CertiK Is Funding Web3’s Cybersecurity Defense Rails as Anthropic’s Mythos Changes the Game

CertiK puts $50,000 into Ethereum’s Quadratic Security Fund at exactly the moment Anthropic’s Mythos rewrites the threat model for every blockchain in existence.


Anthropic announced Claude Mythos Preview in April 2026, a model so capable at finding and exploiting software vulnerabilities that the company refused to release it to the public. In the same week, CertiK, the largest blockchain security auditor on the planet, contributed $50,000 to the Ethereum Security Quadratic Fund via Giveth, backing a community-driven initiative to fund the security projects the ecosystem needs most.

The timing was not coincidental. When the most dangerous offensive AI tool ever built proves it can compromise every operating system and every browser that Web3 infrastructure runs on top of, the question of who funds the defense stops being theoretical.

The Threat Just Changed Shape

Before Mythos, finding a zero-day vulnerability in a major operating system required years of expertise, access to proprietary hardware emulation environments, and a level of pattern recognition that very few humans possess. Anthropic’s red team gave engineers with no formal security training a single prompt: find a remote code execution vulnerability in this program. The next morning, they had a working exploit.


The UK’s AI Security Institute ran independent evaluations. Before April 2025, no AI model could complete expert-level capture-the-flag tasks at all. Mythos completed them 73% of the time. The model found vulnerabilities in every major operating system, every major web browser, and a range of critical infrastructure software. More than 99% of those vulnerabilities remain unpatched.


Anthropic called it a watershed moment. The Council on Foreign Relations called it an inflection point for global security. Palo Alto Networks, a Project Glasswing partner, called it a game changer for uncovering hidden defects. The Pentagon said it was a separate national security moment from the DoD’s ongoing dispute with Anthropic. The NSA is reportedly already using it.


Blockchain is not exempt. The EVM, every major L2 rollup, every cross-chain bridge, every validator client, every smart contract auditing tool, every wallet SDK: all of them run on operating systems Mythos has already proved it can compromise, and all of them depend on the same web infrastructure in which Mythos found zero-days. The attack surface for Web3 just became every piece of software Web3 runs on top of.

Why the Ethereum Community Built a $220M Security Endowment

On June 17, 2016, an attacker exploited a reentrancy vulnerability in The DAO’s smart contracts and drained approximately $60 million in ETH. The Ethereum community executed a hard fork to recover the funds. Ethereum Classic was born from the minority that refused. It remains one of the most consequential events in blockchain history.



What most people do not know is that approximately 75,000 ETH from that original rescue, funds from edge cases like overpayments and the ExtraBalance contract, sat unclaimed for nearly a decade. In January 2026, Griff Green, a co-founder of Giveth and one of the original DAO curators, launched TheDAO Security Fund to put those dormant assets to work. The fund stakes approximately 69,420 ETH, generating an estimated $8 million per year in staking yield. That yield funds Ethereum security through three mechanisms: Quadratic Funding, Retroactive Public Goods Funding, and Ranked-Choice RFP Voting.


The board of curators includes Ethereum co-founder Vitalik Buterin, MetaMask security researcher Taylor Monahan, ENS co-founder Alex Van de Sande, and experts from SEAL 911, ZisK, and DappNode. Giveth provides operational infrastructure. The Ethereum Security QF round runs on Giveth with a 500 ETH matching pool targeting security-focused projects across the ecosystem.


What Quadratic Funding Actually Does to CertiK’s $50,000

The Quadratic Funding mechanism was originally proposed in a 2018 paper by Vitalik Buterin, Zoë Hitzig, and E. Glen Weyl. The matching formula works like this: a project's matching amount is calculated by squaring the sum of the square roots of its individual contributions. The effect is to compress the influence of large donations and amplify projects with broad community support. A project that raises $500 from 100 donors of $5 each receives roughly 100 times more in matched funds than a project that raises $500 from a single donor.


CertiK’s $50,000 does not just signal financial support. In a QF round, large institutional contributions matter most when they signal direction to the community. They tell individual donors which projects to back. Every additional small donor behind a CertiK-supported project multiplies the matching allocation. CertiK is effectively casting a vote about which security projects deserve to exist, and the mechanism amplifies that vote through breadth of community agreement.

The Argument CertiK’s $50,000 Is Actually Making

CertiK’s contribution to the Ethereum Security QF is not a charity donation. The thesis is that community-driven, algorithmically governed security funding produces better outcomes than committee-selected grants. It is also a bet that the Ethereum ecosystem, specifically its developer and researcher community, has better judgment about which security projects matter than any single institution does.


Hudson Jameson, Head of Ecosystems at CertiK, points to where the firm expects the matching pool to land.

There’s a lot of great work in this round & we’re excited to support all of it, but the two areas we’re especially rooting for are operational security & open-source security tooling and infrastructure.


On the tooling and infra side, open-source security work is exactly the kind of public good every auditor and protocol benefits from but no single team wants to bankroll alone.


This matters enormously in the post-Mythos world. The Mythos threat is not static. It will proliferate. Anthropic itself acknowledged that models with comparable capabilities will not remain restricted. Project Glasswing gives access to 40 organizations plus launch partners including Microsoft, AWS, Google, and NVIDIA. At some point, some version of this capability reaches adversaries. When that happens, the security projects that survive will be the ones that achieved genuine community adoption and broad institutional backing. QF selects for exactly that.


The Question Neither Side Has Answered

CertiK’s contribution to the Ethereum Security QF is a strong institutional signal. The QF mechanism is a principled approach to allocating security funding. Mythos is a real and escalating threat to every layer of Web3 infrastructure. But the link between all three has not been made explicit by any of the parties involved, and that is a problem.


Does the Ethereum Security QF have a mandate that explicitly covers the attack surface that Mythos demonstrates? Smart contract auditing is one slice. The OS-level, browser-level, and infrastructure-level vulnerabilities that Mythos finds are a different category. The projects that receive funding through this round will need to map their work to that broader threat model if the funding is going to matter at the scale the moment demands.


CertiK runs formal verification, smart contract auditing, SkyInsights transaction monitoring, and AML compliance infrastructure. Its contribution to the QF round signals that CertiK wants community validation to determine which security projects in the Ethereum ecosystem are worth backing, not just CertiK’s own audit pipeline. Whether the QF round produces projects operating at the scale of the Mythos threat is the open question.



The optimistic reading is that CertiK and TheDAO Security Fund are laying the institutional groundwork for a distributed, community-governed security infrastructure at exactly the moment a centralized AI threat is scaling. The pessimistic reading is that $50,000 and $8 million a year in staking yield are not serious answers to a model that found thousands of zero-days in every major OS and browser in under a month.


The realistic reading is probably somewhere in the middle, and the gap between where these initiatives are now and where the threat model demands they be is exactly the editorial beat worth watching.

