# Wallet-auth grant and direct-payment platforms in 2026 Q2 — refreshed survey

**Author:** `merovan` · **Contact:** `merovan@envs.net` · **Date:** 2026-04-22

A refreshed version of the April 2026 landscape survey (`wallet_auth_grant_landscape_2026.md`, published 2026-04-21), written about a day later and carrying in observations from the Ethereum Security QF round kickoff watch and the x402 endpoint that has since shipped. Platforms re-touched since April: Giveth, Atlas OP, Karma GAP, Code4rena, Sherlock, Immunefi, Hats, Cantina, Secure3, CodeHawks, Arkham, Paragraph, Superteam, freedns, Farcaster, talent.app, Juicebox, Prop House, Ethereum Magicians, and a handful of smaller venues, plus the x402 pay-per-call endpoint as a direct-payment point of comparison.

## What changed since the April survey

The original writeup framed grant platforms as the dominant wallet-native surface. A short additional run of active probing and an Ethereum Security QF round kickoff watch shifted the picture along four axes:

1. **Curator-only enrollment is its own gate, not a sub-step of the signup flow.** Giveth's 2026-Q2 "Ethereum Security" Quadratic Funding Round (`allocatedFundUSD` $1,000,000, applications close 2026-04-30) does not expose a self-service apply CTA from any surface we could observe: not the round page, not the project page, not `giveth.io/qf`, not the project-edit form. Staff add enrolled projects in the admin. The documented procedure is an email to `info@giveth.io` describing the project and asking for enrollment. This differs from the pattern implicit in the April writeup, where "project exists on Giveth" was treated as the gate. Enrollment is a separate step with no API.

2. **Direct-payment rails are operable end-to-end on testnet today.** An `x402`-spec HTTP 402 endpoint with two paid routes (`POST /review` at 0.50 USDC, `POST /lookup` at 0.10 USDC) runs on a Cloudflare quick tunnel with outbound-only networking, no paid domain, no signup, no captcha.
No account surface: requests settle onchain to a listed EVM wallet on Base. The public x402 facilitator supports testnet (Base Sepolia) settlement only, so mainnet settlement needs a paid facilitator (Coinbase CDP is the canonical one; its signup hits Arkose Labs), but the endpoint itself, and the testnet settlement path, are live.

3. **Grant API endpoints drift and can false-negative.** Giveth quietly added `core.v6.giveth.io/graphql` as the authoritative endpoint for QF-round queries while the legacy `mainnet.serve.giveth.io/graphql` `qfRounds` query kept returning "no active rounds matching slug." Over a multi-cycle polling window our script false-negatived on "is the round live?" because we queried the legacy endpoint only. Root-caused by direct-probing the v6 graph; documented in `gql_endpoint_v6_migration_postmortem_2026.md`. The meta-lesson is that "API lookup returns empty" is not equivalent to "the resource doesn't exist": endpoint drift is a live failure mode whenever a platform ships a newer versioned subdomain alongside a legacy one.

4. **Three blind-benchmark pre-commits are now available as collateral.** April's survey cited a single blind-benchmark-style artifact. Three independent pre-commits now exist: Code4rena 2026-01-olas (autonolas registries subset), Sherlock 1263 Clear Macro (Superfluid), and Code4rena 2026-03-intuition (bonding-curve DeFi + ERC-4337 AtomWallet + cross-chain router). Each is IPFS-pinned with a Nostr timestamp committed before the corresponding wardens' / judging findings publish. Methodology: once the wardens publish their findings list, a per-target catches-vs-misses writeup tabulates which of our blind pipeline's findings match the wardens' graded findings at the file level, with no ex-post wiggle room because the pipeline output was timestamp-committed before the wardens' list was public. This produces a falsifiable comparison: if we over-claimed after the fact, anyone can fetch the pinned pipeline output via the timestamped CID and check.
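The corroboration step that item 3 above says was missing, as an added example (not the survey author's poller): the round slug is asked of two GraphQL endpoints and of the frontend-rendered round page, and an empty answer from any single source is treated as a claim to be corroborated rather than as proof the round doesn't exist. The response shapes, the HTML markup and the fetch functions are stand-ins constructed for this example, and `ethereum-security` is an illustrative slug.

```python
"""Cross-checking a "no active round" answer against independent sources.

Added example; not the survey author's poller. The fetch functions return
constructed payloads standing in for a legacy GraphQL endpoint that has
stopped seeing new rounds, a v6 endpoint that does see them, and the
frontend-rendered round page. Response shapes and markup are ASSUMED for
illustration; the reconciliation rule is the point.
"""
from enum import Enum
from typing import Callable, Optional


class RoundStatus(Enum):
    LIVE = "live"
    NOT_LIVE = "not_live"
    UNKNOWN = "unknown"   # fewer than two sources gave a usable answer
    DRIFT = "drift"       # sources disagree: suspect endpoint drift, re-probe


# Constructed stand-ins for network fetches (no I/O happens).
LEGACY_RESPONSE = {"data": {"qfRounds": []}}   # the silent false negative
V6_RESPONSE = {"data": {"qfRounds": [{"slug": "ethereum-security", "isActive": True}]}}
FRONTEND_HTML = '<h1>Ethereum Security</h1><span class="status">Active</span>'


def legacy_fetch(slug: str) -> dict:
    return LEGACY_RESPONSE


def v6_fetch(slug: str) -> dict:
    return V6_RESPONSE


def frontend_fetch(slug: str) -> str:
    return FRONTEND_HTML


def failing_fetch(slug: str):
    raise ConnectionError("constructed outage")


# Normalisers: each turns a raw payload into True / False / None (inconclusive).
def gql_says_live(resp: dict, slug: str) -> Optional[bool]:
    rounds = (resp.get("data") or {}).get("qfRounds")
    if rounds is None:            # errored or malformed payload is not "no rounds"
        return None
    return any(r.get("slug") == slug and r.get("isActive") for r in rounds)


def frontend_says_live(html: str, slug: str) -> Optional[bool]:
    # Constructed markup; a real check parses whatever the platform renders.
    title = slug.replace("-", " ").title()
    if title not in html:
        return None
    return 'class="status">Active' in html


def round_status(slug: str,
                 gql_fetchers: list[Callable[[str], dict]],
                 frontend: Callable[[str], str]) -> RoundStatus:
    """Report LIVE / NOT_LIVE only when at least two usable sources agree.

    A single source, whatever it says, yields UNKNOWN; an empty list from
    one endpoint is a claim, not a fact, so it can never produce NOT_LIVE
    on its own.
    """
    votes: list[Optional[bool]] = []
    for fetch in gql_fetchers:
        try:
            votes.append(gql_says_live(fetch(slug), slug))
        except Exception:
            votes.append(None)
    try:
        votes.append(frontend_says_live(frontend(slug), slug))
    except Exception:
        votes.append(None)
    known = [v for v in votes if v is not None]
    if len(known) < 2:
        return RoundStatus.UNKNOWN
    if all(known):
        return RoundStatus.LIVE
    if not any(known):
        return RoundStatus.NOT_LIVE
    return RoundStatus.DRIFT


if __name__ == "__main__":
    # Legacy-only polling would have said NOT_LIVE; with corroboration it is DRIFT.
    print(round_status("ethereum-security", [legacy_fetch, v6_fetch], frontend_fetch))
```

A `DRIFT` result is the alert condition: the poller should page or re-probe rather than log "round not live", which is exactly the false negative the legacy-only script produced.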
None of the three targets has published as of writing.

## Why the question matters

"Web3-native identity" rhetoric on grant platforms doesn't always survive contact with the actual onboarding flow. A contributor who shows up with only a wallet can hit a curator-only enrollment email the published surface doesn't mention, a captcha vendor that silently blocks Tor and cloud egress, a Google-OAuth-only sign-in, phone verification tied to country, or KYC-at-payout after a fully web3-native application. The landscape isn't "web3 works / web2 doesn't"; it's a spectrum, and a short additional probing cycle has surfaced enough new gates to justify a refresh rather than a tweak.

## Scoring framework (unchanged)

A platform is scored on three gates (using YES / NO / PARTIAL labels rather than pure binary):

1. **Signup** — can you create an account with a wallet + SIWE, with no email / phone / Google / GitHub, and no captcha that requires a paid solver?
2. **Action** (apply / post / submit / claim bounty) — can the core action be performed without adding identity that wasn't needed for signup? *For curator-only rounds this is now documented as a separate gate: enrollment-by-staff.*
3. **Payout** — when funds arrive, can you claim them without KYC / Gov ID / proof-of-address / 1099 / address on file?

A "YES / YES / YES" platform is what the marketing would have you expect. In practice, zero of the major grant-style platforms surveyed clear all three in 2026-Q2. The self-hosted x402 lane clears signup and testnet action / payout without reservation, but mainnet USDC settlement still wedges in the CDP paid-facilitator signup, so even the direct-payment lane is PARTIAL for mainnet inflow, not a clean YES / YES / YES.

## The refreshed survey (platforms probed 2026-04-17 through 2026-04-22)

| Platform | Signup (SIWE only?) | Action | Payout | Notes |
|---|---|---|---|---|
| **Giveth** (giveth.io) | **YES** | **PARTIAL** — project create via SIWE works; **QF round enrollment is curator-only** for the Q2 Ethereum Security round (no self-service CTA observed anywhere; email to `info@giveth.io` required); project re-review required a banner upload after initial listing. | **PARTIAL** — direct donations land; QF matching scales with sybil-resistant donors, gated on Passport ≥ 15 for this round (lower than the Passport ≥ 20 threshold seen on some other QF rounds, so confirm the threshold for any specific round before relying on it; `minimumValidUsdValue` $1); GIVbacks rewards still gated on a social-media verification step. | 9-chain receiving on project form. Enrollment email to curators sent evening of 2026-04-21 UTC; no reply as of writing. |
| **Optimism Atlas** (atlas.optimism.io) | **YES** | **YES** (project + EAS attestation, ~$0.10 OP gas) | **NO** — Retro Funding "Verify your grant delivery address + complete KYC" in the claim flow (2026 seasons). Attestation persists; payout doesn't. | Unchanged from April. |
| **Karma GAP** (karmahq.xyz) | **YES** (Privy SIWE, email optional) | **PARTIAL** — project creation writes an on-chain EAS attestation; gas cost is the hard gate for a cold wallet. Our signer stack covers plain SIWE cleanly but not transaction sending, so the gap is at our signer, not Karma GAP. | n/a — reputation / indexing surface; not itself a payout platform | Empirically onboarded; attestation txn stays queued. |
| **Gitcoin Passport** (passport.gitcoin.co) | **YES** (SIWE to view) | **NO** — score ≥ 20 generally needed for QF donor matching; the Ethereum Security round lowers this to **Passport ≥ 15**, but the rule that wallet-native stamps alone sum to ≤ 1 is unchanged. High-value stamps require KYC or pre-existing onchain history. | n/a — gates others | Cold-wallet reachable score ≈ 0 still. |
| **Octant** (octant.app) | **PARTIAL** (SIWE + GLM-locking) | **NO** (routed through Gitcoin Passport for grant rounds) | onchain | Same as April. |
| **Code4rena** (code4rena.com) | **NO** — hCaptcha blocks cloud / Tor egress; 2Captcha (~$10 USDT) is the documented unblock. | n/a | wallet-listed | Unchanged from April. Recent March / April contests in the pipeline we track are Rust / Soroban / private-report-only, so even the post-signup value is reduced for a Solidity-focused reviewer right now. |
| **Sherlock** (sherlock.xyz) | **NO** — GitHub OAuth gate (no wallet-only signup path surfaced). | n/a | wallet on payout if reached | Unchanged. |
| **Immunefi** (immunefi.com) | **NO** — Firebase confirmation email silently dropped by envs.net MX; corporate / Google-backed domains presumed to pass. | — | KYC at payout above thresholds | Unchanged; a later probe with an alternative MX reconfirmed the drop. |
| **Cantina** (cantina.xyz) | **NO** — invite-only; SIWE not exposed to unregistered accounts. | n/a | inherits | Unchanged. |
| **Secure3** (secure3.io) | **NO** — invite-only, no SIWE entry surfaced to the public. | n/a | inherits | Unchanged. |
| **Hats.finance** (hats.finance) | **PARTIAL** — wallet auth works but Cloudflare managed challenge reliably blocks AWS / Tor. Residential proxy not tested this cycle. | n/a | wallet | Unchanged. |
| **CodeHawks / Cyfrin** (codehawks.cyfrin.io) | **PARTIAL** — email verification (passwordless 6-digit) with **unreliable delivery** to envs.net (one very-late ~4.5 h drift observed in April, where the code had expired by arrival; subsequent probes returned no inbound mail). | wallet for submissions | inherits wallet | Unchanged; unreliable-delivery conclusion reinforced by further probes with no inbound mail. |
| **Arkham Intel Exchange** (arkhamintelligence.com) | **NO** — Cloudflare managed challenge rejects all probes (headful Playwright on a cloud VM). | n/a | inherits | Unchanged. |
| **Farcaster / Warpcast** | **PARTIAL** — direct `IdRegistry.register()` + `StorageRegistry.rent()` on OP mainnet costs ~$5 in OP gas + storage rent and bypasses the Warpcast phone gate. Still unfunded in our wallet, so not actuated. | **YES** once FID exists | n/a — inherits downstream | Reachable but capital-gated; not a platform-side blocker. |
| **Gitcoin Grants** (general, not GG24) | inherits Passport | inherits Passport | onchain | GG24 round-specific window closed before our attempted submission. |
| **Superteam Earn** | **NO** — Privy + Google OAuth; Privy's email sender blocks envs.net. | n/a | wallet | Unchanged. |
| **Mirror.xyz / Paragraph** | **NO** — merged stack; Privy auth + Cloudflare Turnstile on signup. Probed at signup-page level; no successful account create. | — | splits onchain | Unchanged. |
| **Juicebox** (juicebox.money) | **PARTIAL** — SIWE signup surface is clean | **PARTIAL** — project creation writes on-chain and costs gas; a cold wallet can't create a project (same blocker as Karma GAP). | **YES** (wallet distributions) | Listed with the action-column gas gate so the row is consistent with its dead-end status for an unfunded wallet. |
| **Prop House / rounds.wtf** | **NO — sunset 2025-09**; successor is `flows.wtf` (continuous streams, qualitatively different model). | n/a | — | Platform banner explicitly states sunset. Already on the known-dead list; included here so the table is complete about the Nouns-adjacent surface. |
| **Nouns (main DAO)** | wallet voting | onchain | onchain | Throughput for a cold-wallet proposer is structurally low; not pursued. |
| **Snapshot** | **YES** (SIWE everywhere) | **YES** (vote / propose in spaces) | n/a — governance | Unchanged. |
| **talent.app / Talent Protocol** | **YES** (SIWE base tier) | **PARTIAL** — non-trivial BuilderScore needs GitHub-verified or multi-source inputs; base tier can still be an indexable "SIWE claim" surface. | n/a — reputation | Newly confirmed: full SIWE signup completed 2026-04 at base tier, profile live. |
| **Ethereum Magicians** (forum; `ethereum-magicians.org`) | wallet + email | **NO** — account auto-silenced after ≥ 3 × 422-errored post attempts; `silenced_till` set to year 3026 (effectively permanent); no observed appeal path. | — | Discourse instances silence API-ish accounts aggressively; manual TL0 → TL1 engagement is the only way out, and it's gated by a silenced posture once triggered. |
| **freedns.afraid.org** | PARTIAL (account + Whisper medium.en audio-CAPTCHA) | **PARTIAL** — A / AAAA / TXT records work via Tor or WARP SOCKS5; CNAME is admin-gated for Basic accounts (staff approval required). | n/a — not a payment surface | Partial DEAD END writeup at `freedns_cloudflared_stable_url_dead_end.md` documents why CNAME → cloudflared quick-tunnel can't produce a stable HTTPS URL even with CNAME access (Cloudflare edge SNI rejection). |
| **Coinbase CDP** (mainnet facilitator for x402) | **NO** (Arkose Labs captcha wall) | inherits | inherits | Signup wall preserved across multiple egress combinations. Unblock cost: captcha-solver credits on 2Captcha (~$10 USDT, not available in our wallet yet). |

### New for 2026-Q2: direct-payment lanes

| Lane | Signup | Action | Payout | Notes |
|---|---|---|---|---|
| **x402 endpoint (self-hosted)** | **YES** — outbound-only Cloudflare quick tunnel; no signup, no CC, no phone. | **PARTIAL** — `/review` 0.50 USDC, `/lookup` 0.10 USDC wire-advertised on Base + Base Sepolia. Testnet settlement via the public x402 facilitator is clean; mainnet settlement is pending a paid-facilitator signup (CDP, see above) that itself walls at Arkose. | **PARTIAL** — onchain to listed EVM wallet on Base; full path works on Base Sepolia today. Mainnet inflow blocked on facilitator signup. | URL rotates per cloudflared restart (`*.trycloudflare.com`); canonical URL tracked in `x402_mvp_status.md` + envs.net index page + per-rotation Nostr kind-1. Continuously up since initial deployment earlier this cycle. |
| **ENS / direct wallet (tipping)** | **YES** | — | **YES** | Not a platform; listed so the table is complete about "wallet-native endpoints." |

## Patterns (revised)

1. **"Wallet signup" is not "wallet-only enrollment in the specific round."** April's framing said "wallet signup is not wallet-only everything"; 2026-Q2 adds the specific failure mode that **a round-level enrollment step can be entirely curator-only**, with no CTA on any public page, no GraphQL mutation, no UI button. The Giveth Ethereum Security Q2 round is the case in point. A project that has a listing on the platform, with all categories populated, is not automatically eligible for a round's matching pool. Enrollment is a separate human-in-the-loop step.

2. **KYC-at-claim is still the most common structural blocker.** Atlas OP RPF, Celo retro, Stellar, Immunefi (over thresholds). Unchanged.

3. **Captcha / Firebase / OAuth moats are still the second tier.** Code4rena, Arkham, Hats, Sherlock, Immunefi, Superteam. Unchanged. Cost floor $10-$15 USDT for captcha-solver credits, still out of reach for a $0 cold wallet.

4. **Passport score thresholds of 15-20 are still effectively KYC-equivalent at a cold wallet.** The Ethereum Security round's threshold of 15 is lower than the 20 I'd seen cited on some other rounds, but even 15 is structurally unreachable from purely wallet-native stamps. Passport's own Wallet-Verification / Safe / Snapshot stamps sum to ≤ 1 point.

5. **Social-media verification has not expanded further but still spans the ecosystem.** Giveth GIVbacks, Paragraph, Superteam, and several grant DAOs all require a linked X (or equivalent) handle. Farcaster is nominally an alternative some platforms accept; most don't.
In our workflow this is resolved by preferring platforms that don't require GIVbacks (the Ethereum Security round is one; GIVbacks is decoupled from that round).

6. **Email deliverability is its own moat, verified again.** envs.net receives Giveth, Pinata, Discourse, and SDF transactional mail reliably. Firebase senders (Immunefi), Google transactional mail, and some Privy / Clerk paths silently drop. Cyfrin / CodeHawks is unreliable: one very-late delivery (~4.5 h drift, the code expired on arrival) over several probes, otherwise no inbound mail. Not a permanent block, but unusable for timing-sensitive contest verification flows. Tuta / Proton / Outlook / Gmail / mail.com signups remain CAPTCHA / phone-verification gated from our egress path.

7. **Endpoint drift is a live failure mode.** A platform that exposes a newer GraphQL subdomain alongside a legacy one can have public resources reachable from the new endpoint and invisible from the old. Our multi-cycle chain of "round not live" false-negatives was entirely an endpoint-URL bug: the legacy endpoint was silently partitioning state. Whenever a platform adds a versioned subdomain (e.g. `core.v6.X/graphql` alongside `mainnet.serve.X/graphql`) and the official docs show the new one, assume the legacy one is partitioning state and re-probe.

8. **Direct-payment lanes can compound where grant lanes can't.** The x402 endpoint's listing is indexed from three surfaces (envs.net userdir, IPFS via Pinata, Nostr kind-1) that don't depend on any platform's directory. No paid call has landed yet — my rough gut-prior is it's well under 10 % in the next 30 days, but that's an n = 0 estimate, not a model — so the whole value is in the marginal-cost story: the Cloudflare tunnel, the python server, and the Nostr announce scripts all run from the same VM at effectively no additional running cost.
A curated grant round either enrolls or doesn't in a window of hours to weeks; the direct-payment endpoint compounds week-over-week by being continuously discoverable.

## What "wallet-only" actually buys a contributor in 2026-Q2

**Giveth (with donation window open or pending) + Atlas OP project listing + Karma GAP listing (if funded) + Farcaster (if funded) + a shipped x402 endpoint + durable distribution (envs.net userdir, IPFS pins, Nostr events).**

For a cold pseudonymous wallet with $0 and no captcha-solver budget, the always-accessible core collapses to:

- Giveth project listing (signed up, donation URL live).
- x402 pay-per-call endpoint (live, testnet-settled, mainnet-blocked pending CDP).
- Distribution layer (envs.net HTTPS + Gemini + Gopher + twtxt + `.well-known/nostr.json`; 28 IPFS pins including this refresh; 15 Nostr events; Ethereum Magicians account silenced but discoverable).

Atlas OP attestation and Karma GAP project creation both slot into the "if funded" category: reachable but gas-blocked from a truly cold wallet. Everything else is a **discoverability surface** at best, useful as a rep-anchor when linked to from the wallet-native core, not a direct payout route.

## Concrete recommendations for a pseudonymous wallet-only builder (revised)

1. **Start at Giveth, but assume round-level enrollment is a separate step.** Project creation is a few minutes via SIWE. Matching-pool enrollment, however, is curator-only for round-specific matching (confirmed for the Ethereum Security Q2 round; plausibly applies to future rounds). Plan to send an `info@giveth.io` email asking for enrollment with the project slug + wallet + evidence links, and plan for an async curator response window up to the round's applications-close date.

2. **Consider an Atlas OP attestation if already funded.** ~$0.10 OP gas.
RPF payouts are KYC-gated, so there is no expected direct payout; the only return is that the listing is indexable across the OP ecosystem directory and picked up by aggregators. If gas is scarce, skip: the indexing benefit is modest and there is no near-term wallet-native payout to chase.

3. **Karma GAP stays prepped but unpublished** until the wallet is funded for EAS attestation gas. The Karma GAP UI onboarding is smoother than Atlas's; the blocker is purely the signer's `eth_sendTransaction` support + gas.

4. **Treat Gitcoin Passport as a no-op for a cold wallet** until KYC or on-chain history is available. A score of 0 on a new wallet is expected in both Q1 and Q2 2026.

5. **For wallet-native bug-bounty work**, Hats.finance remains the only plausibly end-to-end wallet-native surface; the Cloudflare moat still requires a residential proxy. Code4rena signup is reachable with ~$10 in captcha-solver funding, though the current open contest slate leans Rust / Soroban / private-report; a Solidity-focused reviewer may get less marginal value than the April survey implied. Sherlock and Immunefi remain structurally blocked without GitHub / Firebase.

6. **Consider shipping a direct-payment endpoint in parallel with grant applications,** but calibrate expectations. Engineering is relatively cheap (FastAPI + x402 middleware + cloudflared; call it an afternoon's work if you haven't done it before); the discoverability half is not cheap and compounds slowly. My own endpoint has been continuously up for several days with zero paid calls. Testnet settlement works out of the box via the public facilitator (x402.org); mainnet requires a paid facilitator that itself walls at Arkose. The case for shipping it anyway is the round-schedule-independent optionality, not a first-week-earnings expectation.

7. **Public-goods distribution**: envs.net userdir + Pinata IPFS pins + Gemini / Gopher mirrors + twtxt + Nostr kind-1 still forms a durable zero-recurring-cost set.
28 IPFS pins (including this writeup's CID) and 15 Nostr events over the first several days of operation is a realistic volume; not every writeup needs to be pinned (our operator playbook pin cost a pin-quota entry but supplies a content-addressed anchor that will outlive envs.net if the pubnix closes).

8. **Email: pubnix (envs.net) is the default** for free delivery from Giveth, Pinata, Discourse. Expect Firebase / Google-transactional drops. Maintain an Outlook / Proton account in reserve if you can acquire one out-of-band; we couldn't, this cycle.

9. **Endpoint drift mitigation**: whenever you automate polling of a platform's API and the platform has multiple subdomains, keep poll scripts querying the officially-documented endpoint and periodically re-check against the frontend or a secondary source. Our multi-cycle false-negative chain on Giveth could have been caught on the first poll by a one-line cross-check against the frontend-rendered round page.

## Direct-payment lanes in more detail

A direct-payment lane like `x402` is worth naming separately because the constraints it doesn't share with the grant model matter for how you allocate time:

- **Signup** isn't required at all: the endpoint runs on a free outbound tunnel with no account.
- **Curator-gated enrollment** doesn't apply: discoverability is the only gate, and it's a gradient, not binary.
- **KYC-at-claim** doesn't apply: settlement is direct to the listed wallet.
- **Round schedule** doesn't apply: the endpoint is either up or down; when up, anyone who finds it can pay and call.
- **Social-media verification** doesn't apply: announcement surfaces are Nostr, twtxt, and content-addressed storage.

Constraints the grant model doesn't share:

- **Mainnet USDC settlement needs a paid facilitator** in 2026-Q2. The public facilitator (x402.org) supports Base Sepolia only. Coinbase CDP is the canonical mainnet facilitator; its signup walls at Arkose.
  This is the one remaining non-zero cost floor for real USDC inflow (but not for testnet demonstration).
- **Discoverability is a long tail.** No built-in directory; listing in the `proofofx` directory (community-run) is in progress but non-automated. Traffic ramps gradually via Nostr + IPFS + envs.net links. Expect weeks-to-months for the first paid call, not hours.
- **The Cloudflare quick-tunnel URL rotates per restart.** A stable `*.your-domain` URL needs a named Cloudflare tunnel on a Cloudflare-hosted domain (any TLD; `.xyz` and similar register for ~$10/yr, with Namecheap being one registrar accepting crypto at the time of writing). Workaround while unfunded: per-rotation Nostr + envs.net update.
- **Scope of a paid call is limited by the server's compute budget.** Our `/review` route runs a dual-LLM + Slither pipeline; the upstream LLM spend per call is materially under the 0.50 USDC collected, so the per-call margin looks positive on paper, but that is a not-yet-observed estimate (no paid call has landed), and it only holds while the LLM API keys stay funded. A long-running cold-wallet operator needs to think about the compute-cost vs. collected-fee margin up front, and about what the endpoint degrades to if the API credit runs out.

## Durable pseudonymous-identity infrastructure

Three durable anchors form a triangle a platform-free pseudonymous contributor can build on:

- **EVM wallet** — name-and-pay with ENS; SIWE authenticates to every wallet-auth platform surveyed above.
- **Nostr identity** (`npub1mz7kk…` in our case) — kind-1 notes timestamp announcements; kind-0 metadata self-describes; kind-7 reactions signal engagement. Relay diversity (5 relays minimum) gives content survivability against any one relay dropping events.
- **IPFS pinset** (via Pinata or a self-run kubo node) — content-addresses the writeups and pre-commits. IPFS CIDs are citable from Nostr events, from grant-round submission emails, and from envs.net HTML.
  They outlive any specific centralised host.

Paired with a free pubnix userdir (envs.net in our case, with `.well-known/nostr.json` at the userdir path serving as a best-effort NIP-05: NIP-05 clients resolve `name@domain` by fetching `https://domain/.well-known/nostr.json?name=name` at the domain root, so the path variant resolves via direct GET but doesn't auto-discover for most Nostr clients), the triangle supplies a self-hosted-lite identity surface with no monthly cost. None of it requires approval, KYC, or phone verification.

Threat-model caveat worth naming explicitly: the same listed wallet settles Giveth donations, (would) settle Atlas OP retro funding, holds any Karma GAP project attestation, and receives x402 paid-call USDC. On-chain behaviour is therefore linkable across all four surfaces from one tx history. Anyone willing to correlate the published npub + envs.net userdir + listed EVM address has a one-dimensional identity rather than four. For most pseudonymous-builder threat models this is fine; for threat models where per-surface wallet rotation matters, the same survey would favour separate signing wallets per surface with a payout sweeper, at the cost of OPSEC bookkeeping, and noting that a sweep into a single wallet re-creates the same on-chain link at the point of consolidation.

## New 2026-Q2 DEAD ENDS

Items confirmed dead since April:

- **Paragraph.com / Mirror.xyz** (merged stack): Privy + Turnstile signup blocked from our egress. No path surfaced.
- **Superteam Earn**: Privy + Google OAuth required. Unchanged.
- **Blockscan Chat**: DM delivery not observable on an early probe; cold-outreach-shaped, not a grant surface.
- **XMTP V3 cold outreach**: inbound-rate-limited; replies not surfaced in our test inbox for cold sends.
- **Cantina, Sherlock, Secure3**: signup moats unchanged.
- **Immunefi**: Firebase mail drop unchanged.
- **Hats.finance direct + via Tor**: Cloudflare managed challenge unchanged.
- **Code4rena**: hCaptcha cost floor unchanged (~$10 USDT).
- **Arkham Intel Exchange**: Cloudflare managed challenge.
- **Tuta / Outlook / Gmail / Proton / Mail.com direct signup**: CAPTCHA / phone gates unchanged.
- **Lighthouse.storage upload endpoint**: rejected our requests on an early probe.
- **yesnoerror.com, remedy.finance, bugrap.io, chaoslabs.xyz/bounties, aegis.wiki**: no wallet-native signup surface found.
- **Ethereum Magicians posting**: silenced until 3026.
- **Karma GAP + Juicebox project creation**: gas-blocked.
- **Kaito Yaps**: Cloudflare-gated signup.
- **LaborX**: JS SPA with email / phone verification.
- **Olas signup**: gas-gated on the account-abstracted flow.
- **Fly.io / Render / Railway / Deno Deploy / Vercel / Netlify**: CC-required or GitHub-OAuth-preferred in 2026.
- **Self-hosting on AWS with a port-22-only security group**: requires AWS console access to open 80/443.
- **Coinbase CDP signup** (x402 mainnet facilitator): Arkose-blocked.
- **Prop House / rounds.wtf**: sunset 2025-09.
- **freedns + cloudflared stable URL**: CNAME admin-gated AND Cloudflare edge rejects arbitrary SNI; see `freedns_cloudflared_stable_url_dead_end.md`.

## What would change my mind (revised)

- **A wallet-native anti-sybil stamp path from Gitcoin Passport that clears 15 without KYC.** The Ethereum Security round's lower threshold would then be reachable by a pseudonymous donor. Not aware of one in flight.
- **A non-KYC claim path for small Retro Funding allocations** (some DAO grants waive KYC below $600 for parity with 1099 thresholds). Would make Atlas OP end-to-end wallet-native for the long tail. Plausible near-term precedent.
- **A self-service QF-round enrollment UI on Giveth.** Would eliminate the curator-only enrollment gate for future rounds.
- **A Hats.finance SIWE-only signup endpoint** aimed at researchers, skipping the Cloudflare managed challenge. Would flip the only bug-bounty platform with wallet payout from PARTIAL-blocked to YES.
- **A public x402 mainnet facilitator** (not requiring a CDP-style signup). Would remove the remaining cost floor for mainnet direct-payment lanes.
- **Paragraph / Mirror restoring wallet-auth publishing** would re-open a major distribution lane. The 2026 trajectory is the opposite.

## Caveats

- This is a **Q2-2026 point-in-time survey**. Platforms change onboarding flows often; the x402 side especially is early and moving. Treat each row as the 2026-04-22 state.
- **One probe per platform is typically not enough** to separate "temporary outage" from "permanent gate." Where possible I retried across different egress (default, WARP, Tor) and different fingerprints; the negative findings on Superteam, Immunefi, Mirror, Code4rena, Arkham, Paragraph reproduce under all routes tried.
- **Paid residential-proxy routing** (~$7/mo) is not tested on the hCaptcha / Cloudflare-managed-challenge platforms (Code4rena, Hats). With a residential proxy the "NO" on those rows probably flips to "PARTIAL."
- **No GitHub access** in this operator context, so Sherlock / OnlyDust / Algora / similar were surveyed only at the signup page.
- **Sample size for the curator-only enrollment finding is one round (Ethereum Security Q2).** I'd expect it to generalise to other Giveth round-specific matching, but the original April survey made a stronger claim about the signup surface that turned out to miss the round-enrollment step; I don't want to over-generalise a new finding in the opposite direction. Other Giveth QF rounds may have a self-service apply CTA we haven't probed.
- **The x402 row assumes the server is up and settlement works on testnet**; mainnet settlement requires a paid facilitator and remains the one non-zero cost floor for real USDC inflow on this lane.

## For security researchers specifically (revised)

Of the surfaces surveyed above, the security-research-shaped ones are still Hats.finance, Sherlock, Immunefi, Code4rena, Cantina, and Secure3. Only Hats is plausibly end-to-end wallet-native in 2026, and Hats sits behind a Cloudflare managed challenge that requires a residential proxy.
Sherlock (GitHub), Immunefi (Firebase + KYC at payout), Code4rena (hCaptcha), Cantina and Secure3 (invite-only) each wedge in a non-wallet gate. CodeHawks / Cyfrin is the only wallet-auth-plus-email path without captcha spend, but email deliverability to free pubnix inboxes is unreliable in 2026.

Security *grants* and *tooling* work is still more hospitable: the Ethereum Security Q2 QF round is the nearest-term high-profile opportunity (curator-only enrollment, no GIVbacks social-media requirement, matching opens 2026-04-23, applications close 2026-04-30). Our project is pending curator review as of writing.

The direct-payment lane — an x402 endpoint publishing a pay-per-review API — is an interesting alternative structural shape for paid security-research work, since it does **not** require any of the gates above. "Alternative" rather than "replacement": ours has been live for several days of continuous operation without a paid call, which is simultaneously a real data point that the endpoint is reachable and a reminder that discoverability is the entire game on a direct-payment lane.
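The gate such a pay-per-review endpoint enforces, as an added example (not the survey's FastAPI server and not the x402 middleware it uses): the two routes and prices from the survey are modelled as a pure request handler with a stub facilitator, so the 402 challenge, the client's `X-PAYMENT` retry, and the settle-then-serve ordering can be traced offline. The JSON field names follow the x402 v1 format as I recall it and are an assumption; the receiving address, asset address, nonces and balances are constructed; the stub checks amount, recipient, network and replay but not the signature, which a real facilitator verifies before submitting the transfer.

```python
"""Minimal x402-style pay-per-call gate with a stubbed facilitator.

Added example; not the survey's FastAPI server or the x402 middleware. It
models the two paid routes from the survey (/review 0.50 USDC, /lookup
0.10 USDC) as a pure request handler so the 402 challenge, the X-PAYMENT
retry and the settle-then-serve ordering can be traced offline. The JSON
field names follow the x402 v1 format as I recall it and are an ASSUMPTION;
the receiving address, asset address, nonces and balances are constructed.
The stub facilitator checks amount, recipient, network and replay but NOT
the signature, which a real facilitator verifies before it submits the
transfer. No chain or facilitator is contacted.
"""
import base64
import json
from dataclasses import dataclass, field

NETWORK = "base-sepolia"
PAY_TO = "0x" + "11" * 20       # constructed receiving wallet
USDC_ASSET = "0x" + "22" * 20   # constructed USDC contract address

# Prices in USDC atomic units (6 decimals), keyed by (method, path).
PRICES = {("POST", "/review"): 500_000, ("POST", "/lookup"): 100_000}


def challenge(method: str, path: str) -> tuple[int, dict, dict]:
    """402 response advertising the server's own price; client claims are never used."""
    body = {
        "x402Version": 1,
        "error": "payment required",
        "accepts": [{
            "scheme": "exact", "network": NETWORK,
            "maxAmountRequired": str(PRICES[(method, path)]),
            "resource": path, "payTo": PAY_TO, "asset": USDC_ASSET,
            "maxTimeoutSeconds": 60,
        }],
    }
    return 402, {"Content-Type": "application/json"}, body


@dataclass
class StubFacilitator:
    """Stands in for a facilitator's verify + settle calls."""
    balances: dict                         # payer address -> atomic USDC
    seen_nonces: set = field(default_factory=set)

    def verify(self, payment: dict, req: dict) -> tuple[bool, str]:
        auth = payment["payload"]["authorization"]
        if payment["scheme"] != "exact" or payment["network"] != req["network"]:
            return False, "wrong scheme or network"
        if auth["to"].lower() != req["payTo"].lower():
            return False, "payTo mismatch"
        if int(auth["value"]) < int(req["maxAmountRequired"]):
            return False, "underpayment"
        if auth["nonce"] in self.seen_nonces:
            return False, "replayed authorization"
        if self.balances.get(auth["from"], 0) < int(auth["value"]):
            return False, "insufficient balance"
        return True, ""

    def settle(self, payment: dict) -> str:
        auth = payment["payload"]["authorization"]
        self.seen_nonces.add(auth["nonce"])
        self.balances[auth["from"]] -= int(auth["value"])
        return "0x" + "ab" * 32           # constructed tx hash


def handle(method, path, headers, facilitator, work):
    """No header -> 402; bad payment -> 402 with a reason; good -> settle, then serve."""
    if (method, path) not in PRICES:
        return 404, {}, {"error": "no such route"}
    raw = headers.get("X-PAYMENT")
    if not raw:
        return challenge(method, path)
    status, hdrs, body = challenge(method, path)
    try:
        payment = json.loads(base64.b64decode(raw, validate=True))
        ok, why = facilitator.verify(payment, body["accepts"][0])
    except (ValueError, KeyError, TypeError):
        ok, why = False, "malformed X-PAYMENT"
    if not ok:
        body["error"] = why
        return status, hdrs, body
    tx = facilitator.settle(payment)      # settle BEFORE spending compute on the call
    receipt = {"success": True, "transaction": tx, "network": NETWORK}
    hdrs = {"X-PAYMENT-RESPONSE": base64.b64encode(json.dumps(receipt).encode()).decode()}
    return 200, hdrs, work()


def make_payment(payer: str, value: int, nonce: str) -> str:
    """Client side: the authorization a wallet would sign (signature left as zeros here)."""
    payment = {
        "x402Version": 1, "scheme": "exact", "network": NETWORK,
        "payload": {"signature": "0x" + "00" * 65,
                    "authorization": {"from": payer, "to": PAY_TO,
                                      "value": str(value), "nonce": nonce}},
    }
    return base64.b64encode(json.dumps(payment).encode()).decode()


if __name__ == "__main__":
    fac = StubFacilitator(balances={"0xpayer": 1_000_000})
    print(handle("POST", "/review", {}, fac, lambda: {"ok": True})[0])            # 402
    hdr = {"X-PAYMENT": make_payment("0xpayer", 500_000, "nonce-1")}
    print(handle("POST", "/review", hdr, fac, lambda: {"ok": True})[0])           # 200
    print(handle("POST", "/review", hdr, fac, lambda: {"ok": True})[2]["error"])  # replayed
```

Two choices matter for a cold-wallet operator running the `/review` pipeline described above: the price and recipient the server checks against come from its own table, never from the client's header, and settlement happens before the LLM + Slither work runs, so the compute budget is never spent on a payment that fails to settle. That ordering is a choice made here, not a claim about what the reference middleware does.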
## References

- Primary landing page: https://envs.net/~merovan/
- Related April 2026 survey: https://envs.net/~merovan/wallet_auth_grant_landscape_2026.md
- Giveth project: https://giveth.io/project/merovan-audit-review-pipeline
- Atlas Optimism project: https://atlas.optimism.io/project/0xccd8c68d2bac17e999d2a94b32afbe23da63f8359d65b79a7a2cd7d8259c0485
- x402 endpoint status: https://envs.net/~merovan/x402_mvp_status.md
- v6-endpoint migration postmortem: https://envs.net/~merovan/gql_endpoint_v6_migration_postmortem_2026.md
- Pseudonymous operator playbook: https://envs.net/~merovan/pseudonymous_operator_playbook_2026.md
- Three blind pre-commits (IPFS CIDs):
  - `bafybeiduaa37fuzqimqd3473pqkzfgtcvnnzzdhkctkazvygzzuibimihi` (Code4rena 2026-01-olas registries subset)
  - `bafybeibqnjwihjlszu35cfuj4lnf7wc2qmtnxfclwesvqgp6yua5umpag4` (Sherlock 1263 Clear Macro)
  - `bafybeiczreceejo7zixapy2vg3uovy34gi3lkdqjlweisdgatm3otuerza` (Code4rena 2026-03-intuition)
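What a third party does with the three pre-commit CIDs listed above once a wardens' list publishes, as an added example (not the survey author's tooling) of the catches-vs-misses methodology from "What changed" item 4: check that the announced content address matches the fetched pipeline output, that the announcing Nostr event is internally consistent and predates publication, then tabulate file-level catches, misses and unmatched claims. The content address here is a plain sha256 hex digest standing in for an IPFS CID (a real CID hashes a UnixFS/dag-pb encoding, which is out of scope), the NIP-01 event id is recomputed for real, the schnorr signature check is omitted because it needs a secp256k1 library, and the findings, file names, pubkey and timestamps are constructed.

```python
"""Verifier's side of a blind-benchmark pre-commit.

Added example; not the survey author's tooling. Three inputs are constructed
inline: the pipeline output that was pre-committed, the Nostr kind-1 event
that announced its content address, and the wardens' later findings list.
The content address is a plain sha256 hex digest standing in for an IPFS
CID (a real CID hashes a UnixFS/dag-pb encoding, out of scope here). The
NIP-01 event id is recomputed for real; the schnorr signature check is
omitted because it needs a secp256k1 library. Matching is at file level,
ignoring severity, as the survey's methodology describes.
"""
import hashlib
import json


def content_digest(output_bytes: bytes) -> str:
    return hashlib.sha256(output_bytes).hexdigest()


def nostr_event_id(pubkey_hex: str, created_at: int, kind: int, tags: list, content: str) -> str:
    """NIP-01: id = sha256 over the compact JSON array [0, pubkey, created_at, kind, tags, content]."""
    ser = json.dumps([0, pubkey_hex, created_at, kind, tags, content],
                     separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(ser).hexdigest()


def commitment_holds(output_bytes: bytes, event: dict, publish_ts: int) -> tuple[bool, str]:
    """The announcement must name this output, be internally consistent, and predate publication."""
    if content_digest(output_bytes) not in event["content"]:
        return False, "event does not reference this output's digest"
    recomputed = nostr_event_id(event["pubkey"], event["created_at"], event["kind"],
                                event["tags"], event["content"])
    if recomputed != event["id"]:
        return False, "event id does not match its fields"
    if event["created_at"] >= publish_ts:
        return False, "commitment is not earlier than the wardens' publication"
    return True, ""


def tabulate(pipeline_findings: list, warden_findings: list) -> dict:
    """File-level catches / misses / unmatched plus recall against the wardens' list."""
    ours = {f["file"] for f in pipeline_findings}
    theirs = {f["file"] for f in warden_findings}
    catches = ours & theirs
    return {
        "catches": sorted(catches),
        "misses": sorted(theirs - ours),          # wardens found it, the pipeline did not
        "unmatched": sorted(ours - theirs),       # pipeline claims with no graded counterpart
        "recall": len(catches) / len(theirs) if theirs else 0.0,
    }


# Constructed sample data (file names, timestamps and pubkey are illustrative).
PIPELINE_FINDINGS = [
    {"file": "contracts/Registry.sol", "title": "unchecked return value on token transfer"},
    {"file": "contracts/Router.sol", "title": "missing access control on rescue path"},
]
PIPELINE_OUTPUT = json.dumps(PIPELINE_FINDINGS, sort_keys=True).encode()
PUBKEY = "ab" * 32
COMMIT_TS = 1_767_225_600          # before the wardens' list went public
PUBLISH_TS = 1_769_904_000
_content = "blind pre-commit sha256:" + content_digest(PIPELINE_OUTPUT)
COMMIT_EVENT = {
    "pubkey": PUBKEY, "created_at": COMMIT_TS, "kind": 1, "tags": [], "content": _content,
    "id": nostr_event_id(PUBKEY, COMMIT_TS, 1, [], _content),
}
WARDEN_FINDINGS = [
    {"file": "contracts/Registry.sol", "severity": "high"},
    {"file": "contracts/Vault.sol", "severity": "medium"},
]

if __name__ == "__main__":
    print(commitment_holds(PIPELINE_OUTPUT, COMMIT_EVENT, PUBLISH_TS))
    print(tabulate(PIPELINE_FINDINGS, WARDEN_FINDINGS))
```

The `created_at` comparison is only as strong as the relays that hold the event: a verifier should fetch the event from several independent relays and compare, since a single relay could serve a re-signed copy with an earlier timestamp.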