Open security contests, like that of Code4rena, are interesting because they attempt to quantify how secure a contract or protocol is. How does this work?
When you start a contest with $100,000 up for grabs for people who find bugs, inefficiencies, and vulnerabilities - you are essentially saying that the contract is secured by $100,000 of value. If you had put up $1,000,000, people would have 10x the incentive to find bugs and issues, which means it's 10x more likely that any issues would be found. That contract would be secured by $1,000,000 of value.
The more open the contest is (i.e. how likely it is that the right people find and participate in the contest), the less "leaky" the security value is. For example, I could pay my 3-year-old nephew $10M to audit the contract. He doesn't know how to read or write *anything* yet, let alone complex Solidity, so it's not fair to say that the protocol is secured by $10M. Well, it is under this framework, but the $10M is 100% leaky. A $10M bounty on Code4rena might be only 5% leaky.