Consensus - Phylax

What Consensus Is

For each task that gathered at least three valid SSSAs, the validator computes a per miner consensus score in [0, 1]. This score multiplies the miner’s per task emission.

emission = composite_Q * base_weight * tier_multiplier * early_bonus * role * consensus * bootstrap

The score is computed by comparing each miner’s SSSA against the rest of the group on seven independent dimensions. A miner who agrees across all dimensions earns near 1.0. A miner who only matches the verdict but diverges on findings, capabilities, or dependencies earns much less.

The Seven Components

consensus = 0.30 * findings_recall
          + 0.15 * findings_precision
          + 0.15 * verdict_agreement
          + 0.15 * capabilities_agreement
          + 0.10 * risk_agreement
          + 0.10 * dependencies_agreement
          + 0.05 * policy_agreement

Component	Weight	Compares
Findings recall	0.30	Did this miner find what most others found?
Findings precision	0.15	Did this miner avoid spurious findings?
Verdict agreement	0.15	Same ALLOW / BLOCK / REVIEW?
Capabilities agreement	0.15	Same declared capability set?
Risk score agreement	0.10	Same risk number?
Dependencies agreement	0.10	Same SBOM with same CVE annotations?
Policy agreement	0.05	Same enforcement policy?

Findings dominate (0.30 + 0.15 = 0.45 of total weight). This is intentional: the verdict alone is too easy to copy, and the network needs miners to converge on the same underlying detections, not just the same headline outcome.

Canonical Finding Keys

Comparing findings across miners requires matching findings that describe the same risk even when miner A and miner B use different description text or id values. Each finding is reduced to a canonical key:

canonical_key = sha256(
    category + "|" +
    severity + "|" +
    normalised(evidence_ref) + "|" +
    sorted_cve_ids + "|" +
    target_pattern
)

Where:

normalised(evidence_ref) strips the per miner span ID prefix and keeps just the file path + line range
sorted_cve_ids is the sorted CVE list referenced by the finding, if any
target_pattern is the resource (file path, URL, package) the finding refers to

Two miners flagging the same prompt injection at the same span will produce the same canonical key. Two miners flagging the same dependency CVE on the same package will produce the same canonical key. Two miners flagging different lines (or different CVEs on the same package) will produce different keys.

Findings Recall

group_key_set = union of canonical keys reported by majority of the group

findings_recall = | this_miner.keys ∩ group_key_set | / | group_key_set |

If the group as a whole reported five distinct findings and this miner reported three of them, recall is 0.6.

Findings Precision

findings_precision = | this_miner.keys ∩ group_key_set | / | this_miner.keys |

If this miner reported five findings but only three of them appear in the group consensus set, precision is 0.6. A miner who reports many findings to inflate recall will lose precision proportionally.

Verdict Agreement

group_verdict = majority verdict in the group

if this_miner.verdict == group_verdict:        verdict_agreement = 1.0
elif this_miner.verdict == "REVIEW":           verdict_agreement = 0.5
else:                                          verdict_agreement = 0.0

A miner who returns REVIEW gets half credit when the group agrees on ALLOW or BLOCK. This compensates lightly for declining to commit.

Capabilities Agreement

group_caps = capabilities reported by majority of the group

capabilities_agreement = | this_miner.caps ∩ group_caps | / | group_caps ∪ this_miner.caps |

Jaccard similarity over capability sets. Both missing capabilities and over reporting penalise.

Risk Score Agreement

group_risk_mean = mean of risk_score across the group

risk_agreement = max(0.0, 1.0 - |this_miner.risk_score - group_risk_mean|)

Linear penalty for divergence. A miner returning risk_score 0.8 when the group mean is 0.5 gets 0.7.

Dependencies Agreement

group_deps = (package, version) tuples reported by majority of the group
group_cves = canonical CVE key set for those dependencies

miner_deps_match = | this_miner.deps ∩ group_deps | / | group_deps |
miner_cves_match = | this_miner.cves ∩ group_cves | / | group_cves |

dependencies_agreement = 0.5 * miner_deps_match + 0.5 * miner_cves_match

The SBOM (package + version) and the CVE annotations are weighted equally.

Policy Agreement

group_rules = the (resource, action, pattern) tuples reported by majority

policy_agreement = | this_miner.rules ∩ group_rules | / | group_rules ∪ this_miner.rules |

Jaccard similarity over policy rule sets.

Worked Example

A mcp_server task receives three SSSAs from primaries P1, P2, P3 and two from auditors A1, A2. Group canonical findings union (with majority threshold of 3 out of 5):

Canonical key	P1	P2	P3	A1	A2
tool_poison(getfile)	Y	Y	Y	Y	Y
dependency_cve(requests, CVE-X)	Y	Y	Y	Y	N
prompt_injection(manifest)	Y	N	Y	N	Y

Group consensus set: {tool_poison(getfile), dependency_cve(requests, CVE-X), prompt_injection(manifest)} (each appears in at least 3 of 5). For P1:

Component	Value
Findings recall	3/3 = 1.0
Findings precision	3/3 = 1.0
Verdict agreement	1.0 (matched group verdict)
Capabilities agreement	0.83 (one tool missing)
Risk agreement	0.92
Dependencies agreement	1.0
Policy agreement	0.80
Consensus	0.95

For A2:

Component	Value
Findings recall	2/3 = 0.67 (missed dependency CVE)
Findings precision	2/2 = 1.0
Verdict agreement	1.0
Capabilities agreement	0.83
Risk agreement	0.85
Dependencies agreement	0.50
Policy agreement	0.50
Consensus	0.78

A2 still earns a meaningful portion of the per task emission, but the gap to P1 reflects the missed dependency CVE.

Why the Weighting Is Skewed Toward Findings

Verdict and risk score are scalar outputs that are easy to guess or copy. A miner who returns the majority verdict and the mean risk on every task earns 0.25 from those two components alone without doing any analysis. Findings (and their canonical keys) are the actual evidence the miner found. Weighting findings 0.45 in total forces miners to produce diverse, specific findings rather than just guessing the verdict. This is also why canonical keys include evidence_ref. A miner who guesses “there is a tool poisoning finding” without identifying which tool would produce a different canonical key from miners who identified the specific tool, and would not match.

Collusion Resistance

The consensus score uses the whole group, not just the primaries. This means an auditor who diverges from the primaries reduces every primary’s consensus score by a small amount. For collusion to succeed, the colluding miners would need to:

Land in the same group together more than half the time (no, validators randomise auditor sampling)
Predict the auditors in advance (no, auditors are random per round)
Bias the validator’s group selection (no, deterministic primary selection plus random auditor sampling)

See Verification Groups for the broader collusion detection signal that complements the consensus penalty.

What’s Next

Verification Groups

Group composition and rotation.

Scoring

Per type Q axis formulas the consensus is layered on top of.

Reputation

How per type reputation evolves based on round outcomes.

Sandbox Reruns

The async layer that catches miners who diverge after the fact.

​What Consensus Is

​The Seven Components

​Canonical Finding Keys

​Findings Recall

​Findings Precision

​Verdict Agreement

​Capabilities Agreement

​Risk Score Agreement

​Dependencies Agreement

​Policy Agreement

​Worked Example

​Why the Weighting Is Skewed Toward Findings

​Collusion Resistance

​What’s Next