In late 2024, the Ethereum Foundation, together with Secureum, The Red Guild, and Security Alliance (SEAL), launched the ETH Rangers Program, an initiative to provide stipends for individuals doing public goods security work in the Ethereum ecosystem.
The goal of the program was straightforward: to fund independent efforts that enhance the resilience of the Ethereum ecosystem, and to recognize people with demonstrated track records of meaningful contributions to important security work that benefits Ethereum as a whole.
Now that the six month ETH Rangers Program has wrapped up, we want to share the outcomes of the 17 stipend recipients’ work. The breadth of their output is impressive, from vulnerability research and security tooling, to education, threat intelligence, and incident response.
Across recipient initiatives, consolidated outcomes include:
- Over 5.8 million dollars in funds recovered or frozen
- Over 785 vulnerabilities, client bugs, and proof of concepts reported or cataloged
- Approximately 100 state sponsored operatives identified across more than teams
- Over 209,000 views and users reached with threat awareness and investigative content
- 800+ teams engaged in sponsored security challenges and investigations
- Over 80 workshops, talks, and technical or educational resources delivered
- 36+ incident responses handled
- 7+ open source tooling repositories, frameworks, and implementations developed or improved
These ETH Rangers Program results demonstrate the reality that securing a decentralized network requires a decentralized defense.
From protocol-level vulnerability research to global developer education, these independent researchers built infrastructure that will multiply security effects across the entire ecosystem.
Project Highlights
SunSec – DeFiHackLabs
SunSec, with the DeFiHackLabs community, delivered an extraordinary volume of security education and tooling work. Over the stipend period, DeFiHackLabs:
- Built an Incident Explorer platform for searching and analysing DeFi incidents with proof-of-concept (PoC) exploits and root cause analysis, covering 620+ PoCs to date.
- Ran a PoC Summer Contest that received 43 new proof-of-concept submissions from the community.
- Delivered six workshop sessions at Korea University covering smart contract bug classes, auditing, and attack case analysis.
- Partnered with HITCON CTF (717 participating teams) to create a Web3 security challenge.
- Had seven talks selected at COSCUP 2025, covering topics from phishing to formal verification.
- Ran CTF training sessions, writing campaigns, a Web3 Security Club, and a talent referral program to connect white hats with employment opportunities.
The sheer scale of community activation here is notable. DeFiHackLabs operates as a multiplier, turning one stipend into educational output that reaches hundreds of security researchers.
Ketman Project – DPRK IT Worker Investigations
One recipient used their stipend to build and scale the Ketman Project, focused on discovering and expelling North Korean (DPRK) IT workers who have infiltrated blockchain projects under fake identities.
Over the stipend period, they:
- Reached out to approximately 53 projects and identified around 100 different DPRK IT workers operating within Web3 organizations.
- Published investigative articles on ketman.org that reached over 3,300 active users and 6,200 page views, covering topics such as account takeover tactics, freelance platform infiltration, and DPRK-Russia connections.
- Developed and open-sourced gh-fake-analyzer, a GitHub profile analysis tool for detecting suspicious activity patterns, now available on PyPI.
- Co-authored the DPRK IT Workers Framework with SEAL, which has become a standard reference document for the industry.
- Contributed data to the Lazarus.group threat intelligence project, with their work featured in a presentation at DEF CON.
This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today.
Nick Bax – Incident Response and Threat Intelligence
Nick Bax contributed across multiple fronts, primarily through SEAL 911 incident response, DPRK threat mitigation, and public awareness.
- Contributed to over 36 SEAL 911 tickets, including assisting with the Loopscale exploit incident response that resulted in the return of $5.8M.
- As part of a team, identified and notified 30+ teams that they were employing DPRK IT workers, and coordinated the freezing of mid-six-figures of funds received by those workers.
- Created an awareness video about DPRK “Fake VC” scams that received 200,000 views on X, with multiple crypto executives publicly crediting it for helping them avoid being hacked.
- Identified and disclosed a homoglyph attack used by the “ELUSIVE COMET” threat group to evade Zoom’s suspicious name detection, resulting in the vulnerability being patched.
- Represented SEAL at a US Department of Treasury roundtable on DPRK hacker mitigations and spoke at a conference at Interpol Headquarters in Lyon.
Guild Audits – Security Education in Africa and Beyond
Guild Audits ran intensive smart contract security bootcamps, training the next generation of Ethereum security researchers.
- Bootcamp cohorts trained researchers across Africa, Asia, Europe, and the Americas, who went on to report 110+ vulnerabilities across major audit contest platforms, including Sherlock, Code4rena, Codehawks, Cantina, and Immunefi, with several students ranking in the top 10 on leaderboards.
- Students published 55+ technical articles, proposed EIPs, replayed real-world hacks, and conducted pro-bono audits for open-source projects such as Coinsafe and SIR.
- On 8 November 2025, Guild Audits hosted Africa’s first Web3 Security Summit, bringing together security researchers, auditors, and developers from across the continent.
The capacity-building impact of Guild Audits’ smart contract security bootcamps is significant, creating a pipeline of skilled security researchers in regions that have been historically underrepresented in the Ethereum security community.
Palina Tolmach – Kontrol: Usable Formal Verification
Palina Tolmach of Runtime Verification worked on improving Kontrol, a formal verification tool for Ethereum smart contracts, to make the tool more accessible to developers and security researchers.
Key Kontrol improvements delivered include:
- Improved output clarity – cleaner error messages, decoded failure reasons, console.log support in proofs, and pretty-printed path conditions, making proof results far easier to interpret.
- Counterexample generation – when a proof fails, Kontrol can now automatically generate a runnable Foundry test demonstrating the failure, drastically reducing the iteration time for formal verification.
- Structured symbolic storage – automated generation of typed storage representations via a new kontrol setup-storage command, simplifying proof setup.
- Comprehensive documentation overhaul – created new guides for bytecode verification, dynamic types, debugging, and all supported cheatcodes.
- Lemma improvements – upstreamed critical lemmas to KEVM for better automated reasoning, including support for immutable variables and whitelist cheatcodes.
All of this work is open source at github.com/runtimeverification/kontrol, improving the formal verification tooling landscape for all security researchers.
Ethereum Execution Client DoS Research
A research team developed a testing framework to systematically evaluate the robustness of Ethereum execution clients under message-flooding denial-of-service attacks.
By testing all five major execution clients (Geth, Besu, Erigon, Nethermind, and Reth) they discovered 14 bugs across different network protocol layers. These bugs can lead to:
- Asymmetric CPU consumption – where an attacker consumes far less CPU than the victim (up to 4x asymmetry in some cases).
- Denied information propagation – where a victim node becomes unresponsive to peer discovery or blockchain data requests (affecting Besu, Erigon, and Nethermind).
- Node crashes – where flooding attacks cause out-of-memory errors and crash the victim node (affecting Nethermind, Reth, and Erigon).
The findings highlight that no execution client is completely immune to message-flooding attacks, and further efforts are needed to develop effective countermeasures (e.g., adaptive rate-limiting). The testing framework and results have been shared with the Ethereum Foundation’s Protocol Security team to inform further client security research.
Other Stipend Recipients
For brevity we could not do a full write-up on all recipient projects. The remaining recipients contributed across a wide range of security-related public goods:
| Recipient | Output |
|---|---|
| Kelsie Nabben | Wrote a book based on 2.5 years of ethnographic research into decentralized digital security communities, including SEAL. |
| Mothra team | Built Mothra, a Ghidra extension for EVM bytecode reverse engineering, including support for EOF decompilation. Published detailed technical write-ups on the development process. |
| SomaXBT | Published a four-part series on blockchain forensics and the crypto threat landscape, covering fund tracing, attribution techniques, and OSINT methods. |
| Peter Kacherginsky | Published BlockThreat, a platform for blockchain threat intelligence that analyzes past blockchain security incidents and their root causes. |
| Attack Vectors | Built attackvectors.org, an open-source, continuously updated guide covering the top attack vectors in DeFi with prevention strategies. Also contributed to SEAL’s Wallet Security Framework and became a SEAL Steward. |
| Tim Fan | Developed D2PFuzz, a DevP2P protocol fuzzing framework with differential testing across multiple execution layer clients. Found bugs through both single-client and cross-client testing. |
| nft_dreww | Published security articles, hosted educational classes through Boring Security, and completed audits on Ethereum public goods projects. |
| Jean-Loïc Mugnier | Developed a Web3 transaction simulation Chrome extension that intercepts and simulates transactions before they reach the wallet, along with simulation spoofing research. |
| Alexandre Melo | Produced security workshop videos covering fuzzing, smart accounts, AI-driven auditing, Solana security, and zero-knowledge proofs. |
| Ho Nhut Minh | Enhanced CuEVM, a GPU-accelerated EVM implementation, with multi-GPU support and a Golang library for integration with the Medusa fuzzer. Benchmarked on Nvidia H100 GPUs. |
| Sergio Garcia | Built the Tracelon Monitoring Bot, a Telegram bot for real-time block monitoring on Ethereum, Bitcoin, and Base with ERC20 balance change alerts. Also continued contributing to SEAL 911 incident response. |
Looking Ahead
The ETH Rangers Program set out to support people doing unglamorous but essential security work for Ethereum.
The variety of their contributions reflects the breadth of what “public goods security” means in practice. It’s about more than finding bugs; it’s also about building tools, training people, documenting knowledge, responding to incidents, and making the ecosystem more resilient.
By supporting public goods security work, the program integrated new tools, research, and intelligence into the broader Ethereum ecosystem. This decentralized approach to defense provides a stronger foundation for builders and users worldwide.
We are grateful to all 17 stipend recipients for their contributions, and especially to The Red Guild for their hands-on involvement in reviewing submissions, structuring milestones, and providing detailed feedback throughout the process. Thanks also to Secureum and Security Alliance for their collaboration in establishing the Program.
