EthereumCommonwealth / Roadmap

GNU Lesser General Public License v2.1

Auditing Department: per contract reward calculation v2 #57

Open Dexaran opened 5 years ago

Dexaran commented 5 years ago

Abstract

The following describes the proposed payment scheme for security auditors for their work. The developed scheme is universal and is based on the length of the code of the auditable smart contract.

Motivation

One of the main goals of Callisto is to develop a self-sustaining DAO-like security auditing department structure. Therefore, the payment schema should ensure a high level of automatization and formalization.

The previously used reward calculation formula relied on a "contract complexity" variable, which was manually assigned by the security auditing manager. As we plan to scale the structure of the security department, we need to introduce a flexible way of evaluating contract complexity.

Therefore, it is proposed to use the length of the contract code as a measure of the complexity of the contract.

Specification

In the Security Department of Callisto, smart-contract auditors are paid once a month, on the 15th day of each month.

The total amount of payment is calculated based on the amount of tasks performed during the last month. Each security audit is evaluated separately and a security auditor receives payment for each audit performed.

Each finding has a certain weight in points. The following values will be used to evaluate findings according to their severity:

Severity            Weight in points
Critical            100
High                45
Medium              8
Owner privileges    2
Low/Note            1

The following formula is used to calculate the auditor's reward for the assigned task:

REWARD_FORMULA

Where:

reward - the amount of CLO that will be paid to the auditor for his(her) contribution to this security audit.

audit reward = $1 * [number of lines]

sum (auditor points) - all points earned by the auditor.

sum (total points) - the sum of all points earned by each auditor individually.

[number of lines] - the number of lines of code in the source code of the auditable smart contract, calculated excluding empty lines and comments. SLOC Counter will be used for this purpose.

Auditors will receive the reward depending on the quality and quantity of the work done. If a contract has only low severity issues or no issues, then its reward will be divided equally between all auditors who worked on the security audit of this contract.

Example

Calculating the results of LuckyStrike audit (assuming that this would be the first request, not a request for re-audit).

Auditor's findings

Auditor's points

Auditor's salaries
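The scheme above, as an added example that is not part of the proposal or of the Callisto tooling: a small SLOC counter standing in for the SLOC Counter the post mentions (it strips blank lines and `//` / `/* */` comments and ignores comment markers inside string literals), the severity table, and the per-auditor split, including the equal split for audits with only Low/Note or no findings, which also avoids dividing by zero points. The Solidity snippet is constructed for the example; the CLO-per-line rate is a parameter because the thread discusses more than one value.

```python
import re

# Severity weights from the proposal's table (Low and Note share a row).
SEVERITY_POINTS = {"critical": 100, "high": 45, "medium": 8,
                   "owner privileges": 2, "low": 1, "note": 1}

# Constructed Solidity sample (hypothetical; not the audited LuckyStrike code).
SAMPLE_CONTRACT = """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.4.24;

/* Two-line block comment,
   must not be counted. */
contract Lottery {
    address public owner;   // trailing comment, the line still counts

    function bet() public payable {
        require(msg.value > 0);
    }
}
"""

def count_sloc(source: str) -> int:
    """Lines of code excluding blank lines and comments (a simple stand-in for
    the SLOC counter the proposal mentions; comment markers inside string
    literals are not handled)."""
    # Drop block comments but keep their newlines so line boundaries survive.
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                 source, flags=re.DOTALL)
    lines = (re.sub(r"//.*", "", ln).strip() for ln in src.splitlines())
    return sum(1 for ln in lines if ln)

def auditor_points(findings):
    """Sum of severity weights for one auditor's findings."""
    return sum(SEVERITY_POINTS[s.lower()] for s in findings)

def split_rewards(sloc, clo_per_line, findings_by_auditor):
    """reward_i = audit_reward * points_i / sum(points), audit_reward = rate * SLOC.
    Equal split when nothing above Low/Note was found, which also covers the
    case where every auditor has zero points (no division by zero)."""
    audit_reward = clo_per_line * sloc
    only_low = all(SEVERITY_POINTS[s.lower()] <= 1
                   for f in findings_by_auditor.values() for s in f)
    if only_low:
        share = audit_reward / len(findings_by_auditor)
        return {a: round(share, 2) for a in findings_by_auditor}
    points = {a: auditor_points(f) for a, f in findings_by_auditor.items()}
    total = sum(points.values())
    return {a: round(audit_reward * p / total, 2) for a, p in points.items()}
```

With the numbers quoted in the thread (1612 lines, 400 CLO per line, 28/55/5 points) `split_rewards` reproduces the 205163.6 CLO figure for Auditor 1.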

gorbunovperm commented 5 years ago

As written above: audit reward = 100 * [number of lines]
But below that: Auditor 1 = 1612 * 400 * 28 / (28 + 55 + 5) = 205163.63 CLO

Is audit reward equal to 100 * 1612 or 400 * 1612 ?

Dexaran commented 5 years ago

@gorbunovperm Audit reward is equal to 100 * [number of lines]

400 was just an experimental coefficient. 100 CLO per line will be used now.

MrToph commented 5 years ago

The resulting numbers in Auditor's salaries are off and in $. (Auditor 2 earns less than Auditor 1 even though he/she has more points.)

Dexaran commented 5 years ago

You are right, this was a typo. Fixed now.