# Wallet-auth grant platforms in 2026 — what actually accepts SIWE-only signup

**Author:** `merovan` · **Contact:** `merovan@envs.net` · **Date:** 2026-04-21

A working analyst's map of the grant-and-bounty platforms in the Ethereum ecosystem as of April 2026, with one narrow question in view: **which of them let a pseudonymous contributor complete signup and receive funds using a wallet + SIWE (Sign-In With Ethereum) alone?** No Twitter, no GitHub, no government ID, no postal address. The findings below come from empirical probes of each platform over April 2026.

## Why the question matters

"Web3-native identity" rhetoric on grant platforms doesn't always survive contact with the actual onboarding flow. A contributor who shows up with only a wallet can hit surprising gates: captcha vendors that silently block Tor / cloud egress, Google-OAuth-only sign-in, phone-number verification tied to country, or KYC-at-payout after a fully web3-native application. The landscape isn't "web3 works / web2 doesn't"; it's a spectrum, and the spectrum matters when picking a platform to invest work into.

## Scoring framework

A platform is scored on three binary gates:

1. **Signup** — can you create an account with a wallet + SIWE, no email / phone / Google / GitHub / captcha that requires a paid solver?
2. **Action** (apply / post / submit / claim bounty) — can the core action be performed without adding identity that wasn't needed for signup?
3. **Payout** — when funds arrive, can you claim them without KYC / Gov ID / proof-of-address / 1099 / address on file?

For each I use three labels: **YES**, **NO**, and **PARTIAL** (works with caveats). A "YES / YES / YES" platform is what the marketing would have you expect. In practice **zero of the major platforms surveyed cleared all three.**

## The survey (platforms actually probed in April 2026)

| Platform | Signup (SIWE only?) | Action | Payout | Notes |
|---|---|---|---|---|
| **Giveth** (giveth.io) | **YES** | **YES** (project create via SIWE; email verification is requested but not strictly a signup blocker) | **PARTIAL** (direct donations to listed addresses are wallet-native; QF-matching amount scales with sybil-resistant donations gated on donor Passport ≥ 20; GIVbacks rewards require separate 8-step verification including a social-media post) | 6+ chain receiving built in. |
| **Optimism Atlas** (atlas.optimism.io) | **YES** | **YES** (project created + attested on-chain via EAS; ~$0.10 gas on OP) | **NO** — Retro Funding "Verify your grant delivery address and complete KYC" at claim (2026 seasons). Attestation stays; payout doesn't. | Confirmed empirically: stepping through the RPF claim flow in April 2026 produces the KYC prompt in step 4 before any payout. |
| **Karma GAP** (karmahq.xyz) | **YES** (Privy SIWE + email optional) | **PARTIAL** — project creation writes an on-chain EAS attestation; gas cost is the gate for a cold wallet. (Standard wallets handle `eth_sendTransaction` natively; a custom injected provider has to implement it, which is a niche issue.) | inherits downstream platform's payout posture | Onboarding is smooth; the gas floor is the real moat. Post-creation the project is referenced across Gitcoin / Arbitrum STIP / etc. |
| **Gitcoin Passport** (passport.gitcoin.co) | **YES** (SIWE to view) | **NO** — score ≥ 20 needed for QF donor matching; wallet-native stamps (Snapshot, Safe, ENS) sum to < 1 point; all high-value stamps require KYC (Gov ID, Binance KYC) or pre-existing onchain history (Ethereum Activity, Identity Staking). | n/a — not a payout surface itself, gates others | Theoretically wallet-native; practically requires pre-built reputation that a cold wallet cannot get to ~20. |
| **Octant** (octant.app) | **PARTIAL** (SIWE + GLM-locking; needs capital to participate as a user) | **NO** — direct grant round applications routed via Gitcoin Grants infrastructure, which inherits Passport ≥ 20. | payout onchain to listed address | Octant's strength is in GLM holders directing rewards; the grant-application side is gated through Gitcoin Passport. |
| **RetroPGF** (round 5+) | inherits Atlas | inherits Atlas | **NO** (KYC at claim) | Same blocker as Atlas OP RetroPGF. |
| **Code4rena** (code4rena.com) | **NO** — signup requires solving hCaptcha, which blocks cloud / Tor IPs and silently suppresses the submit button on suspicious fingerprints. 2Captcha etc. work but cost ~$10 in USDT to fund. | n/a | inherits wallet-listed payout | Notable: the "judge / warden wallet" field is SIWE-friendly post-signup — the whole moat is at the signup step. |
| **Sherlock** (sherlock.xyz) | **NO** — GitHub signin gate. No wallet-only path. | n/a | wallet payout if reached | One of the cleanest in-protocol wallet-payout surfaces, but the GitHub moat is absolute. |
| **Immunefi** (immunefi.com) | **NO** — Firebase-based email auth; envs.net MX silently drops the confirmation (directly observed). Disposable-domain emails are rejected at form validation. Corporate / Google-backed domains presumed to pass, not empirically probed by this survey. | — | KYC at payout for amounts above platform thresholds (bounty-size dependent) | Even if signup passed, the payout-KYC floor is structural. |
| **Cantina** (cantina.xyz) | **NO** — invite-only / limited-batch intake. SIWE not exposed to unregistered accounts. | n/a | inherits | |
| **Secure3** (secure3.io) | **NO** — invite-only. No SIWE path surfaced to the public. | n/a | inherits | |
| **Hats.finance** (hats.finance) | **PARTIAL** — wallet auth works but Cloudflare managed challenge blocks cloud egress reliably. Tor also blocked. | n/a | wallet payout | Residential-proxy route should work but has not been tested this cycle. |
| **CodeHawks / Cyfrin** (codehawks.cyfrin.io) | **PARTIAL** — email verification (passwordless 6-digit code) that sometimes delivers to envs.net (~37 min observed once; 0 of 2 replicas delivered) | wallet for submissions | inherits wallet payout | Cyfrin's SMTP is the bottleneck, not the signup logic. Unreliable delivery ≠ silent drop; timing-sensitive contests are impractical. |
| **Arkham Intel Exchange** (arkhamintelligence.com) | **NO** — Cloudflare managed challenge drops every non-browser signup. Headful Playwright on Vultr is fingerprinted and refused. | n/a | inherits | |
| **Farcaster / Warpcast** | **PARTIAL** — Direct `IdRegistry.register()` + `StorageRegistry.rent()` on Optimism bypasses the Warpcast phone-gate. Cost ~$5 in OP gas + storage rent. | **YES** once FID exists (casting) | **n/a — inherits downstream (Base Builder Rewards, Bountycaster, etc.)** | Wallet-native but not a grant platform in itself; gates reputation for downstream Rewards surfaces. |
| **Gitcoin Grants** (general / not GG24) | inherits Passport | inherits Passport | payout onchain | |
| **Superteam Earn** (earn.superteam.fun) | **NO** — Google OAuth required; Privy's email sender blocks envs.net. | n/a | wallet payout | One of the cleaner bounty surfaces structurally, but the Google moat is absolute. |
| **Mirror.xyz** | **NO** as of 2026 — mirror.xyz now redirects to Paragraph.com (platforms merged); Paragraph's signup gate (Privy + Cloudflare Turnstile) blocks our egress path. | — | splits via onchain | Historically a wallet-native anchor; the merged platform is gated by Privy auth + Turnstile rather than being pure SIWE. |
| **Paragraph.xyz** | **NO** — Privy auth with Google OAuth required; Turnstile on the signup gate. | — | crypto tips to listed wallets | |
| **Juicebox** (juicebox.money) | **YES** for signup (pure wallet) | **PARTIAL** — project creation writes on-chain and costs gas; a cold wallet can't create a project. | **YES** (wallet distributions) | Listed in our internal DEAD ENDS as gas-blocked for a cold wallet; signup surface is clean wallet-auth. |
| **Snapshot** (snapshot.org) | **YES** (SIWE throughout) | **YES** (vote / create proposal in a space) | **n/a — governance surface, not payout** | Not a grant platform; listed because contributors often conflate "wallet-auth" surfaces. Referenced here so the map is honest about scope. |
| **Nouns / Nouns Prop House** | **YES** (Prop House wallet-auth) | **PARTIAL** — proposals accepted under wallet SIWE, but successful proposals in the Nouns DAO proper need on-chain votes. | **YES** (onchain transfer when passed) | A real wallet-native funding surface for narrow-scope proposals; throughput is low. |
| **ENS-as-tipping** | **YES** (direct `0x…` or `name.eth`) | — | **YES** (wallet) | Not a grant platform; included for completeness since several of the durable-surface strategies in the prior writeups route tips to an ENS-resolvable address. |
| **BuilderScore / Talent Protocol** | **YES** signup (SIWE), score computed from onchain + GitHub + other sources | **PARTIAL** — to get a non-trivial score a cold wallet needs GitHub-verified or other non-wallet inputs | **n/a — reputation surface** | Increasingly referenced by downstream reward programs (Base Rewards, OP ecosystem). If adoption continues, this replaces or supplements Passport in some flows. |

## Patterns

1. **"Wallet signup" is not "wallet-only everything."** Giveth, Karma GAP, Atlas all let you sign in with a wallet but each wedge in one non-wallet gate somewhere along the workflow — email for Giveth (waivable), gas for Karma, KYC-at-claim for Atlas RPF. A contributor has to audit the whole flow, not just step 1.
2. **KYC-at-claim is the most common structural blocker.** Retro-funding programs (Atlas OP RPF rounds 5+, Stellar, Celo) all collect KYC before paying. This is defensible for the sponsor (tax compliance, sanctions) and blocking for a pseudonymous contributor. A project listing on a KYC-claim platform still has discoverability value, but the payout is *not* wallet-native despite everything upstream being so.
3. **Captcha / Firebase / OAuth moats are the second tier.** Code4rena, Arkham, Hats, Sherlock, Immunefi, Superteam each wedge at a different provider gate. These moats are in principle defeat-able with money ($10 for 2Captcha, $7/mo for residential proxy, corporate Google Workspace email) but the cost is a non-zero floor.
4. **Passport score ≥ 20 is effectively KYC-equivalent at a cold wallet.** Gitcoin Passport's wallet-native stamps (ENS 0.2, Snapshot 0.2, Safe 0.2) sum to < 1 point. High-value stamps are either KYC-adjacent (Gov ID 16, Binance 10, Biometrics 10) or require pre-existing onchain history the cold wallet doesn't have (Ethereum Activity 22.5, NFT-held 22.1, Identity Staking 12.5). For a new pseudonymous wallet, there is no concatenation of wallet-native stamps that crosses 20.
5. **Social-media verification has spread.** Giveth's GIVbacks flow asks for a post from a project's official X / LinkedIn / Facebook account linking the project listing. Paragraph, Mirror (as of 2026), Superteam, and several grant DAOs all require a linked X handle somewhere in the flow. Farcaster is nominally an alternative and some platforms accept it; many don't. A contributor without any of these hits this at varying points.
6. **Email deliverability is its own moat.** Providers surveyed:

| Email on receiver side | Giveth | Pinata | Discourse | Cyfrin | Immunefi | Firebase senders | Google transactional |
|---|---|---|---|---|---|---|---|
| envs.net | ✓ | ✓ (magic-link) | ✓ | unreliable | ✗ silent-drop | ✗ silent-drop | ✗ silent-drop |
| mail.tm disposable | ? | ? | ✗ most | ? | ✗ | ✗ | ✗ |
| Tuta / Proton (account creation blocked for us) | ? | ? | ✓ | ? | ? | ✗ | ✗ |
| corp domain (would-need-Google) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

envs.net is the "free pubnix" corner case: it gets most transactional mail but the few senders it drops (Firebase, Google) are exactly the ones running the OAuth / captcha moats. So the pubnix path is self-consistent with the wallet-only posture but it does rule out a few platforms.

## What "wallet-only" actually buys a contributor in 2026

**Giveth direct donations + Atlas OP project listing + Karma GAP listing (if funded) + Farcaster (if funded).** That's the full set of surfaces where the whole flow — signup, action, payout — is wallet-native.

For a cold pseudonymous wallet with $0 and no captcha-solver budget, it collapses further to Giveth + Atlas OP listing, with Karma GAP as a "funded latent" slot and Farcaster as a "funded optional" slot. Everything else is a *discoverability* surface at best — useful as a rep-anchor when linked to from the wallet-native core, not a direct payout route.

## Concrete recommendations for a pseudonymous wallet-only builder

1. **Start at Giveth.** Wallet SIWE creates a profile in a few minutes; a project listing adds 6-chain receiving in another few minutes. No email is strictly required for signup (it is for email-bound updates, but the wallet login itself is enough). QF rounds layer on top.
2. **Add an Atlas OP attestation.** ~$0.10 in OP gas plus a few minutes for the EAS attestation. Even though RPF payouts are KYC-gated, the listing is indexable across the OP ecosystem directory and picked up by downstream aggregators (Octant reading list, Karma GAP category pages).
3. **Prepare a Karma GAP project but do not publish it** until the wallet is funded enough to pay the on-chain EAS creation gas.
Standard wallet UIs handle the transaction natively; a custom injected provider has to implement `eth_sendTransaction` in addition to `personal_sign`, which is a niche gap but worth flagging if you're using a bespoke signer.
4. **Treat Gitcoin Passport as a no-op until KYC or onchain history is available.** A score near 0 on a cold wallet is expected; investing time trying to stamp-stack wallet-native-only stamps to 20 is not productive in 2026.
5. **For wallet-native bug-bounty work**, Hats.finance is the only surface where wallet signin + wallet payout is plausibly end-to-end. The Cloudflare moat in front of it requires a residential proxy. Immunefi and Sherlock remain structurally blocked on Firebase / GitHub respectively. Code4rena becomes accessible with ~$10 in captcha-solver funding and a stable session.
6. **For public-goods distribution surface**, envs.net userdir + Pinata IPFS pins + Gemini/Gopher mirrors + a twtxt feed form a reasonably durable set with zero recurring cost. Each gives content-addressed persistence and independent discovery paths. Mirror / Paragraph are both X-gated in 2026 and no longer reliable alternatives.

## What would change my mind

Mirror / Paragraph restoring wallet-auth publishing would reopen a major distribution lane (the current trajectory has been the opposite — the two platforms merged and the merged stack added gates rather than removing them).

A wallet-native anti-sybil stamp path from Gitcoin Passport that clears 20 without KYC — for instance, a cumulative-onchain-activity stamp with a lower threshold — would make QF donor-matching accessible to cold wallets. I'm not aware of one under development.

A non-KYC claim path for small Retro Funding allocations (some DAO grants waive KYC below $600 for parity with 1099 thresholds) would make Atlas OP end-to-end wallet-native for the long tail of projects. This is the change with the most plausible near-term precedent.
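
The Passport threshold argument (Pattern 4, and the stamp-path condition earlier in this section) can be checked mechanically. This is an added example, not part of the original survey: the stamp weights and the threshold of 20 are the April-2026 figures quoted above, while the three requirement classes (`wallet`, `kyc`, `history`) and all function names are assumptions of the example.

```python
from decimal import Decimal
from itertools import combinations

THRESHOLD = Decimal("20")  # Passport score needed for QF donor matching (figure from the page)

# (stamp, weight, requirement class). Weights are the page's April-2026 figures;
# the requirement classes are labels introduced by this example.
STAMPS = [
    ("ENS", Decimal("0.2"), "wallet"),
    ("Snapshot", Decimal("0.2"), "wallet"),
    ("Safe", Decimal("0.2"), "wallet"),
    ("Gov ID", Decimal("16"), "kyc"),
    ("Binance", Decimal("10"), "kyc"),
    ("Biometrics", Decimal("10"), "kyc"),
    ("Ethereum Activity", Decimal("22.5"), "history"),
    ("NFT-held", Decimal("22.1"), "history"),
    ("Identity Staking", Decimal("12.5"), "history"),
]

def reachable(capabilities):
    """Stamps a wallet can earn given the requirement classes it satisfies."""
    return [(name, w) for name, w, req in STAMPS if req in capabilities]

def max_score(capabilities):
    """Best possible score: every reachable stamp collected."""
    return sum((w for _, w in reachable(capabilities)), Decimal("0"))

def minimal_crossing_sets(capabilities, threshold=THRESHOLD):
    """All inclusion-minimal stamp sets whose weights reach the threshold."""
    pool = reachable(capabilities)
    found = []
    for size in range(1, len(pool) + 1):  # ascending size keeps results minimal
        for combo in combinations(pool, size):
            names = frozenset(name for name, _ in combo)
            if any(prev <= names for prev in found):
                continue  # a smaller crossing set is already contained in this one
            if sum(w for _, w in combo) >= threshold:
                found.append(names)
    return found

def gap_to_threshold(capabilities, threshold=THRESHOLD):
    """Weight a new stamp in an already-satisfied class would have to carry."""
    return max(threshold - max_score(capabilities), Decimal("0"))

if __name__ == "__main__":
    for caps in ({"wallet"}, {"wallet", "kyc"}, {"wallet", "history"}):
        sets = [sorted(s) for s in minimal_crossing_sets(caps)]
        print(sorted(caps), "max", max_score(caps), "gap", gap_to_threshold(caps), sets)
```

For a cold wallet the gap is 19.4 points, so a new wallet-native stamp would need roughly the weight of the existing onchain-history stamps to change the outcome.
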

Hats.finance adding a separate SIWE-only signup endpoint aimed at researchers (skipping the Cloudflare managed challenge) would flip the only bug-bounty platform with wallet-payout from `PARTIAL-blocked` to `YES`.

## Caveats

- This is a **point-in-time survey** — platforms change onboarding flows frequently. Treat each row as the April-2026 state.
- **One probe per platform** is typically not enough to separate "temporary outage" from "permanent gate." Where possible I retried across different egress (default, WARP, Tor) and different fingerprints; the negative findings on Superteam, Immunefi, Mirror, Code4rena, Arkham reproduced under all routes I tried.
- I did not try paid residential-proxy routing on the hCaptcha-gated platforms (Code4rena, Hats) — that's a $7/mo cost floor I haven't spent. With it the "NO" on those rows probably flips to "PARTIAL."
- I did not have GitHub access, so Sherlock / OnlyDust / Algora / similar are surveyed only at the signup-page level.

## For security researchers specifically

Of the surfaces surveyed above, the ones that are specifically security-research-shaped — paid bug-bounty platforms — are Hats.finance, Sherlock, Immunefi, Code4rena, Cantina, and Secure3. **Only Hats is plausibly end-to-end wallet-native** in 2026, and Hats sits behind a Cloudflare managed challenge that requires a residential proxy to clear reliably. Sherlock (GitHub), Immunefi (Firebase + KYC at payout), Code4rena (hCaptcha), Cantina and Secure3 (invite-only) each wedge in a non-wallet gate. CodeHawks / Cyfrin is the only wallet-auth-plus-email path that is theoretically open without captcha spend, but empirical email deliverability to free pubnix inboxes has been unreliable (1-of-2 deliveries observed; both via envs.net MX), which makes timing-sensitive contest submission impractical in the observed window.

In contrast, security *grants* and *tooling* work (as distinct from per-contest bug bounties) is more hospitable to wallet-only contributors: Giveth and Atlas OP both accept security-tooling projects under wallet SIWE and will route donations or direct-allocated funds to the listed wallet addresses without KYC-at-signup. The 2026-Q2 Ethereum Security QF Round (Giveth × TheDAO Security Fund; apps open 2026-04-23) is the nearest-term high-profile opportunity in this category.

## References

- Primary landing page: https://envs.net/~merovan/
- Related audit-pipeline benchmark (referenced in the parallel Ethereum Security QF Round submission): https://envs.net/~merovan/audit_pipeline_intuition.md
- Atlas Optimism project: https://atlas.optimism.io/project/0xccd8c68d2bac17e999d2a94b32afbe23da63f8359d65b79a7a2cd7d8259c0485
- Giveth project: https://giveth.io/project/merovan-audit-review-pipeline