How does Forta build an on-chain real-time security defense? Analysis of AI firewalls and the FORT token economic model

In the increasingly complex on-chain interactions and the continuously expanding asset scale in the Web3 world, security has long shifted from “post-incident patching” to the core proposition of “real-time defense.” Every contract deployment, every cross-chain operation, could potentially serve as a vulnerability entry point for attackers. Forta was born in this context—a decentralized real-time monitoring network that does not directly manage user assets but provides an around-the-clock early warning line for countless protocols, wallets, and DeFi applications.

As of April 22, 2026, Gate market data shows that the Forta token FORT is priced at $0.01711, with a 24-hour trading volume of $171,330, and a circulating market cap of approximately $10.74 million. Over the past 7 days, FORT’s price has increased by 22.37%, with a 30-day gain of 22.55%, but it has fallen by 76.79% over the past year.

On-Chain Security Incidents Are Frequent, Highlighting the Need for Real-Time Monitoring

On April 18, 2026, the rsETH cross-chain bridge of the liquidity re-staking protocol Kelp DAO was targeted in a large-scale attack. The attacker exploited a LayerZero cross-chain configuration vulnerability to mint about 116,500 rsETH out of thin air on the Ethereum mainnet, valued at approximately $293 million at the time, accounting for about 18% of the total rsETH circulation. This is the largest DeFi security incident of 2026 so far. The attacker subsequently collateralized this “air asset” into mainstream lending protocols like Aave V3, borrowing about $236 million in real WETH/ETH, triggering emergency freezes in at least 9 DeFi protocols.

This incident is not isolated. Industry statistics show that, within a week before the Kelp DAO attack, Drift Protocol suffered losses of about $280 million. In the first quarter of 2026, losses caused by hacks, exploits, and fraud reached approximately $482 million. The series of on-chain security events has further heightened market attention on real-time monitoring and alert infrastructure, making Forta, as a representative project of Web3 security monitoring, more visible to investors and developers.

From Incubation at OpenZeppelin to the Evolution of AI Firewalls

Forta did not emerge out of nowhere. It was initially incubated by the well-known smart contract security firm OpenZeppelin and officially launched its FORT token in June 2022. As the most widely used smart contract library provider in the Ethereum ecosystem, OpenZeppelin infused Forta with strong security DNA and industry trust.

Reviewing Forta’s development trajectory reveals a clear technical path from “passive monitoring” to “active blocking”:

• June 2022: FORT token officially launched, and the Forta network began operating with a dual-component architecture of decentralized detection bots and scanning nodes.
• 2023 to 2024: The network continued expanding, with detection bots exceeding 1,000, covering multiple EVM chains such as Ethereum, Polygon, BNB Chain, Arbitrum, Optimism, Avalanche.
• August 2024: Forta Firewall was officially released, introducing a custom neural network called FORTRESS, expanding the function boundary from “detect threats and alert” to “block before transaction on-chain.”
• November 2024: Forta Firewall was fully deployed, providing real-time transaction screening services for rollups and protocol teams, marking Forta’s transition from monitoring to prevention.
• May 2025: Forta partnered with Celo to integrate AI-driven security protections into Celo Layer 2 networks, creating a “default secure” transaction environment.
• February 2026: The Ethereum Foundation, in collaboration with SEAL, launched the “Trillion-Dollar Security Dashboard,” systematically integrating on-chain security monitoring frameworks, with Forta as a key component of the real-time monitoring layer.

This evolution path reveals a broader industry trend: on-chain security is shifting from a static model of “code audits + post-fix patches” to a dynamic system of “real-time monitoring + proactive blocking.”

Forta’s Architecture and Economic Model

The core architecture of the Forta network consists of two key components: detection bots and scanning nodes.

Detection bots are the “smart cameras” of Forta. Each bot is written and deployed by developers, running in Docker containers, continuously scanning transaction and block data on the chain to monitor specific threat conditions. The complexity varies significantly—simple bots might only monitor a single condition (e.g., multi-signature transaction amounts exceeding a threshold), while complex ones incorporate heuristic algorithms and machine learning models to identify highly sophisticated fraud patterns.

To prevent malicious or low-quality bots from occupying network resources, developers must stake at least 100 FORT tokens for each deployed detection bot. Bots that do not meet this staking threshold are marked as inactive and cannot participate in network operations.

Scanning nodes are the computational layer of Forta. Node operators run assigned detection bots, providing them with blockchain data, and publish alerts generated by the bots to the network. To ensure honest operation, node operators must stake at least 2,500 FORT tokens per node pool, establishing an economic constraint that incentivizes honest behavior. If a node commits false reporting, tampering, or suppression of alerts, its SLA score will be reset to zero, risking the forfeiture of staked tokens.

Forta employs a work token model: both node pools and detection bots must stake FORT to participate, with staking serving as both a participation threshold and an economic guarantee of honest behavior.

In terms of economic incentives, node operators earn FORT tokens by providing computational services. Bot developers gain rewards through widespread subscription and operation of their bots. Additionally, users who want access to Forta’s advanced alert data (e.g., Premium Plan) must pay subscription fees using FORT.

The table below summarizes the five core functions of the FORT token:

The total supply of FORT is 1 billion tokens, with 45.5% allocated to the community, 20% to core contributors, 24.5% to early supporters, and 10% to OpenZeppelin. As of April 22, 2026, approximately 632 million tokens are in circulation, representing about 63.19% of the total supply.

Rising Security Narratives Drive Capital Attention

Recent market discussions around Forta show three clear layers.

First layer: Event-driven attention. After the Kelp DAO attack, discussions on platforms like X (formerly Twitter), Discord, and other tech communities about on-chain real-time monitoring solutions surged. The main point: if the attacked protocol had integrated mature monitoring and alert systems beforehand, it might have detected abnormal cross-chain messages earlier and taken countermeasures. While this “what-if” reasoning cannot change past events, it significantly enhances market awareness of the value of security monitoring infrastructure.

Second layer: Long-term narrative of AI and blockchain security integration. In February 2026, Ethereum co-founder Vitalik Buterin revealed that Ethereum would upgrade its on-chain transaction monitoring with AI at its core in 2026. Simultaneously, OpenAI and Paradigm released EVMbench, a smart contract vulnerability detection benchmarking tool, pointing to over $100 billion in open-source crypto asset security needs. Industry analysis indicates that AI-driven fraud increased by about 500% in 2025, with attackers leveraging AI to lower attack barriers, prompting a strong demand for AI-based defenses. Forta Firewall’s FORTRESS neural network claims 99% detection accuracy with very low false positives, aligning well with this trend.

Third layer: Emergence of defensive configuration logic. Compared to purely narrative-driven asset stories, Forta’s business logic is more aligned with foundational infrastructure tools. During periods of frequent on-chain security incidents, some capital favoring defensive configurations seek infrastructure assets with practical use cases, leading to structural attention on FORT. Additionally, Forta’s staking mechanism—rewarding with 80% esFORT and 20% FORT—extends the unlocking period for most rewards, somewhat alleviating short-term selling pressure.

Industry Impact Analysis: Real-Time Monitoring Becomes the “Standard Layer” in Web3

Forta’s value positioning can be understood from a broader industry perspective.

The continuous growth of on-chain assets creates a structural demand for security infrastructure. As of 2026, Ethereum’s total value locked (TVL) surpassed $300 billion, with staked assets approaching $120 billion. Such vast asset distribution across thousands of smart contracts, hundreds of Layer 2 networks, and countless cross-chain bridges makes static code audits insufficient to cover all risk exposures.

The real-time monitoring layer represented by Forta is becoming a foundational component alongside consensus, execution, and data availability layers in the Web3 tech stack. It upgrades on-chain security from “periodic checkups” to “24/7 ECG monitoring,” enabling protocol operators and users to receive early warnings at the moment threats occur.

In this real-time monitoring domain, Forta’s decentralized detection bot network contrasts sharply with centralized monitoring solutions. Centralized solutions have lower operational costs and easier access but pose single point of failure risks; Forta’s distributed architecture, through node staking, ensures data tamper-resistance and service continuity. Moreover, Forta Firewall’s “pre-on-chain blocking” capability is a key differentiator—it can intercept transactions before they enter a block, rather than just alerting and waiting for manual intervention. However, this capability involves trade-offs between security and decentralization, and its long-term applicability remains to be tested by the market.

Multi-Scenario Evolution: Several Possible Paths in the On-Chain Security Race

Based on current industry trends and Forta’s existing layout, here are several potential development scenarios:

Scenario 1: Accelerated adoption driven by security incidents. If major on-chain security incidents continue to occur frequently, DeFi protocols and Layer 2 networks will be more eager to adopt real-time monitoring solutions. If Forta can expand protocol integrations and detection coverage during this phase, network usage and node revenue may grow in tandem. Data-wise, Forta Firewall is already running on Layer 2s like Mode and Plume, analyzing over 11.3 million transactions.

Scenario 2: AI-driven attack methods evolve, leading to a defensive arms race. Both attack and defense capabilities of AI are rapidly advancing. The 500% growth in AI-driven fraud in 2025 indicates attackers are leveraging AI to lower attack barriers significantly. In this “attack-defense race,” whether Forta Firewall’s FORTRESS neural network can maintain high detection rates and low false positives will be a critical factor in its competitive advantage.

Scenario 3: Regulatory compliance demands catalyze growth. As global virtual asset regulations become clearer, the need for on-chain transaction compliance screening may increase. Forta Firewall’s compliance modules (e.g., OFAC sanctions address detection) fit into this trend, potentially bringing additional demand beyond security monitoring.

Scenario 4: Evolution of the competitive landscape. On-chain security participants are not limited to Forta. Platforms like Tenderly, Guardrail, and others focus on developer monitoring and real-time alerts. Solutions like Ironblocks and Blockaid are also competing in Layer 2 security. Forta’s decentralized architecture and AI-driven prevention give it a differentiated edge, but ongoing changes in the competitive landscape require continuous attention.

Conclusion

Forta is at a critical juncture in the Web3 security paradigm shift. From the decentralized monitoring network incubated by OpenZeppelin to today’s AI firewall capable of pre-on-chain transaction blocking, its technological trajectory clearly reflects the industry’s evolution from “post-mortem fixes” to “preemptive prevention.”

It’s important to note that while the FORT token price has risen about 22.55% in the past month, it has fallen approximately 76.79% over the past year. Short-term price movements are emotionally correlated with security incidents, but there is no statistical evidence of a causal relationship.

The value of on-chain security infrastructure ultimately depends on its ability to serve real defense needs. Against the backdrop of frequent cross-chain bridge attacks, growing AI-driven fraud, and clearer regulatory requirements, Forta’s role warrants ongoing monitoring. For participants interested in the Web3 infrastructure sector, understanding its operational mechanisms and economic model is more meaningful in the long term than chasing short-term price fluctuations.