1. Applicant Information
- blockful
- Website: blockful.io
- Primary Contact/entity ENS Name: blockful.eth
- Primary Contact(s): netto.eth | telegram
- Company Overview
Blockful is a team who have been contributing to ENS development since 2022. We’ve evolved from protocol contributors to governance security specialists, combining deep smart contract expertise with advanced research methodologies to anticipate and neutralize governance attack vectors before they materialize.
Our proven track record includes identifying and preventing a potential governance attack in 2 DAOs.
- Requested Amount:
Basic budget: 400k
Extended budget: 700k total
- Size of team and commitment
In the last 2 years, blockful has had +90% attendance at metagov and ecosystem calls. That’s just one simple example to show our presence and constant commitment to ENS.
Besides dedicating ourselves to ENS protocol development, our main work as an organization has been around governance security — not just for ENS, but also for other DAOs like Uniswap and Optimism, with more on the way. This gives us the hands-on experience to build mature, reliable tools. The entire team is involved in the scope for this proposal:
- 2 Full-stack Engineers
- 2 Back-end/Smart Contract Engineers
- 2 Front-ends
- 1 Tech lead
- 1 PM
- 1 PO
- 1 Product Designer
- 1 Governance researcher
As we are totally bootstrapped, never having raised a penny from investors, this funding is crucial for us to focus on ENS and effectively address this major security problem. For that we also need to be competitive, retain and build a world-class team for the long-term.
Some moments at our office and team retreats
2. Eligibility Confirmation
2.1. Company Age & Reputation
- Blockful has been established since 2022. We began our Web3 journey with ENS innovations and have grown to become a trusted organization in the DAO ecosystem.
2.2. Team Experience
Our team has extensive experience with ENS, not only on governance, but also in-depth on the protocol. Some of our notable contributions:
- test implementation for referral fee on the ETHRegistrarController
- mitigation of a governance attack and creation of the ENS Security Council contract and proposal
- ENSIP-20, a major improvement on User Experience (UX), Developer Experience (DX) for managing domains
2.3. ENS Token Endorsement Requirement
- We’ll wait for metagov to create the endorsement snapshot vote.
2.4. OFAC Sanctions Compliance
- We, Blockful, confirm that neither our organization nor any of our employees, contractors, or executive leadership is located in, or a resident of, an OFAC-sanctioned country. We further confirm that none of our business resources are derived from or routed through any country or entity that is subject to sanctions imposed by the United States (OFAC) or equivalent regulatory bodies. We pledge to remain compliant with all applicable sanctions laws and will promptly notify the ENS DAO if our status changes.
2.5. Multi Year Stream Eligibility
Here is a great overview of what we did last year as a SP
- Application for SPP1
- Quarterly reports thread (Q1, Q2, Q3, Q4)
- Public task management
- Improving Management of Domains (talk @ frENSday) - ELI5 about ENSIP-20
- Repos (all open-source and MIT licensed)
  - nameful-app - Frontend for testing the standard in production as an end user (dogfooding). Here is the live dapp.
  - ensip-20-backend - The reference implementation for ENSIP-20, having contracts, indexers and gateways for L2 and databases domains. This was our main piece of work and by far the most important for effectively evolving the standards.
  - ens.rent - Front and contracts for a new primitive. Here is a post about it and the live dapp.
  - dao-proposals - Where we simulate all dao proposals and review the calldata.
For full transparency, the research and creation of the Security Council for preventing a governance attack was out of the scope of our SPP1 and paid as bug bounty.
3. Open Source Commitment
We are committed to building high-quality open-source software, with not only our code but also our task management public, bringing transparency and accountability.
In 1 year and 1 month of work, we have done 365 tasks, all open, verifiable and organized.
All code and tools developed under this program will be made available under the MIT license and hosted in public GitHub repositories under the Blockful organization. Also maintaining comprehensive documentation to support adoption by the ENS and wider ecosystem.
4. Scope of Work & Budget
Our service provider program for 2025 focuses on two goals in critical areas:
Goal #1 - Governance Security
ENS DAO is in a vulnerable position for a governance attack, and if we don’t take the actions needed before the security council expires, it will happen.
We have around 480 days to work on it.
Our goal is to reach a point where a security council is no longer necessary. Achieving this demands significant research and engineering efforts to tackle the problem from every possible angle. And it’s probably an effort that takes more than 1 year.
If you wanna understand in depth, here is our research that led to the creation of the Security Council. And here is the first version of Anticapture, already showing risks that ENS DAO has.
Goal #2 - Protocol Development
Now that EIP-7884 and ENSIP-20 were shipped by our team, after 1 year of research, prototyping and iterating with the community, we need efforts for the adoption of the standard.
Only with adoption can we unlock the benefits of making any domain (onchain and offchain) manageable on the ENS manager app and ENSjs, and much easier integration between them all (base, linea, uniswap, namespace, namestone, etc.).
If you wanna understand in depth, here is our presentation at frENS day (which is a great ELI5).
4.1 Basic Scope of Work
4.1.1 ENSIP-20 Wildcard Writing Implementation → Goal #2 - Protocol Development
Impact: Supporting ENS Labs and subdomain providers to integrate and adapt for ENSIP-20, enabling universal domain management.
- We are already working to integrate it into ENSjs, so ENS Labs can integrate with the manager app.
- Any offchain domain could be managed by users on ens.app. Any dev could easily integrate its app to manage any domain with ENSjs. Unlocking huge network effects.
- Help offchain domain providers to adopt ENSIP-20 into their infrastructure. This means studying their infrastructure and guiding them to adapt. This can vary from support meetings to us creating smart contracts for them. Linea and Base teams were involved in our early iterations on the standard and were waiting for it to advance.
- Maintaining documentation and repos with working examples for backend, smart contract and frontend implementations
- Maintaining the frontend (name.ful.xyz) and gateways currently running in production
Quarter | KPIs |
---|---|
Q1 | ENSIP specification documentation completed - Initial ENSjs integration live |
Q2* | Complete implementation with ENSjs + integrating ENSjs into our frontend for testing usability |
Q3* | Integration with at least 2 major subdomain providers (base.eth or uni.eth for example) - Developer documentation and examples published |
Q4* | Full integration support for ENS Manager App and ENSv2 - 3+ production implementations in ecosystem |
*Some KPIs inevitably depend on third-parties progress
4.1.2 Calldata and Proposal Review → Goal #1 - Governance Security
Impact: Providing critical security validation for executable proposals to prevent catastrophic errors or malicious code execution. One simple error on a proposal can cost millions.
Our past SPP term also had this scope, which had great feedback from delegates, for feeling more secure on voting and understanding what’s happening. The work developed can be found in this repo, and it’s where we’ll continue to work.
- Structured SLA commitment:
  - Initial assessment for giving the review’s timeline within 3 business days
  - Review’s timeline ranging from 1 day to 2 weeks, determined by calldata complexity and our familiarity with the contracts involved
- Two-stage review process:
  - First review when executable proposal is posted on the forum (requires properly tagged proposals with included calldata)
  - Final verification when proposal goes on-chain (critical security checkpoint)
- The review is a set of tests that execute proposals and validate the differences on functionality and states environments to verify intended outcomes. Here is a great example.
- We’ll provide technical details about the calldata on the proposal, if not provided by the proposer. This will help non-technical delegates to understand what is executed.
Quarter | KPIs |
---|---|
Q1 | Response to 100% of tagged proposals within SLA |
Q2 | Response to 100% of tagged proposals within SLA |
Q3 | Response to 100% of tagged proposals within SLA |
Q4 | Response to 100% of tagged proposals within SLA |
4.1.3 Anticapture Integration → Goal #1 - Governance Security
Impact: Building a complete monitoring system to prevent governance attacks based on research.
For the last 6 months, we have been building this product and here we have our alpha version.
These are screenshots from anticapture.com, with real-time data. And it shows how concerning the current situation is.
- Actions for security improvements need to be data-driven recommendations, if not, this can cost us resources, time, and ultimately a governance attack
- Simplify understanding for delegates about risks, redelegations, historical data. Visualizations and data you don’t get anywhere else in today’s tools.
- This is specific and valuable data that you would need to attack the DAO or to understand how to defend as well. Here, we wanna give the importance needed to make sure ENS defends first.
It’s similar to L2beat in the sense that it’s not just data-driven — it’s deeply grounded in research. We’ve analyzed over 30 governance attacks, and the metrics and framework we’ve built are directly informed by those findings.
Quarter | KPIs |
---|---|
Q1 | Deploy ENS DAO prototype with core governance risk metrics and actionable security insights. |
Q2 | Deliver the final DAO Security Staging Framework – Like L2beat – in the ENS dashboard, publicly assessing governance maturity across risk |
Q3 | More visibility around treasury and token markets - crucial for security metrics |
Q4 | Show risk relevant transactions and integrating offchain voting data |
This data-intensive product has high infrastructure costs: RPC requests, databases, servers. All of this for dev, staging and production environments.
Basic budget: $400k
4.2 Extended Scope of Work
There are two options for ENS DAO to not suffer a governance attack:
- Depend on the security council and renew it.
- Proactively solve and attack this problem on different fronts, based on specialized research.
Here, we are exploring option 2.
4.2.1 Governor Contract Security Improvements → Goal #1 - Governance Security
Screenshot from anticapture.com. This initial risk assessment comes from research, studying other governor contracts and mapping which parameters of a governance implementation increase risks for gov attacks.
Impact: Increase our security level on governance implementation. Go from high risk to low risk.
- The anticapture dashboard and research will give us what needs to change
- Then iterating with the community to gather feedback, if there are more changes or considerations about the recommendations
- Implement changes and ship a new governor, well tested, fixing if needed after audit and only stopping when implemented onchain
Quarter | KPIs |
---|---|
Q1 | Report on recommendations for governor changes |
Q2 | Have consensus with the community about changes |
Q3 | Governor ready to audit |
Q4 | Onchain deploy |
We do think this whole process will take less time and we’ll aim for that, since it’s a security concern.
4.2.2 Delegation Incentives System → Goal #1 - Governance Security
Impact: Creating solutions to meaningfully increase delegation rates. This is the core need for not depending on the Security Council.
We don’t know exactly what this scope will be because it needs to be built with the community and researched a lot. What we commit to is bringing suggestions based on research and creating whatever scope the DAO decides is necessary to tackle this problem.
- Research different methods and iterate with the DAO to choose a path. This will take at least 2 months of research.
- End-to-end development of delegation incentive mechanisms
- Indexer systems to determine fair distribution
- Smart contracts for secure fund distribution
- Interface for claiming incentives
Quarter | KPIs |
---|---|
Q1 | Report about research on effective delegation incentive models |
Q2* | Iteration with community, definition of the scope to be executed |
Q3* | Deliver scope |
Q4* | Increasing our delegated supply by 30% (without the veto council) |
*Some KPIs depend on third-party decisions and can be delayed. We’ll aim to execute it
4.2.3 Reliable Notification System → Goal #1 - Governance Security
Impact: Developing a reliable multi-platform and alert infrastructure that ensures no stakeholder misses critical governance actions.
- Integration with email, Telegram, Slack, and Discord
- Alerts for delegators (token holders) about how their delegates voted
- Reminders for delegates about pending votes
- Voting confirmation feedback to verify transaction success
- Support for both onchain and offchain votes
Quarter | KPIs |
---|---|
Q1 | Telegram integration for onchain voting reminder and token holder to warn about inactivity of their delegate |
Q2 | Integrating email, discord and slack |
Q3 | Support offchain votes, uptime 99% |
Q4 | Notify security thread from anticapture and uptime 99% |
4.2.4 Security Council needs → Goal #1 - Governance Security
Impact: Keeps the DAO safe, if anticapture shows that we’re still depending on the security council and it’s near its expiration.
When we get ~3 months close to the Security Council expiration, action is needed:
- Research and report about the necessity of renewing the security council
If the DAO is still in a vulnerable situation:
- Discuss with the community about the composition and selection of security council members
- Redeploy Security Council contract
- Propose on chain the renewal of permissions for the contract
Quarter | KPIs |
---|---|
Q4 | Report about necessity of renewing the security council |
Extended budget: $300k additional funding ($700k in total)
4.3 Second Year Stream Scope of Work
The scope for the second year, if selected, would be focused on:
- Smart Contracts for Namechain governance, which would enable the DAO to vote on L2 and execute on L1. This requires extensive research, discussion and testing.
- Maintaining and evolving all the products above so they are reliable and accurate.
- Continuing to secure DAO operations through proposals calldata review
- The governance security work needed is probably bigger than we imagine, and we only stop when the anticapture dashboard tells us the DAO is secure.
5. Past Achievements & Additional Information
ENS
Year | Description | Link | Type |
---|---|---|---|
2022 | ETHRegisterControllerV2 Implementation | Github Repo | Core Protocol Contribution |
2024 | ENSIP-20: Wildcard Writing Interface | ENS Forum Post | SPP1 |
2024 | Go-ENS CCIP-Read Support | GitHub PR | SPP1 |
2024 | ENSIP-20 backend and contracts | GitHub Repo | SPP1 |
2024 | Nameful - frontend for dogfooding ENSIP-20 | GitHub Repo | SPP1 |
2024 | ens.rent Platform | ens.rent | SPP1 |
2024 | ENS DAO Security Council | Forum Post | Security contribution |
2024 | ENSIP-16 Improvement Proposal | Forum Post | SPP1 |
2024 | ENS DAO Proposal Calldata Validation - 11 proposals reviewed | GitHub Repo | SPP1 |
2024 | ETH Samba Workshop | Event Link | Community Education |
2024 | Curitiba Blockchain Weekend Workshop | Blockful Blog | Community Education |
2024 | Improving Management of Domains (talk @ frENSday) | YouTube | SPP1 |
2025 | Operation Router EIP | Ethereum Magicians | SPP1 |
2025 | ENSjs partial ENSIP-20 integration | GitHub PR | SPP1 |
On SPP1 we received $300k, which is on the lower end of the program and we had a great amount and quality of deliveries. Mainly ENSIP-20, which we are super excited about.
As mentioned by Avsa back in 2022, we underpromise and over-deliver!
External Contributions (relevant to this proposal)
Year | Description | Status | Type |
---|---|---|---|
2024 | Optimism - Governance Audit | In progress | Grantee |
2024 | Uniswap Foundation - Governance Audit | In progress | Grantee |
2025 | Governance Security Beyond Code @ ETH Denver | Done | Talk |
6. Video Introduction (4 min)
7. Conflict of Interest Statement
7.1. Conflicts of interest
Blockful acknowledges that our founder and CEO, netto.eth, currently serves as a metagov steward (term 6) and as a member of the ENS Security Council.
As stewards oversee service providers, netto’s dual role requires clear separation of responsibilities. To address this, Blockful commits to:
- Having netto recuse himself from any steward discussions or votes related to our service provider application or performance evaluation
- Maintaining transparent reporting of all service provider deliverables
- Implementing independent review processes for governance-related deliverables to ensure objectivity
We believe netto’s ecosystem involvement strengthens our ability to serve ENS effectively, while maintaining appropriate boundaries between his different roles.
7.2. Fundraising
Blockful is fully bootstrapped with shareholders consisting exclusively of current and former team members. We have never raised external investment even with strong interest, though we may open this opportunity in the future.
7.3. Revenue Structure
Our revenue currently comes from service contracts with various DAOs and Web3 projects, primarily focused on governance security and DAO tooling. As a team of 11 professionals with office space and standard operational expenses (legal, tax, administrative, infrastructure), we maintain a lean but sustainable operation with over 12 months of runway. We are currently profitable and financially self-sufficient.
Happy to answer any questions!