3 points: Correctly identifies specific vulnerability type (e.g., "reentrancy attack" or "missing access control check") with accurate technical explanation

2 points: Identifies vulnerability category but with incomplete or partially incorrect technical explanation

1 point: Recognizes there's a security issue but cannot specify the type or mechanism

0 points: Incorrect identification or no answer

4 points: Provides detailed step-by-step attack with:

• Clear sequence of actions attacker would take
• Technical details (e.g., fallback functions, transaction ordering)
• Explanation of why vulnerability allows exploitation
• Specific outcome/impact

3 points: Describes attack scenario with most key steps but missing some technical details or clarity

2 points: General attack description without specific steps (e.g., "attacker steals funds by exploiting the bug")

1 point: Vague or partially incorrect attack scenario

0 points: No scenario or completely incorrect

1 point: Selects appropriate severity level (within 1 level of answer key)

0 points: Severity off by 2+ levels (e.g., marking critical bug as "low")

2 points: Proposes valid, specific fix that addresses root cause (code-level or architectural solution)

1 point: Suggests general direction for fix but lacks specificity or contains minor errors

0 points: No fix proposed or proposed fix doesn't address vulnerability

7-8 points: Presentation demonstrates:

• Accurate vulnerability explanation with correct technical terminology
• Clear, logical attack scenario walkthrough
• Valid security fix with justification
• Thoughtful economic analysis (attack vs. report decision)
• Answers questions correctly and confidently

5-6 points: Mostly accurate content with minor technical errors or omissions. Covers all required sections but some explanations lack depth.

3-4 points: Basic understanding shown but significant gaps in technical explanation or incorrect details. May skip economic analysis or provide weak fix.

1-2 points: Major technical errors, missing key sections, or demonstrates fundamental misunderstanding

0 points: Did not present or presentation completely incorrect

4 points:

• Clear, well-organized presentation flow
• Uses appropriate examples and analogies
• All group members contribute meaningfully
• Effectively uses visual aids (if applicable)
• Maintains audience engagement

3 points: Generally clear communication with minor organization issues. Most group members participate.

2 points: Somewhat unclear or disorganized. Uneven participation among group members.

1 point: Difficult to follow, poor organization, or single member dominates

0 points: Incomprehensible or unprofessional presentation

3 points: Completes presentation within 5-minute window (±30 seconds), well-rehearsed, smooth transitions

2 points: Slightly over/under time (±1 minute) but shows preparation

1 point: Significantly over/under time or appears under-prepared

0 points: Grossly inappropriate time usage or clearly unprepared

5 points: Exceptional engagement:

• Asks 2+ thoughtful questions during peer presentations
• Provides constructive feedback or insights
• Contributes to class discussion meaningfully
• Shows active listening and note-taking

4 points: Good engagement - asks 1-2 relevant questions, attentive throughout

3 points: Adequate engagement - pays attention, may ask 1 question

2 points: Minimal engagement - present but not actively participating

0-1 points: Disengaged, disruptive, or absent during peer presentations

Per Bonus Contract (3.33 points):

• Vulnerability identification: 1 point
• Attack scenario: 1.33 points
• Severity assessment: 0.33 points
• Proposed fix: 0.67 points

Note: Bonus contracts involve more sophisticated vulnerabilities (flash loans, oracle manipulation, timestamp dependence). Partial credit available for demonstrating understanding even if analysis is incomplete.