
Open for submissions

Consensus layer bug bounties 🐛
Earn up to $50,000 USD and a place on the leaderboard by finding consensus layer protocol and client bugs.

Clients featured in the bounties

Valid bugs

This bug bounty program is focused on finding bugs in the core consensus layer Beacon Chain specification and the Lighthouse, Nimbus, Teku, Prysm, and Lodestar client implementations.


The Beacon Chain specification bugs

The Beacon Chain specification details the design rationale and proposed changes to Ethereum via the Beacon Chain upgrade.

Read the full spec

It might be helpful to check out the following annotations:

Types of bugs

  • Safety/finality-breaking bugs
  • Denial of service (DOS) vectors
  • Inconsistencies in assumptions, like situations where honest validators can be slashed
  • Calculation or parameter inconsistencies

Consensus layer client bugs

The clients will run the Beacon Chain once the upgrade has been deployed. Clients will need to follow the logic set out in the specification and be secure against potential attacks. The bugs we want to find are related to the implementation of the protocol.

Currently Lighthouse, Nimbus, Teku, and Prysm bugs are eligible for the full bounty rewards. Lodestar is also eligible, but until further audits have been completed the points and rewards are limited to 10% (max payout is 5,000 DAI). More clients may be added as they complete audits and become production ready.

Types of bugs

  • Spec non-compliance issues
  • Unexpected crashes or denial of service (DOS) vulnerabilities
  • Any issues causing irreparable consensus splits from the rest of the network

Helpful links

Prysm
Lighthouse
Teku
Nimbus
Lodestar

Not included

The Merge and shard chain upgrades are still in active development and so are not yet included as part of this bounty program.

Submit a bug

For each bug you find you’ll be rewarded points. The points you earn depend on the severity of the bug. Lodestar bugs are currently awarded 10% of the points listed below while additional audits are completed. The Ethereum Foundation (EF) determines severity using the OWASP method. View OWASP method

The EF will also award points based on:

Quality of description: Higher rewards are paid for clear, well-written submissions.

Quality of reproducibility: Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.

Quality of fix, if included: Higher rewards are paid for submissions with a clear description of how to fix the issue.

Points Exchange


The Ethereum Foundation will pay out the value of USD in ETH or DAI.

The Ethereum Foundation reserves the right to change this without prior notice.

Low: up to 1,000 points (up to 2,000 DAI)

Severity
  • Low impact, medium likelihood
  • Medium impact, low likelihood

Example: Attacker can sometimes put a node in a state that causes it to drop one out of every one hundred attestations made by a validator.

Medium: up to 5,000 points (up to 10,000 DAI)

Severity
  • High impact, low likelihood
  • Medium impact, medium likelihood
  • Low impact, high likelihood

Example: Attacker can successfully conduct eclipse attacks on nodes with peer-ids with 4 leading zero bytes.

High: up to 10,000 points (up to 20,000 DAI)

Severity
  • High impact, medium likelihood
  • Medium impact, high likelihood

Example: There is a consensus bug between two clients, but it is difficult or impractical for the attacker to trigger the event.

Critical: up to 25,000 points (up to 50,000 DAI)

Severity
  • High impact, high likelihood

Example: There is a consensus bug between two clients, and it is trivial for an attacker to trigger the event.

Bug hunting rules

The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.

  • Issues that have already been submitted by another user or are already known to spec and client maintainers are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty.
  • Ethereum Foundation researchers and employees of consensus layer client teams are not eligible for rewards.
  • The Ethereum bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ethereum Foundation bug bounty panel.

Questions?

Email us: [email protected]
