Today we have disclosed the second round of vulnerabilities in the Ethereum Foundation Bug Bounty program! 🥳 All of these vulnerabilities were discovered and reported directly to the Ethereum Foundation.
When bugs are reported and validated, the Ethereum Foundation coordinates disclosures to the relevant teams and helps verify vulnerabilities across all clients. The Bug Bounty program is currently accepting reports for the following client software:
- Erigon
- Go Ethereum
- Nethermind
- Lodestar
- Lighthouse
- Prysm
- Teku
- Besu
- Nimbus
In addition to the client software, the Bug Bounty program also covers the deposit contract, the execution layer and consensus layer specifications, and Solidity. 🙏
Vulnerability repository and list
Since the last vulnerability disclosure a lot has happened, including the merge 🐼 and the increase of the maximum bounty to $250,000. 💰
The highest award paid during this period was $50,000. It went to Scientist for reporting an issue where Lighthouse beacon nodes could be crashed by malicious BlocksByRange messages carrying an excessively large count value. You can learn more about this specific vulnerability here. 💥
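The class of bug described above, a peer-supplied count that the request handler trusts, is worth seeing as code. The following is an added example written for this post, not Lighthouse's code and not a reconstruction of the actual defect (the linked disclosure has those details). It models a BlocksByRange-style request as defined in the consensus-layer p2p spec (start_slot, count, step) and shows the guard a handler needs: bound count by the spec's MAX_REQUEST_BLOCKS (1024) before any allocation sized by it, and do the slot arithmetic with checked operations so a hostile start_slot or step cannot wrap. The struct, enum and function names are this example's own.

```rust
// Added example: validating a BlocksByRange-style request before serving it.
// This is not Lighthouse code. MAX_REQUEST_BLOCKS = 1024 matches the
// consensus-layer p2p spec; the names below are illustrative.

/// Upper bound on the number of blocks one BlocksByRange request may ask for.
pub const MAX_REQUEST_BLOCKS: u64 = 1024;

/// The wire fields of the request as a peer sends them (all attacker-controlled).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct BlocksByRangeRequest {
    pub start_slot: u64,
    pub count: u64,
    pub step: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RequestError {
    ZeroCount,
    ZeroStep,
    CountTooLarge { requested: u64, max: u64 },
    SlotOverflow,
}

/// Validate the request and return the slots the node should serve.
///
/// The count bound is checked before anything is allocated from it, so a
/// peer sending count = u64::MAX is rejected with a cheap error instead of
/// driving a huge reservation. The last slot is computed with checked
/// arithmetic, so start_slot + (count - 1) * step cannot silently wrap.
pub fn requested_slots(req: &BlocksByRangeRequest) -> Result<Vec<u64>, RequestError> {
    if req.count == 0 {
        return Err(RequestError::ZeroCount);
    }
    if req.step == 0 {
        return Err(RequestError::ZeroStep);
    }
    if req.count > MAX_REQUEST_BLOCKS {
        return Err(RequestError::CountTooLarge { requested: req.count, max: MAX_REQUEST_BLOCKS });
    }
    // Distance from the first to the last requested slot, overflow-checked.
    let span = (req.count - 1)
        .checked_mul(req.step)
        .ok_or(RequestError::SlotOverflow)?;
    req.start_slot
        .checked_add(span)
        .ok_or(RequestError::SlotOverflow)?;

    // Only now size a buffer from the peer's value; it is at most 1024 entries.
    let mut slots = Vec::with_capacity(req.count as usize);
    let mut slot = req.start_slot;
    for _ in 0..req.count {
        slots.push(slot);
        // The value left after the final push is never used, so wrapping is
        // harmless here; every pushed slot is within the range proven above.
        slot = slot.wrapping_add(req.step);
    }
    Ok(slots)
}

fn main() {
    // Constructed requests: one hostile, one at the limit, one that would wrap.
    let hostile = BlocksByRangeRequest { start_slot: 0, count: u64::MAX, step: 1 };
    let at_limit = BlocksByRangeRequest { start_slot: 100, count: MAX_REQUEST_BLOCKS, step: 1 };
    let wrapping = BlocksByRangeRequest { start_slot: u64::MAX - 1, count: 3, step: 1 };
    for req in [hostile, at_limit, wrapping] {
        match requested_slots(&req) {
            Ok(slots) => println!("{:?} -> serve {} slots", req, slots.len()),
            Err(e) => println!("{:?} -> reject: {:?}", req, e),
        }
    }
}
```

The order of the checks is the point: a handler that reserves memory or iterates from count and only later compares it to the limit has already done the attacker's work by the time it rejects the request.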
Another notable set of vulnerabilities were fork choice attacks. EF researchers and client teams investigated and patched attacks that could cause long reorgs. 👀
Guido Vranken takes first place for the most valid reports in this period, and at the same time collected the most points in the Bug Bounty ranking! 🏆
We also have two bounty hunters who decided to donate their rewards to charity: nrv and PwningEth! 🔥
The full list of new vulnerabilities, along with all details, can be found in the disclosure repository.
All vulnerabilities added to the disclosure catalog were fixed before the latest hardforks on the execution layer and consensus layer.
For more information about disclosure policies, deadlines and cataloging, visit the disclosure repository.
Thank you 🙏
We would like to extend our heartfelt thanks to everyone involved in discovering and reporting vulnerabilities, as well as the teams responsible for fixing them. While we have attempted to include the names or pseudonyms of all reporters, many developers and researchers within client teams and the Ethereum Foundation have discovered and fixed vulnerabilities outside of the bounty program. There are also many unsung heroes such as client team developers, community members, and many others who have spent countless hours triaging, verifying, and mitigating vulnerabilities before they can be exploited.
Your immense efforts have helped ensure the security of Ethereum. THANKS!