
Auditing Department: per contract reward calculation v2 #57

Open
Dexaran opened this issue Apr 10, 2019 · 4 comments
Labels
callisto Projects that are marked with this label are related to Callisto development.

Comments


Dexaran commented Apr 10, 2019

Abstract

The following describes the proposed payment scheme for security auditors for their work. The developed scheme is universal and is based on the length of the code of the auditable smart contract.

Motivation

One of the main goals of Callisto is to develop a self-sustaining DAO-like security auditing department structure. Therefore, the payment schema should ensure a high level of automation and formalization.

The previously used reward calculation formula relied on a "contract complexity" variable, which was manually assigned by the security auditing manager. As we plan to scale the structure of the security department, we need to introduce a flexible way of evaluating contract complexity.

Therefore, it is proposed to use the length of the contract code as a measure of the complexity of the contract.

Specification

In the Security Department of Callisto, smart-contract auditors are paid once a month, on the 15th day of each month.

The total amount of payment is calculated based on the number of tasks performed during the last month. Each security audit is evaluated separately and a security auditor receives payment for each audit performed.

Each finding has a certain weight in points. The following values will be used to evaluate findings according to their severity:

Severity            Weight in points
Critical            100
High                45
Medium              8
Owner privileges    2
Low/Note            1

The following formula is used to calculate the auditor's reward for the assigned task:

REWARD_FORMULA

Where:

reward - the amount of CLO that will be paid to the auditor for his (her) contribution to this security audit.

audit reward = $1 * [number of lines]

sum (auditor points) - all points earned by the auditor.

sum (total points) - sum of all points earned by each auditor individually.

[number of lines] - the number of lines of code in the source code of the auditable smart contract, calculated excluding empty lines and comments. SLOC Counter will be used for this purpose.

Auditors will receive the reward depending on the quality and quantity of the work done.
If a contract has only low severity issues or no issues then its reward will be divided equally between all auditors who worked on the security audit of this contract.

Example

Calculating the results of LuckyStrike audit (assuming that this would be the first request, not a request for re-audit).

  • Lines of code: 1612

  • 1 high severity issue

  • 3 medium severity issues

  • 5 low severity issues

  • 2 minor observations

Auditors' findings

  • Auditor 1 reported 4 low and 3 medium findings. (He did not report one high severity mistake).

  • Auditor 2 reported 2 low, 1 medium and 1 high findings. (He did not report two medium severity mistakes).

  • Auditor 3 reported 5 low findings. (He did not report any medium or high severity mistakes).

Auditors' points

  • Auditor 1 = 28

  • Auditor 2 = 55

  • Auditor 3 = 5

Auditors' salaries

  • Auditor 1 = 1612 * 100 * 28 / (28 + 55 + 5) = 512.9 USD

  • Auditor 2 = 1612 * 100 * 55 / (28 + 55 + 5) = 1007.5 USD

  • Auditor 3 = 1612 * 100 * 5 / (28 + 55 + 5) = 91.59 USD
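The calculation described in the Specification, carried through as an added example (not the project's own code) at the $1 per line rate given in the Where section. It assumes a simplified SLOC counter in place of the tool the issue mentions, treats "Owner privileges" as above Low/Note for the equal-split rule, and uses a constructed sample contract rather than the real LuckyStrike source.

```python
import re
from typing import Dict

# Severity weights from the proposal's table (points per finding).
WEIGHTS = {"critical": 100, "high": 45, "medium": 8, "owner": 2, "low": 1}

def count_sloc(source: str) -> int:
    """Lines of Solidity source excluding blank lines and comments.
    Simplified stand-in for the SLOC counter the issue mentions; it does
    not handle '//' or '/*' inside string literals."""
    no_block = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return sum(1 for line in no_block.splitlines()
               if re.sub(r"//.*", "", line).strip())

def auditor_points(findings: Dict[str, int]) -> int:
    """Sum the weights of one auditor's confirmed findings."""
    return sum(WEIGHTS[sev] * n for sev, n in findings.items())

def split_rewards(sloc: int, rate_per_line: float,
                  findings: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Distribute the audit reward (rate * SLOC) among auditors by points.
    Equal-split rule: if nothing above Low/Note was found (or nothing at
    all), every auditor gets the same share. Assumption: 'Owner privileges'
    counts as above Low/Note since it carries a higher weight."""
    audit_reward = sloc * rate_per_line
    top_weight = max((WEIGHTS[sev] for f in findings.values()
                      for sev, n in f.items() if n > 0), default=0)
    if top_weight <= WEIGHTS["low"]:
        share = round(audit_reward / len(findings), 2)
        return {a: share for a in findings}
    points = {a: auditor_points(f) for a, f in findings.items()}
    total = sum(points.values())
    return {a: round(audit_reward * p / total, 2) for a, p in points.items()}

# Constructed sample contract (not the real LuckyStrike source): 4 SLOC.
SAMPLE_SOURCE = """// SPDX-License-Identifier: MIT
pragma solidity ^0.5.0;

/* multi-line
   header comment */
contract LuckyStrike {
    uint256 public pot; // running pot
}
"""

LUCKYSTRIKE_FINDINGS = {  # the issue's worked example, findings per auditor
    "auditor1": {"low": 4, "medium": 3},
    "auditor2": {"low": 2, "medium": 1, "high": 1},
    "auditor3": {"low": 5},
}
```

`split_rewards(1612, 1, LUCKYSTRIKE_FINDINGS)` reproduces the three figures in the issue's example (512.91, 1007.5 and 91.59 at two decimals); swap the rate for 100 to get the CLO-per-line variant discussed in the comments.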

Dexaran added the callisto label Apr 10, 2019
@gorbunovperm

As written above: audit reward = 100 * [number of lines]
But below that: Auditor 1 = 1612 * 400 * 28 / (28 + 55 + 5) = 205163.63 CLO

Is audit reward equal to 100 * 1612 or 400 * 1612 ?


Dexaran commented Apr 24, 2019

@gorbunovperm Audit reward is equal to 100 * [number of lines]

400 was just an experimental coefficient. 100 CLO per line will be used now.


MrToph commented May 17, 2019

The resulting numbers in Auditor's salaries are off and in $. (Auditor 2 earns less than Auditor 1 even though he/she has more points.)


Dexaran commented May 17, 2019

You are right, this was a typo. Fixed now.
