Ethereum Foundation Puts $1 Million Behind Smart Contract Audits in Bid to Close Crypto's Security Gap

The foundation's new subsidy programme covers up to 30 per cent of audit costs for any Ethereum mainnet team, with more than 20 firms including Certora, Quantstamp and Spearbit ready to take on the work.

By Ray Crawford · 3 min read

The Ethereum Foundation on Monday committed $1 million to a new audit subsidy programme designed to lower the cost of smart contract security reviews for builders deploying on mainnet.

The initiative — announced through the foundation's security team alongside partners Areta Market, Nethermind and Chainlink Labs — is structured as a first-come, first-served fund with no fixed application deadline. Teams can apply through Areta Market's platform, where an expert committee drawn from the foundation and its partners will assess each submission. Approved projects receive the subsidy automatically, then request quotes from any of more than 20 participating audit firms.

Those firms read like a directory of the industry's most established security shops: Certora, BlockSec, Quantstamp, Spearbit, Sherlock, Zellic, Hacken, Cyfrin, Dedaub and Nethermind Security among them. The subsidy covers up to 30 per cent of total audit costs as standard, with higher support available on a case-by-case basis for projects the committee deems particularly aligned with the foundation's CROPS principles — censorship resistance, open source, privacy and security.

The timing makes sense. Crypto lost $1.4 billion to hacks and exploits over the past twelve months, and the single largest incident of 2026 so far — the Drift Protocol breach on Solana, attributed to North Korean state-linked group UNC4736 — drained $270 million through social engineering rather than a code vulnerability. But the broader pattern is clear: protocols that skip or delay audits tend to be the ones that end up in post-mortems.

A full smart contract audit from a top-tier firm can run anywhere from $50,000 to $500,000 depending on codebase complexity, a cost that puts it out of reach for many early-stage teams. The foundation's position is that this creates a perverse incentive — projects that most need scrutiny are the ones least able to afford it. By subsidising the review process, the programme aims to catch vulnerabilities before they become nine-figure headlines.

It's worth placing this against the broader security push that has followed the Drift exploit. The Solana Foundation announced its own security overhaul days after the attack; Ethereum's programme takes a different approach by targeting the economics of prevention rather than the mechanics of response. The distinction matters. Post-hack security reviews and bug bounties address symptoms; cheaper audits address the root cause.

Priority goes to teams working on infrastructure the foundation considers critical. That means protocols handling significant value, novel cryptographic implementations and anything touching cross-chain bridging — the attack surface that produced the $625 million Ronin bridge hack in 2022 and the $611 million Poly Network exploit before it. The expert committee will weigh each application against the CROPS framework, but the foundation has signalled it wants breadth as much as depth; small teams building genuinely useful tools are as welcome as large protocols managing billions.

The programme also reflects a quiet shift in how the foundation allocates resources. Under its restructured leadership, the organisation has moved towards targeted, measurable interventions rather than broad research grants. A million dollars won't cover every audit Ethereum's builder community needs — the DeFi sector alone probably generates that much in audit demand every quarter — but it creates a template. If the programme produces measurable results, expanding the pool or attracting matching funds from protocol treasuries becomes a straightforward proposition.

There are limitations. The fund covers audit costs, not remediation; a team that receives a devastating audit report still needs the engineering resources to fix what's broken. And 30 per cent coverage, while meaningful, still leaves smaller teams bearing the majority of a bill that can exceed six figures. The foundation has left room for higher subsidies in exceptional cases, but the default rate suggests this is designed as a nudge rather than a full solution.

Applications are open now through Areta Market, with no deadline set beyond the fund's exhaustion. The foundation has not committed to replenishing the pool, though the programme's structure — a committee, a platform, a network of vetted firms — looks built for permanence rather than a one-off gesture. The $1 million ceiling may be the starting point, not the limit.
