Today, we have disclosed the second set of vulnerabilities from the Ethereum Foundation Bug Bounty Program! š„³ These vulnerabilities were previously discovered and reported directly to the Ethereum Foundation.
When bugs are reported and validated, the Ethereum Foundation coordinates disclosures to affected teams and helps cross-check vulnerabilities across all clients. The Bug Bounty Program currently accepts reports for the following client software:
- Erigon
- Go Ethereum
- Lodestar
- Nethermind
- Lighthouse
- Prysm
- Teku
- Besu
- Nimbus
In addition to client software, the Bug Bounty Program also covers the Deposit Contract, Execution Layer & Consensus Layer Specifications and Solidity. š
Repository & vulnerability list
Since the last vulnerability disclosure has been quite eventful with events such as the Merge š¼ and the max bounty reward increase to $250,000. š°
The highest paid reward during this period was $50,000. This was awarded to scio for reporting an issue in which Lighthouse beacon nodes crashed via malicious BlocksByRange messages containing an overly large count value. You can read more about this specific vulnerability here. š„
Another notable set of vulnerabilites has been around fork choice attacks. EF researchers and client teams investigated and patched attacks that were able to cause long reorgs. š
Guido Vranken holds the top spot most positive reports in this period. At the same time, Guido managed to collect the most points for the Bug Bounty Leaderboard! š
We also have two bounty hunters who decided to donate their rewards to charities: nrv and PwningEth! š„
The full list of new vulnerabilities, along with full details, can be found in the disclosures repository.
All vulnerabilities added to the disclosures catalogue were patched prior to the latest hardforks on the Execution Layer and Consensus Layer.
For more information, and to learn more about disclosure policies, timelines, and cataloging, head over to the disclosures repository.
Thank you š
We would like to give a massive shout out to everyone involved in the discovery and reporting of vulnerabilities, as well as to the teams responsible for fixing them. While we have attempted to include the names or aliases of all reporters, there are many developers and researchers within the client teams and in the Ethereum Foundation who found and corrected vulnerabilities outside of the bounty program. There are also many unsung heroes such as client team developers, community members, and many more who have spent countless hours triaging, cross-checking, and mitigating vulnerabilities before they could be exploited.
Your immense efforts have been instrumental to ensuring Ethereum's security. Thank you!