A smart contract security auditing competition, or contest, is an event in which security researchers, known as Hawks, review a smart contract or codebase to identify vulnerabilities, inefficiencies, and potential issues.
Auditors then submit their findings to be rewarded based on their validity, quality, and severity.
How does a Cyfrin CodeHawks auditing competition work?
Every smart contract auditing competition is comprised of seven periods:
1. Competition announcement
This is the initial phase in which we announce the upcoming competition, detailing the smart contract(s) to be audited.
Learn how to subscribe and submit your first vulnerability by following the quick start guide.
2. Kick-off
This is the official start of the competition, and it will last 48 hours. From now on, participants can access the contract repo on the contests page and begin looking for bugs, issues, and vulnerabilities. Findings can be submitted through the contest page on the web portal.
During the kick-off period, auditors can also raise issues with the codebase, the scope, or any other contest details.
3. Auditing
Auditors delve deep into the provided smart contract(s), using their expertise to uncover vulnerabilities, inefficiencies, and other issues and recommendations. In the next phase, these findings are submitted to judges for assessment.
This period is time-bound, ensuring a level playing field.
The time allotted for a competition is determined mainly by the size of the audited code base.
4. Community judging and lead judging
Once the auditing period concludes, the community judging period will start, followed by the lead judging period, during which the Cyfrin CodeHawks team or appointed judges will review the submissions. This review validates the findings, ranks them based on severity, and prepares for the appeals phase.
The length of this period is primarily determined by the number of submissions received.
5. Appeals
For 48 hours after the initial judging, auditors can raise concerns and appeals about the decisions made during the judging phase. This window allows the community to ensure transparency and fairness.
6. Rewards
After addressing escalations, the final results are announced, and rewards are distributed to auditors based on the quality and significance of their findings.
Payouts are distributed within 72 hours of the escalation period's closure and are currently paid in USDC on ZKsync.