Standards
Editorial standards
These rules are the product. A teardown is only worth pasting into an engineering channel if the reader already knows what it is not going to do.
Mechanism, never character
A teardown describes code and the sequence of transactions that acted on it. It does not describe people. We do not name individuals. We do not assess a team's competence, diligence, or intent. We do not identify, profile, or speculate about attackers. We do not allege wrongdoing by any person or organisation.
This is not politeness. An account of a defect is useful for exactly as long as it is trusted, and an account that reaches for blame is read as an argument rather than a record. If a statement cannot be established from the chain, the contract source, or a public disclosure, it does not appear here.
Disclosed and resolved only
We publish after public disclosure — never before, and never while a comparable vulnerability is believed to be live and unpatched elsewhere. Where a fix is still rolling out, we wait.
Teardowns show the vulnerability pattern and its standard remediation, at the level of detail you would find in a security curriculum. They do not contain runnable exploits, proof-of-concept attack contracts, weaponised snippets, tooling, or step-by-step instructions for reproducing an attack against any system. We will decline to publish a detail whose only use is offensive, even if it is already public.
Published within 48 hours
Our standard is to publish within 48 hours of public disclosure. That is a commitment about how we work. It is not a claim about being first, and we will miss it rather than publish an account we cannot stand behind.
Corrections
Teardowns are corrected in place, with the change and its date noted at the foot of the page. We do not silently edit, and we do not delete a record because a better account has emerged — we amend it. If you can show that a mechanism described here is wrong, write to the editor and it will be fixed.
Sources
Every claim in a teardown resolves to something a reader can check: a transaction, a contract address, a verified source file, or a public post-incident disclosure. Where a teardown is an illustrative sample — a fictional protocol used to demonstrate the format — it says so on the page, its transaction hashes are synthetic, and it links to nothing.
What we do not accept
No sponsored teardowns. No protocol pays to be covered, and none pays to be left out. We do not accept payment, tokens, or equity from any party involved in an incident we cover, and we do not offer audits, reviews, or consulting to them.
Disclosure
Root Cause is an educational publication about software defects. It is not investment advice, and nothing on this site is a recommendation to buy, sell, or hold any asset, token, or security. It is not a security audit and does not certify, endorse, or vouch for the safety of any codebase, protocol, or organisation. Digital assets carry significant risk, up to and including the total loss of capital.
The self-audit checklist is a prompt for your own review. It is not exhaustive, it is not a substitute for a professional security review, and passing it is not a guarantee of anything. You remain responsible for the code you ship.