Description: Community-driven competitions for smart contract audits
The players in the arena:
- Wardens protect the DeFi ecosystem from threats by auditing code.
- Sponsors create prize pools to attract wardens to audit their project.
- Judges decide the severity, validity, and quality of findings and rate the performance of wardens.
C4 audits are different from both bug bounties and traditional audits.
Bug bounties | Competitive audits |
---|---|
Spec work. No way to have confidence that the time invested will produce a payout. | Guaranteed payouts. Auditors know it’s highly likely they can find a bug that will make it worth their time. |
Dark forest. Who knows how much competition there is right now? Or how mature the codebase is? | Low-hanging fruit. If a project is seeking an audit, it’s likely fresh code with clear opportunities to dig in. |
Grow on your own. Researchers have to proactively look for ways to learn and level up their skills. | Learning community. Open, competitive audits let auditors compare everyone’s findings and learn new things every single week. |
Paradox of choice. So many projects have bounties. How does an auditor choose which to focus on? | Less FOMO. C4 runs a handful of active audits at a time and wardens can RSVP to signal to each other which audits have more participants. |
Traditional audits | C4 audits |
---|---|
Constrained time. If you want a quality audit from a top firm, you’re going to have to wait. | Time flexible. Code audits can be put together quickly for teams eager to go to market. |
Constrained cost. Audit firms must recruit and retain talent, and defensively maintain their brand. | Flexible cost. C4 scales to meet demand. Sponsors can increase pot size to attract more attention. |
Constrained diversity. Audit firm staff have to work to stay ahead of DeFi's complex and expanding attack surface. | Diverse capability. C4 audits allow specialized security researchers to demonstrate their skill and creativity. |
Systematic. Firms use set processes for evaluating code, which differs from the way attackers approach things. | Rigorous. C4 wardens are incentivized to work creatively to find as many rare, high risk vulnerabilities as possible. |
Details on Code4rena's incentive model and awards can now be found here.