Today we are announcing the second set of vulnerability disclosures from the Ethereum Foundation's Bounty Program! 🥳 These vulnerabilities were previously discovered and reported directly to the Ethereum Foundation.
When bugs are reported and validated, the Ethereum Foundation coordinates disclosure to the affected teams and helps verify the vulnerabilities across all clients. The Bug Bounty Program currently accepts reports for the following client software:
- Erigon
- Go Ethereum
- Lodestar
- Nethermind
- Lighthouse
- Prysm
- Teku
- Besu
- Nimbus
In addition to client software, the Bug Bounty Program also covers the deposit contract, the execution layer and consensus layer specifications, and Solidity. 🙏
List of repositories and vulnerabilities
The period since the last vulnerability disclosure has been eventful: the Merge 🐼 shipped and the maximum bounty reward increased to $250k. 💰
The highest bounty paid out during this period was $50,000. It was awarded to scio for reporting an issue in which Lighthouse nodes could be crashed via malformed BlocksByRange messages containing an excessively large count value. You can read more about this specific vulnerability here. 💥
Another set of notable vulnerabilities concerns fork choice attacks. EF researchers and client teams investigated and fixed attacks that could cause long reorgs. 👀
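The Lighthouse report above is a reminder of the general rule for any peer-to-peer request handler: bound attacker-controlled sizes and check the arithmetic before doing any work proportional to them. The following is an added illustrative example, not Lighthouse's code or the consensus-layer reference implementation. It assumes a BlocksByRange-style request with `start_slot`, `count` and `step` fields and uses the `MAX_REQUEST_BLOCKS = 1024` limit from the consensus-layer p2p specification; the struct, error type and `validate_request` function are hypothetical names chosen for this example.

```rust
// Added example (not Lighthouse's code): bounded validation of a
// BlocksByRange-style request before any allocation or iteration happens.
// The field layout and names below are assumptions for illustration;
// MAX_REQUEST_BLOCKS is the consensus-layer p2p spec constant.

/// Upper bound on the number of blocks one BlocksByRange request may ask for.
pub const MAX_REQUEST_BLOCKS: u64 = 1024;

/// A request as decoded from the wire (assumed layout). Every field is
/// attacker-controlled and must be treated as untrusted.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct BlocksByRangeRequest {
    pub start_slot: u64,
    pub count: u64,
    pub step: u64,
}

/// Reasons a request is rejected. Each maps to a cheap, early check.
#[derive(Debug, PartialEq, Eq)]
pub enum RequestError {
    ZeroCount,
    ZeroStep,
    CountTooLarge { count: u64, max: u64 },
    SlotOverflow,
}

/// Validate a request and return the concrete list of slots it covers.
/// The request is rejected before any work proportional to `count` is done,
/// and the slot arithmetic is checked so that a hostile `step` cannot overflow.
pub fn validate_request(req: &BlocksByRangeRequest) -> Result<Vec<u64>, RequestError> {
    if req.count == 0 {
        return Err(RequestError::ZeroCount);
    }
    if req.step == 0 {
        return Err(RequestError::ZeroStep);
    }
    // Bound the count first: this is what keeps allocation and iteration small.
    if req.count > MAX_REQUEST_BLOCKS {
        return Err(RequestError::CountTooLarge { count: req.count, max: MAX_REQUEST_BLOCKS });
    }
    // `count` is now at most 1024, but `step` is still unbounded, so the span
    // (count - 1) * step and the final slot are computed with checked arithmetic.
    let span = (req.count - 1)
        .checked_mul(req.step)
        .ok_or(RequestError::SlotOverflow)?;
    req.start_slot
        .checked_add(span)
        .ok_or(RequestError::SlotOverflow)?;
    // Every intermediate slot is <= the checked last slot, so plain arithmetic
    // is safe here, and the Vec holds at most MAX_REQUEST_BLOCKS entries.
    let slots = (0..req.count).map(|i| req.start_slot + i * req.step).collect();
    Ok(slots)
}

fn main() {
    // Constructed sample requests: one benign, one oversized, one that would overflow.
    let samples = [
        BlocksByRangeRequest { start_slot: 100, count: 4, step: 2 },
        BlocksByRangeRequest { start_slot: 0, count: u64::MAX, step: 1 },
        BlocksByRangeRequest { start_slot: u64::MAX - 1, count: 3, step: 1 },
    ];
    for req in &samples {
        match validate_request(req) {
            Ok(slots) => println!("{:?} -> serve {} slots starting at {}", req, slots.len(), slots[0]),
            Err(e) => println!("{:?} -> rejected: {:?}", req, e),
        }
    }
}
```

The order of the checks matters: the `count` bound comes first because it is what limits memory and CPU, and only after it passes is the `step`-dependent arithmetic evaluated with `checked_*` operations, so neither a huge count nor a huge step can reach the allocation.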
Guido Vranken takes the lead with the most valid reports in this period. Guido also collected the most points on the Bug Bounty Leaderboard! 🏆
We also have two bounty hunters who decided to donate their bounties to charity: nrv and PwningEth! 🔥
The full list of new vulnerabilities, along with full details, can be found in the Disclosures repository.
All vulnerabilities added to the disclosure catalog prior to the latest hard fork have been patched at both the execution layer and the consensus layer.
For more information on disclosure policies, timelines, and scoring, see the Disclosures repository.
Thank you 🙏
We’d like to give a huge shout out to everyone involved in finding and reporting vulnerabilities, as well as to the teams responsible for fixing them. While we have tried to include names or aliases for all reporters, there are many developers and researchers within client teams and in the Ethereum Foundation who have discovered and patched vulnerabilities outside of the bounty program. There are also many unsung heroes, such as client team developers, community members, and others, who have spent countless hours triaging, verifying, and mitigating vulnerabilities before they could be exploited.
Your tremendous efforts have been instrumental in ensuring the security of Ethereum. Thank you!