SJIP 6: Risks of Known issues

[Evert0x]

Description

Update: force protocols to define risks of known issues

Judging Guidelines PR

sherlock-protocol/sherlock-v2-docs#22

Rationale

A protocol team can acknowledge a specific issue but be unaware of all the risks.

For this reason, I propose to update the QA to let the protocol state the acceptable risks explicitly.

When risks are stated in the QA, and someone identifies a different risk. The report will be judged normally; it will not be discarded as a known issue.

If "Any risk is acceptable" or similar language is used, any reported risks regarding the known issue will be discarded.

Relevant Issue Discussions

sherlock-audit/2024-02-perpetual-judging#64

[Evert0x]

Considering to change the default language to "Any risk is acceptable unless it's High severity" as it unlikely protocols are okay with High severity. We don't want to introduce a foot gun.

[IllIllI000]

How about Please write "Any risk is acceptable" if you are okay with any risks, or qualify the restrictions, such as "Any risk is acceptable unless it's High severity". I think it's bad too to have a case where the sponsor actually does know all of the risks, but doesn't want to list all of them, and then a known finding is rewarded, just because the sponsor copied and pasted the only easy default provided by the question.

[joicygiore]

Yes, I think everyone will strictly follow your rules and supervise each other at the same time, and will never let some people take advantage of loopholes for their own selfish interests.🫡