ETHEREUM Bounty Program

Protocol security

The idea for Ethereum was initially published in the White Paper. This concept has been realized in a few protocols and algorithms up for scrutiny:

• The blockchain consensus protocol, state engine and virtual machine as well as encodings and Merkle Patricia trees as specified in the Yellow Paper

Help identify flaws such as ones found in the yellow paper, relating to:

• Conceptual security issues in the formal specification of the Ethereum protocol.

• Misaligned / unintended economic incentives and game theoretic flaws.

• Security weaknesses / attacks on the PoW algorithm.

• A concrete example could be a contract that consumes very little gas but leads to a lot of computational effort effectively opening the door for DoS attacks.

Client protocol implementation security

Assuming that the protocols and algorithms are flawless, does a client implementation conform to the formal protocol specification? Issues could include:

• Validations of blocks, transactions and messages

• Ethereum Virtual Machine code execution

• Transaction execution

• Contract creation

• Message calls

• Calculation and enforcement of gas and fees

An example of a potential issue in this category is Bitcoin’s “zero-day” flaw, which required a hard-fork.

Network security

This category focuses on generalized attacks on the whole network or a subset of it:

• 51% and other X% attacks.

• Finney attacks.

• Sybil attacks.

• Replay attacks.

• Transaction / messages malleability.

• (global) DoS.

Here is an example from bitcoin of a global network based DoS scenario.

Node security

Attacks on a single Go client relating to the Ethereum protocol:

• DoS / resource abuse

• Account / wallet address gathering/probing

• Broadcast / withhold attacks

DoS example from bitcoin. DoS / Resource abuse example from bitcoin.

Solidity language security