From f8da5d2e81c5f31a1db85e4d34bcbec06fee369c Mon Sep 17 00:00:00 2001 From: WangSecurity <134382756+WangSecurity@users.noreply.github.com> Date: Wed, 5 Nov 2025 03:32:58 +0300 Subject: [PATCH] Update the QA to add a question about Private RPCs and multicalls. --- CONTEST_QA_README.csv | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/CONTEST_QA_README.csv b/CONTEST_QA_README.csv index 6135395..3cdcbef 100644 --- a/CONTEST_QA_README.csv +++ b/CONTEST_QA_README.csv 
@@ -16,9 +16,11 @@ Example answer: It is common to answer ""No,"" as protocols typically trust the governance of the protocols they integrate with.",4 Is the codebase expected to comply with any specific EIPs?,"Please explain the underlying intention behind integrating with each EIP, and how compliance with these EIPs aligns with your protocol's goals.",5 "Are there any off-chain mechanisms involved in the protocol (e.g., keeper bots, arbitrage bots, etc.)? We assume these mechanisms will not misbehave, delay, or go offline unless otherwise specified.","Please provide information on how these off-chain bots (e.g., keeper bots, arbitrage bots) read and process on-chain data.",6 -What properties/invariants do you want to hold even if breaking them has a low/unknown impact?,"For example, the invariant is the amount of the underlying tokens must equal the amount of vault tokens. Even if breaking this invariant has a low impact, it could be assigned Medium severity. You can answer ""No"" if there are no specific invariants you want to hold.",7 -Please discuss any design choices you made.,"For example: ""We chose to ignore fees in some calculations because they unnecessarily overcomplicated formulas, but didn't have practically any impact on the final result. But, if this approximation may cause a serious loss of funds, it may be a valid finding.""",8 -Please provide links to previous audits (if any) and all the known issues or acceptable risks.,"Listing the audits provides context to Watsons and invalidates findings acknowledged in these audits. 
Additionally, issues listed in this question will also be considered Invalid as known or acceptable findings.",9 -Please list any relevant protocol resources.,"Please link to the docs, whitepaper, and the website for Watsons to gather context on the audit.",10 +What protocol roles and/or off-chain mechanisms will use private RPCs or multicalls when calling restricted functions?,"The information about internal roles and off-chain mechanisms using private RPCs and multicalls will be considered during judging and will affect the validity of the issues. For example, if the admin uses private RPCs for admin functions, we will consider that their calls can't be front-run. If the answer is No or no answer is provided, we will default to none of the roles using private RPCs and multicalls.",7 +What properties/invariants do you want to hold even if breaking them has a low/unknown impact?,"For example, the invariant is the amount of the underlying tokens must equal the amount of vault tokens. Even if breaking this invariant has a low impact, it could be assigned Medium severity. You can answer ""No"" if there are no specific invariants you want to hold.",8 +Please discuss any design choices you made.,"For example: ""We chose to ignore fees in some calculations because they unnecessarily overcomplicated formulas, but didn't have practically any impact on the final result. But, if this approximation may cause a serious loss of funds, it may be a valid finding.""",9 +Please provide links to previous audits (if any) and all the known issues or acceptable risks.,"Listing the audits provides context to Watsons and invalidates findings acknowledged in these audits. 
Additionally, issues listed in this question will also be considered Invalid as known or acceptable findings.",10 +Please list any relevant protocol resources.,"Please link to the docs, whitepaper, and the website for Watsons to gather context on the audit.",11 Additional audit information.,"If you'd like to specify what areas would you like Watsons to look into, this is a perfect place to do so. -In case you forked any contracts, please provide a diff from the original ones. You can also provide a diff of the contracts after your last audit(s). This will direct Watsons' focus on the least battle-tested parts.",11 +In case you forked any contracts, please provide a diff from the original ones. You can also provide a diff of the contracts after your last audit(s). This will direct Watsons' focus on the least battle-tested parts.",12 +
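Review bot: In the new row 7, the explanation only spells out the judging consequence for private RPCs ("we will consider that their calls can't be front-run") and says nothing about what a multicall is taken to guarantee, even though the question and the default clause both cover multicalls. Add a parallel sentence for multicalls, for example that restricted calls batched in a single multicall are judged as atomic, so findings that rely on another transaction landing between two of the batched calls are invalid. It would also help to qualify the private-RPC sentence: a private RPC keeps the transaction out of the public mempool, so it rules out front-running by mempool observers, but it does not stop state from changing between submission and inclusion, and a finding that depends only on that ordering race is a different case from a front-run; saying which of the two the question is meant to invalidate avoids disputes during judging. The renumbering of the following rows (7-11 to 8-12, including the final "Additional audit information." row) is consistent, and the new row's CSV quoting matches the surrounding rows.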