Roles and Terminology

The Diverge-Converge Model engages several roles.

  • Client: The individual or organization that owns the protocol and commissions the audit. The client bears the audit cost (reward pool).

  • Lead Auditor: The individual or organization involved in all audit phases. The lead auditor is responsible for conducting a comprehensive audit and producing an audit report and a system analysis report in the first phase. The lead auditor is also responsible for sharing the line-by-line comments and walkthrough explanations of the findings with the community auditors. A fixed percentage of the reward pool highly incentivizes the lead auditor. The lead auditor is also involved across all phases, and the dynamic structure of the reward pool and audit score incentivize the lead auditor to identify more vulnerabilities continuously.

  • Bounty Hunter: The individual or organization participating in the bug bounty. The bug bounty is open to all, with no limit on participant numbers. The lead auditor and bounty hunters are implicitly in competition, given the dynamic allocation of the reward pool based on findings. Valid findings are rewarded if not identified in previous phases and epochs.

  • Contestant: The individual or organization participating in the selective competition. A small group of auditors, typically 3-5, including the lead auditor, are chosen as contestants based on their performance in previous phases and scores. All valid submissions in this time-boxed competition are rewarded regardless of the duplication.

  • Judge: The individual or organization that evaluates the findings from all phases. The Judge, chosen from a reputable group in the Web3 space, is incentivized by a fixed percentage of the reward pool.

  • Host: The individual or organization overseeing the audit process. The Host sets up the audit process and ensures its timely completion. A fixed fee on top of the reward pool incentivizes the Host. It is worth noting that the Host holds the final decision-making power in the audit process.

The Diverge-Converge Model also involves several terms.

  • Protocol Difficulty: Based on subjective estimation and the SLOC and complexity defined by solidity-metrics, the Host decides the difficulty score ranging from 0 ~ 1.

  • Exploit Score: A measure representing the implicit audit quality. The exploit score is computed based on the protocol difficulty, the number of findings, the severity, and the phase of the findings.

    The severity of the findings is categorized into three levels: High Risk, Medium Risk, and Low Risk. The Judge determines the findings' severity. Note that we don't include Gas-saving findings, but an additional phase can be added to the end of Phase 3 according to the protocol's preference. See the "Additional Phases" section for more details.

    Severity points are given as High Risk: 10 points, Medium Risk: 2 points, Low Risk: 0.1 point. Phase factor is applied as Phase 1: 0.7x, Phase 2: 1x, Phase 3: 1x.

    The idea behind the points by severity is we value the ability to find severe ones rather than not impactful ones. The idea behind the points by phase is it would be easier to find bugs at an early phase than at a later phase.

    Example. If an auditor found H3 M2 L10 in Phase 1 and the difficulty is 0.8, the exploit score will be 0.7*0.8*(3*10+2*3+0.1*10)=20.72.

  • Auditor Score: A measure representing the auditor's expertise and experience used to select the lead auditor and the contestants. When all phases are finished, exploit scores are calculated for all auditors involved in the process, and the performance and collaboration scores are computed for the lead auditor.

NOTE: All formulas and parameters are only for illustration purposes and are not backed by any data. These need to go through actual experiments and be tuned.

Last updated