HomeEthereumSecured #5: Public Vulnerability Disclosures Update

Secured #5: Public Vulnerability Disclosures Update

-



Today, we have disclosed the second set of vulnerabilities from the Ethereum Foundation Bug Bounty Program! πŸ₯³ These vulnerabilities were previously discovered and reported directly to the Ethereum Foundation.

When bugs are reported and validated, the Ethereum Foundation coordinates disclosures to affected teams and helps cross-check vulnerabilities across all clients. The Bug Bounty Program currently accepts reports for the following client software:

  • Erigon
  • Go Ethereum
  • Lodestar
  • Nethermind
  • Lighthouse
  • Prysm
  • Teku
  • Besu
  • Nimbus

In addition to client software, the Bug Bounty Program also covers the Deposit Contract, Execution Layer & Consensus Layer Specifications and Solidity. πŸ™

Repository & vulnerability list

Since the last vulnerability disclosure has been quite eventful with events such as the Merge 🐼 and the max bounty reward increase to $250,000. πŸ’°

The highest paid reward during this period was $50,000. This was awarded to scio for reporting an issue in which Lighthouse beacon nodes crashed via malicious BlocksByRange messages containing an overly large count value. You can read more about this specific vulnerability here. πŸ’₯

Another notable set of vulnerabilites has been around fork choice attacks. EF researchers and client teams investigated and patched attacks that were able to cause long reorgs. πŸ‘€

Guido Vranken holds the top spot most positive reports in this period. At the same time, Guido managed to collect the most points for the Bug Bounty Leaderboard! πŸ†

We also have two bounty hunters who decided to donate their rewards to charities: nrv and PwningEth! πŸ”₯

The full list of new vulnerabilities, along with full details, can be found in the disclosures repository.

All vulnerabilities added to the disclosures catalogue were patched prior to the latest hardforks on the Execution Layer and Consensus Layer.

For more information, and to learn more about disclosure policies, timelines, and cataloging, head over to the disclosures repository.

Thank you πŸ™

We would like to give a massive shout out to everyone involved in the discovery and reporting of vulnerabilities, as well as to the teams responsible for fixing them. While we have attempted to include the names or aliases of all reporters, there are many developers and researchers within the client teams and in the Ethereum Foundation who found and corrected vulnerabilities outside of the bounty program. There are also many unsung heroes such as client team developers, community members, and many more who have spent countless hours triaging, cross-checking, and mitigating vulnerabilities before they could be exploited.

Your immense efforts have been instrumental to ensuring Ethereum’s security. Thank you!

LEAVE A REPLY

Please enter your comment!
Please enter your name here

LATEST POSTS

Ethereum Whale Accumulation Continues despite Selling Pressure, ETH Price Recovery Soon?

Ethereum is also following the same trajectory that Bitcoin did after the approval of the spot BTC ETFs earlier this year. While the spot Ethereum...

Understanding the Abilities and Limitations of ChatGPT

Everyone who uses the internet must have come across the term β€˜ChatGPT’ at some point in their online experience. The generative AI tool has...

Is CrowdStrike’s (CRWD) Stock Drop an Opportunity for Investors?

CrowdStrike Holdings, Inc. (CRWD) experienced a steep decline in its stock price last Friday following a software update that triggered widespread technical outages. This...

Large holders cashed out ahead of Ethereum ETF launch

The market has been gearing up for volatility before the launch of spot ETH ETFs in the US today. While ETH’s price action has...

Most Popular