2022: The rise of the competitive audit
2022 has been a wild ride. Outside of the crypto industry, there have been seismic shifts in the everyday happenings of the world. In the crypto space, there have been black-swan events, ups, and downs. The good news is that tempestuous times like these can often be the best times to settle in and build. And that’s exactly what the Code4rena community has done this year.
In 2022, the C4 community:
- ran 134 audit competitions
- found 349 unique high-severity vulnerabilities
- gave out over $9 million USD in rewards
In January, 56 Wardens had found at least one high-severity vulnerability. That number is now 323 — an increase of 477% in just under a year.
This is just one example of the increase in both the quality and quantity of Warden activity. Thanks to all the hard work, competitive audits are becoming increasingly (and rightfully) known as the best option out there.
The C4 Mission
Code4rena’s mission is to leverage our community of skilled security researchers and smart contract experts to help make DeFi platforms more secure. There are three key groups within the C4 community: Sponsors, Wardens, and Judges. Sponsors create prize pools to attract auditors to review their code. Wardens protect the DeFi ecosystem from threats by auditing code, and Judges decide the severity, validity, and quality of Wardens’ findings. This intentional structure allows C4 to provide cost-effective and rigorous code reviews in a gamified manner, rewarding Wardens and Judges for their efforts, and Sponsors for their diligence.
In any type of dev work, there will always be the need to secure the code. When smart contracts are involved, the level of risk increases exponentially. Where web2 audits secure data, web3 audits secure actual user funds.
By harnessing the power of the Code4rena community, projects have access to unmatched value when considering engineer hours of code review. As an example, one project that engaged in both a C4 audit and a more traditional audit saw a 983% increase in engineer hours spent reviewing code, even though the C4 competition was completed in a third of the time. “The more eyes on the code, the more bugs found” is one of the C4 team’s favorite phrases. With the volume and proven quality of C4 Wardens, this auditing process is not only faster but also more efficient.
Wardens
None of what the C4 community provides would be possible without the time and hard work of Wardens, so now, let’s take a look at the Wardens who found the most solo high-severity vulnerabilities in 2022.
🥇 WatchPug: 28 solo high-severity findings
🥈 leastwood: 9 solo high-severity findings
🥉 0x52: 7 solo high-severity findings
🏅 xiaoming90: 5 solo high-severity findings
🏅 cmichel: 5 solo high-severity findings
There’s no doubt that 2023 holds huge potential for all of the up-and-coming Wardens already climbing up the ranks, and we’re so excited to see what is accomplished. One of the top-ranked Wardens actually started participating in C4 competitions as a fun challenge with a friend, continued to level up their skills, and now works in web3 auditing as a full-time gig. This goes to show that the possibilities are endless. In the coming year, the C4 team will also be working on providing more resources to help develop smart contract auditing skills. This means more accessible knowledge, and more ways for devs to upskill.
IRL
The world started to get back to normal this year: flight routes opened back up, and the C4 team wanted to facilitate the opportunity for our community to meet up IRL as much as possible. DevConnect, Secureum TrustX, EthereumRio, EthSecurite, DevCon, and Sub0 were just some of the events where we had the pleasure of hanging out together.
To everyone we met, thank you for making our community what it is! Hanging out with like-minded individuals who are passionate about securing the DeFi ecosystem was an unforgettable experience.
Product
From a more product-oriented perspective, 2022 was a year full of releases and upgrades. A huge focus for the C4 team was to make quality-of-life improvements for Wardens, Judges and Sponsors. An example of this focus was taking the responsibility for de-duping and triaging issues identified in C4 audits away from the Sponsors. Now, the C4 team and community work together to pre-sort issues so that projects don’t have to stop building.
It was also identified that a wider range of offerings was needed to suit Sponsors’ needs, so in came the new Classified, Versus and Mitigation Review audit categories.
Classified: An audit competition structure designed to allow Sponsors to customize their privacy needs, featuring wardens who have met the conditions of the C4 Certified Warden program. All the benefits of a typical audit competition, with all the reassurance that sensitive information won’t get leaked.
Versus: This new category facilitates positioning the top wardens against each other to find the highest-severity vulnerabilities. 3, 5 or 10 of the highest-ranking wardens who choose to RSVP to the competition will be assigned to audit the code put forward by the Sponsor.
Mitigation Review: After an initial competition has finished and a project has been alerted to various types of vulnerabilities found by C4 Wardens, Sponsors tend to get to work making refactors and updates to mitigate the bugs found. Once the new code is ready for review, what better way to vet it than working with the highest-performing Wardens who found the vulnerabilities in the first place?
What’s next?
We’ve got some key goals in mind for the new year.
Facilitate talent development
In a space as fast-paced as ours, it’s often difficult for newcomers to get a proper handle on things. We want to help empower our community to be able to learn and level up in the industry to benefit themselves and the ecosystem as a whole. The C4 team has got some ideas in mind for how to do this, but if you’ve got any, we’d love to hear them.
Continue to grow the C4 ecosystem
Going back to one of our favorite phrases from earlier: “the more eyes on the code, the more vulnerabilities found”. We want to continue to grow the C4 ecosystem so that more code is being vetted by more eyes, making the DeFi space as a whole more secure.
Demonstrate how DAOs like C4 can contribute to the wider crypto ecosystem
In 2022, C4 aimed to contribute something positive to the crypto ecosystem by providing security to projects building in the space. In 2023, the C4 team will be creating opportunities to share our collective wins more publicly, so that more people understand the advantages DAOs can offer.
I want to finish up this post by reiterating just how grateful the C4 team is to be a part of this amazing community. The drive for improvement, shared passion and creativity seen at play every day are just some of the things that make me excited for 2023. C4 Wardens and Judges have proven time and again that competitive audits are the way forward, and the industry couldn’t ask for a more dedicated, talented group of people. Sponsors are setting a new standard by acknowledging the importance of security and actually doing something to protect their communities. We’re working together to change the landscape for the better here, and I can’t wait to see what we do next.
This new year is an opportunity for us to collectively continue to grow and secure the ecosystem in a meaningful and impactful way, and that makes me excited. If you’re curious about how you could contribute, we’d love to hear from you. Come visit our Discord and start your own journey.