From 43974d9c80ef42ed06e6e12ae8bc5965fd61f25b Mon Sep 17 00:00:00 2001 From: WangSecurity <134382756+WangSecurity@users.noreply.github.com> Date: Tue, 4 Nov 2025 23:51:17 +0300 Subject: [PATCH 1/5] changed EIP guidelines Clarified it doesn't require Medium impact, but has to align with common sense --- audits/judging/guidelines/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audits/judging/guidelines/README.md b/audits/judging/guidelines/README.md index 96acfa4..797f00c 100644 --- a/audits/judging/guidelines/README.md +++ b/audits/judging/guidelines/README.md 
@@ -153,7 +153,7 @@ If the original report does not include a Proof of Concept (PoC), it will be con ### VIII. List of Issue categories that are considered valid: 1. **Slippage** related issues showing a direct loss of funds with a detailed explanation for the same can be considered valid **high** -2. **EIP Compliance:** For issues related to EIP compliance, the protocol & codebase must show that there are important external integrations that would require strong compliance with the EIP's implemented in the code. The EIP must be in regular use or in the **final state** for EIP implementation issues to be considered valid +2. **EIP Compliance:** For issues related to EIP compliance, the protocol must mention EIP in the contest README, and issues violating "MUST" statements in the EIP specifications (excluding statements in code comments in the EIP specifications), irrspective of whether the impact is low/unknown, may be assigned Medium severity if it doesn't conflict with common sense. The EIP must be in regular use or in the **final state** and the report must show potential problems with external integrations for EIP implementation issues to be considered valid Medium. 3. **Identifies the core issue:** In case of issues that have a large number of duplicates, Issues that identify the core issue and show valid loss of funds should be grouped. 4. **Out of Gas:** Issues that result in Out of Gas errors either by the malicious user filling up the arrays or there is a practical call flow that results in OOG can be considered a valid **medium** or in cases of blocking all user funds forever maybe a valid **high**.**Exception:** In case the array length is controlled by the trusted admin/owner or the issue describes an impractical usage of parameters to reach OOG state then these submissions would be considered as **low**. 5. 
**Chainlink Price Checks**: Issues related to minAnswer and maxAnswer checks on Chainlink's Price Feeds are considered medium only if the Watson explicitly mentions the price feeds (e.g. USDC/ETH) for the in-scope tokens on the in-scope chains that require this check. **Additionally**, a proper attack path and at least medium severity impact must be included in the report. See [this](https://stackoverflow.com/questions/78558661/which-chainlinks-price-feeds-still-have-minanswer-and-maxanswer-checks) to know if min/maxAnswer are deprecated on the price feed. From abfddf54ef012431217db874b405ba2f7a20a1f7 Mon Sep 17 00:00:00 2001 From: WangSecurity <134382756+WangSecurity@users.noreply.github.com> Date: Wed, 5 Nov 2025 00:03:37 +0300 Subject: [PATCH 2/5] Update CONTEST_QA_README.csv EIP question to make it clearer for the contest teams that EIP issues can be Med even with no Med/High impact. --- CONTEST_QA_README.csv | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CONTEST_QA_README.csv b/CONTEST_QA_README.csv index 6135395..642e759 100644 --- a/CONTEST_QA_README.csv +++ b/CONTEST_QA_README.csv 
@@ -14,7 +14,7 @@ Example answer: "Are there any limitations on values set by admins (or other roles) in protocols you integrate with, including restrictions on array lengths?","Same as above, except this applies to access-restricted functions of protocols you integrate with. It is common to answer ""No,"" as protocols typically trust the governance of the protocols they integrate with.",4 -Is the codebase expected to comply with any specific EIPs?,"Please explain the underlying intention behind integrating with each EIP, and how compliance with these EIPs aligns with your protocol's goals.",5 +What EIPs the codebase is expected to comply with if any?,"Note that the EIP-compliance issues will be considered Medium severity even if the actual impact is low/unknown even in view functions.",5 "Are there any off-chain mechanisms involved in the protocol (e.g., keeper bots, arbitrage bots, etc.)? We assume these mechanisms will not misbehave, delay, or go offline unless otherwise specified.","Please provide information on how these off-chain bots (e.g., keeper bots, arbitrage bots) read and process on-chain data.",6 What properties/invariants do you want to hold even if breaking them has a low/unknown impact?,"For example, the invariant is the amount of the underlying tokens must equal the amount of vault tokens. Even if breaking this invariant has a low impact, it could be assigned Medium severity. You can answer ""No"" if there are no specific invariants you want to hold.",7 Please discuss any design choices you made.,"For example: ""We chose to ignore fees in some calculations because they unnecessarily overcomplicated formulas, but didn't have practically any impact on the final result. But, if this approximation may cause a serious loss of funds, it may be a valid finding.""",8 
@@ -22,3 +22,4 @@ Please provide links to previous audits (if any) and all the known issues or acc Please list any relevant protocol resources.,"Please link to the docs, whitepaper, and the website for Watsons to gather context on the audit.",10 Additional audit information.,"If you'd like to specify what areas would you like Watsons to look into, this is a perfect place to do so. In case you forked any contracts, please provide a diff from the original ones. You can also provide a diff of the contracts after your last audit(s). This will direct Watsons' focus on the least battle-tested parts.",11 + From 59f0ebd21b1b600035739e66fa0ea3741d5d0a7c Mon Sep 17 00:00:00 2001 From: WangSecurity <134382756+WangSecurity@users.noreply.github.com> Date: Wed, 5 Nov 2025 00:06:53 +0300 Subject: [PATCH 3/5] Further clarify EIP compliance guideline Clarified EIP compliance criteria and included view function violations in severity assessment. --- audits/judging/guidelines/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audits/judging/guidelines/README.md b/audits/judging/guidelines/README.md index 797f00c..f4c741c 100644 --- a/audits/judging/guidelines/README.md +++ b/audits/judging/guidelines/README.md 
@@ -153,7 +153,7 @@ If the original report does not include a Proof of Concept (PoC), it will be con ### VIII. List of Issue categories that are considered valid: 1. **Slippage** related issues showing a direct loss of funds with a detailed explanation for the same can be considered valid **high** -2. **EIP Compliance:** For issues related to EIP compliance, the protocol must mention EIP in the contest README, and issues violating "MUST" statements in the EIP specifications (excluding statements in code comments in the EIP specifications), irrspective of whether the impact is low/unknown, may be assigned Medium severity if it doesn't conflict with common sense. The EIP must be in regular use or in the **final state** and the report must show potential problems with external integrations for EIP implementation issues to be considered valid Medium. +2. **EIP Compliance:** For issues related to EIP compliance, the protocol must mention EIP in the contest README, and issues violating "MUST" statements in the EIP specifications (including violations in view functions, but excluding statements in code comments in the EIP specifications), irrspective of whether the impact is low/unknown, may be assigned Medium severity if it doesn't conflict with common sense. The EIP must be in regular use or in the **final state** and the report must show potential problems with external integrations for EIP implementation issues to be considered valid Medium. 3. **Identifies the core issue:** In case of issues that have a large number of duplicates, Issues that identify the core issue and show valid loss of funds should be grouped. 4. 
**Out of Gas:** Issues that result in Out of Gas errors either by the malicious user filling up the arrays or there is a practical call flow that results in OOG can be considered a valid **medium** or in cases of blocking all user funds forever maybe a valid **high**.**Exception:** In case the array length is controlled by the trusted admin/owner or the issue describes an impractical usage of parameters to reach OOG state then these submissions would be considered as **low**. 5. **Chainlink Price Checks**: Issues related to minAnswer and maxAnswer checks on Chainlink's Price Feeds are considered medium only if the Watson explicitly mentions the price feeds (e.g. USDC/ETH) for the in-scope tokens on the in-scope chains that require this check. **Additionally**, a proper attack path and at least medium severity impact must be included in the report. See [this](https://stackoverflow.com/questions/78558661/which-chainlinks-price-feeds-still-have-minanswer-and-maxanswer-checks) to know if min/maxAnswer are deprecated on the price feed. From 3f030e0101fe420ad144f6f7aabc69c2cc21e3f6 Mon Sep 17 00:00:00 2001 From: WangSecurity <134382756+WangSecurity@users.noreply.github.com> Date: Wed, 5 Nov 2025 00:50:36 +0300 Subject: [PATCH 4/5] Update README.md --- audits/judging/guidelines/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audits/judging/guidelines/README.md b/audits/judging/guidelines/README.md index f4c741c..8b77cec 100644 --- a/audits/judging/guidelines/README.md +++ b/audits/judging/guidelines/README.md 
@@ -153,7 +153,7 @@ If the original report does not include a Proof of Concept (PoC), it will be con ### VIII. List of Issue categories that are considered valid: 1. **Slippage** related issues showing a direct loss of funds with a detailed explanation for the same can be considered valid **high** -2. **EIP Compliance:** For issues related to EIP compliance, the protocol must mention EIP in the contest README, and issues violating "MUST" statements in the EIP specifications (including violations in view functions, but excluding statements in code comments in the EIP specifications), irrspective of whether the impact is low/unknown, may be assigned Medium severity if it doesn't conflict with common sense. The EIP must be in regular use or in the **final state** and the report must show potential problems with external integrations for EIP implementation issues to be considered valid Medium. +2. **EIP Compliance:** For issues related to EIP compliance, the protocol must mention EIP in the contest README, and issues violating "MUST" statements in the EIP specifications (including violations in view functions, but excluding statements in code comments in the EIP specifications), irrspective of whether the impact is low/unknown, may be assigned Medium severity if it doesn't conflict with common sense. For the issue to be considered valid Medium, the report must explicitly mention the broken EIP and show potential problems with external integrations for EIP implementation issues; and the EIP must be in regular use or in the **final state**. 3. **Identifies the core issue:** In case of issues that have a large number of duplicates, Issues that identify the core issue and show valid loss of funds should be grouped. 4. 
**Out of Gas:** Issues that result in Out of Gas errors either by the malicious user filling up the arrays or there is a practical call flow that results in OOG can be considered a valid **medium** or in cases of blocking all user funds forever maybe a valid **high**.**Exception:** In case the array length is controlled by the trusted admin/owner or the issue describes an impractical usage of parameters to reach OOG state then these submissions would be considered as **low**. 5. **Chainlink Price Checks**: Issues related to minAnswer and maxAnswer checks on Chainlink's Price Feeds are considered medium only if the Watson explicitly mentions the price feeds (e.g. USDC/ETH) for the in-scope tokens on the in-scope chains that require this check. **Additionally**, a proper attack path and at least medium severity impact must be included in the report. See [this](https://stackoverflow.com/questions/78558661/which-chainlinks-price-feeds-still-have-minanswer-and-maxanswer-checks) to know if min/maxAnswer are deprecated on the price feed. From eb51349ea368cf9cdacfa71b01c46ef5a6d2f830 Mon Sep 17 00:00:00 2001 From: WangSecurity <134382756+WangSecurity@users.noreply.github.com> Date: Wed, 5 Nov 2025 00:53:02 +0300 Subject: [PATCH 5/5] Update EIP Compliance criteria in README Clarified requirements for EIP compliance issues in the guidelines. --- audits/judging/guidelines/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audits/judging/guidelines/README.md b/audits/judging/guidelines/README.md index 8b77cec..b3c2dae 100644 --- a/audits/judging/guidelines/README.md +++ b/audits/judging/guidelines/README.md 
@@ -153,7 +153,7 @@ If the original report does not include a Proof of Concept (PoC), it will be con ### VIII. List of Issue categories that are considered valid: 1. **Slippage** related issues showing a direct loss of funds with a detailed explanation for the same can be considered valid **high** -2. **EIP Compliance:** For issues related to EIP compliance, the protocol must mention EIP in the contest README, and issues violating "MUST" statements in the EIP specifications (including violations in view functions, but excluding statements in code comments in the EIP specifications), irrspective of whether the impact is low/unknown, may be assigned Medium severity if it doesn't conflict with common sense. For the issue to be considered valid Medium, the report must explicitly mention the broken EIP and show potential problems with external integrations for EIP implementation issues; and the EIP must be in regular use or in the **final state**. +2. **EIP Compliance:** For issues related to EIP compliance, the protocol must mention EIP in the contest README, and issues violating "MUST" statements in the EIP specifications (including violations in view functions, but excluding statements in code comments in the EIP specifications), irrspective of whether the impact is low/unknown, may be assigned Medium severity if it doesn't conflict with common sense. For the issue to be considered valid Medium, the report **must** explicitly mention the violated EIP requirement and show potential problems with external integrations; and the EIP must be in regular use or in the **final state**. 3. **Identifies the core issue:** In case of issues that have a large number of duplicates, Issues that identify the core issue and show valid loss of funds should be grouped. 4. 
**Out of Gas:** Issues that result in Out of Gas errors either by the malicious user filling up the arrays or there is a practical call flow that results in OOG can be considered a valid **medium** or in cases of blocking all user funds forever maybe a valid **high**.**Exception:** In case the array length is controlled by the trusted admin/owner or the issue describes an impractical usage of parameters to reach OOG state then these submissions would be considered as **low**. 5. **Chainlink Price Checks**: Issues related to minAnswer and maxAnswer checks on Chainlink's Price Feeds are considered medium only if the Watson explicitly mentions the price feeds (e.g. USDC/ETH) for the in-scope tokens on the in-scope chains that require this check. **Additionally**, a proper attack path and at least medium severity impact must be included in the report. See [this](https://stackoverflow.com/questions/78558661/which-chainlinks-price-feeds-still-have-minanswer-and-maxanswer-checks) to know if min/maxAnswer are deprecated on the price feed.
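Review bot: "irrspective" in the added line of PATCH 1/5's README.md hunk (@@ -153,7 +153,7 @@) is a typo for "irrespective", and it is carried unchanged into every later revision of the same line (PATCH 3/5, 4/5 and 5/5), so it should be fixed in the final version. The same added line says "the protocol must mention EIP in the contest README", which needs an article or a plural: "must mention the EIP(s) in the contest README".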
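Review bot: the rewritten question in PATCH 2/5's CONTEST_QA_README.csv hunk (@@ -14,7 +14,7 @@) is ungrammatical; suggest "Which EIPs, if any, is the codebase expected to comply with?". The new answer cell states that EIP-compliance issues "will be considered Medium severity even if the actual impact is low/unknown even in view functions", which is stronger than the guideline wording this same series introduces ("may be assigned Medium severity if it doesn't conflict with common sense", and only when the report shows potential problems with external integrations); the CSV and the README should agree, e.g. "may be assigned Medium severity even if the actual impact is low/unknown, including in view functions, provided the report shows potential problems with external integrations." The old answer also asked teams to explain the intention behind each EIP integration; the new answer drops that prompt, so consider keeping it alongside the severity note.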
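Review bot: the hunk @@ -22,3 +22,4 @@ in PATCH 2/5 adds a bare "+" line, i.e. an empty trailing line, to CONTEST_QA_README.csv; it is unrelated to the EIP change and some CSV readers will treat it as an empty record. Drop it, or if the intent is only to terminate the last record with a newline, do that instead.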
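Review bot: the parenthetical "(including violations in view functions, but excluding statements in code comments in the EIP specifications)" added in PATCH 3/5's README.md hunk mixes two unrelated qualifiers: where in the audited code the violation occurs (view functions) and which parts of the EIP text count as requirements (normative text, not code comments). Suggest splitting them: "issues violating "MUST" statements in the normative text of the EIP (not statements in the EIP's code comments), including violations in view functions, ...". The "irrspective" typo is still present in this revision.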
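Review bot: the new second sentence in PATCH 4/5's README.md hunk, "the report must explicitly mention the broken EIP and show potential problems with external integrations for EIP implementation issues; and the EIP must be in regular use or in the **final state**", has a dangling "for EIP implementation issues" and a "; and" join that reads awkwardly; PATCH 5/5 removes the dangling phrase but keeps the "; and". Since the sentence now carries three separate validity conditions, consider listing them (EIP named in the contest README; violated MUST requirement cited and integration problem shown; EIP final or in regular use) rather than chaining them with semicolons.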
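Review bot: the final wording in PATCH 5/5's README.md hunk says the issue "may be assigned Medium severity ... irrspective of whether the impact is low/unknown" and then, in the next sentence, that the report "**must** ... show potential problems with external integrations"; a judge or Watson can read the second sentence as reintroducing an impact requirement that the first sentence removes. State explicitly that "potential problems with external integrations" means an integrator relying on the MUST behaviour would malfunction or misread the contract, not that funds must be at risk, so the two sentences do not appear to contradict each other. "irrspective" should also be corrected to "irrespective" here, as this is the version that lands.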