Security

Ethereum is the most secure blockchain ecosystem. This is the result of 10 years of progress and iteration across every level of Ethereum’s technology stack, from wallet UX to developer tooling to consensus protocol security. But being the most secure platform in the crypto ecosystem isn’t enough. Ethereum’s ambition is far greater: to be civilization-scale infrastructure that securely underpins the internet and global economy, surpassing the safety and trustworthiness of the world’s legacy systems. Today we are announcing the Trillion Dollar Security initiative, an ecosystem-wide effort to upgrade Ethereum’s security to help bring the world onchain. Reaching “Trillion Dollar security” means a world where: Billions of individuals are each comfortable storing more than $1000 onchain, collectively amounting to trillions of dollars secured on Ethereum. Companies, institutions or governments

Thanks to Marius Van Der Wijden for creating the test case and statetest, and for helping the Besu team confirm the issue. Also, kudos to the Besu team, the EF security team, and Kevaundray Wedderburn. Additionally, thanks to Yuxiang Qiu, Justin Traglia, Marius Van Der Wijden, Benedikt Wagner, and Kevaundray Wedderburn for proofreading. If you have any other questions/comments, find me on twitter at @asanso tl;dr: Besu Ethereum execution client version 25.2.2 suffered from a consensus issue related to the EIP-196/EIP-197 precompiled contract handling for the elliptic curve alt_bn128 (a.k.a. bn254). The issue was fixed in release 25.3.0. Here is the full CVE report. N.B.: Part of this post requires some knowledge about elliptic curves (cryptography).

The Ethereum Protocol Security (EPS) Research Team is pleased to announce the launch of the first Ethereum protocol Attackathon, hosted by Immunefi. This four-week event aims to enhance the security of the Ethereum protocol through a large-scale crowdsourced security audit competition. Our goal is to raise over 2 million USD for the reward pool, the EF has seeded the pool with an initial 500,000 USD.

On 2024-06-23, 00:19 AM UTC, a phishing email was sent out to 35,794 email addresses by updates@blog.ethereum.org with the following content Users who clicked the link in the email were sent to a malicious website: This website had a crypto drainer running in the background, and if a user initiated their wallet and signed the transaction requested by their website their wallet would have been drained. Our internal security team immediately launched an investigation to help determine who launched the attack, what the aim of the attack was, when it happened, who was affected, and how it happened. Some of the intial actions taken were: Prevented the threat actor from sending additional emails. Sent out notifications via twitter and email to not click the link in question. Closed down the

This blog post discloses a threat against the Ethereum network that was present from the Merge up until the Dencun hard fork.

With this blog post, the intention is to officially disclose a severe threat against the Ethereum platform, which was a clear and present danger up until the Berlin hardfork.

The Ethereum Core Developers and the Ethereum Security Community were made aware of the potential Constantinople-related issues identified by ChainSecurity on January 15, 2019. We are investigating any potential vulnerabilities and will follow with updates in this blog post and across social media channels. Out of an abundance of caution, key stakeholders around the Ethereum community have determined that the best course of action will be to delay the planned Constantinople fork that would have occurred at block 7,080,000 on January 16, 2019. This will require anyone running a node (node operators, exchanges, miners, wallet services, etc...) to update to a new version of Geth or Parity before block 7,080,000. Block 7,080,000 will occur in approximately 32 hours from the time of this publishing or at approximately