Today we published the second set of disclosed vulnerabilities from the Ethereum Foundation Bug Bounty Program! These vulnerabilities were previously discovered and reported directly to the Ethereum Foundation.
Once a bug is reported and verified, the Ethereum Foundation coordinates disclosure to the affected team and helps cross-check vulnerabilities across all clients. The bug bounty program is currently accepting reports for the following client software:
- Erigon
- Go Ethereum (Geth)
- Lodestar
- Nethermind
- Lighthouse
- Prysm
- Teku
- Besu
- Nimbus
In addition to client software, the bug bounty program covers the deposit contract, the execution layer and consensus layer specifications, and Solidity.
Repository and Vulnerability List
The period since the last vulnerability disclosure has been quite eventful, including the Merge and an increase of the maximum bounty reward to $250,000.
The highest reward paid during this period was $50,000. It was awarded to scio for reporting an issue in which Lighthouse beacon nodes crashed when they received a malicious BlocksByRange message with an excessively large count value. More details on this specific vulnerability are available in the public repository.
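The BlocksByRange issue above is a request-validation failure: a peer-supplied count drove work the node had not bounded. The following is an added illustration, not Lighthouse's code or the reporter's, of the checks a defensive handler needs; it assumes a simplified request with only start_slot and count, and uses the consensus spec bound MAX_REQUEST_BLOCKS = 1024 (the page itself does not state this constant).

```rust
/// Simplified model of a consensus-layer BlocksByRange request as decoded
/// from a peer. Every field is attacker-controlled until validated.
#[derive(Debug, Clone, Copy)]
pub struct BlocksByRangeRequest {
    pub start_slot: u64,
    pub count: u64,
}

/// Spec constant (MAX_REQUEST_BLOCKS = 2**10) bounding any response.
pub const MAX_REQUEST_BLOCKS: u64 = 1024;

#[derive(Debug, PartialEq, Eq)]
pub enum RequestError {
    /// A count of 0 is meaningless and is rejected rather than looped over.
    ZeroCount,
    /// count exceeds the spec bound; the offending value is reported.
    CountTooLarge(u64),
    /// start_slot + count - 1 would wrap past u64::MAX.
    SlotRangeOverflow,
}

/// Check the request before it can drive any allocation or database lookup.
/// Returns the inclusive slot range the response may cover.
pub fn validate_request(req: &BlocksByRangeRequest) -> Result<(u64, u64), RequestError> {
    if req.count == 0 {
        return Err(RequestError::ZeroCount);
    }
    if req.count > MAX_REQUEST_BLOCKS {
        return Err(RequestError::CountTooLarge(req.count));
    }
    // Checked arithmetic: a start_slot near u64::MAX must not silently wrap.
    let end_slot = req
        .start_slot
        .checked_add(req.count - 1)
        .ok_or(RequestError::SlotRangeOverflow)?;
    Ok((req.start_slot, end_slot))
}

/// Hardened handler: the slot list is built only after validation, so a
/// peer can never make this node materialise more than MAX_REQUEST_BLOCKS
/// entries or loop over a wrapped range.
pub fn slots_to_serve(req: &BlocksByRangeRequest) -> Result<Vec<u64>, RequestError> {
    let (start, end) = validate_request(req)?;
    Ok((start..=end).collect())
}
```

The same shape of check applies to any length or count field read from the wire: bound it against a protocol constant and compute derived ranges with checked arithmetic before sizing buffers.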
Another notable vulnerability, researched and patched by EF researchers and the client teams, involved fork choice attacks that could cause prolonged reorganizations.
Guido Vranken submitted the most valid reports during this period, and at the same time collected the most points on the Bug Bounty leaderboard!
Two bounty hunters also decided to donate their rewards to charity: no and PwningEth!
A full list of the new vulnerabilities, with more details, can be found in the public repository.
All vulnerabilities added to the public catalog were patched prior to the latest hard fork of the execution layer and consensus layer.
For more information about our disclosure policy, timeline, and how the list is compiled, see the public repository.
Thank you
We’d like to give a big shout-out to everyone involved in discovering and reporting the vulnerabilities, as well as the teams working to fix them. Although we have attempted to include the names or pseudonyms of all reporters, there are many developers and researchers on the client teams and at the Ethereum Foundation who have discovered and fixed vulnerabilities outside of the bounty program. There are also countless unsung heroes, including client team developers and community members, who have spent countless hours triaging, cross-checking, and mitigating vulnerabilities before they could be exploited.
Your tremendous efforts have been instrumental in ensuring the security of Ethereum. Thank you!