The Ethereum Bounty Program provides bounties for bugs. We call on our community and all bug bounty hunters to help identify bugs in the protocols and clients. Earn rewards for finding a vulnerability and get a place on our leaderboard. See the Rules & Rewards section for details.
Martin Holst Swende
Yoonho Kim (team Hithereum)
Please have a look at the bullets below before starting your hunt!
The value of rewards paid out will vary depending on Severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood:
Reward sizes are guided by the rules below, but are, in the end, determined at the sole discretion of the Ethereum Foundation bug bounty panel.
1 point currently corresponds to 1 USD (payable in ETH or BTC), something which may change without prior notice.
Note! Between 2017-09-19 and the Byzantium hard fork on Mainnet, each point corresponds to 2 USD for issues related to cross-client consensus or geth DoS vulnerabilities.
Beyond monetary rewards, every bounty is also eligible for listing on our leaderboard with points accumulating over the course of the program.
In addition to Severity, other variables are also considered when the Ethereum Foundation bug bounty panel decides the score, including (but not limited to):
Important Legal Information
The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.
Our bug bounty program spans end-to-end: from soundness of protocols (such as the blockchain consensus model, the wire and p2p protocols, proof of work, etc) and protocol/implementation compliance to network security and consensus integrity. Classical client security as well as security of cryptographic primitives are also part of the program. Details on the scope follow:
The idea for Ethereum was initially published in the White Paper. This concept has been realized in a few protocols and algorithms up for scrutiny:
Help identify flaws such as ones found in the yellow paper, relating to:
Assuming that the protocols and algorithms are flawless, does a client implementation conform to the formal protocol specification? Issues could include:
An example of a potential issue in this category is Bitcoin’s “zero-day” flaw, which required a hard-fork.
This category focuses on generalized attacks on the whole network or a subset of it:
Here is an example from Bitcoin of a global network-based DoS scenario.
Attacks on a single Go client relating to the Ethereum protocol:
This category addresses more classical security issues:
Here is an example of a problem hidden in an external library.
This category includes:
This category includes:
Here is an example of a submitted Solidity bug.
This category includes:
Here is an example of a bug in the initial ENS registrar that would have allowed people to bid during the reveal period, thus affecting the legitimacy of auction results.
Here is an example of a real issue which was previously present in the Go client:
Description: Remote Denial-of-service using non-validated blocks
Attack scenario: An attacker can send blocks that may require a high amount of computation (the maximum gasLimit) but have no proof-of-work. If the attacker sends such blocks continuously, the attacker may force the victim node to 100% CPU utilization.
Impact: An attacker can abuse CPU utilization on remote nodes, possibly causing full DoS.
Components: Go client version v0.6.8
Reproduction: Send a block to a Go node that contains many txs but no valid PoW.
Details: Blocks are validated in the method Process(Block, dontReact). This method performs expensive CPU-intensive tasks, such as executing transactions (sm.ApplyDiff), and only afterwards verifies the proof-of-work (sm.ValidateBlock()). This allows an attacker to send blocks that may require a high amount of computation (the maximum gasLimit) but have no proof-of-work. If the attacker sends such blocks continuously, the attacker may force the victim node to 100% CPU utilization.
Fix: Invert the order of the checks.
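The ordering problem above, and the fix, can be shown in a few lines. The following Go program is an added illustration written for this page; it is not code from the Go client, and the Block type, the toy proof-of-work rule (SHA-256 of the header must start with a zero byte) and the per-transaction "work units" are all constructed stand-ins. processVulnerable executes transactions before checking the proof-of-work, as the report describes; processFixed checks the cheap proof-of-work first, so a flood of PoW-less blocks is rejected before any expensive work is spent.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Block is a constructed stand-in for a chain block (not geth's type): a nonce
// that the proof-of-work covers, a gas figure, and a list of transaction costs.
type Block struct {
	Nonce   uint64
	GasUsed uint64
	Txs     []uint64 // work units each transaction costs to execute
}

// powValid is the cheap check. Toy difficulty rule (an assumption for this
// example): the SHA-256 of the header fields must start with a zero byte.
func powValid(b Block) bool {
	var hdr [16]byte
	binary.BigEndian.PutUint64(hdr[:8], b.Nonce)
	binary.BigEndian.PutUint64(hdr[8:], b.GasUsed)
	h := sha256.Sum256(hdr[:])
	return h[0] == 0
}

// mine finds a nonce that satisfies the toy target; it stands in for an honest
// miner producing a legitimate block.
func mine(b Block) Block {
	for b.Nonce = 0; !powValid(b); b.Nonce++ {
	}
	return b
}

// forgeInvalid returns a copy of b whose nonce does NOT satisfy the target,
// i.e. a block that costs nothing to produce but is expensive to execute.
func forgeInvalid(b Block) Block {
	for b.Nonce = 0; powValid(b); b.Nonce++ {
	}
	return b
}

// Processor records how much expensive work it has done, so the two orderings
// can be compared on the same input.
type Processor struct{ WorkSpent uint64 }

// applyTxs simulates transaction execution: the CPU-heavy step that a
// gasLimit-sized block lets the sender control.
func (p *Processor) applyTxs(b Block) {
	for _, cost := range b.Txs {
		p.WorkSpent += cost
	}
}

// processVulnerable reproduces the ordering the report describes: transactions
// are executed before the proof-of-work is verified.
func (p *Processor) processVulnerable(b Block) error {
	p.applyTxs(b)
	if !powValid(b) {
		return errors.New("invalid proof-of-work")
	}
	return nil
}

// processFixed applies the fix: verify the cheap proof-of-work first so an
// invalid block is rejected before any expensive work is spent on it.
func (p *Processor) processFixed(b Block) error {
	if !powValid(b) {
		return errors.New("invalid proof-of-work")
	}
	p.applyTxs(b)
	return nil
}

// Flood feeds n forged (PoW-less) copies of template to both orderings and
// returns the work each ordering spent on them.
func Flood(n int, template Block) (vulnerable, fixed uint64) {
	bogus := forgeInvalid(template)
	var v, f Processor
	for i := 0; i < n; i++ {
		_ = v.processVulnerable(bogus)
		_ = f.processFixed(bogus)
	}
	return v.WorkSpent, f.WorkSpent
}

// AcceptHonest confirms the fixed ordering still processes a legitimately
// mined block in full, returning the work spent and any error.
func AcceptHonest(template Block) (uint64, error) {
	var p Processor
	err := p.processFixed(mine(template))
	return p.WorkSpent, err
}

func main() {
	// Constructed sample: three transactions worth 8000 work units in total.
	tmpl := Block{GasUsed: 8000000, Txs: []uint64{3000, 2500, 2500}}
	v, f := Flood(1000, tmpl)
	fmt.Printf("1000 forged blocks: vulnerable ordering spent %d work units, fixed ordering spent %d\n", v, f)
	w, err := AcceptHonest(tmpl)
	fmt.Printf("honest block: fixed ordering spent %d work units, err=%v\n", w, err)
}
```

The general rule the example demonstrates is to run the cheapest validation that an attacker cannot pass for free (here the proof-of-work, which costs the sender real hashing) before any step whose cost the sender controls; the same ordering applies to signature checks before state execution and to size or format checks before decoding.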
No end date is currently set. See the “News & Updates” section above, and the Ethereum blog for the latest news.
Rewards are paid out in ETH or BTC after the submission has been validated, usually a few days later. Local laws require us to ask for proof of your identity. In addition, we will need your ETH/BTC address.
Yes. We can donate your reward to an established charitable organization of your choice.
We aim to respond to submissions as fast as possible. Feel free to email us if you have not received a response within a day or two.
Submitting anonymously or with a pseudonym is OK, but will make you ineligible for BTC rewards. To be eligible for BTC rewards, we require your real name and a proof of your identity. Donating your bounty to a charity doesn’t require your identity.
Please let us know if you do not want your name/nick displayed on the leader board.
Every found vulnerability / issue is assigned a score. Bounty hunters are ranked on our leaderboard by total points.
Email us at email@example.com.
AE96 ED96 9E47 9B00 84F3 E17F E88D 3334 FA5F 6A0A
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQINBFgl3tgBEAC8A1tUBkD9YV+eLrOmtgy+/JS/H9RoZvkg3K1WZ8IYfj6iIRaY neAk3Bp182GUPVz/zhKr2g0tMXIScDR3EnaDsY+Qg+JqQl8NOG+Cikr1nnkG2on9 L8c8yiqry1ZTCmYMqCa2acTFqnyuXJ482aZNtB4QG2BpzfhW4k8YThpegk/EoRUi m+y7buJDtoNf7YILlhDQXN8qlHB02DWOVUihph9tUIFsPK6BvTr9SIr/eG6j6k0b fUo9pexOn7LS4SojoJmsm/5dp6AoKlac48cZU5zwR9AYcq/nvkrfmf2WkObg/xRd EvKZzn05jRopmAIwmoC3CiLmqCHPmT5a29vEob/yPFE335k+ujjZCPOu7OwjzDk7 M0zMSfnNfDq8bXh16nn+ueBxJ0NzgD1oC6c2PhM+XRQCXChoyI8vbfp4dGvCvYqv QAE1bWjqnumZ/7vUPgZN6gDfiAzG2mUxC2SeFBhacgzDvtQls+uuvm+FnQOUgg2H h8x2zgoZ7kqV29wjaUPFREuew7e+Th5BxielnzOfVycVXeSuvvIn6cd3g/s8mX1c 2kLSXJR7+KdWDrIrR5Az0kwAqFZt6B6QTlDrPswu3mxsm5TzMbny0PsbL/HBM+GZ EZCjMXxB8bqV2eSaktjnSlUNX1VXxyOxXA+ZG2jwpr51egi57riVRXokrQARAQAB tDlFdGhlcmV1bSBGb3VuZGF0aW9uIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QGV0 aGVyZXVtLm9yZz6JAj4EEwECACgFAlgl3tgCGwMFCQHhM4AGCwkIBwMCBhUIAgkK CwQWAgMBAh4BAheAAAoJEOiNMzT6X2oKmUMP/0hnaL6bVyepAq2LIdvIUbHfagt/ Oo/KVfZs4bkM+xJOitJR0kwZV9PTihXFdzhL/YNWc2+LtEBtKItqkJZKmWC0E6OP XGVuU6hfFPebuzVccYJfm0Q3Ej19VJI9Uomf59Bpak8HYyEED7WVQjoYn7XVPson wus/9+LDX+c5vutbrUdbjga3KjHbewD93X4OwVVoXyHEmU2Plyg8qvzFbNDylCWO 7N2McO6SN6+7DitGZGr2+jO+P2R4RT1cnl2V3IRVcWZ0OTspPSnRGVr2fFiHN/+v 8G/wHPLQcJZFvYPfUGNdcYbTmhWdiY0bEYXFiNrgzCCsyad7eKURWN9QmxqmyqLD jUEDJCAh19ES6Vg3tqGwXk+uNUCoF30ga0TxQt6UXZJDEQFAGeASQ/RqE/q1EAuL v8IGM8o7IqKO2pWfLuqsY6dTbKBwDzz9YOJt7EOGuPPQbHxaYStTushZmJnm7hi8 lhVGjT7qsEJdE95Il+I/mHWnXsCevaXjZugBiyV9yvOq4Hwwe2s1zKfrnQ4u0cad vGAh2eIqum7MY3o6nD47aJ3YmEPX/WnhI56bACa2GmWvUwjI4c0/er3esSPYnuHn M9L8Am4qQwMVSmyU80tCMI7A9e13Mvv+RRkYFLJ7PVPdNpbW5jqX1doklFpKf6/X M+B+ngYneU+zgCUBtDRFdGhlcmV1bSBGb3VuZGF0aW9uIEJ1ZyBCb3VudHkgPGJv dW50eUBldGhlcmV1bS5vcmc+iQI+BBMBAgAoBQJYJeE7AhsDBQkB4TOABgsJCAcD AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDojTM0+l9qCs3/D/4iCne+1h026eKTDfIe dh8mSbQyZowNQz2a2xpdU3rFv2fbk3ddrcZYKmZ2xthnzffi0j+hDj80er9sQjlY UfkXVoWQySbkAlUu5SSKkK2YJnk2RtE8kD2XS41RQTq64VcGF/h127uNvSMx61EX 
+SJ8kdUIKjl8hJQ2EuntvBxar2qANA1k1gw6jiz1ZflOX7nHiBNl13b9wBi3j2H/ CeTD6G4z4mbQaiOkuohDWNmJ9+ai1/msXgv4mEgh1bRbggiHW/0GEdWWVfD7P2iP Q8Auy1PmHz8O4qgiKKsUngN6NTzkZHUooBIN47X0b+VKlaPWtKAW/Y3aAA7GrRf4 FtBO5raN1xjomkdHgfUknbDN8ewc+ANByBjWsaWaNUVqpTvdZXj+HNdz8eyEr+Th l3y4PjPKm/qsWxndR6YrRovbNctWlXxI9ZDrWdLTfHrvlKYOVisDzQQ192q+yfTQ lC4FUi/hO/RRvs18OtoMYkKy3ys5uMFP/S+cFZMEJ5tvYSydLaJK0gWRZ3P9Zezg vhjOt7WInCpGOK6pqFlHmMeyMBR/ZrQ7b0dUcTvOUW0IWYs8KWaXaUZB9A6mbmSU ZkWua+6z6pn2u3flSBYc9l7PKSTC1asU7CynC4JZo8O2jq2BtElnh+2K2l1hgzd0 pb0gYlcHCu0FCsyy76WnS8MX7LkCDQRYJd7YARAAm4Kuh0zeYBAYtJZA/zGnyJ5j YvufVOYERmKpOOlpX0Y4R7nV4w6YA9JaJRm+IWKJ7ZDGikZQoNkb4I75N2b3tDyl oysO4K/GAWvXzBWPAYQFyN9jnciPaxYcRGRX1gH8ClZk9fQXXgEERb3H3fvMPH9V 1XPs3XVCzCRQU6/sSg5SEVsE5HSz0Hlm46NHh5f4OLbi4i608VW549um3/tvtQ2z P8OVWr8z65L4h6rynv0D/4GsuEA1YlrxYC2/dInXwByHbD4H5adFQ0ua1RxS+g+9 60kXSEaNyPHPJmKDY0keFw7r4DpAClvS0d6b6LhRx46eha9BnrEW6229hBuuoj7E ffTEOxaiC/VTBz5tprUfl725ypB9q2MhKmjG0nZNvYxmqZAFpXuLCIUipO+PQOLR pB5dPCmdjfaOhq31HoT/1dniS2qYdg4qBS9R8Ua8qysvNEECizCUXpMYoKvIK3lv MQeM7n/TJLqLvkRzZqPD3mx4xbLS4oIg+v8z9nvuLVJq09PyUxjkoaBjJfEbdFUc XTyJirp/uCzl23zsQKzkpGOot+foLIJJEstYEyRNAWN0vWrk+vmK4JWP01j0PSCc VlTipU/t1iKecCbtmwSkONtFS6g2M5KFsrXpf2zNQAlLYqTIiFXlLNrhYkY6cwNV stEByj03UrhpST0a33EAEQEAAYkCJQQYAQIADwUCWCXe2AIbDAUJAeEzgAAKCRDo jTM0+l9qCk44D/9aIwlchsrxzC1IJ19M8K0eUNTOUShc+pB8Cozg1S0dyLKfCPd+ aE0Ldw2O8hQyOLdBqm2EUDLcXDRG+5momp4Strawl34T7Ovy9OIoIw3+Yk3Js2pl zesZ4ecZM9OoWSSQjLruDLysQvTEBwlSgMI7MJf/R/SaiAVwGNxNpS6V+T/uYw2b j8UvOqd/pOEa3afSkxl44rhJXjN8xpc+QS1snaqLznJOwtmioduxExaQ2GNM98kO QLDycpNawK9MKx+vssJsFpc7kHsGr56y5ydjPIjBV6SIch3hCFP3+6PH/nUJO9q2 fQhs3XKooNs2vwUt82sGVoG79rwdnpTbCJZWC3Yq+OY8QTscdsrybxLruIJc+/Mu KCUwkwGAGzJZXuYFXT5FXBsr71UvbYp50moiM7r1q2BylpZdbmD5tkNQg7NOj+SO 21BgF6YEC1If10ILsv9LFxlqltxUuScz/l4HEf+1AEr8AXR8pbmym3qhKQextbPp vvAuu6jq3OxEL9yZstWAzpIRMjYoNa5o6ZS7oq97QtV/g+3R6Z+zSXu5zMBcdm9j KTJCwPYzzwBj6f3pHLubMQnvhNCf+FBfvivgkVyMYLc1NlCX6fKfcfsoG8eah4p0 
dLVUXSM792ZxrF638Z1n0jmgefNnFN1UTfSDcxx2sfBE2kFQ5xjubkGvhQ== =gwRO -----END PGP PUBLIC KEY BLOCK-----