Ethereum Foundation Reveals Expanded Security Team as Merge Milestone Approaches
The Ethereum Foundation has disclosed the growth of its internal security team and the full scope of its protection programs, publishing the third installment of its "Secured" transparency series on April 14, 2022. Launched in September 2021 as part of a deliberate institutional shift toward open security governance for a decentralised network, the series gives developers and users an ongoing window into the Foundation's protective infrastructure. The update arrives as the network prepares for its most consequential technical transition to date and as the broader crypto industry absorbs record-breaking losses from hacks and exploits.
The Foundation's security team now includes specialists in cryptography, security architecture, exploit development, risk management, and red and blue team operations.
Team members bring experience securing internet services, national healthcare systems, and central banks.
The expansion appears to reflect the elevated risk profile surrounding Ethereum's upcoming shift from proof-of-work to proof-of-stake consensus, known as The Merge.
Five Areas of Active Security Work
The team currently operates across five functions. First, it runs automated code scanning on client implementations using tools including CodeQL, semgrep, ErrorProne, and Nosy, alongside manual audits of BLS cryptography (the signature scheme underpinning proof-of-stake), the libp2p networking layer, and sync committees.
Second, it conducts fuzz testing on RPC handlers and state transitions. Fuzz testing works by throwing large volumes of malformed or random inputs at software to surface unexpected failures.
The team also operates "attacknets," which are isolated network environments designed to simulate real attacks without affecting the live chain. The public attacknet repository is available at github.com/ethereum/public-attacknets for readers who want to go deeper.
Third, two bug bounty programs currently accept reports at bounty.ethereum.org and eth2bounty.ethereum.org, covering the Execution Layer and the Consensus Layer respectively. Cross-client vulnerability verification is part of the process, meaning a reported bug is tested across multiple clients before a payout is confirmed.
Fourth, the Foundation is building a network monitoring system that functions similarly to a Security Information and Event Management (SIEM) platform. As the Foundation described it in Secured #3: "The new monitoring system works like a SIEM and is built to listen to and monitor the Ethereum network for pre-configured detection rules as well as dynamic anomaly detection that scans for outlier events."
Fifth, the Ethereum Client Security Group coordinates incident response across both layer teams, with war room protocols available for emergencies.
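The monitoring system described in the fourth item combines pre-configured rules with dynamic outlier detection. The following is an added example, not the Foundation's code, that runs both detector classes over a constructed window of per-slot network observations: fixed-threshold rules for missed and late blocks, and a robust (median/MAD) outlier score on included-attestation counts so a single bad slot does not inflate the scale it is judged against. The event fields, thresholds and slot data are all assumptions made for the example.

```python
import statistics
from dataclasses import dataclass

# Constructed sample of per-slot observations (not real chain data).
# Fields: slot, proposer index, seconds from slot start until the block was seen,
# number of attestations included (None = no block observed for that slot).
SAMPLE_EVENTS = [
    (100, 7, 0.8, 120), (101, 19, 1.1, 118), (102, 3, 0.9, 121),
    (103, 7, 1.0, 119), (104, 42, None, None), (105, 11, 0.7, 122),
    (106, 8, 1.2, 117), (107, 5, 0.9, 120), (108, 9, 1.0, 119),
    (109, 2, 7.9, 44), (110, 30, 0.8, 121), (111, 14, 1.1, 118),
]

@dataclass(frozen=True)
class Alert:
    slot: int
    rule: str
    detail: str

def run_static_rules(events, late_after=4.0):
    """Pre-configured rules: thresholds an operator fixed up front (assumed values)."""
    alerts = []
    for slot, proposer, latency, _count in events:
        if latency is None:
            alerts.append(Alert(slot, "missed_block", f"no block from proposer {proposer}"))
        elif latency > late_after:
            alerts.append(Alert(slot, "late_block", f"block seen after {latency:.1f}s"))
    return alerts

def run_anomaly_rules(events, score_threshold=3.5):
    """Dynamic outlier detection with the modified z-score (median and MAD), so the
    scale is not dominated by the very outlier we are trying to find."""
    counts = [c for *_, c in events if c is not None]
    median = statistics.median(counts)
    mad = statistics.median(abs(c - median) for c in counts) or 1.0  # flat window guard
    alerts = []
    for slot, _proposer, _latency, count in events:
        if count is None:
            continue
        score = 0.6745 * (count - median) / mad
        if abs(score) >= score_threshold:
            alerts.append(Alert(slot, "attestation_outlier", f"{count} included, score={score:.1f}"))
    return alerts

def monitor(events):
    """Correlation pass: merge both detector outputs, ordered by slot."""
    return sorted(run_static_rules(events) + run_anomaly_rules(events), key=lambda a: a.slot)
```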
Public Disclosures and the Merge Threat Model
In March 2022, the Foundation published its first public vulnerability disclosure list on GitHub, a development that formed the subject of Secured #2. The list covers patched issues across nine clients: Nimbus, Teku, Lighthouse, Prysm, Lodestar, Go Ethereum, Nethermind, Erigon, and Besu. The full repository is available at github.com/ethereum/public-disclosures/.
The current security team's primary analytical focus is threat modelling specific to The Merge. The coupling of the consensus and execution layers during the transition period creates a temporarily unverified attack surface, with known risk categories including finality delay attacks, avalanche scenarios (which require an attacker to control multiple consecutive block proposers), and nothing-at-stake scenarios, in which validators face no cost for simultaneously endorsing multiple conflicting chain histories.
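The nothing-at-stake scenario above is the behaviour that proof-of-stake Ethereum's slashing conditions exist to price in. As an added example (not code from the Foundation or any client), the block below checks a set of constructed attestations against the two Casper FFG slashing conditions, a double vote (two different targets in one epoch) and a surround vote (one source-to-target span strictly enclosing another), which is how a validator that endorses conflicting histories is made to pay for it. The attestation fields and votes are assumptions; a real client also checks the signatures and indexes by validator rather than scanning pairwise.

```python
from dataclasses import dataclass

# Constructed FFG votes (not real chain data): the checkpoint pair a validator signs.
@dataclass(frozen=True)
class AttestationData:
    validator: int
    source_epoch: int
    target_epoch: int
    target_root: str

def is_double_vote(a, b):
    """Same validator, same target epoch, different target root: both conflicting
    histories were endorsed at once, the nothing-at-stake pattern."""
    return (a.validator == b.validator and a.target_epoch == b.target_epoch
            and a.target_root != b.target_root)

def is_surround_vote(a, b):
    """One vote's source..target span strictly surrounds the other's, which lets a
    validator back a conflicting history without a same-epoch clash."""
    if a.validator != b.validator:
        return False
    return ((a.source_epoch < b.source_epoch and b.target_epoch < a.target_epoch) or
            (b.source_epoch < a.source_epoch and a.target_epoch < b.target_epoch))

def find_slashable(attestations):
    """Pairwise scan of observed votes; returns (validator, condition, pair) tuples."""
    findings = []
    for i, a in enumerate(attestations):
        for b in attestations[i + 1:]:
            if is_double_vote(a, b):
                findings.append((a.validator, "double_vote", (a, b)))
            elif is_surround_vote(a, b):
                findings.append((a.validator, "surround_vote", (a, b)))
    return findings

SAMPLE_VOTES = [
    AttestationData(11, 5, 6, "0xaaaa"),
    AttestationData(11, 5, 6, "0xbbbb"),  # same target epoch, different root: double vote
    AttestationData(22, 4, 9, "0xcccc"),
    AttestationData(22, 5, 7, "0xdddd"),  # 5..7 sits strictly inside 4..9: surround vote
    AttestationData(33, 6, 7, "0xeeee"),
    AttestationData(33, 7, 8, "0xffff"),  # consistent chain of votes, nothing to report
]
```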
Industry Context: 2022 Is Already a Record Year for Theft
The transparency update comes at a particularly costly moment for the industry. According to 4IRE Labs, approximately $1.2 billion was stolen from crypto protocols in Q1 2022 alone, an 823% increase year-over-year.
Cross-chain bridges have become the dominant attack vector. The Ronin bridge lost $625 million in March 2022, Wormhole lost $320 million in February, and the broader bridge category is on pace to account for roughly 70% of annual crypto theft, according to analysis from Halborn and Elliptic.
These are not abstract figures. They represent capital lost by retail users, with legal recourse varying considerably by jurisdiction and remaining extremely limited in practice across many emerging markets.
Why This Matters Outside the United States
The protocols and attack vectors at the centre of 2022's exploit wave are particularly consequential for users in South Asia and sub-Saharan Africa. A Consensys Web3 and Crypto Global Survey conducted in 2024 placed wallet ownership in Nigeria, South Africa, and India at 84%, 66%, and 50% respectively, ranking those countries among the highest in global crypto adoption. These figures post-date this article's publication window and are included here as retrospective context; the directional trends they describe were already visible in earlier adoption data from these markets.
Indian users face an additional pressure point. A 30% flat tax on crypto gains with no loss offsetting, effective April 2022, may have driven some users and developers toward less regulated and less audited alternatives.
The security due diligence the Ethereum Foundation is publishing here represents a standard that many protocols competing for that displaced activity have not publicly demonstrated meeting.
In sub-Saharan Africa, where peer-to-peer crypto use is rapidly intersecting with DeFi-adjacent tools, it is worth noting that the region accounted for approximately 13% of global DeFi activity in the 2021 to 2022 period, with usage concentrated primarily in P2P models rather than DeFi-native ones. That lower DeFi footprint shapes the nature of the exposure, but the absence of comparable security infrastructure in many competing ecosystems remains a direct risk factor for users whose losses are not easily recoverable through institutional channels.
What Comes Next
The Foundation's bug bounty structure is expected to see significant changes in the coming months as The Merge draws closer. Payouts for consensus layer bugs, currently capped at $25,000, are set to increase to a consolidated cap of $250,000, a tenfold rise, with payouts reaching $500,000 during testnet periods.
Developers building on Ethereum across emerging markets can use the Foundation's newly public vulnerability disclosure repository as a practical reference for known weakness patterns. The repository is available at github.com/ethereum/public-disclosures/.
The security apparatus being built here is not a guarantee of safety. It is, however, a documented baseline that, in the judgment of this publication, much of the broader ecosystem has not yet matched.