Secured #5: Public Vulnerability Disclosures Update


Today, we have disclosed the second set of vulnerabilities from the Ethereum Foundation Bug Bounty Program! 🥳 These vulnerabilities were previously discovered and reported directly to the Ethereum Foundation.

When bugs are reported and validated, the Ethereum Foundation coordinates disclosures to affected teams and helps cross-check vulnerabilities across all clients. The Bug Bounty Program currently accepts reports for the following client software:

  • Erigon
  • Go Ethereum
  • Lodestar
  • Nethermind
  • Lighthouse
  • Prysm
  • Teku
  • Besu
  • Nimbus

In addition to client software, the Bug Bounty Program also covers the Deposit Contract, the Execution Layer & Consensus Layer Specifications, and Solidity. 🙏

Repository & vulnerability list

The time since the last vulnerability disclosure has been quite eventful, with events such as the Merge 🐼 and the increase of the maximum bounty reward to $250,000. 💰

The highest reward paid during this period was $50,000. It was awarded to scio for reporting an issue in which Lighthouse beacon nodes crashed when handling malicious BlocksByRange messages containing an overly large count value. You can read more about this specific vulnerability here. 💥

Another notable set of vulnerabilities concerned fork choice attacks. EF researchers and client teams investigated and patched attacks that were able to cause long reorgs. 👀

Guido Vranken holds the top spot for the most positive reports in this period. At the same time, Guido collected the most points on the Bug Bounty Leaderboard! 🏆

We also have two bounty hunters who decided to donate their rewards to charities: nrv and PwningEth! 🔥

The full list of new vulnerabilities, along with full details, can be found in the disclosures repository.

All vulnerabilities added to the disclosures catalogue were patched prior to the latest hard forks on the Execution Layer and Consensus Layer.

For more information, and to learn more about disclosure policies, timelines, and cataloging, head over to the disclosures repository.
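As an added example (not Lighthouse's code and not the fix referenced above), the following Rust sketch shows the general defensive pattern for a request of this shape: validate the peer-supplied `count` against a cap and check the slot arithmetic before allocating anything sized by it. The request struct, the error type, and the 1024 cap are assumptions for illustration only.

```rust
/// Simplified stand-in for a BlocksByRange request.
/// Assumption: the real spec/Lighthouse types carry more fields and are SSZ-encoded;
/// this struct exists only to demonstrate the validation pattern.
#[derive(Debug, Clone, Copy)]
pub struct BlocksByRangeRequest {
    pub start_slot: u64,
    pub count: u64,
}

/// Illustrative error type (assumption, not a project type).
#[derive(Debug, PartialEq, Eq)]
pub enum RangeError {
    ZeroCount,
    CountTooLarge { count: u64, max: u64 },
    SlotOverflow,
}

/// Validate a peer-supplied request before doing any work proportional to `count`.
/// Returns the exclusive end slot on success.
pub fn validate_blocks_by_range(
    req: &BlocksByRangeRequest,
    max_request_blocks: u64,
) -> Result<u64, RangeError> {
    // A zero-length range is meaningless; reject it explicitly.
    if req.count == 0 {
        return Err(RangeError::ZeroCount);
    }
    // Cap the amount of work a single peer can request from us.
    if req.count > max_request_blocks {
        return Err(RangeError::CountTooLarge {
            count: req.count,
            max: max_request_blocks,
        });
    }
    // checked_add: a large start_slot plus count must not wrap. With plain `+`,
    // debug builds panic (crashing the node) and release builds silently wrap.
    req.start_slot
        .checked_add(req.count)
        .ok_or(RangeError::SlotOverflow)
}

/// Handler sketch: only after validation is a buffer sized by `count`.
/// The Vec of slot numbers stands in for the blocks a real handler would load.
pub fn handle_request(
    req: &BlocksByRangeRequest,
    max_request_blocks: u64,
) -> Result<Vec<u64>, RangeError> {
    let end = validate_blocks_by_range(req, max_request_blocks)?;
    // `count` is now bounded by max_request_blocks, so this allocation is bounded too.
    Ok((req.start_slot..end).collect())
}

fn main() {
    // Assumption: an illustrative cap, not taken from the spec.
    let max = 1024;
    let ok = BlocksByRangeRequest { start_slot: 100, count: 3 };
    let huge = BlocksByRangeRequest { start_slot: 0, count: u64::MAX };
    println!("{:?}", handle_request(&ok, max));
    println!("{:?}", validate_blocks_by_range(&huge, max));
}
```

The important property is ordering: every check runs before any allocation or iteration that depends on the untrusted value, and the arithmetic uses `checked_add` so that a hostile `start_slot`/`count` pair is rejected as an error instead of panicking the node.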

Thank you 🙏

We would like to give a massive shout-out to everyone involved in the discovery and reporting of vulnerabilities, as well as to the teams responsible for fixing them. While we have attempted to include the names or aliases of all reporters, there are many developers and researchers within the client teams and in the Ethereum Foundation who found and corrected vulnerabilities outside of the bounty program. There are also many unsung heroes, such as client team developers, community members, and many more, who have spent countless hours triaging, cross-checking, and mitigating vulnerabilities before they could be exploited.

Your immense efforts have been instrumental in ensuring Ethereum's security. Thank you!
