The Auditing process

Cyfrin CodeHawks ensures the security of the protocols and teams we assist through an innovative private and community code review process.

To learn more about how competitive audits work from an auditor's perspective, check out Auditors.

Ensuring the security of protocols and their users is our top priority, and making the process for developers and protocol teams as smooth as possible is our second.

This page outlines your journey to securing your code base and what you'll need to ensure complete coverage of your protocol.

Here's what our auditing process looks like:

1. Request an audit

Request an audit by going to codehawks.com and submitting the "Request an Audit" form under "Request Audit". You can schedule an audit with at least three days' notice.

Our team will contact you within two days to arrange a screening call and assess the properties of your project and code base.

2. Screening interview and code base assessment

The CodeHawks team will contact you to discuss your audit scope, expected timeline, and requirements necessary to initiate an audit. They will also provide recommendations on the ideal auditing path to take.

Check out our guidelines for more information on what is required to start an audit.

3. Pricing and timelines

The CodeHawks team will conduct an initial assessment of your code base and project, and provide you with a quote based on the length of time required for the audit and its complexity.

You can learn more about pricing and timelines on our guide.

4. Code freeze

At least 2 days before the audit starts, protocol teams are required to send CodeHawks the final:

  • commit

  • branch

  • known issues

  • contracts.

After that, a code freeze is required to establish a baseline. This means that everyone will be looking at the same code for the entire duration of the audit.

Please note that this includes your own repository, as a pull request can leak alpha information to our community.

Take a look at the Preparing for an Audit guide to learn more about what you'll need to get the audit started.
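One practical way to make a code freeze checkable is to record, at freeze time, the commit, the branch and a hash of every in-scope contract, so that anyone reading the code later can confirm it still matches the frozen set. The script below is an added example, not CodeHawks tooling; the contract contents, paths, branch name and the commit placeholder are constructed sample data.

```python
"""Added example (not CodeHawks' own tooling): a minimal scope-freeze manifest.

At freeze time the protocol team records the commit, the branch and a SHA-256
hash per in-scope contract. Later, verify_manifest() reports exactly which
files drifted (modified or missing) relative to the frozen set.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, contracts: list, commit: str, branch: str) -> dict:
    """Record commit, branch and one hash per in-scope contract (paths relative to root)."""
    return {
        "commit": commit,
        "branch": branch,
        "contracts": {rel: sha256_file(root / rel) for rel in sorted(contracts)},
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the working tree against the manifest.

    Returns lists of 'ok', 'modified' and 'missing' paths so a reviewer can
    see which in-scope file changed after the freeze.
    """
    result = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest["contracts"].items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> tuple:
    """Freeze two constructed contracts, then tamper with one and delete the other."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        src = root / "src"
        src.mkdir()
        # Constructed sample contracts, not real protocol code.
        (src / "Vault.sol").write_text("contract Vault { uint256 total; }\n")
        (src / "Token.sol").write_text("contract Token { uint256 supply; }\n")
        manifest = build_manifest(
            root, ["src/Vault.sol", "src/Token.sol"],
            commit="<FROZEN-COMMIT-PLACEHOLDER>",  # hypothetical value
            branch="audit",
        )
        (root / "scope-manifest.json").write_text(json.dumps(manifest, indent=2))
        # Simulate post-freeze drift: one contract edited, one removed.
        (src / "Vault.sol").write_text("contract Vault { uint256 total; uint256 fee; }\n")
        (src / "Token.sol").unlink()
        loaded = json.loads((root / "scope-manifest.json").read_text())
        return manifest, verify_manifest(root, loaded)


if __name__ == "__main__":
    _, report = demo()
    print(json.dumps(report, indent=2))
```

In practice the manifest would be committed alongside the frozen branch so auditors and the protocol team can run the check against the same reference.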

5. Audit begins

In the case of an audit competition, we ask that one or more members of your engineering team be available on the CodeHawks Discord server to answer auditors' questions via the dedicated channel.

Each member will be given a special "sponsor" role to make sure you're recognisable.

In any case, our community managers will always be available to help you through the process and answer auditors' questions.

6. Judging and appeal

Immediately after the audit contest ends, the judging phase commences. The duration of the judging contest varies depending on the number of issues submitted. During this phase, security experts thoroughly evaluate the submissions. Once the judging phase is complete, the Appeal period begins. In this stage, security experts have the opportunity to flag any issues they believe were not categorized correctly during the initial judging, seeking a second opinion. To know more about the Appeal period you can refer to this guide.

7. Initial report

A day or so after the appeal period ends, the CodeHawks team will compile and meticulously organize a curated, de-duplicated list of all High-, Medium- and Low-severity findings for your team. This compilation will enable your team to effectively prioritize and address these vulnerabilities.

Note: The following steps are only present in protocols opting in for Competitive reviews or Private Audits.

8. Mitigation phase - Fix the code

First, our teams will agree on a suitable time frame to tackle these issues.

Once we've set the time, your team can start implementing the necessary fixes in your code base. It's crucial to ensure that these vulnerabilities are addressed promptly and effectively to enhance the security of your systems.

Additionally, you may opt for a Mitigation Review Contest, following your initial audit to verify your implementations. These are much faster than the initial audit phase!

Through these steps, you'll be sure to strengthen your code and safeguard your applications against potential threats.

9. Final report

After the post-fix review, our team will meticulously review your code once more to compile a detailed final report, ensuring all the fixes have been implemented and your code is ready to be shipped.
