According to the Ethereum Foundation, identifying “critical bugs” — those that have a high impact or likelihood of a high impact on the blockchain — will be worth up to $1 million.
The Ethereum Foundation has announced it will be increasing the network’s bug bounty payouts fourfold ahead of the blockchain’s transition to proof-of-stake.
In a Wednesday blog post, the Ethereum Foundation said between Aug. 24 and Sept. 8, all “Merge-related bounties for vulnerabilities” will be quadrupled for white hats testing the network. According to the foundation, identifying “critical bugs” — those that have a high impact or likelihood of a high impact on the blockchain — will be worth up to $1 million. The bounty program also allows submissions for low, medium and high-risk bugs.
• Merge Bug Bounty Bonus: There is a 4X MULTIPLIER between now and 08 September on all bounties and vulnerabilities, with critical bugs worth up to $1mm USD— Joseph Schweitzer | (@JBSchweitzer) August 24, 2022
• See full post for updated Execution Layer (EL) and Consensus Layer (CL) client links, more on The Merge, and an FAQ
As part of the transition to proof-of-stake, the foundation said the Ethereum Network “must first be activated on the Beacon Chain with the Bellatrix upgrade,” an event expected to happen on Sept. 6, with the Merge likely following between Sept. 10 and 20. Core developers previously announced a tentative Merge date of Sept. 15 when the Total Terminal Difficulty, or TTD — the difficulty of the final mined block — will trigger the end of proof-of-work and the start of proof-of-stake.
“The incremental difficulty added per block is dependent on the network hash rate, which is volatile,” said the foundation. “If more hash rate joins the network, TTD will be reached sooner. Similarly, if hash rate leaves the network, TTD will be reached later."
The foundation added that Ether (ETH) holders and users largely did not need to take any action prior to the Merge other than to “be on the lookout for scams.” Mining will no longer be possible following the transition, while stakers and node operators will both need to run an execution layer client, with the latter doing so with a consensus layer client.
In July 2020, the Ethereum Foundation announced it had launched public “attack networks” for Ethereum 2.0 for white hats to attempt to exploit potential issues in the clients, offering a $5,000 bounty at the time. However, in August 2021, a vulnerability affecting earlier versions of one of Ethereum's software clients, Geth, caused more than half the network’s nodes to split. The Merge will require the latest version of Geth as an execution client.
Other projects have offered up to $1 million or more in bug bounties aimed at finding exploits resulting in the theft or risk of losing millions, as Sky Mavis did in April 2022 following a $600-million hack on the Ronin Network. In June, Ethereum bridging and scaling solution Aurora paid a $6-million bounty to a white hat hacker who discovered a critical bug.