Octane has received an Ecosystem Support Program grant from the Ethereum Foundation to provide continuous security analysis across Ethereum's client layer.
Octane Receives Ecosystem Grant to Help Put the S in Ethereum’s CROPS
In February, we announced the finding of a high-severity vulnerability in the Nethermind execution client. This bug had the potential to halt local block production for 38% of mainnet validators. We reported it through responsible disclosure, it was patched, and we published our findings.
We found this bug during the Fusaka upgrade audit contest, where we ultimately placed 4th overall, with 16 confirmed findings, nine of which were unique.
Why the Client Layer
Ethereum's clients are the most critical infrastructure the network runs on. Execution clients process every transaction and validate every block. Consensus clients are the other half of the equation. They determine what gets finalized, coordinate the validator set, manage fork choice, and ensure the network agrees on a single canonical chain. A vulnerability at either level can undermine the finality guarantees that make Ethereum trustworthy in the first place. Unlike a smart contract bug, a client-layer vulnerability threatens the network itself. Octane's grant covers both.
The Ethereum Foundation's recently published mandate lists Security as one of the four non-negotiable properties Ethereum must always uphold. These four properties are grouped under the acronym CROPS.
CR – Censorship Resistance
O – Open source code
P – Privacy
S – Security
The mandate is written, in their own words, for a thousand-year horizon. Standards, it notes, "like water, tend to flow from high to low, and are far easier to lose than to regain."
The Ethereum Foundation understands that security can never be something you audit once and consider fixed forever. It requires continuous, adversarial analysis, which is exactly what we built Octane to deliver.
What We're Building Toward
Under this grant, Octane is onboarding clients across Ethereum's client layer to provide the same AI-native DevSecOps tooling and adversarial security analysis that caught the Nethermind vulnerability earlier this year. We'll share more details as this work progresses.
What we can say for now is that this engagement represents something we've been building toward since Octane's founding: the application of AI-native security analysis to infrastructure that billions of people will eventually depend on – whether they know it or not.
Octane was forged in smart contract security, one of the most adversarial environments in software. An overlooked bug is often only discovered after a realized loss, visible on a public block explorer forever.
That environment produces a specific way of reasoning about code. This isn’t static analysis against a checklist. You need to think the way an attacker would: across layers, across assumptions, across the divide between what the developer intended and how the system actually works once it’s deployed. That’s exactly how we trained Octane to approach security analysis.
The Nethermind finding proved that this approach generalizes to clients. Other findings, like our recent discovery of vulnerabilities in the engines powering 99.7% of all web browser traffic, are further proof that our AI-native model applies to application security and beyond.
Putting the S in Ethereum’s CROPS
The EF's mandate includes what it calls the "Only-EF Rule": a commitment to focus on critical work that "no other ecosystem actor can or will reliably undertake," including "public-good security work."

Octane's role here is to be the ecosystem actor that undertakes exactly that kind of work at the client layer: continuous, independent, adversarial analysis that doesn't depend on a single team's assumptions about their own code.
The world computer deserves world-class security. Octane is proud to provide it.
Learn more about the Ethereum Foundation's Ecosystem Support Program at esp.ethereum.foundation. Read our original Nethermind disclosure at octane.security/post/ethereum.



