Ethereum Foundation Bug Bounty Program

A burn in ETH is required to submit a report in order to prevent spam.

Before submitting

Visit bounty.ethereum.org to see what is and what is not in scope.

Websites and other things not listed on bounty.ethereum.org are not in scope and will be ignored.

⚠ Important A reproducible proof of concept is mandatory: either a Kurtosis-based PoC that spins up a local devnet, or a state test (EVM/goevmlab). Plain unit tests will not be accepted, as they cannot capture realistic node behavior such as inter-client interactions and in-protocol defense mechanisms.

⚠ Compiler bugs For Solidity/Vyper compiler bugs, a Kurtosis or state test is not required. Instead provide the source that triggers the miscompilation, the exact affected compiler versions, a comparison against a version that behaves correctly, and step-by-step reproduction. Optionally, point to any live contracts vulnerable to it.

The following resources should help you get started:

Important: Due to a large increase in reports, response time is likely to be multiple days.

Report details

Do not include personal identifiable information that is unrelated to the vulnerability.

Full Name Email Address Wallet Address

Address to receive potential reward.

Leaderboard name

Name to display on the leaderboard. You may use a pseudonym.

Github Username

Github account to link to on the leaderboard.

Reward

ETH or DAI for reward.

Target Severity

Vulnerable Version or Commit

Release, tag, commit SHA, or client version where the issue was confirmed.

Bug Report Title Short Description

One sentence description of the vulnerability.

Attack Scenario

In what scenario would this be an issue?

Impact

Describe the effect this may have in a production setting.

Components

Point to the files, functions, and/or specific line numbers where the bug occurs.

Proof of Concept

A clear proof of concept is required. Without a clear reproducible attack, the issue will be ignored, and there is no refund. A Kurtosis-based PoC is preferred as it makes the bug clear and easily reproducible, but a state test (EVM/goevmlab) is also accepted.

Suggested Fix

Description of suggested fix, if available.

Additional Information

Any details not covered above.

Ethereum Foundation Bug Bounty Program

Before submitting

Report details

Submit bug report

Select wallet

Report submitted

Confirm your Proof of Concept