Roles and Terminology

The Diverge-Converge Model engages several roles.

Client: The individual or organization that owns the protocol and commissions the audit. The client bears the audit cost (reward pool).
Lead Auditor: The individual or organization involved in all audit phases. The lead auditor is responsible for conducting a comprehensive audit and producing an audit report and a system analysis report in the first phase. The lead auditor is also responsible for sharing the line-by-line comments and walkthrough explanations of the findings with the community auditors. A fixed percentage of the reward pool highly incentivizes the lead auditor. The lead auditor is also involved across all phases, and the dynamic structure of the reward pool and audit score incentivize the lead auditor to identify more vulnerabilities continuously.
Bounty Hunter: The individual or organization participating in the bug bounty. The bug bounty is open to all, with no limit on participant numbers. The lead auditor and bounty hunters are implicitly in competition, given the dynamic allocation of the reward pool based on findings. Valid findings are rewarded if not identified in previous phases and epochs.
Contestant: The individual or organization participating in the selective competition. A small group of auditors, typically 3-5, including the lead auditor, are chosen as contestants based on their performance in previous phases and scores. All valid submissions in this time-boxed competition are rewarded regardless of the duplication.
Judge: The individual or organization that evaluates the findings from all phases. The Judge, chosen from a reputable group in the Web3 space, is incentivized by a fixed percentage of the reward pool.
Host: The individual or organization overseeing the audit process. The Host sets up the audit process and ensures its timely completion. A fixed fee on top of the reward pool incentivizes the Host. It is worth noting that the Host holds the final decision-making power in the audit process.

The Diverge-Converge Model also involves several terms.

Protocol Difficulty: Based on subjective estimation and the SLOC and complexity defined by solidity-metrics, the Host decides the difficulty score ranging from 0 ~ 1.
Exploit Score: A measure representing the implicit audit quality. The exploit score is computed based on the protocol difficulty, the number of findings, the severity, and the phase of the findings.
The severity of the findings is categorized into three levels: High Risk, Medium Risk, and Low Risk. The Judge determines the findings' severity. Note that we don't include Gas-saving findings, but an additional phase can be added to the end of Phase 3 according to the protocol's preference. See the "Additional Phases" section for more details.
Severity points are given as High Risk: 10 points, Medium Risk: 2 points, Low Risk: 0.1 point. Phase factor is applied as Phase 1: 0.7x, Phase 2: 1x, Phase 3: 1x.
The idea behind the points by severity is we value the ability to find severe ones rather than not impactful ones. The idea behind the points by phase is it would be easier to find bugs at an early phase than at a later phase.
The final exploit score is calculated as follows: $ES=C_p C_d (N_H10+N_M3+N_L)$ , where $C_p$ and $C_d$ represent the phase factor and protocol difficulty.
Example. If an auditor found H3 M2 L10 in Phase 1 and the difficulty is 0.8, the exploit score will be 0.7*0.8*(3*10+2*3+0.1*10)=20.72.
Lead Performance Score: A measure representing the performance of the lead auditor. Calculated based on the lead auditor's exploit score ( $ES_L$ ) ratio to the other auditors' exploit score( $ES_P$ ) for all phases. After the audit, the lead performance score is calculated as $LS_P=ES_L/ES_P$ , capped to [0, 2]. The lead performance score is used to update the auditor score for the lead auditor.
Lead Collaboration Score: A measure representing the collaboration of the lead auditor. The Host evaluates the lead auditor's collaboration level based on the line-by-line comments and walkthrough explanation of the findings shared with the public auditors. A score $LS_C$ ranging from -10~10 is given to the lead auditor based on the evaluation, and the score is included in the final audit score of the lead auditor.
Auditor Score: A measure representing the auditor's expertise and experience used to select the lead auditor and the contestants. When all phases are finished, exploit scores are calculated for all auditors involved in the process, and the performance and collaboration scores are computed for the lead auditor.
Finally, the auditor score is updated $AS$ = $AS$ + $ES$ * $(LS_P-1)$ + $LS_C$ for the lead auditor and $AS = AS + ES$ for other auditors.
We note that the performance score can increase and decrease the auditor score for the lead auditor because $LS_P$ is capped at [0, 2].

NOTE: All formulas and parameters are only for illustration purposes and are not backed by any data. These need to go through actual experiments and be tuned.

PreviousObjectives NextPhase Details

Last updated 10 months ago