Competitions
How competitive audits work at Code4rena
Code4rena invented the competitive audit to provide thorough security reviews for Web3 projects, fast. With a community of over 10,000 auditors and an average of 100+ security researchers participating in each audit, C4's competitive audits provide an unparalleled level of trust, depth, and breadth.
Who can participate?
The Code4rena community includes both seasoned professionals and emerging researchers, with diverse backgrounds and specializations. Anyone can register as a Warden, and join a competition.
As Wardens build experience on Code4rena's platform, they can advance up the leaderboard and earn credibility through different roles, which unlock a variety of privileges.
How competitive audits work
C4's competitive audits are designed to uncover bugs that may be overlooked in traditional audits, resulting in more robust security outcomes. Our public competitions follow a process honed by running hundreds of audits:
Sponsors establish prize pools to attract wardens to audit their project.
During the Submission phase, the project code is opened to the community, and Wardens compete to identify vulnerabilities in the project's codebase.
Submissions must be entered before the deadline.
This phase typically lasts 1-3 weeks.
The judge and sponsor review submissions during the submission phase.
Judging phase: Once the submission deadline passes, all submissions to the audit are judged. The judge determines the severity, validity, and quality of findings.
The sponsor team may continue to add input during this phase.
Wardens usually have access to all submissions during this phase as well, unless the audit's scope includes live/deployed contracts, or the sponsor requests stricter privacy.
Wardens are not permitted to comment during the judging phase.
Post-judging QA: Once preliminary judging decisions are reached, there is a 48-hour QA period when the sponsor team and wardens may add comments for the judge, to ensure fair and rigorous judging.
After the QA period ends, the judge finalizes their decisions.
Exception: by default, audits that include live code do not have a post-judging QA phase, unless the sponsor confirms that no submissions affect live code.
Awards are calculated and distributed using C4's awarding algorithm.
Awards are distributed in two batches, to allow the winners sufficient time to satisfy payout requirements.
The Audit report compiles valid findings from the competition and is typically published on the Code4rena website for the benefit of both the project's users and the broader Web3 security community.
All audit submissions are usually made public when the report is published.
Viewing audit results: Once an audit's results have been finalized, they’ll be shared in our #c4-updates channel in Discord. The audit's page in the Audits section on our website will also be updated to show results.
When sponsors have stricter privacy requirements, they may opt to keep their code and/or findings private; if this is the case, it will be noted in the audit documentation and/or announced in the C4 Discord.
Competition guidelines for wardens
Comply with the Code4rena Terms of Service.
Wait until the audit report has been published before you disclose any findings or submissions publicly.
Do not submit a high volume of low-quality reports.
In the event that you encounter a critical vulnerability that the sponsor project would want to know about, even before the end of the audit, please refer to "How to submit Zero-day or otherwise highly sensitive bugs."
Without explicit permission from Code4rena staff, publishing or discussing findings publicly prior to report publication is grounds for immediate forfeit of award and disqualification from any future C4 events and activities.