The Ethereum Bounty Program gives bounties for bugs. We call on our community and all bug bounty hunters to help find bugs in the protocols and clients. Earn rewards for finding a vulnerability and get a place on our leaderboard. See the Rules & Rewards section for details.
Martin Holst Swende*
Yoonho Kim (team Hithereum)
John Youngseok Yang (Software Platform Lab)
10 000 pts
Ming Chuan Lin
1 000 pts
1 000 pts
1 000 pts
1 000 pts
Alex Groce
1 000 pts
Marcin Noga (Cisco/Talos Security)
Feeker – 360 ESG Codesafe Team
200 pts
* No longer eligible for bounties, since October 2016. Martin now works for the Ethereum Foundation and, among other things, manages the bug bounty program.
News & Updates

2021-07-13: In order to get extra eyes on the changes coming in the London upgrade, all bounties for vulnerabilities related to the London upgrade will be doubled, up until the upgrade takes place. Examples of problems that would be eligible for a doubling are cross-client consensus problems between the following clients: Geth, Besu, Nethermind, OpenEthereum and Erigon.

2021-07-12: We welcome Bob Conan to the bounty list. Team (?) Bob Conan identified a number of as-of-yet undisclosed issues with go-ethereum transaction pool internals.

2021-04-09: John Toman (Certora) was given another 1K points for the "ABIDecodeTwoDimensionalArrayMemory" security vulnerability that was fixed in Solidity version 0.8.4.

2020-12-09: Welcome John Toman (Certora) to the bounty list! John found the "empty bytearray copy bug" as well as the "dynamic array cleanup bug" in Solidity, each worth 2K points. Also, Łukasz Matczak earned another 5K points for a DoS in the LES server, patched for v1.9.25.

2020-10-05: We welcome John Youngseok Yang (Software Platform Lab) to the leaderboard. John reported two severe vulnerabilities related to geth, each of which scored 10K points. Congratulations and well done!

2020-09-18: David Murdoch and Martin Ortner earned 500 points each. David found an RPC vulnerability in geth, and Martin found a remote DoS (instacrash) in the discovery implementation of Trinity.

2020-08-26: Sam Sun managed to earn another 2K points via a protocol-level vulnerability, the details of which need to remain undisclosed for a while yet. Also, we welcome Luis Schliesske to the bounty list, with 200 points for findings concerning Solidity.

2020-05-29: ItsUnixIKnowThis was awarded 10K for a Clef-related vulnerability, and 5K for a Geth-related vulnerability. Another 1K points were awarded to Alex Groce, for several vulnerabilities reported to the Solidity team.

2020-03-03: Sam Sun, the prolific bounty hunter who has managed to find zero-days in both smart contracts and client implementations, earned another 10K bounty points for the ENS vulnerability which necessitated migrating all data to a new registrar. Congratulations Sam!

2020-01-07: Towards the end of 2019, we paid out several bounties. ChainSecurity earned another 8500 points, for three separate reports: 1000 points for slow execution on Geth, due to unnecessary copying of data when CALL variants were made with large calldata. They also earned 5000 points out of the 'pot' of money allocated toward EIP reviews, with their help in assessing the security of EIP-1884, which also earned Neville Gretch (contract-library.com) 5000 points. And finally, together with Daniel Perez (split 50/50), they submitted a DoS vector for Geth/Parity which earned them 2500 points each. Congratulations to all new members at the top of the list, we're looking forward to more high quality bounties during 2020!

2019-10-16: Josselin Feist was awarded 1000 points for a Vyper vulnerability concerning function identifier collisions, reported in July 2019 (sorry about the delay!). Reminder: Vyper is still considered experimental!

2019-09-30: Maurelian has been awarded 2000 points for a vulnerability concerning Vyper. Vyper did not properly handle the cases where two separate nonreentrant() decorators were specified. Reminder: Vyper is still considered experimental!

2019-08-22: The Ethereum 2.0 Team has announced a bounty concerning the Legendre PRF. Head over there to check the details!

2019-07-30: Ming Chuan Lin reported bugs in the encoding of Solidity storage arrays, earning 2000 points. Welcome to the list!

2019-06-24: Sebastian Henningsen reported a P2P eclipse attack to us, and earned 8K points for that. Well done!

2019-05-03: Juno Im / Theori found a DoS vulnerability in the Geth p2p layer, and was awarded 10K points. Congratulations!

2019-04-23: Sam Sun managed to find a severe vulnerability in the consensus area, and earned 10K points. Congratulations and welcome to the leaderboard! Also, the Melonport team (Travis Jacobs & Jenna Zenk) and the Melon Council (Nick Munoz-McDonald, Martin Lundfall, Matt di Ferrante & Adam Kolar) reported the Solidity ABIEncoderV2 bug, which awarded them 2000 points.

2019-03-09: Łukasz Matczak earned another 1000 points for a peer DoS through providing malformed data; Myeongjae Lee earned 500 points for reporting a phisher's stash of stolen data.

2019-03-02: Łukasz Matczak earned 5000 points for vulnerabilities in the p2p layers in Geth, which could lead to amplification attacks. ChainSecurity and Ralph Pichler were awarded 25K points for the vulnerability report that caused the postponement of the Constantinople fork, which was properly submitted via the bounty program before being released publicly. The Ethereum Foundation has chosen to double that reward, and put another $25K to be used for future security audits of EIPs.

2018-10-16: PeckShield has climbed higher on the leaderboard, with another 5K points for geth DoS vulnerabilities, and also identified Constantinople flaws (1200 points) which were submitted via the DVP vulnerability platform. Also, Feeker earned 500 points for a Geth DoS through RPC.

2018-08-09: We have updated the scope of the bounty program, to be more explicit about what we are interested in: what is included in the scope and what isn't.

2018-08-02: PeckShield has been awarded 12000 points for three separate reports: Geth DoS through the discovery protocol (2000 points), LES Server DoS via malicious query (5000 points), and LES Server DoS via AnnounceMsg (5000 points).

2018-03-28: Several new entries on the leaderboard! Congratulations, and thanks! First off, we've awarded 10 000 points to the researchers from Boston University, Sharon Goldberg, Yuval Marcus and Ethan Heilman, for their research about eclipse attacks on geth nodes. The fixes were included in 1.8.0. Dominic Brütsch was awarded 7500 points for a vulnerability which could be used to trigger slow block processing in geth, which has been fixed in 1.8.3. Two DoS vulnerabilities in geth RPC methods were reported by Vasily Vasiliev, awarded 500 points each. We also awarded 'jazzybedi' 500 points for alerting us about DNS rebind vulnerabilities, which were also fixed in [version number garbled in source].

2018-02-12: Barry Whitehat has been added to the leaderboard, for a discrepancy in how Geth vs Parity handled 'future' blocks. The discrepancy could potentially put a mining minority at a disadvantage. This has been fixed by aligning how Geth and Parity treat such blocks.

2018-01-16: See the blog for a security announcement regarding the Mist Browser. The Mist browser is not considered production software, and we will not pay full rewards for upstream bugs.

2017-12-13: Yoonho Kim, of team Hithereum, has scored another 5000 points, again for an RCE in Mist/Electron. Also, Peter Stöckli submitted a Mist vulnerability which granted him 5000 points. Congratulations both! A very important reminder: the Mist browser is not safe for browsing the web. Marcin Noga of Cisco/Talos Security also submitted some issues to cpp-ethereum, which earned him 500 points.

2017-11-28: Juno Im has scored another 5000 points, again for an RCE in Mist/Electron.

2017-10-09: Yoonho Kim, of team Hithereum, has scored 15000 points for a 0-day vulnerability (remote command execution) in Mist/Electron, which was eventually patched upstream and made it into the latest Mist release. Juno Im has been awarded another 500 points for a Geth access control issue.

2017-09-19: In order to get some more eyes on the Byzantium implementations, we've temporarily increased the rewards: between now and the Byzantium mainnet hard fork, we will double the ratio of points-to-USD for any vulnerabilities affecting cross-client consensus or Geth denial-of-service. A 'High' can thus yield up to $30K USD, and a 'Critical' up to $50K USD. All Byzantium functionality is considered in scope, as if it were already enabled on the mainnet.

2017-09-14: Harry Roberts has been awarded 5000 points for discovering a bug in how Solidity implemented ecrecover. See the release notes for v0.4.14 for further information.

2017-07-28: Juno Im has been awarded 5000 points for a Mist vulnerability concerning the import of maliciously crafted wallet files.

2017-05-31: Whit Jackson has been awarded 2000 points for hex-encoding ambiguities in EthereumJS, Christoph Jentzsch has been awarded 2000 points for the Solidity optimizer bug, and 'Tintin' was awarded another 2000 points for a bug in a third-party component for cpp-ethereum.

2017-05-02: Yaron Velner has been awarded 1000 points for an ENS submission, whereby the ENS second price could be manipulated through replay, forcing winners to pay the full amount bid.

2017-04-07: EthHead and Steve Waldman were added to the leaderboard for their ENS findings (bug 1 and bug 2).

2017-04-07: ENS is now formally included in the program.

2016-12-01: Solidity is now formally included in the bug bounty program.

2016-11-10: We're pleased to have three new names on the leaderboard: Bertrand Masius (Solidity bug), tintinweb (Mist vulnerabilities) and Yaron Velner (EXP opcode mispriced).

2016-07-15: The Ethereum hard fork code is in scope of the Ethereum bounty program. Please see the latest hard fork specification.

2016-01-26: BTC Relay is now in scope of the Ethereum bounty program. Please see the BTC Relay Bounty Program and BTC Relay Spec for more info and specific scope.

2015-09-02: With Martin (@mhswende) finding another consensus protocol bug in the Python client, he has now climbed ahead of nickler and we've got a new leader on the leaderboard! We've also clarified the reference to the Python client and its scope in the bounty program (see link below in the references).

2015-07-30: As we are launching Frontier, we will keep the bounty program running during and at least until Homestead. One extension, and one change: from now on, core CPP libraries will be in scope as well. The genesis block inscription reward is changed to an entry in the namereg. Happy hunting!

2015-06-11: As the Ethereum clients have become more stable and secure, we're happy to announce that Proof-of-Work (Ethash) and the Go P2P implementation are now also in scope and eligible for rewards. The develop branch is the target.

2015-03-19: The bounty program will continue to run for at least the duration of the upcoming Ethereum Frontier release. Please see the Ethereum blog for more information about Frontier!

2015-02-27: These scripts by Jonas Nick can be useful to build the Ethereum Go client and test it. Please see the bash scripts for build instructions and the python script for a simple example of calling the JSON-RPC API. Please note the currently known issues.

2015-02-27: Another important vulnerability found by Jonas Nick. Awarded with 5 BTC, this exploit triggers a bug in the Ethereum VM to create ether out of thin air.

2015-01-30: Friendly reminder: Ethereum websites are out of scope for the bounty program and not eligible for rewards. With that said, we are grateful for submissions regarding website security and will work to fix those issues.
Please have a look at the bullets below before starting your hunt!

- Issues that have already been submitted by another user or are already known to the Ethereum team are not eligible for bounty rewards.
- Public disclosure of a vulnerability makes it ineligible for a bounty.
- You can start or fork a private chain for bug hunting. Please respect the Ethereum main and test networks and refrain from attacking them.
- Ethereum's core development team, employees and all other people paid by the Ethereum project, directly or indirectly, are not eligible for rewards.
- Anyone who works with the codebase as a professional Ethereum developer is not eligible for rewards.
- Ethereum websites or Ethereum Foundation infrastructure in general are NOT part of the bounty program.
- The Ethereum bounty program considers a number of variables in determining rewards.
- Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ethereum Foundation bug bounty panel.
The value of rewards paid out will vary depending on Severity. The severity is calculated according to the OWASP risk rating model, based on Impact and Likelihood:
Reward sizes are guided by the rules below, but are ultimately determined at the sole discretion of the Ethereum Foundation bug bounty panel.

- Critical: up to 25 000 points
- High: up to 15 000 points
- Medium: up to 10 000 points
- Low: up to 2 000 points
- Note: up to 500 points

1 point currently corresponds to 1 USD (payable in ETH or BTC), something which may change without prior notice.
OBS! Between 2017-09-19 and the Byzantium hard fork on Mainnet, each point corresponds to 2 USD for issues related to cross-client consensus or geth DoS vulnerabilities.
Beyond monetary rewards, each bounty is also eligible for listing on our leaderboard, with points accumulating over the course of the program.
In addition to Severity, other variables are also considered when the Ethereum Foundation bug bounty panel decides the score, including (but not limited to):

- Quality of description. Higher rewards are paid for clear, well-written submissions.
- Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward. Please see the wiki and repos to learn more about our test suite in the official documentation.
- Quality of fix, if included. Higher rewards are paid for submissions with a clear description of how to fix the issue.
Important Legal Information
The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc.). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.
Our bug bounty program spans end-to-end: from soundness of protocols (such as the blockchain consensus model, the wire and p2p protocols, proof of work, etc.) and protocol/implementation compliance to network security and consensus integrity. Classical client security as well as security of cryptographic primitives are also part of the program. When in doubt, send an email to email@example.com and ask us.
Below, some guidance can be found on what we are generally interested in hearing about.
Geth is an Ethereum client written in Go. Areas that generally are in scope are:

- Consensus protocol compliance: are there any flaws that could make Geth deviate from consensus? This includes EVM operations, precompiles, block validation etc.
- Account management flaws: flaws which could put end-user accounts at risk.
- DoS issues: flaws that make Geth crash or perform very slowly. Includes suboptimal EVM operation and failure to handle attacks on the protocol stack.

Some areas of Geth are 'experimental', and not yet enabled by default. Yes, these are also covered, but the 'Impact' of issues in the areas below may be counted as low.
The LES (light client) components of Geth are twofold: server and client. For LES, we are interested in:

- LES Server or Client: RCE-type vulnerabilities
- LES Server: DoS vulnerabilities

Py-evm is a Python implementation of the Ethereum Virtual Machine, and the basis for Trinity. The Trinity client is currently in an alpha release stage and is not suitable for mission-critical production use cases. Both of these components are included in the bounty scope, but any issues reported may have a lowered Impact, since there are already known issues and they are not considered production releases.
Solidity language security
See the Solidity SECURITY.MD for more information about what is covered in this scope.
Solidity does not maintain security guarantees regarding compilation of untrusted input, and we do not issue rewards for crashes of the solc compiler on maliciously generated data.
Out of scope
Whisper
Whisper is out of scope.
LLL language security
LLL is not covered in the bug bounty.
Pyethereum is a legacy Ethereum implementation, and the basis for the Pyethapp Python client implementation. Both of these are now deprecated, in favour of py-evm/Trinity, and are no longer in scope of the bounty program.
Vyper language security
The Vyper language is a new, experimental programming language for the EVM. It is still beta software, and as such is not expected to be bug-free, and is therefore not covered in the bug bounty.
Swarm was once a part of geth, but has since moved out to its own organisation.
EthereumJ
EthereumJ is a legacy pure-Java implementation of the Ethereum protocol, and the basis of Harmony, but is not actively maintained.
Aleth is an implementation of an Ethereum node in C++. This client is not covered, as development has ceased and Aleth is not going to implement future forks.
ENS is maintained by the ENS foundation, and is not part of the bounty scope.
Clients not developed by the Ethereum Foundation would generally not be covered by the bounty program. For Parity, please visit their bounty program.
ERC20 contract bugs are generally not covered in the bounty scope. However, we will help reach out to affected parties, such as authors or exchanges, in such cases.
Our infrastructure, including webpages, DNS, email etc., is not part of the bounty scope.
So, what should a good vulnerability submission look like?
Here is an example of a real issue which was previously present in the Go client:
Description: Remote Denial-of-Service using non-validated blocks
Attack scenario: An attacker can send blocks that may require a high amount of computation (the maximum gasLimit) but have no proof-of-work. If the attacker sends blocks continuously, the attacker may force the victim node to 100% CPU utilization.
Impact: An attacker can abuse CPU usage on remote nodes, possibly causing full DoS.
Components: Go client version v0.6.8
Reproduction: Send a block to a Go node that contains many txs but no valid PoW.
Details: Blocks are validated in the method Process(Block, dontReact). This method performs expensive CPU-intensive tasks, such as executing transactions (sm.ApplyDiff), and only later verifies the proof-of-work (sm.ValidateBlock()). This allows an attacker to send blocks that may require a high amount of computation (the maximum gasLimit) but have no proof-of-work. If the attacker sends blocks continuously, the attacker may force the victim node to 100% CPU usage.
Fix: Invert the order of the checks.
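The point of the example report above is the ordering of checks: a cheap, unforgeable validation (proof-of-work) must run before any expensive work (transaction execution), otherwise unauthenticated peers can make the node burn CPU for free. The following Go program is an added illustration of that fix, not code from geth or from the report; the block layout, the toy proof-of-work target (first hash byte must be zero) and the function names (processVulnerable, processFixed, findNonce) are constructed assumptions and do not correspond to geth's Process/ApplyDiff/ValidateBlock. It measures how much "work" each ordering spends on a block whose proof-of-work is invalid.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Block is a constructed, simplified block: header bytes, a nonce and a
// transaction count. It is not geth's block type.
type Block struct {
	Header []byte
	Nonce  uint64
	Txs    int
}

// ErrInvalidPoW is returned when the block does not meet the toy target.
var ErrInvalidPoW = errors.New("invalid proof-of-work")

// validPoW is a toy proof-of-work check (assumption): sha256(header || nonce)
// must start with a zero byte. Cheap to verify, costly to forge.
func validPoW(b *Block) bool {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, b.Nonce)
	sum := sha256.Sum256(append(append([]byte{}, b.Header...), buf...))
	return sum[0] == 0
}

// applyTransactions stands in for the expensive state transition. It returns
// the number of work units spent so the two orderings can be compared.
func applyTransactions(b *Block) int {
	work := 0
	for i := 0; i < b.Txs; i++ {
		work++ // one unit per transaction; in a real node this is EVM execution
	}
	return work
}

// processVulnerable mirrors the ordering the report describes: execute all
// transactions first, verify proof-of-work afterwards. An invalid block still
// costs the full execution price before it is rejected.
func processVulnerable(b *Block) (int, error) {
	work := applyTransactions(b)
	if !validPoW(b) {
		return work, ErrInvalidPoW
	}
	return work, nil
}

// processFixed applies the fix ("invert the order of the checks"): reject a
// block with bad proof-of-work before doing any expensive work.
func processFixed(b *Block) (int, error) {
	if !validPoW(b) {
		return 0, ErrInvalidPoW
	}
	return applyTransactions(b), nil
}

// findNonce returns the first nonce whose toy proof-of-work validity equals
// wantValid, so sample blocks can be built deterministically.
func findNonce(header []byte, wantValid bool) uint64 {
	for n := uint64(0); ; n++ {
		if validPoW(&Block{Header: header, Nonce: n}) == wantValid {
			return n
		}
	}
}

func main() {
	header := []byte("constructed-header") // constructed sample input
	bad := &Block{Header: header, Nonce: findNonce(header, false), Txs: 1000}

	w, err := processVulnerable(bad)
	fmt.Printf("vulnerable ordering: work=%d err=%v\n", w, err) // work=1000
	w, err = processFixed(bad)
	fmt.Printf("fixed ordering:      work=%d err=%v\n", w, err) // work=0

	good := &Block{Header: header, Nonce: findNonce(header, true), Txs: 10}
	w, err = processFixed(good)
	fmt.Printf("fixed, valid block:  work=%d err=%v\n", w, err) // work=10
}
```

The same principle applies to any validation pipeline exposed to unauthenticated peers: order checks by cost, cheapest and most discriminating first, so that an invalid message is rejected before it can consume resources.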
So, the bug bounty program is time limited?
No end date is currently set. See the "News & Updates" section above, and the Ethereum blog for the latest news.
How are bounties paid out?
Rewards are paid out in ETH or BTC after the submission has been validated, usually a few days later. Local laws require us to ask for proof of your identity. In addition, we will need your ETH/BTC address.
Can I donate my reward to charity?
Yes. We can donate your reward to an established charitable organisation of your choice.
I reported an issue / vulnerability but have not received a response!
We aim to respond to submissions as fast as possible. Feel free to email us if you have not received a response within a day or two.
I want to be anonymous / I do not want my name or nick on the leaderboard.
Submitting anonymously or with a pseudonym is OK, but will make you ineligible for BTC rewards. To be eligible for BTC rewards, we require your real name and proof of your identity. Donating your bounty to a charity does not require your identity.
Please let us know if you do not want your name/nick displayed on the leaderboard.
What are the points in the leaderboard?
Every found vulnerability / issue is assigned a score. Bounty hunters are ranked on our leaderboard by total points.
I have further questions.
Email us at firstname.lastname@example.org.
Do you have a PGP key?
Please use AE96 ED96 9E47 9B00 84F3 E17F E88D 3334 FA5F 6A0A
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQINBFgl3tgBEAC8A1tUBkD9YV+eLrOmtgy+/JS/H9RoZvkg3K1WZ8IYfj6iIRaY
-----END PGP PUBLIC KEY BLOCK-----