RAROSS

Risk-Adjusted Return on Security Spending—a framework for optimizing the allocation between audit costs and insurance premiums.

RAROSS (Risk-Adjusted Return on Security Spending) is a framework for optimizing how protocols allocate their security budgets between preventative measures like audits and reactive measures like insurance. The core insight is that security spending follows the law of diminishing returns, and rational budget allocation requires weighing marginal costs against marginal risk reduction.

The Diminishing Returns Problem

Every additional audit provides less incremental security than the previous one. A first audit might catch 80% of vulnerabilities; a second audit might catch 15% of remaining issues; a third audit might find only minor gas optimizations. Meanwhile, the cost of each audit remains roughly constant.

At some point, the marginal cost of finding additional bugs through audits exceeds the expected loss from leaving those bugs undiscovered. This does not mean audits are unnecessary—it means that beyond a certain threshold, security budget is better allocated elsewhere.

The RAROSS Calculation

RAROSS provides a structured way to think about this trade-off. The framework considers several factors when determining optimal allocation between audits and insurance.

Expected loss reduction measures how much each dollar spent on audits reduces the probability and severity of potential exploits. This calculation requires estimating both the likelihood of undiscovered vulnerabilities and their potential impact if exploited.

Insurance efficiency compares the cost of premiums against the coverage they provide. For most protocols, insurance premiums are significantly lower for audited codebases—often 10-50x cheaper than for unaudited contracts—creating a natural synergy between the two approaches.

Residual risk represents the vulnerabilities that remain undiscovered regardless of audit intensity. The state explosion problem and specification gap ensure that some risk always remains. Insurance provides the only practical mitigation for this irreducible tail risk.

Practical Budget Allocation

The RAROSS framework suggests an allocation around 70% audits and 30% insurance for most protocols, though optimal ratios vary based on protocol complexity, TVL, and risk tolerance.

Consider a protocol with a $300,000 security budget. Under RAROSS, it might allocate $210,000 to two thorough audits from reputable firms, with a comprehensive audit scope that includes manual review, fuzzing, and formal verification of critical invariants. The remaining $90,000 funds insurance premiums that provide coverage for the residual risk that audits cannot eliminate.

This allocation outperforms spending the entire $300,000 on a third audit because the marginal security improvement from audit number three is far less than the protection provided by insurance coverage for the bugs that all three audits might miss.
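A toy version of this comparison, added here as an example rather than taken from the page: it scores three allocations of the $300,000 budget by expected loss avoided per dollar, treating each audit as catching a share of the bugs the previous one missed. The pre-audit exploit probability, loss size, premium rate and the third audit's catch rate are constructed assumptions, not figures from the text.

```python
# Added example (not from the page): a toy RAROSS model that scores budget
# allocations by expected loss avoided per dollar. Only the $300k budget, the
# $210k/$90k split and the 80%/15% catch rates come from the text; every other
# number below is a constructed assumption.

BUDGET = 300_000
P_EXPLOIT_UNAUDITED = 0.50          # assumed: chance an exploitable bug ships unaudited
LOSS_GIVEN_EXPLOIT = 5_000_000      # assumed: impact if that bug is exploited
CATCH_RATES = [0.80, 0.15, 0.03]    # page: 80%, then 15% of what remains; 3rd assumed
PREMIUM_RATE_AUDITED = 0.05         # assumed: premium per $1 of coverage, audited code
UNAUDITED_PREMIUM_MULTIPLIER = 20   # page: audited code insures 10-50x cheaper

def residual_bug_fraction(n_audits: int) -> float:
    """Share of pre-audit bugs still present after n audits (diminishing returns)."""
    remaining = 1.0
    for rate in CATCH_RATES[:n_audits]:
        remaining *= 1.0 - rate
    return remaining

def coverage_bought(insurance_spend: float, n_audits: int) -> float:
    """Coverage a premium buys; unaudited code pays a much higher rate."""
    rate = PREMIUM_RATE_AUDITED * (1 if n_audits > 0 else UNAUDITED_PREMIUM_MULTIPLIER)
    return insurance_spend / rate

def expected_uninsured_loss(n_audits: int, insurance_spend: float) -> float:
    """Loss the protocol itself expects to eat: P(exploit) * uncovered impact."""
    p_exploit = P_EXPLOIT_UNAUDITED * residual_bug_fraction(n_audits)
    uncovered = max(0.0, LOSS_GIVEN_EXPLOIT - coverage_bought(insurance_spend, n_audits))
    return p_exploit * uncovered

def raross(n_audits: int, audit_spend: float, insurance_spend: float) -> float:
    """Risk-adjusted return: expected loss avoided per dollar of security spend."""
    baseline = expected_uninsured_loss(0, 0.0)
    avoided = baseline - expected_uninsured_loss(n_audits, insurance_spend)
    return avoided / (audit_spend + insurance_spend)

SCENARIOS = {                        # name: (audits, audit spend, insurance spend)
    "all insurance, no audit": (0, 0, BUDGET),
    "two audits + insurance (page's 70/30)": (2, 210_000, 90_000),
    "three audits, no insurance": (3, BUDGET, 0),
}

def rank_scenarios() -> list:
    """Scenarios ordered best-first by RAROSS score."""
    scored = [(name, raross(*args)) for name, args in SCENARIOS.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

for name, score in rank_scenarios():
    print(f"{score:6.2f}  {name}")
```

Changing the assumed constants moves the ranking, which is the point of the Limitations section below: the model only tells you which way the trade-off leans under your own estimates.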

Integration with Defense-in-Depth

RAROSS complements defense-in-depth thinking by providing quantitative guidance for layered security investments. Rather than ad-hoc allocation, protocols can systematically evaluate where each additional dollar provides the greatest risk reduction.

The framework also highlights the importance of bug bounty programs as a third allocation category. Bug bounties provide ongoing security coverage at variable cost—you only pay when vulnerabilities are found—and can be particularly cost-effective for mature codebases where audit diminishing returns are most pronounced.

Limitations

RAROSS requires estimates that are inherently uncertain. The probability of undiscovered vulnerabilities and their potential impact cannot be precisely calculated. However, even rough estimates provide better guidance than ignoring the trade-off entirely.

The framework also assumes that audit quality is comparable across firms, which may not hold in practice. A third audit from a specialized firm with domain expertise may provide more value than a second audit from a generalist firm, complicating simple allocation rules.

Despite these limitations, RAROSS provides a principled approach to security budgeting that acknowledges the economic realities of smart contract security: audits are necessary but not sufficient, and insurance is not a substitute for audits but a complement to them.

© 2024 Zealynx