Skip to main content

Frequently Asked Questions

FAQ For Organizations

Coming soon - questions from organizations about security services.

FAQ for Researchers

Competitions FAQ

Where can I see my results card?

On the competition page you have participated on. If you don’t see it yet, it will display soon as the feature is retroactively applied.

My issue is marked as a duplicate of another issue, but I disagree since my issue is misunderstood and not a duplicate, how do I fix this?

If your finding was marked as duplicate and you disagree, you can escalate it during the escalation phase.

Does it matter who submitted the finding first?

No, every finding is scored the same regardless of when it was submitted during the contest duration. We highly encourage you to spend time writing great findings. We also encourage submitting it as soon as you have a great write-up. This way, the team can often leave feedback on the finding and plan for fixes. We particularly want to discourage people who submit findings at the last moment.

Can I withdraw findings that I submitted?

Yes, you can withdraw findings by going to the finding context menu and clicking ‘withdraw finding’.

How are low-severity / informational / gas-optimization scored and judged?

Some competitions may have a pool reserved for low-severity, informational and gas-optimization. This would be explicitly mentioned in the competition specific page, and these prizes are awarded for the top findings. Note: only quality of the findings are considered, not quantity. Excellent writeups for high and medium severity findings can also get awards from this separate pot.

Security Audits FAQ

How to access cantina repo?

A core team member must set it up first, then share the link with you. Direct access to cantina repo from SR dashboard not yet supported. A workaround is to:
  • Access it through notifications.
  • Saving the link corresponding to the cantina repo audit.
  • If it’s related to Competitions:
    • Click on your user profile on the top right side of the interface.
    • Access it through the Security Researcher Dashboard

I am doing a security audit and not a competition. Can the client see my comments and findings?

Yes, but it may be hard to locate comments. When leaving comments, always ping @project so they receive a notification. Note that when a comment is a reply to another comment, all the users that left a comment in the thread will get a notification.

Can I ping fellow SRs?

No. It is not possible to ping the username of the security researchers in your team yet.

Can I communicate natively on a cantina repo?

Chat like functionality is not yet available. You can nevertheless:
  • Communicate via comments.
  • Communicate on the finding thread.
  • Ask the core team to set up private discord communication channels.

Can I mark finding as FIXED or ACKNOWLEDGED?

Not yet. To finalize the status of a finding it will have to be done with a comment on that finding.

Can I download a cantina repository?

Yes. You can download repository content via the sidebar. You should nevertheless have access to the original repo with the code in scope (if you do not, reach out to core team).