Comments (3)
I think it should be considered in scope only if it's a known library (like OZ) and the bug is known.
If it's just some library that the sponsor wrote and they've omitted it from scope then any bug found in the library should be OOS imo.
Otherwise, the sponsor can refactor most of the code to a library and reduce the official scope size without reducing the actual scope.
Also note that on Immunefi the scope has a different meaning than on C4. On C4 the bigger the scope is the bigger the pool of the contest (as there's more code to review). On Immunefi it just means that the sponsor is committed to paying a bounty if any bug is found - so in that case it makes sense to say that any bug that affects the contract should be considered in scope.
A comment on Twitter should not be looked at as proof that the finding was actually awarded and paid out.
By definition if Library B is used in Contract A, then the functions used are part of the scope
A function that is not used cannot be claimed into scope
The finding would be judged on the impact on Contract A, if B can impact it then I think it would be considered
Per the Autumn 2023 C4 Supreme Court verdicts, the Supreme Court's verdict on this issue is:
We would like to clarify the situation where an in-scope contract composes/inherits with an OOS contract, and the root cause exists in the OOS contract. In such cases, the finding is to be treated as OOS, while exceptional scenarios are at the discretion of the judge.
At the consultative level, we advise that the sponsor (not the scout) must be held responsible for the final list of files in scope (scope.txt). This would remove any gray areas around scope when contracts are interdependent. The Sponsor must understand that adding a file to scope.txt means it’s in scope, while the omission of a file means it’s out of scope, even if the file will be part of the deployed contracts.
Link to verdict: https://docs.google.com/document/d/1Y2wJVt0d2URv8Pptmo7JqNd0DuPk_qF9EPJAj3iSQiE/edit#heading=h.3dpk76zh9wl5