Skip to main content

Open for submissions

Bug Bounty Program 

Earn up to 1,000,000 USD and a place on the leaderboard by finding protocol, client and language compiler bugs affecting the Ethereum network.

Submit a bug (opens in a new tab)Read rules
See full leaderboards

Clients featured in the bounties

item-logo
item-logo
item-logo
item-logo
item-logo
item-logo
item-logo
item-logo
item-logo
item-logo
item-logo

In Scope

Our bug bounty program spans end-to-end: from soundness of protocols (such as the blockchain consensus model, the wire and p2p protocols, proof of stake, etc.) and protocol/implementation compliance to network security and consensus integrity. Classical client security as well as security of cryptographic primitives are also part of the program. All bug disclosures and vulnerability submissions must be made through our bug submission form (opens in a new tab).

Specification bugs

The Ethereum Specifications detail the design rationale for the Execution Layer and Consensus Layer.

It might be helpful to check out the following annotations:

Types of bugs

  • Safety/finality-breaking bugs
  • Denial of service (DOS) vectors
  • Inconsistencies in assumptions, like situations where honest validators can be slashed
  • Calculation or parameter inconsistencies

Specification documents

Beacon Chain (opens in a new tab)
Fork choice (opens in a new tab)
Solidity deposit contract (opens in a new tab)
Peer-to-peer networking (opens in a new tab)

Client bugs

Clients run the Ethereum Network, and they need to follow the logic set out in the specification and be secure against potential attacks. The bugs we want to find are related to the implementation of the protocol.

Currently execution layer clients (Besu, Erigon, Geth, Nethermind and Reth) and consensus layer clients (Lighthouse, Lodestar, Nimbus, Teku and Prysm) are included in the Bug Bounty Program.

Types of bugs

  • Spec non-compliance issues
  • Unexpected crashes, RCE or denial of service (DOS) vulnerabilities
  • Any issues causing irreparable consensus splits from the rest of the network

Helpful links

Besu (opens in a new tab)
Erigon (opens in a new tab)
Geth (opens in a new tab)
Lighthouse (opens in a new tab)
Lodestar (opens in a new tab)
Nimbus (opens in a new tab)
Nethermind (opens in a new tab)
Prysm (opens in a new tab)
Reth (opens in a new tab)
Teku (opens in a new tab)
Grandine (opens in a new tab)

Language compiler bugs

The Solidity and Vyper compilers are in scope of the bug bounty program. Please include all details necessary to reproduce the vulnerability such as: Input program that triggers the bug, Compiler version affected, Target EVM version, Framework/IDE if applicable, EVM execution environment/client if applicable and Operating system, Please include steps to reproduce the bug you have found in as much detail as possible.

Solidity and Vyper does not hold security guarantees regarding compilation of untrusted input – and we do not issue rewards for crashes of the compiler on maliciously generated data.

Helpful links

Solidity (opens in a new tab)
Vyper (opens in a new tab)

Deposit Contract bugs

The specifications and source code of the Beacon Chain Deposit Contract is part of the bug bounty program.

Helpful links

Dependency bugs

Certain dependencies are crucial for the Ethereum Network to function, and some of these have been added to the bug bounty program. Currently, the list of dependencies included in the bug bounty program are C-KZG-4844 and Go-KZG-4844.

Helpful links

Out of scope

Only the targets listed under in-scope are part of the Bug Bounty Program. Vulnerabilities that do NOT qualify under the program include:

  • Infrastructure bugs—such as webpages, dns, email, etc.*
  • ERC-20 contract bugs*
  • Ethereum Naming Service (ENS) bugs (maintained by the ENS foundation)
  • Vulnerabilities requiring the user to have publicly exposed an API, such as JSON-RPC or the Beacon API
  • EngineAPI is considered trusted and not meant to be publicly exposed
  • Typographical errors
  • Tests
  • High-effort (sustained, CPU or bandwidth intensive, and/or requires more than 1 packet or onchain transaction) single-peer DoS attacks
  • Any publicly known issues (includes forum posts, PRs, github issues, commits, blog posts, public discord messages, etc.)
  • Anything that does not currently have a direct impact on Ethereum mainnet.

*These are not included, however, we can sometimes help reach out to affected parties

Bug hunting rules

The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g., North Korea, Iran, etc). Local laws require us to ask for proof of your identity. You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours and must take place on local running testnets.

  1. 1Issues without a POC or that have already been submitted by another user or are already known to spec and client maintainers are not eligible for bounty rewards.
  2. 2Public disclosure of a vulnerability or reporting it to other parties without prior agreement makes it ineligible for a bounty.
  3. 3Employees and contractors of the Ethereum Foundation, Ethereum Foundation grantees, or client teams in scope of the bounty program may participate in the program only in the accrual of points and will not receive monetary rewards.
  4. 4Ethereum bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ethereum Foundation bug bounty panel.

Vulnerability severity qualifications

Severity is assessed based on a each discovered vulnerability's unique ability to do the following:

Low severity
  • Slash >0.01% of validators
  • Trivially cause network splits affecting >0.01% of the network
  • Be able to bring down >0.01% of the network by sending a single network packet or an onchain transaction
Medium severity
  • Slash >1% of validators
  • Trivially cause network splits affecting >5% of the network
  • Be able to bring down >5% of the network by sending a single network packet or an onchain transaction
High severity
  • Slash >33% of validators
  • Trivially cause network splits affecting >33% of the network
  • Be able to bring down >33% of the network by sending a single onchain transaction
Critical severity
  • Slash >50% of validators
  • Exploit an EIP/specification or client bug to easily create an infinite amount of ETH which is finalized by the network
  • Steal ETH from all EOAs
  • Burn ETH from all EOAs
  • Take down the entire network by sending a single malicious onchain transaction that ends up crashing all clients

Submit a bug

Up to 2,000 USD

Low

Up to 2,000 USD

Up to 1,000 points

Submit low risk bug (opens in a new tab)
Up to 10,000 USD

Medium

Up to 10,000 USD

Up to 5,000 points

Submit medium risk bug (opens in a new tab)
Up to 50,000 USD

High

Up to 50,000 USD

Up to 10,000 points

Submit high risk bug (opens in a new tab)
Up to 1,000,000 USD

Critical

Up to 1,000,000 USD

Up to 25,000 points

Submit critical risk bug (opens in a new tab)

Execution Layer Bug Bounty leaderboard

Find execution layer bugs to get added to this leaderboard

Consensus Layer Bug Bounty leaderboard

Find consensus layer bugs to get added to this leaderboard

Frequently asked questions

No end date is currently set. See the Ethereum Foundation blog (opens in a new tab) for the latest news.

Rewards are paid out in ETH or DAI after the submission has been validated, usually a few days later. Local laws require us to ask for proof of your identity. In addition, we will need your ETH address.

We can donate your reward to an established charitable organization of your choice.

We aim to respond to submissions as fast as possible. Due to the increase in AI submissions, please allow up to a week for us to respond to your submission.

Submitting anonymously or with a pseudonym is OK, but will make you ineligible for ETH/DAI rewards. To be eligible for ETH/DAI rewards, we require your real name and a proof of your identity to be sent, encrypted using PGP on our secure drop website, to our legal team at the Ethereum Foundation who are the sole reviewers of the documentation. Donating your bounty to a charity doesn’t require your identity.

Please let us know if you do not want your name/nick displayed on the leader board.

Every found vulnerability / issue is assigned a score. Bounty hunters are ranked on our leaderboard by total points.

Page last update: May 20, 2026

corwintinesc (opens in a new tab)
fredrik0xf (opens in a new tab)
JoeChenJJ (opens in a new tab)
+6

Was this page helpful?