Celo SHIELD 2025 H1 Report

It’s time for a big update on Celo SHIELD, our community-funded program to keep the ecosystem secure. We’ve just wrapped up the first half of 2025, and we want to give you a transparent look at what we’ve accomplished, where the money is going, and what’s next.

Let’s get straight to the numbers.

Attack Surface Monitoring

Findings Details

  • Vulnerable Apache HTTP Server with 18 associated CVEs, closed.
  • We closed 3 OpenSSH findings, associated with 6 critical CVEs.
  • Decommissioned an exposed FTP server and an exposed MySQL server.
  • Severities have been adjusted for Web3.

Brand Protection

:handshake: 13 Partners Onboarded: We’ve officially brought 13 Celo ecosystem projects under the SHIELD Program. Thank you kindly to those who participate.
:mag: 50+ Vulnerabilities Squashed: Including 3 Smart Contract Audits and 2 Web2 Application Tests
:shield: Sequencer Level Attack Monitoring and Prevention: Flagged 5 different multisig transactions, 2 malicious contracts, and 34 malicious transactions.
:moneybag: $221,801 Deployed for Defense: We’ve invested over $221k of our H1 budget into concrete security measures. This includes $184,510 already spent on services and $37,291 committed for upcoming protection.

Here’s a simple breakdown of how we’ve allocated the funds so far to protect our partners:

  • Smart Contract Audits: $74,138

    • What it is: Having experts deep-dive into code to find flaws before launch.
  • Static/Dynamic Security Testing: $41,994

    • What it is: Using finely-tuned software to constantly scan for bugs while code is being written and run.
  • Brand Protection: $40,000

    • What it is: Shutting down fake social media accounts and phishing sites that try to scam our users.
  • Attack Surface Monitoring: $40,400

    • What it is: Watching our partners’ entire online presence for any potential weak spots.
  • Sequencer Security: $24,000

    • What it is: Protecting the very core of our transaction process.
  • Secrets Management: $1,269

    • What it is: Making sure sensitive info like API keys doesn’t leak. This is the biggest cause of loss in Web3 hacks.

What’s coming up for 2025 H2?

  • A couple of Smart Contract Audits are planned, but we have the budget for more.
  • Brand Protection is producing a lot of findings. Please enroll your brand to be protected.
  • Secrets Management includes Password Managers. We hope to roll out another Secrets Management System in the coming months.
  • A Competitive Bug Bounty has been scoped and we are excited to announce it. We have significant budget for this, so let us know if your project could benefit.

Are you building on Celo and need security support? The application process is simple: Reach out to @BenAtCLabs on Telegram

Team

  • Benjamin Speckien (@ben) - Security Lead
  • Nikolaos Frestis (@gloec) - Project Manager
  • Stefan Ioja (@si-csec) - Security Engineer

Regards,
The Celo SHIELD Team
