Code4Arena, if a finding is valid but the severity is initially incorrect, it does not automatically get reassigned. Instead, the process involves a discussion and review by the C4 judges. If a report is incorrectly categorized, say it's marked as medium but should be high, the judges can upgrade the severity of the finding unless there's a reason to penalize it, which could include the report being incomplete, lacking detail, or not being accurate. \n\nIf a low severity finding is escalated to high severity, it does not automatically become invalid. However, parties escalating a severity from low to high must provide substantial evidence demonstrating a relevant High or Medium severity exploit path. The criteria for judging such cases can be found at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). \n\nSimilarly, if an issue is submitted with what is thought to be high severity and the judge disagrees, the issue might be downgraded, but you will still be awarded for the found issue, unless judges invalidate it for overinflating the severity. 
\n\nFor findings initially classified as low risk that are confirmed as medium or high risk by the judges, the findings can be upgraded automatically and the submitter could be eligible for higher rewards based on the updated severity level as per [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nThe severity of an issue doesn't matter as much as a comprehensive explanation of the finding. A strong case is needed to escalate a known low from the automated findings to a high. The classification of findings (High, Medium, or QA) is primarily based on the severity of loss caused by the issue. For instance, if all rewards can be lost, it's considered Medium / High severity. A risk of losing some rewards is usually Medium, and loss due to roundings (a negligible amount) is most likely QA. If the principal can be stolen without needing extra requirements, it's probably High.\n\nIf a valid finding is in the same category as a bot report but not included in the bot report, it can still be considered a valid finding. It's important to note that the score for a report may be lowered if it has a few invalid issues, and if it's very similar to a bot report, it may be further penalized. Incorrect findings in a QA report can also affect the QA grade.\n\nRemember, the goal of auditing is not just identifying issues but demonstrating an understanding of how an issue could be exploited. Without this understanding, the job is deemed incomplete.", "Question: How can I change my username on CodeArena?\n\nAnswer: Changing your username on CodeArena involves re-registering your account. 
Please note that leaderboard standings and previous submissions under the old handle are not transferable to the new account. If you change your Discord or Twitter username, you can update it in your Code4rena account but you may need to submit a help desk request at https://code4rena.com/help for this change to be reflected. Also, changing your username may affect your registration as a warden and you might need to reapply for certified status. Additionally, usernames on CodeArena are currently immutable and cannot be changed, but it is possible to change your handle. If you experience a mismatch between your site username and Discord nickname, or if you have any other issues or questions, please submit your queries via the Help Desk for the developer team to review.", "Question: What is the process and guidelines for reporting different severity issues in a CodeArena audit, and how are these reports handled?\n\nAnswer: In a CodeArena audit, wardens are expected to submit reports on a range of severity issues discovered in smart contracts. These issues are typically classified as high, medium, low, non-critical, and gas-related issues. \n\nHigh severity issues should be the primary focus of the report, with the most effort put into detailing them. However, it's also possible and even encouraged to include medium and low severity issues in the same report. When it comes to submitting findings of low severity, QA, or gas-related issues, these should be compiled into one combined report. \n\nIf a single line of exploitation is discovered, it should be reported as one bug, even if there are multiple ways of exploitation. If there's uncertainty whether findings should be submitted separately or together, the best approach isn't always clear and may depend on the specific circumstances. \n\nEvery submitted report should ideally include recommended mitigation steps. 
If, however, there are no feasible mitigation steps, an explanation should be included as to why this is the case. \n\nThe judges at CodeArena have the authority to adjust the severity categorization of a report. For instance, if a report is submitted as medium severity but the judges deem it to be high, they can upgrade its severity unless there's a reason to penalize it - such as the report being incomplete, lacking detail, or not being accurate.\n\nDetermining the severity of a finding often depends on the experience and judgement of the user, and a balance of the consequence and likelihood of exploitation. High severity usually involves the potential for large fund loss or other serious consequences, and typically do not need pre-conditions. Medium severity usually have a lesser impact and specific preconditions, such as high attack difficulty, specific market conditions, or user unawareness.\n\nLastly, if you are uncertain about the severity of an issue, the judging criteria page at CodeArena provides some guidance to help you assess the risk associated with your findings: [link](https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr)", "Q: When I audit a protocol and find similar issues like the misuse of \"transfer\" instead of \"safeTransferFrom\" or common vulnerabilities across different parts of the code, how should I report them? Should they be reported as individual findings or grouped together?\n\nA: When you encounter multiple instances of the same issue during an audit, it is generally acceptable to report these as one finding. However, the specifics can vary based on the nature and risk level of the issues identified. For low-impact quality assurance (QA) and gas optimization issues, it's recommended to group all instances together in one report, providing the number of instances and permalinks to each of them.\n\nFor medium and high-risk vulnerabilities, each finding should be reported separately. 
If the same vulnerability is found in different components of the codebase, it might count as separate findings. However, this is ultimately at the discretion of the reviewer to determine if they are duplicates or not. \n\nIf a single line of code has multiple potential exploits, all the bugs should ideally be reported, but priority should be given to the most impactful one. \n\nYou can include a variety of findings based on different combinations of issues found to create different attacks. However, if the root causes are the same, they might be counted as one finding, even if the impact varies. \n\nRemember, a well-structured report is focused on one specific attack or issue, provides code examples, includes a simple to understand proof of concept (POC), and shows a coded test that demonstrates the vulnerability. \n\nFor more discussion on this topic, refer to: https://github.com/code-423n4/org/issues/8. And for a simpler example of a bug report, see: https://github.com/code-423n4/2022-12-caviar-findings/issues/141.\n\nAs for the use of \"safeTransferFrom\", it depends on the token used and the expectation of the code. Here's a link to Etherscan for further information: https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L95. \n\nRegardless of the reporting style, ensure that your findings demonstrate a clear understanding of how the issue could be exploited. Without such understanding, the audit is not fully complete.", "Q: I'm having trouble logging into my account on the C4 website, what could be the reason and how can I resolve this?\n\nA: There could be several reasons for facing login issues on the CodeArena website. These could include technical issues, occasional site maintenance causing temporary downtime, or issues with your GitHub or wallet connections. If the site is down, you can check its status at [https://downforeveryoneorjustme.com/code4rena.com](https://downforeveryoneorjustme.com/code4rena.com). 
\n\nIf you're experiencing issues related to viewing the repo or submitting findings, please ensure your GitHub account is logged in and matches the account provided to C4. If you're having trouble connecting your wallet, this could also prevent successful login. \n\nAdditionally, issues related to login could occur due to inactivity of your Code4Arena account. For example, if you participated in past contests like the 2022-11-looksrare-aggregator-contest and haven't logged in for a while, you may face login issues. You can find more about this contest at [https://code4arena.com/contests/2022-11-looksrare-aggregator-contest](https://code4arena.com/contests/2022-11-looksrare-aggregator-contest).\n\nIf you're facing issues with logging into your C4 account, you can ask for support in the #auth-help channel or send a direct message to C4 staff members. If you're unable to perform tasks via mobile, you can request help by sending an email to submissions@code4rena.com. \n\nAlso, please note that not having certified status on your handle could prevent you from accessing private contests, even if you have passed the KYC process and got approval, in such cases, you can create a help desk request at [https://code4rena.com/help](https://code4rena.com/help). \n\nRemember, C4 doesn't typically operate on weekends, so there may be a delay in receiving responses to certain requests or applications. You can also experience issues if your user status is not updated on the C4 side which typically happens within a few days. \n\nPlease be aware that technical issues related to local storage could also affect your login experience, showing you as logged in, but the interface does not change. If you continue to face issues, please reach out for technical support.", "Question: I found the same issue in multiple locations within the code I'm auditing. 
How should I report these in my audit report?\n\nAnswer: When encountering the same issue in different parts of the smart contract you're auditing, the reporting method can depend on the severity and nature of the issue. \n\nFor low severity and non-critical findings, such as Quality Assurance (QA) or gas optimization issues, it's most suitable to compile all instances into a single consolidated report. This will help maintain the report's readability and succinctness and it's often recommended for these kinds of issues.\n\nOn the other hand, for medium and high risk findings, it might be necessary to report each instance individually. This is especially the case when a single line of code has multiple ways of exploitation or if the same vulnerability is found in different components of the codebase. However, if the root causes of these high-risk findings are identical, they may be counted as a single issue. \n\nIt's important to remember that these are guidelines and the final decision often lies with the judge or reviewer assessing the audit. \n\nAll reports, whether individual or consolidated, should include a description of the issue, proof of concept (where necessary), and suggested mitigation measures. \n\nFor further discussion on this matter, please refer to: https://github.com/code-423n4/org/issues/8 and https://discord.com/channels/810916927919620096/810936719003090974/1134472653437145149.", "Question: How do I diagnose and report an issue when the CodeArena site is down or inaccessible?\n\nAnswer: If you encounter issues with the CodeArena site, you can begin by determining whether the site is down for everyone or just for you by using this resource: https://downforeveryoneorjustme.com/code4rena.com. \n\nIf you find the site is down, please know that our team is likely already aware of the situation and is working towards a resolution. 
You may experience some delay in response during these times.\n\nIn case you are experiencing issues while accessing the site on a mobile device or performing specific tasks, we suggest trying to access the site via a desktop browser for optimal experience. \n\nWhen reporting an issue such as this, you can create a help desk request at https://code4rena.com/help. Your request should describe the issue you're experiencing in detail. Screenshots can be especially useful in diagnosing and resolving issues, so if you can, include them in your report. Also, keep in mind that the severity of the issue will be categorized as high, low, or QA depending on the impact. \n\nFor more specific issues like the loss of precision in code or issues with the contest submission process, please provide as much detail as possible, including a description of the problem, the context in which it occurred, any potential impact, and suggestions for mitigation if applicable.\n\nIf you believe the issue poses a security risk and are uncomfortable with the details being public, mention this in your Help Desk request. We take privacy and security seriously and will handle the matter accordingly. \n\nRemember, we're here to assist you. Please don't hesitate to reach out with any questions or concerns.", "Q: I've registered a team on CodeArena but it's not visible on my profile. Can you guide me through the process and help me resolve any potential issues?\n\nA: Sure, we understand that there have been instances of team registration visibility issues on user profiles. To register a team, you can head to https://code4rena.com/register-team and follow the steps. Make sure to create a team handle as guided here: https://github.com/code-423n4/code423n4.com/blob/main/data/handles/pocotiempo.json. \n\nSome users also face issues while adding members to their teams, possibly seeing a blank page opening. This is a known technical concern and it might get resolved by trying again on a different day. 
Alternatively, you can check the information in the docs specifically the #\u26bdteam-formation channel at https://docs.code4rena.com/roles/wardens#registering-a-team for more assistance.\n\nWarden registration needs to be fully completed before the handle will appear on the leaderboard. Your name can appear twice on the leaderboard, once individually and once as part of your team.\n\nAfter your registration with Provenance and KYC approval, there is a processing period, and we will process your user role upon receiving confirmation. Please note that the process of approving a team for contest participation can take up to a few business days. If there is a delay, or if you face any issues, you can open a help desk request at https://code4rena.com/help.\n\nOnce your team is approved, you can log in and submit findings as a team. Please bear with us if you encounter any issues, we are constantly working to improve the process.", "Question: If an issue identified in an automated finding can lead to high severity, how should I submit and categorize this?\n\nAnswer: If an automated finding identifies an issue that you believe can lead to a high severity finding, it is recommended to submit it separately from the QA report. While the bot report may rank it as low, escalating it to a high severity isn't automatically invalid. However, when using automated tools for initial findings, there is a higher burden of proof required to demonstrate a relevant high or medium severity exploit path. Therefore, strong evidence supporting your escalation to high or medium severity must be included in your submission to be considered satisfactory.\n\nThe severity assessment of issues is often based on a balance of consequence and likelihood. High severity consequences usually involve sizeable fund loss or severe consequences without preconditions. 
Medium severity consequences may have a lesser impact or require specific preconditions such as a high attack difficulty or specific market conditions.\n\nIf a report is submitted as a certain severity but the judges deem its severity differs, the severity can be adjusted unless the submission is penalized due to reasons such as being incomplete, lacking detail, or not accurate. Therefore, if you originally submit an issue as low or medium but it is judged as high, it can be raised to high severity unless there are reasons to penalize it.\n\nIt is also worth noting that you can submit medium/high severity reports without recommended mitigation steps. However, you should include an explanation as to why it cannot be feasibly mitigated. \n\nRemember, the specific severity of an issue does not matter as much as a clear and detailed explanation of the finding. Unclear or low-quality reports, which lack a clear explanation or path to the finding, are discouraged. \n\nAdditional guidelines on this topic can be found at: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues and https://github.com/code-423n4/org/discussions/50.", "Question: How can I customize my Code4Arena profile, including changing my profile picture, username, and linking my Twitter account?\n\nAnswer: To customize your Code4Arena profile, you should go through the following steps:\n\n1. To change your profile picture, you can submit a help desk request at [https://code4rena.com/help](https://code4rena.com/help) with a link to your desired picture. This also applies if you wish to change your avatar on the Code4Arena leaderboard.\n\n2. If you want to link your Twitter account to your Code4Arena profile or change your Twitter handle, you'll need to make a help desk request with your warden name and Twitter URL at [https://code4rena.com/help](https://code4rena.com/help). 
Alternatively, you can follow the instructions at [https://github.com/code-423n4/code423n4.com/tree/main/_data/handles](https://github.com/code-423n4/code423n4.com/tree/main/_data/handles) and make a pull request for your handle.\n\n3. To change your username on Code4Arena, you might need to re-register on the platform. If you run into issues with username changes, you can report them via the help desk.\n\n4. If you need to change the wallet address connected to your Code4Arena account, there's a procedure detailed at [https://docs.code4arena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address](https://docs.code4arena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address).\n\nRemember, your profile name should match your name in the chat. Major changes such as creating a new team or changing a team's name might require approval from the Code4Arena team. It's important to note that the ability to edit your user profile requires certification. If you encounter any difficulties while customizing your profile, don't hesitate to reach out to the help desk.", "**Improved Question:** \n\nIn the case of discovering several medium or low severity issues that collectively contribute to a high severity issue, how should these findings be reported in terms of prioritizing severity, and what are the potential consequences of misclassification in the report?\n\n**Improved Answer:**\n\nWhen reporting multiple issues, it's best to include both high severity and medium/low severity issues in the same report. However, the primary focus should be put into detailing the high severity issue. Severity can be classified as high, low, or QA. The specific severity of an issue doesn't matter as much as a thorough explanation of the finding to justify its potential impact. \n\nIf you have a Medium/High severity issue, according to our submission guidelines, it should ideally be submitted as such. 
However, make note that if you're unable to provide suggested mitigation steps, an explanation as to why it can't be feasibly mitigated should be included. \n\nJudges have the ability to upgrade or downgrade the severity of the issues based on their judgment. For example, medium issues can be downgraded to QA and considered alongside your QA report when grading. They can also upgrade items from your QA report if they believe the severity should be higher.\n\nIt's important to note that misclassification of a bug's severity in your submission doesn't always lead to penalization. If a high severity bug turns out to be only medium, you'll still receive the reward for a medium bug. Similarly, if you submit a medium severity but judges determine it's high, the severity of the finding can be upgraded, unless there's a reason to penalize it, like being incomplete, lacking detail, or inaccuracies.\n\nTo determine if a finding is of high or medium severity, experience and a balance of consequence and likelihood are typically relied upon. High consequences generally involve sizeable fund loss or other severe consequences and don't require pre-conditions, while medium consequences usually have a lesser impact and specific preconditions. For detailed criteria for severity classification, refer to [our guidelines here](https://docs.code4rena.com/awarding/judging-criteria/severity-categorization).\n\nIn cases where the severity of an issue is unclear, it's advisable to consult with the community or refer back to [our documentation](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum) for further clarification. 
\n\nRemember, the goal is to provide the most accurate and thorough report possible to help improve the safety and reliability of the audited smart contracts.\n", "Question: How can I check or manage the reports that I have submitted during the CodeArena competition?\n\nAnswer: After you have successfully submitted your report, you will receive a confirmation email. You can also check the status of your submissions at https://code4rena.com/reports. On the C4 Contest page, you can view your submissions under the \"Findings\" tab, where you have the option to edit your submitted findings.\n\nIf it's your first time submitting a report and you encounter an error, you can verify your submission by checking for the confirmation email or looking at the \"View Context\" function. You can also update your submissions after the contest; to do this, navigate to the contest page, click on your findings and make the necessary edits. \n\nDuring the contest, the public report page is updated mid-contest. However, be aware that after a contest has ended and is in the judging process, the status of your submissions won't be available until the report is published and the repo is made public. Furthermore, the submissions for a contest can be reviewed after the report is published. \n\nFinally, after the contest is completed, you can view your Quality Assurance reports and the submissions for completed challenges on the concerned GitHub repo once the contest report is published.", "Q: What is the Bot Race at CodeArena, how can I apply, and where can I find information regarding the qualifiers and results?\n\nA: The Bot Race is a unique event at CodeArena, where participants, known as bot wardens, are rewarded for findings made with AI during the first hour of an audit. You can apply for the Bot Race at this link: https://discord.com/channels/810916927919620096/1093914558776758403/1132679460437639248. 
Keep in mind that registration is not always open as there are qualifiers held every few weeks. Detailed information about the Bot Race, including the process of creating a bot team, the bot crew role, and upcoming qualifiers can be found here: https://code4rena.com/register/bot. Results of the qualifiers and updates about the next bot qualifier race are available in the #\u270brsvp channel on our Discord. For more specific questions or issues related to the Bot Race, you can head over to the #bot-race-help channel. Please be aware that while there are discussions about the importance of unique vulnerabilities and accuracy (no false positives) in bot racing, there isn't a definitive answer on these topics in the chat excerpts provided. Also, the bots are considered a warden's intellectual property and are unlikely to be open sourced by CodeArena.", "Question: What should I do if I'm experiencing issues logging into CodeArena with my Metamask wallet?\n\nAnswer: There have been several instances reported of users having difficulty logging into CodeArena using Metamask wallet. If you're encountering similar problems, there are a few things you should check. Ensure that you are using the correct wallet and email for login. If your account has been inactive for a long time, that might also cause access issues, as evidenced by some users participating in the 2022-11-looksrare-aggregator-contest. If you suspect that your wallet has been hacked and rewards have been stolen, you should promptly report this. \n\nIf you're having trouble connecting your Discord account with your Code4Arena account, or if you're unable to access specific functionalities like submitting findings or seeing your rewards, it is advised to reach out for help. You can open issue tickets for these problems, and they will be reviewed by the CodeArena team. \n\nTo seek assistance, submit a help desk request at https://code4rena.com/help with detailed information about your issue. 
If the problem relates to a compromised account, you will also need to provide a mycrypto.com signed message. \n\nCurrently, Code4rena does not support changing the login wallet address. However, if you're using Metamask, you're able to link multiple addresses. Here's how you can do that: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. \n\nIf you need to change the network in Metamask, you can switch to the Polygon Mainnet, copy your public keys, and paste them into Code4rena. \n\nPlease remember that when encountering any issues logging in to CodeArena, you can report these to the #auth-help channel for further assistance.", "Q: Can you provide more information about submitting a \"Proof of Concept\" (PoC) on Github for vulnerabilities found within smart contracts? Do we need to make the repository public and does it expose any risks to the project?\n\nA: When submitting a \"Proof of Concept\" (PoC) for vulnerabilities found in smart contracts, it is not necessary to make the repository public. This is to avoid exposing vulnerabilities to the public, which could put the project at risk. Instead, a private gist can be used to share your PoC securely. \n\nAdding your PoC directly to your report under 'Proof of concept' or linking it to a private repository on Github is recommended. The method of submission largely depends on the length of your code. If you have a very long PoC, you may consider using an external platform such as gist to submit it. Further instructions on how to include a PoC can be found [here](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).\n\nWhen showing places of vulnerabilities, it's recommended to provide a URL to the repository with the line number and a code block. You should also explain the vulnerability and its impact on the protocol/code in the impact section of your report. 
Participants can also fill the Proof of Concept section by providing direct links to all referenced code in GitHub and adding screenshots, logs, or any other relevant proof that illustrates the concept.\n\nAn example of how to present a PoC for a bug and its impact can be found [here](https://github.com/code-423n4/2022-12-caviar-findings/issues/376). Further instructions on how to share vulnerability discovery PoCs can be found [here](https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc).\n\nIt's important to note that if you are unable to provide a PoC for a medium severity bug, it may cause your finding to be disregarded unless the bug is extremely obvious. Hence, it's always recommended to write a PoC to be sure.\n\nFinally, it's perfectly acceptable for auditors to fork the codebase and create a private repository on Github. This would not be considered as information disclosure, as the submitted findings will be created as a Github issue. These repositories are usually private until they are made public after the issues have been mitigated and have been cleared for publication by the sponsors.", "Question: Why do people still opt for smart contract audits even when automated tools have reported vulnerabilities?\n\nAnswer: Automated tools like fuzzing tools (like Echidna), static analysis tools (like Slither), or smart contract scanning tools (like Metatrust https://app.metatrust.io/project) play a vital role in identifying potential vulnerabilities in smart contracts. However, they are not foolproof and may not catch all types of issues. Moreover, with updates such as Solidity 8.0 implementing overflow/underflow checks at the language level, the usage of certain automated tools has decreased. \n\nAdditionally, complex smart contracts may require professional mathematicians to audit complex formulas. 
Even machine learning techniques are being explored for smart contract auditing, where a smart contract is visualized into respective shapes, and a model is trained based on these shapes to predict the vulnerability of future contracts.\n\nBeyond the technical aspect, audits are also essential for the credibility and security assurance they provide to a project's stakeholders. Given the open, immutable nature of smart contracts, any vulnerabilities have the potential for severe financial and reputational damage, making professional auditing an important risk management measure.\n\nCodeArena is focused on auditing smart contracts, with a community that can provide advice and support for beginners in smart contract auditing. It also provides a space for auditors to use information about protocols they have audited on other bug bounty platforms to fill their profiles. While currently focused on smart contract audits, there have been discussions on expanding services to include website and other infrastructure pentesting audits in the crypto space.\n\nIn essence, while automated tools provide a good starting point for identifying potential vulnerabilities, a comprehensive audit by skilled professionals is still the industry standard for ensuring the security of smart contracts.", "Question: How does the RSVP process work for invitation contests in CodeArena and where can I find updates about those?\n\nAnswer: CodeArena hosts various contests, some of which require an RSVP. The spots for these invitation contests are first filled based on sponsor request, and the remaining spots are filled based on the RSVPs received and the 90-day leaderboard ranking of those who RSVP'ed. \n\nUpdates and announcements about these contests, including new ones, private contests, versus contests, and more, are regularly posted in the #\u270brsvp channel on our Discord. 
You can check this channel for information about when a contest will open to the public or details about a specific contest. \n\nFor private contests, certified wardens can find the RSVPs and eligibility criteria in the #\ud83d\udd96rsvp-certified channel. Some private contests might even be open only to those who participated in the original audit.\n\nThe meaning of \"Verified Contest\" and other specific terms related to contests can also be found in the #rsvp channel. Versus contests are competitive access for a limited number of the highest performing wardens who RSVP. \n\nRemember, RSVPing is a crucial step to signal your interest in audit opportunities. For further inquiries about a contest's scope, you may reach out to the respective sponsor.\n\nYou may also find links to upcoming contests on the CodeArena website, like this one for the Party Protocol Versus Contest: https://code4rena.com/contests/2023-04-party-protocol-versus-contest. \n\nAlways keep an eye on the RSVP channels and our website to stay updated on new contests and opportunities.", "Question: Are there any known issues with accessing and using the Code4rena (C4) website?\n\nAnswer: Yes, there have been some reports of issues with the Code4rena website, including problems with logging in and accessing certain features. If you're having trouble accessing the site, you can check its status at https://downforeveryoneorjustme.com/code4rena.com. In case of issues with logging into your C4 account, you can seek help in the #auth-help channel. If you're struggling with tasks via mobile, you can email submissions@code4rena.com for assistance. \n\nAfter submitting an issue through the C4 form, there is no need to also create an issue on GitHub, as our system will do that automatically. If you accidentally submit to the wrong contest, you should resubmit to the correct contest and then fill out a form at https://code4rena.com/help to let us know about the mistake. 
\n\nAlso, if you're facing issues with viewing the repo or submitting findings, make sure the GitHub account you're logged into is the same one connected to your C4 account. \n\nIf you need support with anything else or wish to update your profile photo, you can submit a request at https://code4rena.com/help. However, please be aware that C4 does not typically operate on weekends. \n\nAs we continually strive to improve our tools and procedures, we appreciate your patience and assure you that any issues will be addressed as quickly as possible.", "Question: How can I view, edit, or withdraw my findings on CodeArena?\n\nAnswer: You can view, edit, or withdraw your submitted findings on the CodeArena platform via the 'Your Findings' button located on the contest page. However, it is worth noting that findings of a contest cannot be viewed after the contest finishes but before the results are published. You can track your report status and even see when your findings are edited. If you want to add more findings, navigate to the contest page and click the 'Your Findings' button. If you experience issues when submitting findings as some users have reported, please reach out for support. Submissions are confirmed via email, and feedback for submitted findings can be found on the Contest page under the \"Findings\" tab. You can also update the format of your findings or add to your report by selecting the \"My findings\" option. Please note that all findings are reviewed at the end of the audit period, and you are permitted to edit your findings until the contest closes. Once the report is published, the findings repo is made public.", "Q: When will the Base reward be sent?\n\nA: There is not a specific date we can provide you with for when the Base rewards will be sent. However, once the reward amounts are announced, the rewards are typically sent within 1-2 weeks. This is because they are sent manually in batches for multiple contests at a time. 
There may be a delay in Base results, but once these results are available, the distribution of rewards is planned to be completed by the end of the following week. Please note that the rewards for specific activities such as the \"arcade reward\" and \"pool together reward\" will also be distributed the following week. Keep an eye out for the announcement of the rewards, as it'll indicate the rewards are queued at the multisig and should be distributed within a week. We aim to pay out rewards in the same week they are announced, but delays can occur. There have been instances where rewards for a contest have not yet been paid out to participants. It's important to remember that you will need to wait for the reward to be transferred to your wallet once the amount has been announced. If you have any other queries about reward distribution, feel free to ask in our Discord channel.", "Question: How should I submit issues discovered in out-of-scope contracts during a CodeArena audit contest?\n\nAnswer: If you find a vulnerability in an out-of-scope contract during a CodeArena audit contest, you have several options available. The vulnerability can be included in the C4 report as an unrewarded finding, or the project can be directly informed about the issue. If the vulnerability affects a main contract, it should still be reported even if it was located in an out-of-scope contract. Additionally, a judge might decide to bring the issue into scope based on its impact on an in-scope contract. \n\nTo report an issue, follow the procedures outlined in the C4 Submission Policy at https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md. For automated findings, refer to the guidelines at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues. \n\nThe acceptance of reported issues depends on their severity as evaluated by the sponsors and judges. 
If there's any disagreement about the scope of a particular issue, we encourage you still to report the issue. You may also openly discuss issues with the sponsors before the contest is finished, including questions about severity and scope. \n\nRemember to monitor the backstage channel for the post-judging stage of the concerned contest if you want to query an issue marked as invalid. If you are part of a team, you can submit issues as a team, although the exact process for this isn't clarified. \n\nPlease note that common findings that are picked up by the C4udit tool are usually out of scope. For each contest, a warden is asked to run the C4udit tool and post the output in the contest channel. If an issue is already posted in the channel, it is considered a known issue and is classified as out of scope. \n\nIf there is any confusion or you need further assistance during the analysis submission process, consider submitting a help desk request.", "Question: Is it correct to suggest that the modulo operation of a prime number in elliptical curve cryptography resembles a bell curve distribution?\n\nAnswer: No, the modulo operation of a prime number does not resemble a bell curve distribution. Instead, due to the number theory, it generates a more evenly distributed set of returns, with each having a similar chance regardless of the input number. The prime number is used in the modulo operation, especially in elliptical curve cryptography, because it confines the x and y coordinates of the curve to a finite plain. This has been useful in dealing with issues like signature malleability. \n\nFurthermore, the metaphor of a bell curve is often used in CodeArena to describe the method of distributing rewards or prizes across different tiers of quality in our contests. For instance, in contests such as PolynomialFi or Maple Finance, certified wardens participate and submit findings. 
These findings are then evaluated and rewarded based on a formula that takes into account the severity of the findings and the potential for partial credits.\n\nHowever, this reward distribution concept doesn't resemble the mathematical operation of modulo with a prime number in terms of distribution pattern. The former is a method of reward allocation whereas the latter is a mathematical operation used for generating evenly distributed sets of returns.", "Question: Why does the elliptical curve cryptography formula take a prime number for the modulo operation and how does this relate to the security of asymmetric cryptography?\n\nAnswer: \nThe elliptical curve cryptography formula takes a prime number for the modulo operation due to number theory. A prime number provides a more normal distribution than a modulo of a composite number, leading to predictable behavior, which plays a significant role in cryptography. \n\nThis is particularly important in elliptical curve cryptography, where the x and y coordinates of the curve are contained up to a finite plain. This maintenance of a finite plain is crucial for signature non-malleability - a property that ensures the signature corresponding to a message or transaction cannot be manipulated without access to the private key.\n\nThis property is directly linked with the foundational principle of asymmetric cryptography: the inability to derive a private key from a public key. If this principle wasn't maintained, it would significantly compromise the security of the cryptographic system. Thus, taking a prime number for the modulo operation is a critical part of ensuring a robust and secure cryptographic system.\n\nIn some cases, especially in smart contracts with complex formulas, the audit process may require professional mathematicians. 
This is because understanding these deep mathematical principles and their implications is crucial for securing the system, as exemplified by the need for prime numbers in elliptical curve cryptography.", "Question: I am encountering an error message stating \"Oops! Something went wrong. Cannot read properties of undefined (reading 'name')\" when trying to view my findings on Code4Rena. Does this issue occur across multiple audits or one particular audit, and what steps should I take to resolve it? \n\nAnswer: This issue seems to be occurring across multiple audits. Our developers are currently investigating this problem. We have previously resolved a similar issue that occurred when trying to access findings for the Tapioca DAO on our website. If you're experiencing this issue while using certain browsers like Firefox or Chrome, it could be due to an error related to the permalink. \n\nPlease ensure you are not experiencing a login issue, as some users have reported difficulties logging into Code4Rena. If you are unable to log in, please open a help desk request at [https://code4rena.com/help/](https://code4rena.com/help/).\n\nIn the meantime, you can check findings for completed audits via the C4 GitHub repo. Also, please make sure you have the appropriate privileges to access certain resources like the findings page. For example, only users who are part of the \"backstage\" group can access certain pages.\n\nYou can also check your findings via the findings.csv file in CodeArena's website repository [https://code4rena.com/community-resources/findings.csv](https://code4rena.com/community-resources/findings.csv). Please note that you can edit your findings while the audit is open by going to the audit page and clicking the 'Your Findings' button.\n\nIf you encounter an \"API rate limit\" error, it's possible you're facing a similar problem to users during the \"Arcade contest\" audit. 
\n\nFor more information, you can refer to our official documentation at [https://docs.code4rena.com/](https://docs.code4rena.com/). If none of these solutions work, please contact our support for further assistance.", "Question: Are there any updated tools or platforms that can help visualize how smart contracts interact with each other, especially for beginners who might be struggling to understand the relationship of interfaces to smart contracts?\n\nAnswer: Visualizing smart contract interactions can be a great way to understand their interdependencies, especially for beginners. While Surya (https://github.com/ConsenSys/surya) has been utilized in the past, it appears to be outdated and may not be compatible with the latest Solidity upgrades. \n\nIt is also noted in the past discussions that tools for creating sequence diagrams other than the UML diagram tool (sol2uml) were also sought after. This indicates that the community is also interested in alternatives that can help generate comprehensive visuals. \n\nMoreover, other platforms like Sherlock were mentioned for smart contract auditing, but they seem to require a high degree of competence in the field. This could be a barrier for those still learning the ropes.\n\nAn additional resource you might find valuable is https://github.com/DanielVF/evm-contract-draw. This Github repository provides visualization for smart contracts, which could be a helpful tool for you.\n\nIn the context of auditing, CodeArena runs contests for analyzing smart contracts which can be a great way to learn and understand smart contracts in a more practical way. 
Also, automated tools like Mythril, Slither, and MetaTrust (https://app.metatrust.io/project) were mentioned for their utility in detecting vulnerabilities and bugs in smart contracts, which might be helpful in your understanding of the system as well.\n\nIf you are interested in learning solidity syntax and programming, the online Remix IDE was mentioned for its ability to check solidity code for syntax mistakes and checks. \n\nRemember, these resources and tools are just aids to help you understand the complexity of smart contracts. You might need to experiment with different resources and approaches until you find what works best for you.", "Q: My application to become a Certified Warden was \"closed due to inactivity for 2 days\". What does this mean and what should I do next?\n\nA: When your application to become a Certified Warden is \"closed due to inactivity for 2 days\", it usually means that there has been no action or response from your side within two business days after sending your request. While we do not have specific details about your case, please ensure that you have completed all the necessary steps such as checking your email, including the spam folder, for a communication from our Know Your Customer (KYC) partner at compliance@provenance.company. The KYC email usually arrives 2-3 weeks after submitting your application.\n\nIf you have already done this and are still facing issues, make sure you have met the requirements to become a certified warden which may include participating in a certain number of contests and having a certain number of valid findings or reports. If you've recently changed your username, this could potentially affect your application status.\n\nKeep in mind that after approval from the KYC firm, it takes approximately 2 weeks to mark a warden as certified. 
You can check your acceptance status on CodeArena's platform.\n\nIf you are still encountering issues, please reapply at https://code4rena.com/certified-contributor-application. For more details about the process and constraints, visit https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nRemember, once you're a Certified warden, you will be marked as \"Available for Hire\" and can participate in upcoming contests by logging into your account. We appreciate your patience and understanding during this process.", "Q: What is the impact of automated findings on the CodeArena contests, and how should I report bugs potentially introduced through mitigation efforts?\n\nA: The impact of automated findings on the contests is significant. These findings often identify potential issues in the smart contracts. However, bots not only identify issues but sometimes propose fixes. The concern arises when these proposed fixes introduce additional exploits. If you notice that a bot-proposed fix could lead to a new bug, it is important to understand that you cannot submit this new bug directly. \n\nOn Code4Arena, if a bug is found, it should be reported, irrespective of whether it might require substantial changes to the protocol. In such cases, recommendations for mitigation are appreciated, but not a requirement. However, the 'Recommended Mitigation Steps' in the bug template can improve the value of your report. While it's possible to submit a medium/high report without these steps, you should include an explanation as to why it cannot be feasibly mitigated. \n\nIn instances where an issue identified in an automated finding leads to a high severity finding, it's suggested that it could be reported again during the contest by a warden and could be rewarded with higher severity. 
However, it's important to understand that if a contest's bot report ranks an issue as low but a participant escalates it to high, the submission isn't automatically invalid. Submissions based on automated tools must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory. \n\nAnother point to note is that if a single line of code has multiple ways of exploitation, each exploit should be reported but priority should be given to the one with the most significant impact. If an issue found is in the same category as a bot report but not included in the bot report, it can be considered a valid finding. \n\nFor any report, always aim to include the issue, description, proof of concept (when necessary), and mitigation (when necessary) in a semi-professional report format. And remember, if a finding is valid but the severity is not correct, it may be automatically re-affected.\n\nPlease ensure you follow the submission guidelines provided at [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).", "Q: What are the requirements and best practices for providing a Proof of Concept (PoC) during a smart contract audit at CodeArena?\n\nA: Proofs of Concept (PoCs) are strongly recommended for smart contract audits at CodeArena. They can be presented in plain English, coded in any language, or even an attack contract followed by a written explanation of its effects. It is also acceptable to submit very long PoCs using external platforms like Gist.\n\nFor a medium severity bug, a PoC is usually required unless the bug is extremely apparent (like a typo or incorrect parameter). If you're unsure whether a finding is QA or Medium, it's better to file it as QA unless the PoC is coded. 
\n\nYou can submit a PoC by creating a public GitHub repository, providing a diff of an existing sponsor-supplied test/contract, or linking to it in your submission, depending on the length of the code. It's also possible to include images by linking them externally. \n\nWhile PoCs don't have to be executable or involve exact code, they should clearly demonstrate the vulnerability. If a PoC is too large to embed directly in the issue, it's advisable to provide a link instead. \n\nHaving a coded PoC with your report can increase your chances of selection and could come with a 30% bonus. However, the creation of a coded PoC will not have an effect on awards or the contest per C4 guidelines. \n\nHere are two examples of how to present a PoC for a bug and its impact: \n1. [https://github.com/code-423n4/2022-12-caviar-findings/issues/376](https://github.com/code-423n4/2022-12-caviar-findings/issues/376) \n2. [https://github.com/code-423n4/2022-12-caviar-findings/issues/343](https://github.com/code-423n4/2022-12-caviar-findings/issues/343)\n\nFor more information on how to include a PoC, check out our instructions at [https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept](https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept).", "Q: I have been granted backstage+ access, but when I tried to visit https://github.com/code-423n4/2023-07-axelar-findings, it said 404. My GitHub username is QiuhaoLi, could you help to check out?\n\nA: Sure, I can help you with that! Sometimes this issue can occur if there has been a recent change to your user profile information, like a Github username update, which requires a manual update to your backstage access by Code4rena Github admin. I've re-sent your invite, so please let me know if it works now. \n\nKeep in mind that backstage access is restricted to certain user privileges. 
One has to be a certified contributor and have a valid high submission to gain access to the 'backstage' group. If you need more information about how to get the backstage role, you can find it here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. \n\nTo further apply or confirm your eligibility for backstage access, you can submit a help desk request at https://code4rena.com/help. After your backstage access has been granted, you should be able to access the findings repo and discuss your findings on specific issues. \n\nYou may also want to know that reports are published only on the C4 site; access to the GitHub repository is an additional feature obtained through the backstage role. If you ever encounter any similar issues in the future, don't hesitate to reach out. We're here to help!", "Question: How can I include replaced lines in my submission, format my report, and edit my findings?\n\nAnswer: You can include replaced lines in your submissions by using diff tools, such as those available on Linux. If your submission involves various lines changed, you can also choose to send a git patch or a PR to the repo.\n\nWhen formatting your report, you can use Markdown syntax, which is supported by our submission form. The Markdown syntax can be used for including images and for formatting code snippets. For adding images to your report, please follow the guidelines at [Markdown Guide](https://www.markdownguide.org/basic-syntax/#images-1). If you face issues with image submissions, you can try rendering the image correctly on another platform like GitHub and then include that link in your submission. \n\nWhen submitting through the Code4rena interface, a markdown template is proposed. You can also format the solidity code in your submissions to make it look better. 
If you have a tool that displays code snippets with line numbers on the left, you can certainly include that in your report as well, although we don't have explicit preference for this.\n\nOnce you submit an issue, you are able to edit your findings. You can do this on the contest page under 'your findings'. In case you need to increase the severity of a submitted bug during a contest, you can submit a help request to remove the original submission and then submit again via [Code4rena Help](https://www.code4rena.com/help). You can submit reports more than once if they are missing any items. \n\nIf you want to submit larger reports, you can send them by email and then place a placeholder in the original submission. This method has been suggested to be added to our official documentation. Valid links to code fields are needed for all submissions.", "Q: What is the process and timeline for the publication of audited reports validated by judges at CodeArena?\n\nA: After an audit competition ends at CodeArena, the reports go through a comprehensive process before they are published. Firstly, they get reviewed and triaged by judges immediately after the contest ends. Then, they await sponsor review, final judging, and a Quality Assurance process before being made public. \n\nThe turnaround time from the end of the audit competition to the release of the reports varies widely - from 2 weeks to over 6 weeks, with an average of around 4 to 6 weeks. Efforts are continually being made to decrease this time. However, certain factors such as the specifics of the contest and the number of reports under review can influence the timeline. \n\nAlso, it's important to note that not all findings submitted for contests may make it to the final report, and the reason might not be immediately known. These will only be apparent once the reports are published, which is why patience is needed during this process. 
\n\nLastly, the sponsors have the final say on the publication timing, to allow them sufficient time to mitigate any issues. Once the judging is complete and the results have been posted, the release of the report can sometimes take additional time as the CodeArena team needs to get the green light from the projects involved.\n\nFor more details on the process and roles, refer to this link: [https://docs.code4rena.com/roles/certified-contributors].", "Question: \nI recently accepted the invite and joined CodeArena's Discord channel, but I'm unable to access the axelar findings page as it shows a 404 error. Can you help me with this issue?\n\nAnswer:\nSure, we are aware of the occasional errors users encounter while trying to access certain resources. In particular, some users have reported a 404 error when trying to access pages like https://github.com/code-423n4/2023-07-axelar-findings. \n\nAccess to these resources is typically restricted based on user privileges. For instance, to access the findings page, you need to be part of the \"backstage\" group. If you haven't received an invite to this group yet, please let us know. \n\nIt's also worth noting that some users have reported issues with submitting findings through certain browsers like Firefox and Chrome due to permalink errors. So, if you're encountering issues, you might want to try accessing the page through a different browser. \n\nIf you've submitted your findings but don't see them reflected, please be patient as it can take some time for the submission to be confirmed via email. If the submission fails, the form should return an error. However, if you haven't received an email after submission, you can open a help desk request at https://code4rena.com/help/.\n\nPlease remember, the immediate access to findings repo is generally reserved for Certified+ users, though there might be delays in rolling out this feature to everyone. 
\n\nIn case you need to edit your findings, you can do so by navigating to the contest page and clicking on the 'your finding' button. \n\nWe apologize for any inconvenience caused and appreciate your patience as we work on resolving these issues.", "Question: I believe I qualify for the backstage role at CodeArena, but I'm having some issues with my account. I don't seem to appear in the list of Backstage Wardens, and I can't access Axelar. Can you guide me on how to verify and rectify this issue?\n\nAnswer: If you believe you meet the criteria to be a backstage warden at CodeArena, the first step is to ensure that you're indeed part of the \"backstage\" group on the Discord server. To become a backstage warden, you're typically required to identify your first high vulnerability and have a valid high submission.\n\nIf you think you meet these criteria, you can submit a help desk request at https://code4rena.com/help, detailing your request for the backstage role. More information on the criteria for becoming a backstage warden is detailed in the Code4Arena documentation at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.\n\nIt's worth noting that access to certain resources, such as the findings page, is restricted based on user privileges like being part of the \"backstage\" group. Therefore, if you're missing this role, you may not have access to certain areas of the platform.\n\nAdditionally, the backstage role allows users to engage in activities such as the post-judging QA period where wardens can comment on the judges' decisions. It also allows you to view reports from past contests and to discuss your findings with the community.\n\nLastly, remember that your request for backstage access may be under review if you've recently applied, as backstage access is typically granted post audit closure if it's an open audit.", "Question: \nI'm experiencing difficulty in submitting my report. 
I'm receiving an error message that says \"API rate limit exceeded for user ID 81770958.\" What does this mean and how can I resolve it?\n\nAnswer: \nThis error message, \"API rate limit exceeded,\" signifies that you've surpassed the number of allowed API requests within a certain timeframe. This limit is set to ensure the efficiency and integrity of our system. This error usually resolves itself after a short waiting period.\n\nIt's notable that other users have reported this issue, and it has been flagged for our developers. However, if the problem persists, there could be other underlying causes. For instance, one occurrence involved a gas report that exceeded approximately 65k characters, which is over Github's maximum character limit for issue descriptions. If your report is this large, it won't be able to be submitted through the form due to this limitation. In such a scenario, you can submit a placeholder and then email your full report to submissions@code423n4.com. Details for this process can be found at the following link: https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.\n\nIf you continue to encounter difficulties, we recommend attempting to submit your report on a different browser or checking the site access at a later time as there have been reported instances of intermittent technical issues affecting submission processes. If the error persists, please reach out to our support team for further assistance.\n", "Question: How can I gain access to the findings repo on CodeArena by being added to the backstage group on GitHub?\n\nAnswer: Accessing the findings repo on CodeArena requires backstage access which is based on certain criteria. 
This is an additional role obtained apart from being a certified contributor, which provides you with special privileges like viewing submitted reports on Github during the triage process and discussing your findings. \n\nThis role is granted to certified wardens with an established contribution level and requires you to have at least three medium findings and four total findings, along with participation in our contests. To apply for backstage access, you must first become a certified contributor by following the guidelines detailed here: https://docs.code4rena.com/roles/certified-contributors. \n\nOnce you fulfil these criteria, you can request backstage access here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens#to-request-+backstage-access. \n\nPlease note, changes to your user profile on Code4rena, like a Github username update, will need a manual update to the backstage access by a Code4rena Github admin. Furthermore, ensure that you're logged into the correct Github account, the same one registered with C4. You will be notified once your request for backstage access has been reviewed. \n\nRemember, backstage access doesn't mean automatic access to any contest in progress, but it does allow you to view reports of past contests and access to the findings repo once a contest ends. \n\nPlease note that sharing information about findings for judging in progress with individuals who do not have backstage access can lead to your backstage access being revoked. You can find more information on the backstage role and its prerequisites at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: What is the status and process of projects involved in C4 audit contests?\n\nAnswer: C4 audit contests typically involve projects that are yet to be deployed, although there can be exceptions where some contracts may already be live on chain and simultaneously being audited on C4. 
These smart contracts are real and are deployed after the audit process, with the aim to minimize vulnerabilities and optimize performance. \n\nTeams looking to have their contracts audited can inquire about operational details and pricing online, and they also have the ability to participate in the auditing contests. The specifics about ongoing and upcoming contests, including the names of the projects, can be checked on the CodeArena website (code423n4.com). The website also provides information about the status of past contests, timelines and award calculation process, which is currently being updated.\n\nUsers can also find updates regarding the contests in the \"Past Contest Status Updates\" section and in the #\u270brsvp channel. They can ask questions about findings for past projects and can take part in private competitive audits. The projects have access to submitted findings before the contest concludes and they can edit these findings while the audit is open. \n\nOnce the audit process is completed, the audit results are reviewed - the duration of this review can vary with each contest. For instance, the audit results for Biconomy Hyphen 2.0 are currently in review and are expected to be published in upcoming weeks. \n\nPlease note that the audit process takes into account the current state of the project and the scope may not include vulnerabilities pertaining to deployment or early actions like initializers, especially for projects with already deployed code. It's also worth mentioning that C4 hasn't hosted any contests for Solana as of yet, although there might be developers from Solana in the community.\n\nFor more details or specific queries, the team is always ready to assist.", "Question: I experienced an error message stating \"API rate limit exceeded for user ID 81770958\" when I tried to submit my report for the Arcade contest. 
What can I do to resolve this issue?\n\nAnswer: This error usually appears when the API rate limits have been exceeded. It's a problem that several users have encountered when attempting to submit their reports for contests like the Arcade contest. This issue could be due to the size limit on submissions, as GitHub, our submission platform, imposes a maximum character limit for issue descriptions. If your report is larger than ~65k characters, it might not be able to be submitted through the form. \n\nIn such cases, you can send your submission directly to our email at submissions@code423n4.com. We've flagged this issue for our developers and are working towards a resolution. \n\nIf further assistance is needed, you can submit a help ticket at https://code4rena.com/help. Please note, however, applications to backstage at CodeArena are currently paused due to an identified issue. We appreciate your patience and understanding as we work to resolve these technical issues.", "Question: How can I verify if I'm part of the Backstage group and how can I become a member if I'm not?\n\nAnswer: You can check your group membership status on CodeArena's Discord platform. If you're not a part of the \"Backstage\" group, you can apply for the '+backstage' role. This role is necessary to access certain resources like the findings page and to view issues reported for contests.\n\nTo qualify for the '+backstage' role, you need to meet certain criteria which include having a valid high submission among others. You can find detailed information about the qualifications at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.\n\nOnce you believe you meet the criteria, you can submit a help desk request to review your eligibility and apply for the '+backstage' role. The help desk request can be submitted here: https://code4rena.com/help. \n\nPlease note, all backstage applications will be reviewed and you will be notified once your request has been processed. 
\n\nIt's important to note that the backstage functions can sometimes be closed for new applications. If this is the case, you will have to wait until they are reopened to apply. \n\nLastly, some users may qualify to be a Backstage Warden, a distinct role from the certified contributors. Users who have over 3 mediums confirmed may be eligible for this role.", "Q: If I update my Discord username, how does it affect my CodeArena account and what steps do I need to take to ensure everything is in order?\n\nA: If you change your Discord username, it may affect your account on CodeArena, particularly if you are registered as a warden. It's important that your updated Discord username is tied to your CodeArena account to ensure you can be tagged in any award announcements. However, changing your username doesn't affect your ability to receive awards.\n\nIf you've updated your Discord username, you may need to update it on CodeArena as well. This can be done on the Account Management page of your warden profile. Your Discord name can be updated here, but your Discord nickname should remain as your registered C4 username. Despite this, usernames on CodeArena are currently immutable and can't be directly changed.\n\nIn the case you want to change your username on CodeArena, you will need to re-register. Please note that if you change your username, your statuses wouldn't carry over to the new account.\n\nIf you are having issues connecting your Discord account with your Code4Arena account, or if you have any questions or need help with a username change, you can reach out to the Code4Arena Help Desk at https://code4rena.com/help or seek help in the #auth-help channel on Discord.\n\nRemember, maintaining consistency between your CodeArena and Discord usernames helps prevent any confusion or overlap. 
While it's possible to change your wallet and username on Discord and have these changes reflected in your Code4Arena account, it's advised you first consult with the Code4Arena Help Desk.", "Q: How can I change my username or nickname on Code4rena or Discord? Can I create another account using the same email or GitHub address? What happens to my statuses and leaderboard standings?\n\nA: Yes, you can change your username or nickname on Code4rena and Discord. However, on Code4rena, to change your username, you'll need to re-register. Similarly, for Discord, you'll need to update your Discord nickname to your new handle. Be careful, though, because your statuses (like the certified status) and leaderboard standings from your previous handle are not transferable to the new account. \n\nYou also have the ability to change your account details, like your Twitter username, by submitting a help desk request. \n\nAs for creating another account using the same email or GitHub address, the information we have is a bit unclear. Some users have been able to create two accounts with one email and discord, but it's advisable to seek clarification from the developer team through our help desk. \n\nIt's also important to note that if you're a warden, changing your username could affect your account registration. And if you're considering creating duplicate accounts to submit the same issue for more rewards, please be aware that this is not beneficial due to our Sybil protection measures. \n\nFor any further inquiries, or if you experience a mismatch between your site username and Discord nickname, please contact us through the helpdesk.", "Question: How can I participate in and check for the results of bot race qualifiers at CodeArena?\n\nAnswer: To participate in the Bot Races at CodeArena, you have to register your bot during the qualifier. 
Bot qualifier events are held every few weeks and information about the next qualifier can be found in the #\u270brsvp channel on the CodeArena Discord server. The link to apply for the Bot Race is also shared in the same channel. You can find detailed instructions to participate in the Bot Race on this page: https://code4rena.com/register/bot.\n\nThe results for bot qualifiers are usually announced within a week after the event, and the announcement about the top bots is posted in the #\u270brsvp channel. You can also view your QA reports for contests that have already closed to see how your bot performed.\n\nIn terms of how the bot race works, they are held for the first hour of an audit and users are rewarded for findings made with AI. The criteria for a top-3 finish can be checked by the organization upon request. If a bot finds a high or medium finding, it only gets the bot pool reward based on the bot race rank. Bots can gain more rewards by having more points and shifting the rank cutoffs, thus bumping others to lower ranks. \n\nIf you have any further questions related to Bot Races, you can ask in the #bot-race-help channel on the Discord server.", "Question: How can I change my username in CodeArena and what are the implications?\n\nAnswer: To change your username on CodeArena, you need to re-register with the new username. Please note that while you will be able to use the same email or GitHub address during this process, your leaderboard status, warden status, and any submissions made under the previous username will not be transferred to your new account. This means you might need to reapply for certified status or register as a warden again with your new username. \n\nIf you decide to change your registered wallet (login address) on the platform, it will not affect your account. However, we encourage you to ensure consistency between your site username and Discord nickname to avoid confusion or potential credit misattribution. 
\n\nIf you face issues with registration or can't find your username on the list, please communicate directly with our staff. We're aware of some issues with user registration and login, as well as team registration visibility on user profiles, and are actively investigating these.\n\nPlease remember that handle registration is mandatory for submissions. Always use your handle when submitting, as findings may be incorrectly credited if you use someone else's handle. \n\nFor a step-by-step guide on the registration process, please visit [insert link for registration guide]. \n\nPlease note: this information is subject to change and users should always verify the current procedures on CodeArena's official website.", "Q: Are there any known issues with the CodeArena service that I should be aware of? \n\nA: Yes, there have been various reported issues relating to the CodeArena service. Problems were reported with the certification process, but it's important to note that this has been fixed. Users have reported difficulties with registration and login, connecting their wallet on the website, and also intermittent difficulties accessing the site. The \"Create Issue\" button has also sometimes been unresponsive, with no console errors present to help identify the issue. Some users reported problems with the password reset function. Additionally, API rate limit errors were encountered when trying to submit reports. If you experience difficulties, especially with performing tasks via mobile, you can reach out to us via submissions@code4rena.com for assistance. We have a help desk and a process in place for submitting tickets for issues. Rest assured, our team is constantly monitoring for technical glitches and works promptly towards a resolution.", "Question: How and when are the bot qualifier results announced and where can I find information about upcoming bot races?\n\nAnswer: The results for bot qualifiers are typically announced within a week following the event. 
You can find these results, along with updates and information about upcoming qualifiers, on the #\u270brsvp channel on our Discord server and on the #\ud83d\udce2announcements channel. In order to participate in bot races, you must first register your bot during the qualifier phase. These qualifiers are held every few weeks, so keep an eye on the aforementioned channels for updates. Once you've participated, you can check all the reports you've submitted during the competition and will receive a confirmation by email. For more detailed insights about bot races, you can visit https://code4rena.com/register/bot. The results of past contests can also be found on our website at https://code4rena.com/reports. Please note, the timeline for publishing contest results can vary due to the judging process, but typically it takes about two months for the results to be announced.", "Question: What is the process for reapplying for certified status after changing my account and what does certified status entail?\n\nAnswer: Yes, you can reapply for certified status after changing your account or username. To apply, you need to contact CodeArena through the help desk form. The application is then reviewed by provenance and once approved, it usually takes a few days for the certified status to reflect on your profile. \n\nYou will also need to complete the KYC (Know Your Customer) verification process during your application. Once you have applied for certification, you can check your application status by email communication and you will also receive an email once your certification has been finalized. \n\nBeing certified grants you access to more contests, enables you to join any contest including certified contests, and lets you edit your user profile on Code4Arena. You can also apply to be a Certified Contributor or for a Certified+ status, with the application guidelines available at https://docs.code4rena.com/roles/certified-contributors. 
\n\nHowever, please note that being certified does not automatically grant access to previously participated contests in progress judging repository and you may need backstage access for that. \n\nKeep in mind that if you choose to re-register to change your username, your leaderboard status and contest submissions from your previous account won't transfer to the new account. The process for certification can take between 2 to 5 business days for finalization after approval. Lastly, if you wish to display an 'Available for Hire' status on your profile, it might not immediately appear after certification due to manual steps on the backend.", "Question: What is the difference between advice and a valid issue during an audit contest, and how does the discussion with the sponsor or other wardens affect the validation of the finding?\n\nAnswer: The primary difference between advice and a valid issue in an audit contest lies in the severity and potential impact of the identified problem on the smart contract. Advice generally implies suggestions for optimizing the code or enhancing its functionality, while a valid issue refers to a flaw or vulnerability that could impair the functionality, security, or efficiency of the smart contract. \n\nWhile discussing findings with sponsors or other wardens, Code4rena encourages open dialogue. However, the final decision regarding the validity and severity of an issue lies with the contest sponsor and judges. It's beneficial to include a proof of concept and a convincing argument for how the identified issue can be exploited to avoid getting labelled as invalid. \n\nParticipants can openly discuss issues with the sponsors before the contest is finished, including severity and in-scope/out of scope questions. If a participant points out a judge-approved bug or logic flaw, it's considered an achievement. 
\n\nYou can review the policies related to submission and discussion of findings here: https://docs.code4rena.com/roles/wardens/submission-policy#audit-contest-guidelines\n\nAfter the contest, the company may release all unverified submissions a few days after a contest ends for learning purposes. This allows participants to learn why their submissions were not accepted, see the discussion among sponsors and judges on the specific issues, and improve their future submissions. More details can be found here: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123 \n\nRemember, the level of detail in the submission, for example, the inclusion of a Proof of Concept (PoC), and the way the issue is covered in as many aspects as possible can influence the award amount. However, the order of submitting issues does not matter in the context of the discussion. The more wardens find the same issue, the less money each warden receives for this issue. More details can be found here: https://docs.code4rena.com/incentive-model-and-awards.", "Question: How do I stay updated on the upcoming contests and their status at CodeArena?\n\nAnswer: Upcoming contests at CodeArena are announced and updated primarily on our Discord server's #\u270brsvp channel. This is where you can find all the important details about each contest, including whether it's open to the public, the contest's scope, and any requirements for RSVP. \n\nIn case you notice a contest that was previously listed under \"upcoming contests\" but isn't showing up in the \"live contest\" section, it's likely due to occasional gaps in our live contest schedule. You can check the specific contest channel for any updates. In fact, each contest has its own designated channel where participants can ask general questions or interact directly with sponsor team members via Direct Message. 
\n\nIn addition, the \"Past Contest Status Updates\" section provides a timeline of progress for all contests, including those that are currently in the process or fully judged but awaiting award calculation. \n\nA bot will announce registrations for new contests in the #\u270brsvp channel. However, please note that some contests may be private and access details will be provided separately. \n\nLastly, while we strive to make timely updates and award announcements, there may be instances where rewards are delayed or certain contests, like JPEG'd, are not yet announced. We appreciate your patience and encourage you to connect directly with the specific contest's sponsor for any specific inquiries.\n\nPlease note that we're constantly working to improve our process and provide you with the most current information. So stay tuned to our Discord server and especially the #\u270brsvp channel for all the latest contest news!", "Question: What is the process and requirements to obtain the 'leaderboard' role on CodeArena's Discord?\n\nAnswer: To obtain the 'leaderboard' role on CodeArena's Discord, participants must meet certain criteria. Primarily, you must place on the leaderboard by having a high rank from participating in contests. It's also noted that often the top 5 participants of a contest who have received rewards are eligible for the 'leaderboard' role. The leaderboard updates when awards are announced, and your position on this board affects your chances to audit private contests and other opportunities. \n\nTo make the most out of your standing on the leaderboard, it's recommended that you also complete certification and maintain a high position on the leaderboard. This enhances your chances of qualifying for auditing private contests and may open up opportunities such as backstage access. 
\n\nIt's worth noting that there are potential plans to improve the leaderboard in the future, including introducing different timelines, adding badges for various achievements, and implementing leaderboard seasons.\n\nYou can check the leaderboard here: https://code423n4.com/leaderboard/. \n\nRemember, all criteria for gaining roles and privileges are considered satisfied once the awards are announced and added to the leaderboard.", "Question: How can I link and manage multiple submissions during the process of reporting an issue?\n\nAnswer: When submitting an issue in CodeArena, you can link a separate submission by referring to its number. You can locate this number on the \"Your Findings\" page by clicking on the issue, where its number is presented in the URL. After you click \"CREATE ISSUE\" in \"SUBMIT FINDING\", the form data is processed into a submission that is stored in the findings repository for the respective contest. It will be evaluated by the judges after the contest ends.\n\nIf you are reporting multiple bugs, you should make separate submissions according to the type and severity of each bug. Judges and sponsors appreciate when similar issues are grouped together. You can only submit one QA issue, but if you discover another error, you can edit your existing submission. To edit a submission, look for the \"Your findings\" button.\n\nIf you are part of a team, the submission form allows you to indicate whether you are submitting as an individual or as a team member. However, the exact process of team submissions is not well-defined. If you wish to increase the severity of a reported bug during a contest, you can submit a help request to remove the original submission and then submit again via code4arena.com/help. \n\nSubmissions require valid links to code fields and can include GitHub repositories as proof of concept. Code in the submission issue form can be formatted using Markdown. 
If a submission involves various lines changed, you can send a git patch or a PR to the repo. For larger reports, submitting by email and placing a placeholder in the original submission has been suggested and could be added to the official documentation. \n\nRemember, awards are distributed based on individual issues, so multiple items in one submission are counted as one submission. If you encounter issues during the analysis submission process, you can submit a help desk request. New submission mechanisms are planned for future contests. After submitting a bug, you can view or edit your own submissions on the site for open contests.", "Question: What happens if my prize money gets frozen due to KYC issues or other complications with Revolut or other payment systems?\n\nAnswer: It's important to be aware that payment processors like Revolut have been reported to freeze accounts, and in some cases, not return the money. This has been a point of discussion in our community. Also, there have been concerns about official entities flagging accounts on platforms like Binance P2P, leading to immediate bank account freezes. \n\nOur process at CodeArena acknowledges these potential hurdles. When a team wins a prize but is unable to claim it due to Know Your Customer (KYC) issues or payment complications, we aim to provide support and guidance. However, it's not entirely clear whether the prize will be on hold until the KYC or payment issues are resolved, or if the reward could potentially be lost. \n\nWe strongly recommend doing your research, understanding the involved risks, and making the decision that is best for you. It's also important to ensure the security of your private keys and wallets, as there have been instances where users have had their wallets compromised. \n\nRevolut and ZEN are suggested as alternatives for being crypto-friendly. 
In cases of KYC process delays, we urge patience as these are necessary steps for ensuring security and legality of the transactions. \n\nLastly, if any suspicious activity or potential scam is reported, we encourage users to inform us so we can take appropriate action.", "Question: What alternatives do I have if I can't use crypto payment channels due to my country's restrictions and how can I ensure these changes don't impact my participation in Code4rena?\n\nAnswer: In countries with crypto restrictions, you can explore alternative payment channels to exchange your crypto earnings without arousing bank suspicion. Options like Revolut and ZEN are both crypto-friendly and can help you in this process. As a last resort, Binance P2P is also suggested, but it's essential to be aware that there have been instances of official entities flagging sellers and buyers accounts on Binance P2P, leading to immediate bank account freezes.\n\nFurthermore, to ensure a smooth transition, you can change your payment wallet address on your Code4rena profile to a new one, for instance, to a new wallet address to prevent future rewards from being stolen or the Binance address. However, please note that you own the coins only if you possess the keys. \n\nKeep in mind that participating in some audits requires KYC (Know Your Customer) verification. This process may lead to some delays. If you do not have a passport for identification verification, other forms of ID may also be acceptable.\n\nLastly, you do not need to login with a wallet to participate in contests, only a payment wallet is needed. In case of any crisis related to stablecoins, swaps can be made. 
Rewards earned from findings can be withdrawn and sent to preferred crypto trading platforms such as Binance.", "Question: If the bot race finds an issue in a smart contract but a participant discovers another instance of that issue not picked up by the bots, is it valid to submit and how should it be handled?\n\nAnswer: Yes, it is valid to submit an issue that has been found by the bot race but with another instance not picked up by the bots. When an issue, even of the same category as a bot report, is discovered and not included in the bot report, it is regarded as a valid finding. However, it's generally advised not to include instances of the same issue reported by a bot unless they build a more complex exploit.\n\nIf a contest's bot report ranks an issue as low but a participant escalates it to high, the issue is not automatically invalid. However, submissions based on automated tools must provide strong evidence to demonstrate a relevant High or Medium severity exploit path. This is to ensure that the issue is not being overstated or understated, and proper severity rating is assigned. You can find more about the submission policy related to automated findings at [C4's Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nWhile submitting an issue, it is beneficial to include a proof of concept and a case made for how an item can be exploited. Additionally, it is important to be explicit about the issue being missed by the bot in your submission, and if possible, reference any relevant previous issues you submitted. If an issue has been identified that has not been picked up by the bot race, it should be added, particularly if the bot race report has a low vulnerability with more than two instances. \n\nConsequently, users are advised to report the issues they find and clarify any concerns in the #bot-race-help channel. 
We encourage our users to learn and grow from this process, and there is a process for understanding why a bug was not accepted to improve future submissions. This is all part of our commitment at Code4rena to ensure robust, secure smart contracts.", "Question: What happens if I encounter an error or wish to update my submission before the contest deadline?\n\nAnswer: If you encounter an error during your audit or wish to update your submitted QA report, you have the option to do so as long as the contest is still ongoing. CodeArena allows participants to submit bug issues. In the case of an incorrect proposed solution, you can update the submission before the contest ends. Similarly, if you find another error after your initial submission, you can edit your QA report. However, please keep in mind that there is a firm deadline for the submission of reports. Late submissions will not be accepted. A countdown timer may be implemented to help participants keep track of the submission deadline.\n\nIf you experience submission errors or issues, you can seek assistance from our team. We also have a procedure for submitting a help desk request for issues that arise during the analysis submission process. An automated confirmation email will be sent after successful submission, but please note that there may be delays in receiving this email.\n\nIf you are unable to submit due to unforeseen circumstances, such as a power outage, contact us immediately. It's worth noting that any findings submitted before the deadline are not shared with anyone, including the project team and judge, until after the deadline passes. CodeArena also provides a grace period for submissions, allowing changes to the severity of reported bugs after the closing time of the contest either through the PR or by contacting one of the judges.\n\nPlease also be aware that there is no specific timeframe for submitting high or medium issues. 
These can be submitted even on the last day of the contest, but it's advisable not to wait until too close to the contest close time. \n\nFor more information, visit www.codearena.com/faqs.", "Question: If I find an issue that seems similar to one found in an automated report but it's in a different instance or has a different impact, is it considered a valid submission?\n\nAnswer: \n\nYes, an issue can be valid to submit even if it appears similar to one found by the automated bot but is present in another instance not picked up by the bot. The issue's validity is further strengthened if it can describe a loss of precision within the context of the code with a potentially significant impact. Moreover, if the issue is in the same category as the bot report but isn't included in that report, it might be considered a valid finding.\n\nHowever, keep in mind that the specific severity of an issue does not matter as much as a clear, detailed explanation of the finding. If the severity is not correct, it may be re-assessed following a discussion. In some cases, issues might be upgraded to a higher severity.\n\nFurthermore, if two different issues can be resolved by fixing the same thing, they would typically be considered as one issue. However, if fixing the root cause without considering both issues will still leave one of them active, the situation might be different. \n\nIt's also relevant to note that if an issue that is submitted as high severity but is downgraded to medium by a judge, it doesn't necessarily mean it's invalidated unless it's deemed overinflated severity. You can refer to the guidelines on this in the CodeArena documentation [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions).\n\nThat being said, each issue is subject to review by the judges who may label issues as invalid if they lack enough detail, proof or are of extremely small impact. 
If you feel your issue has been wrongly invalidated, it's recommended to raise your concerns and ask for clarification. \n\nHere are a couple of examples of accepted submissions that could help you understand what constitutes a valid issue and how to adequately describe its impact: [example 1](https://github.com/code-423n4/2021-10-slingshot-findings/issues/82), [example 2](https://github.com/code-423n4/2022-12-caviar-findings/issues/141).\n\nPlease remember that the validity and severity of an issue are ultimately the judge's call, and even if two similar issues are found in different components of the code, they might count as separate findings or may be considered duplicates, depending on the judge's assessment.", "Question: Can you explain how the grading system works for reports and what factors influence the assignment of grades A, B, and C on my QA and gas reports?\n\nAnswer: The grading system for reports in CodeArena is a relative scoring system, where your report is graded in comparison to other submitted reports. Factors such as the number and quality of findings, as well as their validity, play a key role in the grading process. However, having a larger number of low-impact issues might not necessarily lead to a higher grade. A report could have one significant issue and be graded as B, or have multiple low-impact issues and be graded as C.\n\nNotably, a grading of 'A' indicates a high-quality report, and the users with this grade are eligible for awards. Even grade-B reports are eligible for awards, though the number of shares they receive is less than an A grade report, with grade A reports counting for 2 shares, grade B for 1 share, and the best report receiving a 30% bonus. \n\nThe grades are also determined by the correctness of the findings, with incorrect findings potentially lowering the grade. Furthermore, the classification of findings (be it QA or Medium), has an impact on the grading. 
However, it\u2019s important to note that not all findings or reports are guaranteed a reward. They must meet quality standards to be considered valid and satisfactory.\n\nIn some instances, your report might not have been mentioned in the responses due to it being classified as 'automated findings', rated as grade-C, or not being awarded in the judgement procedure. It\u2019s also possible that your reports are not featured in the client report, despite being valid. \n\nFor further information on the grading system including how submissions are categorized into grades A, B, C, and the bonuses each category receives, you can refer to the detailed documentation at https://docs.code4rena.com/awarding/incentive-model-and-awards and also https://docs.code4rena.com/awarding/incentive-model-and-awards/curve-logic. \n\nRemember, questions about specifics like risk rating for findings, or how to proceed after reporting an issue but being unsure about the severity can be resolved by reviewing these guidelines, looking at how similar issues were judged in the past, and making your case as clearly as possible.", "Question: Is it valid to report an issue I found in a codebase that falls under the same category as a problem identified by the bot report, but the specific instance of the problem I found isn't included in the bot report?\n\nAnswer: Yes, it is valid to report such an issue. If you find an instance of an issue that falls under the same category as a problem identified in the bot report, but the specific instance you found isn't included in the bot's report, it is considered a valid finding. This is especially true if the report by the bot race missed other instances of the same issue in the codebase. However, it's crucial to make it clear to the judge that the issue you found is related to a bot finding. \n\nIf the bot report ranks an issue as low severity but you escalate it to high severity, it doesn't automatically make your report invalid. 
However, you must provide strong evidence to demonstrate a relevant High or Medium severity exploit path for your submission to be considered satisfactory. You can refer to our submission policy for more details: [Code4rena submission policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nIt's also important to note that while you can report multiple instances of the same issue, these issues should not simply echo the findings of the bot report. Your report may face penalties if it's very similar to the bot report. Instead, try to build upon the bot report, perhaps by identifying a more complex exploit. Also, remember that findings listed in the best bot-generated report are considered out of scope for the contest. \n\nWhen submitting findings, a single report with all occurrences of the same issue is acceptable. If a single line of code has multiple ways of exploitation, it may be reported as separate bugs. However, it's ultimately up to the judge to determine if they're duplicates or separate issues.\n\nFinally, remember that not all findings necessitate a detailed proof of concept. If the problem is self-evident\u2014such as a typo, incorrect parameter, or uncompiled code\u2014an explanation may suffice. But if the issue is more complex, a clear PoC could strengthen your report.", "Q: Should I report the same types of issues found in multiple different places in the code together as one issue, or should I report them separately?\n\nA: If you come across the same kind of issue in multiple areas of the code, there are several factors to consider when deciding whether to report them together or separately. \n\n1. If the issues are identical in nature and can be resolved by fixing the same thing, then they should be reported as one issue. For instance, multiple instances of the same vulnerability should be reported as one. \n \n2. 
However, if the issues, while similar, occur in different components of the codebase and might require separate fixes, then they might count as separate findings. \n\n3. For non-critical findings such as QA/gas report issues, it is generally advised to combine them into a single report. For medium and high-risk findings, it is preferred to report each issue separately. \n\n4. If a line of code has multiple ways of exploitation, you should report all the bugs, but give priority to the one with the biggest impact. \n\n5. If two people from a team find the same issue but intend to submit it with different wallets, a problem could arise. \n\n6. It is generally not worth including instances of the same issue reported by a bot in your reports. \n\n7. If you\u2019re not sure whether to report findings separately or together, you can refer to the discussion at [https://github.com/code-423n4/org/issues/8](https://github.com/code-423n4/org/issues/8) for more clarity. \n\nIn conclusion, while there is some flexibility in how you report multiple occurrences of the same issue, it's best to consider the context of your findings, including the severity of the issues and whether they occur in the same or different components of the codebase. If you're unsure, it's advisable to seek guidance through community discussions or past discussions such as the one linked above.", "Question: What are the aspects of Web2 security that also apply to Web3 security, and are there any resources to better understand this correlation?\n\nAnswer: Several aspects of Web2 security also apply to Web3 security. For instance, vulnerabilities in Linux kernel or Remote Code Execution (RCE) on the node can be exploited to compromise an Ethereum node, demonstrating how traditional cybersecurity concepts can carry over into the Web3 space. \n\nThe importance of understanding Web2 security in the context of Web3 security is often debated. 
Some users believe that practical knowledge of Web2 security, including threats like DDOS attacks, is beneficial for Web3 security. However, others suggest that while the two fields share a common mindset, the specifics can significantly differ.\n\nTo understand this correlation better, you might want to look into resources like books or certification courses on smart contract security, as it's a significant part of Web3 security. Several users have also suggested studying the Geth node and Web2 security in the context of Web3. \n\nAn interesting nuance is the concept of Reentrancy, which is a common issue in both Web2 and Web3 sectors. Plus, understanding Web2 security can be crucial if you're considering a career in smart contract security or web3 security auditing. \n\nRemember, while automated tools can identify vulnerabilities in smart contracts, it's not enough. A thorough understanding of Web2 security principles can help predict and prevent novel attack vectors in the rapidly-evolving Web3 landscape.\n\nLastly, keep in mind that the field of cybersecurity values the practical application of knowledge. Participating in activities like Capture The Flag (CTF) competitions, whitebox audits, and reading vulnerability reports can also help you understand how Web2 security principles apply to Web3.", "Q: For a smart contract audit at CodeArena, is a Proof of Concept (POC) required? If so, what are acceptable formats and submission methods for a POC?\n\nA: Yes, a Proof of Concept (POC) is indeed recommended for smart contract audits at CodeArena. A POC can significantly increase the chances of your report being selected for a 30% bonus. The POCs do not have to be executable or even exact code - they can be submitted in code, plain English, or bullet points. You can also include images as part of your POC by linking them externally. 
\n\nIt's permissible to use external platforms like Gist for submitting long POCs or to create a public Github repository to submit your POC. Direct links to all referenced code in Github can be provided along with adding screenshots, logs, or any other relevant proof that illustrates the concept. For instance, you can take a look at this accepted POC example which involves the code along with a detailed comment about the bug itself and its impact: https://github.com/code-423n4/2022-12-caviar-findings/issues/343.\n\nWhile it's not necessary, a coded POC with a clear description of the process can increase your chances of having your report selected. If you cannot provide a POC for a medium severity bug, your finding may be disregarded unless the bug is extremely obvious. Therefore, it's generally recommended to always include a POC in your report to be certain.\n\nFor further guidance, you can refer to the instructions on how to include a POC at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept.\n\nRemember, the best reports focus on a specific issue or attack, feature the project's code, have an easy-to-understand POC or specific example, and include a coded test that demonstrates the vulnerability.", "Question: I am unsure about the classification of my finding between high and medium. What steps should I take to determine the severity, and will there be any consequences if I misgrade the risk?\n\nAnswer: If you are unsure about the severity of your finding, it is recommended to first review the judging criteria at https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr. The classification of findings is based on the severity of loss caused by the issue. High consequences generally involve sizeable fund loss or other severe consequences and don't require pre-conditions. 
Medium consequences usually have lesser impact and specific preconditions such as high attack difficulty, specific market conditions, or user unawareness. \n\nYou can also look at how similar issues were judged in the past and make the best and clearest case using evidence for your chosen severity. It is possible to submit a medium/high report without recommended mitigation steps, but an explanation as to why it cannot be feasibly mitigated should be included. \n\nNote that if a finding is submitted as medium severity but the judges believe it is high, the severity of the finding can be upgraded, unless there is a reason to penalize it such as it being incomplete, lacking detail, or not as accurate. If a High severity bug turns out to be only Medium, you will still receive the reward for a Medium bug. The rewards can be calculated using the formula provided at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs.\n\nRemember, the judges have the ability to upgrade or downgrade the severity of your findings. A strategy of rating everything as high risk is discouraged as it may affect your credibility. Rather, make a case to the judge in your submission if you believe a high risk finding should be considered. \n\nIn summary, the best approach is to review the guidelines, use your judgment based on previous cases, and make a clear and comprehensive case in your submission. The ultimate decision rests with the judges and they have the flexibility to adjust the severity grading where they see fit. Finally, though it's important to strive for accuracy, don't be overly concerned about the potential for misgrading. 
Judges are aware of gray areas and will take your case into account when making their determination.", "Question: Is CodeArena planning on increasing the number of web2 whitebox audits and how can individuals or teams participate in these audits?\n\nAnswer: Yes, there has been a significant interest and suggestions from our community to host more web2 whitebox audits. CodeArena is actively considering adding website and other infrastructure pentesting audits in the crypto space to our service catalog. We are also in discussions about potential audits with a Rust focus. \n\nCodeArena has a dedicated booking team that can assist users with setting up audits. In order to participate in private audits, users need to be certified as wardens, more details can be found on this [link](https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0). Users and teams can also take part in audit contests, with more contests being planned for the future with varying structures including initial audit prize pools and mitigation review pools.\n\nThe exact timing of the next audit event or contest is yet to be announced, but we typically host 2-5 audit projects per week. We will keep our community posted about upcoming audit contests in our #\u270brsvp channel. For those who desire additional resources for studying web2 security in the context of web3, we are actively working on providing these.\n\nThere has also been interest in a bug bounty for web applications, and we are considering this proposal. For future audits, we are planning to expand our scope to Solana audits.\n\nIn terms of participation, it is possible to ask questions about past project findings and also engage in the audit process before the code is complete. There is a tool under development to aid in running audits, which can be found [here](https://github.com/HardlyCodeMan/audit_helper/). 
In any case, users are encouraged to reach out to us with their inquiries about auditing projects.", "Question: \nI was submitting my analysis on Code4rena and encountered an error, so I tried again and now I have duplicate analyses in my findings. I can't seem to remove the extra one through the user interface, what should I do?\n\nAnswer: \nIf you've accidentally submitted an analysis more than once, you can submit a help desk request to withdraw the extra analysis. Please go to https://code4rena.com/help to submit your request. However, please note that currently, users are unable to send in updates to their analyses as highlighted in the Guidelines and FAQ. \n\nIf the analysis was accidentally submitted from your personal account instead of the team account, you should re-submit it from the team's account. \n\nYou can check your submissions by viewing your Analysis Report. For more information about submitting an Analysis Report please visit https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118. \n\nPlease remember that the ability to edit an analysis after submission has been reported as an issue, and it's being looked into by our development team. In the meantime, you can view the findings of your submitted analysis through the \"View Context\" function or by checking the respective email confirmation. \n\nLastly, to understand how the Analysis report works and what needs to be filled out, please refer to https://docs.code4rena.com/awarding/judging-criteria#analysis.", "Question: What is the process for submitting my findings or reports for the CodeArena contests?\n\nAnswer: You can submit your findings for a contest using the submission form provided on our website for each contest. To make a submission, handle registration is mandatory. If you encounter any issues using the submission form, you can also send your submissions to submissions@code4rena.com. 
Please note, you can submit at any time prior to the contest ending. We have a policy of accepting only the first (or last) entry that a person or team sends. You have the flexibility of editing your submissions until the contest close, and if you decide to make a new submission for the same issue, you can withdraw your old one. If you're part of a team, you can choose to submit solo findings whenever you want. The submission form allows you to select whether you're submitting as an individual or as a team member. \n\nOnce you submit, you will normally receive a confirmation email, though there may occasionally be delays. You can view or edit your own submissions for open contests on the site, and after the contest, you can review all the reports you submitted during the competition. Please be aware that submissions cannot be made more than 3 hours prior to the contest stop time, as per our submission policy. \n\nWe are also working on implementing a countdown timer for the submission deadline and an updated submission mechanism for upcoming contests to enhance the user experience. After the contests end, our certified Wardens get to view other contest submissions. \n\nIf you have any concerns about your submissions or need to withdraw one, you can directly message our moderators for assistance.", "Question: What is happening with the Chainlink Staking v0.2 contest that was listed on the CodeArena website? There appears to be a discrepancy between the start dates listed on the RSVP and Code4Arena website. \n\nAnswer: The Chainlink Staking v0.2 contest has been delayed. The dates will be confirmed and the contest will be re-posted on the CodeArena website. Please note, there was a discrepancy between the start date of this contest on the RSVP and the date on the Code4Arena website. The correct date will be listed on the Code4Arena website once confirmed. In this contest, all participants are welcome. 
However, to receive awards, participants will need to become certified which includes successful completion of Know Your Customer (KYC) procedures. Further information about this procedure can be found on our website at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. In the meantime, feel free to explore other available contests related to staking platform contracts.", "Q: As someone seeking to pursue a career in web3 security, how important is a practical understanding of web2 security? Should I also learn about DDOS attacks in a web2 codebase or just focus primarily on smart contract auditing?\n\nA: The importance of web2 security knowledge in the context of web3 security is a topic of debate. While some believe that a practical understanding of web2 security, including DDOS attacks, can be beneficial, others suggest that the two areas primarily share a common security mindset. Therefore, it might be helpful to have a basic understanding of web2 security, particularly as certain topics from web2 security also apply to web3 security. For instance, instances of exploiting a Linux kernel 0day and RCE on the node have been used to compromise an Ethereum node.\n\nWhen considering your career path, it's essential to focus on what interests you the most and aligns with your career goals. If you're considering smart contract auditing, resources like The Ethernaut challenges and Damn Vulnerable DeFi can be helpful in honing your skills: https://ethernaut.openzeppelin.com/ and https://www.damnvulnerabledefi.xyz/. Other resources for beginners include https://cryptozombies.io/ for learning Solidity and https://capturetheether.com/ for Capture the Flag challenges. \n\nFor those seeking a junior auditor role or interested in smart contract bug bounty hunting, it's essential to have a solid understanding of the basics and the ability to identify vulnerabilities. 
The time it takes to learn this can vary greatly depending on your prior experience and learning capabilities. \n\nRemember, if you're struggling with catching vulnerabilities during Capture the Flag exercises, practice is key. Don't be discouraged if it doesn't come easy at first. \n\nAlso, while there has been an inquiry about a roadmap or resources to learn about web2 security in the context of web3 security, no definitive answer is given. It's best to continue learning and exploring both areas as they continue to evolve.", "Question: What is the significance of web2 security knowledge in the context of web3 and smart contract security, and are there any recommended resources or roadmaps to learn about it?\n\nAnswer: The importance of web2 security knowledge in web3 security is subjective and depends on an individual's career path and interests. Some components of web2 security do apply to web3, such as the example of exploiting a Linux kernel 0day and RCE on the node to compromise an Ethereum node. However, it's important to note that most cases in web2 are black box, while web3 operates on a white box model. \n\nIf you are considering a career in smart contract auditing or web3 security, gaining practical understanding of both web2 and web3 security could be beneficial. However, the decision should be based more on what you enjoy and are interested in, rather than potential earnings or market demand.\n\nWhile we've seen inquiries about a roadmap or resources to learn about web2 security in the context of web3 security, one resource to study the Geth node and Web2 security in the context of Web3 has been requested by users. Additionally, there are resources available for smart contract security, including books and certifications.\n\nIf you are an undergraduate IT student, you could consider focusing on smart contract auditing while continuing with traditional hacking and web2 security as a side project. This would allow you to expand your skills in both areas. 
\n\nIt's also worth noting that the time it takes to learn the basics and start finding bugs in smart contracts varies greatly depending on an individual's prior experience and learning capabilities.\n\nRemember, this platform is not only focused on auditing, but also hosts discussions and contests related to general security topics, including web2 and web3 security.\n\nRemember to check back frequently for more resources, discussions and opportunities in this rapidly evolving field.", "Question: \nWhat does the process of smart contract auditing entail at CodeArena, and how does it help in identifying and resolving vulnerabilities in smart contracts?\n\nAnswer:\nSmart contract auditing at CodeArena involves a systematic examination of the smart contracts to identify potential vulnerabilities and bugs. We analyze smart contracts that are real and will be deployed after the auditing process, including products built on Polygon. The smart contracts can be compiled and function independently of the backend.\n\nThe auditing process involves using several tools to find vulnerabilities. One such tool mentioned in our discussions is Slither, a static analysis tool for smart contracts. Another tool mentioned is a smart contract scanning tool that can detect price manipulation vulnerabilities, which can be accessed here: https://app.metatrust.io/project. Furthermore, we also discuss the application of advanced techniques like machine learning for auditing. An engaging idea shared suggests that smart contract auditing can be converted into an image task where a smart contract is visualized into respective shapes, and a model is trained based on these shapes to predict the vulnerability of future contracts. \n\nDuring the auditing process, we also focus on the optimization of smart contracts to reduce gas costs, not just for protocol contracts, but also for other contracts and non-view/non-pure functions. 
We've also seen questions about the categorization of severity related to state variable changes in smart contracts. These are all important aspects that are considered during the auditing process. \n\nMoreover, we encourage a two-step process for making critical changes in smart contracts, to ensure that any changes made do not introduce new vulnerabilities. We also entertain questions about the role of a minter or burner in smart contracts, and about how DDOS attacks can affect smart contracts, all of which is part of our comprehensive audit process.\n\nDespite the availability of automated tools, it is common for people to get their smart contracts audited by experts. This is because questions about smart contract issues can be reported differently based on the judgment of the reviewer. Also, an expert can provide context to issues within smart contracts, particularly in relation to slot collisions and the inheritance of upgradeable contracts. \n\nCodeArena also runs contests for analyzing smart contracts. This offers an opportunity for smart contract developers to have their code examined by the community, increasing the chances of identifying and resolving any potential issues. \n\nIn addition to auditing, we also guide users seeking resources on smart contract security, including books and certifications to further their understanding of smart contract security. However, it's worth noting that our main focus is on auditing, although we welcome suggestions on other relevant areas as well.", "Question: What core topics should we focus on learning to improve our understanding of web3 security, and how does web2 security knowledge apply in this context?\n\nAnswer: It's crucial to understand that while web2 security and web3 security share a common mindset, the focus for web3 security broadly tends to be more on smart contracts. However, elements of web2 security can still apply in a web3 context. 
For instance, compromising an Ethereum node through exploiting a Linux kernel 0day and RCE on the node was a mentioned example. \n\nLearning about DDoS attacks is important for web2 security, but it's debatable whether DDoS attacks can directly affect smart contracts in the same way. Instead, one might focus on understanding how users could potentially break system functionality, for example, by pushing to an array arbitrarily causing a DoS for everyone else.\n\nAs for resources to study more about these topics, the following were suggested by users in our chat:\n\n- For beginners: \n - CryptoZombies.io provides a fun and interactive way of learning Solidity.\n - CaptureTheEther.com offers Capture the Flag challenges for honing smart contract skills.\n\n- For more advanced studies:\n - The Ethernaut challenges and Damn Vulnerable DeFi are recommended to learn advanced solidity and defi industry standards: [Ethernaut](https://ethernaut.openzeppelin.com/) and [Damn Vulnerable DeFi](https://www.damnvulnerabledefi.xyz/).\n\nIt's important to note that the learning path and the time it takes to grasp these concepts would greatly depend on your prior experience and learning capabilities. For those considering a career path, whether to focus on smart contract security or web2 security should be based on your interest and enjoyment, not just potential earnings. In terms of practical application, participating in events like Capture the Flag or exploring blockchain forensics analysis for hacks and incidents in smart contracts can help you apply what you've learned. 
Additionally, while the focus is on smart contracts, knowledge in website and other infrastructure pentesting audits in the crypto space could also be beneficial.", "Question: How can I understand the reasons for my submission rejections in the Nouns DAO contest, and is there a process to appeal the decision?\n\nAnswer: After the Nouns DAO contest concludes, participants can access their submission feedback to understand why their submissions were rejected. The process involves waiting for the final report to be published and the findings repository to be made public. This allows participants to view the discussions among sponsors and judges about their specific issues. You can access this information at https://code4rena.com/reports.\n\nIn cases where your submission is not rewarded, there is indeed an opportunity to discuss or appeal your case. For example, you can refer to this [link](https://github.com/code-423n4/2022-08-nounsdao-findings/issues/315) as a case where a question about a finding in the Nouns DAO contest was raised for appeal. \n\nPlease note that incorrect or unsatisfactory submissions may result in penalties, so it's crucial to review and understand the submission rules before participating and submitting your findings. If you experience issues while submitting, such as API rejection or power cuts, you can seek assistance from the CodeArena team. \n\nRemember, the objective is not just to submit but also to learn and improve for future contests. Therefore, it's encouraged to use this process as a learning opportunity to improve your future submissions.", "Q: How can I change my profile picture on Code4Arena?\n\nA: To change your profile picture on Code4Arena, you would need to submit a help desk request with the new picture attached. You can do this through our help page at https://code4rena.com/help. Once you've submitted your request, it's typically addressed within a week. 
Please note, changes to other account details like Twitter username or Github user requests can also be made via the same process. However, if you encounter any errors when submitting your request, please let us know so we can assist you.", "Question: How can I make a request to change my profile picture on Code4Arena, and how can I check the status of my request?\n\nAnswer: You can make a request to change your profile picture on Code4Arena by submitting a help desk request. Please include the link to your new picture in your request. You can submit this help desk request by visiting: https://code4arena.com/help. Profile picture change requests are typically addressed within a week. At this time, we're unable to directly check the status of your specific request, but rest assured that it's likely in the queue for processing. We are currently working through a backlog so there may be some delay. We appreciate your patience in this matter.", "Question: Can I modify or submit bug reports after the contest has ended?\n\nAnswer: No, it's important to note that all bug reports must be submitted prior to the closing of the audit. However, you can update or alter the severity of reported bugs after the contest has closed either through a Pull Request or by contacting a judge. It's also worth noting that entries can be edited until the end of the contest if needed, including instances where a correct bug issue is submitted with an incorrect proposed solution. \n\nOnce the contest is over, participants cannot view or discuss the status of their submissions until the results are published and the findings repository is made public. After the leaderboard is shown and rewards are sent, it may take some time for the final report of the contest to appear on the C4 site. Therefore, we recommend waiting until the full public report is published before doing any write-ups on discovered issues or bugs. 
\n\nLastly, all participants' submissions will likely be made available after the contest ends, and the possible exploits have been patched. Certified contributors may also have the opportunity to view and comment on these issues right after contest closure during the judging process. For further information or updates on your submissions, you can check your QA reports for closed contests on the contest page by clicking on the findings and editing them if necessary. \n\nPlease bear in mind that while there is no specific timeframe for submitting high or medium issues to CodeArena, they should not be submitted too close to the contest close time to ensure they are processed correctly. For more help or inquiries about bug submissions, you can visit code4rena.com/help.", "Question: How does CodeArena handle Gas Optimization reports, their submission, judging, and rewards?\n\nAnswer: At CodeArena (C4), gas optimization reports are handled with a high level of scrutiny to ensure fair and quality-based awards for participants. \n\nParticipants are allowed to submit only one gas optimization report per contest. However, they can add more findings to their report while the contest is open. They can do this by visiting the contest page and clicking on the 'Your Findings' button. If a participant submits multiple gas optimization reports for a single contest, the report will be voided and it will count as 3 rejected reports. \n\nGas optimization reports are judged based on their quality, accuracy, and the presence of a working proof of concept. Not all reports are guaranteed rewards. The reports must meet our quality standards to be considered satisfactory and valid. \n\nThe rewards for gas optimizations are awarded from a separate pool specified on the C4 website and each contest's page. The rewards are divided into grades A, B, and C based on the quality of the report and the gas savings. Grade A and B are eligible for rewards. 
It should be noted that findings that are valid but non-critical, such as the presence of \"Open Todos\" or the \"use of Block.timestamp\", are not rewarded. \n\nFor the cases where multiple participants, including members of the same team, identify a gas optimization, the reward split can be calculated using our formula, which you can find at https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs. \n\nIn case of any dispute over the decisions of the judges, there's a post-judging QA period where wardens can comment on the judges' decisions. However, this is only available for our backstage wardens. More information about being a backstage warden can be found here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens\n\nLastly, we are aware of the concerns about the validity of gas optimization reports and the calculation of bounties, and we are working to address these in the most transparent and fair manner possible.", "Question: Do I need to be a developer or have experience in writing smart contracts on DeFi Projects before I can start auditing with CodeArena?\n\nAnswer: While having a background in software development or familiarity with smart contract development can be beneficial, it's not explicitly required to begin auditing with CodeArena. The ability to understand and audit smart contracts is certainly a skill that can be nurtured over time, and practice plays a significant role in this. \n\nSeveral resources have been suggested by the CodeArena community for beginners interested in smart contract auditing, including this comprehensive guide on how to become a smart contract auditor (https://cmichel.io/how-to-become-a-smart-contract-auditor/) and the list of tools and resources available at https://docs.code4rena.com/roles/wardens/tools-and-resources. \n\nThe level of mathematical expertise required for auditing varies greatly depending on the complexity of the smart contract. 
For some projects, basic mathematics will suffice, but others, particularly those involving complex formulas, may require a more advanced understanding of financial mathematics. \n\nFurthermore, it's worth noting that being a smart contract auditor doesn't necessarily mean you need to focus solely on the front end of the blockchain. It's possible to be a security auditor without this focus. \n\nMinimum PC requirements for auditing DeFi protocols are relatively low, so you don't necessarily need a high-end computer to get started. \n\nLastly, it's important to bear in mind that auditing is not limited to completed code. Engaging in the audit process before code completion can also be beneficial. \n\nNonetheless, becoming a proficient auditor is a journey that depends greatly on an individual's prior experience, learning capabilities, and commitment.", "Question: Why do some wardens ask sponsors to accept friend requests on the CodeArena platform?\n\nAnswer: Wardens may ask sponsors to accept friend requests in order to build trust and maintain better communication. This is crucial as the relationship between wardens and sponsors involves disclosing vulnerabilities found in smart contract audits. The friend request functionality is a part of the new Warden profiles on CodeArena, which also allows users to apply for certified Warden status or even a backstage Warden. \n\nBecoming a certified Warden involves a process that includes participating in a certain number of contests and providing valid findings or reports. Certified Wardens are eligible for benefits such as participating in private contests and receiving payments from KYC-required sponsors like Chainlink. Certain contests are even exclusive to Certified Wardens. Participants can check their acceptance as a Warden on CodeArena's platform. \n\nIt's important to note that CodeArena takes trust, privacy, and integrity of the auditing process very seriously. 
Any concerns raised about the potential misuse of disclosed vulnerabilities are addressed promptly. More information on this can be found on CodeArena's official leaderboard [https://code423n4.com/leaderboard/] which also keeps track of Warden performance.\n\nIn case of any issues or queries, assistance can be sought from CodeArena, with help requests made for various purposes, including becoming a backstage Warden. Users can also choose to participate in code contests as Wardens, and if there are any concerns or issues with a report, clarification can be sought from other Wardens.", "Question: Can I change my account name, wallet login, and Discord username on CodeArena, or alternatively, can I create another account with the same GitHub username, email address, and Discord username?\n\nAnswer: At the current time, both your account name and wallet login on CodeArena are immutable and cannot be changed. Concerning Discord usernames, they can be updated on your CodeArena account, but it's important to remember that your Discord nickname should remain as your registered CodeArena username. You can adjust this on the Account Management page of your warden profile. If you wish to change your Login Address for your CodeArena account, instructions can be found at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with\n\nAs for creating a new account with the same credentials, it appears there have been instances where users have been able to create more than one account with the same email and Discord username, but this seems to be inconsistent and it's recommended to contact the Help Desk for review before proceeding.\n\nTo add, there are plans to enable the use of the same handle with different wallets in a single contest. And lastly, if you need to change your Twitter username on C4, you can do so by creating a help desk request. 
Remember, if you change your personal details on other platforms such as GitHub or your wallet, it's recommended to update these details on CodeArena to avoid any login issues.", "Q: I'm having trouble accessing the Code4rena site, experiencing intermittent difficulties and errors, what should I do?\nA: If you are experiencing difficulties accessing the Code4rena site or are encountering errors, this could be due to a range of issues, including intermittent site issues, login problems, and trouble with tasks such as submitting findings or reports. First, you can check the site's status on [https://downforeveryoneorjustme.com/code4rena.com](https://downforeveryoneorjustme.com/code4rena.com) to determine if the issue is widespread or isolated to your connection. Issues could also be related to local storage or DNS issues. \n\nIf you are having trouble logging into the site, it may be due to issues with user registration and login. If this is the case, we recommend trying to reset your password, even though we understand that there have been some reported issues with the password reset function as well. \n\nIf you are having difficulty submitting findings or reports, it could be due to an error such as \"API rate limit exceeded for user ID 81770958,\" a 500 error from api.code4rena.com, or a \"page not found\" 404 error if you are trying to access certain links. \n\nFurthermore, mobile users may experience additional difficulty performing tasks, such as viewing the console. Please try to access the site on a different device or browser, if possible. \n\nOur team is actively monitoring these issues and working towards resolving them. If you continue to experience problems, we recommend reaching out for help through our channels. Please note there might be a delay in response due to a high volume of requests. 
\n\nPlease also be aware that external incidents, such as an incident on Github, might cause an interruption in services like email receipts [https://www.githubstatus.com/incidents/r5qrpp2f5fc0](https://www.githubstatus.com/incidents/r5qrpp2f5fc0). \n\nFinally, please be patient with us, as we are doing our best to resolve all issues and provide you with a seamless experience on our platform.", "Question: I'm struggling to catch vulnerabilities during CTFs, and I'm wondering if I need more experience with solidity fundamentals. What resources would you recommend to improve my skills and effectively catch vulnerabilities in smart contracts?\n\nAnswer: C4 encourages continuous learning and practice to improve your skills in catching vulnerabilities during Capture the Flag (CTF) exercises. To get started or enhance your smart contract bug bounty hunting skills specifically for solidity, CryptoZombies.io (https://cryptozombies.io/) is a great resource. Another helpful platform is CaptureTheEther.com (https://capturetheether.com/) for CTF challenges. \n\nIf you're looking to learn advanced solidity and DeFi industry standards, resources like The Ethernaut challenges (https://ethernaut.openzeppelin.com/) and Damn Vulnerable DeFi (https://www.damnvulnerabledefi.xyz/) are recommended. These resources can be particularly useful for training for the Paradigm CTF. \n\nIn terms of tools used to find vulnerabilities and bugs in smart contracts, fuzzing tools were commonly used for auditing prior to Solidity 8.0. However, their usage has decreased with the implementation of an overflow/underflow check at the language level in Solidity 8.0. Fuzzing tools like Echidna may still be used in some audit contests. \n\nWhen you find vulnerabilities, they can typically be shown in two ways: 1) Providing a URL to the repository with a line inner in the text, and 2) Providing a solidity code block. 
The best reports are those focused on one specific attack or issue, featuring the project's code, providing a simple to understand Proof of Concept (PoC) or specific example, and offering a coded test that demonstrates the vulnerability.\n\nIf you find a vulnerability and are unsure about it, Code4rena encourages you to reach out to the sponsor team during the contest or directly disclose the vulnerability to them. Remember to submit it via the contest submission form (https://github.com/code-423n4/code-contests/tree/main/contests/01-slingshot#sharing-vulnerabilitydiscovery-poc) to make it eligible for rewards.\n\nFinally, not being able to catch vulnerabilities during CTFs doesn't necessarily mean you are not good at solidity fundamentals. The amount of time it takes to learn the basics and start finding bugs in smart contracts varies greatly depending on an individual's prior experience and learning capabilities. Persistence and continuous learning are key.", "Question: I'm not a developer and I'm finding it challenging to understand \"Patrick Collins latest foundry course.\" What resources or strategies can help me, and other non-developers, to learn from this course more effectively?\n\nAnswer: It can certainly be challenging for non-developers to grasp certain technical aspects of courses like \"Patrick Collins latest foundry course.\" However, there are several approaches you can consider:\n\n1. Foundry is a framework used to write tests and offers various tools to assist in checking features like storage. Given that, understanding the purpose of a codebase typically requires reading the documentation or possessing previous experience with similar code. Don't hesitate to experiment and learn by doing.\n\n2. If you're finding it hard to understand the Foundry framework, YouTube tutorials can be a great help. 
Previous users have recommended these two videos: [Link 1](https://www.youtube.com/watch?v=Rp_V7bYiTCM) and [Link 2](https://www.youtube.com/watch?v=EHrvD5c93JU). These tutorials can provide a more visual and comprehensive explanation of the concepts.\n\n3. Another approach is to focus on understanding the basics of solidity syntax and programming, as this knowledge is fundamental to comprehending smart contract audits. You can consider resources like the Codecademy Javascript testing module and the Alchemy University's Ethereum Bootcamp in week 4 to learn more about the testing framework of Hardhat, which is often used for audits.\n\n4. Lastly, remember that the learning curve varies greatly depending on an individual's prior experience and learning capabilities. Take your time and don't rush the process. If you're facing issues with specific code instances, it's advisable to make a report and reference the related issues in it. This can help you better understand the codebase.\n\nNavigating this course and learning about smart contract audits might seem daunting, but with the right resources and a curious, patient mindset, you can certainly make progress. Good luck on your learning journey!", "Q: As a warden at CodeArena, what are the best practices and guidelines for submitting findings during an audit?\n\nA: As a warden, you should aim to submit your findings before the audit closes, there's no benefit in being the first to submit. Ensure you follow our documented submission process which you can find at [https://docs.code4rena.com/roles/wardens/sub](https://docs.code4rena.com/roles/wardens/sub). \n\nYou can submit a point you deem to be a valid finding without seeking prior confirmation from the project's developers. If your findings include a high severity issue identified in an automated finding, you're advised to report it again during the contest and it may be awarded with a higher severity. 
\n\nYou should be aware that once your findings are submitted, they are not disclosed to other competing wardens, nor are they made public until the final contest report has been published. As per our professional conduct guidelines [https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines](https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines), you should treat all findings as private and confidential. \n\nIf you encounter the same vulnerability as another warden, we follow a certain criterion to handle such situations. We also have provisions for modifying or withdrawing findings if necessary. \n\nDo note that once submitted, your findings are visible to C4 staff, sponsors, and the judging team for review purposes. You can also review your own submissions by referring to the data folder in the findings repo. \n\nIf you're a certified+ warden, you get earlier access to the findings repositories and can assist with post-contest processes. After submitting a finding, you can expect a follow-up from our team. \n\nFinally, we encourage all wardens to assess the severity of the issues based on our guidelines available at [https://code423n4.com/judging-criteria/](https://code423n4.com/judging-criteria/). If you're partway through the Provenance's certified warden process, we recommend completing it. You can find further information on this at [https://docs.code4rena.com/roles/wardens](https://docs.code4rena.com/roles/wardens).", "Question: What is the process of setting up a public Proof of Stake (PoS) blockchain and executing smart contract audits on it, with the use of tools like Foundry and public testnet?\n\nAnswer: Setting up a public PoS blockchain and conducting smart contract audits could involve several steps. First, you might want to create a Proof of Concept (PoC) for the smart contract audit. This could be done in code or plain English. 
For detailed testing of the smart contract, especially in scenarios involving large numbers of users or complex state, a public testnet could be used. However, local forking is often preferred as it avoids cluttering the testnet with unnecessary data.\n\nYou could also use tools like Foundry for testing in a local environment. Foundry can fork data from a live network such as a mainnet or testnet and run it locally. This makes it more convenient for testing smart contracts. For simpler contracts or exploratory development, a private testnet might be more appropriate.\n\nIn the auditing process, automated tools could be used to verify if a contract has been initialized on the Ethereum mainnet or other chains. Sometimes, a contract environment might be difficult to set up, particularly if there is limited documentation, no test cases, or no deployment scripts. In such cases, looking at different staking contracts might provide insights into how staking functionality can be implemented. \n\nTesting scenarios could include examining block re-orgs and their effect on block confirmation time, or demonstrating potential attacks such as a re-entrancy attack. For instance, an attack contract could be written and its effects explained in plain language as a PoC.\n\nRemember, smart contract auditing can be complex, and understanding related reports and concepts might be challenging. There are also potential security risks, like front-running the init() function. 
A case study on this type of vulnerability, for example, can be found in a ToB Hermez audit [here](https://github.com/trailofbits/publications/blob/master/reviews/hermez.pdf).\n\nIf you're new to smart contract auditing, don't hesitate to seek help and resources, particularly on blockchain forensics analysis, to understand hacks and incidents in smart contracts better.", "Question: Who has access to the findings during and after a CodeArena competition, and when do these findings become publicly available?\n\nAnswer: During a CodeArena competition, the findings are sealed to ensure fair play among the wardens participating in the contest. These findings are not shared with other wardens, the project team, judges, or anyone else until the deadline passes. However, there are certain exceptions - The CodeArena (C4) staff, as well as the sponsors, have access to the findings, but this access is highly restricted and mostly necessary for troubleshooting submission errors or other issues.\n\nOnce the competition ends, the review process for the findings begins, which includes a review by the sponsors and the judging team. These reports or findings get reviewed and triaged immediately after the contest ends. However, they await sponsor review and final judging before being made public to ensure sponsors have time to act on the feedback given. \n\nThe findings repository becomes publicly available for discussion after a certain period of time post-competition, although the specific duration is not defined. This repository can also be accessed immediately by certified+ wardens after a contest ends. Participants are discouraged from discussing their findings publicly until the report for the particular contest has been posted.\n\nIt's noteworthy that the findings from the contest are confirmed and discussed after the contest ends. 
Queries about how to find which findings of a contest were rejected and why, as well as how to view others' findings after a contest finishes, can be raised. Submissions are confirmed via email and can be viewed on the C4 Contest page under the \"Findings\" tab. \n\nRemember, any findings not submitted before the end of the contest will not be considered. Please check the [C4 Contest page](insert_website_link_here) for more details.", "Question: What happens after I submit a finding before the deadline, and how is the information kept secure and confidential?\n\nAnswer: After you submit a finding before the deadline, the information is securely stored and not disclosed to any other party, including other competing wardens, the project team, and the judge, until after the contest deadline passes. The submission can only be viewed by the submitting user or their team until the final report is made public. If you need to edit your finding, you can make a helpdesk request with the necessary information and update your finding before the contest closes. \n\nIt's important to note that there is no advantage in submitting findings first; what counts is submitting before the audit closes. Submissions for a contest can be reviewed once the final report is published and the findings repository is made public. Bug reports cannot be submitted after the contest has ended; all findings must be submitted within the audit period. While you can expect a follow-up after submitting a finding, the specifics of the follow-up are not disclosed. \n\nRemember, the success of your report submission can be checked by looking out for a confirmation email and being able to edit your submitted finding. However, findings cannot be viewed after a contest ends but before the results are published. You are advised to wait for the report to be published and the findings repository made public before verifying your submissions. 
\n\nMake sure to complete your submission before the end of the contest, as findings not submitted before the contest concludes won't be eligible. The findings are reviewed immediately after the contest ends and are kept confidential until the final judging and sponsor review are complete. \n\nPlease note, you will need to authenticate before submitting findings, as this helps maintain the integrity of the process. The findings repository becomes publicly available for discussion a certain period after the contest closes, although the exact duration is not mentioned. \n\nFinally, the potential solution to avoid dishonest practices was proposed as revealing the findings to the project only when the contest is over.", "Question: When are the findings from a CodeArena contest made public and how can I review them?\n\nAnswer: The findings from a CodeArena contest are not immediately made public after the contest ends. They remain private to facilitate learning from others and to ensure the integrity of the competition. Specific findings should not be discussed until the report has been finalized for the contest in question. Once the final report is published, the findings repository becomes public and is posted in the same section as the contests. This publication usually occurs at least a month after a contest is closed. \n\nYou can review your submissions and feedback for your findings after the report is published and the findings repository is made public. To do this, navigate to the \"your findings\" section on the contest page. Here, you can check the status of your findings, modify them if needed or even withdraw them. It's also encouraged for new participants to review the findings of other wardens after the repository becomes public to gain more insights and improve their future performance.\n\nPlease note that all findings submitted for contests may not always make it to the final report, and the reason might not be immediately known. 
For a better understanding of what makes a good submission, you can compare your findings with winning reports found on our website at https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues.\n\nAdditionally, participants can set up notifications to be alerted when a new report is published. However, participants are discouraged from discussing their findings publicly after a contest is over, even if the final report has not yet come out.", "Q: I'm having trouble submitting and modifying my findings on CodeArena, what steps should I follow?\n\nA: We understand that you may be experiencing issues with submitting and editing your findings for a contest on CodeArena. Here's a step-by-step guide to help:\n\n1. To submit findings, navigate to the specific contest page on our website. There you will find a form for each contest to submit your findings. The form data, once submitted by clicking on \"CREATE ISSUE\" in \"SUBMIT FINDING\", goes into the findings repository for the given contest. It will later be evaluated by judges after the contest ends. More details about the process can be found at [https://docs.code4rena.com/roles/wardens/sub](https://docs.code4rena.com/roles/wardens/sub).\n\n2. If you've already submitted a finding and wish to modify it, navigate to the contest page and click on the 'Your Findings' button. You can edit and update your submissions from there. You can also withdraw your findings under the same section if you wish to cancel a submission and create another one.\n\n3. Be aware that submissions may not be immediately confirmed via email, and it might take some time. If the submission fails, the form should return an error.\n\n4. If you're unable to view your submissions on the 'Findings' tab, it may be due to an issue we're aware of. Participants have reported not seeing their submissions despite having submitted them. We are currently investigating this issue and working on a solution.\n\n5. 
Please note that all findings have to be submitted prior to a contest ending, as bug reports cannot be accepted after the contest has closed.\n\n6. There have been reported issues with submitting findings through certain browsers like Firefox and Chrome due to a permalink error. If you're experiencing this, we recommend trying a different browser.\n\n7. If you're unsure whether to submit findings as separate issues or as one, unfortunately, we currently do not have a clear guidance on this matter.\n\nWe hope these steps help you navigate your way through the submission and modification of findings at CodeArena. If you continue to experience issues, please reach out to us for further assistance.", "Q: I noticed the results from the #llama-jun06 contest were announced several weeks ago, but I haven't received my reward yet. Can you explain the process and timeline for reward distribution at CodeArena?\n\nA: After the conclusion of a contest at CodeArena, the process involves several stages including the contest finish, sponsor reviews, judging, and awarding. This process can take anywhere from 2 weeks to over 6 weeks. Once the awards are announced, we aim to distribute them within 1-2 weeks. The rewards are sent out manually in batches for multiple contests at a time. It's important to note that the distribution may not happen immediately upon the reward announcement. If a contest is listed as 'awarding', it means the rewards are queued at the multisig and should be distributed within a week. The rewards are transferred to the user's registered wallet address. Participants can check the announcement channel for updates on distribution. There might be instances where some rewards are pending after a contest has finished due to various reasons. 
Please note that all this information is based on general observations and might vary for individual contests.", "Question: Who can access the findings from the CodeArena audits and when can they access them?\n\nAnswer: The findings from the CodeArena audits are kept secure and private until certain conditions are met. Before the deadline or contest\u2019s end, only the team or user who submitted the findings can view them. The findings are sealed to other wardens. However, C4 staff, sponsors and the judging team do have access to the findings for administrative and judging purposes. Notably, sponsors may not have access to the findings repo before the contest ends. \n\nOnce the contest ends, findings are reviewed and triaged immediately, this includes a sponsor review and judge review. They await sponsor confirmation, final judging, and Quality Assurance before being made public. The specific duration before the findings report becomes publicly available for discussion is not mentioned, and it varies from contest to contest. \n\nWhile participants can view their submissions and reasons for rejection once the report is published and the findings repo is made public, they are advised not to discuss their findings publicly. Any findings not submitted before the contest's end would not be eligible. \n\nFinally, please note that the review process starts immediately after the contest ends and includes a sponsor review, judge review, sponsor confirmation, judge's final report, and announcement of the results. Participants will receive feedback from a judge if a submitted finding is marked as invalid. For transparency and fairness, all findings need to be submitted before the audit closes. Once submitted, they are not disclosed to other competing wardens until the final report is available. 
The sponsors need time to act on the feedback they have been given, hence the findings are kept private until the final report is available.", "Question: If a project uses Brownie for testing, can I still present my Proof of Concept (PoC) in Foundry, and how should it be submitted?\n\nAnswer: Yes, you can certainly present your Proof of Concept (PoC) in Foundry even if a project uses Brownie for testing. One of the benefits of using Foundry is its ability to test scenarios in a local environment, providing an alternative to public testnet, and it can also be used to mock contract deployments. It's important to note that a PoC can be presented in any language, as long as it clearly demonstrates the vulnerability.\n\nMoreover, if the PoC is too large to be embedded directly in the issue, it's acceptable to submit it using external platforms such as Gist, or by creating a public Github repository or providing a diff of an existing sponsor-supplied test/contract. For example, a detailed PoC for a bug and its impact can be found at [https://github.com/code-423n4/2022-12-caviar-findings/issues/376](https://github.com/code-423n4/2022-12-caviar-findings/issues/376). \n\nHowever, if you're unable to provide a PoC for a medium severity bug, your finding may be disregarded unless the bug is extremely obvious. Therefore, it's highly recommended to always include a PoC. \n\nFor projects that employ Hardhat, Foundry can be used and a base template for this can be found at [https://github.com/foundry-rs/hardhat-foundry-template](https://github.com/foundry-rs/hardhat-foundry-template). Please be aware there are reported issues with opcode support in Foundry. 
\n\nIn conclusion, Foundry is a versatile tool that can be used in conjunction with other testing tools like Brownie and Hardhat, and PoCs presented in Foundry are widely accepted at CodeArena.\n", "Question: How can I participate in CodeArena's bot races as a Warden and what are the qualifications required?\n\nAnswer: Participation in the bot races involves being a Warden and may require being part of a bot team or owning a bot. The races are typically held during the first hour of an audit. To become a Warden, you need to fill out the form on our website. Once you are registered, you can check your acceptance status on CodeArena's platform. To participate in certain contests, such as the PolynomialFi contest, you need to be a certified Warden. The certification process involves participating in a certain number of contests and having valid findings or reports. For private contests, you need to complete the KYC and become a certified Warden. More detailed information on becoming a Warden, forming a team, and the certification process can be found at https://docs.code4rena.com/roles/wardens#registering-a-team and https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. More information on bot races can be found at https://code4rena.com/register/bot. Specific queries about bot races can also be addressed in the #bot-race-help channel on our Discord.", "Question: I have been experiencing intermittent issues with the \"Create Issue\" button, how can I troubleshoot this?\n\nAnswer: We understand that some users have reported difficulties with the \"Create Issue\" button on our platform. We recommend the following steps to resolve this issue:\n\n1. Refresh your page: This is a common solution that often helps to resolve minor glitches. \n\n2. Try a different browser: Some users have found success by switching to a different web browser. \n\n3. 
Check for console errors: While it has been noted that this issue doesn't always result in console errors, it's worth checking just to be sure. \n\n4. Submit a help desk request: If the issue persists, you can submit a help desk request. This will allow our team to look into the issue more closely. \n\n5. Check for potential API limitations: API rate limits could potentially affect the submission of issues, particularly if you're submitting a significant number of issues in a short span of time. \n\nPlease note that there could be a slight delay in the visibility of reported issues in the Issues section of your repo after submitting, this is normal and your issue should appear shortly. If the issue isn't resolved after trying these steps, please create a ticket so we can investigate further. \n\nAlso, if you are part of a team trying to submit an issue, please note that there have been some reported issues when adding team members, and you may find it helpful to try again at a later time. \n\nRemember, if you're unsure about the severity of an issue after reporting it, we encourage you to ask questions through the platform or create a help desk ticket. We're here to assist you.", "Question: What are the penalties for submitting invalid issues or incorrectly assessing the severity of issues during a CodeArena contest?\n\nAnswer: At CodeArena, the system is structured to ensure the fair assessment of all issues submitted during smart contract audits. If an issue is submitted and is determined to be invalid, there are penalties that can be applied. \n\nIf you submit an invalid issue, there is a possibility of facing a penalty if you submit more than three such issues per contest. Moreover, if the report is very similar to a bot report, it may be further penalized. 
However, if an issue is submitted with what is initially thought to be high severity and the judge disagrees, the issue might be downgraded, but you would still receive an award for the found issue, unless judges invalidate it for overinflating the severity. \n\nIt is worth noting that there is a process in place for querying an issue marked as invalid. This involves monitoring the backstage channel for the post-judging phase of the concerned contest. \n\nThere's also a concern among users about getting penalized for too many unsatisfactory submissions. A valid issue can include the loss of precision described in the context of the code with better impact, and an issue is still valid to submit even if it is found by the bot race but another instance of that issue is not picked up by the bots. \n\nParticipants will receive feedback from a judge if a submitted finding is marked as invalid, and the severity of issues can be updated post-submission by the judges. \n\nFor more detailed information on penalties, please refer to this link: [https://discord.com/channels/810916927919620096/810931711609143326/1134522735507292230](https://discord.com/channels/810916927919620096/810931711609143326/1134522735507292230) \n\nFor more details on how to correctly assess the severity of an issue and the criteria for judging, refer to this link: [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues) \n\nRemember, it's essential to read and understand the guidelines to avoid potential penalties and ensure your submissions are valid and correctly assessed.", "Question: How is the grading system for QA and gas reports established at CodeArena, and what criteria determine an \"A\" grade?\n\nAnswer: The grading system for QA (Quality Assurance) and gas reports at CodeArena is based on both the quantity and quality of the submissions. 
An \"A\" grade signifies a high-quality report that demonstrates significant gas savings and efficient issue resolutions. An \"A\" grade report counts for 2 shares, while a \"B\" grade report counts for 1 share. The top report also receives a 30% bonus. It's important to note that the number of issues reported in a Gas and QA report doesn't necessarily determine the grade. For instance, a report could have one well-resolved issue and achieve a grade B, or it could contain multiple low-impact issues and still receive a grade C.\n\nIn terms of submissions, it's recommended to have one comprehensive report each for gas and QA. Writing the reports as separate entities will facilitate the grading process. It's also worth noting that judges have the ability to downgrade or upgrade issues depending on their severity. \n\nUsers are often interested in how to improve their reports, and some guidance can be found via a YouTube tutorial (https://www.youtube.com/watch?v=nady250cNo4) and in examples of the top QA/Gas report for previous contests (https://code4rena.com/reports). More specific details about the grading system, award division, and the handling of duplicate or downgraded issues can be found on the Code4Rena help page at https://docs.code4rena.com/awarding/incentive-model-and-awards.\n\nRemember, the goal is to provide a comprehensive, quality assurance report demonstrating efficient gas usage and effective issue resolutions, rather than focusing solely on the number of issues reported. Good luck with your submissions!", "Q: What does \"1936 SLOC in 137 contracts\" mean? Is the number 137 a typo?\n\nA: No, the number 137 is not a typo. In this context, \"1936 SLOC in 137 contracts\" means that there are 1936 Source Lines of Code (SLOC) spread across a total of 137 contracts. SLOC, in the context of smart contracts, is a measure of the size of a software program by counting the number of lines in the text of the program's source code. 
It excludes comments and blank lines. It's important to note that the duration of contests or audits is not directly proportional to the size of the source code (SLOC). There have been cases where participants have noticed a discrepancy between the number of lines of code (LOC) mentioned in the README.md and the actual lines in the contract files, as was the case with Sherlock finance's repo. Also, the SLOCs for certain projects like Dopex were reported incorrectly, including spaces etc. It's advisable to use tools for comparing differences between contracts to ensure accuracy. You can also check out this [video](https://www.youtube.com/watch?v=wCD3fOlsGc4) that explains some aspects of contract auditing.", "Question: What is the process, capacity, and responsibilities of CodeArena's judges?\n\nAnswer: CodeArena's judging process involves an estimated 10 judges, including 5 lookout judges. However, these judges also have full-time jobs and other commitments, which may influence the timing of contest reviews. As part of their responsibilities, judges review the findings after contests to decide their severity, validity, and quality. This review process can take anywhere from 2-4 weeks, or sometimes up to six weeks, depending on the number of submissions and the complexity of the code. Notably, there is no penalty for judges for delayed judging of contests.\n\nJudges also receive a share of the prize pool as an incentive. Further, if a judge cannot complete their work in a timely fashion, the contest is reassigned to another judge. Participants can ask judges for feedback about issues to understand the reasoning behind the ruling and to see how they can improve. However, the identities of the judges for a specific contest are not known ahead of time, and direct contact with judges is not encouraged. \n\nFor more information on how to become a judge and the roles of judges, you can visit our documentation at https://docs.code4rena.com/roles/judges. 
Please be aware that the judging process, while thorough, can lead to an increase in issues and a backlog due to limited judge availability, especially with an increase in contest submissions and complex codebases.", "Question: How can I handle an issue with my rewards on CodeArena?\n\nAnswer: If you're experiencing a problem with your rewards on CodeArena, you can open an issue ticket for review. This includes concerns about why rewards are pending after a contest, questions about the rewarding formula for specific contests, or changes to wallet addresses for reward distribution. If you've submitted issues for a contest but didn't make the award list, it's possible your issues were rejected and you can review the available report for confirmation. For any discrepancies, changes, or unresolved issues, you can submit a Help Desk request through this link: https://code4rena.com/help. The CodeArena team will review your request and assist accordingly. If you're curious about the reward distribution process, such as how rewards are distributed among wardens who find the same issue, you can read more on our FAQ page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process.", "Q: I applied for certification and was expecting an email from Provenance, but I haven't received anything yet. What could be the issue, and how can I resolve it?\n\nA: After submitting an application to become a certified warden, you can expect to receive an email from Provenance. However, there have been instances where users don't receive these emails. It's important to note that the initial email from Provenance in the Certified Warden verification process doesn't have a specified timeframe for delivery. In some cases, it might take 2-3 weeks to receive the KYC email from Provenance. The email is typically sent from compliance@provenance.company or kobus@provenance.company. 
\n\nIf you haven't received the email yet, it's recommended to check your spam folder as the email might have been directed there. If you still can't find the email, it's possible there might be inconsistencies in the Certified Warden application and response email.\n\nThe status of the certification process will be updated via email, and once your certification has been finalized, you should receive a confirmation email. If you have received this confirmation email and have applied for KYC, you should also receive an invitation link via email from Provenance.\n\nIf you have any doubts about the legitimacy of the email, you can confirm it at https://discord.com/channels/810916927919620096/810931711609143326/1135988921906495620. In some cases, after a Provenance application is approved, it generally takes a few days for the role to reflect on your profile.\n\nPlease remember the certification process involves sending your identity for verification. If you're unsure about the status of your application or other issues related to the verification process, please reach out to our team or Provenance directly for further assistance.", "Question: Am I eligible for the arbitrum audit payment if I complete certification within the contest period but after its start?\n\nAnswer: Yes, participants can become eligible for arbitrum audit payment if they complete their certification within the contest period but after it has started. However, keep in mind that certification must be completed within 30 days of the end of the audit to receive the payout. This certification is called Certified Contributor status, which requires successful completion of a Know Your Customer (KYC) process.\n\nIn the case of team participation, every member of the team needs to be certified to qualify for the payout. 
If a team wins an audit but cannot claim the prize due to KYC issues, it's uncertain whether the prize will be held or lost.\n\nFurthermore, even if you've become a Certified Contributor and are eligible, there might be a delay between the award announcement and the payout. This is because awards cannot be distributed until after the entire process is completed, including post-judging Quality Assurance (QA). \n\nThere are also instances where payment amounts may be adjusted (increased or decreased) after a payout, but these situations are evaluated on a case-by-case basis. In some cases, the rewards may appear as pending after the contest has ended due to the use of multisig wallets, which require multiple parties to sign off before funds can be released.\n\nPlease note: the specifics for each contest, including certification requirements and payout procedures, may vary based on the contest rules and sponsor decisions. Always check the specific rules for the contest you're participating in.", "Q: How does CodeArena manage payments for teams participating in audits, and how can teams distribute the earnings among team members?\n\nA: CodeArena (C4) only supports payments to one address for a team's audit findings. When a team registers for an audit contest, a single wallet is used for registering and all rewards for the team's findings are sent to this single address. The team is then responsible for distributing the funds among themselves as they see fit. \n\nTo manage the distribution of these funds, teams can use features such as multisig wallets or a contract like OpenZeppelin's PaymentSplitter. This way, they can set up an agreement in advance about how to divide the winnings fairly among team members. More detailed information about this can be found on the Code4Arena's documentation at https://docs.code4rena.com/roles/wardens and https://docs.code4rena.com/incentive-model-and-awards. 
\n\nThere has also been a discussion about the option to update your payment address from your C4 account screen at https://code4rena.com/account. However, if two people are part of a team and they find the same issue but submit it with different wallets, the system currently does not support splitting the payment between multiple addresses. \n\nIt's also significant to note that tax reporting for C4 bounty earnings is the individual's responsibility, and C4 does not handle this. Always make sure to consider the tax implications when distributing the funds among team members. \n\nC4 is continually considering ways to improve the process, such as implementing a system for using different wallets for different submissions in a single contest. However, these updates are not yet in place. Please check the Code4Arena website regularly for updates or ask for support if needed.", "Question: Why wasn't my finding included in the audit process, and how can I improve my chances of successful participation in future audits?\n\nAnswer: Your finding may not have been included in the audit process not because you were penalized or removed, but likely because it did not rank high for that particular issue. The ranking can vary based on the severity of the bug found, the quality of your report, or the timing of your submission among other factors.\n\nTo improve your chances of successful participation in future audits, here are a few suggestions:\n\n1. Always ensure to submit your findings before the audit contest ends as your findings may not be accepted after the audit period has closed.\n2. Stay updated with the timing of the next audit event or contest. You can do this by regularly checking the CodeArena website or joining our Discord chatroom. \n3. Participate in both public and private audits. After confirmation from Provenance, you can participate in a private audit. For most audits, you don't necessarily need to be a certified contributor.\n4. 
Understand that even if your findings are not accepted, the whole process is a good learning opportunity.\n5. You could also check the findings report repositories to understand why certain findings were not accepted. This could help you improve your auditing skills.\n6. Consider becoming a certified auditor. Questions about how long it takes to become a certified auditor and the process involved can be answered in our Discord chatroom.\n7. Participate in team audits, but also consider taking part solo if you wish to challenge yourself.\n8. If you're interested in using 'brownie' or any other tool in auditing, feel free to seek help in our chatroom.\n9. Do not worry about understanding the entire codebase. You can ask questions about specific audit reports in our chatroom.\n10. Lastly, remember that not all audits at CodeArena have office hours. So, it's important to manage your time efficiently.\n\nRemember, auditing is not just about finding bugs, but also about understanding the projects and learning from the process. The more audits you participate in, the more you'll learn and the higher your chances of successful participation.", "Q: What is the Mitigation Review for Chainlink CCIP that was mentioned in the original RSVP message, and how does it work?\n\nA: Yes, a Mitigation Review for Chainlink CCIP is still planned. This review is specific to the auditors who participated in the original Invitational audit. The process involves inviting top auditors back after the contests to review the bug mitigations made by the project team. The top three auditors are selected during this review.\n\nIt's important to note that the Mitigation Review is not just about reviewing the code but also about understanding how to handle different scenarios, such as medium-risk vulnerabilities in upgradeable contracts or providing mitigations for an issue when submitting findings. 
\n\nFor more detailed information about the general Mitigation Review process at Code4Arena, please check out this article: https://medium.com/code-423n4/a-look-at-code4rena-audits-mitigation-review-3e05f8b7acb7 and for specifics about Mitigation Reviews visit https://code4rena.com/how-it-works \n\nRemember, information about future qualifiers can be found in the #\u270brsvp Discord channel: https://discord.com/channels/810916927919620096/958800160870240286/1142165149050998784. The review will be limited to the top wardens of the corresponding initial contest, so if you want to participate, keep an eye out for future contests.", "Question: I saw the results of a finished audit and with one high and one medium issue, I was ranked last. Was I removed from the audit process for some reasons or was my report not up to standard?\n\nAnswer: No, you were not removed from the audit process. In CodeArena, the ranking system works based on the quality of findings in your report and whether they were chosen for inclusion in the final audit report. For each unique High or Medium finding, the submission selected for inclusion in the audit report receives a 30% share bonus. Your ranking may be influenced by factors such as the number of high or medium findings you reported, and whether they were unique and determined to be accurate. Also, for each report, it is evaluated based on completeness, detail, and accuracy. If it is found lacking in these aspects, it may be deemed of lesser value, hence the lower ranking. However, reports deemed as low in the initial submission but raised to medium or high after review are also eligible for respective rewards [Link](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nPlease note that in private contests, there might be a ranking cutoff, with only the top 3 or 5 taken for mitigation review or invitational. 
Lastly, the leaderboard and your ranking might take about up to 8 weeks to be finalized after an audit ends, due to the review process. The audit contest is followed by a review period where judges review the findings, and this process can influence the final rankings.", "Question: How do I submit a help desk request regarding issues with my rewards and track its status?\n\nAnswer: If you encounter issues with your rewards, you can submit a help desk request at https://code4rena.com/help. This platform is designed for users to report issues or concerns that require attention from our contest administrators. The process of submitting a ticket includes a confirmation that your request has been received. \n\nOnce you have submitted a help desk request, it usually gets reviewed within 1-2 business days, although please allow up to a week in case of high volume. You can use the same link to track the status of your request or any unresolved issues. \n\nIf you've submitted issues for a contest but did not make the award list, it is possible that your issues were rejected. Confirmation can be done by reviewing your submitted report. 
If you need to update your wallet address after the report has been submitted and before the reward payout, this can be done by submitting a help desk request.\n\nRemember, if you have any further questions about the rewarding formula, the distribution of rewards, or why some rewards are still pending after a contest has finished, you can also raise these in your help desk request.\n\nFor inquiries about creating an invoice for contest rewards, you can refer to the bottom of this page: https://docs.code4rena.com/awarding/incentive-model-and-awards/awarding-process#tax-and-legal-questions.", "Question: What is the timeline and process for completing an audit with CodeArena, and what steps do I need to take to receive my payout upon completion?\n\nAnswer: After completing an audit with CodeArena, participants have 30 days to become a Certified Contributor by successfully completing a Know Your Customer (KYC) process in order to receive their payout. This certification process can be initiated within 48 hours of the contest conclusion. After an audit, the judges' review process will typically take about 8 weeks, during which time you can generally see the findings immediately upon the audit's close. You can find details on this full process [here](https://docs.code4rena.com/roles/certified-contributors). \n\nThe average turnaround time from the end of the audit competition to the release of reports is roughly a month, although efforts are being made to decrease this time. The report compilation after the audit payout also usually takes a few more weeks. \n\nPlease note, the longest duration for an audit at CodeArena has been three weeks, but some project teams may opt to extend this duration, like it was done for Maia to 5 weeks. \n\nIf you are interested in participating in upcoming audit contests, they are listed on our website, [code423n4.com](https://code423n4.com). 
\n\nKeep in mind, if a team wins an audit but encounters issues during the KYC process, there are concerns about whether the reward will be held or lost. In the event of such situations, it's crucial to contact us for clarification as soon as possible.", "Question: I am interested in the Arbitrum contest starting on the 3rd of August but I am not yet certified. Can I still participate, and under what conditions can I receive a payout if I get certified later?\n\nAnswer: Yes, you can participate in the Arbitrum contest even if you are not yet certified. However, if you wish to be eligible for a payout, you need to initiate your certification process within 48 hours of the contest starting, and complete it within 30 days of the end of the audit. It's important to note that each individual team member needs to become a Certified Contributor by successfully completing Know Your Customer (KYC) requirements to be eligible for the payout. Once certified, you not only gain access to more contests but also to private contests, provided you RSVP in the rsvp-certified channel and secure a high position on the leaderboards from the last 90 days. Do also note that payment for the contest is usually processed on the Monday or Tuesday following the announcement of the award. For more detailed information on the process and timelines, you can check out this link: https://docs.code4rena.com/structure/our-process.", "Question: How and where are my rewards from CodeArena audits sent and can I update my wallet address?\n\nAnswer: Your rewards from CodeArena audits are sent to your wallet on the Polygon network, not on the Ethereum network. They are paid out in USDC. This is linked to your Discord username and the specific wallet address you have provided. If you have changed your wallet address, it's important to note that rewards are sent to the wallet address on file at the time awards are calculated for an audit. 
\n\nSo, it is possible to use a new wallet address in your reports going forward, and future rewards will then be distributed to the new address. You can update your wallet address after the finding has been submitted and before the reward payout by submitting a request through our Help Desk at https://code4rena.com/help. \n\nOnce a submission is confirmed and the reward amounts are announced, you just need to wait for it to arrive in your wallet. The rewards are not distributed immediately after computation due to the use of multisignature (\"multisig\") wallets which require signatures from multiple parties before funds can be released. However, the team is working on distributing awards via smart contract in the future.\n\nPlease note that there have been instances of users' MetaMask wallets being hacked, resulting in the theft of rewards. Always ensure the security of your wallet. If you forget the wallet address to receive the bounty, you can refer to the email received when the bug report was submitted.\n\nOnce the rewards are received, they can be withdrawn and sent to preferred crypto trading platforms such as Binance for conversion and withdrawal. For example, you can receive awards on Polygon that can be connected to MetaMask for conversion and withdrawal. The conversion process from Polygon Token to EUR can be done through MetaMask bridge and Coinbase. \n\nUpdates regarding the distribution of awards are posted on our announcement channel, so make sure to check that regularly.", "Question:\nWhen CodeArena releases reports, are both valid and invalid issues included, and how can these be accessed?\n\nAnswer:\nYes, when CodeArena releases reports after a contest, both valid and invalid issues are made public. These can be accessed through the entire findings repository, which includes all of the judge's decisions on the reports. 
The issues in the published reports may be the same as those initially reported, but the judge has the discretion to deem certain reports as out of scope or already known. \n\nYou can access these reports in the reports section on the CodeArena website, however, be aware that there have been occasional reports of issues accessing the site. Each report links multiple times to the findings repository, or you can go directly to https://github.com/code-423n4 to start browsing. \n\nWhen the final report is released, the issue numbers will match the findings.csv. It's worth noting that if a vulnerability is found in an out-of-scope contract, it can be included in the C4 report as an unrewarded finding or the project can be directly informed. \n\nCodeArena recognizes the importance of transparency and learning, hence, every contest releases a report about the bugs found and these reports can be used for learning. Users can check previous reports to get an idea of what a high-quality submission looks like. Also, it's possible to report a variety of findings based on different combinations of issues found to create different attacks.\n\nFinally, please remember there is a process for submitting an issue using the C4 form and all wardens, the first to report a certain finding as well as others who found the same issue, are recognized in the reports.", "Question: How can I become a Certified Warden at CodeArena and what are the requirements?\n\nAnswer: Becoming a Certified Warden at CodeArena involves a detailed process. You need to participate in a certain number of contests and have a certain number of valid findings or reports. In particular, you need to have at least 3 top finishes in either the QA or gas report from past contests. 
To initiate the process, you're required to apply, and the application involves a Know Your Customer (KYC) process, which might require a passport or a certified copy of your identity.\n\nOnce you become a Certified Warden, you are eligible to attend private audits, and also participate in private contests. However, to attend these private audits, there might be additional conditions to meet. Also, versus contests are only for certified wardens. Being a certified warden also makes you eligible for a judge role, although certification may not be required at all times. \n\nAn important point to note is that eligibility does not equate to automatic selection; the criteria for acceptance may involve competing in audit contests. The process for applying to be a Certified Warden and subsequent communication regarding the KYC is essential. You can find detailed information about the process and eligibility requirements on the official CodeArena documentation pages [here](https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor) and [here](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints).", "Question: What do HM awards signify and how are they distributed in a contest?\n\nAnswer: HM awards, referred to as High and Medium awards, are rewards for identifying high and medium severity bugs in a smart contract during a contest. The reward for a medium/high finding can be calculated using this formula: [link](https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs). If a finding is misclassified in terms of severity, it can be adjusted by Code4Rena judges. Even if a high severity bug is downgraded to medium, the reward for a medium bug still applies. 
The same rule applies to QA reports; if an issue is initially reported as low but the judges reclassify it as medium, it becomes eligible for medium rewards ([link](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum)).\n\nIn cases where no high or medium severity bugs are found, the entire rewards may move down to Quality Assurance (QA), and the awards will be divided based on the QA Report curve. This is rare though, as there are usually at least medium vulnerabilities found. In contests, the awards pool is divided into several categories, including HM awards, QA report awards, Bot race awards, Gas report awards, Judge awards, Lookout awards, and Scout awards.\n\nFor each unique high or medium finding selected for inclusion in the audit report, a 30% share bonus is given. Classifying a finding's severity involves balancing the consequence and likelihood of the issue. If the consequences are substantial, such as significant fund loss, it's usually classified as high. Medium consequences usually require specific preconditions and have a lesser impact. \n\nPlease note, reward distribution in a contest where only one high and one medium issue are found can be explored further at this link: [link](https://docs.code4rena.com/awarding/incentive-model-and-awards).", "Question: There seems to be a discrepancy between the start date of Chainlink Staking v0.2 contest on the RSVP channel and the Code4rena website. Could you clarify which date is the correct one and where can I find the latest updates?\n\nAnswer: The correct start date for the Chainlink Staking v0.2 contest is as per the Code4Arena website. Any discrepancies with the RSVP channel will be resolved and the website should always be considered as the source of truth. Note that at times, contests can be delayed and will be re-posted once the dates are confirmed. 
For the most up-to-date and accurate information, please refer to Code4Arena's official website [https://code4rena.com]. Also, keep in mind that Certified Wardens can access reports like the Chainlink Staking v0.1 on C4 if they have a backstage role. Details about this role can be found on our documentation page at [https://docs.code4rena.com/roles/certified-contributors/backstage-wardens].", "Question: How are individual and team statistics handled on CodeArena, and how do they impact rewards and leaderboard rankings?\n\nAnswer: At CodeArena, both individual and team statistics are considered. An individual's name can appear twice on the leaderboard - once for their individual stats and again as part of their team's stats. When submitting findings as a team, all team members receive the bug stats, and the team is rewarded evenly among the members. However, if a single member of the team submits the same finding separately, it decreases the overall value of the submission.\n\nIf a participant belongs to a team, they have the option to submit solo findings whenever they prefer. The submission form allows wardens to specify if they are submitting as an individual or a team member. Despite being part of a team, participants are not obligated to always participate as a team. \n\nThe leaderboard ranking is influenced by both the current contest and the total participation of a contestant. Teams are also taken into account when comparing leaderboard ranks for selecting people for RSVP certified jobs. The leaderboard also displays the total number of valid findings of all severity levels by a specific individual or team.\n\nIf a warden receives rewards both individually and as part of a team, they will appear separately on the leaderboard. Teams and individuals are treated the same by CodeArena. Changes to teams, such as the removal or addition of members, are possible and users can register as a team and submit findings as a team. 
For more details on reward distribution and team participation, refer to https://docs.code4rena.com/incentive-model-and-awards. \n\nIt's important to note that there's ongoing discussion about changes to the leaderboard to primarily show current year statistics while keeping all-time stats visible.", "Question: Can someone explain the concept of vault rebalancing and how it functions in the context of smart contracts?\n\nAnswer: Unfortunately, there isn't a direct answer found in the chat history, but I can provide some general insights. Vault rebalancing is a mechanism used in DeFi protocols to manage the risks associated with the digital assets held within the vaults. In the context of smart contracts, this could involve automated processes to distribute assets among different strategies or contracts to optimize returns and minimize risks. \n\nFor a more detailed study, you may refer to the main contracts in the Vault explained in this video https://youtu.be/D-hSiGeNpuY. Additionally, you can find more information about vaults for individual users in CodeArena's documentation at: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/docs. Please note that these resources may not specifically address vault rebalancing but can give you a broader understanding of how vaults operate in the DeFi ecosystem, which could indirectly help you understand the concept of rebalancing. \n\nFor specific implementation details or potential risks associated with vault rebalancing, it can greatly vary depending on the design of the protocol. It is always suggested to get audits for the smart contracts involved, like the audits provided by CodeArena.", "Question: I've submitted a help desk ticket on CodeArena but didn't receive a ticket number or email confirmation. 
How can I follow up or check the status of my request?\n\nAnswer: After submitting a help desk ticket through CodeArena, it's important to know that while you might not always receive an email confirmation, the ticket should have been received and will usually be reviewed within a week. If you don't receive an email confirmation after registration or after submitting a finding, you can open a new help desk request at https://code4rena.com/help to follow up.\n\nIf you've submitted a help desk request for any unresolved issues, status updates, KYC confirmation, analysis submission process, backstage role application, or for any discrepancies found in the reports, your request should be handled in a timely manner. In some cases, it may take a few business days for a help desk request to be reviewed. If there's no response within a few days, we recommend opening another help desk request.\n\nPrivate inquiries can also be submitted to a member of the Code4rena team via the help desk form. If you meet certain qualifications based on published contest results and wish to gain backstage access, you can submit a help desk request specifically for that. \n\nWhile it's rare, there have been reports of users not receiving a response after sending a ticket, so we urge you to remain patient as our team works to address all incoming requests. It's our aim to ensure the smooth operation of all our services, and we appreciate your understanding and cooperation.", "Q: What is the procedure for submitting a bug issue and what considerations should I make regarding the proposed solution, severity classification, and proof of concept (PoC)?\n\nA: When submitting a bug issue at CodeArena, your submission should clearly identify the bug and include a proposed solution. You are allowed to edit your submission if the contest has not ended. If you happen to submit a correct bug issue with an incorrect solution, you can still update your submission. 
When classifying the bug's severity, ensure you correctly assess it by providing clear evidence. If a high severity bug turns out to be of medium severity, you'd still receive a reward for a medium bug. \n\nIt is advisable to include a proof of concept (PoC) in your submission. Without a PoC, a finding may be disregarded unless the issue is extremely obvious, like a wrong parameter, typo, or code that doesn't compile. Submitting a high severity issue without working code that demonstrates the impact may lead to a high severity issue being downgraded or deemed ineligible for awards. \n\nYou can view or edit your own submissions on the site for open contests. If you need to increase the severity of a submitted bug during a contest, you can submit a help request to remove the original submission and then submit again via code4rena.com/help. \n\nRemember to make separate submissions depending on the type and severity of the bugs found. Additionally, the grading criteria for quality submissions include: correct identification of the highest severity impact of the bug, making the case for the severity and validity chosen with evidence, and clear and understandable writing. For a simpler example of a bug report, you can refer to this link: https://github.com/code-423n4/2022-12-caviar-findings/issues/141.", "Question: How should I handle and submit vulnerabilities that depend on fixing another definite bug or vulnerabilities that are related?\n\nAnswer: When you identify vulnerabilities in the codebase, you should make separate submissions depending on the type and severity of the bugs found. If two separate vulnerabilities can be combined to create a more potent one, you should submit a third finding explaining the proof of concept. The grading criteria for quality submissions include the correct identification of the highest severity impact of the bug, making the case for the severity and validity chosen with evidence, and clear and understandable writing. 
\n\nWhen submitting reports on vulnerabilities, you're encouraged to attach screenshots in the vulnerability details section by copying the GitHub permalink and the lines of code for the affected code. If the same vulnerability is found in multiple different components of the codebase, it might count as two separate findings, but it's ultimately the judge's call to determine if they're duplicates. \n\nIf a single line of code has multiple ways of exploitation, there's a question whether it should be reported as one bug or multiple. Multiple instances of the same vulnerability should also be reported as one issue. Duplicate submissions of the same vulnerability are subject to some sybil resistance, with each instance awarded a share of one point depending on the number of duplicates. \n\nIf a vulnerability is difficult to fix without major changes to the protocol, it can still be reported. Recommendations for fixing are appreciated but not a must. If you've written a Proof of Concept (POC) script for a vulnerability, you can include the link in the submission wherever relevant.\n\nIn terms of automated findings, submissions based on automated tools must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory. The submission policy related to automated findings is provided [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nPlease note, the reward and contest criteria may vary for different contests. For more information about the submission policy, please refer to our [documentation](https://docs.code4rena.com/roles/wardens/submission-policy).", "Q: How is the announcement and distribution of contest awards handled on CodeArena?\n\nA: Contest winners are announced in the #\ud83d\udce2announcements channel on our Discord chatroom. 
The timeline for announcing contest results typically depends on several factors, including the time taken for judging which usually lasts for about 2 months. After the judging process, the results are reviewed by sponsors and then posted in the contest channel. \n\nAn awards list and leaderboard for participants are also updated at this time. The announcement of the winners is separate from the disbursement of the awards. Prizes for contest winners are generally distributed between 1-2 weeks after the winners have been announced. The rewards are sent out manually in batches, often for multiple contests at the same time, to the user's registered wallet address. \n\nAfter the announcement, participants can apply for backstage access and check the leaderboard for updates. Remember, the process after a contest is completed typically includes Sponsor Review, Judging, Awarding, and then Reporting. The final published report allows participants to see the results of their submissions. Please keep an eye on the #\ud83d\udce2announcements channel for updates on distribution.", "Question: Can auditors share their test environment and methods with each other during the auditing process?\n\nAnswer: At CodeArena, auditors can create a test environment if none exists in the repository. Experienced auditors might use the existing test environment in the repository to confirm code functionalities or write new test cases. If there's no test setup in the C4 repo, auditors may look for a potential test setup in the sponsor's GitHub or isolate parts of the code for testing. While specific methods and strategies may vary, it's common for auditors to use a combination of using the existing test environment, forging new ones, or isolating the code for testing. 
In certain team audits, it's acceptable to collaborate through sharing these environments and methods.\n\nHowever, it's important to note that concerns have been raised about managing team members who want to participate solo in a contest that their team is also auditing. In the interest of fairness, sharing of resources and methods may be regulated or discouraged in these specific scenarios. Furthermore, auditors must ensure they are not disclosing any sensitive information. For instance, auditors may fork the codebase and create a private repository on GitHub, but this should not be considered as information disclosure, as the submitted findings will be created as a GitHub issue.\n\nIt's always best to check with the contest rules or reach out to CodeArena for specific guidelines before sharing any resources or methods. The full process of participating in the audit, even if not successful in finding bugs, is considered a good learning opportunity by many users. Always ensure you and your team are following the best practices and guidelines to make the audit process fair and effective.", "Question: How can I know if I have successfully completed the KYC process and what are the steps involved in it?\n\nAnswer: The KYC (Know Your Customer) process is a crucial requirement for participating in certain activities at CodeArena, such as audits that require KYC, Chainlink contests, and becoming a certified warden or contributor. You can initiate your KYC application process by visiting our page at https://docs.code4rena.com/roles/certified-contributors.\n\nOnce you have applied for KYC, you will receive an email from Provenance and C4. Typically, Provenance sends the KYC email within one business day after the application is submitted. However, please note that the entire KYC process can take a few days to a week or longer to complete. \n\nYou can also check if you are certified by clicking your name to see assigned roles. 
If you have not received any communication regarding your KYC status, it is recommended to submit a help desk request to track your KYC confirmation. \n\nPlease be patient as there may be delays in the KYC process due to various verification checks. If you wish to participate in an audit or contest that requires KYC, make sure to plan accordingly and complete your KYC process in advance.", "Question: I mistakenly submitted an analysis from my personal account instead of my team account. What steps should I take to correct this?\n\nAnswer: If you've accidentally submitted an analysis from your personal account instead of your team account, don't worry, we can help rectify the situation. Follow the steps below:\n\n1. Resubmit the analysis from your team's account. Teams can make submissions on behalf of their team members. If you have trouble submitting an analysis from your team's account due to errors like a saved polygon address, please refer to our [Analyses Guidelines and FAQ](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118) or ask for assistance through the help desk.\n\n2. After resubmitting the analysis from your team's account, submit a help desk request to withdraw the previous submission made from your personal account. You can do this at [Help Desk Link](https://code4rena.com/help). \n\n3. If you encounter issues with editing your analysis report after submission, you can reach out to the help desk again. Although users cannot directly edit an analysis report, they can create a help desk request including a secret gist to have edits added to the comments of their analysis report before the audit closes.\n\nPlease note, if you mistakenly submitted an analysis to the wrong contest, you should also submit a help desk request after re-submitting the analysis to the correct contest. An individual can choose to submit either as a solo participant or as a team member, the submission form allows for this selection. 
If you need to modify your team, you can also do this through a help desk request.", "Question: How can I make the Activity Stream available on my profile, and what is required to participate in different types of audits on CodeArena?\n\nAnswer: The specific number of audits needed to make the Activity Stream available on your profile hasn't been explicitly stated. However, participating in more audits tends to increase user activity on the platform. Participation can be as an individual or as part of a team. \n\nThere are different types of audits available on CodeArena, including public, private, restricted, and invitational audits. For most audits, you don't need to be a certified contributor, although certification may be required for participation in private, restricted, or invitational audits. \n\nThe certification process involves the KYC process and is described in detail at https://docs.code4rena.com/roles/certified-contributors. You can also sign up as a certified contributor with multiple accounts, but remember to participate with only one account. \n\nFor private audits specifically, you typically need to be certified and to rank on the leaderboard. Additional details for participating in private audits can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nIn addition to certification, backstage access which might be beneficial in the auditing process, is based on the certified contributor role, the number of findings (at least three medium findings and four total findings), and participation in contests. \n\nRemember to check the #\u270brsvp channel to see upcoming public audits and raise a hand if planning to participate. CodeArena typically has 2-5 audit projects per week. \n\nPlease note that specific requirements or conditions for audits might be specified in the applicable channels.", "Q: I haven't received a reply to my help desk request that was submitted a week ago. 
How can I follow up or get assistance?\n\nA: If you've not received a response to your help desk request within a week, you can follow up the status of your request. Help desk requests are typically replied to within 1-2 business days, and are often resolved within 24-48 hours on business days. Please note that responses may not be sent during weekends. If the issue persists, you can direct message us or submit another request explaining the issue in detail. Also, if your request is related to not receiving an email after registration or submitting a finding, or issues with your status, or to track the status of your KYC confirmation, you can specify these details in your request. You can submit your help desk request at [https://code4rena.com/help](https://code4rena.com/help). We assure you that your request will be reviewed and fulfilled in a timely manner.", "Question: \nWhy isn't the total prize money for the new GMX contest in the #\u270brsvp channel adding up to $40,000, and where do these discrepancies come from?\n\nAnswer:\nThe discrepancy you noticed in the total prize money for the GMX contest was due to an unintentional typing error. We appreciate your patience and understanding as we strive to eliminate such errors. \n\nPlease note that as soon as mistakes are identified, they are corrected promptly. You can check the updated information on our website [https://code4rena.com]. \n\nIt is important to understand that contest prize amounts are sponsored, and sometimes there might be adjustments or discrepancies due to various factors, including updates to the judging pot and changes from the sponsors. \n\nIf you ever notice a discrepancy like this in future, feel free to raise it in our channels. We are committed to ensuring accuracy and transparency in all our contests and we value feedback from our community. 
\n\nLastly, we encourage you to check the #\u270brsvp channel for updates on upcoming contests and any changes related to them.", "Question: What is the process to become an eligible contributor at Code4rena, and what benefits and responsibilities does it entail?\n\nAnswer: An eligible contributor at Code4rena, also referred to as a Certified Contributor, is a participant who has completed the application process and gained approval. The application process involves a specific procedure detailed at [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors). Participants can apply to be a Certified Contributor using GitHub sign up and may need a username and password to submit a finding.\n\nAfter becoming a Certified Contributor, one can participate in private contests and potentially have access to the backstage area, given they meet specific criteria. The backstage access criteria include having at least three medium findings and four total findings, along with participation in contests. Once these criteria are met and the results are published on the leaderboard, Certified Contributors can apply for backstage access. Backstage access allows contributors to access the contest repo post closure and pre-public report release. This process is detailed at [https://docs.code4rena.com/roles/certified-contributors/backstage-wardens](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens).\n\nCertified Contributors are allowed to submit findings, either as an individual or as part of a team. Submission of findings involves providing direct links to all referenced code in GitHub and adding screenshots, logs, or any other relevant proof that illustrates the concept. 
The submission can vary from high-level reports to gas optimizations, as long as the report is of high quality, the findings are accurate, and there is a working proof of concept.\n\nWhile one can sign up as a Certified Contributor with multiple accounts, participation is limited to one account only. Some contests may require contributors to clear KYC (Know Your Customer) to receive prizes. KYC can be cleared by becoming a Certified Contributor, as explained at [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors).", "Question: What is the bot crew role in CodeArena and how can one participate in bot races?\n\nAnswer: A bot crew role in CodeArena implies that the individual is part of a bot team or owns their own bot. This is directly related to a unique feature of CodeArena called 'bot races.' Bot races are events held usually for the first hour of an audit where bots, which are considered the intellectual property of the warden, identify issues and propose fixes. However, it's worth mentioning that there's a concern that fixes proposed by bots might introduce more damaging exploits.\n\nThe process to create a bot team and participate in bot races involves registering the bot during a qualifier. More information about bot races, including the registration process and rules, can be found on CodeArena's bot registration page [here](https://code4rena.com/register/bot). \n\nRemember, Bot crews differ from typical teams and require special registration during the qualifier. Some audits require bot crews to be KYC'ed to receive payments, but not all. If a bot finds a high or medium finding, it only gets the bot pool reward based on the bot race rank. To gain more rewards, bots need to accrue more points and shift rank cutoffs, thereby potentially bumping others to lower ranks.\n\nTo clarify any issues related to bot races, users can refer to the #bot-race-help on Discord. 
It's also important to note that the presence of unique vulnerabilities or their number, as well as the accuracy of the bot (no false positives), may provide an advantageous edge in bot races, although more concrete details on this aspect are not specified in the observations provided.\n\n[Bot Registration Link](https://code4rena.com/register/bot)", "Question: I'm encountering several broken file path errors in the Pool Together competition and having trouble running the contest on Windows. I'm also unsure about the submission limits and validity of the issues. Can you help?\n\nAnswer: Sure, let's address your concerns one by one. \n\nFirstly, the broken file path errors might be because of the operating system, as some users have reported issues when running the GoGoPool contest (which is similar to Pool Together) on Windows. It may also be due to incorrect links to the repositories in the contests, as reported by other users.\n\nIf you're running the contest in VSCode, make sure that you've correctly cloned the repository and are following the required instructions for running the tests. You could also try to check for missing imports on the .sol files as they might cause errors. Some users have shared that these errors appear at the top of every .sol file.\n\nRegarding submission limits, there's a general consensus that it's unlikely for a contest to have no high or medium issues found because no code is perfect. However, there can be around 150-300 submissions per contest including QA, gas, duplicates, and invalid ones. It's not clear if there's a limit to the number of high/medium bug reports that can be submitted per contest, but there are concerns about penalties for too many unsatisfactory submissions. 
The penalty system at Code4rena involves a high bar for satisfactory performance, which might trigger more penalties, and there are many strikes for reports.\n\nIn terms of the validity of the issues, it's important to remember that not all bugs/gas optimizations stated in publicly known issues are valid for other files within the same repo. Participants often review the \"Known Findings\" section on the Readme Page of each contest for information about automated findings not accepted in the contests. An example of a finding from a previous competition can be found at this link: https://github.com/code-423n4/2022-09-artgobblers-findings/issues/137\n\nIf you need further assistance, please post your queries in the relevant Discord channel, like the #pooltogether-aug02 channel, where your fellow participants working on the audit may be able to assist you.", "Question: How should I report multiple findings in my smart contract audit? Should I group them into a single report or separate them based on their nature and severity?\n\nAnswer: It seems there are different approaches to reporting multiple findings from a smart contract audit. If the findings are of the same nature or related to the same function or vulnerability, it can be beneficial to group them into a single report. For instance, all findings related to gas optimization should be compiled into one report and multiple occurrences of the same issue can also be combined into one report as discussed in the chatroom and detailed here: https://github.com/code-423n4/org/issues/8. \n\nHowever, if a single line of code or function has multiple ways of exploitation, or if the same vulnerability is found in different components of the codebase, there's a debate whether they should be reported as one bug or multiple. The final decision often depends on the judge's discretion. \n\nWhen submitting bug findings, it may be useful to make separate submissions based on the type and severity of the bugs found. 
Different issues for different optimizations should also ideally be reported separately as single issues will be evaluated as such.\n\nThere was also uncertainty about categorizing findings that could fit into two categories (mechanism and architecture) in a report. Generally, it is advised to be as clear and specific as possible in your reporting to avoid rejections, and the reasons for findings rejections are usually provided in some form.\n\nIn summary, it's recommended to group similar findings but report different issues separately. However, there is some leeway depending on the specific circumstances of each finding. You should always follow the guidelines provided by CodeArena when reporting your findings to ensure accuracy and clarity.", "Question: If a hacker compromises C4's mail server or other parts of the infrastructure, can they read all findings and potentially submit them as their own? How does C4 handle such security concerns?\n\nAnswer: CodeArena takes the security of its infrastructure very seriously. There are a handful of places in our infrastructure and tooling that require additional diligence for exactly this reason, and we are very focused on it. We have a Chief Security Officer (CSO) overseeing the process, procedural, and application security, along with a team member with a deep background in securing infrastructure from an architectural perspective. This rule applies not only to our mail server but also other critical points in our infrastructure like our GitHub access.\n\nWe understand the potential risks associated with centralization, and if users perceive a centralization risk, they can report it, stating all their reasons, and let the judge make the final call. Additionally, we have mechanisms in place to manage vulnerabilities reported by multiple people or those that could potentially be combined to create more powerful ones. 
\n\nPast contest reports that revealed vulnerabilities are made available for educational purposes, and steps are taken to ensure fairness, such as preventing sponsors from having early access to vulnerability submissions to exploit this information. If a vulnerability is identified outside of our scope, it can still be reported and will be included in the C4 report as an unrewarded finding.\n\nIn terms of findings, we handle a variety of them based on different combinations of issues found to create different attacks. For automated findings, there is a higher burden of proof to demonstrate a relevant exploit path. More information regarding this can be found at https://github.com/code-423n4/org/discussions/50. \n\nIf you identify a potential vulnerability, it may still count when submitting it, depending on the judge's judgement, even if it has been confirmed by the sponsor via private DMs. If a user has written a Proof of Concept (POC) script for a vulnerability, they can include the link in the submission wherever relevant. \n\nAs part of our commitment to maintain a robust security posture, we offer assistance in the unlikely event of a C4 wallet being hacked. You can submit a help desk request for assistance via https://code4rena.com/help/. \n\nWe also welcome any recommendations for fixing difficult-to-fix vulnerabilities, though it's not a requirement. We encourage users to report any vulnerabilities they find, regardless of whether solutions are readily available or not. It is also within our policy to consider social engineering attacks on the owner and take them into account. 
\n\nLastly, we understand the concerns about the potential for dishonest cloning of white-hat reports by projects to cut down on their payouts, and we have measures in place to mitigate such risks.", "Question: How can I check the status of my Lybra report submission and read the judgement on my findings for the contest?\n\nAnswer: You can track the status of your Lybra report submission and read how your findings were judged through a couple of steps. The ability to view the status and edit your findings is found in the \"findings\" tab next to the contest description on the contest page. You can also view your Analysis Report for your submission.\n\nAfter a contest is completed, the process includes Sponsor Review, Judging, Awarding, and then Reporting. The final published report allows participants to see the results of their submissions. If your submission was not awarded or if you wish to understand why certain findings were rejected, you can review the published report and the public repository to see the discussion among sponsors and judges on the specific issue. \n\nReports from past contests are available at [Code4rena Reports](https://code4rena.com/reports). Information on how the Analysis report works and what needs to be filled in it can be found at [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#analysis). Keep in mind that you will receive a confirmation email for all the reports you submitted during the competition.\n\nIf you're new to auditing and looking for recommendations on past contests to practice on and to read old reports, you can find useful information in the same links provided above. 
This can help you better understand the judging process and improve your future submissions.", "Q: Where can I find detailed information about the issue types, their severity rankings, the submission process, and the policy on 'known issues' at CodeArena?\n\nA: Information about issue types, their severity, and the 'known issues' policy can be found in various locations. \n\nThe criteria for categorizing the severity of issues as low, medium, and high are available at our judging criteria page: https://docs.code4rena.com/awarding/judging-criteria/severity-categorization\n\nOur 'known issues' policy can be seen at this link: https://github.com/code-423n4/org/discussions/50\n\nFor more information on submitting issues, you can refer to our submission guidelines at: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues\n\nIf you're unsure about how to categorize your findings, you can create a help desk request. There is also a process for submitting an issue using the C4 form. \n\nIn case of findings that could fit into two categories in an analysis report, or you find issues in multiple places in the codebase, you can find answers on our discord server: \nhttps://discord.com/channels/810916927919620096/810936719003090974/1134472653437145149\n\nIf you need information on how to modify submitted findings or how issues could possibly be upgraded to a higher severity, feel free to engage in our chat or check on Github. 
For in-depth discussions on specific issues, you can visit our GitHub page: https://github.com/code-423n4/2023-06-lybra-findings/issues/364#issuecomment-1689165295\n\nAnd lastly, you can always review your issues before submitting them, and if concerns focus on inconsistency, process, or lack of clarity in rules, you are encouraged to review and comment on the issues on our Github page: https://github.com/code-423n4/org/issues\n\nRemember, a well-structured report should contain the issue, description, Proof of Concept (where necessary), and mitigation (where necessary).", "Question: As a warden, how can I access and understand the findings of my report and other wardens' reports on CodeArena?\n\nAnswer: At CodeArena, audit reports are accessible under the reports section with each title acting as a link to one of the warden's reports on GitHub. The findings repository becomes public once the final contest report is published, allowing all participants to review the findings. However, certified wardens with established contributions are granted early access to see these reports on GitHub during the triage process. This backstage access allows them to view the findings repo immediately after a contest ends. \n\nTo understand and review your findings, you can refer to the data folder in the findings repo where you will find JSON files named as [warden-handle]-[issue number]. These issue numbers can be used to look up your findings directly. You can also check your findings by looking at the 'findings.csv' file at https://github.com/code-423n4/code423n4.com/tree/main/_data/findings. This table lists all wardens with their deduplicated findings. \n\nFor wardens who wish to see how their findings were judged, they can also view the comments in their submission after the announcement. 
If they notice any issues, they can raise them to the judge for reconsideration before the findings are published.\n\nPlease note that all wardens are required to abide by our professional conduct guidelines at https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines, which mandates that all findings are treated as private and confidential until the contest report is made public. \n\nFor more information on submission guidelines and policies, please refer to https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues and https://docs.code4rena.com/roles/wardens/sub.", "Q: I'm having trouble with the Analysis Report preview, the embedded images are not displaying correctly and I've even used the same syntax I did for my previous submissions. Additionally, I seem to have issues with how inline math and numbered lists are displayed in the preview. Could these be known issues and is there a way to resolve them?\n\nA: Yes, we've had other users report similar issues, particularly with embedded images, inline math, and numbered lists not displaying correctly in the preview. It seems to be a known issue with our Analysis Report preview. However, these issues do not affect the final submission - your numbered lists will show the numbers and your embedded images and inline math should render correctly in the final report. \n\nWhen embedding images or code in your report, you can use Markdown. For a helpful formatting tool, we'd recommend Visual Studio's preview tool as suggested in our chat discussions. Additionally, if you're unsure about how to embed images using markdown, we've had a discussion on that in our chat, which may be useful to you.\n\nPlease note that at present, our platform does not support editing of an analysis report after submission although we're working on adding that feature. 
If there's an issue with your report after submission, you can create a help desk request for assistance.\n\nFor a guide on submitting an Analysis Report, you can check out our Analyses Guidelines and FAQ at [Analyses Guidelines and FAQ](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118).\n\nWe appreciate your patience as we work to improve the report preview functionality.", "Question: Who are the judges for C4 contests and how does the judging process work?\n\nAnswer: The judging process for CodeArena (C4) contests involves a team of around ten judges, with about five lookouts. The specific identities of the judges for a contest are not disclosed ahead of time. These judges are chosen based on their experience and reputation. During a contest, the bugs are evaluated by a C4 judge while the rules are judged by Certora. The findings need to be visible to C4 staff, sponsors, and the judging team for the judging process to occur. \n\nIf a report's severity is misclassified as medium, it can be upgraded to high by C4 judges. The judges review the findings to decide their severity, validity, and quality. After the contest concludes, the judges' decisions on a bounty are shared. \n\nA post-judging QA period exists where comments can be made on the judges' decisions. Wardens can see the judging results before they are published. If they see any issues, they have the opportunity to raise them to the judge for reconsideration. \n\nThe judging process can take a lengthy time period, with factors beyond the judge's control contributing to delays. Sponsors also play a role in the delays of contest judgement. \n\nParticipants can expect feedback from a judge if a submitted finding is marked as invalid. The judges also receive a share of the prize pool as an incentive. 
For more details about the C4 judging process, refer to this thread on Twitter: https://twitter.com/sayan_011/status/1629011044516655104?t=DJz16iE54QkwLxkc3MrQtw&s=19.", "Question: What does the participation reward involve in a formal verification contest at CodeArena?\n\nAnswer: The participation reward in a formal verification contest is a benefit provided to all participants, regardless of whether their submissions are awarded or not. The reward amount is provided by the contest sponsor and is shared among all participants. To receive the reward, participants may need to verify their identity after the contest ends. This process is known as Know Your Customer (KYC) verification and forms part of the contest context. Some contests may require participants to be certified to be eligible for payouts. Certification also grants access to more contests. \n\nFor team participants, a single wallet is used during registration, and the prize, if won, is sent to a single address. It is then the team's responsibility to distribute it amongst themselves. The focus of contests is on providing value from a security perspective, which is delivered by the results participants produce.\n\nInterested individuals can participate to improve their skills, gain a better understanding of audit reports, and potentially identify and rectify vulnerabilities in smart contracts. If a participant thinks they've found a vulnerability, they can reach out to the sponsor team during the contest, but they must submit it via the contest submission form for it to be eligible for awards.\n\nWhen a submission is not rewarded, participants can review why their submission was not accepted once the report is out and the repository is fully opened. This allows them to see the discussion among sponsors and judges on the specific issue. 
\n\nYou can get more information on participation and rewards for a formal verification contest by visiting the contest repository at https://github.com/code-423n4/2023-01-blockswap-fv and general information on awards can be found here: https://docs.code4rena.com/incentive-model-and-awards.", "Q: I have applied for KYC verification and I'm expecting an email from Provenance. Can you clarify what I should expect, and from what email address?\n \nA: After applying for KYC verification, you should typically receive an email from Provenance. The email will be sent from either of the two addresses: kobus@provenance.company or compliance@provenance.company. Please remember to check your spam folder, as emails from these addresses might end up there. \n\nThe email is part of the Certified Warden application process, indicating either the submission of your application or confirmation of your KYC request. There's no specified timeframe for delivery of this initial email from Provenance after your application submission. However, once you start the process with Provenance, it usually takes around 1-2 business days.\n\nIn some cases, you may have to wait for a certain period after receiving a confirmation email from Provenance to get your role updated on the C4 side. If you have not received any response from Provenance within a couple of days or up to a week, you can open a help desk request at [Code4Rena Help](https://code4rena.com/help).\n\nRelevant updates about your application status, submission confirmations, or private audit applications are also sometimes sent by Provenance. Please keep an eye on these emails as they are legitimate and related to your activities on the platform. 
\n\nIf you have more detailed requirements or any issues with your application, remember that Provenance, as our chosen KYC provider, may require additional documentation beyond what is outlined in C4's guidelines.\n\nFor more details, please refer to the [Discord Community Chat](https://discord.com/channels/810916927919620096/810931711609143326/1135988921906495620).", "Q: Is the email address kobus@provenancecompliance.com associated with Provenance as referenced in the C4 guidelines? \n\nA: Yes, the email address kobus@provenancecompliance.com is associated with Provenance, who is the Know Your Customer (KYC) provider for CodeArena. After applying for KYC, you will receive an email from both Provenance and C4. Provenance is responsible for sending the KYC email, which typically arrives within one business day after submitting an application to become a certified warden. However, some users have experienced delays of up to 2-3 weeks. The email may come from various addresses, such as compliance@provenance.company, and it's recommended to check your spam folder. If you don't receive a response within a reasonable time, you can open a help desk request at [Code4rena Help](https://code4rena.com/help). It's worth noting that Provenance might have more detailed requirements for documentation than what's outlined in C4's guidelines, and that the selection of Provenance as the KYC provider was based on recommendations from other Cayman-based vendors. As for the email kobus@provenancecompliance.com, one observation confirmed it as legitimate in relation to certification. However, some users have found inconsistencies in the Certified Warden application and response email, which might be due to updates in the documentation regarding Provenance's email communications. 
Please remain patient as the process can take a while depending on the interaction between you and Provenance.", "Question: Can I change the wallet I am registered with, both for login and payment purposes, on CodeArena?\n\nAnswer: At present, CodeArena does not allow users to change their login wallet address. However, if you're using Metamask, you have the option to link multiple addresses. For more detailed instructions, refer to: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with.\n\nWhen it comes to the payment wallet address, you can update this in the 'Manage Account' section of your profile on CodeArena. This is the wallet where you will receive any awards or rewards from audits. If your wallet has been compromised or you have a specific need to change your wallet address, you can submit a help desk request at https://code4rena.com/help. Please be aware that any changes to wallet addresses are significant undertakings and should only be considered if absolutely necessary. \n\nIf a report is submitted using a new wallet address, rewards for that report will be distributed to the new address. This wallet address can be updated after the report has been submitted and before the reward payout by submitting a request through the Help Desk. \n\nIf you forget your registration wallet address, or encounter login issues potentially related to the wallet used for registration, you can seek help through the same link: https://code4rena.com/help. Please remember that your login success might depend on using the correct wallet or email associated with your account. \n\nLastly, it's crucial to handle wallet changes responsibly to prevent potential theft or loss of rewards. 
If your wallet is hacked and you need to change your payment address, you can create a help desk request and provide necessary details for further assistance.", "Q: Can participants, sponsors or others view and manage findings before, during and after a CodeArena contest?\n\nA: Before a CodeArena contest ends, only the participants have access to their individual findings and can manage them through the \"Your Findings\" button on the contest page. Participants are able to edit or withdraw their findings at any time during the contest. It's important to note that any findings not submitted before the end of the contest will not be eligible. \n\nMeanwhile, sponsors do not have access to the findings repo until the contest ends. The submissions are kept private to maintain the contest's integrity, and specific findings should not be discussed until the final report has been posted.\n\nOnce the contest ends, a review process begins which includes sponsor reviews and judge reviews. During this period, findings are confirmed and discussed, but are still kept private from the public and participants. After these reviews, \"Backstage\" wardens are added and get access to the findings for triaging purposes. \n\nFindings may not always make it to the final report, and the reason for that might not be immediately known. Also, a query about a finding's rejection might not be answered until the final report is published. \n\nAfter the review process and final judging, the findings repo becomes publicly available for discussion. However, the specific duration of this period is not mentioned. At this stage, participants can track their report status and view others' findings in the \"Findings\" tab next to the contest description.\n\nFinally, the submissions for a contest can be reviewed by anyone after the final contest report is published. Also, the platform permits viewing of reports from other wardens even after contests have ended. 
But there might be visibility issues in case there is no table with contest results.\n\nPlease note that to check any specific information regarding findings, it's advisable to wait until the reports are published, which usually takes at least a month after the contest ends.", "Question: How does the submission and confirmation process work for audits and reports on CodeArena?\n\nAnswer: When you submit an audit or report on CodeArena, you should receive an email confirmation acknowledging the successful submission of your report. This email is typically sent within a few minutes of submission but can sometimes be delayed. If the submission fails, the form should return an error. You can also check the success of your report submission and review all the reports you've submitted during a competition on the C4 Contest page under the \"Findings\" tab [InsertLinkHere]. If you need to modify your submitted findings, you can do so by direct messaging certain identified individuals or you can revise and resubmit your analysis reports. If you submitted a Certified Warden application, you will also receive feedback via email, including from the email address @provenance.company. However, please note that there have been some inconsistencies in the Certified Warden application and response email documents, which we are continuously working to correct.", "Q: How can I become a Certified Warden at Code4rena, and what is involved in the process?\n\nA: To become a Certified Warden with Code4rena, you must complete an application and undergo a Know Your Customer (KYC) process, which is delegated to Provenance. The certification process involves meeting certain eligibility requirements and may include participation in a certain number of contests and having a certain number of valid findings or reports. \n\nIf you are interested in a backstage role, there are additional criteria to meet. 
The application for becoming a Certified Warden can be made at https://code4rena.com/certified-contributor-application/. More detailed information about the process, requirements, and backstage roles can be found in Code4rena's documentation at the following links: \n- General process and requirements: https://docs.code4rena.com/roles/certified-contributors\n- Specific information on Certified Wardens: https://docs.code4rena.com/roles/wardens/certified-wardens\n- Information on backstage roles: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens\n\nPlease note that the process to access private contests involves becoming a Certified Warden. Once you've completed the process, you can check your acceptance as a Warden on CodeArena's platform. If you have any further questions about becoming a Certified Warden, you can ask directly to Code4rena.", "Question: How can I update or change my payment or wallet address on Code4rena?\n\nAnswer: Users have the ability to update or change their payment or wallet addresses on Code4rena. The platform allows two types of wallets - a login wallet and a payment wallet. The login wallet is set up when creating the account, and the payment wallet can be updated in the profile. To update your payment or wallet address, visit the Manage Account section on your Code4rena account screen at https://code4rena.com/account.\n\nYou can also change the registered wallet (login address) on the platform, instructions for which can be found at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-i-log-in-with. If you want to change the wallet address where you receive awards, you can follow the information provided at https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards.\n\nIn case your wallet is compromised and you need to change your payment address, you can create a help desk request if you logged in via the same wallet. 
You can submit your request through the Help Desk at https://code4rena.com/help. Remember to update your wallet address in your reports moving forward to ensure that the rewards for your report will be distributed to the new address.\n\nIf you receive an unexpected email about updates to your payment address, it's advised to report it as it could be an issue that needs to be checked by the team.\n\nPlease note, it is important to keep your payment addresses updated as wallet addresses used in a finding can be updated after the finding has been submitted and before the reward payout. Always ensure you have access to the keys of your wallet addresses to maintain ownership of your coins.\n", "Question: How can I locate and understand the automated findings in a contest at CodeArena?\n\nAnswer: Automated findings for a contest can be found pinned in the respective contest's channel on Discord. These are generated by a tool that is currently run by CodeArena, known as the C4audit output or Picodes/4naly3er, the link to which is https://github.com/Picodes/4naly3er. Please note that the specific tool used for automated findings is not provided to run locally. \n\nYou can understand these findings better through the submission policy guidelines provided at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues and https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-ineligible. Automated findings are considered to be those that are performed by a robot and are typically classified as known issues outside of the contest\u2019s scope. \n\nThough some users have raised questions about the escalation of issues in the automated findings report, we do not yet have a clear answer. Contest announcements and public results are shared in the #announcements channel on Discord. A proposal has also been made to create an #audit-reports announcements channel where new reports would be published. 
\n\nA note of importance, automated findings are ineligible for rewards. Users can edit their submissions by navigating to the contest page and clicking on the 'Your Findings' button, where they can also add more findings to their gas report. However, the immediate access to the findings repository is limited to Certified+ users.", "Question: Can I edit the format or content of my submitted findings in a contest, and if so, how can I do it?\n\nAnswer: Yes, users are allowed to update the format and content of their findings in a contest. To edit your submitted findings, navigate to the contest page and click on the 'Your Findings' button. This should allow you to modify any submitted findings while the audit is still open. However, please note that there have been discussions about whether findings are editable by the original author, indicating that this function may be subject to change. Also, while you can submit additional findings after an initial submission, please be aware that the submission of analysis along with findings is not mandatory. Participants can also track their report status and view their edited findings in the 'findings' tab next to the contest description. If a finding was deemed invalid, you can still update it in your C4 profile for visibility. Updates can also be made to a QA report by selecting the 'My findings' option. Once the findings are edited, users will be able to see the changes.", "Question: How can I change my profile avatar or update my profile details at Code4Arena (C4)?\n\nAnswer: Users can change their profile avatar or update other account details such as their Twitter username on Code4Arena by submitting a help desk request. To do this, visit https://code4rena.com/help and provide all the necessary information. Please note that change requests for profile avatars and account details are typically addressed within a week. 
Moreover, if you are a warden, you can also edit your profile (including adding profile picture, Twitter handle) via the same help desk link. For any profile-related issues or inquiries, you can also seek assistance in our #profile-help channel. Please be aware that the team usually processes these requests when they return from the weekend. Therefore, if you submit a request towards the end of the week, it is likely to get actioned on the following Monday.\n", "Question: Who can access the findings repository and when does it become publicly accessible in the context of CodeArena's audit process?\n\nAnswer: The findings repository is initially private to maintain confidentiality during the audit process. Only the bots used for transporting findings from mail to the repository can access it during this period, but the findings submitted by a user or their team are visible to them. Certified contributors, including judges and wardens, can see findings immediately upon audit close [link: https://docs.code4rena.com/roles/certified-contributors]. Access to the findings repository for Certified+ users is being considered, but as of the time of the chat, this feature has not been rolled out.\n\nAfter an audit is finished and the judging process is underway, the findings repository remains private. The exact timing for the repository to be made public is not specified, but usually, it happens after the issues have been mitigated and cleared for publication by the sponsors. The report, along with the findings repository, becomes public, allowing users to see the status of their submissions and the reasons for their rejection, if applicable. 
It should be noted that users cannot edit the analysis report directly once the audit is closed, but they can create a help desk request including a secret gist to have edits added to the comments of their analysis report before the audit closes.\n\nPlease remember that the organization's policy is not to discuss findings publicly until the report is published. The reports are published only on the C4 site, with each report title being a link pointing to the report, and having access to the GitHub repository is an additional feature obtained through the backstage role. Also, the possibility of participating in a private audit might be available after confirmation from provenance.", "Question: How is the risk level of trapped or inaccessible funds in smart contracts determined at CodeArena, and what factors influence this classification?\n\nAnswer: The risk level of trapped or inaccessible funds within smart contracts is assessed based on its impact on the protocol and the end-user. This determination is made through a balance of consequence and likelihood, considering the size of potential fund loss and other severe repercussions. \n\nIf the situation is rare and affects an individual end-user, it's typically classified as a medium risk. However, if it locks all assets within a protocol, it's classified as high risk. An example of this is the potential for a ransom attack where an attacker takes ownership of an uninitialized contract and demands a ransom to release it. \n\nOther factors influencing the risk classification include the difficulty of the attack, specific market conditions, or user unawareness. Another crucial element is the assessment of whether the finding causes a direct loss of assets, such as substantial yields or rewards. 
The loss of rewards is considered a \"loss of assets\", and it can be designated as high or medium depending on whether there are external conditions or attack difficulty.\n\nThe severity classification can potentially change for non-defi protocols. Moreover, it is essential to note that high-risk issues typically demand a higher burden of proof, and the vulnerability's verification process may involve proof of concepts and test codes. \n\nFinally, if no high or medium vulnerabilities are found during a contest, the remaining funds are divided based on the QA Report curve. This situation is considered rare since there have been very few contests without high vulnerabilities and no contests without a medium vulnerability. More details about the risk evaluation and rewards for findings can be found in the following links: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs and https://raw.githubusercontent.com/code-423n4/code423n4.com/main/_data/findings/findings.csv.", "Question: What happens if a user doesn't submit an analysis or findings to the contest on CodeArena? \n\nAnswer: The submission of an analysis along with findings is not mandatory for users on CodeArena, so no penalty is exacted for non-submission. However, any findings that are not submitted before the contest ends will not be eligible for consideration. If a user does submit an analysis or findings, they can check their submissions via their Analysis Report. The users can also edit their submitted findings on the contest page under 'your findings'. The participants will receive feedback from a judge if a submitted finding is marked as invalid. It's also worth noting that only the findings submitted by a user or their team will be visible to them until the final report for that contest is made public. 
For further information, please refer to the Analyses Guidelines and FAQ at https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Question: Can I access reports like the Chainlink Staking v0.1 if I have the certified role at CodeArena, or is backstage access also required?\n\nAnswer: While being certified is a crucial first step, you'll also need to obtain backstage access to view reports like the Chainlink Staking v0.1 at CodeArena. The backstage role is granted to certified contributors who meet certain qualifications, including identifying high vulnerabilities and participation in past contests. Backstage access allows users to discuss their findings, observe the report submission and triage process, and access the contest repository post-closure and pre-public report release. More information about the backstage role and its prerequisites can be found on CodeArena's documentation for certified contributors and backstage wardens [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). If you believe you meet the criteria, you can confirm your eligibility by submitting a help desk request via this [link](https://code4rena.com/help).", "Question: I'm having trouble while trying to submit in my browser, what steps should I take to resolve this?\n\nAnswer: We're sorry to hear you're having issues with submitting. There are several things you can try:\n\n1. Refresh the page.\n2. Try using a different browser. There have been reported issues with Firefox and occasionally Chrome, but some users have found success with Opera.\n3. Make sure you have unblocked captcha in your browser, as this can sometimes cause submission errors.\n4. If you're trying to submit from a mobile device and having trouble, you can send your request to submissions@code4rena.com for assistance.\n5. Check if there are any ongoing issues with GitHub, as this can affect the contest submission form.\n6. 
If you're experiencing errors with submission size, there might be a potential size limit on submissions. \n7. Be aware of possible API limitations that might affect the submission process.\n8. If you're experiencing difficulties with the submission form, particularly the \"Create Issue\" button not responding or errors related to the \"Risk rating *\" menu, it might be a known technical issue we're addressing.\n\nIf the problem persists, please submit a help ticket at https://code4rena.com/help. If you're unable to submit a help request through the form, you can forward your request to submissions@code4rena.com. Please be aware that there have been instances of errors when trying to submit help requests, but our team is actively working to resolve them. \n\nAlso, please check https://github.com/code-423n4/code423n4.com/pull/2338, where a potential fix for the submission issue has been proposed. \n\nWe're working hard to iron out these intermittent issues, and we appreciate your patience.", "Question: How does the Certified Warden verification process work with Provenance and when can I expect to receive an email from them?\n\nAnswer: After submitting a Certified Warden application to CodeArena (C4), the application goes through a Know Your Customer (KYC) process that is delegated to Provenance. The initial email from Provenance doesn't have a specific timeframe for delivery, but it may take around 2-3 weeks based on user experiences. The email is sent from compliance@provenance.company or kobus@provenance.company and could possibly appear in your spam folder, so make sure to keep an eye on it. \n\nFollowing the initial email, you can expect to receive feedback and further communications from Provenance within 1-2 business days. The certification status is typically updated within 5 business days by the C4 team. If approved, it can take a few additional days for the Certified Warden role to reflect on your profile. 
\n\nPlease note that there may be inconsistencies in the Certified Warden application and response email, as the documentation has been updated across various instances. If you have not received an expected email from Provenance within these timeframes, it is recommended to reach out to them directly. Also, it is strongly advised to complete the Provenance's Certified Warden process if you are partway through to ensure your application is processed timely.\n\nKeep in mind that this timeline is based on previous user's experiences and may vary. If you have applied and are yet to receive your KYC email, know that some users are in the same situation and your application is likely in queue. Stay patient and keep checking your email for updates.", "Q: I submitted a help desk request a day ago but have not received any response yet. What should I do?\n \nA: Help desk requests at CodeArena are usually reviewed within 1-2 business days, and most issues are typically resolved within 24-48 hours on business days. However, please note that responses are not sent during weekends. If you've submitted a request and haven't received an update within this timeframe, you can follow up on the status of your request. As well, while it's possible you may not receive an email notification, rest assured that the process of submission includes a confirmation that your request has been received. If your issue remains unresolved or you require further assistance, feel free to submit another help desk request at https://code4rena.com/help outlining the issue you're experiencing. Please remember to check your email for responses and updates regarding your help desk request.", "Question: Where can I locate and understand the status of my submitted bug report, particularly if it has been rejected?\n\nAnswer: After you have submitted a bug report, you can view, edit, and check the status of your submission on the site for open contests. 
If your report has been rejected, you can locate it in Github's closed issues at https://github.com/search?q=org%3Acode-423n4+is%3Aissue+label%3Ainvalid. \n\nYou can also view and understand the reasons for the rejection of your bug report once the report is published and the findings repository is made public. This process allows you to understand why a bug was not accepted, which can be useful for improving your future submissions. \n\nExamples of past submissions, both accepted and rejected, can be found at https://code423n4.com/reports. Reviewing these reports can give you an idea of what a high-quality submission looks like. \n\nAdditionally, if you've submitted a bug report for the first time and are unsure about its status, you can check your email for confirmation. If you need to edit your submission or alter the severity of reported bugs after the contest has closed, you can do so either through the PR or by reaching out to one of the judges. \n\nRemember, if your bug report hasn't made the award list, it's likely been rejected. You can confirm this by reviewing the available report. You can also access direct links to rejected (and accepted) issues in multiple .json files located in the /data/ directory of the published repo. \n\nFor more details on our submission policy, please refer to https://docs.code4rena.com/roles/wardens/submission-policy.", "Question: I updated my Github username in my Code4rena profile but need backstage access, which needs to be manually enabled by a Code4rena Github admin. How can I request assistance for this?\n\nAnswer: Any profile changes, such as a Github username update, on Code4rena require a manual backend adjustment by a Code4rena Github admin. In order to request backstage access, you need to be a certified contributor. 
Comprehensive details about becoming a certified contributor, the prerequisites for backstage access, and instructions on how to apply can be found at: https://docs.code4rena.com/roles/certified-contributors.\n\nOnce you are eligible for a backstage role, you can submit a help desk request at https://code4rena.com/help. In your request, please include your warden name and any relevant updates like your new Github username. If you believe you meet the criteria for '+backstage' but are unsure, you can also use the help request to check your eligibility. \n\nKeep in mind that backstage access allows you to read reports on Code4rena and requires access to the GitHub repository, which is granted upon being awarded the backstage role. \n\nThe procedure to gain access to Code4rena's backstage, the benefits, and the link for help desk requests can be found in the document. Be sure to review all the guidelines before making a request.", "Question: Is it acceptable and beneficial to use external resources, such as Notion links, competitor links, or proofs of concept, when submitting findings on CodeArena?\n\nAnswer: Absolutely, you are encouraged to use external resources to provide a thorough and convincing analysis of your findings. This can include Notion links for your analysis report, competitor links as mitigations for issues, and even citing similar findings from other contests to justify the severity and validity of your submissions. However, remember that proof of concept (PoC) is important when reporting potential medium findings or higher. If an issue is too large to be embedded directly in your report, it is acceptable to provide a link towards it. If an issue is extremely obvious, such as a wrong parameter, typo, or code that doesn't compile, it may be considered even without a PoC. 
Overall, we value a rigorous process and thorough work, so feel free to use all necessary means to present your findings as convincingly as possible.", "Question: Can I reference other contests or platforms in my submission report to justify the severity of my findings? \n\nAnswer: Yes, it is permissible to refer to other contests or platforms in your submission reports to justify the severity of your findings. However, it's important to note that CodeArena tends towards a more rigorous judging and QA process than other platforms. Therefore, citing examples from CodeArena itself would generally be more convincing. You can gain insight by comparing your findings with winning reports on our platform, such as the one found [here](https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues).\n\nIn the context of severity classification, a low severity finding in a contest's bot report can be escalated to a high severity. However, submissions based on automated tools must provide strong evidence to demonstrate a relevant High or Medium severity exploit path. More details on this policy can be found [here](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues). \n\nIf a finding is originally submitted as a low in QA report, but judges determine it to be of medium severity, it could be eligible for medium rewards according to [this](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum) policy. \n\nRemember that our judges consider the entire context when judging, and both the quantity and quality of your findings factor into the scoring. 
For additional information and clarification, consider reviewing the official documentation on [Code4rena](https://docs.code4rena.com/).", "Q: How can I access the CodeArena audit reports and what is the process of their publication?\n\nA: Audit reports are published and made accessible solely through the CodeArena (C4) website. However, there can be occasional issues accessing the website. The entire findings repository is also made public and a link to this can be found in each respective report on the C4 website. You can also find a link to the report in the Discord channel when it is published.\n\nPlease note, C4 has a policy of not discussing findings publicly until the report is published, and the findings repository remains private until then. Participants are encouraged to wait for the report to go live, even if they've submitted their findings. We aim to publish both valid and invalid issues when reports are out at Code4rena. It's also important to note that after the leaderboard is shown and rewards are sent, the final report of the contest may not be immediately available on the C4 site. \n\nWe also have a suggestion to create an announcements channel named #audit-reports where a new message is posted whenever a report gets published on the C4 website. You can also find updates in #\ud83d\udce2announcements and the C4 newsletter. \n\nIt's worth mentioning that discussing potential findings with a sponsor over Discord or other private messages does not invalidate the finding. However, be aware that the issues in the published reports might be the same as those initially reported, and the published reports might be a summary of what was submitted by the wardens.\n\nAccess to the GitHub repository is an additional feature obtained through the backstage role. This role also allows you to check the \"C4 output\" for the contest which can be found within an hour of contest opening. 
It includes issues reported, but at the Judge's discretion, reports that look like copy-pastes or use the same underlying risk may be deemed out of scope/already known.\n\nC4 audit reports: https://github.com/code-423n4\nDiscord link for updates: https://discord.com/channels/810916927919620096/810936719003090974/1098620465897021490", "Question: How can I properly include and format GitHub code in my reports, especially capturing file names and line numbers?\n\nAnswer: CodeArena strongly encourages the use of Markdown (MD) format when submitting reports, as it supports the inclusion of code blocks, imagery, and a range of other formatting options. To include GitHub code in your report, you may refer to this guide: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks.\n\nIn the 'Links to Affected Code' section for high or medium findings, you should add the GitHub permalink for the respective code block. When referencing specific parts of the code, it's recommended to include both the URL to the repository with the line number and a code block. Code blocks can be created in Markdown by surrounding your code with three backticks (```) on either side. To apply syntax highlighting to your code block, specify the language immediately after the opening backticks. For instance, for Solidity syntax, you would use ```solidity.\n\nFor users unfamiliar with Markdown, this resource may be helpful: https://markdown-it.github.io/. Remember to choose a tool for writing your report that supports Markdown, such as GitHub, Joplin, VScode, or Notion. 
Lastly, be aware that adding a link to a sponsor's Github repo code in a findings report doesn't automatically pull in that code snippet to the report.", "Question: How can I apply to become a Certified Warden at CodeArena and can I direct message (DM) staff regarding the application?\n\nAnswer: You can apply to become a Certified Warden at CodeArena via this link: https://code4rena.com/certified-contributor-application. The process of becoming a certified warden involves verification and an application. More details about the process can be found at https://docs.code4rena.com/roles/wardens/certified-wardens and https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. After you apply, you will receive feedback via an email from @provenance.company, including the information related to the Know Your Customer (KYC) process. Unfortunately, we don't have a specific timeline for when you will receive the KYC email. \n\nAs for direct messaging, participants can direct message CodeArena staff members. However, please note that most of the Certified Wardens process related questions can be asked directly to Code4rena. \n\nMoreover, once you become a Certified Warden, you are eligible to join the private channel for certified+ wardens on Discord, here is the link: https://discord.com/channels/810916927919620096/810931711609143326/1092556195337863309. This is a workspace where you can assist with various process-related tasks and have access to private audits, as well as backstage access to observe the report submission and triage process. However, there might be other conditions to meet for these privileges. \n\nLastly, there was a question about the possibility of foreigners becoming certified wardens. As of now, all the information we have does not suggest any restrictions based on location or nationality. 
It's also important to note that certified wardens are eligible for payouts, although the eligibility criteria are not elaborated in the observations.", "Question: Can you provide an example of a widely used token that does not use the decimals() function?\n\nAnswer: In terms of ERC-20 tokens, almost every token commonly implements the decimals() function. According to the EIP-20 documentation, the decimals() function is technically valid but optional, meaning that other contracts should not expect these values to be present (https://eips.ethereum.org/EIPS/eip-20). However, it's important to note that while this function might not be used in all tokens, its absence is relatively rare in practice. For example, ZRX is a highly used token that does not revert on failure but just returns false. Not all tokens have the same functionalities, as tokens can vary based on whether they are fee-on-transfer, rebase tokens, or other types. Considering this, there could be a non-zero possibility that a token might not implement the decimals() function. As always, when dealing with tokens and smart contracts, it's crucial to understand the specific features and functionalities of the token you're working with.", "Q: How are duplicate issues handled in CodeArena contests, and how does this affect reward distribution?\n\nA: Duplicate issues in CodeArena contests are determined not by the order of submissions but by the quality of the report. For instance, even if users A, B, and C report the same issue, and B's report is chosen to be included in the final publication, it doesn't necessarily mean that A's and C's are duplicates because they were not first. The judges pick the primary issue based on the best write-up and not on the order of submission.\n\nIf the same vulnerability is discovered in different components of the codebase, it may be considered as separate findings, but ultimately, the judge will decide if they're duplicates. 
If the root cause is the same, they will be considered duplicates. However, only the best report beyond a certain quality threshold will receive a reward. If a duplicate report does not meet this threshold, it might not be eligible for a reward.\n\nMultiple instances of the same issue can also be reported as one if they are related. A single report with all occurrences of the same issue is acceptable. If an issue is labeled as \"primary issue\", it means it is used to cluster duplicates around it. \n\nThe judging criteria for duplicate submissions can be found at the link provided: https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions\n\nLastly, if two people from a team discover the same issue and submit it using different wallets, or if two people submit the same or similar bugs, each instance is awarded a share of one point, depending on the number of duplicates, as part of sybil resistance. This is to encourage high-quality submissions and discourage multiple submissions of the same vulnerability.", "Question: \nHow can I use Foundry to call an internal function in the context of smart contracts?\n\nAnswer: \nDirectly calling internal functions in Foundry is not possible. However, you can write a child contract and use it like wrappers. This would essentially allow you to call the internal function indirectly. \n\nIn the context of Foundry, a child contract is any contract that is created by another contract, often termed as the parent contract. Wrappers are basically functions that are used to call other functions and are used for abstraction and simplification of complex function calls.\n\nIt is worth noting that Foundry is a framework used for writing tests and offers other tools to assist in checking things like storage. Foundry can also be used to fork data from a live network such as a main or test net, and once forked, it runs locally. 
This can be particularly useful for testing scenarios in a local environment, providing an alternative to public testnet.\n\nA useful feature of Foundry is its ability to print local variables that are declared inside a function by using console.log. This is part of the default library that Foundry comes with.\n\nFor more information on how to use Foundry, you may find these YouTube tutorials helpful: \n1. https://www.youtube.com/watch?v=Rp_V7bYiTCM \n2. https://www.youtube.com/watch?v=EHrvD5c93JU\n\nLastly, there seems to be an ongoing discussion about whether it is best practice to prepend all internal functions with an underline and whether the same applies for function parameters. While this might not directly answer your question, you might find the discourse useful in writing your contracts. \n\nAlso, please note that there are reported issues with opcode support in Foundry, so that's something to keep in mind when working on your smart contracts. If you plan on utilizing Foundry alongside Hardhat, a base template can be found at https://github.com/foundry-rs/hardhat-foundry-template. \n\nWhen using Foundry, be sure to familiarize yourself with its features and potential issues. It's a powerful tool but like any software, it has its limitations and potential bugs.", "Question: How can I showcase and reference my code effectively in a report for CodeArena, including line numbers, file names and syntax highlighting?\n\nAnswer: In CodeArena, you can effectively represent your code in a report using a combination of Markdown syntax and certain tools. Markdown syntax can be used to create code blocks for your code snippets. Simply wrap your code on either side with three backticks (```). If you're using Solidity, for example, you can highlight syntax in your code block by typing ```solidity before your code snippet. 
More on creating and highlighting code blocks in MD format can be found [here](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks).\n\nTo display line numbers alongside your code, you can use the VS code extension \"Copy With Line Numbers\" or a tool like 'cloc' to calculate the lines of code. To reference a code file or specific lines of code from GitHub, you can create a direct link by simply clicking on the line of code in question. This changes the URL to represent that specific line. If you need to represent a range of lines, hold down SHIFT while clicking on the lines you need.\n\nWhen showing places of vulnerabilities, it's often a good practice to provide both the direct URL to the GitHub repository with the specific line number and a code block in your report. Participants also discuss whether to leave direct links to the code on GitHub or to refer to a specific file and line number, indicating different ways to reference code in reports.\n\nRemember, the reporting section supports Markdown (MD) format, so you can structure your report accordingly. Also, in high/medium findings, you can add the GitHub permalink for the affected code block in the 'Links to Affected Code' section.\n\nLastly, please note that 'Sloc' or Source Lines of Code refers to the total number of Lines of Code excluding comment lines. This information can be helpful if you want to calculate or refer to the amount of actual code present.\n", "Question: How can I submit a gas optimization report in a contest on CodeArena, and can I include multiple findings in a single report?\n\nAnswer: As per CodeArena's guidelines, you are allowed to submit only one Gas Optimization report per contest. However, this report can include multiple findings related to gas optimization. To include more findings in your report, go to the contest page and click the 'Your Findings' button. 
\n\nWhile compiling your report, it's important to note that some judges may require you to specify how much gas is being saved for each optimization. You can view examples of top QA/Gas reports for previous contests at this link: [https://code4rena.com/reports](https://code4rena.com/reports). \n\nPlease ensure your report doesn't exceed ~65k characters, as this is Github's max character limit for issue descriptions. If your report is larger, you can submit a placeholder and send the report via email to submissions@code423n4.com. More details on this can be found at: [https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form](https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form).\n\nRemember, you have the liberty to submit findings you are unsure about, but if more than three of your reports get rejected in a contest, you will be ineligible for any payout for that competition. \n\nIt's also worth noting that not all contests may require a gas optimization report. For instance, in some contests like the one referred to at [https://code4rena.com/reports/2022-04-dualityfocus](https://code4rena.com/reports/2022-04-dualityfocus), there were no gas optimizations in the final report as there wasn't a gas pool for that particular contest.\n\nBe aware that the criterion for a report to get selected in a contest and the reward distribution for gas optimization varies; you can refer to this example spreadsheet for reference: [https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0](https://docs.google.com/spreadsheets/d/1qTQ7PApFMwpUFikcHHtww7p1oncPLj_y-UY_SZq6qFg/edit#gid=0). 
\n\nLastly, you can edit your submitted gas report findings on the C4 page while the contest is open.", "Question: How can I format my findings reports on the CodeArena platform, and how can I modify them after submission?\n\nAnswer: At CodeArena, we have observed that the Findings Report page does not support HTML tags, hence we encourage users to format their reports in Markdown. Markdown allows for a variety of formatting options, including embedding code snippets in your reports. The detailed guide on using it can be found here: [https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks).\n\nRegarding modifications after submission, there's been discussions about potentially implementing this feature. As of now, users can modify their findings through the \"Your Findings\" button on the contest page. Please note that the access to this feature might be restricted based on your user privileges, like being a part of the \"backstage\" group. However, there has been a request for a feature that allows users to edit their findings more conveniently to reduce the burden on our team handling tickets, and this is under consideration.\n\nIt's worth noting that there have been reported issues with submitting findings, particularly when using Firefox and Chrome due to permalink errors, and with the display of submitted findings under the Escher contest despite successful submission. We are aware of these concerns and are working towards their resolution. \n\nLastly, please note that adding a link to a sponsor's Github repo code in a findings report will not automatically pull in that code snippet to the report. You will need to manually insert these codes using Markdown.", "Question: Are escalated issues in the automated findings report invalid? 
For instance, if an issue in the report such as \"function X needs nonReentrant modifier\" is found to have a reentrancy bug, what happens?\n\nAnswer: Escalating an issue from the automated findings report does not automatically make it invalid. If a lower severity finding in the report is escalated to a higher severity, it's still considered. For instance, if a bot report ranks an issue as low but you escalate it to high, it's not automatically invalid. However, submissions based on automated tools must provide strong evidence demonstrating a relevant High or Medium severity exploit path to be considered satisfactory. \n\nAlso, if an issue is found to be in the same category as a bot report but wasn't included in the report, it can be treated as a valid finding. This applies even if the bug was identified by the bot race but another instance of it wasn't picked by the bots. But if there's a question about the validity of a vulnerability involving an external function with the transfer of ERC20 tokens without reentrancy protection, it might not be eligible for medium or high categorization without a clear explanation of the exploit path. \n\nIn the case of a low-impact Quality Assurance (QA) report potentially becoming a high-impact report, it could be upgraded. However, demonstrating an understanding of how an issue could be exploited is a crucial part of the auditing process. Without such understanding, the job is considered only half-done. \n\nMoreover, if there are the same vulnerabilities on separate functions, they can be reported in one entry. It's also important to note that the severity of an issue does not matter as much as providing a comprehensive explanation of the finding. 
\n\nYou can find more information on our submission policy related to automated findings at https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Question: What is CodeArena's policy for submitting bug reports with varying severity levels and how can I ensure my submissions are high quality?\n\nAnswer: At CodeArena, you can submit more than one bug report per contest, with each report focusing on a specific type and severity of bug. According to our submission policy (https://docs.code4rena.com/roles/wardens/submission-policy), you are encouraged to make separate submissions for high severity and medium/low severity issues. If a single line of code has multiple ways of exploitation, you may report it as one bug or multiple depending on the situation. \n\nYou could also include both high severity and medium/low severity issues in the same report, but primary focus should be given to high severity issues. If you misclassify a bug's severity, the reward will be adjusted accordingly. If a medium severity bug is reassessed as high severity and there's no reason to penalize your report (such as it being incomplete, lacking in detail, or inaccurate), the bug report can be escalated.\n\nWhen submitting bug findings, your reports are expected to be specialized. Quality Assurance (QA) findings and Gas findings should be submitted separately. One big report for gas and one big report for QA is the recommended way to submit. If a bug affects both medium severity and gas findings, it can be reported in both categories. \n\nFor low or non-critical issues, they should be submitted collectively in one QA report. You can submit one combined gas and one combined QA report, and you can edit existing findings if necessary.\n\nWhile you don't necessarily have to propose mitigation steps for a bug, if you choose not to, it's important to include an explanation as to why it can't be feasibly mitigated. 
\n\nTo ensure the quality of your submission, make sure you correctly identify the highest severity impact of the bug, provide evidence to justify the severity and validity chosen, and ensure your report is clear and easy to understand. \n\nIn case two participants submit the same bug, our policy regarding duplicate submissions can be found at https://github.com/code-423n4/code-contests/blob/main/JUDGING_CRITERIA.md#duplicate-submissions.\n\nRemember, quality submissions are preferred over quantity and you can refer to past submissions on our website (https://code423n4.com/reports) to get a sense of what a high-quality submission looks like. \n\nIf you need to escalate the severity of a bug during a contest, you can submit a help request to remove the original submission and then resubmit via code4rena.com/help.", "Q: My wallet was compromised and I had to change my payment address. How should I proceed with Code4rena?\n\nA: If your wallet got compromised and you had to change your payment address, it's important to immediately update your details on Code4arena to prevent any loss of rewards.\n\n1. You can change your wallet address within your user profile on Code4rena. You can find the option to update your payment address in the \"Manage Account\" section.\n\n2. In case you used the compromised wallet to log in, you need to remove the compromised address from your logins. You can do this by generating a new private key for a new wallet and using it for future transactions, as it's safer and can prevent further attacks.\n\n3. If you logged in via the same wallet that got hacked, you should create a help desk request to get assistance from the Code4rena team. You can submit a request through the Help Desk at https://code4rena.com/help/. Wallet address updates are handled through the help desk.\n\n4. 
If rewards were stolen due to the compromised wallet, you can use your new wallet address in future vulnerability reports and the rewards for those reports will be distributed to the new address.\n\n5. If your wallet address was used in a finding, you can update it after the finding has been submitted and before the reward payout by submitting a request through the Help Desk.\n\n6. If you receive any unexpected emails regarding the updating of your payment address, you should report it to the team, as there have been instances of users receiving such emails without their knowledge.\n\nRemember, it's important to secure your wallet and its private key. It has been suggested that bots could have access to new GitHub repos, leading to compromised wallets. It's advised to verify your payout for vulnerability issues by checking the wallet address with which you registered, using polygonscan.com or wallet trackers like debank.com.\n\nFor more details on how to change your wallet address, you can refer to this guide: https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-my-wallet-address", "Q: What are the consequences for submitting incorrect or unsatisfactory M/H submissions on CodeArena? \n\nA: Currently, CodeArena does not impose penalties for submitting incorrect or unsatisfactory M/H findings. However, users are advised to read discussions about grading and awarding, which may include future penalty implementations. In certain competitions, if more than three of your reports are rejected, you will not receive any payout. \n\nIf an M/H submission is incorrectly marked (e.g., a High severity bug turns out to be only Medium), the reward for a Medium bug is still received. 
Similarly, if a Medium severity issue is deemed High by a judge, the submission may get raised to high unless it's incomplete, lacking detail, or inaccurate.\n\nFurthermore, if your submission is marked as invalid, you will receive feedback from a judge and you can query your issue by monitoring the backstage channel for the post-judging stage of the concerned contest. If a correct bug issue is submitted with an incorrect proposed solution, the submission can be updated if the Contest hasn't ended. \n\nIt's worth noting that you should receive an email about your submission whether it is valid or not. If you have concerns or errors with your submission, you can seek assistance from the CodeArena team. \n\nFor more detailed information on submission guidelines and consequences, you can refer to this link: [https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions).", "Q: If there are no significant findings from an audit, is it still possible to submit an analysis report? How should this report be structured and what kind of information can be included?\n\nA: Yes, it is possible to submit an analysis report even if no significant findings have been made. This report can include advice on aspects to consider for future development of the project. Even if you are uncertain about some findings due to lack of specification in documents, you are advised to submit these or direct message the sponsor team for additional context.\n\nIn your report, you could categorize findings into different sections such as mechanism and architecture. Non-critical findings and suggestions for project improvements can be left in the non-critical findings section. Even if a finding could potentially fit into two categories, it's up to your discretion where to categorize it. 
If you come across a vulnerability that's difficult to fix without major changes to the protocol, it can still be reported. Recommendations are appreciated but not mandatory.\n\nIf you notice something that could be a valid finding but are unsure, you don't need to confirm this with the project's developers before submitting; it's up to you as the warden to decide whether to submit it or not. In the case of a low-impact report potentially becoming a high-impact report, you may choose to upgrade the report. However, part of the auditing process involves demonstrating an understanding of how an issue could be exploited.\n\nYour report should ideally include the issue, description, proof of concept (if necessary), and mitigation (if necessary) in a semi-professional format. You do not need to fill the \"Recommended Mitigation Steps\" in the bug template, but doing so can improve the value of the report. A bug report without Proof of Concept (PoC) may be disregarded unless the issue is extremely obvious.\n\nAfter submitting an initial finding, you can also submit additional findings later. If a test lacks coverage of significant functionality, you could list this as a non-critical issue in your report. \n\nFinally, note that the submission of an analysis report is not mandatory. For more guidance on how to submit an Analysis Report, you can refer to the Guidelines and FAQ at: https://code4arena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Question:\nHow can I change my profile details, including the photo, on Code4Arena?\n\nAnswer:\nYou can change your Code4Arena profile details including your photo, username, and the linkage of your C4 handle to a Twitter handle through a help desk request. This includes the ability to change your profile icon on the Code4Arena leaderboard and also update your payment addresses. If you are a certified user, you have the additional advantage of editing your profile. 
\n\nTo submit a request, visit the help desk at [https://code4rena.com/help](https://code4rena.com/help). Provide the necessary details and ensure to include the link to the new photo if you wish to change your profile photo. After your request has been submitted, changes are typically addressed within a week. \n\nPlease note that while you can update your Discord name on the Account Management page of your warden profile, your Discord nickname should remain as your registered C4 username. Lastly, if you wish to change your C4 ID, you would need to re-register, but be aware that your leaderboard status would not follow.\n\nFor further support, you can direct message C4 staff members, or ask for support from the C4 website.", "Question: Are detailed QA reports that expand upon QA bot findings from bot races eligible for QA report rewards, and how are these reports evaluated?\n\nAnswer: No, detailed QA reports that include QA bot findings from bot races are not eligible for QA report rewards, because they share the same root cause. However, it's important to note that all types of accepted reports, from high-level down to gas optimizations, are eligible for payouts, provided that the report is high-quality, the findings are accurate, and there is a working proof of concept.\n\nJudges consider both the quality and quantity of the submissions when grading QA reports, meaning a single item in a QA submission is unlikely to receive a high grade. If a bot race report indicates a low vulnerability with more than two instances, it should be included in the QA report. Furthermore, findings listed in non-winning, unpublished bot-generated reports are still eligible for submission.\n\nBot race participants are rewarded for findings made with AI, but if a bot finds a high or medium finding, it only gets the bot pool reward based on the bot race rank. Bots can only gain more rewards by having more points and shifting the rank cutoffs, thus bumping others to lower ranks. 
On the other hand, if a finding is initially submitted as a low in QA report and the judges determine that it's a medium, it will be eligible for medium rewards.\n\nTo improve your QA reports, you can update them after submission by going to the contest page, clicking on the findings, and editing them. Also, consider that if a low severity finding in a contest's bot report is escalated to a high severity, it is not automatically invalid. However, submissions based on automated tools must provide strong evidence to demonstrate a relevant High or Medium severity exploit path to be considered satisfactory. \n\nFor more information on grading criteria and incentive models, you can check the following links: \n\n- [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n- [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)\n- [Submission Policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues)\n- [QA and Gas Report FAQ](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum)", "Question: What is the protocol if a bot race identifies an issue in the codebase but fails to report all instances of the issue? Can these unreported instances be added to the report as eligible findings?\n\nAnswer: If a bot race identifies a problem but does not report all actual instances of the issue within the codebase, such instances can be included in your report and are eligible for consideration. An issue can be deemed valid even if it was initially identified by a bot race but additional instances of the same issue were not discovered by the bot. \n\nIt's important to note that sometimes bots propose fixes to identified issues, but these fixes may introduce more harmful exploits. 
As such, it's crucial to consider this when evaluating bot-identified issues.\n\nIf a bot race report flags an issue as low vulnerability but multiple instances are found, it should indeed be added to the QA report. If an issue is of the same category as a bot report but wasn't included in the bot report, it can still be considered a valid finding.\n\nHowever, if you escalate a low severity issue identified in a bot report to a high severity one, your submission must provide strong evidence to demonstrate a relevant high or medium severity exploit path to be considered satisfactory. The policy on this matter is further explained at [Link](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nIf the same vulnerability is found in different components of the codebase, it might count as separate findings. But, it's ultimately up to the judge to decide if they're duplicates. Findings from non-winning, unpublished bot-generated reports are still eligible for submission. \n\nWhile submitting a high severity issue, it's recommended to include working code that demonstrates the impact. Failing to do so may result in the issue being downgraded or deemed ineligible for awards.\n\nFor more comprehensive guidance on reporting issues found in multiple parts of the codebase, refer to this [Link](https://discord.com/channels/810916927919620096/810936719003090974/1134472653437145149).\n", "Question: What is the best practice for submitting findings from an audit if I am uncertain about their validity, severity or the process itself?\n\nAnswer: If you come across a finding during an audit and you're unsure about its validity, it's recommended to submit it anyway. CodeArena encourages participants to submit all findings, even those they're uncertain about, as every submission helps the broader community improve. 
Feedback from judges on the findings, including those marked as invalid, can provide valuable insights for learning and improvement. \n\nHowever, if you're unsure about the severity of the finding or whether to submit findings as separate issues or as one, it's recommended to review guidelines, look at how similar issues were judged in the past, and make the clearest case possible in your submission. If you're still uncertain, you can direct message the sponsor team for additional context.\n\nRegarding high-risk findings, their inclusion depends on the specific contest and the judge. It's advised to make a case to the judge in your submission if you believe it should be considered. Citing similar findings from other contests is allowed to justify the severity and validity within submissions.\n\nContest participants need to make a strong case to escalate a known low from the automated findings to a high. There's no negative consequence for accidentally reporting something that turns out not to be an issue, although it is recommended to withdraw such reports to save the judges' time.\n\nIn terms of submission process, you can check the success of your report submission by looking out for an email and the ability to edit submitted findings. If the submission fails, the form should return an error. After submitting a finding, participants can expect a follow-up. To verify if a bug is valid, one suggestion is to write a test for it.\n\nRemember, you do not need to confirm findings with the project's developers before submitting them and discussing potential findings with a sponsor over Discord or other private messages does not invalidate the finding.", "Question: I am encountering issues while trying to update or edit my analysis report on the CodeArena site. What might be the cause and how can I resolve this?\n\nAnswer: Currently, the CodeArena platform does not support the functionality to edit or update an analysis report once it has been submitted. 
This limitation has been acknowledged in the community and our team is actively working to introduce this feature in the future. \n\nIn the meantime, you can view your submitted analyses by checking your Analysis Report and if you're trying to submit a report for the first time and are encountering errors, it may be due to some known intermittent issues with the submission process. If you're seeing something like \"API rate limit exceeded for user ID\", it might be due to the server's API rate limits. Trying to submit the report again after some time usually resolves the issue. \n\nMoreover, some users have reported seeing a purple screen when clicking a dropdown in the submission form, or have had trouble submitting a finding. Trying a page refresh or using a different browser might help in these cases. If you're still having trouble, please submit a help desk request.\n\nYou can find more information, including guidelines for submitting an analysis report, on our FAQ page at https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Question: \n\nAs a user, how can I update or edit my submitted analysis report?\n\nAnswer:\n\nAt the present time, it's not possible to directly update or edit an analysis report after it has been submitted on our platform, as stated in the Guidelines and FAQ (https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118). \n\nHowever, you are able to update your submissions by directly messaging certain identified individuals, if necessary. Also, if there are technical issues with performing tasks, you can send requests to submissions@code4rena.com for assistance. Note that once a contest has ended, no changes to your report submission can be made.\n\nWhile there is currently no official process for updating or resubmitting an analysis report, this is a feature we are planning to implement in the future. 
Keep in mind that there are no notifications sent out regarding updated issues, so it's important to be proactive in checking for updates. \n\nYou can also check the status of your report submission by looking out for an email from us. While we send out submission confirmation emails, please note that there might be delays. \n\nLast but not least, while you can submit findings as a team, the exact process for doing so hasn't been clarified yet. \n\nFor any other queries or concerns, feel free to reach out to us in the chatroom or create a help desk request for status updates.", "Question: Can I discuss potential findings with a sponsor over a private message, like on Discord, without invalidating the finding? What about if there's disagreement over the finding?\n\nAnswer: Yes, you can discuss potential findings with a sponsor over a private message, including platforms like Discord. Doing so will not invalidate the finding based on the conversations observed in our Discord chatroom. If you discover a potential vulnerability and have it confirmed by the sponsor via private messages, depending on the judgement, it may still count when you submit it. \n\nHowever, it is important to note that there may be cases of disagreement over the findings between the user, judge, and sponsor. If a participant points out a bug or logic flaw approved by the judge, it's seen as an achievement. But when it comes to mitigation, if the judge and sponsor disagree with the participant's proposal, the sponsor has the final say.\n\nIf you are unsure about the validity or scope of a finding, it's encouraged to submit it anyway or direct message the sponsor team for additional context. And if there's a disagreement about the scope of a particular issue, you should still report it.\n\nAlso, it's worth noting that specific findings should not be discussed publicly until a report for the contest has been posted. After submitting a finding, you can expect a follow-up. 
Trust in the sponsors is vital and while we discourage public discussion of findings after a contest, there are specific channels where you can ask general questions and sponsors' team members are available for direct messaging.\n\nRemember that all findings during a contest are kept private until the report is published to give sponsors enough time to act on the feedback. If you have any questions or need further clarification, feel free to ask in the designated channels on our Discord or direct message the relevant sponsor team.", "Q: Are findings submitted to CodeArena before the contest deadline publicly available and can I review or edit my own findings without modifying the submission?\n\nA: Once a finding is submitted, it is not immediately made public. Only the findings submitted by you or your team are visible to you until the final report is published. The findings are not shared with anyone, including the project team and judge, until after the contest deadline passes. Submitted findings can be modified as needed until the contest closes. You can edit your submitted findings by navigating to the contest page and clicking on the 'Your Findings' button. \n\nAfter a contest is closed, the findings repository will become publicly available after a certain period of time (though the exact timing is not specified). This is when the findings for an already paid contest are made public, which is when the final report is posted. You can check on your submissions, the success of your report submission, and the reasons for their rejection once the report is published and the findings repository is made public.\n\nAn email confirmation will be sent upon successful submission. You can also track the status of your report and view your findings in the 'findings' tab next to the contest description on the C4 Contest page. \n\nCertified+ wardens have the opportunity to view the findings repository immediately after a contest ends. 
However, general participants are advised to wait for the official report to be published. It's worth noting that bug reports cannot be submitted after the contest has ended, all findings have to be submitted prior to the audit closing. \n\nFor any additional queries or requests to edit a finding, you can raise a helpdesk request with all the relevant information and the proposed update to the finding before the contest closes.", "Question: Can you provide a detailed explanation of the difference between flash minting and flash loans in the context of smart contracts? \n\nAnswer: Flash loans and flash minting have similar uses, but there are key differences between them. Flash loans are a feature of some DeFi protocols that allow you to borrow an asset without collateral, with the stipulation that the loan must be repaid within the same transaction block. This mechanism allows users to take advantage of arbitrage opportunities where they can buy an asset at a lower price in one market and sell it at a higher price in another, all within a single transaction. \n\nOn the other hand, flash minting is a process where a certain amount of token is instantly minted and then burned within the same transaction. This process can be useful in creating certain kinds of financial mechanisms.\n\nIt's the responsibility of the recipient contract of a flash loan to perform any necessary validations to ensure they don't lose any funds by the end of the operation. In the case of flash loans, a good practice is to use a flag to allow or disallow the flash loan, similar to a reentrancy guard, but bear in mind this would incur gas overheads.\n\nFor more insights, you can refer to [FEG token flashloan exploit analysis](https://www.certik.com/resources/blog/w6AxRmf6l2ow4zL884gr8-feg-token-flashloan-exploit-analysis), which provides a detailed explanation of how flash loans work, and various ways they can be exploited. 
\n\nRemember, the roles of a minter or burner in smart contracts are subject to various conditions and are not always related to flash minting or loans. CodeArena conducts audits similar to the Venus protocol (lending, borrowing, etc.) to ensure the security of these operations.\n\nIt's important to understand these concepts to effectively audit smart contracts and ensure their security.", "Q: How can I apply for backstage access at CodeArena?\n\nA: To apply for backstage access at CodeArena, there are several steps you need to take:\n\n1. Become a certified contributor. Details on how to qualify as a certified contributor can be found here: https://docs.code4rena.com/roles/certified-contributors. \n\n2. Meet certain qualifications based on contest results. Participants can apply for backstage access once the contest results are published. These results typically release shortly after the awards are announced. \n\n3. After meeting the qualifications, submit a help desk request for backstage access by visiting https://code4rena.com/help. Make sure to have your status evaluated.\n\nPlease note that a valid high submission or having participated in three contests with either one high or three medium findings is necessary to qualify for backstage access. You can find further details about the requirements here: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.\n\nKeep in mind, however, there may be times when backstage applications are paused, and new applications are not being accepted. When this happens, you should watch for updates from CodeArena to know when applications reopen. Once your request has been reviewed, you will be notified of the outcome.\n\nRemember, if you need assistance with your application, you can always request help through our helpdesk.", "Question: Can you tell me more about the role and quantity of Lookouts in a C4 contest?\n\nAnswer: In a CodeArena (C4) contest, there is typically one Lookout assigned. 
The responsibility of a Lookout is crucial to the smooth functioning of the contest, involving the evaluation of submissions and providing insights on the code. However, the specific identity or information about Lookouts is not disclosed before or during the contest to maintain an unbiased competition environment. \n\nOur platform offers a variety of contest rewards, including the Lookout award. To gain a deeper understanding of the role and the associated reward, you can visit our documentation at https://docs.code4rena.com/roles/certified-contributors/lookouts#lookouts. \n\nIt's also important to note that the quantity and role of Lookouts can vary based on the contest type. For instance, in our \"vs contest\", which is competitive access for a limited number of the highest performing wardens, the structure may be different. \n\nThe final number of participants, including Lookouts, in a contest is revealed only after the contest ends, ensuring maximum fairness and impartiality throughout the competition.", "Question: I've submitted an analysis report and I've noticed that the inline math double-rendered in the preview. Will this affect how my submission appears on GitHub or elsewhere, and could this potentially impact the judging process?\n\nAnswer: From what we've observed in our chat, some users have reported similar issues with Markdown rendering in previews, including problems with inline math and numbered lists. However, this seems to only affect the preview and not the final submission. Your report will be appropriately rendered when viewed on GitHub or other platforms, so it should not impact the judging process. \n\nIt's worth noting that our submission form supports Markdown, and the preview also supports mermaid syntax. 
So you can use these to appropriately format code and embed images in your report.\n\nIf you run into any issues with GitHub affecting your submission, or if your report exceeds Github's max character limit for issue descriptions (around 65k characters), you can email your submission to submissions@code423n4.com. More details about this process can be found at https://docs.code4rena.com/roles/wardens/qa-gas-report-faq#why-is-a-large-gas-or-qa-report-not-successfully-submitting-through-the-contest-submission-form.\n\nKeep in mind that high-quality submissions often include proof of how much gas the refactoring saves, and may reference similar findings from other contests to justify the severity and validity of the submitted issues. Also, remember that the results of submitted bugs to the contests in Code4 are revealed once the report is made public. \n\nLastly, it's worth mentioning that there's been a proposed fix for the submission issue at https://github.com/code-423n4/code423n4.com/pull/2338. Until then, don't worry about the preview rendering issues; they won't affect the final display of your report or the judging process.", "Question: What happens to the rewards for a submission if it is downgraded from medium to QA, or if it is judged differently than the original submission?\n\nAnswer: Rewards for submissions in CodeArena can be adjusted based on the evaluation made by the judges. If a submission is downgraded from medium to Quality Assurance (QA), it will still be rewarded unless it's further downgraded to grade-c. A QA submission will be rewarded based on the QA Report curve. Judges have the authority to downgrade medium issues to QA, or upgrade issues from QA if they believe the severity should be higher. \n\nIt's worth noting that if a finding is submitted as low risk in a QA report but is judged as medium risk, it is eligible for medium rewards. 
This is explained in detail in the [Incentive Model and Awards section](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum) of our documentation. \n\nIssues in the QA report can be downgraded from High/Medium to Low/QA, and these are added to the warden's QA report. The QA and Gas awards are given according to judges\u2019 scores, and duplicates are disregarded. However, downgraded issues need to be paired up with wardens\u2019 QA reports, which can be challenging.\n\nIf a submitted high-risk finding is downgraded to low risk, the submitter will still be rewarded. Similarly, unless there's a reason to penalize a report (such as it being incomplete, lacking detail, or not accurate), a medium report that is deemed high will be raised to high and rewarded accordingly.\n\nIn rare situations where no Medium/High vulnerabilities are found in a contest, the remaining contest funds will be divided based on the QA Report curve. All A graded QA reports receive the same award, regardless of the actual number of Low findings. The reward system is further discussed in our [Judging Criteria documentation](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical).\n \nKeep in mind that judges consider both the quantity and quality of submissions when grading QA reports, and a single item in a QA submission is unlikely to receive a high grade. Despite this, there's a process to review why a submission was not accepted once the report is out and the repo is fully opened. This assures a fair and transparent reward system.", "Question: Can I register multiple accounts as a Certified Contributor on CodeArena, provided I only actively participate with one account?\n\nAnswer: Yes, you can register multiple accounts as a Certified Contributor on CodeArena as long as you only actively participate with one account. 
However, please note that being a Certified Contributor involves a specific application process which you can find detailed at https://docs.code4rena.com/roles/certified-contributors. \n\nBeing a Certified Contributor allows you to participate in any contest, including certified contests, and in some cases, it is a requirement for contest participation and payouts. Additionally, Certified Contributors who meet certain criteria, such as the number of findings and contest participations, can join the backstage to access the contest repo post closure and pre-public release. \n\nAdditionally, you can choose to participate as part of a team in auditing contests using a single wallet during registration, and as a team member, you can also make submissions on behalf of your team or choose to submit solo findings. \n\nRemember, Certified Contributors have done KYC and are bound by an agreement that includes a non-disclosure agreement (NDA). There's also an option to become a Certified+ contributor, the process of which can be found at https://docs.code4rena.com/roles/wardens/certified-wardens#certified+-contributors. \n\nPlease ensure to follow these guidelines to maintain the integrity of the CodeArena community.", "Question: I have a full-time job and might not be able to participate in every certified event. Will this non-participation affect my certified role in CodeArena? \n\nAnswer: No, it will not. Being a certified contributor at CodeArena does not require a full-time commitment nor does it mean you have to participate in every contest. Your certified role is not affected by non-participation in events. However, please note that if you sign up for a contest and do not show up, it could have implications. \n\nRemember, the certification process is primarily about verifying your identity, and it grants you access to more contests, including private ones, to a certain extent. You can still be employed elsewhere and participate in CodeArena as a side project. 
You can also join any contest, including certified contests, once you are certified. \n\nIt's also okay to sign up as a certified contributor with multiple accounts, as long as you only participate with one account. Once you join a team, you are not obligated to always participate as a team. \n\nBeing a certified warden could make you eligible for a judge role and grants you backstage access under certain conditions, like the number of contest participations and valid findings. However, it does not automatically give you backstage access to the judging repository of contests you participated in previously.\n\nIt is important to note that some contests require certification, especially for payouts if any submissions are awarded. But for most audits, being a certified contributor is not necessary. You can check your certified status by clicking on your name to see assigned roles, or via email communication.\n\nIn case your name isn't mentioned in a report, it doesn't affect your future submissions, although it might slightly impact your leaderboard ranking. \n\nIn case of private contests, the eligibility criteria for each contest is listed in #\ud83d\udd96rsvp-certified, and to participate in such contests after certification, you need to RSVP in the same channel and ensure a high position on the leaderboards from the last 90 days.\n\nCertification is granted by provenance and once approved, it takes a few days for the role to reflect on your profile. You will be updated about the status of the certification process via email. Lastly, remember that sponsors may also influence contest schedules.", "Question: Can a judge also serve as a lookout in a CodeArena contest?\n\nAnswer: Yes, a judge could potentially serve as a lookout, although this is not typically the case. At CodeArena, we aim to maintain bias-free competitions, and therefore, the identities of judges or lookouts are not disclosed before or during the contest. 
In order to ensure a fair, unbiased environment, the judges for a contest, including high-profile ones such as the Aragon contest, are not known ahead of time and cannot be contacted by participants. \n\nJudges are chosen carefully based on their experience and reputation, and their decisions on a contest are only shared after it concludes. Also, please note that if a judge cannot complete their work in a timely fashion, the contest is reassigned to another judge. \n\nDespite this, wardens have the ability to view the judging results before they are published and raise any concerns to the judge for reconsideration. However, we maintain strict confidentiality about the findings to other wardens, with visibility only to CodeArena staff, sponsors, and the judging team for the contest.\n\nThe contest pot size, which includes a judging pot, depends in part on the number of lines, and it's up to the judge to decide on the details of the award distribution. Since the judge has the authority to mark an issue to have a higher or lower risk than the proposed risk by wardens, participants are advised to make a case to the judge in their submission if they believe a high-risk finding should be considered. \n\nLastly, it's important to note that judges' comments on contest submissions may be visible, but it is purely based on the specific contest. For more insights, refer to the Asymmetry contest page at https://code4rena.com/contests/2023-03-asymmetry-contest.\n\nWhile our estimated number of judges at C4 is around 10, with around 5 lookouts, roles may vary. Queries about whether judge payment and lookout/scout payment are included in leaderboard ranking calculations and other specifics can be addressed to CodeArena directly. 
However, once the contest payouts have been sent, the outcome cannot be changed, although overlooked issues can be flagged to the judge and sponsor for future reference.", "Question: What is the process and obligations for a Warden when they receive a private invite for a solo audit on the CodeArena platform?\n\nAnswer: When a Warden receives a private invite for a solo audit, the first requirement is that they should be certified. Certification allows wardens to participate in private contests, although there may be additional conditions to fulfill. More details about becoming a Certified Warden can be found here: https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZeb9UME_vA8G0Yqa6TYvpSdEM0.\n\nThe types of audits available include public, private (where certification is generally sufficient), and invitational ones where only select wardens are invited. It is also worth mentioning that there is a professional conduct guideline for certified wardens that mandates all findings to be treated as private and confidential until the contest report is made public. More information can be found here: https://docs.code4rena.com/roles/wardens/certified-wardens#certified-warden-professional-conduct-guidelines.\n\nParticipation in private audit contests may not be limited only to top-ranking wardens. The eligibility criteria for each opportunity are listed in the #\ud83d\udd96rsvp-certified channel.\n\nLastly, all Wardens should be aware that their emails and GitHub usernames will not be publicly listed by CodeArena. However, they will be part of a permissions group/team on GitHub to grant them access to private repositories. 
It's up to individual users if they want to make their membership on these private teams public.\n", "Question: What can I do if I've made a typo or error in my submission for a contest on Code4rena, and the contest hasn't ended yet?\n\nAnswer: If you have made a typo or error in your submission for a contest that is still ongoing, you are able to edit your submission. To do so, navigate to the contest page and click on the \"Your Findings\" button. Here, you can edit your submitted findings. For example, if you have submitted for the Ethos Reserve contest, you would go to this page: https://code4rena.com/contests/2023-02-ethos-reserve-contest. \n\nAdditionally, if you've submitted a bug severity that needs to be increased, or if you've found another error after submission, you can submit a help request to remove the original submission and then resubmit. This can be done via https://code4rena.com/help/. \n\nIn some cases, for example, if you've accidentally submitted to the wrong contest, you can fill out a form to let the Code4rena staff know about the incorrect submissions and then resubmit to the correct contest. \n\nPlease note that it's only possible to edit submissions for ongoing contests. Once a contest has ended, you cannot edit your submissions. If you experience any issues while editing your submission, feel free to reach out to the platform support team.", "Question: Where can I find updates on upcoming contests for non-KYC participants and what do I need to know about participating in such contests? \n\nAnswer: You can find updates on upcoming contests for non-KYC participants on the #\u270brsvp channel. It's important to note that most contests do not require KYC (Know Your Customer) certification, and if a contest does require it, it will be explicitly stated. However, please be aware that there may be upcoming contests that might not have been updated on the specific channels yet. 
If you win a prize but are unable to claim it due to KYC issues, it is currently unclear whether the prize will be on hold until KYC is completed or if it's forfeited. Additionally, please note that the completion of KYC doesn't grant automatic access to private contests. Certain private contests may not be accessible if they have already been assigned, regardless of your KYC status. For more information on KYC and contests, you can visit https://docs.code4rena.com/roles/certified-contributors.", "Question: Can you explain what is meant by the term 'reasonBytes' and its role in evaluating smart contracts?\n\nAnswer: The term 'reasonBytes' typically refers to the reason a transaction failed or was reverted in the context of Ethereum smart contracts. When analyzing a transaction, if the Ethereum Virtual Machine (EVM) reverts with Out Of Gas (OOG), you might get a '0x' against reasonBytes. \n\nHowever, it's important to note that a 'bytes' variable in Solidity is an array of bytes32, not just 32 bytes. One byte consists of 8 bits. For example, 'address' which can be casted to 'bytes20' is 160 bits, and 'uint256' is 32 bytes. Each slot in the EVM is 32 bytes, and any extra space in an address field is filled with left padding filled with zeroes. When a string exceeds size byte32, reaching 33 bytes, with one byte per character, it becomes a string and another word is added for the length. \n\nCharacters such as emojis or any non-ASCII character may require more than one byte. 
It's also important to remember that a function can run out of gas if the input is large enough, a common solution is to have a start offset and a maximum length to process it in batches.\n\nIn the context of a transaction, the reason for the transaction being reverted can often be found from the decompiled bytecode as seen here: https://snowtrace.io/tx/0x0806bc0a28e4d808ac4dba25997e4b68b40595e003adbaa758ce4894ee20e15a.\n\nMore information about the 'bytes' type in Solidity can be found here: https://docs.soliditylang.org/en/v0.5.12/types.html#dynamically-sized-byte-array.", "Question: Who can participate in upcoming Chainlink contests on Code4rena and what is the process for receiving rewards?\n\nAnswer: Chainlink contests on Code4rena are open to all participants. However, to be eligible for rewards, participants are required to become certified, which includes successfully completing Know Your Customer (KYC) procedures. This certification can be done either before submitting the contest entry or after the contest ends but before the payout. Note that all team members participating in the contest must undergo the KYC verification. Once certified, participants can compete in all kinds of contests, including public ones like the Frankencoin contest or private ones, the details of which will be shared as they are announced. Contest details are usually posted in the #\u270brsvp channel for wardens to decide on participation. It's important to note that some contests may have specific requirements, such as those not allowing the use of bots not registered in the Chainlink protocol. As a participant, you can freely ask questions and engage in open discussions about the contests. You can also view all submissions after a contest, provided you have the backstage role. 
More information can be found on our website, for example, this link covers the details of an upcoming contest - https://code4rena.com/contests/2023-04-party-protocol-versus-contest.", "Question: Can you provide a detailed explanation of the try-catch functionality in Solidity 0.6, including aspects related to syntax, gas efficiency, and error handling?\n\nAnswer: The try-catch functionality in Solidity 0.6 allows you to handle failed external function calls more gracefully. The mechanism works such that if the callback function reverts due to an error that fits within the gas limit, you'll receive the error message. However, if the callback function reverts due to running out of gas or if the error message is too large to pass back given the gas limit, you'll receive an out-of-gas error.\n\nYou can find a detailed analysis of this new functionality at https://forum.openzeppelin.com/t/a-brief-analysis-of-the-new-try-catch-functionality-in-solidity-0-6/2564. It's important to note that the gas efficiency of error handling in Solidity can be improved by using custom errors as opposed to require statements with a string. Custom errors save approximately 50 gas each time they're hit by avoiding having to allocate and store the revert string. You can learn more about this here: https://gist.github.com/IllIllI000/ad1bd0d29a0101b25e57c293b4b0c746 and here: https://blog.soliditylang.org/2021/04/21/custom-errors/#errors-in-depth.\n\nWhile Solidity's try-catch functionality helps manage errors during the execution of smart contracts, it's vital to ensure the validity of accounts before making calls on them. For further resources on Solidity 0.6 syntax and programming, you can check out https://solidity-by-example.org/0.6 and https://docs.soliditylang.org/en/v0.7.5/.\n\nFurthermore, when constructing smart contracts, a keen understanding of syntax and error handling, as well as mitigation strategies against potential issues such as unbounded loops, is important. 
For an exploration of these topics, see https://blog.b9lab.com/getting-loopy-with-solidity-1d51794622ad. \n\nSolidity's functionality can sometimes be challenging to grasp fully, particularly for complex systems and functions. If you encounter any difficulties or have further questions, CodeArena's community is always open to assist.", "Question: How can I participate in the Certora audits or contests at CodeArena?\n\nAnswer: To participate in Certora audits or contests, you must first become a certified warden. The certification process includes completion of the certification process with ProvenanceDAO and participation in more than three contests. Once you're certified, you have the ability to participate in any contest, including those specifically for certified wardens such as the \"FV contest\", which is usually judged by Certora. \n\nThe status of these contests might not be visualized regularly due to the different working mechanisms, but there are participation rewards for these formal verification contests. Also, remember that some contests or audits may require you to complete a Know Your Customer (KYC) form to receive prizes. \n\nTo get certified, you can apply at [here](https://docs.code4rena.com/roles/certified-contributors) and to participate in restricted audits, apply [here](https://medium.com/code4rena/new-to-code4rena-test-coverage-c548645404f9). \n\nAfter completing the certification, you'll gain backstage access, which allows you to discuss your findings. CodeArena is also planning to phase in certified+ post-contest \"triage swarm\" for increased collaboration among larger groups. \n\nLastly, please note that all bugs during a contest will be judged by a CodeArena judge and the rules will be judged by Certora.", "Question: How can I better understand and calculate the gas cost of a contract, and how do errors and gas limits impact this?\n\nAnswer: When a smart contract is executed, it consumes gas, a unit of computation effort in Ethereum. 
Understanding and calculating the gas cost of a contract can be complex, but there are resources available to support this.\n\nPrimarily, the gas cost of a contract depends on the complexity of the operations it performs. If the contract performs a lot of computations or stores a lot of data, it will require more gas.\n\nWhen it comes to error handling, if a callback in the contract reverts due to an error that is small enough, you'll receive the specific error message. However, if the callback reverts because it runs out of gas, you'll get an out of gas error. Moreover, if the error message is too large to pass back given the gas limit, you'll also get an out of gas error. Understanding this can be helpful in optimizing the gas usage of your contract.\n\nFor more details and examples of this, you can visit this link: [https://blog.theredguild.org/catch-me-if-you-can/](https://blog.theredguild.org/catch-me-if-you-can/)\n\nFurthermore, the CodeArena community regularly discusses topics like this and you can find many useful insights from these discussions. For instance, there may be discussions about how to calculate the optimal amount of tokens using the automated market maker's (AMM) price formula, which can be useful in understanding how to optimize a contract's gas usage.\n\nAdditionally, there are bounty programs such as the CodeArena contests where you can earn rewards for performing advanced analysis on contracts, including optimizing gas usages. Guidelines for these contests can be found here: [https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118](https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118)\n\nLastly, if you're interested in delving deeper into smart contract security and Solidity programming, resources like [Smart Contract Programmer](https://www.youtube.com/@smartcontractprogrammer) on YouTube provide valuable learning materials. 
\n\nRemember, cost optimization is a key aspect when it comes to smart contract auditing. It's always a good idea to ask for clarification from the community if you're uncertain about anything.", "Question: What factors influence the scheduling and frequency of contests at CodeArena (C4)?\n\nAnswer: The scheduling and frequency of contests at CodeArena are influenced by a variety of factors, primarily based around the timing and specific needs of our customers or sponsors. Contests can fluctuate in number, and there can occasionally be gaps where no live contests are running. It is also common for a pause in contests to occur around significant conferences. \n\nThe possibility of running multiple contests simultaneously is explored, with aspirations mentioned of handling up to 20 contests a week. However, C4 typically does not operate on weekends, therefore, scheduling of contests usually occurs during weekdays. \n\nMoreover, the order in which the contests are processed signifies the order of contest progression. If a contest that was previously in the upcoming contest section is not shown in the live contest section, it might be due to the fact that the contests are not yet updated on the specific channels. \n\nAudience or community members can inquire about the progress and schedule of final reports, but the final decision on scheduling lies with the sponsors. Sponsors can also contribute to contest delays and in addition, high issue counts or limited judge availability may lead to a backlog in contests. \n\nPlease note that other variables that may affect the completion of a contest such as the adjustment of the prize pool and the offer for judging compensation are not always visible to all participants. Our team is continuously working on improving the scheduling process, and we appreciate your understanding and patience. 
For more information, please visit our website: [Insert website link].", "Q: If I have a question about a past project, specifically Ajna finding which was classified as solo high risk and can be found at https://github.com/code-423n4/2023-05-ajna-findings/issues/329. The sponsor disputed too late after the distribution of rewards. Is this subject for refund, deducted in future earnings, or is there no return at all and we treat the result as final?\n\nA: After the contest payouts have been distributed, the outcome is generally treated as final. However, any overlooked issues can still be flagged to the judge and sponsor. It's worth noting that the reward distribution does not occur immediately after the reward computation due to the involved sponsors' time. In case of a dispute, if the participant points out a judge-approved bug or logic flaw, it's considered an achievement. The sponsor's decision is final on the mitigation part. If a finding is disputed by the sponsor as 'won't fix', but is a valid one, it will still get rewarded. As in your case, if the sponsor disputes late after the distribution of the rewards, the most likely scenario is treating the result as final with no deductions in future earnings or refunds. The reward distribution timeline or any delays can often be due to slow sponsor review. For more specific details about a contest's rules and process, you can review the contest documentation or reach out to the contest sponsor.", "Question: How can I participate in a Chainlink contest and ensure I receive my payout?\n\nAnswer: To participate in a Chainlink contest, you can register and submit your contributions without initial certification or KYC (Know Your Customer) verification. However, in order to be eligible for rewards, you are required to complete the KYC process and become certified. This can be done after the contest ends but must be completed before submitting for some contests. 
The certification process involves filling out the form at https://code4rena.com/certified-contributor-application and going through an ID verification process run on behalf of CodeArena by Provenance. This process can be started within 48 hours of the contest and upon completion, if your submission is awarded, the payout will be sent to your registered wallet address. Please note that the payout distribution takes place by the end of a specified week after the contest ends. You can check the announcement channel for updates on distribution. It's important to note that some contests may require KYC or certification for participation, and this will be stated in the contest rules. For more information on the process, please visit https://docs.code4rena.com/roles/certified-contributors and for information on judging and payout timelines, please visit https://docs.code4rena.com/structure/our-process.\n", "Q: How can I access and view reports, like the one for Chainlink's past contest, and other information about past and upcoming contests on CodeArena?\n\nA: To access reports for past contests, including Chainlink's past contest, you need to have the backstage role. More about this role and how to acquire it can be found on our official documentation at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. Once you have the backstage role, you can view the reports at https://code4rena.com/reports. \n\nApart from the reports, you can also view the results of past contests, leaderboard updates, and details of issues reported at the same link. If you are a beginner, it's recommended to start with reports from smaller bounty contests which have smaller codebase sizes and less complexity. \n\nInformation on judging and payout timelines after a contest ends can be found at https://docs.code4rena.com/structure/our-process. If you have issues related to rewards distribution, you can submit a Help Desk request through this link: https://code4rena.com/help/. 
\n\nDetails of upcoming contests can be found at https://code4rena.com/contests. This page contains valuable information and links to all open competitions. You can also check whether your submissions were accepted by visiting https://code4rena.com/reports. \n\nFor more in-depth information on how audit contests work at Code4rena, you can visit our official documentation at https://docs.code4rena.com/.\n", "Question: Can you provide more detailed information about the address type length in Ethereum and the Solidity language?\n\nAnswer: In Ethereum and the Solidity language, the address type length is 20 bytes. This is equivalent to 160 bits, since one byte consists of 8 bits. An address can be casted to \"bytes20\" in Solidity. \n\nAddress variables are stored in the Ethereum Virtual Machine (EVM) which uses 32-byte slots. If an address variable doesn't fill the whole slot, the remaining space is filled with left padding filled with zeroes. \n\nWhen interacting with the address type, certain practices are recommended for safety and efficiency. For instance, a two-step change process with critical addresses is considered safer and better practice than a one-step change, as it can help prevent errors such as passing in the wrong address. Also, Solidity stores state variables in 32 bytes storage slots, and multiple variables can potentially be packed into a single slot if they are declared next to each other, which can reduce gas costs. \n\nThe architecture of the EVM and the way it handles address type length does not affect the performance overhead regardless of the size due to its constant complexity. \n\nWhen it comes to checking for account existence, considered methods include the use of OpenZeppelin's Address library and checking the length of the account's code. \n\nFor further reading and understanding about encoding the address values, you may refer to an issue discussed on our GitHub page at https://github.com/code-423n4/2022-03-maple-findings/issues/16. 
Other relevant resources include information about how Solidity handles storage layout: https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html and details about dynamically-sized byte arrays in Solidity: https://docs.soliditylang.org/en/v0.5.12/types.html#dynamically-sized-byte-array.\n\nPlease note that this explanation is technical in nature and understanding it might require familiarity with the Ethereum and Solidity language fundamentals.", "Q: How can I update or alter my Discord username in my CodeArena account, and what are the implications of this action?\n\nA: If you've changed your Discord username, it's recommended to update it in your CodeArena account. This is crucial as it ensures you can be tagged in for any award announcements. However, it's important to note that your updated Discord username does not affect your ability to receive awards.\n\nTo change your username, you would need to re-register on CodeArena. You can update your Discord name on the Account Management page of your warden profile. However, it\u2019s necessary for your Discord nickname to remain as your registered C4 username.\n\nIf you encounter any issues or need help with updating your Discord username or connecting your Discord account with your CodeArena account, you can reach out for help at https://code4rena.com/help or in the #auth-help channel on our Discord server.\n\nPlease note that the Discord update might ask you to use your name without the discriminator. This could potentially affect your warden role. In such cases, you need to update your new Discord handle in your profile on the site. Remember, in Code4Arena, your user's profile name should match your name in the chat.\n\nOverall, maintaining consistency between your Discord and CodeArena usernames helps streamline communication and recognition within the CodeArena community.", "Question: Can a single issue submitted in a QA report be upgraded to QA grade-A? 
What factors influence the grading of QA reports?\n\nAnswer: Yes, a single issue submitted as part of the Quality Assurance (QA) report can potentially be graded as QA grade-A. However, it is important to note that the grading process considers both the quantity and quality of the submitted issues. Although you can submit only one issue in your QA report, you have the option to edit your existing submission if you find another error. \n\nThe severity of an issue can be categorized as high, medium, or QA, and this categorization could impact your grade. Judges have the authority to downgrade or upgrade the severity of the issues you report. For example, if you submit a finding as part of your QA report, but the judges determine that its severity should be higher (medium or high), the issue can be upgraded. Likewise, if you submit an issue as high severity but it's downgraded to medium by a judge, it doesn't necessarily invalidate your submission. \n\nThe number of issues in your QA report does not directly determine your grade. A report could include one highly impactful issue and receive a high grade or multiple low-impact issues and receive a lower grade. It's worth noting that incorrect findings in a QA report can negatively affect your grade, and obsolete code could potentially be considered a QA issue.\n\nGrades are given according to judges\u2019 scores and duplicates are disregarded. If a low issue/non-critical (QA) bug that also reduces gas is discovered, it should be included in the QA category and mention the gas savings. If the issue is only related to gas savings, it could be downgraded from QA to Gas.\n\nIn the unlikely event that no high or medium issues are found in a contest, the entire rewards may be allocated to QA. All A-graded QA reports receive the same award, regardless of the number of low findings. 
However, participants with a grade-B in QA are still eligible for awards.\n\nFor further information on the subject, you're encouraged to explore these resources: [Judging Criteria](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports).", "Question: I've submitted my documentation for smart contract audit and haven't received a confirmation email yet. What could be the potential reasons and what should I do next?\n\nAnswer: There could be several reasons why you haven't received a confirmation email yet. One reason could be a delay in reviewing your submission, as it sometimes takes time for these to be processed. Also, the confirmation email might have ended up in your spam folder - we've had instances of this happening. You should check your spam folder to see if the confirmation email is there. You can also check the status of your submission by looking for the ability to edit submitted findings. \n\nIf you have done all these and still have not received an email, you may want to open a help desk request at [https://code4rena.com/help/](https://code4rena.com/help/). The help desk will confirm receipt of your request, so rest assured that your inquiry will be attended to. \n\nPlease remember that once your submission has been reviewed and approved, you should expect to receive an email from us. If the submission fails, the form should return an error. Also, keep in mind, the approval of a Provenance application may involve an ID and address verification process, so it's essential to ensure that all your submitted documentation is accurate.\n\nFinally, please note that it's not customary to contact judges directly regarding submissions. 
If you have any further questions or issues, feel free to reach out to us via the help desk.", "Question: How can I effectively communicate with the C4 team to inform them that I am raising a query or submitting a finding on behalf of my team and not as an individual participant?\n\nAnswer: CodeArena encourages clear communication and you have various options to let the C4 team know about your team's involvement. \n\n- If there's an existing discussion thread, you can respond in there or reply to the RSVP indicating you are representing your team. \n- You can direct message the C4 staff members. \n- You can also create a Help Desk request at https://code4rena.com/help, clearly stating your situation and providing as many details as possible. \n\nRemember, team members can make submissions on behalf of their teams, and they can choose whether to use their solo handle or team handle for submitting a finding. If there are any changes to your team membership or if your team is facing any issues, these can be addressed by opening a help desk request as well.", "Question: What is the preferred method for pasting and formatting code when submitting issues at CodeArena?\n\nAnswer: When submitting issues at CodeArena, code can be pasted and formatted using Markdown. The submission form on Code4rena accepts Markdown for formatting the text, and this can be used to embed code in your reports, and even in issue titles. You can use a tool like this one: https://marketplace.visualstudio.com/items?itemName=yassh.copy-with-line-numbers, or create your issue in Notion, format it there, and then copy-paste the formatted text to maintain necessary markdown formatting. \n\nIf your submission involves multiple lines of code, you could consider sending a git patch or a PR to the repo. For report submissions, paste your report in the Vulnerability details section in .md format. 
If your report involves specific types of code like Solidity, CodeArena provides a method to format the code to enhance its readability. \n\nAfter you submit your first issue, you can find an ID at the end of the URL (which is your GitHub issue ID) and you can edit your submission if necessary. If you want to link separate submissions, you can do so by referring to its number on the \"your findings\" page. \n\nIn case you encounter any issues while submitting, you may submit a help ticket at https://code4rena.com/help. If you have a proof of concept for each bug, it can be either added directly under 'Proof of concept' or linked to a private Github repository, the choice largely depends on the length of the code. For more details, check the submission policy at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept. \n\nPlease note, we do not have any specific guidance on whether judges prefer the inclusion of line numbers in code snippets for h/m issues.\n", "Question: I've submitted my Know Your Customer (KYC) application with Provenance, and it's been over a week without getting a response. What should I expect, how long does this process usually take, and what can I do if I don't receive any reply?\n\nAnswer: The time for receiving a response to a KYC request through Provenance can vary. For some users, it takes about a week, but it can sometimes take 2-3 weeks or even longer. A few factors can influence this timeline. After submitting your KYC application to become a Certified Warden, Provenance typically sends the KYC mail within one business day. However, the completion of the KYC process, which involves a back and forth between you and Provenance, can take a week or more. Once you've received and complied with the KYC mail from Provenance, there's another 48-hour deadline for a response.\n\nTo ensure you haven't missed their email, it's essential to check your spam folder. 
Look for an email from \"compliance@provenance.company\". If you've not received a communication within five business days of submitting your KYC request, you can raise a help request through the form on Code4rena's website at https://code4rena.com/help. \n\nOnce your KYC is approved by Provenance, there is a further processing period on Code4rena's end to assign your role. If there's no response after a few days, feel free to open a help desk request on our website. Remember, KYC is a complex process and delays can happen, so your patience is appreciated.", "Question: What impacts do changes to my Discord username or wallet address on CodeArena (C4) have on my rewards and account status?\n \nAnswer: Changing your Discord username or wallet address on CodeArena does not directly affect your ability to receive rewards. However, it might affect our ability to tag you in the award announcement if your Discord username is not updated in your CodeArena account. Payouts to participants are linked to the Discord usernames and specific wallet addresses associated with their accounts at the time that awards are calculated for an audit. If you change your wallet address, you may need to update it in your CodeArena account to ensure that rewards are distributed to the correct location. You can do this by using the new wallet address in your reports going forward.\n\nWhen changing your Discord username, it is important to update it on the Account Management page of your warden profile to avoid discrepancies. Please remember your Discord nickname should remain as your registered C4 username. If you decide to change your username, you will need to create a new registration/discord handle and start over with the new name, especially if you have leaderboard status. The same applies if you are considering changing your nickname by registering another account with the same email or Github address. 
This is because your statuses won't carry over to the new account.\n\nIf you have any further questions or issues with updating your Discord username or wallet address, it is advised to submit these questions via the Help Desk for the developer team review. For more information about changing wallet addresses where rewards are received, visit https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards.\n\nThe reported findings that were rewarded can be viewed at https://discord.com/channels/810916927919620096/1095308824354758696/1130212982094299246. We also encourage you to check the announcement channel for updates on distribution.", "Question: Are private audit contests and #\ud83d\udd96rsvp-certified opportunities accessible to teams or are they exclusive to solo wardens? \n\nAnswer: Private audit contests and #\ud83d\udd96rsvp-certified opportunities are open to both teams and solo wardens, given they meet the eligibility criteria. For teams to be considered, they must be completely certified and meet the qualifications of the specific audit. Details of the contests including eligibility criteria, are available in the #\ud83d\udd96rsvp-certified channel. It's essential to note that certain contests may be exclusively open to certified wardens or those who participated in the original audit.\n\nThere's also a specific contest type called \"vs contest\" which involves only three wardens and follows an RSVP process. The highest performing wardens are given priority in these contests. However, wardens must be certified to take part. \n\nFor those who are new or interested in becoming a warden, the certification process and contribution information can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. 
Wardens can participate as individuals or as part of a team in code contests, and the method of registering a team can be found at https://docs.code4rena.com/roles/wardens#registering-a-team. \n\nPlease note that high-ranked teams are eligible to compete in invitation audits that prioritize the highest-ranked wardens. Also, keep in mind that participation in test-coverage is currently open only to certified wardens, and more information on this can be found at https://medium.com/code4rena/new-to-code4rena-test-coverage-c548645404f9. \n\nOnce certified, wardens have access to a private channel for certified+ wardens, which serves as a workspace for the various processes they assist with. Private contest participation is to a certain extent allowed for certified wardens, and for certain contests like PolynomialFi contest, all team members need to be certified wardens. Remember that the privacy of all wardens is respected, and emails or GitHub usernames are not listed publicly, but wardens may be part of a permissions group on GitHub for access to private repositories.", "Question: What is the process to get backstage access on Code4Rena's Github and how can I check if I've been added to the group?\n\nAnswer: To gain backstage access at Code4Rena, you must first be a certified contributor as detailed here: https://docs.code4rena.com/roles/certified-contributors. Once you meet this criterion, you can then request backstage access by submitting a help desk request. Detailed information on this process can be found on our website at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. \n\nAfter you've submitted your request, it will be reviewed and you will be notified of the outcome. Please be aware that any changes to your Code4Rena profile, such as a Github username update, will require manual updating to your backstage access by Code4Rena Github admin. 
\n\nOnce you have backstage access, you will be able to view reports on Code4rena, and gain access to the GitHub repository and other additional features. It's important to know that backstage access is a privilege, and access to certain resources, such as the findings page, is restricted to users in the \"backstage\" group.\n\nTo check if you've been added to the backstage group after your request has been reviewed and approved, please check your GitHub invites.", "Question: What is the process for KYC verification in contests and audits, and when is this required to receive bounties or rewards with CodeArena?\n\nAnswer: At CodeArena, participation in most contests and receiving payouts does not require KYC (Know Your Customer) verification or certification. However, some activities, such as specific audits or contests like the Chainlink contest and the Base audit, do require KYC verification. When required, this will be explicitly stated in the relevant channels like #\u270brsvp or the audit channel. \n\nTo become KYC verified, you need to apply for certification as a Certified Contributor on our platform. This process involves providing some personal identification information, which can be started at this link: https://docs.code4rena.com/roles/certified-contributors. Once the verification is complete, you will receive a notification from Provenance. \n\nIf you're part of a team participating in an audit, all members of the team should undergo KYC verification for the team to qualify for payment. Certification is also required to participate in private contests or to access the contest repo post-closure and pre-public report release as a backstage member. \n\nHowever, it's important to note that you can still submit reports without being certified, but certification is needed to receive certain rewards. 
Some individuals have raised concerns about the potential anonymity of users in cybersecurity spaces and on the bounty leaderboard, which are addressed under our certification process. For more details about this process and its requirements, please refer to our guide at this link: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.", "Question: How does CodeArena handle instances where two different vulnerabilities originate from the same root cause?\n\nAnswer: At CodeArena, vulnerabilities that stem from the same root cause are generally considered as duplicates, regardless of whether they can be exploited differently or if they are found in separate components of the codebase. This approach is maintained to avoid the duplication of issues and to ensure a fair process. However, there are certain exceptions and nuances. \n\nFor instance, if two separate vulnerabilities can be combined to yield a more powerful exploit, a third finding explaining the proof of concept can be submitted. If a single line of code has multiple ways of exploitation, there may be a question of whether it should be reported as one bug or multiple, with priority often given to the most impactful. Also, if fixing the root cause does not resolve the issues completely, meaning one of them still persists, the situation may be treated differently. \n\nWhen the same vulnerability is identified by multiple participants but with different severities, they are all given the same severity for award calculation, due to the deduplication process and subsequent severity judgement. In instances where a bot identifies an issue and proposes a fix, it's important to note that the proposed fix may inadvertently introduce a more damaging exploit. \n\nHigh-risk findings during an audit are counted as one if their root causes are the same. 
If wardens report the same vulnerability but with different severities, they are given the same severity for award calculation, to maintain fairness within the process. \n\nFor more detailed information on this topic, refer to these discussions https://github.com/code-423n4/org/issues/8 and https://github.com/code-423n4/org/discussions/50.", "Question: \nCan high-ranking teams participate in an invitation audit that prioritizes highest ranked wardens?\n\nAnswer: \nYes, high-ranked teams can participate in CodeArena's invitation audits that prioritize the highest ranked wardens. These teams or groups of wardens are eligible to compete. However, to participate in these auditing contests, they need to be certified as wardens.\n\nCertification requires competing in audit contests and it may involve meeting certain other conditions. Once certified, wardens gain access to private audit contests, although there might be additional requirements for some opportunities. The details about each opportunity, including eligibility criteria, are listed in the #\ud83d\udd96rsvp-certified channel.\n\nContests like the \"vs contest\" involve a limited number of the highest performing wardens who RSVP. In these contests, certified wardens have the opportunity to compete for access. These are invitational contests where opportunities are offered to wardens based on their rank in either specific contests or during a recent window.\n\nTeams can register themselves as wardens at https://docs.code4rena.com/roles/wardens#registering-a-team. It's worth noting that for some audits like mitigation review or invitational, there might be a ranking cutoff, with only the top 3 or 5 wardens usually considered.\n\nWhile the top wardens in the 90-day leaderboard are prioritized for contests, it's worth noting that all contests aren't strictly open to only top-ranking wardens. 
For example, for private audits, certification is usually sufficient, while for invitational audits, only specific wardens are invited.\n\nTo decide whether they want to compete, wardens can check the contest details in the #\u270brsvp channel. Having certification as a warden also grants earlier access to the findings repositories, allowing them to assist with post-contest processes.\n\nIn summary, high-ranking teams can participate in invitation audits. However, they need to be certified as wardens and meet any other requirements as specified by each opportunity.", "Question: How can I gain backstage access at CodeArena, what criteria do I need to meet, and how can I apply?\n\nAnswer: Gaining backstage access at CodeArena requires meeting certain criteria outlined at [CodeArena's documentation](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). Firstly, you need to be a certified contributor. To qualify for such status you need to have participated in a minimum of 3 contests and obtain either one high severity finding or three medium severity findings. Notably, these findings need to be publicly acknowledged and added on the leaderboard. Once you meet these requirements, you can apply for the backstage role by submitting a help desk request at [CodeArena's help desk](https://code4rena.com/help). The decision regarding your request will be communicated to you once it has been reviewed. As a backstage warden, you'll gain access to the findings repository immediately after an audit. However, this role requires compliance with Know Your Customer (KYC) and Non-Disclosure Agreement (NDA) procedures for security reasons. Please note, access may be temporarily suspended at times, following management decisions.", "Question: How do payouts work on CodeArena and what is the process to receive and convert the rewards?\n\nAnswer: CodeArena provides payouts on the Polygon network. 
All rewards, including contest prizes, are sent in USDC, a type of cryptocurrency. The rewards are linked to participants' Discord usernames and specific wallet addresses on the Polygon network, not on the Ethereum network. \n\nIf one of your reports is accepted, the USDC reward will be sent to your Polygon wallet. Note that to receive the funds, you need to have a Polygon address set up in your account. You can verify the payout for vulnerability issues by checking your registered wallet address using platforms like polygonscan.com or wallet trackers like debank.com.\n\nOnce the rewards are in your Polygon wallet, they can be connected to MetaMask for conversion and withdrawal. To move funds back to the Ethereum Mainnet, if necessary, you can use the Polygon bridge, which can be found at https://wallet.polygon.technology/. Please note that to bridge from Polygon to Ethereum and later withdraw USDCs on Coinbase, both Matic and Eth are needed if using the Polygon bridge. If you prefer to use the Hop Bridge, only Matic is required, but you should be aware that you will receive less USDC on the Ethereum Mainnet.\n\nFurthermore, you can convert your USDC rewards to BTC over Coinbase, if desired. If you face an issue of zero balance on your Metamask wallet, you could consider adding USDC on Polygon to your wallet. Also, remember that regardless of wallet settings, funds will be sent to your address and you control the key to that address. To move the funds, you will need to send a transaction on Polygon. \n\nPlease stay vigilant about the security of your Polygon wallet, as there have been instances of unauthorized transactions being reported.", "Question: If I've participated in a contest, submitted two or more issues, and I'm not on the award list, does that mean my issues were rejected? 
How can I confirm this and understand why they were rejected?\n\nAnswer: Yes, if you've participated in a contest and you're not on the award list, it's likely that your issues were rejected. The confirmation can be done by reviewing the available report. It's essential to note that the order of reported issues doesn't necessarily go according to submission time. The judges prioritize the primary issue based on the quality of the write-up rather than the order of submission.\n\nYou can understand why your submission was not accepted once the report is out and the repository is fully opened. This allows you to see the discussion among sponsors and judges regarding your specific issue. For example, if your finding was mentioned in the known issues section in the contest, it would likely be disqualified.\n\nEach issue submitted in a contest is evaluated strictly based on what was submitted, and judges do not have the capability to \"multiply\" an issue. If you've submitted more than one issue in a single submission, it will count as one submission since awards are distributed based on individual issues. Additionally, remember that each finding submitted for contests may not always make it to the final report, and the reason might not be immediately known. You'll need to wait until the reports are published, which usually takes at least a month.\n\nIf you're unsure if findings should be submitted as separate issues or as one, and you want to understand how to improve future submissions, monitoring the backstage channel for the post-judging stage of the concerned contest can be beneficial. \n\nIn some cases, technical issues may affect submissions, such as when GitHub failed to take in issues in the past or when users experienced issues when submitting findings to specific contests. 
The final report for a contest doesn't include wardens whose submissions/findings are not accepted.\n\nPlease remember that submitting invalid issues could result in punishment if you submit more than three of them per contest. Always strive for high-quality submissions to ensure your findings are valuable and valid.", "Q: How are Quality Assurance (QA) reports graded at CodeArena and what influences the grading system?\n\nA: At CodeArena, the grading of QA reports is influenced by several factors including the number and nature of findings and their impact. Grades are assigned as A, B, C based on the quality of the report and gas savings achieved. \n\nAn 'A' grade report, which is considered good, is typically characterized by a lower number of findings (2-3 low findings for example). It is important to note that even if an 'A' grade report has more findings (like 5-6 low findings), it receives the same award as any other 'A' grade report. On the other hand, a 'B' grade report could have one good issue or multiple low-impact issues. \n\nIncorrect findings in a report can negatively affect the grading. The judges have the discretion to downgrade medium issues to QA and consider them alongside your QA report when grading. They can also upgrade items from your QA report if they feel severity should be higher. Therefore, the number of issues reported in a Gas and QA report doesn't necessarily determine the grade.\n\nIn terms of rewards, Grade A reports count as 2 shares, Grade B as 1 share, and the best report receives a 30% bonus. 
It's also worth mentioning that users with a grade-B in QA are eligible for awards.\n\nFor more details, you can review the documentation of the grading system and other relevant information at the following links: \n- [Incentive Model and Awards](https://docs.code4rena.com/awarding/incentive-model-and-awards)\n- [Judging Criteria for QA reports](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n- [FAQ for QA and Gas reports](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq) \n\nPlease note that the grade for a QA report is relative, as it's based on a comparison with other reports. It's also possible for a submission to receive a 0 grade, if a judge decides it merits that grade.", "Q: I participated in multiple audits but their results haven't been announced yet, when can I expect the results and what is the process once an audit ends?\n\nA: Once an audit contest ends, it generally takes about 2 to 8 weeks for the judges to review the findings and create the leaderboard. However, timelines can sometimes be longer depending on the number of submissions and the complexity of the audit. The stages that follow an audit contest include contest completion, sponsor reviews, judging, awarding, and finally, report publishing. Some audit reports, such as those for Yaxis and Base, have experienced delays due to high participation rates or other factors. For example, in the case of the Biconomy Hyphen 2.0 contest, the audit results are currently under review and expected to be published soon. \n\nWhile waiting for the report to be published, it's important to note that participants' findings may not always make it to the final report, and the reason might not be immediately clear. You will only be able to check your submissions once the report is published and the findings repo is made public. 
After the results have been posted, the release of the report can sometimes take additional time because the CodeArena team needs to get the approval from the projects involved. \n\nShould you rank amongst the top auditors, such as the top three in the mitigation review, you may also be selected for further review or invitational. It's important to note that currently, findings of a contest cannot be viewed after it finishes but before the results are published. This means participants will need to wait for the report to go live. \n\nOnce the judging process is complete, awards are distributed. For example, there was a delay in the distribution of awards for the Nested Finance audit contest. If you placed in a contest, such as the participant who placed 2nd in the Nested Finance audit contest, you can expect your award to be sent to your MetaMask wallet. \n\nFuture audit events or contests are dependent on sponsors confirming details and dates. Currently, there are no upcoming competitions, but the team is in talks with several people about potential audits. If you have further questions or need additional information, feel free to reach out to us.", "Q: What are the requirements and benefits of participating in auditing contests at CodeArena, and how does the process work?\n\nA: Participating in auditing contests at CodeArena offers various benefits and comes with certain requirements. Participation in a minimum of 3 contests is necessary to meet the requirement for backstage+ access. However, backstage access can also be obtained if a participant has participated in three contests with either one high or three medium fundings. \n\nIt's important to note that some contests require certification for payouts if any submissions are awarded. The criteria for certification could be more stringent, such as being in the Top 3 in 3 contests or making a high finding. To become a certified warden, you'll need to compete in the audit contests. 
Participants must complete certification within 30 days of the end of the audit to receive their payout.\n\nAuditing contests can be a great way to gain a better understanding of audit reports, and improve your skills. You can participate as an individual or as part of a team. If participating as a team, a single wallet is used during registration.\n\nThe audit reports for contests are typically published after the stages of the contest finish, which include sponsor reviews, judging, and awarding. This process can take anywhere from 2 weeks to over 6 weeks, depending on the contest and the number of reports on review concurrently.\n\nTo participate in private contests, you usually need to be certified and also rank on the leaderboard. There may also be a ranking cutoff for auditing private contests, with the top 3 or 5 typically taken for mitigation review or invitational.\n\nCurrent ongoing contests can be found by checking CodeArena's platform, or by contacting the team, which is regularly in contact with various projects about upcoming audits. Auditor rankings and more information about the contests are also available on the platform. \n\nLastly, please keep in mind that while you're encouraged to submit findings you're unsure about, submitting more than three invalid issues per contest could result in punishment.", "Question: What is the process of receiving and managing payouts from CodeArena on the Polygon network and how can I convert them to other forms of currency?\n\nAnswer: Payouts at CodeArena are received in USDC on the Polygon network. This means contest winnings, rewards, and payments are made via this cryptocurrency on Polygon\u2019s Mainnet. If a report is accepted, USDC will start flowing into the contributor's wallet. It's important to note that rewards are sent to the Polygon address, not to the Ethereum address. 
To ensure you receive your rewards, you should put your Polygon address in your account.\n\nAfter receiving your rewards in USDC, you can deposit them into Coinbase directly from Polygon. Moreover, if you wish to convert USDC on Polygon into BTC, or any other currency, you can do so via relevant exchanges.\n\nIf you want to bridge funds from Polygon to Ethereum and later withdraw USDCs on Coinbase, both Matic and Eth are needed if using the Polygon bridge. However, if using the Hop Bridge, only Matic is needed but you will receive less USDC on the Ethereum Mainnet. To move funds back to the mainnet, you can use the polygon bridge. Here is the link: https://wallet.polygon.technology/.\n\nOnce the funds are received, they will be sent to your address and you control the key to that address. To move the funds, you need to send a transaction on the Polygon network. Remember, the process of conversion from Polygon Token to other currencies can be done through MetaMask bridge and Coinbase. You can verify your payout for vulnerability issues by checking the wallet address you registered with, using polygonscan.com or wallet trackers like debank.com.\n\nDo remember that the amount of rewards for finding issues can vary significantly, with some wardens getting thousands of USDC while others only get hundreds. Please also be aware of any potential unauthorized transactions on your Polygon wallet and secure it accordingly.", "Question: \nWhat should I do if I spot a mistake in the contest prize amount on the CodeArena website, and how are such errors typically handled and corrected?\n\nAnswer: \nIf you observe an error in the prize amount for a contest on the CodeArena website, you should immediately flag the issue. The team prioritizes error corrections, as demonstrated in past instances such as the Dopex contest, where a similar error was promptly corrected. \n\nKeep in mind that the prize pool for a contest includes a judging pot and comes directly from the sponsor. 
There have been cases where the prize pool was adjusted to account for changes in the judging fee. Changes to the award calculation process are also currently underway to improve efficiency and accuracy.\n\nOnce contest payouts have been sent, the outcome cannot be changed. However, overlooked issues can be flagged to the judge and sponsor for review. If a contest is still ongoing and you've submitted a correct bug issue but with an incorrect solution, you are allowed to update your submission. \n\nIf you make a submission to the wrong contest accidentally, you should resubmit it to the correct contest and fill out a form to notify the C4 staff about the incorrect submissions. This form can be found at https://code4rena.com/help/. \n\nPlease send any invoices regarding the contest payouts to the Code4rena Foundation and feel free to reach out to the respective sponsor with specific questions about the scope for a contest. Our aim is always to process and distribute multiple contest rewards by the end of a specified week. However, there can be delays in the distribution of awards, as happened with the Nested Finance audit contest.\n\nRemember, it's essential to keep an eye on the public report page, which is updated mid-contest. It also helps to communicate any concerns about contest-related issues in our chatroom.", "Question: What are SLOCs and how are they determined? Are there any known discrepancies in the SLOCs reported for Dopex?\n\nAnswer: SLOC, or Source Lines of Code, is a metric that represents the size of a software program by counting the number of lines in the text of the program's source code. It excludes comment lines. The tool used to calculate SLOCs in CodeArena is 'cloc'. \n\nHowever, it's important to note that there have been instances of discrepancies in the SLOC count, such as the case with Dopex. The original reported SLOC count for Dopex included spaces and other non-code elements, resulting in an incorrect count. 
The correct SLOC count for Dopex is 2200.\n\nThis has prompted discussions about standardizing the way SLOCs are reported across different contests to avoid such confusion. For instance, a concern was raised about the mismatch between the number of lines of code (LOC) mentioned in the README.md and the actual lines in the contract files in Sherlock finance's repo.\n\nMoreover, the duration of contests does not directly correlate with the size of the source code (SLOC). For example, there were concerns about the limited duration (20 days) for the audit of a project named Maia, which has 12K SLOC, and it was later extended to 4 weeks for a contest involving over 12k SLOC.\n\nFor more information about SLOC, you can visit this link https://www.google.com/search?q=SLOC+meaning&oq=SLOC+meaning. If you have more queries about SLOCs or any other aspects of the contests, feel free to ask in our Discord channel.", "Question: What are the requirements and process to obtain the backstage role for a team or an individual at CodeArena (C4)?\n\nAnswer: The backstage role at CodeArena is available to certified contributors who meet certain qualifications based on their performance in contests. For a team or an individual to be eligible, they need to have either a valid high finding or three medium severity findings. Another way to qualify is by having a QA or Gas report that scored over 85. In addition, participants who have participated in at least three contests are also considered for the backstage role. \n\nOnce these criteria are met, the participant or team can submit a help desk request to have their status evaluated. The criteria for obtaining the backstage role are considered satisfied when the awards are announced and added to the leaderboard. It should be noted that all findings should be public before the backstage role can be received.\n\nIn the past, backstage access was based on a trust model, but future access may involve some constraints or consequences. 
This is due to instances of backstage privilege abuse, where information about findings for judging was shared with others who did not have backstage access.\n\nFor more details about the backstage role and how to apply, visit: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens and for information about the certification process, visit: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.", "Q: How can I apply for backstage access at CodeArena and when will I hear back about my application?\n\nA: To apply for backstage access at CodeArena, you must first ensure you meet the criteria, which includes having participated in three contests with either one high or three medium findings. You would also need to become a certified contributor as described in our documentation found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nOnce you've ensured you meet these qualifications, you can submit a help desk request at https://code4rena.com/help. Your request will be reviewed and you will be notified about the status of your application. \n\nYou can find more detailed information about backstage access and its requirements at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.\n\nPlease note that the backstage+ role requires meeting four minimum criteria as stated in our documentation. If you have further questions or need assistance regarding your application, you can get help through the help desk.", "Question: Can you provide more details about the grading system for QA and gas reports at CodeArena, specifically what does an 'A' grade report signify?\n\nAnswer: An 'A' grade report at CodeArena signifies a high-quality report, indicating good performance. The grade is assigned based on a relative comparative score amongst other reports. 
Reports are generally graded between 0 to 100, and the grading involves considering the number, quality, and impact of issues reported. However, the number of issues alone doesn't necessarily determine the grade. For instance, a report could have one impactful issue to be recognized as 'Grade B', or it could have multiple low-impact issues and still be recognized as 'Grade C'. \n\nIn the context of QA and gas reports, rewards are classified into grades A, B, C, based on the quality of findings and gas savings. Grade A reports equate to 2 shares, Grade B equates to 1 share, and the best report is subject to a 30% bonus. It's noteworthy that not all reports or findings guarantee a reward. Reports must meet certain quality standards to be considered valid and satisfactory. Incorrect findings can affect the final grade. In some rare cases, a submission may even receive a grade of 0 if a judge deems that it merits such a grade.\n\nIt's also important to highlight that all 'A' graded QA reports receive the same award, regardless of the number of low findings. While grading, judges consider both the quantity and quality of findings, and a single item in a QA submission is unlikely to receive a high grade. \n\nYou can find more detailed information about the grading and incentive model at CodeArena at https://docs.code4rena.com/awarding/incentive-model-and-awards. For specific judging criteria, you can refer to https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical and https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports. 
You can also review winning reports to understand what high-quality and high-quantity findings look like, for instance, check out this report: https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues.", "Question: How can I start the process of becoming a certified warden and get access to the findings repo on C4?\n\nAnswer: To begin the process of becoming a certified warden, you can start by reading the document available at https://docs.code4rena.com/roles/certified-contributors. This document includes all the necessary information about the certified wardens and the certification process. It's also worth noting that access to the findings repo is reserved for Certified+ users, but as of the current time, this feature hasn't been rolled out to anyone yet. Also, if there's a mismatch between the documentation and the code, it's mostly considered a QA issue if it doesn't have an impact. If you have any proposed edits to the CodeArena documentation, you can submit them on Github at github.com/code-423n4/docs. Additionally, you can learn more about Code4rena and the teams at https://docs.code4rena.com/. For more context on the process and what you should expect, you can review the organization's process timeline at https://docs.code4rena.com/structure/our-process. Lastly, remember that understanding the purpose of a codebase may require reading the documentation or having previous experience with similar code.\n", "Question: How can I obtain backstage access at CodeArena after identifying high vulnerabilities?\n\nAnswer: Backstage access at CodeArena permits certain user privileges, like access to the findings page. It is granted based on the certified contributor role. To qualify, you need to satisfy one or multiple of the following criteria: identify a high severity finding, three medium severity findings, or a QA or Gas report with a score of over 85. 
Once the results are published to the leaderboard and you believe you meet the criteria, you can request backstage access through a helpdesk request. Please note that the access was once disabled due to an incident of privilege abuse, but has since been reopened with certain constraints and consequences. Make sure you follow all ethical guidelines when using your backstage access, as any violation could lead to the disabling of this privilege. More information about backstage access, the criteria, and how to request it can be found [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). After you apply, notification will be provided once your request has been reviewed.", "Question: I've recently gained certified status. What does this mean for my access to previously participated contest judging repositories and what are the benefits of this certification? \n\nAnswer: Congratulations on your certification! Being certified as a contributor at CodeArena offers you several benefits. You will be able to access a greater number of contests, including private ones, provided you have completed KYC. You would also need to RSVP in the rsvp-certified channel and maintain a high position on the leaderboards from the last 90 days. However, to gain access to the judging repositories of contests you've participated in, you would need backstage access. This allows you to see other submissions immediately after contests end, assisting in your learning process and potentially speeding it up. \n\nBackstage access is based on your certified contributor role, and you also need to meet certain criteria such as having at least three medium findings and four total findings as well as having participated in a few contests. Applications for backstage access are currently suspended until further notice. 
Once you have backstage access, you can assist with post-contest processes by viewing submitted issues right after contest closure and providing input or comments during judging. \n\nAfter a contest has closed, all wardens, including those with certified+ status, can view other submissions, thus accelerating their learning process. Certified+ wardens also gain earlier access to the findings repositories and can assist with post-contest processes. \n\nOnce the contest report is published and the repo becomes public, everyone can access all the submissions and see the discussion among sponsors and judges about specific issues. For more information about backstage wardens, visit this link: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.", "Question: I submitted a help desk request through CodeArena, how will I know if something goes wrong or needs my attention?\n\nAnswer: After submitting a help desk request at https://code4rena.com/help, you should receive a confirmation that your request has been received. This acts as an initial verification that your request has been accepted for review. If there are any issues with your request, or if additional information is needed, you will be notified via email. It's also important to note that you may need to respond to any clarifying questions or requests for additional information arising from the review of your ticket. The status of your request can be tracked and typically, you can expect a response within a week. If you do not receive any form of confirmation or further communication within this time frame, it may be advisable to submit another request outlining the issue you're experiencing. As always, if you feel there's a security risk to public issue contents or if you didn't receive an email after registration or submitting a finding, you can further utilize the help desk request system. 
It's designed to help with a variety of issues, whether it's tracking the status of your KYC confirmation or even applying for special roles if you meet certain qualifications. It is our priority to ensure your requests are addressed promptly and accurately.", "Question: Can I apply for a backstage role if one of my first three contests was with a team? \n\nAnswer: Yes, you can apply for a backstage role at CodeArena even if one of your first three contests was with a team. The key requirement to obtain a backstage access is to have participated in at least three contests, regardless of whether it was individual participation or as part of a team. If your team submits 3+ medium findings and they are accepted, then all team members become eligible for the backstage role. \n\nAdditionally, you should have at least three medium findings or one high finding. Once you meet these requirements, you can apply for backstage access via a help desk request on the CodeArena website [https://code4rena.com/help]. This procedure can be initiated as soon as the contest results are published on the leaderboard. \n\nIt's important to note that backstage access allows you to view findings repo when a contest ends, aiding in triaging. Moreover, the backstage role isn't granted for every contest, but its scope is broader than just where the wardens have submitted issues.\n\nPlease refer to this document for more information about the backstage role and how to request it: [https://docs.code4rena.com/roles/certified-contributors/backstage-wardens].", "Question: What does 'solo' mean in the context of findings and submissions in a contest by CodeArena?\n\nAnswer: In CodeArena, 'solo' refers to a finding that is discovered exclusively by one auditor, also referred to as a warden, without any duplicate discoveries from other participants. This implies that if a finding is marked as 'solo', it means only that specific warden found the issue in the contest. 
If the finding is accepted and validated, the warden who made the solo finding secures all the share of that finding, including a possible 30% bonus, leading to a 1.3 share. Auditors have the option to participate in a solo or team capacity in a contest. If an individual is part of a team, they have the flexibility to submit solo findings as they wish. Their submission form allows them to indicate whether they're submitting as an individual or as a team member. However, it's important to note that for team participants, all rewards go to the team as a whole, and the team is then responsible for dispersing the funds among its members.", "Q: What are the requirements for getting backstage access at CodeArena (C4) and how can I apply?\n\nA: Backstage access at CodeArena, which allows you access to the findings repo post-contest and before public report release, is granted to certified contributors who meet certain criteria. These criteria include participation in at least three contests and a certain number of findings: one high severity finding, three medium severity findings, or a QA or Gas report with a score of over 85. Please note that the findings should be public for the backstage role to be received. \n\nOnce you meet these criteria and have confirmed your eligibility, you can submit a help desk request to apply for backstage access. Being certified, however, does not automatically grant you access to the previously participated contest in progress judging repository. Applications for backstage access are reviewed and granted based on the contest results published to the leaderboard. \n\nPlease be aware that the applications for backstage access are occasionally suspended until further notice. You can track updates and learn more about the backstage role and its requirements by visiting the official document [here](https://docs.code4rena.com/roles/certified-contributors/backstage-wardens). 
\n\nTo become a certified contributor, which is a prerequisite to getting backstage access, you can follow the guidelines detailed [here](https://docs.code4rena.com/roles/certified-contributors). The help desk request page for backstage access can be found [here](https://code4rena.com/help). \n\nIt's important to remember that participating in the audit process, even if you aren't successful in finding bugs, is considered a valuable learning opportunity by many users in the CodeArena community.", "Question: How can I check and manage my reported findings, and understand the rewarding process in the CodeArena?\n\nAnswer: All your reported findings, which have been rewarded, can be viewed at this [link](https://discord.com/channels/810916927919620096/1095308824354758696/1130212982094299246). You can also track the status of your findings and manage them on our website. To do so, navigate to the contest page and click on the \"Your Findings\" button. \n\nHere, you can edit your findings or even withdraw them if necessary. If you've submitted an issue for a contest but didn't make it to the award list, it's likely that your issue was rejected. You can confirm this by reviewing the available report on the same page. \n\nNot all reports or findings are guaranteed a reward. They are graded and must meet a certain quality standard to be considered valid. Best reports in a contest are given bonus rewards. \n\nRegarding the rewarding formula, it takes into account the count of findings and whether they received full or partial credit. The formula might also vary depending on the severity of the findings. However, it's important to note that submitting duplicate reports might affect the payout. The reward is usually given to the first reporter of a unique issue. \n\nRewards for each finding used to be in a CSV file, but this can now be accessed online at https://code4rena.com/community-resources/findings.csv. 
After the leaderboard is shown and rewards are sent out, the final report of the contest might not immediately appear on the C4 site. Please wait until the full public report is published before doing a write-up of some issues or bugs found on a project. \n\nFinally, you will receive an email confirmation for all the reports you submitted during the competition. If you have submitted a report for the first time and want to check the submission status, you can do so at https://code4rena.com/reports.\n", "Question: Can I reference a previously submitted issue in a new submission within a single active context, and if so, how?\n\nAnswer: Yes, you can reference a previously submitted issue when submitting a new one within the same active context. Upon submitting your first issue, you will need to edit it to find an ID at the end of the URL, which corresponds to the GitHub issue ID. When submitting your subsequent issue and you wish to reference the first, you simply write \"#\" followed by the first issue's ID. For example, if your first issue's ID was 13, you would write \"#13\" in your new submission. \n\nPlease note, even after editing an issue, the initial (pre-edited) issue may remain available in the edit history. You can also withdraw an old issue or edit an existing submission if you find another error. If two different issues can be resolved by fixing the same thing, they would be considered as one issue. Similar issues can be grouped together, and multiple issues of the same type in a code can be reported as one. \n\nYet, it's important to be aware that awards are distributed on an individual issue basis, so multiple items in one submission count as a single submission. If two participants submit the same issue, the one who submits first will not necessarily have an advantage. The severity of issues can also be updated post-submission by judges. 
If you're unsure about whether to submit findings as separate issues or as one, it is best to refer to the guidelines for handling multiple occurrences of the same issue [here](https://github.com/code-423n4/org/issues/8). \n\nFinally, if you're part of a team, you can submit issues as a team, but the process for doing so has not been clearly defined yet, particularly if two team members find the same issue but submit it with different wallets. Also, when multiple similar issues are reported, judges choose the primary issue based on the best write-up rather than the order of submission, to encourage high-quality submissions.", "Q: How does team submission work on CodeArena, and how can I check my submission status?\n\nA: Users have the ability to register as a team on CodeArena and submit findings collectively. Once a team is approved, any team member can make submissions on behalf of the team. When making a submission, users can choose their solo handle or their team handle. Submissions can be made through a PR, and users should add their team handles when reporting issues. All members of a team will receive the bug stats once a finding has been submitted as a team. \n\nThere is a step-by-step process for submitting findings available at this link: [https://docs.code4rena.com/roles/wardens/sub](https://docs.code4rena.com/roles/wardens/sub), and examples of past submissions can be found here: [https://code423n4.com/reports](https://code423n4.com/reports). If your report exceeds the character limit of the submission form, you can submit a placeholder and send an email with the full report instead. \n\nAfter submission, you will receive an email confirmation. Only the team has access to these submissions before a contest ends. After that, those with the \"backstage\" role get access to findings for triage purposes. You can check the status of your submission by finding your report in your email. 
If any issues arise during the submission process, you can submit a help desk request. \n\nPlease note that teams can be modified by submitting a request through the help desk. If you have reported an issue but are unsure about its severity, there is a process to help determine this. There's also a process in place to review why a submission was not rewarded once the report is public and the repo is fully opened.", "Q: What is the process and benefits of becoming a Certified Warden at Code4rena? \n\nA: Becoming a Certified Warden at Code4rena involves a specific application process, which includes Know Your Customer (KYC) requirements. It is likely that certain criteria may need to be met, such as participating in audit contests and having a certain number of valid findings or reports. \n\nOnce certified, you gain several benefits, such as eligibility to attend private audits and the possibility to become a judge. You also become eligible to receive payments from KYC-required sponsors like Chainlink. Certified Wardens also get access to private repos after a contest is finished. However, the full specifics of the privileges of Certified Warden status have not been detailed. \n\nForeigners are allowed to apply to be Certified Wardens. The verification process might need a passport or a certified copy of an individual's identity. \n\nFor more detailed information about the eligibility requirements and certification process, you can visit the official Code4rena documentation on Certified Wardens at https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor and https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. If you are ready to apply, you can visit https://code4rena.com/certified-contributor-application. 
\n\nPlease note that the information provided may change, so it's always best to check the official site for the most up-to-date information.", "Question: Can I maintain my current employment while participating in CodeArena's smart contract auditing as a side project?\n\nAnswer: Yes, maintaining existing employment while participating in CodeArena's smart contract auditing as a side project is definitely possible. CodeArena primarily targets auditors for contributions and encourages both individual and team participation in auditing projects. Certification does not prohibit you from being employed elsewhere and you are free to engage in the auditing process even before a code is complete. \n\nTo participate in private audits, however, you need to become a certified contributor. You can get certified through multiple paths, such as reverse engineering and understanding old audit reports. Here is an example set of reports available at: [https://chainsecurity.com/audits/](https://chainsecurity.com/audits/). \n\nOnce certified, you may be able to join private auditing contests. To apply to become a certified contributor for participating in restricted audits, you can apply at [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors). \n\nPlease note that if you're auditing as part of a team, all rewards go to the team and the team is responsible for dispersing the funds. You can find more information on how to approach auditing of big projects from this blog post at [https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan](https://blog.bytes032.xyz/p/audit-like-a-pro-my-3-step-game-plan). \n\nThe frequency of auditing projects varies, but on average, there are 2-5 audit projects per week. 
So, you can choose projects that fit around your main employment schedule.", "Question: What does it mean to be a Certified Contributor at CodeArena and how does one fulfill the expectation of conducting activities in a timely and professional manner?\n\nAnswer: A Certified Contributor at CodeArena is a participant who has undergone a specific certification process and has agreed to conduct all CodeArena-related activities in a timely, professional manner. This role comes with certain perks, such as the ability to participate in invitational audits and gain backstage access. \n\nTo become a Certified Contributor, you must fulfill certain criteria and prerequisites which are detailed at https://docs.code4rena.com/roles/certified-contributors. The certification process may include signing a non-disclosure agreement (NDA) and going through a KYC (Know Your Customer) process. \n\nOnce certified, contributors are expected to participate in audits and contests professionally, adhering to the agreed timelines. It's also worth noting that while a participant can sign up as a certified contributor with multiple accounts, they can only participate with one account. \n\nAdditionally, Certified Contributors who believe they meet the criteria for backstage access can confirm their eligibility by submitting a help desk request. Backstage access allows participants to discuss their findings. More information on backstage access can be found at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. \n\nRemember, the key to being a successful Certified Contributor is to maintain the professional conduct expected of you, and to remain active and timely in your participations.", "Question: When and how will Arcade and Pool Together rewards be distributed?\n\nAnswer: The rewards for activities such as Arcade and Pool Together are expected to be distributed in the following week from their announcement. 
Our team aims to process and distribute these contest rewards by the end of a specified week, usually the same week they're announced. However, please bear in mind that payments are batched and typically completed once a week, so the actual distribution might take place between 1-2 weeks after the announcement. \n\nThe rewards are queued at the multisig and should be issued within a week if a contest is listed as 'awarding'. The distributions are made to the user's registered wallet address, so please make sure your details are updated. For updates on reward distribution, you can check the announcement channel. \n\nIt's worth noting that different reward pools for distinct reports will be announced separately to clarify the reward for each pool. For instance, rewards for specific contests like Fairside or Stakehouse are expected to be announced and distributed separately. \n\nMoreover, the specific rewarding formula can vary depending on the contest. For instance, in a contest where only one high and one medium issue are found, the reward distribution might be different. \n\nFinally, please be assured that we are working hard to reduce turnaround times for rewards, and two months after the end of a competition would be a worst-case scenario. The upcoming audit contests are listed on our website, [code423n4.com](http://code423n4.com).", "Question: In an audit, if a contract A.sol is the scope of the contract but it inherits from another contract B.sol, should both contracts be audited and will there be a payout if there is a vulnerability found in the inherited contract B.sol? \n\nAnswer: Yes, if a contract A.sol is within the scope of an audit and it inherits another contract B.sol, both contracts should be audited. This is because vulnerabilities affecting the main contract (A.sol) can be found in the inherited contract (B.sol). 
However, the payout for vulnerabilities found in the inherited contract B.sol could be subjected to the discretion of the judge, especially if B.sol is not explicitly included in the audit scope.\n\nIf a vulnerability is found that impacts an out-of-scope contract, the impact might be considered for the award, but this decision is generally up to the judge. If a vulnerability is found in an out-of-scope contract, it can be included in the CodeArena (C4) report as an unrewarded finding or the project can be directly messaged.\n\nIf multiple auditors report the same bug, they all get a portion of the bounty. Common findings are usually out of scope as they are picked up by the C4udit tool. The findings are linked in each contest readme and if they're not picked up by the tool, they should be submitted.\n\nKeep in mind that the severity of the vulnerability also plays a role in the award process. Judges determine the severity of a bug in a smart contract. A bug that relies on a user making a mistake in interaction with a contract may be valid but will probably not have the same severity as if it does not require a mistake.\n\nThe term \"in scope\" refers to the elements that should be audited. An audit of a project takes into account the current state of the project. The scope may not include vulnerabilities pertaining to deployment or early actions like initializers, especially for projects with already deployed code. 
Tests in solidity are needed to check certain things in the Contracts being audited.\n\nFinally, it's worth noting that if no Medium/High vulnerabilities are found in the smart contracts, remaining contest funds will be divided based on the Quality Assurance (QA) report curve.", "Question: Why do I need to be certified in order to receive payments from some projects on CodeArena, and what are the exceptions?\n\nAnswer: While certification is not always required to participate in contests on CodeArena, it is a necessary step to receive rewards from specific projects. The need for certification or KYC (Know Your Customer) verification arises from certain anti-money laundering laws and specific project requirements. If you are participating in a contest as a team, all team members need to be certified to be eligible for payment. However, it's important to note that not all contests require certification. Contests requiring certification will specifically state so. \n\nBecoming certified also grants you access to more contests and an opportunity to participate in more complex audits. You can start the certification process at any time, but in case you are participating in a contest, it is recommended to complete it within 30 days of the end of the audit to receive any potential payout. \n\nThere have been instances where participants faced delays in payments or pending rewards after a contest. It is not always an issue with certification but could be due to the process not being completed or the quality of the report submitted not meeting the required standards. \n\nPlease note that being certified does not prohibit you from being employed elsewhere, and you can participate in CodeArena as a side project. 
More information about becoming a certified contributor can be found here: https://docs.code4rena.com/roles/certified-contributors.", "Question: What are the benefits and requirements of becoming a Certified Contributor in CodeArena?\n\nAnswer: Becoming a Certified Contributor in CodeArena opens up a wider range of opportunities compared to non-certified participation. As a Certified Contributor, you gain access to more contests, including Certified contests and Versus contests. You also gain eligibility to participate in private audits and apply for a judge role, conditions permitting.\n\nCertification does not require full-time commitment or prohibit employment elsewhere, meaning that you can participate in CodeArena as a side project. You can apply to be a Certified Contributor, and even sign up with multiple accounts, as long as you only participate with one account.\n\nWhile it is possible to participate and receive payouts without certification, some activities such as receiving rewards, participating in contests that require KYC verification, or participating in audits that require KYC, do necessitate certification. \n\nFurthermore, if you are competing as part of a team, all members must be certified in order to be eligible for a payout. \n\nThe certification process can be initiated within 48 hours of the contest, and upon completion, you may be awarded if eligible. Users can also apply for certification after a high finding by contacting CodeArena through the help desk form. \n\nHowever, there may be specific requirements to become a certified participant, such as participation in a certain number of contests or having a certain number of valid findings or reports.\n\nPlease note that while certification grants access to more opportunities, not participating in certified events does not negatively affect your role. However, signing up but not participating can impact your status. 
\n\nFor more detailed information on becoming a certified contributor, please refer to our certification documents.", "Question: How can I become a certified auditor with CodeArena and what are the benefits of certification?\n\nAnswer: Becoming a certified auditor with CodeArena offers several benefits. Being certified grants you access to more contests, including private audits and Versus contests. Once certified, you can edit your profile, join any contest including certified ones, and even participate in CodeArena as a side project - it does not require a full-time commitment.\n\nTo become certified, you need to apply after making a high finding by contacting the organization through the help desk form. You may also be eligible to apply for Certified Contributor status or become a certified warden. The certification process involves sending your identity for verification which can take approximately 2-3 weeks. \n\nAdditionally, being a certified warden might make you eligible for a judge role. However, for most audits, it's not necessary to be a certified contributor. It's also important to note that you can submit a report without being certified, but in order to receive rewards or payouts, certification is necessary.\n\nThere have been suggestions and queries about making the criteria for certification more stringent, such as being in the Top 3 in 3 contests or making a high finding, and about the ability of a foreigner to become a certified warden. Currently, there's no formal process for requesting Certified+ status, and a query was raised about becoming a certified warden and eligibility for payout. 
But this is all part of an ongoing discussion, and we'll provide updates when there are changes to the process.\n\nFor more details on the certification process and its requirements, you can check the certification documents on our website [insert link].", "Question: What does becoming a certified Warden involve, and what does it mean for my participation in CodeArena?\n\nAnswer: Becoming a certified Warden in CodeArena involves the process of Know Your Customer (KYC) verification. This certification does not mandate a full-time commitment to CodeArena, and it doesn't prohibit you from being employed elsewhere. In fact, many participants engage with CodeArena as a side project alongside their primary jobs and commitments.\n\nThe certification process involves submitting your identity for verification, which can begin within 48 hours of a contest. It approximately takes 2-3 weeks to become certified after filling up forms. For some regions, proof of residence might be required for certification, but in several cases, a photo ID and a selfie have sufficed. \n\nBeing certified grants you access to more contests, including private audits, and opportunities for judging. However, for specific private audits, there might be additional conditions you need to meet. Some contests can be participated without certification, but for payouts on any awarded submissions, certification is a prerequisite. If you are participating as a team, all members need to be certified to be eligible for payout. \n\nBecoming a certified Warden also makes you eligible for a judge role, although certification may not currently be a requirement for all judging roles. Most judges balance their CodeArena responsibilities with full-time jobs and other commitments.\n\nTo maintain your certified status, you might be required to participate in a certain number of contests and have a certain number of valid findings or reports. 
There's also an advanced Certified+ status, and the criteria for achieving this could include high performance in contests or significant findings. The process for requesting Certified+ status is due for formalization.\n\nIt's to be noted that you need to complete your certification within 30 days of the end of the audit to receive your payout. As a certified Warden, you are also eligible for backstage access. \n\nForeign nationals are also welcome to become certified wardens, and there's also an option to apply to be a Certified Contributor. If you make a high finding, you can apply to be certified by contacting us through our help desk form.\n \nRemember, being certified is not just about identity verification, but also about proving your capability and commitment as a participant in our community. For specific details on the certification process, feel free to reach out to our team.", "Question: Can I participate in CodeArena for auditing smart contracts while being employed elsewhere or being a part of an auditing team?\n\nAnswer: Absolutely, you can participate in CodeArena while being employed elsewhere or being a part of an auditing team. CodeArena primarily targets auditors for contributions. You can participate as a solo auditor or as a member of a team. If you are a team member, you can still participate solo in a contest that your team is also auditing. However, you should be aware that all rewards for a team's successful audit go to the team, and the team is responsible for dispersing the funds. This also applies if you are a student, you can focus on traditional hacking, web2 security, or smart contract auditing as a side project. \n\nIn terms of the audit process, people can engage in the audit process even before their code is complete. Most audits do not require one to be a certified contributor. You can ask questions about past projects' findings, participate in private competitive audits, or even run an audit contest for your company. 
The platform is primarily focused on smart contract auditing, but there are also opportunities for smart contract gigs. \n\nWe also encourage you to understand audit reports, participate in contests for a better understanding, and use these as learning opportunities. While auditing, it's important to know that you might need to audit not only the contracts but also the script folders, depending on the project. You can be a security auditor focused on either the front or back end of the blockchain, as per your preference. \n\nAlso, remember that while auditing, it is acceptable to provide a link to a competitor as a mitigation for an issue when submitting findings, and you may fork the codebase and create a private repository on Github without it being considered as information disclosure. The findings will be created as a GitHub issue. \n\nPlease keep an eye on our channel for announcements about the next audit event or contest. Currently, there are no upcoming competitions, but we are in talks with several people about potential audits. \n\nLink: [CodeArena's Official Website](https://www.codearena.com)", "Q: What does being a certified user at CodeArena entail and how can I become one?\n\nA: Being a certified user at CodeArena opens up a range of opportunities and privileges. Certified users are allowed to participate in any contest, including certified contests, private audits and versus contests. They also gain the ability to edit their profile and are eligible for payouts. To become certified, you need to undergo a process that involves KYC (Know Your Customer) verification. \n\nIn terms of prerequisites, you need to have competed in at least three contests and encountered one high severity bug to be eligible for certification. If you are applying as a team, each member of your team needs to be certified in order to be eligible for payout. 
\n\nOnce you've met these prerequisites, you can apply to become certified by contacting CodeArena through the help desk form. Some users have reported waiting times to become certified auditors, but we strive to process these requests as quickly as possible.\n\nTo verify if you are already certified, you can check assigned roles by clicking on your name or via email communication. Being certified also grants you backstage access, as well as the option to apply as a Certified Contributor.\n\nThere's been a suggestion to make the criteria for Certified+ status more stringent, such as being in the top 3 in three contests or making a high finding, but this is subject to further discussions. \n\nPlease note that being certified does not require full-time commitment; it simply indicates that your identity has been verified and you meet certain competency criteria. \n\nFor more information on the certification process, you can check our certification documents [add link to certification documents here]. \n\nRemember, the certification is not only a proof of your identity and abilities, but it also allows you to access a wider range of contests and opportunities at CodeArena.", "Question: How can I add new members to an existing team on CodeArena?\n\nAnswer: Yes, it's possible to add new members to an existing team on CodeArena. If you encounter any issues during the process, such as receiving a blank page when trying to select members, it might help to try again later or on a different day. \n\nTo add a new member, you can submit a request through our help desk at https://code4rena.com/help. Besides, you can update the team information by creating a PR at https://github.com/code-423n4/code423n4.com/pull/28. \n\nThere's no technical limit to the number of members that can join a team. Once a person joins a team, they can participate in audits, help bounce ideas off each other, and learn faster, but they are not obligated to always participate as team members. 
\n\nIn case of persistent issues, it's advisable to ask for help in our team-building channel on the platform where you can also look for potential teammates. \n\nPlease note that to modify your team membership, team pull requests need to be accepted by an existing team member. If your team has trouble with this, please submit a help desk request. \n\nFor those looking to create a new team, you can do so at code4rena.com/register-team. However, managing the same team name with different members working on different contests at the same time or different times can be challenging. Having your team in order can positively affect your leaderboard rank, which is considered for selection for RSVP certified jobs.\n\nPlease remember that while teams can be created and modified, some users have reported technical issues with these processes, so don't hesitate to reach out if you need assistance.", "Question: I'm having trouble with Foundry installation, specifically an error saying \"Validation blockedError: Couldn't find forge binary. Performed lookup\". What could be causing this issue and how can I resolve it?\n\nAnswer: This error typically occurs when Foundry is not properly installed or its components are not correctly linked to your project. Here are few possible solutions that may help you resolve the issue:\n\n- Try running the `forge i` command, which is often recommended to install dependencies.\n- If you are working on a hardhat project with Foundry integration, make sure you have proper setup to avoid \"Source from artifact has no AST.\" error.\n- Another possible fix could be executing 'npm install foundry', as suggested by some users for running the contest.\n- The forge install command relies on git submodules, so ensuring that your git setup is correct might help.\n\nFoundry is a powerful tool for smart contract testing and offers capabilities to debug things like storage. 
It's a great tool for testing scenarios in a local environment, providing a much-needed alternative to public testnets. However, it seems some users are having difficulty with Foundry and Docker or issues related to running fork testing in the polygon POS network.\n\nRemember, when encountering errors, it's best to troubleshoot step by step. If these steps do not resolve your issue or if your issue is different, please provide more context or error messages to get more accurate help.\n\nFor detailed instructions on how to use Foundry, you can check the official documentation [here](https://docs.code4rena.com/roles/certified-contributors). And if you encounter any issues while utilizing Foundry for CodeArena, please reach out to the support team.", "Question: How does the Analysis Report work at CodeArena, what information needs to be filled in, and how can it be edited or checked?\n\nAnswer: The Analysis Report at CodeArena is a comprehensive document where users fill in their findings about the smart contracts they have audited. The guidelines on how to prepare the report and what needs to be filled can be found here: https://docs.code4rena.com/awarding/judging-criteria#analysis. This link also provides information about what the judgement criteria are when the analyses are evaluated.\n\nIf you need more detailed FAQs and guidelines, please refer to this link: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118. This page not only includes guides on how to prepare and submit your report, but also lets you know that you can send in an analysis report even if you have no significant findings, as it's useful to provide advice for the project's future.\n\nTo edit your findings or the Analysis report itself, go to the audit page and click the 'Your Findings' button. You can also add more findings to your report this way. 
Please note that you currently cannot send updates to your analyses directly; however, you can create a help desk request including a secret gist to have edits added to the comments of your analysis report before the audit closes.\n\nAfter submitting your report, you can check its status or view your report by going to 'Your Findings'. Also, when you submit a report for the first time, look out for a confirmation email and the ability to view and edit your submitted findings. If you face issues during the submission process, you can submit a help desk request.\n\nFor those participating in contests, you can submit your analysis report and even track its status. You can also view and edit your findings in the \"findings\" tab next to the contest description.", "Question: How can I add new members to an existing team on CodeArena, especially when encountering technical issues like blank pages when selecting team members?\n\nAnswer: Yes, adding new members to an existing team on CodeArena is possible, though some users have reported occasional issues, such as a blank page appearing when trying to select members. If you face such an issue, consider trying again on a different day as it might be a temporary glitch. If the issue persists, you are advised to submit a help desk request at https://code4rena.com/help. \n\nFurthermore, it's important to note that teams can make changes, like addition or removal of members, by submitting a request through the help desk. Just remember that team modifications, including changing team names or managing varying team members for different contests, might require approval from the Code4Arena (C4) team. For more detailed information on team registration and configuration, refer to the documentation at https://docs.code4rena.com/roles/wardens#registering-a-team. \n\nLastly, there are discussions about potential improvements to team management on the platform. 
If you have any suggestions, consider participating in these discussions at https://github.com/code-423n4/org/discussions/43.", "Question: If an issue I submitted in a contest is labelled as \"sponsor disputed\" in the published report without any explanation, how can I check the reasons for the dispute and understand why it was rejected?\n\nAnswer: Once the report is published and the findings repository is made public, you can review the discussions among sponsors and judges on the specific issue. This process allows you to understand why your submission was not accepted or why it was labelled as \"sponsor disputed\". If the reasons for rejection or dispute are not clear, you can look for duplicates or ask the judge for explanations. \n\nIf the issue was disputed by the sponsor, it could be due to a disagreement about the scope of a particular problem or the proposed mitigation. In such cases, users are encouraged to still report the issue. You can also check the findings report repositories to verify which of your findings were rejected and why. \n\nThe sponsors will generally review and triage the findings after the contest is over, and the judges are expected to provide reasons for classifying an issue as invalid or disputed. The delay in providing feedback could be due to slow sponsor review and final judging processes. \n\nIt's important to remember that if you submitted issues for a contest but did not make the award list, your issues are likely to have been rejected. However, it's always beneficial to confirm this by reviewing the available report. The findings repo will be made public one week after the contest is over (for old contests) or immediately after with triaged and deduped issues.\n\nIf you submitted issues but are unsure about them due to lack of specification in documents, we advise you to submit these findings or directly message the sponsor team for additional context. 
All reported issues can be viewed by a judge without needing a direct link sent to them.\n\nIt's worth noting that the issues in the published reports might be similar to those reported initially. There might be some uncertainty about this, and whether the published reports are a summary of what was submitted, as this point is not entirely clear from the available information.\n\nFor a detailed review of your submissions and reasons for their rejection, you can refer to the published report and the findings repository. The exact location of these resources will depend on individual contest rules and sponsor preferences. The reports are generally available and reviewed immediately after a contest ends, but they await sponsor review, final judging, and Quality Assurance before being made public.", "Question: What happens if a participant in a CodeArena contest escalates the severity of an issue from low to high in their submission, and what are the guidelines to follow in such cases?\n\nAnswer: At CodeArena, if a participant identifies an issue that is ranked as low in a contest's automated bot report but then escalates it to high in their submission, the report doesn't become automatically invalid. However, there are certain caveats that participants need to be aware of. \n\nFirstly, while the automated bot reports are used as a preliminary assessment, they don't define the final verdict. Therefore, the onus is on participants, or \"wardens\" as they're referred to at CodeArena, to provide strong evidence that demonstrates a relevant high or medium severity exploit path for their escalated issue. This is necessary because submissions based on automated findings are subject to a higher burden of proof.\n\nIf an issue is in the same category as one in the bot report but isn't included in it, it can still be considered a valid finding. 
Also, if an issue is submitted as high severity and the judges disagree, the severity might be downgraded but the judges will still award the submission for the found issue unless they invalidate it for overinflating the severity. \n\nHowever, if a report closely resembles the bot report or contains numerous invalid issues, it can be penalized. Additionally, if a QA issue is submitted as low severity but judged as medium, it will be eligible for medium rewards. \n\nUltimately, it's crucial for participants to understand that the decision on rewarding severity escalations in a contest report rests with the judges. They should aim to submit high-quality reports and focus their efforts on high severity issues. \n\nFor a detailed breakdown of the submission policy, participants can refer to CodeArena's official documentation available at this link: [https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues].", "Question: What are the eligibility criteria to participate in CodeArena's private audit contests?\n\nAnswer: Participation in CodeArena's private audit contests is not strictly limited to top-ranking wardens. To be eligible for these contests, a participant needs to be a certified warden, which involves competing in audit contests and possibly meeting other conditions such as having a certain number of valid findings or reports or participating in a specific number of contests.\n\nThese private contests, including Versus contests that are competitive and often invite only the highest performing wardens, list their specific eligibility criteria in the #\ud83d\udd96rsvp-certified channel on our Discord. It's important to keep an eye out there for the latest opportunities. 
Private contests have their RSVPs available in a channel only visible to certified wardens, and if it\u2019s in the public RSVP channel, it\u2019s a public contest.\n\nHigh-ranked teams are eligible to compete in invitation audits that prioritize highest-ranked wardens. The number of wardens participating in a contest is generally disclosed only after the contest ends. Wardens will soon have the ability to apply for the certified warden role, giving them access to findings shortly after contests end.\n\nIt's also worth noting that some contests like the mitigation-review contests and the 'vs contest' that involves only 3 wardens (with an RSVP process where the best performing wardens get first choice) are open only to certified wardens. Specific contests like the PolynomialFi and Ambire contests also require participants to be certified wardens.\n\nFor more details on becoming a certified warden and access to private audit contest, visit: https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0.", "Question: How are rewards allocated in cases of duplicate and misclassified submissions?\n\nAnswer: The allocation of rewards for submissions in CodeArena contests largely depends on the judges' discretion. If a participant evaluates an issue as low and it's later judged as medium, the participant may still be rewarded. Contest participants need to provide strong evidence to escalate a known low from the automated findings to a high, as detailed in our [submission policy](https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues).\n\nFor duplicate submissions, the value is typically reduced for each warden and split depending on the number of duplicates, as per our [incentive model](https://docs.code4rena.com/awarding/incentive-model-and-awards). 
In cases where multiple wardens find the same issue, the report of the highest quality usually gets more money, while duplicates below a certain threshold may not get any money. The submission quality also influences the distribution of bonuses.\n\nMisclassification of a bug's severity doesn't necessarily invalidate the submission. For instance, if a High severity bug is judged to be Medium, the reward for a Medium bug is still given. If an issue is submitted as high severity but downgraded to medium by a judge, it would not be considered overinflated severity and thus be invalidated, according to our [award guidelines](https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions). \n\nRewards are also influenced by whether submissions are individual or team-based. If a team submits a non-duplicate finding, they get more rewards than if they had individually submitted the same finding. Also, there is no difference in payout between the first to find a bug and anyone else who finds the same bug; the overall value of the bug is reduced and split based on how many people find it. \n\nOverall, the reward distribution is a complex process considering various factors and is managed as fairly as possible to encourage high-quality, valid submissions. For more information, refer to our [incentive model and awards guide](https://docs.code4rena.com/#incentive-model-and-awards).", "Question: If my initial KYC application is rejected or still pending, can I reapply or expedite the process given that I don't have any primary restrictions?\n\nAnswer: If your KYC (Know Your Customer) application is rejected or still pending, the recommended step is to directly work with Provenance, the KYC provider, on the original application. The KYC process may encounter delays or rejections, and the reasons for these rejections may not always be communicated. 
You can submit a help desk request to track the status of their KYC confirmation or raise a help request through the form on the company's website if you don't get any reply to their KYC application within five business days. \n\nPlease note that identification verification for KYC may not necessarily require a passport; other forms of recognized ID may also be acceptable. Also, the application for KYC approval does not automatically grant access to private contests. You can start the KYC application process at https://docs.code4rena.com/roles/certified-contributors. Some activities require KYC certification or being certified, especially if they involve audits or certain contests. However, you can participate and receive payouts in most contests without being KYC'd or certified. Those that require KYC will have it stated in their guidelines.", "Question: What is the process for understanding why an issue was labeled as \"sponsor-disputed\" or rejected, and how can I engage in a discussion about this decision in the contest?\n\nAnswer: If an issue you've submitted during a contest is labeled as \"sponsor-disputed\" or rejected, and no explanation is provided, there are several steps you can follow to understand why. First, you should check for duplicates of your issue, as it's possible that your issue was already reported by another participant. After that, you can review the findings report once it's published and the repository is fully opened. \n\nThis report will show the discussions among sponsors and judges about the specific issues. It can be found on the findings report repositories, which are shared either after the contest is over, or one week after with triaged and deduped issues. If you still have queries about the decision, you're encouraged to engage in a discussion about it. 
You can do this by reviewing issues at https://github.com/code-423n4/org/issues, where you can add comments on existing issues, support existing suggestions, or open a new issue if your concern is not already addressed. \n\nAlso, you can monitor the backstage channel for the post-judging stage of the contest. Despite potential disagreements, it's important to trust in the sponsors' judgement, although it's recognized that potential conflicts of interest may occur. If you have further queries regarding the scope of a particular issue or if you're uncertain about the severity of your findings, you're encouraged to reach out directly to the respective sponsor for additional context. \n\nPlease remember that the judges are expected to provide reasons for classifying an issue as invalid or disputed, but delays in judging and feedback could be due to the sponsor review process. Also, there's a process for you to argue your case if you disagree with their decision, but this should be conducted respectfully and professionally. Finally, the system is continuously improved based on user feedback, so your input is valued and appreciated.\n", "Q: How are rewards distributed in Code4rena, especially in the context of duplicated reports, team submissions, and changing wallet addresses?\n\nA: Rewards distribution in Code4rena is based on a variety of factors. If two people submit the same issue using the same warden but different wallets, each person gets less than half of the reward. Also, if you submit a duplicated report, the payout may be affected. More on the incentive model and awards can be found at [here](https://docs.code4rena.com/#incentive-model-and-awards).\n\nWhen part of a team, if you submit a non-duplicate finding, the team gets more rewards than if each team member had individually submitted the same finding. 
Moreover, it's important to note that if a user changes their wallet address, rewards are sent to the wallet address on file at the time awards are calculated for an audit. Participants can use a new wallet address in reports going forward and rewards for the report will be distributed to the new address. More information about changing wallet addresses can be found [here](https://docs.code4rena.com/roles/wardens/warden-auth#can-i-change-the-wallet-address-where-i-receive-awards).\n\nRemember that rewards from contests are distributed to the user's registered wallet address and updates about distribution can be checked in the announcement channel. After rewards are confirmed and announced, participants have to wait for the rewards to be transferred to their wallets. Some rewards may be pending after a contest has finished, possibly due to the use of multisignature wallets which require signatures from multiple parties before funds can be released. \n\nLastly, it's important to mention that users can submit a report without being certified, but certification is necessary to receive rewards. And if you're unsure whether you have submitted an address for rewards, you can check it using the help form at [Code4rena's help page](https://code4rena.com/help).", "Q: Can you explain the process of reward distribution at CodeArena, particularly how rewards are calculated, when they are distributed, and how duplicate issues and changes in wallet addresses affect these rewards?\n\nA: Sure, the reward distribution at CodeArena is a complex process that takes several factors into account. First, we calculate rewards based on the value of the bugs found and the quality of the reports submitted. If the same issue is found by multiple participants, the overall value of that bug is split among them, reducing the payout for each individual. However, the best report typically receives a larger share of the rewards. 
If a report is considered a duplicate below a certain threshold, it might not receive any reward at all. More details on this can be found at [our incentive model and awards page](https://docs.code4rena.com/#incentive-model-and-awards).\n\nThe distribution of rewards does not occur immediately after the reward computation, largely due to the use of multisignature (\"multisig\") wallets, which require signatures from multiple parties before funds can be released. Also, there might be some delay due to the involved sponsors' time. We're working on a system to distribute rewards via smart contract, which should streamline the process once it's in place.\n\nIf you change your wallet address, the rewards for your reports will be sent to the address on file at the time the awards are calculated for an audit. There can sometimes be delays in rewards being paid out, and in a worst-case scenario, you might wait up to two months to receive your rewards. However, reducing these turnaround times is a high priority for us.\n\nThere are also instances where rewards may be pending after a contest has finished due to unspecified reasons. In the event that a team wins a reward but can't claim it due to KYC issues, it's currently unclear whether the reward will be held until the KYC process is completed or if it will be forfeit.\n\nWe understand that our reward distribution process can be confusing and we're committed to providing more clarity, especially in relation to how rewards are split for teams and how the rewarding formula works in terms of finding count and partial credits. We hope this explanation has been helpful and we encourage you to check out our [FAQ](https://docs.code4rena.com/#incentive-model-and-awards) for more information.", "Question: What is the process to appeal or discuss a finding that has been classified as invalid in the CodeArena audit?\n\nAnswer: If you believe a valid finding has been misclassified as invalid, there is an established appeal process. 
This process is detailed in the CodeArena documentation at [https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision). \n\nPart of this process involves receiving feedback from the judge who classified your finding. Judges are expected to provide reasons for their decision, and this feedback is seen as crucial for learning. However, there have been concerns about findings being labelled as invalid without an explanation. If you encounter such an issue, you should bring it up during the appeal process. \n\nIf you initially submitted a finding with a certain severity but the judges believe it to be of a different severity, there will be a discussion about re-assigning the severity. For instance, if a finding is submitted as medium severity but the judges believe it is high, the severity can be upgraded, unless a penalty is necessary.\n\nIn cases where there is a disagreement about the validity of a finding between the user, judge, and sponsor, this can be discussed according to the policy at the provided link above. \n\nUsers also have the ability to monitor the backstage channel for the post-judging stage of the concerned contest to query an issue marked as invalid. If a user realizes that a finding was a false positive after submission, they can retract the submission on the contest page under the findings tab. \n\nRemember, even if a finding is deemed invalid, the individual's C4 profile findings can be updated for visibility. And if a finding is disputed by the sponsor as 'won't fix', but is indeed a valid finding, it will still get rewarded. 
\n\nIn case of any concerns or further questions during the contest, you can access backstage to speak with the judge and comment on your finding to gain clarity or argue your case.", "Q: How does the Know Your Customer (KYC) process work at CodeArena and what should I do if my application is rejected or pending for a long time?\n\nA: At CodeArena, the Know Your Customer (KYC) process is an important part of becoming a certified contributor or taking part in a contest. After applying for KYC through our website [https://docs.code4rena.com/roles/certified-contributors](https://docs.code4rena.com/roles/certified-contributors), you will receive an email from our KYC provider, Provenance and from C4. \n\nPlease note that the KYC process may take more than a week due to background checks and Office of Foreign Assets Control (OFAC) sanctions. Some users may have to wait for 10 days or more. Also, note that passing the KYC does not automatically grant access to private contests. \n\nIf your KYC application is rejected, the specific reasons may not be communicated due to privacy and security reasons. However, you are encouraged to work again with Provenance, the originator of the application. They may have more detailed requirements for documentation than what is outlined in C4's guidelines. Identification verification for KYC may not necessarily require a passport; other forms of ID may also be acceptable.\n\nIf you don't get any reply to your KYC application within five business days, or if it is still pending after a significant time, you can raise a help request through the form on our website. Remember that processing of backstage access requests could take up to 24 hours after KYC is admitted. 
\n\nPlease understand that this process is necessary to ensure the integrity of our platform, but we acknowledge that not everyone desires to go through this process to become a backstage warden.", "Question: What happens if I disagree with a judge's decision about the evaluation of an issue in the Code4Arena contest? \n\nAnswer: The judges at Code4Arena have the responsibility to review findings, and their decisions regarding the issue's validity, severity, and quality are final. They have the authority to decide the severity of escalations in a contest report and can choose to downgrade an issue they believe has been overinflated. However, if you are unhappy with a judge's decision, there is a process in place to handle such disagreements. You can discuss the matter according to the policy provided in Code4Arena's documents, found at this link: https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision. \n\nYou can ask the judges for feedback on the ruling to better understand their reasoning, and if you believe that your finding has been wrongly classified as invalid, there is an appeal process in place. However, it is important to note that once the contest payouts have been sent, the outcome cannot be changed. In case of overlooked issues, they can be flagged to the judge and sponsor. \n\nIf a judge labels an issue as invalid, they are expected to provide a reason for their decision. If you feel that a judge has failed to do so, you can raise a discussion on this matter. In case of findings where the judge and sponsor disagree with your proposed mitigation, the final decision lies with the sponsor. Despite the disagreement, if you have pointed out a judge-approved bug or logic flaw, it will still be considered an achievement. 
\n\nIn sum, while judges' decisions are final, participants in the Code4Arena contest can engage in a dialogue with judges, appeal decisions they believe to be wrong and receive feedback on their findings.", "Question: What should I do if my KYC application is rejected due to incorrect documents or a mistake in uploaded files?\n\nAnswer: If your Know Your Customer (KYC) application is rejected due to incorrect documents or a mistake in the uploaded files, it's suggested to respond directly to the rejection email asking for more clarity. However, if you don't receive any response within five business days, you can raise a help request through the form on our website [https://docs.code4rena.com/contact-us] for further assistance. \n\nRemember, the KYC application process allows for reapplication. If you had an error in your initial application, you can correct it and reapply. The KYC process, provided by Provenance, may have more detailed requirements for documentation than what is outlined in C4's guidelines, so make sure to review this thoroughly. Also, it's important to note that you don't necessarily need a passport for identification verification, other forms of ID can also be acceptable. \n\nPlease be patient after reapplying as there may be delays in the process due to the volume of applications. If your application is still pending after a considerable time, you can submit a help request. Be aware, the certification process can move more quickly if you promptly supply the necessary documents to the KYC provider. \n\nFor more information about the KYC process, you can visit our page dedicated to Certified Contributors [https://docs.code4rena.com/roles/certified-contributors].", "Question: What happens if my KYC application is rejected at CodeArena and can I reapply?\n\nAnswer: Yes, you can reapply if your KYC (Know Your Customer) application is rejected at CodeArena. 
The initial result may likely be the same unless there are changes in the information you submit. However, it's recommended to work directly with the originator of the application if your KYC application is rejected. The reasons for rejection are not always communicated, but you can submit a help request through the form on the company's website if you don't receive any reply to your KYC application within five business days. \n\nIt's important to note that the KYC process is required to participate in certain audits and the application for the KYC approval does not automatically grant access to private contests. Some users have experienced delays in the process, which can take a week or longer to complete. If you have been waiting for a considerable time and your application is still pending, you can submit a help request.\n\nKYC certification is also required if you wish to apply for Certified+ status following a high finding. Furthermore, if you win a prize but are unable to claim it due to pending KYC issues, it is unclear whether the prize will be held or lost. \n\nYou can initiate your KYC application at https://docs.code4rena.com/roles/certified-contributors. After submitting the application, an email confirmation will be sent from Provenance and C4. \n\nPlease be aware that in order to participate in an audit that requires KYC, you need to be a certified participant. The details regarding this will be specified in the applicable channels. \n\nIn case of any queries or delays, feel free to raise a help request to track the status of your KYC confirmation.", "Question: How can I become certified on Code4Arena and what benefits does this certification provide?\n\nAnswer: Becoming certified on Code4Arena allows you access to a range of exclusive features such as editing your profile, gaining backstage access, auditing private contests, and the ability to display \"Available for Hire\" on your profile. 
To become certified, you need to follow a process and fulfill certain prerequisites detailed at https://docs.code4rena.com/roles/certified-contributors. Here, you will find information on the process of becoming a Certified Contributor and the specific guidelines for certification. \n\nOnce you submit your application, it goes through an approval process which is updated via email. Please note, it may take a few days for your certification to reflect on your profile after approval. If you wish to gain backstage access or permission to audit private contests, additional qualifications may be needed and you should create a help desk request to have your status evaluated. Also, be aware that the option to add \"Available for Hire\" status on a profile may not immediately appear, even after certification, due to manual steps on the backend. \n\nYou can check if you are certified by clicking your name to see your assigned roles. More detailed information about the certification process, benefits, and constraints can be found at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints.", "Q: What do I need to know about the Know Your Customer (KYC) process at CodeArena?\n\nA: The Know Your Customer (KYC) process is an important part of CodeArena's protocol for certain contests, audits, and roles such as wardens. It is primarily used for identity verification and involves compliance with OFAC sanctions and background checks. Provenance, a third-party provider, handles the KYC process and they may have more detailed requirements for documentation than what is outlined in C4's guidelines. \n\nKYC verification is essential for participation in certain activities such as the Base and Chainlink contests, private audits, and in order to obtain the Certified+ status after a high finding. All members of a team participating in these events need to go through and pass the KYC process for the team to be eligible for rewards. 
Also, backstage wardens, who have access to findings soon after an audit, need to undergo KYC and Non-Disclosure Agreement (NDA) procedures for security reasons.\n\nIn terms of timeline, the KYC process can potentially take a week or longer to complete and responses from Provenance may take some time, so patience may be required. Please note there may be delays and potential rejections in this process. The reasons for rejections are not always communicated back to the user.\n\nLastly, not all identification verification requires a passport for KYC; other forms of ID like national identification cards may also be acceptable. However, some activities like the Maia DAO Ecosystem contest do not require KYC verification. Also, it is possible to participate and receive payouts without being certified, but certain activities still require certification or KYC verification.\n\nYou can learn more about the certification process and constraints at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. Please remember, even after KYC approval, certain private contests may not be accessible if they have already been assigned.", "Question: How can I dispute a judge's decision, modify my findings, and update my QA report?\n\nAnswer: If you disagree with a judge's decision, you can open a discussion for re-evaluation according to the policy specified at [https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision). If you had backstage access during post-judging, you can directly speak with the judge to re-evaluate your finding with factual comments. \n\nTo modify your submitted findings, navigate to the contest page and click on the \"your findings\" button. You are allowed to update the format of your findings before the contest closes. 
If required, you can also submit a helpdesk request with all the information and the update.\n\nTo update your QA report, select the \"My findings\" option on the contest page. You can review issues, add comments on existing issues, support existing suggestions or open a new issue if your concern is not already addressed at [https://github.com/code-423n4/org/issues](https://github.com/code-423n4/org/issues). \n\nIf your submission is rejected, there is an appeal process in place for valid findings that have been classified as invalid. Feedback from judges will help you understand the reasoning behind the ruling and how to improve. Even if a finding was deemed invalid, it can still be updated on your C4 profile for visibility. The inclusion of high-risk findings depends on the contest and the judge. If you believe your finding should be considered, it's advised to make a case to the judge in the submission.", "Question: What is the process and timeline for help desk requests at CodeArena?\n\nAnswer: Help desk requests at CodeArena are typically reviewed within 1-2 business days, provided that the request is submitted during business hours and on business days. Once a help desk ticket is submitted, you will receive a confirmation that the request has been received. The status of the request can be followed up and should generally receive a response within a week. Please note that the timeframe can vary depending on the nature of the request, and there could be occasional delays. It\u2019s important to note that responses are not issued on weekends. For special requests such as becoming a certified warden or approving a team for contest participation, processing can take up to a few business days. Specific inquiries about project findings or contest results may take longer due to the complexity and number of reports under review. 
These can range from 2 to 6 weeks or even longer in some instances.", "Question: How can I create a complete profile on Code4Arena, including linking it to my Twitter account, changing my profile picture, and editing my username?\n \nAnswer: To create and edit your profile on Code4Arena, you first need to be a certified user. Once certified, you can add or change various elements of your profile, including linking to your Twitter account and changing your profile picture.\n \nTo link your Twitter account to your Code4Arena profile, you will need to create a help desk request [here](https://code4rena.com/help). In your request, include your Warden name and Twitter URL. You can also link your profile to the Code4Arena leaderboard this way. Similarly, if you want to change your avatar or profile picture, you can submit a help desk request at the same link. For a detailed guide on attaching Twitter handle and profile picture, you can follow the instructions [here](https://github.com/code-423n4/code423n4.com/tree/main/_data/handles) and make a pull request for your handle. \n \nTo update your username or other profile details, a manual update might be necessary by the Code4Arena admin. For any changes related to your username in the leaderboard or contest results, you can also create a help desk request. \n \nRemember, your profile name on Code4Arena should match with your name in the chat for consistency. If you encounter any issues, such as connecting your Discord account with your Code4Arena account, you can reach out for help via the same help desk link. If you are a part of a team or wish to create one, you can do so [here](https://code4rena.com/register-team). 
Changes to team names and other related issues can also be addressed via the help desk.\n \nFor aspiring contributors, applications can be submitted [here](https://code4rena.com/certified-contributor-application) to become a certified contributor at CodeArena.", "Q: When can I expect the \"Arbitrum Security Council Election System\" results to be published on the website, and how will I know the status of my bug reports submission and activity?\n\nA: We appreciate your patience, as the \"Arbitrum Security Council Election System\" results are currently in the post-judging QA phase and are expected to be published on the website once they are finalized. The exact timeline is hard to predict, but we hope to start awarding within the next week. We update the Warden Activity Streams on our website once the report is published and the findings are made public. \n\nIn the interim, to familiarize yourself with what a high-quality submission looks like, you can examine previous reports at https://code423n4.com/reports. We strongly recommend reviewing our submission policy at https://docs.code4rena.com/roles/wardens/submission-policy and our audit contest reports at https://code4rena.com/reports. \n\nPlease remember to submit all bug reports before the audit contest closes. After the contest, you will be able to review submissions when the report is published and the findings repo is made public. While we do update our public report page mid-contest, the final report may not appear immediately after the leaderboard is shown and rewards are dispatched. We suggest waiting until the full public report is published before doing a write-up of some issue or bug you found on a project.\n\nThere is currently a proposal to release all unverified submissions a few days after a contest ends for learning purposes, which you can find more about here: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123. 
We are also considering implementing a system that allows certified contributors to view submitted issues right after contest closure and to comment or give input on these issues during judging. \n\nLastly, we take confidentiality very seriously and all bugs found during the competition are kept confidential until the contest is over and the judging process has been completed. Feedback for submitted issues typically comes within a couple of months, once the contest has closed and the report is published. For changes in the severity of reported bugs after contest closure, these can be conveyed to the judge through designated contact points.", "Q: How do I dispute an issue that has been marked as invalid, and what is the process I should follow to appeal against the decision?\nA: If an issue you submitted is marked as invalid, you can dispute this decision by monitoring the backstage channel for the post-judging stage of the relevant contest. Judges are expected to provide reasons for marking an issue as invalid, and a discussion can be opened if you disagree with the decision. \n\nIf an issue is labeled as \"sponsor-disputed\" without an explanation, you should check for duplicates and ask the judge for clarification after the judging phase. If you have concerns about a particular contest, such as the golom contest, you may resubmit the issue and create a help desk request to withdraw the invalid submission. \n\nIt's important to note that while submitting an issue, it is beneficial to include a proof of concept and a case for how an item can be exploited to avoid being marked as invalid. 
If an issue is submitted with what you think is a high severity issue, and the judge disagrees, the issue might be downgraded but you will still be awarded for the found issue, unless judges invalidate it for overinflating severity.\n\nIf you firmly disagree with a judge's decision about a contest judgment, you are encouraged to review issues at https://github.com/code-423n4/org/issues. You can add comments on existing issues, support existing suggestions, or open a new issue if your concern is not already addressed. \n\nRemember, there is an appeal process in place for valid findings that have been classified as invalid. This appeal process is further detailed in a section of our documentation at https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision.", "Question: What tools are available to read on-chain storage slot values, including the private state, and what precautions should be taken?\n\nAnswer: Yes, there are several tools available that can read on-chain storage slot values, including the private state. \n\nThe most notable ones suggested by our community are EVM.storage and the Metadock chrome extension from BlockSec, which not only allow you to read the values but also reveal these values in etherscan. These tools can be particularly helpful in understanding the opcode usage on-chain. \n\nPlease be aware of potential scams with chrome extensions imitating legitimate tools. Also, understanding how Solidity stores state variables can be vital. Solidity stores state variables in 32 bytes storage slots and packing variables into fewer slots can reduce gas costs, more about this can be read at the Solidity documentation [here](https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html).\n\nAnother approach is using a smart contract testing framework like Foundry, which can log the gas remaining after the state variable update. 
However, you might need tools like \"foundry debug\" to introspect contract execution at the EVM opcode level.\n\nThough not a tool, understanding how functions like delegatecall work with storage is also crucial, which you can find in the Solidity docs and the Geth source code [here](https://github.com/ethereum/go-ethereum/blob/master/core/vm/evm.go#L302).\n\nFor those starting with smart contract auditing, there is a good resource available at [Code4rena](https://docs.code4rena.com/roles/wardens/tools-and-resources).\n\nRemember to always verify if a contract has been initialized on the Ethereum mainnet using automated tools before proceeding with auditing or analysis.", "Q: What is the process and timeline for a Github organization invite to be sent to a certified warden at CodeArena? \n\nA: The process to become a certified warden involves several steps and timelines. After submitting an application to become a certified warden, it may take 2-3 weeks to receive the Know Your Customer (KYC) email from compliance@provenance.company. This email may appear in your spam folder, so be sure to check it. The estimated wait time to become a certified warden after sending a request is approximately 2 business days. However, after approval, it can take around 2 weeks to mark a warden as certified. \n\nOnce certified, you will be part of a permissions group/team on GitHub to give you access to private repositories. It's up to individual users to decide whether to make their membership on private teams public or not. Keep in mind that your email and GitHub username will not be listed publicly by CodeArena. \n\nFinally, the review process post-audit by judges can take about 8 weeks. Certified wardens can generally see findings immediately upon audit closure. \n\nThe full process can be found at https://docs.code4rena.com/roles/certified-contributors. To apply, please visit https://code4rena.com/certified-contributor-application. 
Be aware, the initial email from Provenance in the Certified Warden verification process does not have a specified timeframe for delivery but the process after working with Provenance usually takes around 1-2 business days. \n\nWe appreciate your patience and interest in becoming a certified warden.", "Question: How can I edit or modify a submitted analysis in a CodeArena contest?\n\nAnswer: At the moment, the ability to directly edit or modify a submitted analysis is not available on the platform. However, findings submitted for a contest can be edited while the audit is open. To do this, navigate to the contest page and click on the 'Your Findings' button. Take note that this option may not be available after the audit has closed. If you need to make modifications to your analysis report after submitting, it is suggested to create a help desk request including a secret gist to have your edits added to the comments of your analysis report before the audit closes. It's worth noting that the platform is working on the functionality to allow editing or resubmitting of an analysis report in the future. For more details, you can refer to the Guidelines and FAQ on this link: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Question: How can I earn the leaderboard role at CodeArena?\n\nAnswer: To earn the leaderboard role at CodeArena, you need to rank on the leaderboard, which typically involves actively participating in contests and earning rewards. Specifically, if a user places in the top 5 of a contest and has received the reward, the \"leaderboard\" tag should be updated in the roles on their profile. Once you earn some reward and appear on the leaderboards, you can get the \"leaderboard\" Discord role. \n\nIt's also possible to make changes to your leaderboard profile, for example, to change your profile icon or username link, by submitting a help desk request at https://code4rena.com/help. 
You can also check your acceptance as a warden and view your leaderboard standings at https://code4rena.com/leaderboard/. \n\nPlease note that to gain permission to audit private contests, you usually need to be certified, in addition to earning a rank on the leaderboard. You can apply to become a certified contributor at CodeArena via this link: https://code4rena.com/certified-contributor-application. \n\nRemember, your leaderboard standing is not transferable, meaning any findings submitted under your current handle or username will not be moved to another account. For more detailed information, feel free to check CodeArena's guidelines or submit any queries through their help desk.", "Question: I submitted a help desk request last Friday but have not received a response yet. Should I follow up with an additional request?\n\nAnswer: At CodeArena, help desk requests are typically processed within 1-2 business days during the business hours. However, if you submitted your request on a Friday, bear in mind that our team may not respond during the weekend. You can expect a response within a week of submission. If you haven't received a response within this timeframe, it's appropriate to follow up. \n\nTo submit or follow up on a help desk request, you should visit https://code4rena.com/help. After submitting your request, you will receive a confirmation of receipt. If you are awaiting a status update, raising an unresolved issue, or addressing problems with registration, analysis submission, or even profile updates, our help desk is equipped to assist you. \n\nRemember, you can also raise a help request if you have not received an email after submitting a finding or if you are having difficulty adding new team members. Furthermore, if you need assistance with your KYC application, you can submit a help desk request if you don't receive a reply within five business days. 
\n\nIt's also worth noting that help desk requests have been successfully used for a variety of matters, so don't hesitate to reach out for assistance when needed. We strive to resolve requests within 24-48 hours on business days. Your patience and understanding are appreciated.", "Question: How can I test the effects of block re-orgs on the block confirmation time in the Chainlink VRF v2 requestRandomness? \n\nAnswer: Testing the effects of block re-orgs on the block confirmation time in the Chainlink VRF v2 requestRandomness requires specific knowledge in blockchain technology and smart contracts. One approach could be to create a proof of concept against a block number known to work on a testnet fork, triggering state changes to observe the impact on the block confirmation time. A public testnet could be used for this purpose, allowing for a complex state and a large number of users. However, it's essential to consider the ethical and security implications of demonstrating actual attacks like re-entrancy attacks on a public testnet. \n\nTo further understand the details, you might want to investigate tools that can read on-chain storage slot value, including private states, or check for opcode usage on-chain. You may also study case studies on smart contract vulnerabilities, such as this ToB Hermez audit example that discusses front-running the init() function: [https://github.com/trailofbits/publications/blob/master/reviews/hermez.pdf](https://github.com/trailofbits/publications/blob/master/reviews/hermez.pdf). Some of these case studies might provide insights into how state changes can affect block confirmations. \n\nFor a comprehensive understanding of testing smart contracts, you may want to explore resources on Web2 security in the context of Web3, like studying the Geth node, and consider automated tools to verify contract initialization. 
\n\nPlease note that the above suggestions imply a level of uncertainty due to the complexity of the topic and the specific nature of each smart contract. We recommend further study and possibly seeking expert assistance to ensure a thorough and accurate test.", "Question: How do judges make decisions about issue validity and severity at CodeArena, and can these decisions be queried or appealed?\n\nAnswer: Judges at CodeArena have the responsibility of reviewing all findings submitted during a contest, and determining their severity, validity, and quality. The basis for their decisions is not disclosed ahead of or during the contest to maintain fairness in the process. However, if participants have concerns about a judge's decision, they have several options:\n\n1. They can ask the judges for feedback to better understand the reasoning behind their decision and to learn what could be improved. \n2. Disagreements with a judge's decision can be discussed as per the policy outlined at [CodeArena's Fairness and Validity policy](https://docs.code4rena.com/awarding/fairness-and-validity#if-you-disagree-with-a-judges-decision).\n3. CodeArena has an appeal process in place for valid findings that may have been classified as invalid. \n4. Wardens have the opportunity to see the judging results before they are published and can raise any issues to the judge for reconsideration.\n5. Post-judging, a QA period exists where participants can comment on the judges' decisions.\n6. If an issue is labeled as \"sponsor-disputed\" without an explanation, participants can check for duplicates and ask the judge after judging.\n\nIt's important to note that only the sponsor, not the judges, see the findings early. The judges are expected to provide reasons for classifying an issue as invalid or disputed, and their comments on contest submissions may be visible. However, the identity of the judges for a contest is not disclosed ahead of time to maintain impartiality. 
If a participant wholly disagrees with a judgment decision, they should be aware that there is no recourse if the contest has already been judged.\n\nFor more guidance on the judging process, participants can refer to [CodeArena's Certified Contributors](https://docs.code4rena.com/roles/certified-contributors) page.", "Question: I am a Certified user on CodeArena, but I am having difficulties editing my profile. What could be the issue and how can I resolve it?\n\nAnswer: As a certified user, you should have the ability to edit your profile on CodeArena, including updating your status to \"Available for Hire\". If you recently completed your certification process, please note that it might take a few days for the role to reflect on your profile due to manual steps on the backend. You will receive the status of your certification process via email. \n\nIf you believe that you should have already been granted editing access, please ensure that you have completed all necessary processes. For example, to be marked as \"Available for Hire\", you must be a Certified Warden and edit your status through the profile editing screen.\n\nIf you are looking to apply for a Certified+ status, there are additional application guidelines available at https://docs.code4rena.com/roles/certified-contributors. If you have filled out any form incorrectly or need to update your profile picture, you will need to create a help desk request.\n\nAdditionally, if you have changed your username or intend to link your C4 profile to a Twitter profile, you might need to reapply for certified status.\n\nFinally, please confirm your certification status by clicking on your name to view assigned roles. If you are still facing issues, consider reaching out to the organization through the help desk form for further assistance. Please remember that being a certified user grants access to more contests, but it does not require a full-time commitment. 
It only indicates that your identity has been verified.", "Question: What is a Bot Race at CodeArena and how can I participate in it?\n\nAnswer: Bot Races are competitive events held at CodeArena where participants compete using AI to identify potential code vulnerabilities. These races are typically held during the first hour of an audit. To participate, you would need to be part of a bot team or create your own bot. You can find more detailed information on how to participate in Bot Races on this page: https://code4rena.com/register/bot.\n\nBot Races are not always open for registration, they have qualifiers that take place every few weeks. Information about upcoming qualifiers and updates can be found in the #\u270brsvp channel on our Discord. If your bot finds a high or medium finding during a race, it will earn a reward from the bot pool based on its ranking in the race. It's important to note that bots can only gain more rewards by accumulating more points and shifting the rank cutoffs, which could potentially lower the ranks of other participants.\n\nPlease note that the reward structure for Bot Races is subject to change, and updates will be announced on our Discord. As of the current structure, if you wish to participate and use AI in auditing, we highly recommend entering the Bot Races instead of using ChatGPT, as you cannot receive a reward for findings made with it.\n\nShould you have any more queries related to Bot Races, you can reach out in the #bot-race-help channel on our Discord.", "Q: What happens to the reward if the severity of a finding is misclassified in my submission, and what should I consider when classifying the risk of a bug?\n\nA: The reward for your submitted finding depends on how it\u2019s ultimately classified by the judge, even if it differs from your initial submission. If you submit a high-risk finding that is judged as low-risk, or vice versa, you'll still be rewarded. 
If you evaluate an issue as low and include it in a QA report but it is judged as medium, it would be eligible for medium rewards. Similarly, a high severity bug that turns out to be only medium will still receive the reward for a medium bug. However, it is crucial to provide sufficient evidence and reasoning in your report to support your classification of risk. \n\nDeciding between high and medium risk can be based on the severity of loss caused by the issue. If all rewards can be lost, it's typically MED/HIGH. If there's a risk of losing some rewards, it's probably medium. If rewards are lost due to roundings, it's usually classified as QA. A high risk issue could include a finding that breaks the protocol, even if no funds get stolen. \n\nIt's important to note that the final decision lies with the judge and can vary depending on the specific contest. You are advised to make a strong case in your submission if you believe a high-risk finding should be considered. If a finding is classified as low risk in your QA report but is judged as medium by other wardens, the judge usually upgrades it automatically. \n\nRemember, for each unique High or Medium finding that's selected for inclusion in the audit report, a 30% share bonus is added to your reward. If no Medium/High vulnerabilities are found, the full award pool would be divided based on the QA Report curve. \n\nIn the case of an automated finding that can lead to a high severity finding, you could report it again during the contest and potentially be rewarded with a higher severity. 
\n\nFor more detailed information on risk classification and rewards, refer to: \n- Risk Estimation: https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr\n- Reward Calculation: https://docs.code4rena.com/incentive-model-and-awards#high-and-medium-risk-bugs\n- QA Report Eligibility: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum", "Q: How do I edit my analysis report after submission on CodeArena?\n\nA: Currently, you have the ability to edit your findings after submission as long as the audit is still open. This can be done by navigating to the audit page and clicking on the 'Your Findings' button. This feature is outlined in detail at https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118. \n\nHowever, it's important to note that right now, the platform does not support direct editing or resubmission of the full analysis report. If you need to make significant changes to your analysis report after submission, you may need to create a help desk request. This request should include a secret gist (a space where you can store and share parts of the report) to have your edits added to the comments of your analysis report before the audit closes. \n\nWe are working to improve this functionality and will potentially include direct editing of the analysis report in the future. We recommend regularly checking your email and the guidelines (https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118) for updates on this aspect. 
\n\nFor more information on the submission and judging criteria of the Analysis report, you may refer to https://docs.code4rena.com/awarding/judging-criteria#analysis.", "Question: I missed the registration for the Bot Race, how can I participate in future events and where can I get more information?\n\nAnswer: The Bot Race at CodeArena is a unique event where participants compete in auditing with their AI bots. Registration for these bot races is not always open, but we do hold qualifiers every few weeks. The best way to stay updated about upcoming qualifiers or bot race events is by keeping an eye on the #\u270brsvp channel on our Discord server, where all announcements and updates are posted. Those interested in participating can find more information about the bot races and the registration process on our website at this link: https://code4rena.com/register/bot. \n\nPlease note that only registered bots are eligible for competition, and the bots are considered the intellectual property of the wardens and are hence, unlikely to be open-sourced by CodeArena. Also, the winning bot's code will not be made public, only their report will be. \n\nThe bot races usually take place in the first hour of an audit and participants are rewarded for their findings. It's also important to remember that bots not registered in the chainlink protocol can't be used for certain contests, and users cannot receive a reward for findings made with ChatGPT. Instead, they're advised to enter the bot races if they wish to use AI in auditing. \n\nFor any queries or discussions regarding bot races, you can also join the #bot-race-help channel on our Discord server. We look forward to your participation in our next Bot Race!", "Q: I applied for KYC a few days ago but haven't received an email (invitation link) from Provenance. 
What should I do?\n\nA: After you've applied for Know Your Customer (KYC) certification through Provenance, a confirmation email is typically sent to you within one business day. However, sometimes it can take up to two to three weeks to receive this email. The duration can vary depending on the back and forth between you and Provenance. The email will be sent from either compliance@provenance.company or kobus@provenance.company, so please check your spam folder to ensure you haven't missed it.\n\nIf you've received a KYC confirmation email from Provenance, there may be a waiting period before your role is processed on Code4rena's end. If you haven't received an email or any reply to your KYC application within five business days, you can raise a help request through the form on Code4rena's website: https://code4rena.com/help. \n\nPlease note that if your KYC application is rejected, it's suggested to work directly with the originator of the application. After getting your KYC approved and registering with Provenance, there might be a processing period before your role is processed by Code4rena. Remember, you can always open a help desk request at https://code4rena.com/help if you experience a delay.\n\nAlso, be aware that some users have experienced delays in the KYC process and some have not received emails from Provenance. The company is actively working on these issues and appreciates your patience during this process.", "Question:\nWhere can I find comprehensive resources to learn about buying and selling options, particularly put options, related to the Dopex audit and start my journey in smart contract auditing?\n\nAnswer:\nTo begin with, you can learn about put options from this helpful Twitter post: https://twitter.com/DegenShaker/status/1693630283499651386 related to the Dopex audit. 
\n\nFor those interested in diving into smart contract auditing, resources such as https://cmichel.io/how-to-become-a-smart-contract-auditor/ and https://docs.code4rena.com/roles/wardens/tools-and-resources are highly recommended. In addition, the OpenZeppelin webinars are also regarded as useful for auditors, with the first video available at https://youtu.be/6GaCt_lM_ak. \n\nFor more hands-on experience, you could also consider participating in private audits or audit contests. Reading old reports or practicing on past contests can provide some practical insights. A set of such reports can be found here: https://chainsecurity.com/audits/. \n\nTo learn about advanced Solidity and DeFi industry standards, you may want to take up challenges such as The Ethernaut at https://ethernaut.openzeppelin.com/ and Damn Vulnerable DeFi at https://www.damnvulnerabledefi.xyz/. \n\nLastly, the CodeArena Discord has a dedicated #\ud83c\udfebeducation channel where you can find more resources and discuss smart contract auditing with the community.", "Question: What is CodeArena's recommended approach for system isolation when reviewing downloaded packages from sponsors? \n\nAnswer: CodeArena encourages users to take several steps when reviewing downloaded packages from a sponsor to ensure system isolation. A commonly used solution is VirtualBox, with Ubuntu as a frequently-used operating system for running tests, as seen in the GoGoPool contest. \n\nHowever, setting up a full environment might not always be necessary. It's often recommended to run tests in the existing test environment or create new test cases. If there's no test setup in the C4 repository, it might be worthwhile to check the sponsor's GitHub for a potential test setup or isolate parts of the code for testing. \n\nIt's also essential to trust the sponsors, although potential conflicts of interest, such as sponsors hiding bugs, have been discussed. 
CodeArena provides sponsors with a set of example READMEs and a checklist of items to include, which can provide additional guidance.\n\nFor software problems, using Bash commands for environmental variables and docker images have been suggested. Auditors often create their own tests or isolate parts of the code for testing if there's no test environment. \n\nEnsure you are aware of the higher burden of proof for demonstrating a relevant high or medium severity exploit path if you are using automated tools for initial findings. More information can be found in this [discussion](https://github.com/code-423n4/org/discussions/50). \n\nRemember that setting up the environment for contest repositories can be time-consuming due to multiple interrelated contracts and limited documentation. Scouts are responsible for preparing the contest repo to ensure that the provided files by the sponsor are in order and that the test files don't create any security vulnerabilities.\n\nFinally, there are resources like Mythril and Slither available for testing contracts downloaded from Github. A two-tier system for access to code has also been suggested. Always follow the guidelines given in the README.md for each contest, outlining what is in scope for auditing and what is not. Repositories are usually private until they are made public after the issues have been mitigated and cleared for publication by the sponsors. \n\nPlease note, the above strategies are based on discussions and suggestions in our community and might not be the perfect solution for all scenarios. Stay cautious and use your best judgement.", "Question: What constitutes a valid issue in the CodeArena auditing process, particularly relating to assumptions made in the code or bugs that are not explicitly mentioned in the README or code comments?\n\nAnswer: A valid issue in the CodeArena auditing process generally requires clarity, a proof of concept, and consideration of the contest's rules. 
When dealing with assumptions made in the code that aren't explicitly mentioned in the README/code comments, it's crucial to provide an understanding of the potential security impact and a case for how it can be exploited. Lack of these might result in the finding being marked as invalid. \n\nFor bugs, it's advisable to write a test to verify if the bug is valid. If there is no test setup in the C4 repo, you can check the sponsor's GitHub for a potential test setup or pull out the code to test it in isolation. It's also important to point out that not all bugs/gas optimizations stated in publicly known issues are valid for other files within the same repo. \n\nMoreover, if your findings pertain to missing functionalities, those will be considered as long as they highlight security impacts, given the evaluations are performed on the submitted repository assuming it is complete. \n\nFor each contest, the README.md file should explain what is in scope and what is not. Concerns related to inconsistency, process, or lack of clarity in rules can be reviewed at https://github.com/code-423n4/org/issues. For more details on how to provide a proof of concept, refer to https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept. \n\nKeep in mind that while valid findings with incorrect severity ratings are discussed, it's recommended to read https://github.com/code-423n4/org/discussions/34 for insight on severity judgement. Lastly, to understand which findings are no longer valid, refer to the conversations at https://github.com/code-423n4/org/issues?q=is%3Aissue+is%3Aopen+label%3Arules.", "Question: Can I use my bot which is not registered in the Chainlink protocol for Code4rena contests and where can I get more information on participation?\n\nAnswer: No, unregistered bots are not eligible for certain contests. However, Code4rena has introduced a new feature called the 'Bot Race' which allows the use of bots in auditing. 
If you wish to use your bot, you are advised to enter it in the Bot Race instead. Please note that to participate in the Bot Race or Chainlink contests, you must go through a KYC process before submitting your entries. More information about Bot Race, its rules, and how to participate can be found on this page: https://code4rena.com/register/bot. Users have also inquired about tools to verify if a contract has been initialized on the Ethereum mainnet and to check the results of the qualifier for the Bot Race. Unfortunately, specific information on these topics wasn't available in the provided chat excerpt. If you have any more questions, consider reaching out on our Discord channel: https://discord.com/channels/810916927919620096/1093914558776758403/1132679460437639248.", "Question: Can I submit separate findings for different issues that have the same root problem, and how are duplicate vulnerabilities handled?\n\nAnswer: Generally, you may not submit separate findings for different issues that have the same root cause. If two different exploits originate from the same root issue, they are considered as duplicates and should be reported as one issue. However, if two separate vulnerabilities can be combined to create a more powerful exploit, you can submit a third finding explaining the proof of concept. If the same vulnerability is found in different components of the codebase, it may count as separate findings, but it's ultimately up to the judge's discretion to determine if they are duplicates.\n\nIt's also important to note that multiple instances of the same vulnerability should be reported as one issue. If two different issues can be resolved by fixing the same thing, especially if the root causes are the same, they would be considered as one issue.\n\nWhen submitting your findings, it is beneficial to include a proof of concept and an explanation of how the vulnerability can be exploited. 
If you're unsure whether findings should be submitted as separate issues or as one, it's recommended to err on the side of caution and report them separately, giving priority to the exploit with the biggest impact.\n\nIf there's a situation where a known issue can be used to create a more complex exploit, or a line of code has multiple ways of exploitation, it is advised to report all the bugs but give priority to the one with the most significant impact. If you find the same issue that automated findings have identified but in a different instance, you can still submit it, as these findings are still valid.\n\nPlease be aware that submitting the same issue found by you and another team member using different wallets could potentially result in duplication. Also, it's crucial to report any bugs introduced through mitigation efforts, even if they are identified by bots. \n\nFinally, remember that all occurrences of the same issue can be included in a single report when submitting findings. If you are uncertain, favor treating each occurrence of the same bug appearing in multiple places separately.", "Question: I was halfway through the Know Your Customer (KYC) process to become a certified warden with CodeArena (C4), but I created a new C4 account to change my username. Can I transfer my ongoing KYC process to my new account?\n\nAnswer: At the moment, it's unclear whether the KYC process can be directly transferred between C4 accounts. Changing your username might indeed impact your registration as a warden. We recommend you to get in touch with us at compliance@provenance.company about this specific issue. Remember that to become a Certified Warden with C4, you must complete an application and the KYC process, which is delegated to Provenance. It can take 2-3 weeks to receive the KYC email after submitting your application. 
More information about our certification process is available at [https://docs.code4rena.com/roles/wardens/certified-wardens](https://docs.code4rena.com/roles/wardens/certified-wardens). It's also worth noting that you can edit your warden profile once you are certified. Also, if you wish to change the associated wallet or your Discord username, it should be reflected in your C4 account. However, your Discord nickname should still remain as your registered C4 username.", "Question: What is the potential impact of a contract issue like price cumulative reverts due to additions, and how would it affect the overall system functionality?\n\nAnswer: The impact of a contract issue like price cumulative reverts due to additions can vary significantly depending on the specific context of the smart contract and its use cases. However, an issue like this could potentially create a system functionality breakdown, akin to a Denial of Service (DOS) scenario. \n\nFor instance, if a user can push to the array arbitrarily causing price cumulative reverts, this can break system functionality for everyone else, thereby resulting in a DOS. The severity of this issue would depend on the maximum value that could possibly be lost in the reversion and how likely the event is to occur. \n\nIn addition, if this problem arises due to a bug in a contract that impacts another contract, even if it's out of scope, the impact may still be counted and the severity classification would generally be up to the judge. \n\nMoreover, it's important to note that reentrancy is a common issue in both web2 and web3 sectors. If you find multiple similar issues like a Reentrancy attack, they should be reported all together. 
While automated tools can help identify such vulnerabilities, it's still crucial to have your smart contracts audited as these tools may not provide a complete or contextual understanding of the potential impact of such issues.\n\nLastly, it's worth mentioning that if a contract issue like this impacts a staking pool, the severity classification would depend on whether the client doesn't receive a promised amount of rewards, or doesn't receive any rewards at all. For example, an issue related to a potential reentrancy risk without any actual vulnerability was marked as low [here](https://code4rena.com/reports/2022-12-caviar#l-01-missing-reentrancy-guard-to-withdraw-function). \n\nFor more detailed context, consider reading the discussions [here](https://code4rena.com/reports/2022-05-sturdy/#n-10-event-is-missing-indexed-fields) and [here](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22).", "Q: When submitting a QA report, should I include findings classified as medium or high-level severity, or should these findings be reported separately? \n\nA: According to Code4Rena guidelines, it is recommended to compile your Quality Assurance (QA) findings into a single report and submit it separately from the gas report. Please note that this QA report should encompass all low and non-critical issues. As for findings of medium or high severity, these should each be submitted in separate reports with detailed information such as the impact, proof of concept (POC), and recommended mitigation steps if feasible. It is also possible for judges to upgrade issues from QA if they deem the severity should be higher, or potentially downgrade medium issues to be included in your QA report when grading. 
You can find further information regarding this in our documentation [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nIt's important to note that judges take both the quantity and the quality of submissions into account when grading QA reports. A single item in a QA report is unlikely to receive a high grade. You can read more about judging criteria [here](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical) and [here](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports). If in doubt about whether a finding is QA or medium, it is generally recommended to file it as QA unless the POC is coded. \n\nRemember, you can edit your QA report until the audit deadline, so if you identify any other issues of the same severity level, you can include them in the same report. If the report exceeds the character count for regular submissions, you can submit it via a help ticket. \n\nPlease take these guidelines into consideration to ensure your reports are compiled and submitted correctly.", "Question: How can teams participate in auditing contests on CodeArena and manage the distribution of the prize money?\n\nAnswer: At CodeArena, we allow both individuals and teams to participate in our auditing contests. When you participate as a team, the process requires a single wallet for registration. It's important to note that all audit findings belong to the team and the prize money is sent to a single registered address after winning a contest. \n\nThe responsibility of distributing the prize money amongst team members falls on the team itself. This distribution can be managed through multisig wallets or by using smart contracts such as OpenZeppelin's PaymentSplitter: https://docs.openzeppelin.com/contracts/4.x/api/finance#PaymentSplitter. 
If two team members simultaneously discover the same issue and submit it using different wallets, the reward will be less than half for each person as per our incentive model and awards structure: https://docs.code4rena.com/#incentive-model-and-awards.\n\nWe understand there are concerns about team management, especially when a team member wants to participate in a contest individually that their team is also auditing. Currently, we are considering implementing a system that allows the use of different wallets for different submissions in the same contest. However, these changes are still under consideration and updates will be posted in our announcement channel.\n\nFor further details on how to join as wardens in a contest as groups or teams, you can find information at https://docs.code4rena.com/roles/wardens#registering-a-team. To participate in private contests, one needs to complete KYC and become a certified warden. More information on this can be found at https://mirror.xyz/c4blog.eth/Ww3sILR-e5iWoMYNpZEB9UME_vA8G0Yqa6TYvpSdEM0. Remember, a login with a wallet is not required to participate in contests, only a payment wallet is needed.", "Question: How can I add members to my team on CodeArena?\n\nAnswer: Yes, you can add members to your team on CodeArena. If you have an existing team, you can make changes such as adding or removing members, or even changing your team name. To add members, you might experience some technical issues, such as a blank page appearing when selecting members. If you face such issues, you can try again later or submit a help desk request at https://code4arena.com/help. \n\nIf you haven't created a team yet, you can do so at code4rena.com/register-team, or follow the instructions at https://docs.code4rena.com/roles/wardens#registering-a-team. Once your team is approved, you can log in and submit findings as a team or as an individual, depending on your preference. 
\n\nIn case you need to find team members, there's a team-building channel on the platform where you can look for likeminded individuals. \n\nIt's important to note that while you can participate and submit findings as part of a team, you're not obligated to always participate as a team member. You can choose to submit solo findings whenever you want. The submission form allows you to select whether you're submitting as an individual or as a team member. \n\nPlease note that there is no technical limit to how many members can be part of a team. However, if you face issues with adding members, don't hesitate to reach out for assistance through the help desk.", "Q: How can I transfer coins from my wallet in the Polygon network without having Matic for the transaction fee? \n\nA: Transferring or sending coins from a wallet requires Matic, a type of cryptocurrency, to pay the gas fee. If you're out of Matic, you can swap Matic without a gas fee at this link: https://wallet.polygon.technology/polygon/gas-swap. Alternatively, you can obtain potentially free Matic from https://wallet.polygon.technology/gas-swap/. \n\nRemember, bridging from Polygon to Ethereum and later withdrawing USDC on Coinbase needs both Matic and Eth if using the Polygon bridge. If you use the Hop Bridge, only Matic is needed, but you may receive less USDC on the Ethereum Mainnet. \n\nFor the withdrawal process, you will need your Polygon and Ethereum addresses. Once you have these details, you can use the polygon bridge at https://wallet.polygon.technology/ to move funds back to the mainnet. \n\nIf you are monitoring your tokens at https://polygonscan.com/address/, you can also use the same polygon bridge to move your funds back to the mainnet. \n\nPlease make sure to secure your wallet as there have been instances of unauthorized transactions made from compromised wallets. 
Ensure your Metamask or any other connected wallet is secure and do not share your private keys with anyone.", "Question: What is the procedure if a participant escalates a known low (general, poorly explained) from the automated findings to a high (contract logic specific)? Is such a finding still eligible, and what criteria or proof is required?\n\nAnswer: If a participant escalates a known low from the automated findings to a high, it is not automatically ineligible. However, it's important that a strong and compelling case for the escalation is made. This usually involves demonstrating a clear and relevant high or medium severity exploit path. \n\nIt's crucial that the participant provides strong evidence, such as an explanation of the exploit path or a working proof of concept. Even if a low severity issue is escalated to a high severity, it will not be automatically invalidated. If the issue is indeed of higher severity, the participant could be awarded with higher severity rewards. \n\nIf a finding is submitted as a low in a QA report, but the judges determine that it's a medium, it will be eligible for medium rewards. However, if a submitted high-risk finding is judged as low risk, the submitter will still be rewarded and vice versa. \n\nIn some cases, issues can even be upgraded from a QA report to medium or high, as explained in our help page: https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum. \n\nHowever, it's important not to overinflate the severity, as this could potentially lead to the submission being invalidated. All submissions should adhere to the guidelines provided: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues and https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions. 
\n\nRemember, the specific severity of an issue does not matter as much as a good explanation of the finding. The platform advises against submitting a high volume of low-quality reports, where low quality is defined as having no clear explanation or path to the finding. \n\nTo summarize, a clear explanation of the exploit path and a demonstration of understanding of how an issue could be exploited is essential when escalating an issue from a low to a high.", "Question: Can I revise, edit, or resubmit my analysis report once it has been submitted to CodeArena? \n\nAnswer: Yes, in CodeArena, you have the flexibility to revise, edit, or resubmit your analysis reports. You can modify your submitted findings by navigating to the contest page and clicking on the 'your findings' button. If your report was accidentally submitted from a personal account, you can resubmit it from the team's account. You can also update the format of your findings according to your preferences. \n\nYou can edit a submitted QA report until the audit deadline. If you find another error after submitting once, you may edit your QA submission. If you submit a QA report for a contest, you are allowed to edit it if needed. You may cancel a submission and create another one, by withdrawing the findings under the \"your findings\" on the contest page. \n\nYou can confirm the success of your report submission by looking out for an email and the ability to edit submitted findings. Your submissions can be reviewed after the report is published and the findings repo is made public. \n\nIf you run into issues while editing your report, you can create a help desk request for assistance. However, please note that currently the functionality to edit or resubmit an analysis report is planned for the future, so it may not be available right now. 
\n\nTo get more information about submitting an Analysis Report, please visit: https://code4rena.notion.site/Analyses-Guidelines-and-FAQ-2808a71e08e44c81a985527194f5f118.", "Question: Why isn't the Object type highlighted, and why aren't the annotations @notice and @param being highlighted in the bottom when reading Chainlink's contest using VSCode + Solidity by Nomic Foundation, even after a successful forge build? Is there a tool or plugin to check Solidity code for syntax mistakes and checks, similar to the functionality of the online Remix IDE?\n\nAnswer: When using VSCode + Solidity by Nomic Foundation, the annotations @notice and @param or the Object type might not be highlighted due to the limitations in the syntax highlighting feature of the IDE. Syntax highlighting depends on the color theme, extensions installed, and the language mode set in the VSCode. If you encounter a problem with syntax highlighting, you can try changing the color theme or installing a new extension that supports Solidity.\n\nIn the context of checking Solidity code for syntax errors, as discussed in our chat, there's no direct answer available in the excerpt provided. However, tools like Slither, a static analysis tool for smart contracts, can be useful for this purpose. It's also noteworthy that syntax highlighting in a code block in a finding report can be achieved using three backticks and specifying the language (e.g., ```solidity).\n\nFor those struggling with understanding Solidity syntax and programming, resources for learning the Solidity compiler were requested in the chat, but unfortunately, no specific resources were provided in the excerpt. \n\nThere is also a tool used for viewing on-chain contracts of etherscan in an IDE like Remix, which could be beneficial in some cases. 
Here is the link shared in the chat: https://discord.com/channels/810916927919620096/810931711609143326/1012727690396176484.\n\nPlease remember that understanding and properly formatting Solidity code in the submissions is crucial for the contests organized by CodeArena. Additional help can be found in our submission policy: https://github.com/code-423n4/code-contests/blob/main/SUBMISSION_POLICY.md.", "Question: What happens to a warden's reward when a high or medium finding is downgraded to low or QA, and can a low or QA finding be upgraded?\n\nAnswer: When a high or medium finding by a warden is downgraded to low or QA, this finding is added to the warden's QA report unless it's downgraded to a C grade finding. The rewards for these downgraded findings are determined by judges' scores. For an issue to be classified as high, medium, or QA, it depends on the severity of loss caused by the issue. If there's a risk of losing all rewards, it's most likely classified as high or medium. A QA classification usually occurs when the loss is negligible or due to rounding errors. Also, if a warden initially classifies a finding as low in their QA report but later the judges determine it to be a medium risk, the warden will be eligible for medium rewards. However, if the submission is downgraded to grade-c, it may not be eligible for rewards. Duplicate findings, where more than one warden identifies the same issue, can also affect the reward amount. In such cases, the reward is typically divided among the wardens. You can find more details about the incentive model and awards [here](https://docs.code4rena.com/awarding/incentive-model-and-awards) and about the QA report process [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). 
Please note that this information is subject to judges' decisions and contest-specific rules.\n", "Question: Are the new Low/Quality Assurance (L/QA) findings that result from the re-evaluation of High/Medium (H/M) findings included in a Quality Assurance (QA) report?\n\nAnswer: Yes, new L/QA findings that result from the re-evaluation of H/M findings can be included in the QA report. As observed in the community discussions, findings in the QA report can be downgraded from H/M to L/QA and these are added to the warden's QA report. Non-critical and low severity findings of a given auditor are consolidated into a single QA report. If a finding is submitted as a low in QA report, but the judges determine that it's a medium, it will be eligible for medium rewards as per [Code4Rena's guidelines](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). However, it is also important to note that incorrect findings in a QA report can affect the QA grade. Therefore, it is crucial to have a proper understanding and classification of findings. Judges consider both quantity and quality of submissions when grading QA reports. Therefore, the evaluation of QA reports is based on both the quantity and quality of findings. Participants can submit one combined gas report and one combined QA report, and they also have the ability to edit existing findings.", "Question: How are the findings integrated into the warden's QA report in Code4rena?\n\nAnswer: Findings in the QA report can be downgraded from High/Medium to Low/Quality Assurance (QA) and are added to the warden's QA report. If an issue is identified in an automated finding that can lead to a high severity finding, it can be reported again during the contest by a warden and could be rewarded with a higher severity. 
The QA and Gas awards are given according to judges\u2019 scores, and duplicates are disregarded, although handling downgraded issues, which need to be paired up with wardens\u2019 QA reports, can be challenging. Wardens who are the first to report a finding, as well as those who also found the same finding, are recognized in reports. If there are concerns or issues with a report, clarification may be sought from the wardens. The process to see how findings were judged involves checking the data folder in the findings repo and looking for json files named as [warden-handle]-[issue number]. The findings.csv file can be parsed to create a table with all wardens and their deduplicated findings. Incorrect findings in a QA report can affect the QA grade. Backstage wardens are added after an audit closes, if it is an open audit, and these wardens can comment on the judges' decisions during a post-judging QA period. More details about the submission policy and guidelines can be found at the following link: https://docs.code4rena.com/roles/wardens/submission-policy#automated-findings-considered-known-issues.", "Question: What is the process and requirements to become a Certified Warden at CodeArena?\n\nAnswer: The process to become a Certified Warden at CodeArena involves undergoing a Know Your Customer (KYC) process. This process may require identity documents such as a passport or a driver's license. Other proofs of residence, such as bank account details, can also be used. It's possible that foreigners can become certified wardens as well, given they provide the appropriate documentation. The specific details of the process can be found on our website at https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints and https://docs.code4rena.com/roles/wardens/certified-wardens. \n\nBecoming a Certified Warden enables you to participate in private contests and makes you eligible for a judge role. 
However, there might be additional conditions to meet, such as participating in a certain number of contests and delivering valid findings or reports. Versus contests, for example, are reserved exclusively for certified wardens. After you complete your application, it will be placed in a queue and you will be notified once it has been processed. Please note it might take some time for your status to be updated as certified, even after approval.", "Question: What happens when a finding is submitted as a high (H) or medium (M) severity issue but is re-evaluated as a low severity or quality assurance (QA) issue?\n\nAnswer: Findings submitted as high (H) or medium (M) severity issues can be downgraded to low (L) severity or QA issues based on the judges' evaluation. If this happens, the findings are added to the warden's QA report. However, it's important to note that vice versa can also occur. For instance, if a finding is classified as low risk in a QA report but is judged and confirmed as medium risk by other wardens, the judge will usually upgrade it automatically. In such a case, the finding is eligible for medium rewards as explained in this guide: [https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum). \n\nPlease note, this re-evaluation process is part of ensuring the quality and accuracy of audit reports. It might also be worth mentioning that incorrect findings in a QA report can affect the QA grade, while audit concerns marked as 'Lookout' category of findings can be included in the QA report. The evaluation of QA reports is based on both the quantity and quality of findings. 
Participants will receive feedback if a submitted finding is marked as invalid and have the opportunity to revise and resubmit their reports.", "Q: What is the status of the Basin audit? I noticed it was cancelled without any notice and there is no information on when the correct results will be available. \n\nA: We apologize for any confusion regarding the Basin audit. It's true that the audit was cancelled without prior notice. We understand that such situations can cause uncertainty among our users. We want to assure you that we're committed to transparency and keeping our community informed. As of now, we don't have a specific timeframe for when the corrected results will be available, but we're working diligently to rectify the situation. \n\nThe delay in the Basin audit is not unique, as we've recently seen delays in other projects as well, such as Nested Finance and Base. This is often due to the complex nature of these audits and the high participation rate, as in the case of Yaxis, that require thorough review of numerous submissions.\n\nWe also want to clarify that the upcoming contest for the Bean Money protocol mentioned in our channels is indeed the Basin audit. More information on this can be found on our website [here](https://code4rena.com/contests/2023-07-basin). \n\nWhile we understand the eagerness to know about the results, it's important to note that findings from these audits remain private until the report is published. This is to allow sponsors sufficient time to mitigate issues raised during the audit. Also, currently, findings of a contest cannot be viewed after it finishes but before the results are published. \n\nOur team is continuously working on creating a more streamlined and timely process for our audits and the subsequent distribution of awards. 
We appreciate your patience and understanding in this regard.", "Q: When and how does CodeArena distribute competition rewards after the announcement of winners?\n\nA: CodeArena aims to distribute competition rewards within 1-2 weeks after the announcement of winners. The rewards are not distributed immediately after the announcement due to the use of multisignature wallets, which require signatures from multiple parties before funds can be released. \n\nThe process typically starts with reward computation and confirmation of submissions. This is followed by the announcement of rewards, which users can check in the announcement channel. After the announcement, the rewards are sent out manually in batches for multiple contests at a time. \n\nThe signatures for the award distribution are generally rounded up in a standing Monday meeting, so any announced awards should usually get processed Monday or Tuesday. However, there have been instances where the turnaround times have been longer, with two months being the worst-case scenario. \n\nCodeArena is working to reduce these times and plans to eventually distribute awards via smart contracts for more efficiency. Please note that if no high or medium issues are found in a contest, there are different processes for reward distribution, which will be communicated accordingly.\n\nIt's important to mention that the timing of a bug discovery does not affect the reward amount or distribution. Also, if your reward is pending even after the contest has finished, it could be due to various reasons, which will be addressed on a case-by-case basis. \n\nPlease note that reward distribution times can vary, and the above timeline is a general estimate. 
Keep an eye on our announcement channel for updates on reward distribution times for specific contests.", "Question: What happens when a high or medium finding is down-ranked to a low or QA grade in a warden's report and how does this affect rewards?\n\nAnswer: Yes, a warden can indeed receive a payout when a high or medium finding is down-ranked to a low or QA grade. These downgraded findings are added to the warden's Quality Assurance (QA) report, provided that they are not of grade C. \n\nApart from this, there are a few other aspects that could influence the rewards. If a finding is initially submitted as low in a QA report but is later evaluated and determined to be of medium severity by the judges, the finding could be upgraded and the warden will be eligible for medium rewards as per the rules outlined [here](https://docs.code4rena.com/awarding/incentive-model-and-awards/qa-gas-report-faq#what-happens-when-an-issue-submitted-by-the-warden-as-part-of-their-qa-report-an-l-or-n-does-get-bum).\n\nIn cases where no High or Medium (H/M) issues are found during a contest, the entire reward pool can potentially move down to the Quality Assurance (QA) category. However, if more wardens find the same issue, the reward for that issue is typically divided among them. This is particularly relevant when duplicate reports are submitted, which can result in a reduced reward for each warden. \n\nFurthermore, if an issue identified in an automated finding can lead to a high severity finding, it could potentially be reported again during the contest by a warden and be awarded with higher severity. On the other hand, if an issue is submitted as a QA, a judge has the discretion to elevate its severity to medium or high if deemed necessary. \n\nThe QA and Gas awards are given according to judges\u2019 scores, and duplicates are generally disregarded. However, handling downgraded issues, which need to be paired up with wardens\u2019 QA reports, can be a challenging process. 
For more information about the role of wardens and how findings are handled, you can refer to the [Wardens page](https://docs.code4rena.com/roles/wardens) on Code4Rena's website.", "Question: How are Quality Assurance (QA) reports evaluated and graded at CodeArena, and how can the grading impact the awards received for the reports?\n\nAnswer: QA reports at CodeArena are evaluated and graded based on both the quantity and quality of findings. This grading takes into account the number of findings, the quality of writing, and the severity of the issues identified. It's important to note that a single low-severity item in a QA submission is unlikely to receive a high grade, and incorrect findings can negatively affect your QA grade. However, a well-detailed issue can be elevated in severity by the judges, potentially impacting its rewards.\n\nWhen it comes to compiling your findings, it's recommended to group all issues into one combined QA report per contest. Even non-critical and low-severity findings should be consolidated into this single report, and a separate report should be made for Gas optimization issues. If an issue is relevant to both QA and gas savings, it can be included in either report, with judges deciding where it fits best.\n\nKeep in mind that not all reports or findings are guaranteed a reward. They must meet certain quality standards and adhere to the grading criteria, which include correct identification of the highest severity impact of the bug, backing up the severity and validity chosen with evidence, and clear and understandable writing. To further understand the grading system, you can refer to the judging criteria on the CodeArena website: [https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical](https://docs.code4rena.com/awarding/judging-criteria#qa-reports-low-non-critical)\n\nAlso consider that all A-graded QA reports receive the same award, regardless of the number of Low findings. 
However, if a finding is submitted as a low in a QA report, but the judges determine that it's a medium, it will be eligible for medium rewards. \n\nLastly, remember that there's a post-judging QA period where you can make comments on the judges' decisions, and it's also possible to have your report featured in the client report based on the judges' discretion.\n\nFor more information on the incentive model and awards for QA reports, refer to: [https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports](https://docs.code4rena.com/awarding/incentive-model-and-awards#qa-and-gas-optimization-reports)", "Question: \nWhat steps do I need to take to gain backstage access as a working team at CodeArena?\n\nAnswer: \nTo gain backstage access at CodeArena, you must be a certified contributor and meet specific qualifications. Certification is a prerequisite and is described in detail at: https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints. \n\nOnce certification is achieved, you'll need to qualify for the backstage role. This typically involves a proven track record of participation in 3 or more contests or having a valid high submission. There are other criteria too, such as a certain number of findings in different areas or of different scores. All the requirements are listed in detail at: https://docs.code4rena.com/roles/certified-contributors/backstage-wardens. \n\nIf you meet the qualifications and believe you're eligible for backstage access, you can confirm your eligibility by submitting a help desk request at: https://code4rena.com/help. Your status will then be evaluated, and you'll be notified once your request has been reviewed. \n\nPlease note that the approach to granting backstage access has evolved over time. While it was once based on a trust model, it currently involves specific constraints and requirements. 
However, as the process may continue to change, it's always best to check the latest information.", "Q: How can I become a Certified Warden at Code4Arena and what are the benefits and requirements of this role?\n\nA: Becoming a Certified Warden at Code4Arena involves a specific process and certain eligibility requirements. You first have to participate in a number of contests and have a certain number of valid findings or reports. This will be followed by a Know Your Customer (KYC) process which might require you to provide some identification documents, such as a passport. \n\nBeing a Certified Warden comes with several privileges such as the eligibility to attend private audits and participate in exclusive contests like the PolynomialFi contest. In addition, it also makes you eligible for a judge role, enables you to access private repositories after a contest is finished (for Certified Plus Wardens), and allows you to mark yourself as \"Available for Hire\".\n\nThe specific details about the certification process, eligibility requirements, and the difference between a Certified Warden and a Certified Plus Warden can be found in the following documents: \n- [Certified Contributors Information](https://docs.code4rena.com/roles/certified-contributors)\n- [Certification Process and Constraints](https://docs.code4rena.com/roles/certified-contributors#certification-process-and-constraints)\n- [Eligibility to be a Certified Contributor](https://docs.code4rena.com/roles/wardens/certified-wardens#who-is-eligible-to-be-a-certified-contributor)\n\nPlease note that there might be additional conditions to meet for specific contests and roles. It's also important to mention that being a Certified Warden is not a permanent status - the requirements and benefits may change over time.", "Q: I'm having trouble registering and logging in on the CodeArena website. 
Is this a known issue and how can it be resolved?\n\nA: Yes, quite a few users have reported intermittent issues with registering and logging into the CodeArena platform. The reasons for these troubles can vary. Some difficulties may arise due to original architecture choices made during the initial site and tool setup which affect registration mode. Also, users may struggle if they're not using the correct wallet or email while logging in. Some users have encountered issues when creating submissions or joining private contests, even after passing the KYC. If you're experiencing difficulty running a contest with the provided instructions or if you can't find your username on the list during the registration process, know that these issues are being investigated.\n\nIt's also been observed that some users are having trouble with the site's password reset function. If you've forgotten your password, please reach out to us for assistance. Also, if you don't receive an email after registering with CodeArena, you're advised to open a help desk request.\n\nIf you're having trouble with the site on your mobile device, please send a request for assistance to submissions@code4rena.com. If you face issues related to team registration visibility on your profile or if you get a blank page when selecting members for your team, we're aware of these technical problems and we're working on resolving them.\n\nRemember, if you wish to change your username, you may need to re-register. Also, during the new warden registration process or bug submission, if you face any issues, please directly communicate with our staff for further clarification. If there's an issue where the system shows you as logged in, but the interface does not change, we recommend trying to refresh the page or changing your browser.\n\nWe appreciate your patience and understanding as we work to resolve these intermittent issues with our platform. 
Your participation and feedback are crucial to making CodeArena a better platform for everyone.", "Question: What are the requirements for participants to be eligible for rewards in Chainlink contests, specifically concerning the KYC process and certification?\n\nAnswer: While you can participate in Chainlink contests and submit reports without being certified or going through Know Your Customer (KYC) verification, to be eligible for rewards, certain conditions need to be met. Most contests do not require KYC, however, any contest that does will clearly state it in its contest requirements. For contests requiring KYC, such as the Chainlink or BASE audits, all participants or team members should undergo KYC verification before they can receive their awards. \n\nParticipants can verify their identity either before or after the contest ends to receive the payout, but it is important to note that if a team wins a prize but cannot claim it due to KYC issues, it's unclear whether the prize will be held until they complete the KYC or if it will be forfeited.\n\nFor some activities, such as private contests and certain audits, you need to become a Certified Contributor, which includes successful completion of the KYC process. Certified contributors can also receive additional benefits, such as backstage access and payments from KYC-required sponsors like Chainlink. \n\nIt is also possible to participate and receive payouts without being certified, but some activities require certification or KYC verification. To become a Certified Contributor or apply for KYC, refer to the guidelines provided on the Code4rena website: https://docs.code4rena.com/roles/certified-contributors.\n\nPlease note, certification and KYC processes do not grant automatic access to private contests. 
Lastly, while a wallet login is not required to participate in contests, bots not registered in the chainlink protocol cannot be used for certain contests.", "Question: As a beginner, can I start with Damn Vulnerable DeFi as the first Capture the Flag (CTF) challenge to learn about smart contract vulnerabilities?\n\nAnswer: Yes, beginners can certainly start with the Damn Vulnerable DeFi CTF challenge, available at https://www.damnvulnerabledefi.xyz/. However, it is often recommended to first complete The Ethernaut challenges, which are another excellent resource for learning advanced solidity and defi industry standards. You can access them at https://ethernaut.openzeppelin.com/. \n\nFor those who are completely new to smart contract development and want to start bug bounty hunting, resources like CryptoZombies (https://cryptozombies.io/) for learning solidity and Capture the Ether (https://capturetheether.com/) for CTF challenges can be highly beneficial.\n\nDuring these exercises, if you experience difficulty catching vulnerabilities or finding an attack path that can cause a medium or high impact, it may indicate that you need more solid understanding of solidity fundamentals or more developer experience. It's okay, you are encouraged to practice and improve your skills. You can even write a Proof of Concept (PoC) in any language and then explain the effects of the contract in plain writing as a way of learning.\n\nRemember, the amount of time it takes to learn the basics and start finding vulnerabilities greatly depends on your prior experience and learning capabilities. So, don't be discouraged if you find things difficult at first. Also, don't hesitate to reach out to the community if you need help understanding a certain vulnerability or exploit. Past contest reports are also a valuable learning resource as they reveal vulnerabilities and how they were exploited. 
\n\nWhile participating in these exercises, remember that the main goal is to learn and improve your skills. You don't need to find high impact vulnerabilities right from the start. Even finding medium or low vulnerabilities is valid and can help you learn and improve.\n\nLastly, always remember that the tools used to find vulnerabilities, such as fuzzing tools like Echidna, can be of great help. However, they may require a relatively powerful computer to run efficiently. Nonetheless, the minimum PC requirements for auditing DeFi protocols are relatively low, indicating that you can start learning even with modest resources.", "Question: How can a participant gain backstage access in CodeArena and what are the qualifying criteria?\n\nAnswer: Backstage access at CodeArena is granted based on a contributor's qualifications and certifications. The backstage role allows participants to access the findings repo after a contest ends and discuss grading before the rewards are announced. \n\nTo qualify for backstage access, a participant needs to meet certain criteria such as being a certified contributor, having participation in at least three contests, and providing a certain number of findings. Specifically, these include at least one high severity finding, three medium severity findings, or a QA or Gas report with a score of over 85. \n\nOnce these requirements are met, and the contest results are published on the leaderboard (usually shortly after the awards are announced), participants can apply for backstage access through a help desk request. The exact details of the qualifications and the process of application can be found in our official documentation at https://docs.code4rena.com/roles/certified-contributors/backstage-wardens.\n\nOnce a request for backstage access is submitted, it will be reviewed, and the participant will be notified of the decision. 
It's important to note that there have been instances of backstage privilege abuse in the past, which involved sharing information about findings for judging in progress with others who did not have backstage access. As a result, the process of backstage access is continuously reviewed, and there may be changes to this process in the future.\n\nLastly, besides backstage access, there currently aren't any other methods of providing additional context on reported issues.", "Question: How does the _mintFee function operate in PancakeSwap V2, which is a fork of Uniswap v2, and are its numerator and denominator correct? \n\nAnswer: The _mintFee function in PancakeSwap V2 involves calculating protocol fees. PancakeSwap V2 employs a different formula for these fees compared to Uniswap V2. Uniswap V2 uses a 5 basis point (0.05%) protocol fee, while PancakeSwap V2 formula engages 8/25 of the growth in the square root of K for its fee. To determine the correctness of the numerator and denominator in the _mintFee function, it's necessary to understand this formula and the expected outcomes of the function. \n\nFor further examination of the code, you can refer to the PancakeSwap V2 contract on BscScan: https://bscscan.com/address/0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73#code. Please remember that the suitability of using a specific function (like safeTransferFrom) can depend on the token being used and the expectation of the code, as discussed in our community chat. \n\nAs an additional resource, the Uniswap documentation may also be of help in understanding the basics of such functions: https://docs.uniswap.org/protocol/V1/reference/exchange. Please note that information about functions such as totalSupply(), decimals(), and the role of a minter or burner can also be important in understanding how these contracts work. 
\n\nFinally, it's important to note that the specifics of the code can affect the outcome of token swaps, the purchase of tokens, and the possibility of arbitrage opportunities. This is illustrated in our chat through discussions on topics like Automated Market Maker's (AMM) price formula, the meaning of \"input\" and \"output\" in Uniswap methods, and how tokens received by a contract could possibly be less than the amount in a report.", "Question: How can I embed code and images within a report on CodeArena?\n\nAnswer: CodeArena supports embedding code within reports using the Markdown (MD) format. To display code snippets with line numbers on the left, use code blocks formatted in Markdown. This guide on GitHub explains how to create and highlight code blocks: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks. \n\nRemember to specify the language after the initial three backticks (e.g., ```solidity) for syntax highlighting. For longer codes, you can provide the code for a test directly to the report under 'Proof of Concept' or link it to a private repo on Github. More information can be found at https://docs.code4rena.com/roles/wardens/submission-policy#how-to-include-a-proof-of-concept. \n\nFor images, they can be embedded within reports using Markdown. This tutorial explains the process: https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images. However, note that adding a link to a sponsor's Github repo code within a findings report will not automatically pull that code snippet into the report. It was also mentioned that Visual Studio's preview tool can be helpful for formatting reports. \n\nReports can be submitted through the Code4Arena interface with a markdown template proposed, or larger reports can be submitted by email with a placeholder in the original submission. 
\n\nFor examples of winning reports, you can visit https://code4rena.com/reports. Lastly, please note that issues have been reported with the Analysis Report preview displaying embedded images, and the use of a \"CodeArena Report Generator\" tool is still under consideration.", "Question: \nCan I receive rewards as a Certified Contributor from any country?\n\nAnswer: \nYes, Certified Contributors can receive rewards regardless of their country of residence. Anyone can apply to become a Certified Contributor at Code4rena by following the guidelines provided here: https://docs.code4rena.com/roles/certified-contributors. While participants do not need to be certified or have completed KYC (Know Your Customer) verification to participate in most contests and receive rewards, some contests do specify these requirements. It's important to note that you can sign up as a Certified Contributor with multiple accounts, but you can only participate with one account. In instances where KYC verification is required to receive prizes, the necessary forms can be found at the same link. Once you are certified, you are not obligated to apply to every contest. However, being certified does grant access to more contests, leading to more opportunities for rewards. If you are competing with a team, note that all team members need to be certified to receive the payout. 
Also remember that the certification process can be initiated within 48 hours of a contest, and upon completion, you can be awarded if you are eligible.", "Question: What resources can I use and what strategies should I follow if I want to start with Damn Vulnerable DeFi for my first Capture the Flag (CTF) event and enhance my skills for detecting vulnerabilities in smart contracts?\n\nAnswer: While it is possible to start with Damn Vulnerable DeFi, it is generally recommended to start with Ethernaut (https://ethernaut.openzeppelin.com/) as it offers a good foundation for understanding smart contracts and their potential vulnerabilities. After that, you can proceed to Damn Vulnerable DeFi (https://www.damnvulnerabledefi.xyz/).\n\nYou can also consider resources like CryptoZombies.io for learning Solidity and CaptureTheEther.com for Capture the Flag challenges, as these are excellent ways to sharpen your skills as a beginner. Users have mentioned these as good starting points for smart contract bug bounty hunting.\n\nDetecting vulnerabilities in smart contracts can be complex and requires a thorough understanding of the language and the industry standards. You might also find it beneficial to understand and practice using fuzzing tools like Echidna for auditing in contests. Other strategies include writing an attack contract and then explaining the effects of the contract in plain writing as it can serve as a proof of concept. \n\nFor those interested in participating directly in competitions, you can take part in CodeArena's competitions. However, always remember to submit a proof of concept and a case made for how an item can be exploited to avoid being marked as invalid. \n\nRemember, it's important to practice and improve your skills, especially if you are struggling with catching vulnerabilities during CTFs. Users also encourage learning from past contest reports as they reveal vulnerabilities and can be useful for learning purposes. 
If you think you've found a vulnerability during a contest, don't hesitate to reach out to the sponsor team for clarification. However, make sure to submit your findings via the contest submission form to be eligible for awards. \n\nLastly, always keep an eye out for unique vulnerabilities, as identifying these can give you an edge in competitions. Good luck!", "Question: Can I participate in contests without being a Certified Contributor and what does being certified entail at Code4rena?\n\nAnswer: Yes, you can participate in most contests at Code4rena without being certified. However, some contests may require you to be certified to receive any potential payouts. It's important to note that being a Certified Contributor grants you more access to contests, including private and certified contests. You can easily apply to become a Certified Contributor at any time.\n\nHowever, bear in mind that being certified does not automatically grant you access to all areas, like the previously participated contest in progress judging repository, which requires backstage access. Also, participation in Versus contests and private contests generally requires certified status.\n\nSome contests may require KYC (Know Your Customer) verification to receive prizes, and any contests with this requirement will state this clearly. You can view more information about the certification process, KYC, and more at this link: https://docs.code4rena.com/roles/certified-contributors.\n\nAlso, if you're looking to contribute and improve your skills, participating in code contests is highly recommended, including participating as a warden in upcoming contests. Just remember, you can sign up as a Certified Contributor with multiple accounts, but ensure to only participate with one account.", "Q: I've submitted several bug reports but haven't received any feedback. 
What could be the issue and how can I improve my submission process?\n\nA: There could be several reasons why you haven't received feedback on your bug reports. One possibility is that feedback for submitted issues typically comes within a couple of months, once the contest has closed and the report is published. It's also possible that your report was not accepted due to user error affecting the grading or it being classified as automated findings which are not awarded or rated as grade-c in the judgement procedure. \n\nWhen submitting bug reports, you should make separate submissions depending on the type and severity of the bugs found. If you are unsure of the severity, there is a process for understanding why a bug was not accepted to improve future submissions. You can check previous reports at [https://code423n4.com/reports](https://code423n4.com/reports) to see what a high-quality submission looks like. All bug reports have to be submitted before the closing of the audit. \n\nIf you encounter issues like \"API rate limit exceeded,\" intermittent issues with the submission process, or errors with the 'Create Issue' button, you can submit help desk requests for unresolved issues. \n\nLastly, if you submitted a report and it was rejected, you can find it in Github's closed issues. Remember, it's possible to submit issues as a team but the exact process of doing so is not clarified. \n\nPlease note that the platform is considering adding the severity of bugs to the emails sent out after issue submission, which might assist you in the future.", "Question: How can we participate in the process of enhancing the rulebook at CodeArena, and what are some topics we might consider discussing?\n\nAnswer: Yes, it's certainly beneficial to contribute suggestions to the rulebook found at https://github.com/code-423n4/rulebook/. 
Topics for discussion could range from clarity in submission rules, protocol interaction with contracts, justifying severity and validity within submissions based on similar findings from other contests to markdown formatting in issue titles and how to submit additional findings after an initial low-risk finding. \n\nIf there are concerns around inconsistency, process, or lack of clarity in rules, you can review and comment on existing issues, support suggestions, or open new issues at https://github.com/code-423n4/org/issues. \n\nThere has been talk about releasing all unverified submissions a few days after a contest ends for learning purposes. If you have thoughts, join the discussion here: https://forum.code4rena.com/t/rfc-certified-wardens-rulebook-scout-role-contest-qa-and-mitigation-review-services/123. \n\nAlso, if you disagree with a judge's decision, a discussion can be opened. Users are encouraged to ask judges for feedback about issues to understand the reasoning behind the ruling and to see what could be improved. \n\nAdditionally, there is a suggestion box for sharing ideas on improving the website, leaderboard systems, contest processes, and Discord setup. It's also worth noting that key information might be pinned to specific channels to help newcomers find necessary information, and a new page for contests, listing wardens, judges, and sponsors, has been suggested. \n\nHowever, please keep in mind that these discussions should be fact-based and respect the diverse opinions within the CodeArena community.", "Question: What is the process for accessing, reviewing, and discussing findings in the repos after a contest ends?\n\nAnswer: Sponsors do not have access to the findings repo before the contest ends. After the contest is over, access to the findings repo is granted. This could be immediate for old contests, or after a week for new ones. 
The findings get reviewed and triaged immediately after the contest ends and await sponsor review and final judging before being made public. However, the exact duration before the findings repo becomes publicly available for discussion is not specified. \n\nParticipants whose submissions were not rewarded can review why their submission was not accepted once the report is out and the repository is fully opened. They can then see the discussion among sponsors and judges on the specific issue. \n\nAt this stage, it's important to note that discussing findings shortly after a contest ended is not allowed to give sponsors time to fix the issues. It's also worth noting that only the team has access to submissions before a contest ends. After the contest ends, those with the \"backstage\" role get access to findings to help with triaging. \n\nUsers may also have queries about how to find which findings of a contest were rejected and why, as well as how to view others' findings after a contest finishes. These details will be available once the report is published and the findings repo is made public. \n\nUnfortunately, applications for backstage access to access findings repo when a contest ends are currently suspended until further notice. However, one can locate the analysis findings from contests in the findings repo once the report is published. \n\nPlease note, any findings that are not submitted before the end of the contest will not be eligible. Furthermore, findings can be withdrawn under \"your findings\" on the contest page and contest participants can upgrade the risk level of their submitted findings if the contest is still open.", "Question: What are the safeguards against dishonest practices such as cloning white-hat reports to cut down on payouts at CodeArena?\n\nAnswer: CodeArena operates with principles of transparency and effectiveness. 
While the possibility of a dishonest project cloning white-hat reports theoretically exists, several factors make this scenario unlikely. Firstly, projects have no financial incentive to hide reports as they pre-pay the full amount once the contest launches. The audits function similarly to a bug bounty platform, where prize pools and fees are defined upfront.\n\nMoreover, CodeArena has processes in place to deal with potential misuse. For instance, a potential solution to avoid dishonest practices includes revealing findings to the project only when the contest is over. Additionally, linking to other contests in a report to demonstrate findings is acceptable, but citing examples from Code4rena is more convincing due to a more rigorous judging and QA process. Code4rena's model differs from a traditional bug bounty model where the second person to report a bug receives no reward due to duplication.\n\nThere is also a high level of community involvement in CodeArena's audit contests. High quantity and high-quality reports tend to be successful in these contests, and participants are encouraged to compare their findings with winning reports found at https://code4rena.com/reports/2022-09-artgobblers#low-risk-and-non-critical-issues.\n\nIt's important to note that trust in sponsors is vital, and CodeArena is committed to maintaining this trust by managing potential conflict of interest scenarios. For further details on the submission policy, you can refer to: https://docs.code4rena.com/roles/wardens/submission-policy#findings-in-parent-of-forked-projects.", "Question: How does Code4Arena interact and differentiate itself from other platforms such as Immunefi in terms of auditing smart contracts and the reward system?\n\nAnswer: Code4Arena, similar to platforms like Immunefi, Spearbit, and Hats.finance, rewards auditors for auditing smart contracts. However, with Immunefi, only the first valid submission gets a reward, whereas Code4Arena operates differently. 
Code4Arena uses a process that consistently finds more bugs faster than other methods, thanks to their \"more auditors, more findings\" approach. \n\nWhen there is a contest for a project that also has the same code on Immunefi, users cannot submit the same bug to gain rewards from both platforms. More info on this can be found in Code4Arena's submission policy [here](https://docs.code4rena.com/roles/wardens/submission-policy#findings-in-parent-of-forked-projects).\n\nOn Code4Arena, an individual or their team can submit findings once their wallet is connected. The platform provides several types of contest rewards, such as Scout, Lookout, and Judge awards. A good proof of concept is critical when submitting a finding, and direct links to all referenced code in GitHub, screenshots, logs, or any other relevant proof that illustrates the concept can be beneficial.\n\nMoreover, Code4Arena is working on procedures for sensitive disclosures and participants can expect updates soon. They also offer auditors the opportunity to use information about protocols they have audited on other bug bounty platforms to fill their profiles. \n\nFor beginners in smart contract auditing, Code4Arena provides support and resources such as automated tools and instructions on how to initiate the verification process [here](https://docs.code4rena.com/roles/certified-contributors). \n\nIn terms of timelines, an estimated schedule for the process is provided in the organization's docs [here](https://docs.code4rena.com/structure/our-process). The certification process involves identity verification and usually takes a few days for the role to reflect on the profile after approval. \n\nMore information on Code4Arena's process, including Mitigation Reviews, can be found [here](https://code4rena.com/how-it-works).", "Question: Is it possible for a sponsor to hide bugs in the code base, report them first, and hope that no one else finds them? 
How does Code4rena handle this potential conflict of interest?\n\nAnswer: Theoretically, it's possible for a sponsor to hide bugs in the smart contract code base, report them first, and hope that no one else identifies them. However, this scenario is considered unlikely mainly due to two reasons. \n\nFirst, reputable projects would likely not risk their reputation by attempting to save a small amount of remuneration in this way. Secondly, simple bugs are likely to be discovered by multiple auditors, thereby negating any potential advantage obtained by being the first to report them. Complex bugs, on the other hand, would require significant time and effort to create, making them an unattractive option from a cost-benefit perspective.\n\nIt's worth noting that trust in the integrity of sponsors is crucial in the Code4rena community. There is a concern of fairness if sponsors are provided early access to vulnerability submissions, as they could potentially exploit this information. However, Code4rena encourages participants to communicate directly with the sponsor team during a contest if they believe they've discovered a potential vulnerability. This communication does not, however, exempt the requirement to submit findings via the contest submission form to be eligible for awards.\n\nIn terms of reporting bugs, there's a question about whether bugs introduced during mitigation efforts should be reported and whether all bugs/gas optimizations stated in publicly known issues are valid for other files within the same repository. Each vulnerability or bug discovered needs to be provided with a proof of concept (PoC), which can be submitted either as a zip file or through a private Github repository. Without a PoC, a finding may be disregarded unless the issue is extremely obvious.\n\nYou can find examples of past submissions at [https://code423n4.com/reports](https://code423n4.com/reports). 
Remember, no code is perfect, so it's highly unlikely that a contest will conclude with no high or medium severity issues found.\n\nFor further clarity and guidance, participants are encouraged to reach out to Code4arena directly.", "Question: Can the findings from a contest be kept private until the contest concludes and the final report is published to prevent potential dishonest acts, and when are they made available for public viewing and discussion?\n\nAnswer: Yes, in order to maintain the integrity of the contest and prevent dishonest practices, the findings from a contest are kept private until the contest concludes. Once the contest ends, the findings are reviewed and triaged by the team at CodeArena, and they await sponsor review and final judging before they are made public. \n\nParticipants are discouraged from discussing their findings publicly before the final report is published, and it is against submission rules to make findings public before the contest is finalised. There's a period of time after a contest is closed, but before the findings repository becomes publicly available for discussion, although the exact duration is not specified. \n\nProjects have access to submitted findings before the contest completion, however, sponsors do not have access to them until the contest ends. Team members with the \"backstage\" role get access to findings for triaging after the contest ends. After the final report is out and the repository is fully opened, participants can review why their submission was not accepted, as they can see the discussion among sponsors and judges on the specific issue. \n\nThe findings are not shared with anyone, including the project team and judge, until after the deadline passes. The number of wardens participating in a contest is disclosed only after the contest ends. The time taken for project findings to get reviewed varies with each contest. 
\n\nDiscussions about potential submissions should not be in the contest channel to prevent revealing for others, and it's important to note that participants can edit their submitted security findings for a contest. All project findings are reviewed at the end of the audit period, and users are able to edit their findings until the contest closes. \n\nFindings from the contest are confirmed and discussed only after the contest ends. The understanding is that by the time the contest starts, projects have already paid in full, providing no financial incentive to hide reports. Once the report is posted, the findings from the contest are made public and are open for viewing all submissions and discussions."] \ No newline at end of file