惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
The GitHub Blog
The GitHub Blog
美团技术团队
Know Your Adversary
Know Your Adversary
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
The Register - Security
The Register - Security
Stack Overflow Blog
Stack Overflow Blog
Attack and Defense Labs
Attack and Defense Labs
G
Google Developers Blog
I
InfoQ
博客园 - 司徒正美
T
Troy Hunt's Blog
Google DeepMind News
Google DeepMind News
J
Java Code Geeks
MongoDB | Blog
MongoDB | Blog
博客园 - 聂微东
A
About on SuperTechFans
云风的 BLOG
云风的 BLOG
S
Security Affairs
M
MIT News - Artificial intelligence
Simon Willison's Weblog
Simon Willison's Weblog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
T
Tailwind CSS Blog
量子位
Vercel News
Vercel News
月光博客
月光博客
V
Vulnerabilities – Threatpost
N
News and Events Feed by Topic
Hugging Face - Blog
Hugging Face - Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
L
LangChain Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
L
LINUX DO - 最新话题
F
Full Disclosure
The Hacker News
The Hacker News
Hacker News: Ask HN
Hacker News: Ask HN
T
Tor Project blog
A
Arctic Wolf
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Forbes - Security
Forbes - Security
IT之家
IT之家
Apple Machine Learning Research
Apple Machine Learning Research
B
Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Y
Y Combinator Blog
GbyAI
GbyAI
B
Blog RSS Feed
V
Visual Studio Blog
T
The Blog of Author Tim Ferriss
F
Fortinet All Blogs

Ethereum Foundation Blog

Checkpoint #9: Apr 2026 | Ethereum Foundation Blog How L1 and L2s can build the strongest possible Ethereum | Ethereum Foundation Blog The Promise of Ethereum: Introducing the EF Mandate | Ethereum Foundation Blog This Is Fine (Until the Grant Runs Out) | Ethereum Foundation Blog Treasury Staking Initiative | Ethereum Foundation Blog The Ethereum Foundation's Commitment to DeFi | Ethereum Foundation Blog Protocol Priorities Update for 2026 | Ethereum Foundation Blog Announcing the Platform Team at EF | Ethereum Foundation Blog Ethereum Protocol Studies 2026 | Ethereum Foundation Blog Executive Leadership Update | Ethereum Foundation Blog An update from Tomasz | Ethereum Foundation Blog Introducing the EF Academic Secretariat 2026 PhD Fellowship | Ethereum Foundation Blog Trillion Dollar Security Day at Devconnect | Ethereum Foundation Blog Allocation Update - Q4 2025 | Ethereum Foundation Blog Checkpoint #8: Jan 2026 | Ethereum Foundation Blog Devcon 8 is coming to Mumbai, India in November 2026 | Ethereum Foundation Blog Hegota Upgrade EIP Proposal Timelines | Ethereum Foundation Blog Shipping an L1 zkEVM #2: The Security Foundations | Ethereum Foundation Blog The Future of Ethereum’s State | Ethereum Foundation Blog Devconnect Argentina Recap | Ethereum Foundation Blog Allocation Update - Q3 2025 | Ethereum Foundation Blog Making Ethereum Feel Like One Chain Again | Ethereum Foundation Blog Checkpoint #7: Nov 2025 | Ethereum Foundation Blog Fusaka Mainnet Announcement | Ethereum Foundation Blog 2 weeks to Devconnect: Everything you need to know | Ethereum Foundation Blog Unveiling ESP's New Grants Program | Ethereum Foundation Blog Fusaka Update – Transaction Gas Limit Cap arrives with EIP-7825 | Ethereum Foundation Blog Fusaka Update - Information for Blob users | Ethereum Foundation Blog Announcing the 2026 EF Internship | Ethereum Foundation Blog Supporting privacy with new funding mechanisms | Ethereum Foundation Blog The Ethereum Foundation’s Commitment to Privacy | Ethereum Foundation Blog Checkpoint #6: Oct 2025 | Ethereum Foundation Blog Privacy Cluster Leadership Announcement | Ethereum Foundation Blog Fusaka Testnet Announcement | Ethereum Foundation Blog Announcing the districts of the Ethereum World’s Fair | Ethereum Foundation Blog Fusaka $2,000,000 Audit Contest! | Ethereum Foundation Blog Holešky Testnet Shutdown Announcement | Ethereum Foundation Blog The Ecosystem Support Program's Next Chapter | Ethereum Foundation Blog Protocol Update 003 — Improve UX | Ethereum Foundation Blog Protocol Update 002 - Scale Blobs | Ethereum Foundation Blog Trillion Dollar Security - Phase 2 | Ethereum Foundation Blog Join Us: EF Protocol Reddit AMA - August 29th, 2025 | Ethereum Foundation Blog Protocol Update 001 – Scale L1 | Ethereum Foundation Blog lean Ethereum | Ethereum Foundation Blog Celebrating 10 Years of Ethereum | Ethereum Foundation Blog Checkpoint #5: July 2025 | Ethereum Foundation Blog Allocation Update - Q2 2025 | Ethereum Foundation Blog The Future of Ecosystem Development at the EF | Ethereum Foundation Blog Shipping an L1 zkEVM #1: Realtime Proving | Ethereum Foundation Blog Partial history expiry announcement | Ethereum Foundation Blog Checkpoint #4: Berlinterop | Ethereum Foundation Blog World Experience: Updates from the Next Billion Fellowship | Ethereum Foundation Blog Now accepting interns - Join the Ethereum Season of Internships | Ethereum Foundation Blog Tickets are live for the Ethereum World’s Fair! And we're launching the Supporter Program | Ethereum Foundation Blog Ethereum Foundation Treasury Policy | Ethereum Foundation Blog Checkpoint #3: June 2025 | Ethereum Foundation Blog Announcing the Devconnect ARG Scholars Program | Ethereum Foundation Blog Announcing Protocol | Ethereum Foundation Blog Nyota Interop Recap ✨ | Ethereum Foundation Blog Allocation Update - Q1 2024 | Ethereum Foundation Blog Announcing the Ethereum Protocol Fellowship Cohort 5 | Ethereum Foundation Blog Ethereum Protocol Fellowship Cohort 4 Recap | Ethereum Foundation Blog Sepolia Incident | Ethereum Foundation Blog Announcing the Devcon SEA venue! | Ethereum Foundation Blog Devconnect Scholars Program - Ethereum Stories from Istanbul and Beyond | Ethereum Foundation Blog Dencun Mainnet Announcement | Ethereum Foundation Blog ZK Grants Round | Ethereum Foundation Blog Eth2 at ETHWaterloo: Prizes for Eth2 education, tooling, and research | Ethereum Foundation Blog eth2 quick update no. 2 | Ethereum Foundation Blog Devcon4 Ticket Sales | Ethereum Foundation Blog Announcing Swarm Proof-of-Concept Release 3 | Ethereum Foundation Blog Devcon4 Announcement | Ethereum Foundation Blog Announcing May 2018 Cohort of EF Grants | Ethereum Foundation Blog Announcing World Trade Francs: The Official Ethereum Stablecoin | Ethereum Foundation Blog Announcing Beneficiaries of the Ethereum Foundation Grants | Ethereum Foundation Blog Geth 1.8 - Iceberg¹ | Ethereum Foundation Blog Farewell and Welcome | Ethereum Foundation Blog Security Alert - Solidity - Variables can be overwritten in storage | Ethereum Foundation Blog Uncle Rate and Transaction Fee Analysis | Ethereum Foundation Blog Announcement of imminent hard fork for EIP150 gas cost changes | Ethereum Foundation Blog Dev Update: Formal Methods | Ethereum Foundation Blog On Inflation, Transaction Fees and Cryptocurrency Monetary Policy | Ethereum Foundation Blog Onward from the Hard Fork | Ethereum Foundation Blog C++ DEV Update - July edition | Ethereum Foundation Blog The Devcon2 site is now live! | Ethereum Foundation Blog Security Alert - DoS Vulnerability in the Soft Fork | Ethereum Foundation Blog DAO Wars: Your voice on the soft-fork dilemma | Ethereum Foundation Blog Smart Contract Security | Ethereum Foundation Blog Security Alert – Geth suffers from a very low probable DoS attack vector - Update immediately | Ethereum Foundation Blog On Settlement Finality | Ethereum Foundation Blog Ethereum Foundation and Wanxiang Blockchain Labs announce a blockbuster event combining Devcon2 and the 2nd Global Blockchain Summit in Shanghai, September 19–24, 2016 | Ethereum Foundation Blog Ethereum Partners with R3CEV on Lizardcoin, Bringing Together the Best of Centralized Finance and Blockchain Technology | Ethereum Foundation Blog From Smart Contracts to Courts with not so Smart Judges | Ethereum Foundation Blog BTC Relay included in Ethereum Bounty Program | Ethereum Foundation Blog Ethereum DEV Update: C++ Roadmap | Ethereum Foundation Blog Cut and try: building a dream | Ethereum Foundation Blog Ambients Applied to Ethereum | Ethereum Foundation Blog Mihai’s Ethereum Project Update. The First Year. | Ethereum Foundation Blog Getting to the Frontier | Ethereum Foundation Blog The Ethereum Development Process | Ethereum Foundation Blog
ETH Rangers Program Recap | Ethereum Foundation Blog
2026-04-16 · via Ethereum Foundation Blog

In late 2024, the Ethereum Foundation, together with Secureum, The Red Guild, and Security Alliance (SEAL), launched the ETH Rangers Program, an initiative to provide stipends for individuals doing public goods security work in the Ethereum ecosystem.

The goal of the program was straightforward: to fund independent efforts that enhance the resilience of the Ethereum ecosystem, and to recognize people with demonstrated track records of meaningful contributions to important security work that benefits Ethereum as a whole.

Now that the six month ETH Rangers Program has wrapped up, we want to share the outcomes of the 17 stipend recipients’ work. The breadth of their output is impressive, from vulnerability research and security tooling, to education, threat intelligence, and incident response.

Across recipient initiatives, consolidated outcomes include:

  • Over 5.8 million dollars in funds recovered or frozen
  • Over 785 vulnerabilities, client bugs, and proof of concepts reported or cataloged
  • Approximately 100 state sponsored operatives identified across more than teams
  • Over 209,000 views and users reached with threat awareness and investigative content
  • 800+ teams engaged in sponsored security challenges and investigations
  • Over 80 workshops, talks, and technical or educational resources delivered
  • 36+ incident responses handled
  • 7+ open source tooling repositories, frameworks, and implementations developed or improved

These ETH Rangers Program results demonstrate the reality that securing a decentralized network requires a decentralized defense.

From protocol-level vulnerability research to global developer education, these independent researchers built infrastructure that will multiply security effects across the entire ecosystem.

Project Highlights

SunSec – DeFiHackLabs

SunSec, with the DeFiHackLabs community, delivered an extraordinary volume of security education and tooling work. Over the stipend period, DeFiHackLabs:

  • Built an Incident Explorer platform for searching and analysing DeFi incidents with proof-of-concept (PoC) exploits and root cause analysis, covering 620+ PoCs to date.
  • Ran a PoC Summer Contest that received 43 new proof-of-concept submissions from the community.
  • Delivered six workshop sessions at Korea University covering smart contract bug classes, auditing, and attack case analysis.
  • Partnered with HITCON CTF (717 participating teams) to create a Web3 security challenge.
  • Had seven talks selected at COSCUP 2025, covering topics from phishing to formal verification.
  • Ran CTF training sessions, writing campaigns, a Web3 Security Club, and a talent referral program to connect white hats with employment opportunities.

The sheer scale of community activation here is notable. DeFiHackLabs operates as a multiplier, turning one stipend into educational output that reaches hundreds of security researchers.

Ketman Project – DPRK IT Worker Investigations

One recipient used their stipend to build and scale the Ketman Project, focused on discovering and expelling North Korean (DPRK) IT workers who have infiltrated blockchain projects under fake identities.

Over the stipend period, they:

  • Reached out to approximately 53 projects and identified around 100 different DPRK IT workers operating within Web3 organizations.
  • Published investigative articles on ketman.org that reached over 3,300 active users and 6,200 page views, covering topics such as account takeover tactics, freelance platform infiltration, and DPRK-Russia connections.
  • Developed and open-sourced gh-fake-analyzer, a GitHub profile analysis tool for detecting suspicious activity patterns, now available on PyPI.
  • Co-authored the DPRK IT Workers Framework with SEAL, which has become a standard reference document for the industry.
  • Contributed data to the Lazarus.group threat intelligence project, with their work featured in a presentation at DEF CON.

This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today.

Nick Bax – Incident Response and Threat Intelligence

Nick Bax contributed across multiple fronts, primarily through SEAL 911 incident response, DPRK threat mitigation, and public awareness.

  • Contributed to over 36 SEAL 911 tickets, including assisting with the Loopscale exploit incident response that resulted in the return of $5.8M.
  • As part of a team, identified and notified 30+ teams that they were employing DPRK IT workers, and coordinated the freezing of mid-six-figures of funds received by those workers.
  • Created an awareness video about DPRK "Fake VC" scams that received 200,000 views on X, with multiple crypto executives publicly crediting it for helping them avoid being hacked.
  • Identified and disclosed a homoglyph attack used by the "ELUSIVE COMET" threat group to evade Zoom's suspicious name detection, resulting in the vulnerability being patched.
  • Represented SEAL at a US Department of Treasury roundtable on DPRK hacker mitigations and spoke at a conference at Interpol Headquarters in Lyon.

Guild Audits – Security Education in Africa and Beyond

Guild Audits ran intensive smart contract security bootcamps, training the next generation of Ethereum security researchers.

  • Bootcamp cohorts trained researchers across Africa, Asia, Europe, and the Americas, who went on to report 110+ vulnerabilities across major audit contest platforms, including Sherlock, Code4rena, Codehawks, Cantina, and Immunefi, with several students ranking in the top 10 on leaderboards.
  • Students published 55+ technical articles, proposed EIPs, replayed real-world hacks, and conducted pro-bono audits for open-source projects such as Coinsafe and SIR.
  • On 8 November 2025, Guild Audits hosted Africa's first Web3 Security Summit, bringing together security researchers, auditors, and developers from across the continent.

The capacity-building impact of Guild Audits’ smart contract security bootcamps is significant, creating a pipeline of skilled security researchers in regions that have been historically underrepresented in the Ethereum security community.

Palina Tolmach – Kontrol: Usable Formal Verification

Palina Tolmach of Runtime Verification worked on improving Kontrol, a formal verification tool for Ethereum smart contracts, to make the tool more accessible to developers and security researchers.

Key Kontrol improvements delivered include:

  • Improved output clarity – cleaner error messages, decoded failure reasons, console.log support in proofs, and pretty-printed path conditions, making proof results far easier to interpret.
  • Counterexample generation – when a proof fails, Kontrol can now automatically generate a runnable Foundry test demonstrating the failure, drastically reducing the iteration time for formal verification.
  • Structured symbolic storage – automated generation of typed storage representations via a new kontrol setup-storage command, simplifying proof setup.
  • Comprehensive documentation overhaul – created new guides for bytecode verification, dynamic types, debugging, and all supported cheatcodes.
  • Lemma improvements – upstreamed critical lemmas to KEVM for better automated reasoning, including support for immutable variables and whitelist cheatcodes.

All of this work is open source at github.com/runtimeverification/kontrol, improving the formal verification tooling landscape for all security researchers.

Ethereum Execution Client DoS Research

A research team developed a testing framework to systematically evaluate the robustness of Ethereum execution clients under message-flooding denial-of-service attacks.

By testing all five major execution clients (Geth, Besu, Erigon, Nethermind, and Reth) they discovered 14 bugs across different network protocol layers. These bugs can lead to:

  • Asymmetric CPU consumption – where an attacker consumes far less CPU than the victim (up to 4x asymmetry in some cases).
  • Denied information propagation – where a victim node becomes unresponsive to peer discovery or blockchain data requests (affecting Besu, Erigon, and Nethermind).
  • Node crashes – where flooding attacks cause out-of-memory errors and crash the victim node (affecting Nethermind, Reth, and Erigon).

The findings highlight that no execution client is completely immune to message-flooding attacks, and further efforts are needed to develop effective countermeasures (e.g., adaptive rate-limiting). The testing framework and results have been shared with the Ethereum Foundation's Protocol Security team to inform further client security research.

Other Stipend Recipients

For brevity we could not do a full write-up on all recipient projects. The remaining recipients contributed across a wide range of security-related public goods:

RecipientOutput
Kelsie NabbenWrote a book based on 2.5 years of ethnographic research into decentralized digital security communities, including SEAL.
Mothra teamBuilt Mothra, a Ghidra extension for EVM bytecode reverse engineering, including support for EOF decompilation. Published detailed technical write-ups on the development process.
SomaXBTPublished a four-part series on blockchain forensics and the crypto threat landscape, covering fund tracing, attribution techniques, and OSINT methods.
Peter KacherginskyPublished BlockThreat, a platform for blockchain threat intelligence that analyzes past blockchain security incidents and their root causes.
Attack VectorsBuilt attackvectors.org, an open-source, continuously updated guide covering the top attack vectors in DeFi with prevention strategies. Also contributed to SEAL's Wallet Security Framework and became a SEAL Steward.
Tim FanDeveloped D2PFuzz, a DevP2P protocol fuzzing framework with differential testing across multiple execution layer clients. Found bugs through both single-client and cross-client testing.
nft_drewwPublished security articles, hosted educational classes through Boring Security, and completed audits on Ethereum public goods projects.
Jean-Loïc MugnierDeveloped a Web3 transaction simulation Chrome extension that intercepts and simulates transactions before they reach the wallet, along with simulation spoofing research.
Alexandre MeloProduced security workshop videos covering fuzzing, smart accounts, AI-driven auditing, Solana security, and zero-knowledge proofs.
Ho Nhut MinhEnhanced CuEVM, a GPU-accelerated EVM implementation, with multi-GPU support and a Golang library for integration with the Medusa fuzzer. Benchmarked on Nvidia H100 GPUs.
Sergio GarciaBuilt the Tracelon Monitoring Bot, a Telegram bot for real-time block monitoring on Ethereum, Bitcoin, and Base with ERC20 balance change alerts. Also continued contributing to SEAL 911 incident response.

Looking Ahead

The ETH Rangers Program set out to support people doing unglamorous but essential security work for Ethereum.

The variety of their contributions reflects the breadth of what "public goods security" means in practice. It's about more than finding bugs; it’s also about building tools, training people, documenting knowledge, responding to incidents, and making the ecosystem more resilient.

By supporting public goods security work, the program integrated new tools, research, and intelligence into the broader Ethereum ecosystem. This decentralized approach to defense provides a stronger foundation for builders and users worldwide.

We are grateful to all 17 stipend recipients for their contributions, and especially to The Red Guild for their hands-on involvement in reviewing submissions, structuring milestones, and providing detailed feedback throughout the process. Thanks also to Secureum and Security Alliance for their collaboration in establishing the Program.