Help update this page

🌏

There’s a new version of this page but it’s only in English right now. Help us translate the latest version.

Open for submissions

Eth2 bug bounties 🐛
Earn up to $50,000 USD and a place on the leaderboard by finding Eth2 protocol and client bugs.

Clients featured in the bounties

Valid bugs

This bug bounty program is focused on finding bugs in the core Eth2 Beacon Chain specification and the Prysm, Lighthouse, and Teku client implementations.

📒

The beacon chain specification bugs

The beacon chain specification details the design rationale and proposed changes to Ethereum via the beacon chain upgrade.

Read the full spec

It might be helpful to check out the following annotations:

Types of bug

  • safety/finality-breaking bugs.
  • denial of service (DOS) vectors
  • inconsistencies in assumptions, like situations where honest validators can be slashed.
  • calculation or parameter inconsistencies.
💻

Eth2 client bugs

The clients will run the beacon chain once the upgrade has been deployed. Clients will need to follow the logic set out in the specification and be secure against potential attacks. The bugs we want to find are related to the implementation of the protocol.

Currently Lighthouse, Nimbus, Teku, and Prysm bugs are currently eligible for this bounty. More clients may be added as they complete audits and become production ready.

Types of bug

  • spec non-compliance issues.
  • unexpected crashes or denial of service (DOS) vulnerabilities.
  • any issues causing irreparable consensus splits from the rest of the network.

Not included

The merge and shard chain upgrades are still in active development and so are not yet included as part of this bounty program.

Submit a bug

For each bug you find you’ll be rewarded points. The points you earn depend on the severity of the bug. The Ethereum Foundation (EF) determine severity using the OWASP method. View OWASP method

The EF will also award points based on:

Quality of description: Higher rewards are paid for clear, well-written submissions.

Quality of reproducibility: Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.

Quality of fix, if included: Higher rewards are paid for submissions with clear description of how to fix the issue.

Points Exchange

1 point

Loading data...

The Ethereum Foundation will pay out the value of USD in ETH or DAI.

The Ethereum Foundation reserves the right to change this without prior notice.

Up to 1,000 points

Low

Up to 2,000 DAI

Severity

  • Low impact, medium likelihood
  • Medium impact, low likelihood

Example

Attacker can sometimes put a node in a state that causes it to drop one out of every one hundred attestations made by a validator
Submit low risk bug
Up to 5,000 points

Medium

Up to 10,000 DAI

Severity

  • High impact, low likelihood
  • Medium impact, medium likelihood
  • Low impact, high likelihood

Example

Attacker can successfully conduct eclipse attacks on nodes with peer-ids with 4 leading zero bytes
Submit medium risk bug
Up to 10,000 points

High

Up to 20,000 DAI

Severity

  • High impact, medium likelihood
  • Medium impact, high likelihood

Example

There is a consensus bug between two clients, but it is difficult or impractical for the attacker to trigger the event.
Submit high risk bug
Up to 25,000 points

Critical

Up to 50,000 DAI

Severity

  • High impact, high likelihood

Example

There is a consensus bug between two clients, and it is trivial for an attacker to trigger the event.
Submit critical risk bug

Bug hunting rules

The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.

  • Issues that have already been submitted by another user or are already known to spec and client maintainers are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty.
  • Ethereum Foundation researchers and employees of Eth2 client teams are not eligible for rewards.
  • Ethereum bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ethereum Foundation bug bounty panel.

Questions?

Email us: eth2bounty@ethereum.org

✉️