Code complexity vs audit coverage

Orca's assessment for RD-F-024 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Six audit engagements over 4 years on a codebase of moderate complexity (programs/whirlpool/src/ with ~15 modules including math, state, instructions). Three Sec3 quarterly audits in 2025 demonstrate incremental coverage of changes. Active development continues with recent commits (2026-05-14). PDF metadata for exact audit duration not publicly accessible; cannot compute LOC/audit-day ratio. Code size and audit cadence appear adequate based on available evidence but cannot be quantitatively confirmed.

Sources #

GitHub
Orca Whirlpools .audits directory (6 audit PDFs)https://github.com/orca-so/whirlpools/tree/main/.auditsretrieved 2026-05-16
GitHub
Whirlpool program source directory (module structure)https://github.com/orca-so/whirlpools/tree/main/programs/whirlpool/srcretrieved 2026-05-16

Methodology #

Determine whether the cyclomatic complexity or LOC-per-audit-day ratio exceeds the curator-declared credibility threshold for the audit to be meaningful.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol orca factor RD-F-024 score yellow collected_at 2026-05-16 02:39:16