Audit Catalyst

Audit Catalyst is an optional feature of competitive audits designed to transfer advanced understanding from prior auditors to wardens. Its purpose is to accelerate onboarding and enhance Code4rena’s effectiveness in securing the code.

This documentation is preliminary (as of September 2024) and subject to change.

Background

One of the chronic inefficiencies in the security industry that Code4rena aims to solve is the siloing of security insight and knowledge. From day one, our intent was to make all results open. Today, Code4rena hosts the largest collection of web3 vulnerabilities alongside the original audited code, contributing to a continuous cycle of auditor improvement and industry-wide security enhancement.

But contextual security knowledge on a project-by-project basis still has a long way to go.

Unless a team has designated security experts to facilitate this transfer, most valuable insights remain untapped as code moves from auditor to auditor. Trying to reassemble auditors' understanding through their audit report is like trying to navigate a complex maze with only a snapshot of the exit.

Introducing the Audit Catalyst

An Audit Catalyst includes a well-organized collection of intel and insight:

  • Fundamentals of auditing this type of project
  • Project architecture, design, and operational overview
  • Detailed threat models for the project
  • Hot spots in the codebase, including prior auditors' "what I'd focus on if I had more time" wishlist
  • Any additional internal notes from prior auditors' work

Compensation

In the future, Audit Catalysts will receive 3-10% of the pool, based on the quality and value of the Catalyst. Code4rena will be developing a rubric and an assessment model for these. (For the first several Catalysts, the full 10% will be allocated, reflecting the additional work needed to help iterate the model.)

Prior auditors (preferably the immediately prior auditor) can reach out to Code4rena in order to coordinate a Catalyst submission for a competition. (These are selected individually and must be approved prior to scheduling the competition.)

This Catalyst model is something we have long wanted to put into place, and through our relationship with the Zellic team we have been able to develop it for trial. In fact, part of the appeal in joining forces with Zellic has been the way they use and document threat models as part of their engagements, and the considerable depth and quality of their written guides.

We’re excited to work with the community on continuing to develop and improve the Audit Catalyst model and on using it to further enhance the effectiveness of competitive audits.