Today, we have revealed the second batch of vulnerabilities from the Ethereum Foundation Bug Bounty Program! These vulnerabilities were previously identified and directly reported to the Ethereum Foundation.
When bugs are submitted and confirmed, the Ethereum Foundation facilitates disclosures to impacted teams and assists in validating vulnerabilities across all clients. The Bug Bounty Program currently receives reports for the following client applications:
- Erigon
- Go Ethereum
- Lodestar
- Nethermind
- Lighthouse
- Prysm
- Teku
- Besu
- Nimbus
Alongside client software, the Bug Bounty Program also encompasses the Deposit Contract, Execution Layer & Consensus Layer Specifications, and Solidity.
Repository & vulnerability list
The period since the last vulnerability announcement has been quite eventful, with milestones such as the Merge and the maximum bounty reward being raised to $250,000.
The largest reward paid during this timeframe was $50,000. It was conferred to scio for reporting an issue that caused Lighthouse beacon nodes to crash when they received malicious BlocksByRange messages containing an excessively large count value. More information about this specific vulnerability can be found here.
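The defensive pattern behind this class of bug is to bound an inbound request's count (and check the slot arithmetic it implies) before any allocation or work is sized from it. The following is an added illustration in Rust, not Lighthouse's own code; it assumes a request shape of start_slot, count and step, and a MAX_REQUEST_BLOCKS limit of 1024, the value used in the consensus-layer p2p specification.

```rust
// Added example (not Lighthouse's code): validate a BlocksByRange request
// before its `count` is used to size buffers or database reads.

/// Upper bound on blocks one BlocksByRange request may ask for (assumed: 1024).
pub const MAX_REQUEST_BLOCKS: u64 = 1024;

/// Assumed request shape; field names are illustrative.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct BlocksByRangeRequest {
    pub start_slot: u64,
    pub count: u64,
    pub step: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RequestError {
    ZeroCount,
    CountTooLarge { count: u64, max: u64 },
    SlotOverflow,
}

/// Returns the inclusive (first, last) slot range the request covers, or an
/// error if the request is empty, oversized, or would wrap slot arithmetic.
pub fn validate_blocks_by_range(req: &BlocksByRangeRequest) -> Result<(u64, u64), RequestError> {
    if req.count == 0 {
        return Err(RequestError::ZeroCount);
    }
    if req.count > MAX_REQUEST_BLOCKS {
        return Err(RequestError::CountTooLarge { count: req.count, max: MAX_REQUEST_BLOCKS });
    }
    // A step of 0 is treated as 1 (assumption); all arithmetic is checked so a
    // hostile count/step pair cannot wrap around u64.
    let step = req.step.max(1);
    let span = (req.count - 1).checked_mul(step).ok_or(RequestError::SlotOverflow)?;
    let last_slot = req.start_slot.checked_add(span).ok_or(RequestError::SlotOverflow)?;
    Ok((req.start_slot, last_slot))
}

fn main() {
    // Constructed sample requests: a normal one and one with an oversized count.
    let ok = BlocksByRangeRequest { start_slot: 100, count: 64, step: 1 };
    let hostile = BlocksByRangeRequest { start_slot: 100, count: u64::MAX, step: 1 };
    println!("{:?}", validate_blocks_by_range(&ok));      // Ok((100, 163))
    println!("{:?}", validate_blocks_by_range(&hostile)); // Err(CountTooLarge { .. })
}
```

The same check belongs on any request field that drives allocation; rejecting early keeps an unauthenticated peer from turning one message into a node crash.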
Another significant group of vulnerabilities concerned fork choice attacks. EF researchers and client teams investigated and resolved attacks that could induce lengthy reorgs.
Guido Vranken holds the top ranking for the most valid reports in this timeframe. Guido also accumulated the most points on the Bug Bounty Leaderboard!
We also have two bounty hunters who opted to donate their rewards to charitable organizations: nrv and PwningEth!
The complete list of new vulnerabilities, with full details, can be accessed in the disclosures repository.
All vulnerabilities included in the disclosures catalogue have been resolved before the recent hardforks on the Execution Layer and Consensus Layer.
For additional information, and to learn more about disclosure policies, timelines, and cataloging, please visit the disclosures repository.
Thank you
We would like to extend our heartfelt thanks to everyone involved in the discovery and reporting of vulnerabilities, as well as to the teams responsible for addressing them. While we have aimed to include the names or aliases of all reporters, there are numerous developers and researchers within the client teams and the Ethereum Foundation who identified and rectified vulnerabilities outside of the bounty initiative. Additionally, many unsung heroes such as client team developers, community members, and numerous others have invested countless hours on triaging, validating, and mitigating vulnerabilities before they could be exploited.
Your tremendous efforts have been crucial in ensuring Ethereum’s security. Thank you!