Quick Start

Cyfrin CodeHawks Quick Start Guide for Auditors

Last updated 10 months ago

Welcome to Cyfrin CodeHawks! Here's a quick and easy guide to get you started as an auditor and submit your first vulnerabilities.

1. Create an account on CodeHawks

First, create a new account by visiting codehawks.cyfrin.io and clicking the "sign up" button in the top right corner.

2. Subscribe to your first CodeHawks competition

Navigate to the competitions page and look for "Live" or "Upcoming" contests.

Don't want to miss any of our competition announcements?

Make sure to follow us on Twitter and join our Discord server!

Clicking on a competition will open its details page, with important information such as:

  • Prize pool severity breakdowns

  • Start and end dates

  • nSLOC and scope

  • Scoring

  • Link to the GitHub repository (if the competition is live)

Every contest also comes with details that will help you understand:

  • The codebase

  • Scope

  • Compatibilities

  • How to get the codebase up and running

New contests are announced almost every week. When you find a contest that fits your skills, click on the subscribe button to join it.

3. Submit your first finding

Once you've found your first vulnerability, navigate to the competition page and click on the "submit a vulnerability" button.

To submit your vulnerability, you'll be asked to insert:

  • Title - a <250 character descriptive title of your submission

  • Severity - a matrix of likelihood and impact characterizing your finding. Read How to Evaluate a Finding Severity for a full explanation.

  • Description - a detailed description of the vulnerability found and how to reproduce it.

Learn more in the dedicated guide, How to Present Your Findings.

5. Await the judging results

After the auditing period ends, judges will evaluate each submission carefully to determine its validity, severity, and overall quality.

Judging is done in two steps:

  • Community Judging - a period where all eligible community judges can evaluate others' submissions

  • Lead Judging - a period where the lead judge confirms or rejects the community judges' decisions and issues the final pre-appeal judgments.

Every phase will be communicated on the platform and via announcements on Discord.

Learn more about the judging process.

6. Appeal the judge's results

For 48 hours following judging, appeals will be accepted to contest judgments. This period will be clearly announced across all channels.

During the 48 hours, interactions will be enabled on your GitHub submissions. During this time, you may leave comments detailing your escalation for re-assessment.

7. Get rewarded

Once the final report is released, results will be announced, and payouts will be sent to the winners.

Rewards are paid out in USDC through the ZKsync chain. Crediting the reward won't be possible without a ZKsync wallet connected to the user profile.