In late 2024, the Ethereum Basis, along with Secureum, The Red Guild, and Security Alliance (SEAL), launched the ETH Rangers Program, an initiative to offer stipends for people doing public items safety work within the Ethereum ecosystem.
The purpose of this system was simple: to fund unbiased efforts that improve the resilience of the Ethereum ecosystem, and to acknowledge folks with demonstrated observe information of significant contributions to necessary safety work that advantages Ethereum as a complete.
Now that the six month ETH Rangers Program has wrapped up, we wish to share the outcomes of the 17 stipend recipients’ work. The breadth of their output is spectacular, from vulnerability analysis and safety tooling, to training, menace intelligence, and incident response.
Throughout recipient initiatives, consolidated outcomes embody:
- Over 5.8 million {dollars} in funds recovered or frozen
- Over 785 vulnerabilities, consumer bugs, and proof of ideas reported or cataloged
- Roughly 100 state sponsored operatives recognized throughout greater than groups
- Over 209,000 views and customers reached with menace consciousness and investigative content material
- 800+ groups engaged in sponsored safety challenges and investigations
- Over 80 workshops, talks, and technical or instructional assets delivered
- 36+ incident responses dealt with
- 7+ open supply tooling repositories, frameworks, and implementations developed or improved
These ETH Rangers Program outcomes show the truth that securing a decentralized community requires a decentralized protection.
From protocol-level vulnerability analysis to world developer training, these unbiased researchers constructed infrastructure that may multiply safety results throughout your entire ecosystem.
Mission Highlights
SunSec – DeFiHackLabs
SunSec, with the DeFiHackLabs group, delivered a rare quantity of safety training and tooling work. Over the stipend interval, DeFiHackLabs:
- Constructed an Incident Explorer platform for looking and analysing DeFi incidents with proof-of-concept (PoC) exploits and root trigger evaluation, overlaying 620+ PoCs so far.
- Ran a PoC Summer season Contest that acquired 43 new proof-of-concept submissions from the group.
- Delivered six workshop periods at Korea College overlaying sensible contract bug courses, auditing, and assault case evaluation.
- Partnered with HITCON CTF (717 collaborating groups) to create a Web3 safety problem.
- Had seven talks chosen at COSCUP 2025, overlaying matters from phishing to formal verification.
- Ran CTF coaching periods, writing campaigns, a Web3 Safety Membership, and a expertise referral program to attach white hats with employment alternatives.
The sheer scale of group activation right here is notable. DeFiHackLabs operates as a multiplier, turning one stipend into instructional output that reaches tons of of safety researchers.
Ketman Mission – DPRK IT Employee Investigations
One recipient used their stipend to construct and scale the Ketman Project, centered on discovering and expelling North Korean (DPRK) IT employees who’ve infiltrated blockchain initiatives beneath pretend identities.
Over the stipend interval, they:
- Reached out to roughly 53 initiatives and recognized round 100 totally different DPRK IT employees working inside Web3 organizations.
- Revealed investigative articles on ketman.org that reached over 3,300 lively customers and 6,200 web page views, overlaying matters reminiscent of account takeover ways, freelance platform infiltration, and DPRK-Russia connections.
- Developed and open-sourced gh-fake-analyzer, a GitHub profile evaluation software for detecting suspicious exercise patterns, now available on PyPI.
- Co-authored the DPRK IT Workers Framework with SEAL, which has turn out to be an ordinary reference doc for the business.
- Contributed knowledge to the Lazarus.group menace intelligence mission, with their work featured in a presentation at DEF CON.
This work instantly addresses one of the crucial urgent operational safety threats dealing with the Ethereum ecosystem at this time.
Nick Bax – Incident Response and Menace Intelligence
Nick Bax contributed throughout a number of fronts, primarily via SEAL 911 incident response, DPRK menace mitigation, and public consciousness.
- Contributed to over 36 SEAL 911 tickets, together with aiding with the Loopscale exploit incident response that resulted within the return of $5.8M.
- As a part of a staff, recognized and notified 30+ groups that they have been using DPRK IT employees, and coordinated the freezing of mid-six-figures of funds acquired by these employees.
- Created an awareness video about DPRK “Fake VC” scams that acquired 200,000 views on X, with a number of crypto executives publicly crediting it for serving to them keep away from being hacked.
- Recognized and disclosed a homoglyph assault utilized by the “ELUSIVE COMET” menace group to evade Zoom’s suspicious identify detection, ensuing within the vulnerability being patched.
- Represented SEAL at a US Division of Treasury roundtable on DPRK hacker mitigations and spoke at a convention at Interpol Headquarters in Lyon.
Guild Audits – Safety Training in Africa and Past
Guild Audits ran intensive sensible contract safety bootcamps, coaching the following technology of Ethereum safety researchers.
- Bootcamp cohorts skilled researchers throughout Africa, Asia, Europe, and the Americas, who went on to report 110+ vulnerabilities throughout main audit contest platforms, together with Sherlock, Code4rena, Codehawks, Cantina, and Immunefi, with a number of college students rating within the prime 10 on leaderboards.
- College students printed 55+ technical articles, proposed EIPs, replayed real-world hacks, and carried out pro-bono audits for open-source initiatives reminiscent of Coinsafe and SIR.
- On 8 November 2025, Guild Audits hosted Africa’s first Web3 Safety Summit, bringing collectively safety researchers, auditors, and builders from throughout the continent.
The capacity-building affect of Guild Audits’ sensible contract safety bootcamps is important, making a pipeline of expert safety researchers in areas which have been traditionally underrepresented within the Ethereum safety group.
Palina Tolmach – Kontrol: Usable Formal Verification
Palina Tolmach of Runtime Verification labored on bettering Kontrol, a proper verification software for Ethereum sensible contracts, to make the software extra accessible to builders and safety researchers.
Key Kontrol enhancements delivered embody:
- Improved output readability – cleaner error messages, decoded failure causes, console.log assist in proofs, and pretty-printed path circumstances, making proof outcomes far simpler to interpret.
- Counterexample technology – when a proof fails, Kontrol can now robotically generate a runnable Foundry check demonstrating the failure, drastically decreasing the iteration time for formal verification.
- Structured symbolic storage – automated technology of typed storage representations through a brand new kontrol setup-storage command, simplifying proof setup.
- Complete documentation overhaul – created new guides for bytecode verification, dynamic sorts, debugging, and all supported cheatcodes.
- Lemma enhancements – upstreamed vital lemmas to KEVM for higher automated reasoning, together with assist for immutable variables and whitelist cheatcodes.
All of this work is open supply at github.com/runtimeverification/kontrol, bettering the formal verification tooling panorama for all safety researchers.
Ethereum Execution Shopper DoS Analysis
A analysis staff developed a testing framework to systematically consider the robustness of Ethereum execution shoppers beneath message-flooding denial-of-service assaults.
By testing all 5 main execution shoppers (Geth, Besu, Erigon, Nethermind, and Reth) they found 14 bugs throughout totally different community protocol layers. These bugs can result in:
- Uneven CPU consumption – the place an attacker consumes far much less CPU than the sufferer (as much as 4x asymmetry in some instances).
- Denied info propagation – the place a sufferer node turns into unresponsive to look discovery or blockchain knowledge requests (affecting Besu, Erigon, and Nethermind).
- Node crashes – the place flooding assaults trigger out-of-memory errors and crash the sufferer node (affecting Nethermind, Reth, and Erigon).
The findings spotlight that no execution consumer is totally resistant to message-flooding assaults, and additional efforts are wanted to develop efficient countermeasures (e.g., adaptive rate-limiting). The testing framework and outcomes have been shared with the Ethereum Basis’s Protocol Safety staff to tell additional consumer safety analysis.
Different Stipend Recipients
For brevity we couldn’t do a full write-up on all recipient initiatives. The remaining recipients contributed throughout a variety of security-related public items:
| Recipient | Output |
|---|---|
| Kelsie Nabben | Wrote a book primarily based on 2.5 years of ethnographic analysis into decentralized digital safety communities, together with SEAL. |
| Mothra staff | Constructed Mothra, a Ghidra extension for EVM bytecode reverse engineering, together with assist for EOF decompilation. Revealed detailed technical write-ups on the event course of. |
| SomaXBT | Revealed a four-part collection on blockchain forensics and the crypto menace panorama, overlaying fund tracing, attribution methods, and OSINT strategies. |
| Peter Kacherginsky | Revealed BlockThreat, a platform for blockchain menace intelligence that analyzes previous blockchain safety incidents and their root causes. |
| Assault Vectors | Constructed attackvectors.org, an open-source, repeatedly up to date information overlaying the highest assault vectors in DeFi with prevention methods. Additionally contributed to SEAL’s Wallet Security Framework and have become a SEAL Steward. |
| Tim Fan | Developed D2PFuzz, a DevP2P protocol fuzzing framework with differential testing throughout a number of execution layer shoppers. Discovered bugs via each single-client and cross-client testing. |
| nft_dreww | Revealed safety articles, hosted instructional courses via Boring Safety, and accomplished audits on Ethereum public items initiatives. |
| Jean-Loïc Mugnier | Developed a Web3 transaction simulation Chrome extension that intercepts and simulates transactions earlier than they attain the pockets, together with simulation spoofing analysis. |
| Alexandre Melo | Produced security workshop videos overlaying fuzzing, sensible accounts, AI-driven auditing, Solana safety, and zero-knowledge proofs. |
| Ho Nhut Minh | Enhanced CuEVM, a GPU-accelerated EVM implementation, with multi-GPU assist and a Golang library for integration with the Medusa fuzzer. Benchmarked on Nvidia H100 GPUs. |
| Sergio Garcia | Constructed the Tracelon Monitoring Bot, a Telegram bot for real-time block monitoring on Ethereum, Bitcoin, and Base with ERC20 stability change alerts. Additionally continued contributing to SEAL 911 incident response. |
Wanting Forward
The ETH Rangers Program got down to assist folks doing unglamorous however important safety work for Ethereum.
The number of their contributions displays the breadth of what “public items safety” means in observe. It is about greater than discovering bugs; it’s additionally about constructing instruments, coaching folks, documenting information, responding to incidents, and making the ecosystem extra resilient.
By supporting public items safety work, this system built-in new instruments, analysis, and intelligence into the broader Ethereum ecosystem. This decentralized strategy to protection offers a stronger basis for builders and customers worldwide.
We’re grateful to all 17 stipend recipients for his or her contributions, and particularly to The Crimson Guild for his or her hands-on involvement in reviewing submissions, structuring milestones, and offering detailed suggestions all through the method. Thanks additionally to Secureum and Safety Alliance for his or her collaboration in establishing the Program.
