EF Blog


Security

Security updates related to the Ethereum protocol, tooling infrastructure and applications.

August 20, 2025

Sec

Trillion Dollar Security - Phase 2

by Ethereum Foundation Team

Since announcing the Trillion Dollar Security project, we have surveyed the ecosystem to understand which improvements are highest priority to every layer of the Ethereum stack and community. Now it is time to begin the next phase of this initiative: acting on the highest priority issues we face. For this first wave of actions, we will mostly focus on UX issues. Our research showed these to be the most urgent issues facing both individual and institutional users of Ethereum and Ethereum-based applications. During this first wave we will kick off a range of work targeting crucial areas in UX security. The work we begin today is a combination of high leverage short-term actions and long-term projects that we expect will continue for years. We intend to regularly

May 14, 2025

Sec

Announcing the Trillion Dollar Security Initiative

by Ethereum Foundation Team

Ethereum is the most secure blockchain ecosystem. This is the result of 10 years of progress and iteration across every level of Ethereum’s technology stack, from wallet UX to developer tooling to consensus protocol security. But being the most secure platform in the crypto ecosystem isn’t enough. Ethereum’s ambition is far greater: to be civilization-scale infrastructure that securely underpins the internet and global economy, surpassing the safety and trustworthiness of the world’s legacy systems. Today we are announcing the Trillion Dollar Security initiative, an ecosystem-wide effort to upgrade Ethereum’s security to help bring the world onchain. Reaching “Trillion Dollar security” means a world where: Billions of individuals are each comfortable storing more than $1000 onchain, collectively amounting to trillions of dollars secured on Ethereum. Companies, institutions or governments

May 7, 2025

Sec

CVE-2025-30147 - The curious case of subgroup check on Besu

by Antonio Sanso

Thanks to Marius Van Der Wijden for creating the test case and statetest, and for helping the Besu team confirm the issue. Also, kudos to the Besu team, the EF security team, and Kevaundray Wedderburn. Additionally, thanks to Yuxiang Qiu, Justin Traglia, Marius Van Der Wijden, Benedikt Wagner, and Kevaundray Wedderburn for proofreading. If you have any other questions/comments, find me on twitter at @asanso. tl;dr: Besu Ethereum execution client version 25.2.2 suffered from a consensus issue related to the EIP-196/EIP-197 precompiled contract handling for the elliptic curve alt_bn128 (a.k.a. bn254). The issue was fixed in release 25.3.0. Here is the full CVE report. N.B.: Part of this post requires some knowledge about elliptic curves (cryptography).

July 8, 2024

Sec

Ethereum Protocol Attackathon in Collaboration with Immunefi

by EPS Research Team

The Ethereum Protocol Security (EPS) Research Team is pleased to announce the launch of the first Ethereum protocol Attackathon, hosted by Immunefi. This four-week event aims to enhance the security of the Ethereum protocol through a large-scale crowdsourced security audit competition. Our goal is to raise over 2 million USD for the reward pool; the EF has seeded the pool with an initial 500,000 USD.

July 2, 2024

Sec

blog.ethereum.org mailing list incident

by EF Operational Security

On 2024-06-23, 00:19 AM UTC, a phishing email was sent out to 35,794 email addresses by updates@blog.ethereum.org. Users who clicked the link in the email were sent to a malicious website. This website had a crypto drainer running in the background, and if a user initiated their wallet and signed the transaction requested by the website, their wallet would have been drained. Our internal security team immediately launched an investigation to help determine who launched the attack, what the aim of the attack was, when it happened, who was affected, and how it happened. Some of the initial actions taken were: Prevented the threat actor from sending additional emails. Sent out notifications via twitter and email to not click the link in question. Closed down the

March 21, 2024

Sec

Sepolia Incident

by Marius van der Wijden, Toni Wahrstätter, Parithosh Jayanthi

This blog post discloses a threat against the Ethereum network that was present from the Merge up until the Dencun hard fork.

May 18, 2021

Sec

Dodging a bullet: Ethereum State Problems

by Martin Holst Swende & Peter Szilagyi

With this blog post, the intention is to officially disclose a severe threat against the Ethereum platform, which was a clear and present danger up until the Berlin hardfork.

November 12, 2020

Sec

Geth security release
