The Ethereum Bounty Program provides bounties for bugs. We call on our community and all bug bounty hunters to help identify bugs in the protocols and clients. Earn rewards for finding a vulnerability and get a place on our leaderboard. See Rules & Rewards section for details.
| # | Name | Handle | Points |
|---|------|--------|--------|
| 1 | Martin Holst Swende* | holiman | 33500 |
| 2 | Sam Sun | samczsun | 22000 |
| 3 | ChainSecurity | chainsecurity | 21000 |
| 4 | Juno Im | junorouse | 20500 |
| 5 | Yoonho Kim (team Hithereum) | uknowy | 20000 |
| 6 | John Youngseok Yang (Software Platform Lab) | johnyangk | 20000 |
| 7 | PeckShield | peckshield | 17000 |
| 8 | ItsUnixIKnowThis | itsunixiknowthis | 15000 |
| 9 | Bertrand Masius | catageek | 15000 |
| 10 | Tin | tintinweb | 12500 |
| 11 | | | |
| 12 | Łukasz Matczak | lukaszmatczak | 11000 |
| 13 | | | |
| 14 | Jonas Nick | jonasnick | 10000 |
| 15 | | | |
| 16 | | | |
| 17 | Harry Roberts | HarryR | 5000 |
| 18 | Peter Stöckli | p- | 5000 |
| 19 | Neville Grech | Dedaub | 5000 |
| 20 | EthHead | EthHead | 5000 |
| 21 | John Toman | jtoman | 4000 |
| 22 | Daniel Perez | danhper | 2500 |
| 23 | Yaron Velner | yaronvel | 2000 |
| 24 | Whit Jackson | whitj00 | 2000 |
| 25 | | | |
| 26 | Melonport team | melonport | 2000 |
| 27 | Maurelian | maurelian | 2000 |
| 28 | Christoph Jentzsch | CJentzsch | 2000 |
| 29 | DVP (dvpnet.io) | DVPNET | 1200 |
| 30 | | | |
| 31 | talko | talko | 1000 |
| 32 | Steve Waldman | swaldman | 1000 |
| 33 | Panu Kekäläinen | ptk | 1000 |
| 34 | Josselin Feist | montyly | 1000 |
| 35 | henrit | henrit | 1000 |
| 36 | Marc Bartlett | BlameByte | 1000 |
| 37 | | | |
| 38 | Lucas Ryan | badmofo | 1000 |
| 39 | Alex Groce | agroce | 1000 |
| 40 | Daniel Briskin | n0thingness | 750 |
| 41 | Daenam Kim | daenamkim | 750 |
| 42 | | | |
| 43 | | | |
| 44 | | | |
| 45 | Feeker - 360 ESG Codesafe Team | feeker | 500 |
| 46 | Jonathan Brown | ethernomad | 500 |
| 47 | David Murdoch | davidmurdoch | 500 |
| 48 | Alexander Wade | wadeAlexC | 500 |
| 49 | Luis Schliesske | gitpusha | 200 |
* No longer eligible for bounties, since October 2016. Martin now works for the Ethereum Foundation and, among other things, manages the bug bounty program.
`CALL` variants were made with large calldata. They also earned 5000 points from the ‘pot’ of money allocated towards EIP reviews, for their help in assessing the security of EIP-1884, which also earned Neville Grech (contract-library.com) 5000 points. And finally, together with Daniel Perez (split 50/50), they submitted a DoS vector for Geth/Parity which earned them 2500 points each. Congratulations to all new members on the top list; we’re looking forward to more high quality bounties during 2020!

`nonreentrant()` decorators were specified. Reminder: Vyper is still considered experimental!
.Please have a look at the bullets below before starting your hunt!
The value of rewards paid out will vary depending on Severity. The severity is calculated according to the OWASP risk rating model, based on Impact and Likelihood:
Reward sizes are guided by the rules below, but are, in the end, determined at the sole discretion of the Ethereum Foundation bug bounty panel.
1 point currently corresponds to 1 USD (payable in ETH or BTC), something which may change without prior notice.
Note: Between 2017-09-19 and the Byzantium hard-fork on Mainnet, each point corresponds to 2 USD for issues related to cross-client consensus or geth DoS vulnerabilities.
Beyond monetary rewards, every bounty is also eligible for listing on our leaderboard with points accumulating over the course of the program.
In addition to Severity, other variables are also considered when the Ethereum Foundation bug bounty panel decides the score, including (but not limited to):
Important Legal Information
The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.
Our bug bounty program spans end-to-end: from soundness of protocols (such as the blockchain consensus model, the wire and p2p protocols, proof of work, etc) and protocol/implementation compliance to network security and consensus integrity. Classical client security as well as security of cryptographic primitives are also part of the program. When in doubt, send an email to bounty@ethereum.org and ask us.
Below some guidance can be found on what we are typically interested in hearing about.
Geth is an Ethereum client written in Go. Areas that typically are in scope are:
Some areas of Geth are ‘experimental’, and not yet enabled by default. Yes, these are also included, but the ‘Impact’ of issues in the areas below will be counted as low.
The LES (light clients) parts of Geth are twofold: server and client. For LES, we are interested in
Whisper is also not yet production ready, and has very limited bounty scope.
Py-evm is a Python implementation of the Ethereum Virtual Machine, and the basis for Trinity. The Trinity client is currently in an alpha release stage and is not suitable for mission-critical production use cases. Both of these components are included in the bounty scope, but any issues reported will have a lowered Impact, since there are already known issues and they are not considered a production release.
This category includes:
Here is an example of a submitted Solidity bug.
Solidity does not hold security guarantees regarding compilation of untrusted input, and we do not issue rewards for crashes of the `solc` compiler on maliciously generated data.
LLL is not included in the bug bounty.
Pyethereum is a legacy Ethereum implementation, and the basis for the Pyethapp Python client implementation. Both of these are now deprecated, in favour of py-evm/Trinity, and are not in scope of the bounty program.
The Vyper language is a new, experimental programming language for the EVM. It is still beta software, and as such is not expected to be bug-free, and is therefore not included in the bug bounty.
Swarm used to be part of geth, but has since moved out to its own organization.
EthereumJ is a legacy pure-Java implementation of the Ethereum protocol, and the basis of Harmony, but is no longer actively maintained.
Aleth is an implementation of an Ethereum node in C++. This client is not included, as the development has ceased and Aleth is not going to implement future forks.
ENS is maintained by the ENS foundation, and is not part of the bounty scope.
Clients not developed by the Ethereum Foundation would typically not be covered by the bounty program. For Parity, please visit their bounty program.
ERC20 contract bugs are typically not included in the bounty scope. However, we can help reach out to affected parties, such as authors or exchanges in such cases.
Our infrastructure, such as webpages, DNS, email etc., is not part of the bounty scope.
Here is an example of a real issue which was previously present in the Go client:

Description: Remote Denial-of-service using non-validated blocks

Attack scenario: An attacker can send blocks that may require a high amount of computation (the maximum gasLimit) but have no proof-of-work. If the attacker sends blocks continuously, the attacker may force the victim node to 100% CPU utilization.

Impact: An attacker can abuse CPU utilization on remote nodes, possibly causing full DoS.

Components: Go client version v0.6.8

Reproduction: Send a block to a Go node that contains many txs but no valid PoW.

Details: Blocks are validated in the method `Process(Block, dontReact)`. This method performs expensive CPU-intensive tasks, such as executing transactions (`sm.ApplyDiff`), and only afterward verifies the proof-of-work (`sm.ValidateBlock()`). This allows an attacker to send blocks that may require a high amount of computation (the maximum `gasLimit`) but have no proof-of-work. If the attacker sends blocks continuously, the attacker may force the victim node to 100% CPU utilization.

Fix: Invert the order of the checks, so that the cheap proof-of-work verification runs before any transaction is executed.
No end date is currently set. See the “News & Updates” section above, and the Ethereum blog for the latest news.
Rewards are paid out in ETH or BTC after the submission has been validated, usually a few days later. Local laws require us to ask for proof of your identity. In addition, we will need your ETH/BTC address.
Yes. We can donate your reward to an established charitable organization of your choice.
We aim to respond to submissions as fast as possible. Feel free to email us if you have not received a response within a day or two.
Submitting anonymously or with a pseudonym is OK, but will make you ineligible for BTC rewards. To be eligible for BTC rewards, we require your real name and a proof of your identity. Donating your bounty to a charity doesn’t require your identity.
Please let us know if you do not want your name/nick displayed on the leader board.
Every found vulnerability / issue is assigned a score. Bounty hunters are ranked on our leaderboard by total points.
Email us at bounty@ethereum.org.
Please encrypt submissions to the PGP key with fingerprint AE96 ED96 9E47 9B00 84F3 E17F E88D 3334 FA5F 6A0A.