
Comments (3)

0xA5DF commented on July 27, 2024

I think it should be considered in scope only if it's a known library (like OZ) and the bug is known.
If it's just some library that the sponsor wrote and they've omitted it from scope then any bug found in the library should be OOS imo.
Otherwise, the sponsor can refactor most of the code to a library and reduce the official scope size without reducing the actual scope.

Also note that on Immunefi the scope has a different meaning than on C4. On C4 the bigger the scope is the bigger the pool of the contest (as there's more code to review). On Immunefi it just means that the sponsor is committed to paying a bounty if any bug is found - so in that case it makes sense to say that any bug that affects the contract should be considered in scope.


GalloDaSballo commented on July 27, 2024

A comment on Twitter should not be looked at as proof that the finding was actually awarded and paid out.

By definition if Library B is used in Contract A, then the functions used are part of the scope

A function that is not used cannot be claimed into scope

The finding would be judged on the impact on Contract A, if B can impact it then I think it would be considered


kartoonjoy commented on July 27, 2024

Per the Autumn 2023 C4 Supreme Court verdicts, the Supreme Court's verdict on this issue is:

We would like to clarify the situation where an in-scope contract composes/inherits with an OOS contract, and the root cause exists in the OOS contract. In such cases, the finding is to be treated as OOS, while exceptional scenarios are at the discretion of the judge.

At the consultative level, we advise that the sponsor (not the scout) must be held responsible for the final list of files in scope (scope.txt). This would remove any gray areas around scope when contracts are interdependent. The Sponsor must understand that adding a file to scope.txt means it’s in scope, while the omission of a file means it’s out of scope, even if the file will be part of the deployed contracts.

Link to verdict: https://docs.google.com/document/d/1Y2wJVt0d2URv8Pptmo7JqNd0DuPk_qF9EPJAj3iSQiE/edit#heading=h.3dpk76zh9wl5
