These rules only apply when stated on the program’s page. If not mentioned, the project must freeze its code and keep all bug fixes private until the competition ends.
Audit competitions (ACs) on code that is already deployed, or that has ecosystem projects building upon it, cannot always freeze code. To give security researchers (SRs) the best experience securing such projects, and thereby maximize project security, the following mainnet AC rules apply.
Mainnet AC Rules:
- Bug Fixes: The project may make bug fixes during the competition.
- Duplicates: If someone else submits the same bug before a fix is public, it is valid.
- Out of Scope: Once a bug fix is made public, it immediately becomes out of scope for the competition.
- Mitigation Competition: If a bug is fixed during the mainnet AC, a new "mitigation competition" begins immediately while the mainnet AC is ongoing, and ends 5 days after it finishes. The mitigation competition is open for everyone to participate in.
- Scope of Mitigation Competition: All project bug fixes immediately become in scope for the mitigation competition once the fix is public, including fixes to bugs found independently of SRs.
Mitigation Competition Reward Pool
The mitigation competition’s reward pool depends on how many bugs are fixed during both competitions. The more bugs the project fixes during the competitions, the larger the reward pool, up to a maximum amount.
The formula to determine the mitigation competition reward pool is:
- [MaxMitigationRewards] * [TotalBugFixes / BugsFoundInMainnetAC]
All fixes to bugs found, even those found independently of competing SRs, count towards increasing the reward pool.
The maximum reward amount will be stated on the mainnet AC’s program page.
Mitigation Competition Reward Distribution
Rewards are distributed according to our Standardized Competition Reward Terms, except for Insights which are invalid for mitigation competitions and won’t be rewarded.
If no bugs are found in the mitigation competition, all unlocked rewards will be added to the mainnet AC’s reward pool instead.
Any mitigation competition rewards not unlocked are returned to the project.
Example: HyruleDAO
An example project, HyruleDAO, has launched an update and reached $100M TVL, but worries a bug might still be present. So it runs a mainnet AC with $100k in rewards. The competition runs January 1st to 20th; $80k is allocated to the mainnet AC and $20k to the mitigation competition.
Key Events:
- 10 unique bugs are found in the mainnet AC.
- On January 15th, HyruleDAO starts fixing some bugs, which triggers the mitigation competition.
- The mitigation competition begins as soon as the first bug fix is made on January 15th and lasts until January 25th, which is 5 days after the mainnet AC ends.
Fixes Made:
- 3 of the fixes were for bugs found by SRs in the mainnet AC.
- 1 fix was for a bug found independently by HyruleDAO itself.
- 1 fix addressed a bypass of an earlier fix that had not fully solved the bug.
Mitigation Competition Rewards:
- [$20k] * [5 / 10] = $10k
So, $80k goes to SRs who found bugs in the mainnet AC, $10k goes to SRs who found ways to bypass the fixes, and the remaining $10k is returned to HyruleDAO.
Bug fixes made after both competitions have ended are not included in either competition and are not rewarded from either.