Ethereum Foundation Security Team x Sherlock: A Final Stress Test Before Mainnet
Ethereum Foundation’s Protocol Security Team partnered with Sherlock to run a 28-day, $2M audit contest as Fusaka’s final pre-mainnet stress test, drawing 510+ researchers and surfacing four high-severity issues that were fixed and verified before launch.
Introduction
This case study shows how the Ethereum Foundation’s Protocol Security Team partnered with Sherlock for a large-scale audit contest as the final stress test before Fusaka’s mainnet launch: why the contest model was chosen, how incentives were designed, and what participation looked like at full scale.
About The Ethereum Foundation Protocol Security Team
The Ethereum Foundation (EF) is a non-profit that supports the Ethereum ecosystem.
The Protocol Security Research team protects Ethereum’s integrity by securing the network and its core components through research, rigorous code review, advanced tooling, real-world simulations, continuous monitoring, bug bounty management, and close collaboration with client teams to identify and mitigate mainnet risks.
Fusaka Upgrade
Fusaka follows the Pectra upgrade and introduces improvements across both layers of Ethereum. The name combines Osaka (execution layer) and Fulu (consensus layer), reflecting coordinated changes that advance scaling, security, and the developer / user experience.
Fusaka’s headlining feature is PeerDAS (Peer Data Availability Sampling), designed to increase blob throughput. The upgrade also includes additional execution- and consensus-layer optimizations aimed at improving L1 performance. For a more comprehensive overview, see ethereum.org's guide to the upgrade.
Security Goals: The Trillion Dollar Security Project
Fusaka wasn’t treated like a normal protocol upgrade. With Ethereum supporting millions of users and hundreds of billions of dollars already onchain, the standard for pre-mainnet assurance keeps rising.
To meet that bar, the Ethereum Foundation launched the Trillion Dollar Security (1TS) project: an ecosystem-wide effort to raise Ethereum’s security standard for the next phase of adoption. Fusaka was the first major protocol upgrade after 1TS was announced, which made it an early benchmark for how upgrades would be stress-tested under that agenda.
The ambition behind 1TS is simple. Ethereum must become a network where:
- Billions of individuals feel comfortable holding more than $1,000 onchain, collectively securing trillions of dollars on Ethereum.
- Companies, institutions, and governments feel comfortable storing more than $1 trillion of value inside a single contract or application, and transacting in comparable amounts.
Smart contract security is a core pillar of 1TS, which is why the audits behind each protocol upgrade carry so much weight going into activation.
Why an Audit Contest with Sherlock?
Ahead of the Fusaka upgrade, the Ethereum Foundation’s Protocol Security Team partnered with Sherlock to run a large-scale adversarial security contest across the relevant codebase. The intent was to broaden pre-launch review by bringing in independent researchers operating under competitive incentives, alongside EF’s existing internal review process.
Audit contests are widely used as a final pre-launch check for high-stakes deployments. For Fusaka, the decision to work with Sherlock was driven by:
- Protocol-level expertise. Fusaka required auditors familiar with consensus and execution layer implementations, not just application-level smart contracts. Sherlock's researcher network has that depth.
- Custom incentive design. Sherlock supported the EF's tiered unlocking structure ($50K to $2M based on severity) and early report multipliers - incentives tailored to push speed and impact, not just participation.
- Rigorous judging. With protocol-level findings and a $2M prize pool, accurate severity assessment mattered. Sherlock's lead judge system handles complex triage and filters noise at scale.
- Structured fix review. Sherlock's workflow includes formal fix review to validate that remediations actually resolve issues without introducing new risks - critical for an upgrade securing hundreds of billions onchain.
Fusaka Upgrade: Audit Contest Setup
The contest ran for 28 days, from September 15th, 2025, until October 13th, 2025.
The maximum prize pool was $2,000,000, with the unlocked amount determined by the highest severity of any valid finding:
- Low validated: $50,000 unlocked
- Medium validated: $200,000 unlocked
- High validated: $500,000 unlocked
- Critical validated: $2,000,000 unlocked
Because the contest served as the final stress test before mainnet, early reporting mattered. To push faster disclosure and accelerate fixes, Sherlock applied an Early Report Multiplier:
- Week 1: 2x multiplier on valid reports
- Week 2: 1.5x multiplier on valid reports
Fusaka Audit Contest Results

The Fusaka Audit Contest drew over 510 participants across the full 4-week window.
By the time the Fusaka scope reached the contest, it had already been through extensive internal review. This contest was designed as the last adversarial check before mainnet: fresh eyes, parallel coverage, and incentives that reward real impact.
Even at that stage, researchers still surfaced meaningful issues, including 4 high-severity findings.

Summary of the Results:
- Criticals: 0
- Highs: 4
- Mediums: 2
- Lows: 8
- Informational: 85
The audit contest produced concrete and impactful findings that the EF team addressed leading into launch. Issues were resolved in the codebase and reviewed during a formal fix review period. With that process complete and the final commit signed off, Ethereum's highly anticipated Fusaka upgrade went live on December 3, 2025, meeting the security standard expected.
Because 1 or more Highs were uncovered, $500,000 of the prize pool was unlocked.

Full results can be found here.
Ongoing Security: Bug Bounty
The contest was designed to concentrate adversarial scrutiny in the final stretch before activation. After mainnet, the security work continues in a different form.
The Ethereum Foundation backs ongoing review with a $250,000 bug bounty, keeping incentives active as the codebase evolves and new attack surfaces emerge.
In practice, the two programs play distinct roles: the audit contest forces deep, time-boxed focus on an upgrade scope before launch, while the bug bounty keeps responsible disclosure open year-round. Together, they extend the same security posture from “pre-mainnet stress test” into sustained, post-launch scrutiny.
Conclusion
The Fusaka upgrade raised the bar for what it means to secure Ethereum at protocol scale.
As Ethereum moves toward securing a trillion dollars in value and beyond, security can’t be a one-time exercise. It has to be adversarial, collaborative, and continuous.
Sherlock’s audit contest helped meet that bar by mobilizing more than 500 security researchers to scrutinize the Fusaka codebase under strong incentives designed to surface real risk. The contest produced four high-severity findings that were remediated and verified before activation.
The EF’s ongoing bug bounty extends that work by keeping incentives live as the codebase changes and new attack surfaces appear, turning pre-launch scrutiny into sustained security.
Fusaka now sets a strong template for how major Ethereum upgrades can be secured, and Sherlock is proud to have supported the Ethereum Foundation in this effort.


