Live code rules
Wardens are encouraged to submit High-risk submissions affecting live code promptly, to ensure timely disclosure of such vulnerabilities to the sponsor and guarantee payout in the case where a sponsor patches a live critical during the audit.
Competitions that include live/deployed code are treated differently than Code4rena's typical audit process, to ensure that projects' security needs are prioritized alongside efficient and timely judging and award distribution. Submissions are treated with greater sensitivity, since they may affect deployed contracts.
When an audit includes live code:
After submissions close, all submissions are automatically considered sensitive, i.e. hidden from all wardens (SR and non-SR alike). Only the assigned judge, the sponsor team, and C4 staff have access.
This ensures that no issues affecting live code are erroneously shared.
By default, there is no post-judging QA phase.
This ensures that awards can be distributed in a timely fashion, without compromising the security of the project.
Senior members of C4 staff will review the judges' decisions as usual.
Exception: if the sponsor indicates that no submissions affect live code, then submissions are made visible to all authenticated wardens, and post-judging QA (PJQA) is opened to wardens per the usual C4 process.
By default, submissions are not shared publicly until the report is published.