@DianaPerkinsDesign
No awards on slingshot (1) or ElasticDAO

No artwork on anything before Reality Cards (round 1), except maple.
https://code4rena.com/contests/2021-04-vader-protocol-contest

Currently, if the sponsor link field is not filled out, the site will still create an empty anchor tag.

As part of fixing this issue, we should also fill out any missing sponsor links if we think we have the data.

In https://code423n4.com/reports/2021-04-basedloans/

1_000_000 is shown as 1000000 with some zeros in italic

I guess this is a markdown feature and can probably be fixed by escaping the _:
1_000_000

Let's make 'em match the background a little better.

The findings submission form submits the actual contest title as the ID field instead of the numeric value, which creates a bit of a headache when processing judging sheets.

From warden Alex (axic) on discord:

Not sure if this is the right place, but a suggestion for the site: include a status page, which lists every campaign/project and its current status (paid out, judge review, sponsor review, in progress, preview week, planned).

Currently this information is scattered between the reports page, the main page, and the #📢announcements channel.

Can we encourage new wardens to head over to our Discord after they've completed the registration form? Currently the process relies on them remembering to complete two disparate steps, as outlined in the docs: "Pop into Discord and give us a howl in #i-want-to-be-a-warden and register using this form."

Would be helpful to point them to Discord as soon as they register using the form, so instead of this:

…maybe a message something like this?

One more step…

Your handle has been registered -- now (if you haven't already done so) head over to the C4 Discord and give us a howl in #i-want-to-be-a-warden

Noticed at least a few builds ago that I've got a few console.log() statements that we need to remove.

Currently, the leaderboard is updated by manually updating the _data/findings/findings.json file by copy/pasting in the contents of the [sponsor]-results.json output from running the award.ts script in the awardCalc repo. There are then some manual data validation steps:

1. Verify it's still valid json.
2. Verify contest IDs are integers not strings.
3. Validate warden handles against the registered handles found in _data/handles.

Ideally, the contents of [sponsor]-results.json from the awardCalc repo is automatically appended to the findings.json file in this repo and has the data validation done automatically. When successful it should automatically build and deploy. This should probably be done separately from running the award.ts and report.ts scripts so that there aren't superfluous site deploys.

Errors from a fresh build that disappear on the second:

ERROR #11321  PLUGIN

"gatsby-node.js" threw an error while running the onCreateNode lifecycle:

Not Found

  67 |
  68 | async function fetchReadmeMarkdown(contestNode) {
> 69 |   const { data } = await octokit.request("GET /repos/{owner}/{repo}/readme", {
     |                    ^
  70 |     owner: "code-423n4",
  71 |     repo: `${getRepoName(contestNode)}`,
  72 |     headers: {

File: gatsby-node.esm.js:69:20



  HttpError: Not Found

  - fetch-wrapper.js:68
    [code423n4.com]/[@octokit]/request/dist-src/fetch-wrapper.js:68:27

  - task_queues:96 processTicksAndRejections
    node:internal/process/task_queues:96:5

  - gatsby-node.esm.js:69 fetchReadmeMarkdown
    /Users/josh/Workspace/code-423n4/code423n4.com/gatsby-node.esm.js:69:20

  - gatsby-node.esm.js:171 Proxy._e57‍.r.exports.onCreateNode
    /Users/josh/Workspace/code-423n4/code423n4.com/gatsby-node.esm.js:171:28

  - api-runner-node.js:430 runAPI
    [code423n4.com]/[gatsby]/src/utils/api-runner-node.js:430:16

Site Updates

• logo added to site @DianaPerkinsDesign
• hero copy change (#341) @DianaPerkinsDesign
• contest pages (#48) @DianaPerkinsDesign
• Update favicon
• update any references to twitter handle??

DNS/Netlify/redirects

• Netlify C4 website config making code4rena.com the main site
• Netlify DNS config making code423n4.com point to redirect repo
• Netlify redirects app config point to code4rena.com/* instead

Twitter

• announcement tweet
• new avatar designed @tealtigrrr
• new header art designed
• new images uploaded @CloudEllie
• name/handle updated

Other sites/tools

• Update Discord avatar/name/links @CloudEllie @itsmetechjay
• Update Discourse avatar/name/links
• Update Gitbook docs avatar/name/links @CloudEllie @itsmetechjay
• Update GitHub avatar/name/links

Moving to a later release:

• routing emails? @ninek9
• get an audit page page (#342)
• compete page (#343)
• minor ux style updates (if time allows)

Description:
Define c4 brand

Requirements:

• logo
• color scheme
• typography
• basic ui elements

From Warden Kenzo:

This is quite small, but I would love if on the main page we would have after the "View Contest" button a "View Repo" button.
Anyway as a warden I always have to go to the repo itself, so having to enter contest page first just adds an unnecessary step

I think we should write sales pages (so to speak) that lay out the value of participating for each of the audiences we're serving:

• sponsors
• pro solidity devs
• advanced white hats
• security researchers new to smart contracts
• solidity devs new to security research

(the last two might be the same page)

Description:
Create page that explains how the C4 audit process works and provide potential sponsors with next steps.

Content Needed:

• Contest role definitions (from previous homepage hero)
• How a contest works
• ??

Design Mockup:

It has a moire effect to it right now.

Would be nice if the code blocks (wrapped in triple backtics with a designated language) in the reports published on the website, showed up with the easier to read syntax highlighting they do on GitHub. e.g.

function _seedMarketInitially(uint256 initialMarketSeedForEachMarketSide, uint32 marketIndex) internal virtual {

markdown rendering of the same file with website (sans syntax-highlighting) on left

It would be nice to have a page showing the awards from a given contest on a nice social-media-sharable page.

Let the wardens proof what they're writing before they send it. Suggested by warden Gerard Persoon.

We don't have one set up yet! We'll need:

• Design / Writing (Something funny, maybe?)
• Development

In addition to having a source of truth for where to send awards to, it reduces repetitive data input on findings forms.

• should potentially do a test transaction to validate?

For the sake of clarity, let's rename this repo to code423n4.com to match the public version of the site.

This is a low priority item. We can handle it as part of configuring the new site.

ElasticDAO report: http://bafybeicvxkopnuuxzitpf6vfh5gvglfooxr5fos36327gilky5nvqz757y.ipfs.localhost:8080/?filename=Code%20423n4%20ElasticDAO%20Findings%20and%20Analysis.pdf

ElasticDAO medium post: https://medium.com/code-423n4/40k-awarded-30-smart-contract-bugs-found-in-helping-elasticdao-launch-more-securely-c30df67593dd

This is generated in countdown.js

Description:
Update text on homepage hero section and add two CTA buttons.

Content:
Text:

• Possible headline: “The Future of Audits is decentralized”
• Remove the role definitions (we'll re-add them somewhere else!)

CTAs - both link to pages of the same title

• Get an Audit >
• Compete in a contest >

Design:

Sometimes after an automatic deploy of the site, contest urls and images are mismatched. This is a serious problem because it can result in active contest pages not being accessible via links from the home page.

The easiest and thus far 100% effective method of resolving this issue is visiting the site's Netlify build page and triggering a new deploy using the "Clear cache and deploy site" option.

If it was possible to just force a cache clear on every netlify deploy (it doesn't seem to be?), that would absolutely resolve it -- but that's not ideal anyway as it eliminates the value of cacheing in the first place.

Based on my limited understanding, there seem to be multiple potential culprits:

• Netlify site — It may work to just completely delete the current setup and re-initialize a new netlify site config. this needs a bit of coordination though as it will take the site offline for a bit in order to remove the domain config associated with the old site config and set it up for the new one
• Gatsby cache — we might try updating to a newer version of gatsby or digging deeper into any known gatsby cache issues
• serviceworker config — browsers cache service workers for 24h and don’t update on reload. A serviceworker could be interfering somehow
• npm vs yarn — we are using yarn but netlify uses npm by default. I have seen some people talk about inconsistent results from netlify builds based on yarn. haven't reviewed whether netlify is actually running yarn -- it's supposed to if it detects a yarn.lock file.
• Netlify cache bug — maybe there's a bug here somewhere? (seems least likely)

Some references:

• Netlify's options for custom cache headers
• HTTP cache control documentation
• Harry's piece on Cache Control for Civilians is a pretty thorough reference and explainer of these configuration options.

Sketching graphql schema pseudocode here using the rough idiom of gatsby schemas.

From this we should be able to derive a historical leaderboard, too.

Anything seem missing?

Person {
  name:           String
  link:           String
  image:          String
  contests:       [ Contest ] @link
  findings:       [ Finding ] @link
  award_total:    (calculated)
  finding_total:  (calculated)
}

Org {
  name:           String
  link:           String
  image:          String
  description:    String
  contests:       [ Contest ] @link
}

Contest {
  start_time:     Date
  end_time:       Date
  sponsors:       [ Org ] @link
  wardens:        [ Person ] @link
  judges:         [ Person ] @link
  awards:         [ Award ] @link
  active:         Boolean
  details:        String
}

Finding { 
  contest:       Contest @link
  recipient:     [ Person ] @link  
  type:          String
  award:         Int
}

Description:
Create a page explaining how to become a warden, compete in contests & the benefits of doing so

Content Needed:

• Contest role definitions (from previous homepage hero)
• How a contest works
• ??

Design Mockup:

When looking at a glance at the current contest, its difficult to see the difference between the current contest and the next contest.

Last time there was no contest, I looked at the page and thought I had overlooked the active contest.
See snippets below:

This could easily be fixed by giving the current contest a (slightly) different visual

We should check that required fields are filled out before calling the function to submit findings. Without this, a warden can fill out all but one required field, submit the form, and then an error is thrown, which shows a vague error message that requires them to reload the page and lose all of the content that they filled out.

Side note - the descriptive error message isn't shown, but it should be. When info is missing, instead of showing the error message from the function "Email, handle, address, risk, title, body, and labels are required." we just show "An error occurred"

Near-term:

• Add readme content to website
• Add judging criteria to website
• Add submission policy to website
• Add current contest info to home page

Next:

• Create page for each sponsors’ contest
• List avatars / social links / (bios?) of wardens and judges
• Create ‘register’ page for participants to submit their info for inclusion

Later:

• Build site on gatsby (or similar) to allow easy content edits

Thoughts?

The current list of wardens is long, and it'd be nice to have a way to search for a name to filter the select content.

When sponsors or judges enter an image as part of their comment, the full-size image is displayed, regardless of screen size

Let's discuss some ways we can encourage wardens to submit higher-quality findings, via nudges on the findings submission form.

Some things we want to encourage:

• Accuracy
  • cite the location (contract + line(s) of code)
  • confirm the finding is within scope (per the repo's readme)
  • appropriate risk assessment
• Thoroughness
  • Well-articulated and well-explained findings are more likely to be accepted by sponsors
  • They are also more likely to be selected for inclusion in the report.
• Proof of Work
  • Provide an explicit description of the possible attack(s) -- not just a general type of vulnerability
  • Describe the potential damage as clearly and concretely as possible.

At one point I started drafting up a "How to report a vulnerability" document but then Sock suggested (and I agreed) it would be better integrated into the submission form.

Here is a message that judge ghoul.sol posted in our Discord to encourage higher quality submissions from wardens:

I noticed that in some bug reports you are not providing explicit descriptions of the attack. I'm a solidity dev too and I know that you see patterns and you can quite quickly identify places that look like they have an exploit but that's not enough for sponsor to be valuable. You have to provide explicit description how to exploit the protocol.

For example, if you see a function that does some external calls in the middle of the logic, you can quickly think "ok, there might be some reentrancy issues here". However, if you create an issue and just say that "there's a possible reentrancy" and mark it as high risk, I have no choice but disagree and make it non-critical as reentrant function does not equal exploit and in the end you are just providing best practices recommendation. You have to explain in the description how you can perform the attack and what damages you can do to the protocol. Only then, it's a high risk.

We want to add competitors' links and avatars to the website.

If you're participating in the Slingshot Finance contest, drop a comment here with your:

• handle / name
• preferred avatar
• link

Thanks! 🌈

NOTE: If you've already added an avatar and are participating in a new contest, just drop a comment.

Should disable the submit button if no handle is selected in the form.

We should also update the info to direct users to the new warden signup form rather than instructing them to submit a PR.

• Add to contest data json
• If contest is active, show form link in box on home page

Steps:

• goto https://code423n4.com (observe the sort order of the contests)
• click on Leaderbord
• click on the "back" button
• now the contests are sorted in reverse order
  See screenshot:
  

I suggest active contests are prioritized in the contest list on the home page over future and completed contests. Completed contests could also be hidden once they're no longer active.

Currently we use a plain <a> element to link to the report page for a specific contest, which triggers a full page reload. We should switch to using <Link> so that we can benefit from the optimizations that Gatsby does automatically.

With repeat sponsors and sponsors getting different projects audited, just the sponsor name is no longer sufficient.

Because of outdated docs, we have some wardens not showing up on the leaderboard who have findings in the data set.

The contents of the data/handles folder simply needs to get moved from _data/handlesinstead. It would be ideal to double check that these handles match the handles in_data/findings/findings.json`.

And we should update the docs, too, as @alexon1234 pointed out in #33:

If [json files] should be added inside _data, we should update the README.md because in there it says
1. Add a JSON file for yourself at data/handles

• update readme for correct path to data
• relocate data folder to _data
• check that warden handles in _data/findings/findings.json match the handles added to _data/handles
• identify any handles that are in findings.json but aren't yet on the leaderboard and create an issue with any wardens who haven't added data to handles folder yet.

Warden elprofesor suggested: is it possible to get the severity of the bug added to the C4 emails that are sent out after we submit an issue?

Create an 'everything you need to know about participating in this contest' template for active / upcoming contests which includes:

• start / end time
• prize pool(s)
• links to docs
• links to repo
• links to examples of past contests
• links to tools, tips, educational material re: smart contract vulnerabilities

Update: This page will be built based on Diana's mockups (linked in the comments)

functions formatted with backticks to look like code just look like plain text on the final report pages hosted on the website. not sure whats up, but I'm pretty sure we want them to

e.g. https://code423n4.com/reports/2021-04-vader/