web3-triage-report
Install: claude install-skill Olaradiallysymmetrical491/web3-bug-bounty-hunting-ai-skills
# TRIAGE, REPORT WRITING & REAL EXAMPLES
---
## PART 1: TRIAGE
### THE 7-QUESTION GATE
Ask these IN ORDER before writing a single word of your report.
ONE wrong answer = STOP and move on.
---
#### Q1: Can an attacker use this RIGHT NOW, step by step?
Complete this template:
```
1. Setup: [what I need]
2. Call: [exact function, exact params]
3. Result: [what I have that I didn't have before]
4. Cost: [gas + capital]
5. ROI: [profit / cost ratio]
```
If you cannot complete steps 2 and 3 with specific function calls: **KILL IT.**
---
#### Q2: Is the impact in the program's accepted impact list?
Go to the Immunefi program page. Find "Impacts in Scope."
Match your bug to one of these EXACTLY.
Example impact tiers:
- "Direct theft of any user funds" — Critical
- "Permanent freezing of funds" — Critical
- "Protocol insolvency" — Critical
- "Theft of unclaimed yield" — High
- "Permanent freezing of unclaimed yield" — High
- "Temporary freezing of funds" — High
- "Smart contract unable to operate due to lack of token funds" — Medium
- "Griefing (no profit motive, but damage to users)" — Medium
- "Contract fails to deliver promised returns, but doesn't lose value" — Low
If your bug does not match any impact in scope: **KILL IT.**
---
#### Q3: Is the root cause in an in-scope contract?
Confirm the exact deployed address is in scope on the program page.
If the bug is in Aave, Uniswap, OpenZeppelin, or any external dependency: **KILL IT.**
---
#### Q4: Does