Adding exploit categories to contest submission form

[CloudEllie]

Suggestions have been made to add categories to our finding submission form; this will be a simple drop-down menu indicating the category of hack.

Based on this classification list, C4's dev team is proposing the following set of options:

options: [
    {
      label: "Blockchain - Block content manipulation",
      value: "Block content manipulation",
    },
    {
      label: "Blockchain - Contract interaction",
      value: "Contract interaction",
    },
    {
      label: "Blockchain - Gas limitations",
      value: "Gas limitations",
    },
    {
      label: "Blockchain - Message structure",
      value: "Message structure",
    },
    {
      label: "Blockchain - Ether transfer",
      value: "Ether transfer",
    },
    {
      label: "Language - Arithmetic",
      value: "Arithmetic",
    },
    {
      label: "Language - Storage access",
      value: "Storage access",
    },
    {
      label: "Language - Internal control flow",
      value: "Internal control flow",
    },
    {
      label: "Model - Authorization",
      value: "Authorization",
    },
    {
      label: "Model - Trust",
      value: "Trust",
    },
    {
      label: "Model - Privacy",
      value: "Privacy",
    },
    {
      label: "Model - Economy",
      value: "Economy",
    }
  ]

Comments are welcome re: the proposed list of classification labels - both in terms of naming, and depth of classification.

[indijanc]

Would it make sense to also have "Other" for a certain time period? I imagine the categories would evolve over time or sometimes a warden just couldn't determine a category outright.

Otherwise I believe this would bring some benefits and would outweigh the setbacks of wardens having to think about the issue a bit more and be bothered to select it :)

[IllIllI000]

I don't have specific alternate suggestions for naming, but some of these, e.g. Message Structure, aren't self-explanatory, and since a lot of wardens don't read the docs in the first place, I think a lot of issues will be tagged incorrectly, or there will be lots of questions in discord

[OpenCoreCH]

In my opinion, it would make sense to also link the classification GitHub repo (or to fork it with some C4 specific annotations) in the submission form. Because I think it is quite hard to judge the correct category from the title only, but the explanations / examples help.

The classification "Trust" is also quite often out-of-scope in my experience. Some contest descriptions (e.g., VTVL) even state it explicitly that all findings regarding extended admin privileges / the associated risks are invalid. So I am not sure if having this category would not lead to more out-of-scope findings. Or maybe it would make sense to clarify clearly what should be considered out-of-scope and in-scope for that category.

[Tomosuke0930]

@CloudEllie
I'm categorized the past bug like this. You can see my category to duplicate my page.
https://tom-sol.notion.site/94b7e5e531464b2ab0a4f705338a1893?v=e320c83b874c468cbd50f80545c221c6