3DOↃ Security

You can measure how vulnerable the code is after a contest. This can help: - Projects and users to estimate hack risk - Bug hunters to scope targets - Ecosystem to track what works best - Platforms to manage reputation risk TL;DR: More solo findings -> more hidden bugs. This works for most formats: flat pot, conditionals, invitationals, reserved auditors. As long as duplicates are allowed. ### Recent examples: - Cork exploit: last private contest had 4 solo mediums (out of 4 total mediums). "Chao 1 bias-corrected" estimates 6 unfound bugs. Jackknife 8 more bugs. - BeraBorrow's Recon's recent post about a critical: private contest had 8 solo mediums (out of 15 mediums), 6 doubletons (doubletons = found by two auditors). Chao 1: 4.5 more bugs, Jackknife: 9 more bugs. ### The science of capture-recapture There are many disciplines that use this approach: software engineering, quality control, biology & ecology, epidemiology, criminology, linguistics. Similarly, there are many estimator formulas: Lincoln-Petersen, Chapman, Schnabel, Schumacher–Eschmeyer, Jolly–Seber, Chao 1 & 2, ACE, ICE, Jackknife 1 & 2, Bootstrap, Zelterman, Good–Turing, etc. Will post some links below. Two simple examples are Jackknife 1 & 2, Chao 1 & 2 which roughly say : - Jackknife 2 (second-order, simplified): `unfound = 2 * uniques - doubletons`. Jackknife is more popular in software-inspection studies. - Chao 1: `unfound = (uniques^2) / (2 * doubletons)`. (A slightly different version for no doubletons) Specifics don't matter really - pick your favorite from the long list. What's important is they all say: more unique findings -> more hidden bugs. ### Intuitions Math is not always intuitive, so here are some intuitions. 1. Parallel worlds: If a bug is unique to one finder, there’s a parallel world where it stayed hidden because he got sick, or was booked on an audit, or just missed it. Maybe you're in that parallel world. In contrast, if there are many duplicates - in most worlds the same bugs are found. 2. Serial auditing: If you imagine auditors working in sequence, the contest is just a stopping point for the sequence. The contest with uniques stopped when new bugs were still being found, so more like these remain. In contrast, the contest with only duplicates stopped after finding most bugs of similar rarity. ### What can we do?! 1. Measure: what platforms, pot sizes, contest formats give the best coverage? 2. Educate clients on the more secure formats with data. 3. If you're a project, check if your contest was weak. ### No solo findings = code is safe? No. It's possible whole classes of niche bugs (e.g. cryptography) or higher complexity bugs were not found because pot was too low. That's always a risk. This rule doesn't tell as what's safe, but it tells us what's LIKELY still vulnerable. --------- See next tweet for links and statistical nitpicking

Code4rena will run audit contests for free, as public goods. 100% of funds from sponsors will go directly to auditors and judges. We won't take any cut. Why? 1. Competitions are commodities. They're CRUD apps. Why should builders pay premium for a website just to submit bugs? Especially smaller teams without VC funding. 2. Everyone deserves competitions. We tell all our clients to get a competition after their audit. That's because competitions simulate real world conditions, where there's thousands of eyes on a protocol. We want to make competitions as affordable as possible so everyone can get one. 3. It benefits our wardens. In 2021, we invented the competition format. We're still the platform with the largest auditor pool (10,000+ registered). Not only should builders have access to the best security talent, we believe auditors should have opportunities to work with great projects. Opening up our platform benefits our wardens. How will you afford this? Zellic is a profitable business. We make money doing traditional private audits through Zellic and Zenith. This benefits us because: (1) our clients are more secure after they run contests, and (2) Code4rena is a talent pipeline for Zenith. Will you stop maintaining the platform? Of course not. Since we acquired Code4rena, we've shipped several features and have several more already underway. C4 has a dedicated dev team that we're fully committed to. Besides, many of our clients at Zellic use C4. We're incentivized to make sure the platform works well. It's just that now we're allowing everyone to benefit from our investments in Code4rena. In conclusion: Run a contest on Code4rena! We won't take a cut, your prizes will go directly to wardens and judges. For full details, check out our blog post here: https://t.co/IaqxFLZ7rq