Security

Since announcing the Trillion Dollar Security project, we have surveyed the ecosystem to understand which improvements are highest priority to every layer of the Ethereum stack and community. Now it is time to begin the next phase of this initiative: acting on the highest priority issues we face. For this first wave of actions, we will mostly focus on UX issues. Our research showed these to be the most urgent issues facing both individual and institutional users of Ethereum and Ethereum-based applications. During this first wave we will kick off a range of work targeting crucial areas in UX security. The work we begin today is a combination of high leverage short-term actions and long-term projects that we expect will continue for years. We intend to regularly

Ethereum is the most secure blockchain ecosystem. This is the result of 10 years of progress and iteration across every level of Ethereum’s technology stack, from wallet UX to developer tooling to consensus protocol security. But being the most secure platform in the crypto ecosystem isn’t enough. Ethereum’s ambition is far greater: to be civilization-scale infrastructure that securely underpins the internet and global economy, surpassing the safety and trustworthiness of the world’s legacy systems. Today we are announcing the Trillion Dollar Security initiative, an ecosystem-wide effort to upgrade Ethereum’s security to help bring the world onchain. Reaching “Trillion Dollar security” means a world where: Billions of individuals are each comfortable storing more than $1000 onchain, collectively amounting to trillions of dollars secured on Ethereum. Companies, institutions or governments

Thanks to Marius Van Der Wijden for creating the test case and statetest, and for helping the Besu team confirm the issue. Also, kudos to the Besu team, the EF security team, and Kevaundray Wedderburn. Additionally, thanks to Yuxiang Qiu, Justin Traglia, Marius Van Der Wijden, Benedikt Wagner, and Kevaundray Wedderburn for proofreading. If you have any other questions/comments, find me on twitter at @asanso tl;dr: Besu Ethereum execution client version 25.2.2 suffered from a consensus issue related to the EIP-196/EIP-197 precompiled contract handling for the elliptic curve alt_bn128 (a.k.a. bn254). The issue was fixed in release 25.3.0. Here is the full CVE report. N.B.: Part of this post requires some knowledge about elliptic curves (cryptography).

The Ethereum Protocol Security (EPS) Research Team is pleased to announce the launch of the first Ethereum protocol Attackathon, hosted by Immunefi. This four-week event aims to enhance the security of the Ethereum protocol through a large-scale crowdsourced security audit competition. Our goal is to raise over 2 million USD for the reward pool, the EF has seeded the pool with an initial 500,000 USD.

On 2024-06-23, 00:19 AM UTC, a phishing email was sent out to 35,794 email addresses by updates@blog.ethereum.org with the following content Users who clicked the link in the email were sent to a malicious website: This website had a crypto drainer running in the background, and if a user initiated their wallet and signed the transaction requested by their website their wallet would have been drained. Our internal security team immediately launched an investigation to help determine who launched the attack, what the aim of the attack was, when it happened, who was affected, and how it happened. Some of the intial actions taken were: Prevented the threat actor from sending additional emails. Sent out notifications via twitter and email to not click the link in question. Closed down the

This blog post discloses a threat against the Ethereum network that was present from the Merge up until the Dencun hard fork.

With this blog post, the intention is to officially disclose a severe threat against the Ethereum platform, which was a clear and present danger up until the Berlin hardfork.