Skip to main content

Help update this page

🌏

There’s a new version of this page but it’s only in English right now. Help us translate the latest version.

No bugs here!🐛

This page is not being translated. We've intentionally left this page in English for now.

Open for submissions

Bug Bounty Program 🐛
Earn up to $250,000 USD and a place on the leaderboard by finding protocol, client and Solidity bugs affecting the Ethereum network.
Submit a bugRead rules
1
protolambda GitHub avatar
protolambda
42400 points
🏆
2
holiman GitHub avatar
Martin Holst Swende
36000 points
🥈
3
guidovranken GitHub avatar
Guido Vranken
35600 points
🥉
4
samczsun GitHub avatar
Sam Sun
35000 points
5
chainsecurity GitHub avatar
ChainSecurity
21000 points
See full leaderboards

Clients featured in the bounties

In Scope

Our bug bounty program spans end-to-end: from soundness of protocols (such as the blockchain consensus model, the wire and p2p protocols, proof of work, proof of stake, etc) and protocol/implementation compliance to network security and consensus integrity. Classical client security as well as security of cryptographic primitives are also part of the program. When in doubt, send an email to bounty@ethereum.org and ask us.

📒

Specification bugs

The Ethereum Specifications detail the design rationale for the Execution Layer and Consensus Layer.

Consensus Layer Specifications
Execution Layer Specifications

It might be helpful to check out the following annotations:

Types of bugs

  • Safety/finality-breaking bugs
  • Denial of service (DOS) vectors
  • Inconsistencies in assumptions, like situations where honest validators can be slashed
  • Calculation or parameter inconsistencies
💻

Client bugs

Clients run the Ethereum Network, and they need to follow the logic set out in the specification and be secure against potential attacks. The bugs we want to find are related to the implementation of the protocol.

Currently execution layer clients (Besu, Erigon, Geth and Nethermind) and consensus layer clients (Lighthouse, Lodestar, Nimbus, Teku and Prysm) are included in the Bug Bounty Program. More clients may be added as they complete audits and become production ready.

Types of bugs

  • Spec non-compliance issues
  • Unexpected crashes, RCE or denial of service (DOS) vulnerabilities
  • Any issues causing irreparable consensus splits from the rest of the network

Helpful links

Besu
Erigon
Geth
Lighthouse
Lodestar
Nimbus
Nethermind
Prysm
Teku
📖

Solidity bugs

See the Solidity SECURITY.MD for more details about what is included in this scope.

Solidity does not hold security guarantees regarding compilation of untrusted input – and we do not issue rewards for crashes of the solc compiler on maliciously generated data.

Helpful links

SECURITY.md
📜

Deposit Contract bugs

The specificiations and source code of the Beacon Chain Deposit Contract is part of the bug bounty program.

Out of scope

Only the targets listed under in-scope are part of the Bug Bounty Program. This means that for example our infrastructure; such as webpages, dns, email etc, are not part of the bounty-scope. ERC20 contract bugs are typically not included in the bounty scope. However, we can help reach out to affected parties, such as authors or exchanges in such cases. ENS is maintained by the ENS foundation, and is not part of the bounty scope.

Submit a bug

For each valid bug you find you’ll earn rewards. The quantity of rewards awarded will vary depending on Severity. The severity is calculated according to the OWASP risk rating model based on Impact on the Ethereum Network and Likelihood. View OWASP method

The EF will also provide rewards based on:

Quality of description: Higher rewards are paid for clear, well-written submissions.

Quality of reproducibility: A Proof of Concept (POC) must be included to be eligible for rewards. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.

Quality of fix, if included: Higher rewards are paid for submissions with clear description of how to fix the issue.

Up to 2,000 USD

Low

Up to 2,000 USD

Up to 1,000 points

Severity

  • Low impact, medium likelihood
  • Medium impact, low likelihood

Example

Attacker can sometimes put a node in a state that causes it to drop one out of every one hundred attestations made by a validator
Submit low risk bug
Up to 10,000 USD

Medium

Up to 10,000 USD

Up to 5,000 points

Severity

  • High impact, low likelihood
  • Medium impact, medium likelihood
  • Low impact, high likelihood

Example

Attacker can successfully conduct eclipse attacks on nodes with peer-ids with 4 leading zero bytes
Submit medium risk bug
Up to 50,000 USD

High

Up to 50,000 USD

Up to 10,000 points

Severity

  • High impact, medium likelihood
  • Medium impact, high likelihood

Example

There is a consensus bug between two clients, but it is difficult or impractical for the attacker to trigger the event.
Submit high risk bug
Up to 250,000 USD

Critical

Up to 250,000 USD

Up to 25,000 points

Severity

  • High impact, high likelihood

Example

There is a remote code execution in a majority client, and it is trivial for an attacker to trigger the vulnerability.
Submit critical risk bug

Bug hunting rules

The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc). Local laws require us to ask for proof of your identity. You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours and must take place on local running testnets.

  • Issues without a POC or that have already been submitted by another user or are already known to spec and client maintainers are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty.
  • Employees and contractors of the Ethereum Foundation or client teams in scope of the bounty program may participate in the program only in the accrual of points and will not receive monetary rewards.
  • Ethereum bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ethereum Foundation bug bounty panel.

Execution Layer Bug Bounty leaderboard

Find execution layer bugs to get added to this leaderboard

1
samczsun GitHub avatar
Sam Sun
35000 points
🏆
2
holiman GitHub avatar
Martin Holst Swende
33500 points
🥈
3
chainsecurity GitHub avatar
ChainSecurity
21000 points
🥉
4
junorouse GitHub avatar
Juno Im
20500 points
5
uknowy GitHub avatar
Yoonho Kim (team Hithereum)
20000 points
6
johnyangk GitHub avatar
John Youngseok Yang (Software Platform Lab)
20000 points
7
guidovranken GitHub avatar
Guido Vranken
18000 points
8
peckshield GitHub avatar
PeckShield
17000 points
9
itsunixiknowthis GitHub avatar
ItsUnixIKnowThis
15000 points
10
catageek GitHub avatar
Bertrand Masius
15000 points
11
tintinweb GitHub avatar
Tin
12500 points
12
Ralph Pichler
12500 points
13
Bob Conan
12000 points
14
lukaszmatczak GitHub avatar
Łukasz Matczak
11000 points
15
Heilman/Marcus/Goldberg
10000 points
16
jonasnick GitHub avatar
Jonas Nick
10000 points
17
jtoman GitHub avatar
John Toman
10000 points
18
Sebastian Henningsen
8000 points
19
Dominic Brütsch
7500 points
20
HarryR GitHub avatar
Harry Roberts
5000 points
21
p- GitHub avatar
Peter Stöckli
5000 points
22
Dedaub GitHub avatar
Neville Grech
5000 points
23
EthHead GitHub avatar
EthHead
5000 points
24
SergioDemianLerner GitHub avatar
Sergio Demian Lerner
2500 points
25
danhper GitHub avatar
Daniel Perez
2500 points
26
yaronvel GitHub avatar
Yaron Velner
2000 points
27
whitj00 GitHub avatar
Whit Jackson
2000 points
28
Ming Chuan Lin
2000 points
29
melonport GitHub avatar
Melonport team
2000 points
30
maurelian GitHub avatar
Maurelian
2000 points
31
Cjentzsch GitHub avatar
Christoph Jentzsch
2000 points
32
DVPNET GitHub avatar
DVP (dvpnet.io)
1200 points
33
Vasily Vasiliev
1000 points
34
talko GitHub avatar
talko
1000 points
35
swaldman GitHub avatar
Steve Waldman
1000 points
36
ptk GitHub avatar
Panu Kekäläinen
1000 points
37
montyly GitHub avatar
Josselin Feist
1000 points
38
henrit GitHub avatar
Henrit
1000 points
39
BlameByte GitHub avatar
Marc Bartlett
1000 points
40
Barry Whitehat
1000 points
41
badmofo GitHub avatar
Lucas Ryan
1000 points
42
agroce GitHub avatar
Alex Groce
1000 points
43
n0thingness GitHub avatar
Daniel Briskin
750 points
44
daenamkim GitHub avatar
Daenam Kim
750 points
45
Myeongjae Lee
500 points
46
Marcin Noga (Cisco/Talos Security)
500 points
47
jazzybedi
500 points
48
feeker GitHub avatar
Feeker - 360 ESG Codesafe Team
500 points
49
ethernomad GitHub avatar
Jonathan Brown
500 points
50
davidmurdoch GitHub avatar
David Murdoch
500 points
51
wadeAlexC GitHub avatar
Alexander Wade
500 points
52
gitpusha GitHub avatar
Luis Schliesske
200 points

Consensus Layer Bug Bounty leaderboard

Find consensus layer bugs to get added to this leaderboard

1
protolambda GitHub avatar
protolambda
42400 points
🏆
2
cryptosubtlety GitHub avatar
Quan Thoi Minh Nguyen
19650 points
🥈
3
jrhea GitHub avatar
Jonny Rhea
18700 points
🥉
4
guidovranken GitHub avatar
Guido Vranken
17600 points
5
sifraitech GitHub avatar
Grandine team
9000 points
6
kilic GitHub avatar
Onur Kılıç
6000 points
7
atoulme GitHub avatar
Antoine Toulme
5000 points
8
asanso GitHub avatar
Antonio Sanso
4000 points
9
itsunixiknowthis GitHub avatar
ItsUnixIKnowThis
2850 points
10
AlexSSD7 GitHub avatar
Alexander Sadovskyi
2500 points
11
tintinweb GitHub avatar
tintin
2500 points
12
holiman GitHub avatar
Martin Holst Swende
2500 points
13
Akincibor
1750 points
14
mcdee GitHub avatar
Jim McDonald
200 points

Frequently asked questions

What should a good vulnerability submission look like?

See a real example of a quality vulnerability submission.

Description: Remote Denial-of-service using non-validated blocks

Attack scenario: An attacker can send blocks that may require a high amount of computation (the maximum gasLimit) but has no proof-of-work. If the attacker sends blocks continuously, the attacker may force the victim node to 100% CPU utilization.

Impact: An attacker can abuse CPU utilization on remote nodes, possibly causing full DoS.

Components: Go client version v0.6.8

Reproduction: Send a block to a Go node that contains many txs but no valid PoW.

Details: Blocks are validated in the method Process(Block, dontReact). This method performs expensive CPU-intensive tasks, such as executing transactions (sm.ApplyDiff) and afterward it verifies the proof-of-work (sm.ValidateBlock()). This allows an attacker to send blocks that may require a high amount of computation (the maximum gasLimit) but has no proof-of-work. If the attacker sends blocks continuously, the attacker may force the victim node to 100% CPU utilization.

Fix: Invert the order of the checks.

Is the bug bounty program is time limited?

No.

No end date is currently set. See the Ethereum Foundation blog for the latest news.

How are bounties paid out?

Rewards are paid out in ETH or DAI.

Rewards are paid out in ETH or DAI after the submission has been validated, usually a few days later. Local laws require us to ask for proof of your identity. In addition, we will need your ETH address.

Can I donate my reward to charity?

Yes!

We can donate your reward to an established charitable organization of your choice.

I reported an issue / vulnerability but have not received a response!

Please allow a few days for someone to respond to your submission.

We aim to respond to submissions as fast as possible. Feel free to email us at bounty@ethereum.org if you have not received a response within a day or two.

I want to be anonymous / I do not want my name on the leader board.

You can do this, but it might make you ineligble for rewards.

Submitting anonymously or with a pseudonym is OK, but will make you ineligible for ETH/DAI rewards. To be eligible for ETH/DAI rewards, we require your real name and a proof of your identity. Donating your bounty to a charity doesn’t require your identity.

Please let us know if you do not want your name/nick displayed on the leader board.

What are the points in the leaderboard?

Every found vulnerability / issue is assigned a score

Every found vulnerability / issue is assigned a score. Bounty hunters are ranked on our leaderboard by total points.

Do you have a PGP key?

Yes. Expand for details.

Please use AE96 ED96 9E47 9B00 84F3 E17F E88D 3334 FA5F 6A0A

PGP Key

Questions?

Email us: bounty@ethereum.org

✉️

Was this page helpful?