top of page
  • Idan Levin

Forta - The Decentralized Cyber Security Network

Disclaimer: This is not financial or investment advice. We hold exposure to FORT tokens and recommend you do your own research.


In this research report, we explore the core principles and technology behind Forta, a decentralized threat detection network designed to enhance the security and resilience of web3.

The objectives of this report are:

  1. Attract more bot builders and scan node runners to join the Forta ecosystem, contributing to its growth and effectiveness;

  2. Encourage potential subscribers to leverage the network's capabilities to bolster their own security and risk management strategies;

  3. Provide valuable insights for long-term investors in the FORT token, empowering them to make well-informed decisions and heightening awareness around the project's potential and utilityץ


Forta's history can be traced back to its origins within OpenZeppelin, one of the leading and most known security companies in the crypto space. The concept of creating a decentralized security platform emerged from OpenZeppelin around 2019 and subsequently evolved into a project incubated internally. By 2021, Forta had gained significant momentum and was ready to be spun out of OpenZeppelin as an independent project.

The emergence of the DeFi ecosystem in 2020 marked the birth of a vibrant application landscape in the crypto world, which was soon followed by a series of high-profile hacks resulting in billions of dollars in losses. This highlighted the urgent need for improved cybersecurity measures within web3.

Since its official launch in mid-2021, Forta has transformed from a mere idea into a fully functional, community-driven network. Boasting over 4,000 active nodes covering seven networks, Forta continues to expand and mature. The network is currently undergoing a process of progressive decentralization, aiming to further empower its community and strengthen its decentralized foundation.

Network / Product

Forta Network is a decentralized monitoring network that detects threats and anomalies on various web3 systems in real-time. It consists of independent node operators who scan the blockchain (transactions and state changes) and that are sending alerts to subscribers when potential risks are detected.

Forta supports multiple L1 and L2 chains, including Ethereum, Avalanche, Polygon, BNB Chain, Fantom, Arbitrum, and Optimism. Its need has arisen due to the growing complexity of the web3 economy and the increasing number of security threats. Billions of dollars stolen in DeFi in the past few years have emphasized the need to build better and robust security for web3, which Forta aims to resolve.

Users can subscribe to Forta data feeds through different applications or use the public Forta API. The network comprises two main components: detection bots and scan nodes. Detection bots (also called agents) are code scripts that process blockchain data and detect specific threat conditions, while scan nodes execute detection bots for every transaction and new block on a specific blockchain network.

Forta can be used for threat detection monitoring, operational monitoring, and other use cases, as well as private monitoring. The network ensures reliable monitoring through detection bot redundancy and community-enforced scan node service levels. Forta alerts can be validated, and the network's components undergo regular security reviews.

The 3 main participants in the Forta Network

  1. Detection bots builders - bot builders write detection bots - a script that follows events on the blockchain in one of four possible contexts: (i) cybersecurity (ii) financial (iii) operational (iv) governance. These bots are then submitted to a bot registry with their Docker image* where scan nodes can run them.

  2. Scan Nodes runners – Scan nodes are assigned to execute the detection bots and emit alerts. They are being rewarded in fees and measured by their level of service (SLA) and uptime for running the bots assigned to them by the network.

  3. Subscribers - Projects/users that subscribe to receive alerts

*(lightweight, standalone, and executable software package that includes everything needed to run a piece of software)

Bot Example – attack-detector-feed

The Attack Detector bot is designed to detect and analyze potential threats in the blockchain ecosystem by monitoring various stages of cyber attacks, including preparation, funding, exploitation, and money laundering. It leverages a combination of alerting mechanisms, such as on-chain anomaly detection, off-chain data sources, and the monitoring of suspicious activities. By observing these metrics, the Attack Detector bot can identify potential threats and alert the relevant parties to take appropriate action.

To perform its functions, the Attack Detector bot utilizes a range of base bots that focus on specific aspects of the attack lifecycle. These bots monitor events such as ice phishing, suspicious contract creation, blocklisted account transactions, reentrancy, high gas usage, and high-value transactions, among others. By mapping these base bots to the appropriate stages in the attack lifecycle, the Attack Detector bot can provide a comprehensive analysis of potential threats and risks within the blockchain ecosystem. This enables organizations and users to take preventive measures and maintain the security and integrity of their digital assets.

The bot went live on Jaunary 2023 and is ran by 21 node operators, covering myriad networks such as Ethereum, Optimism, BSC and more.

Protocols like Lido, Maker, Compound, Liquity and Aave use Forta’s Attack Detector to be the first to know when their protocols are targets of future attacks enabling them to take action before exploitation.

Attack detector feed:

Case Studies

Euler Finance - In the largest hack of 2023 so far, $197 million was lost from Euler Finance despite having six audits, a bug bounty program, and monitoring in place. Just before the attack, the hacker funded the attack and deployed their contract. Forta flagged these events with its Tornado Cash bot and ML-based malicious contract bot. After the attack was frontrun by an MEV bot, one of Forta's holistic attack detectors identified Euler as the victim.

Forta’s holistic attack detectors detected the attack and correctly identified Euler as the victim of the attack

Yearn Finance - On April 2023, one of the old vaults of Yearn Finance suffered an $11 million flash loan attack. Forta detected the hack and identified Yearn as the victim 20+ minutes before funds were drained, thanks to its machine learning-powered suspicious contract bot. The bot fired three times, indicating that malicious contracts were ready to attack Yearn. Forta's Attack Detectors fired several times, also identifying Yearn as the victim, one minute after exploitation. Additionally, the BlockSecTeam Attack Detector fired twice in the minutes after the attack, specifying that 3564 ETH ($7M+) had been hacked.

If pool investors had been using Forta, they would have received an early warning sign, prompting the withdrawal of funds and leading to millions of dollars saved.

Scam Detector - The scam detector is one of the most used bots on the Forta network, and is being used by different players in the industry for different use cases:

  • Wallets like Zengo use Forta’s Scam Detector via API to obtain threat intelligence and protect users with augmented active transaction screening.

  • Security & compliance tools like Solidus Labs, Blockfence, and Staging Labs query Forta’s Scam Detector via API to get data feed of malicious addresses, which they then use to protect their customers.

Machine Learning on Forta

One of the frontiers being developed within the Forta Network is the usage of machine learning in threat detection.

ML on the Forta Network leverages advanced machine learning algorithms to detect and prevent security threats in web3. By analyzing transactional data across multiple blockchains in real-time, ML models can identify anomalies, predict potential attacks, and enhance the overall security of the blockchain ecosystem. A notable example is the ML-based Forta detection bot, which successfully detected hundreds of millions of dollars worth of incoming hacks before they occurred. This breakthrough highlights the potential of ML in proactively safeguarding Web3 platforms, and it serves as an invitation to developers and data scientists to explore further ML opportunities on Forta to strengthen Web3 security.

The ML model deployed on Forta is specifically designed to detect malicious smart contract creations, enabling early threat detection and prevention. By analyzing opcode patterns within contracts, the model can differentiate between benign and malicious contracts, even before they are exploited. The ML model's capability to identify suspicious contract deployments has proven effective in detecting notable hacks, providing valuable insights and potential prevention of significant losses. Deploying ML models on Forta's extensive scan nodes ensures continuous monitoring and timely alerts, empowering blockchain protocols to take immediate action against potential threats.

ML on Forta represents a significant advancement in web3 security by harnessing the power of machine learning to detect and mitigate security risks in real-time. The successful detection of hacks before their occurrence demonstrates the potential impact of ML in fortifying the resilience of Web3 platforms.

Forta Governance Council

The Forta Governance Council was formed as a result of FP-1, which proposed three actions for the Forta Network to become fully permissionless. The first action was for FORT token holders to elect the initial seven Council members, while the second was for the Forta Foundation to transfer ownership of its material Forta Gnosis Safe multi-signature wallets and any custodial accounts to the Council. The final action required the Council to take any necessary actions to accomplish the Permissionless Launch successfully, including signing any wallet transactions required to remove the whitelist restriction from the FORT token contracts.

Full details about FP-1 and related discussions can be found at

The Foundation has compiled the following seven candidates, who were nominated by early members of the Forta community to serve on the initial Council:

  1. Demian Brener - Founder & CEO @ OpenZeppelin, the company that founded and incubated Forta

  2. Hart Lambur - Co-Founder @ UMA and active Forta user

  3. Jeremy Sklaroff - GC @ Celestia, seasoned crypto lawyer passionate about decentralized technology

  4. Jonathan Alexander - CTO @ OpenZeppelin, the company that founded and incubated Forta

  5. Juan Garre - Director @ the Forta Foundation, a serial entrepreneur running operations for the Forta Foundation since its inception

  6. Mat Travizano - Founder @ Rewilder, serial entrepreneur now focused on tackling environmental issues with blockchain technology

  7. Tomasz Stańczak - Founder @ Nethermind, one of the earliest members of the Forta community, developing detection bots, contributing to core development, running scan nodes and being actively involved in the ecosystem.

Networks Metrics

To evaluate the success of the network, we can examine both supply-side and demand-side metrics, as well as other qualitative factors.

Supply-side metrics:

  • Number of developers running bots

  • Number of scan nodes operating in the network

  • Number of startups/companies utilizing Forta Network within their tech stack

Demand-side metrics:

  • Number of users subscribed to the bots

  • List of projects that have integrated Forta

Other qualitative factors:

  • Degree of community participation

  • % of hacks being detected by Forta bots

Current network metrics:

  • 97% accuracy in detecting end-user scams

  • Detection of over $2B worth of smart contract exploits

  • Protection of more than 1 million end users through Forta's Scam Detector to date

  • Over 50 DeFi protocols using Forta to monitor and detect threats and security issues, including Lido, MakerDAO, Liquity, Balancer, and Compound

  • More than 4,000 Forta nodes scanning 7 blockchains

  • Over 1,000 bots operating on the network

  • Over 21 million FORT delegated within the Forta Network

For more real-time data, please visit Dune Analytics here.


The Forta network relies on the FORT token, a crucial part of its incentive structure that helps secure and improve its real-time detection network while also serving as a governance tool. The token addresses two primary challenges: ensuring alert integrity and maintaining network reliability (i.e. liveness).

The FORT token is being used by different network participants:

  1. Node Runner Staking: Node runners must deposit FORT tokens as economic security for the work they carry out. If a node fails to complete its assigned work or acts maliciously, the staked FORT can be slashed. Active node operators who maintain the minimum stake, issue alerts, and correctly execute their assigned work can earn FORT rewards from the network. This mechanism promotes honest behavior and preserves the integrity of alerts sent by the nodes.

  2. Delegated Staking: Token holders can delegate their stake to Node Runners, and share the risks and rewards of running a node. This mechanism reinforces the signaling of the network towards better scan nodes.

  3. Detection Bot Signaling: Developers can stake FORT tokens on Detection Bots, signaling their quality to the network and providing a Sybil resistance mechanism. This method helps distinguish high-quality bots from fake or low-quality ones, allocating additional resources to higher-signal bots to enhance security, reliability, and performance.

  4. Subscribers: in the future, users will be able to pay subscription fees to the network using the FORT token.

The FORT Token is an ERC-20 token on the Ethereum network.

For more information about the token, please visit here.


The staking program's goal is to ensure sufficient capacity to run all demanded bots while maintaining high economic security that incentivizes node operators to act honestly and perform well. Node runners create their own pools and register nodes within them, depositing a stake to participate. Other ecosystem participants can delegate their FORT tokens to the pool, with the minimum stake per scan node currently set at 2.5k FORT. Scanner pools contain groups of nodes scanning specific chains, belonging to particular owners and minted as NFTs (ERC-721) upon registration.

When choosing a scanner pool, delegators should consider the pool's SLA score, uptime, commission set by the pool owner, and available stake allocation capacity. After each reward epoch (1 week), FORT rewards are distributed to pools and then between owners and delegators through a reward distribution smart contract. There is no limit to how much stake can be made in a pool, but there is a limit to how much can be allocated. Each node in a pool has an allocation capacity of 15,000 FORT, and the pool owner decides the allocation of owner and delegated stake.


Forta's collaborative community is composed of over 100 independent developers and security experts actively contributing to the platform's evolution. Esteemed security firms including OpenZeppelin, Nethermind, Blocksec, ScamSniffer, and Halborn, are among those developing on the Forta platform, thereby enhancing its standing within the cybersecurity sector. Additionally, organizations such as Blockfence, Staging Labs, Solidus Labs, and Zengo have harnessed the Forta API to deliver advanced threat intelligence to their users. Joining the Forta community offers an opportunity to contribute to the security of the web3 ecosystem and earn rewards in the process. Get involved by visiting the Forta registration Threat Research Initiative.


The Forta network is currently undergoing progressive decentralization, attracting an increasing number of startups, individual builders, protocols, and cybersecurity experts over time.

  • Companies utilizing the Forta network: Blocksec, Solidus Labs, Zengo, and BlockFence are just a few examples of firms that have chosen to build on the Forta platform.

  • Individual bot builders: As of the time of this report, nearly 500 bot developers have joined Forta's unique community of agent writers, contributing to the project's growth and security capabilities.

  • Node runners: more than 4,200 scan nodes operating at the time of this report

  • Subscribers: Leading DeFi protocols have adopted Forta's security solutions to protect their platforms and users

  • Cybersecurity enthusiasts: The Forta community also includes a diverse group of cybersecurity enthusiasts who contribute their expertise to advance the project's mission of securing the web3 ecosystem

This wide range of stakeholders reflects the inclusive and collaborative nature of the Forta network, as it continues to grow and drive innovation in decentralized security.

Future of Forta

The Forta Network is governed by FORT token holders and ensures that any upgrades or changes to the network are determined by its community members. A Network Fees proposal, FP-5, was just reviewed and approved by the community, and will introduce fees to the network.

The Forta Foundation remains committed to creating state-of-the-art threat detection tools, continuously improving the different bots. Throughout 2023, additional threat intelligence feeds are anticipated to be launched. As the Forta Network community expands, the Foundation envisions the emergence of a marketplace for Web3 threat intelligence that serves a wide range of users, from web3 wallet holders to financial institutions. This evolving ecosystem highlights the power of a decentralized, community-driven approach to enhancing security within the web3 space.


Forta is a decentralized threat detection network designed to address the pressing need for enhanced cybersecurity in the rapidly evolving web3 landscape.

The theft of over $5 billion during the past 3 years highlights the urgent demand for more effective security measures in the space. Given the fast-paced nature of the industry, a decentralized solution is crucial, as no centralized approach can adequately manage the constantly changing risks. In a world where open-source technology is increasingly prevalent, Forta's open-source cybersecurity model is uniquely positioned to empower the community in safeguarding the web3 ecosystem against emerging threats and vulnerabilities.

We believe that the Forta network is just at the beginning of its journey, with the potential to become one of the largest cybersecurity communities in the world. As the network continues to decentralize and attract more stakeholders, the opportunities for growth and impact are limitless.


bottom of page