EF Blog

ETH top background starting image
ETH bottom background ending image
Skip to content


Security updates related to the Ethereum protocol, tooling infrastructure and applications.

July 8, 2024


Ethereum Protocol Attackathon in Collaboration with Immunefi
Ethereum Protocol Attackathon in Collaboration with Immunefi

by EPS Research Team

The Ethereum Protocol Security (EPS) Research Team is pleased to announce the launch of the first Ethereum protocol Attackathon, hosted by Immunefi. This four-week event aims to enhance the security of the Ethereum protocol through a large-scale crowdsourced security audit competition. Our goal is to raise over 2 million USD for the reward pool, the EF has seeded the pool with an initial 500,000 USD.

July 2, 2024


blog.ethereum.org mailing list incident

by EF Operational Security

On 2024-06-23, 00:19 AM UTC, a phishing email was sent out to 35,794 email addresses by updates@blog.ethereum.org with the following content Users who clicked the link in the email were sent to a malicious website: This website had a crypto drainer running in the background, and if a user initiated their wallet and signed the transaction requested by their website their wallet would have been drained. Our internal security team immediately launched an investigation to help determine who launched the attack, what the aim of the attack was, when it happened, who was affected, and how it happened. Some of the intial actions taken were: Prevented the threat actor from sending additional emails. Sent out notifications via twitter and email to not click the link in question. Closed down the

March 21, 2024


Sepolia Incident

by Marius van der Wijden, Toni Wahrstätter, Parithosh Jayanthi

This blog post discloses a threat against the Ethereum network that was present from the Merge up until the Dencun hard fork.

May 18, 2021


Dodging a bullet: Ethereum State Problems

by Martin Holst Swende & Peter Szilagyi

With this blog post, the intention is to officially disclose a severe threat against the Ethereum platform, which was a clear and present danger up until the Berlin hardfork.

November 12, 2020


Geth security release

January 15, 2019


Security Alert: Ethereum Constantinople Postponement

by Hudson Jameson

The Ethereum Core Developers and the Ethereum Security Community were made aware of the potential Constantinople-related issues identified by ChainSecurity on January 15, 2019. We are investigating any potential vulnerabilities and will follow with updates in this blog post and across social media channels. Out of an abundance of caution, key stakeholders around the Ethereum community have determined that the best course of action will be to delay the planned Constantinople fork that would have occurred at block 7,080,000 on January 16, 2019. This will require anyone running a node (node operators, exchanges, miners, wallet services, etc...) to update to a new version of Geth or Parity before block 7,080,000. Block 7,080,000 will occur in approximately 32 hours from the time of this publishing or at approximately

December 15, 2017


Security alert — Chromium vulnerability affecting Mist Browser Beta

by Everton Fraga

Due to a Chromium vulnerability affecting all released versions of the Mist Browser Beta v0.9.3 and below, we are issuing this alert warning users not to browse untrusted websites with Mist Browser Beta at this time. Users of "Ethereum Wallet" desktop app are not affected. Affected configurations: Mist Browser Beta v0.9.3 and below Likelihood: Medium Severity: High Malicious websites can potentially steal your private keys. As Ethereum Wallet desktop app does not qualify as a browser — it accesses only the local Wallet Dapp — it is not subject to the same category of issues present in Mist. For now, it is recommended to use Ethereum Wallet to manage funds and interact with smart contracts instead. Mist Browser's vision is to be a complete user-facing bridge to the ethereum blockchain

December 19, 2016


Security alert [12/19/2016]: Ethereum.org Forums Database Compromised

by Hudson Jameson

On December 16, we were made aware that someone had recently gained unauthorized access to a database from forum.ethereum.org. We immediately launched a thorough investigation to determine the origin, nature, and scope of this incident. Here is what we know: The information that was recently accessed is a database backup from April 2016 and contained information about 16.5k forum users. The leaked information includes Messages, both public and private IP-addresses Username and email addresses Profile information Hashed passwords ~13k bcrypt hashes (salted) ~1.5k Wordpress-hashes (salted) ~2k accounts without passwords (used federated login) The attacker self-disclosed that they are the same person/persons who recently hacked Bo Shen. The attacker used social engineering to gain access to a mobile phone number that allowed them

Newer posts

Older posts

Subscribe to Protocol Announcements

Sign up to receive email notifications for protocol-related announcements, such as network upgrades, FAQs or security issues. You can opt-out of these at any time.