Bug Bounty
Details of the Ethereum Foundation's bug bounty program for Account Abstraction.
The Ethereum Foundation (EF) launched a dedicated bug bounty program in September 2024 to help secure the Account Abstraction (ERC-4337) ecosystem. The program is hosted on HackenProof and offers rewards of up to $250,000 for critical vulnerabilities.
๐ฏ Scope and Goals
The bounty program encourages security researchers to:
Identify vulnerabilities in the ERC-4337 and ERC-7562 specs
Find bugs in the reference implementation
Help prevent denial-of-service and validation bypass exploits
๐ In-Scope Targets
Reference Implementation (core and utils directories)
๐จ Only versions v0.6.0, v0.7.0, and v0.8.0 are eligible for rewards.
๐งช Focus Areas
Critical validation flaws
Inconsistencies in simulation vs on-chain behavior
Gas griefing or refund abuse
Low-cost attack vectors to ban staked actors
๐ฐ Reward Tiers
Critical
$100,000 โ $250,000
Bypass validation, steal deposits
High
$25,000 โ $50,000
DoS a bundle post-validation
Medium
$5,000 โ $10,000
Mempool attack not covered by 7562
Low
$1,000 โ $2,000
Minor overpayment bugs
โ Out of Scope
Attacks on specific bundlers or Paymasters
Network-level DoS (e.g. flooding peers)
General libp2p vulnerabilities
๐ Rules
Submit reproducible reports through HackenProof
Testing must avoid harming live deployments
KYC required for reward disbursement
First reporter wins โ no duplicate rewards
Public disclosure requires EF approval
๐ Timelines
Response: Within 3 business days
Triage: 14 business days
Reward: 14 business days
Fix: Within 90 business days
For full terms and submission portal, visit: ๐ Account Abstraction Bug Bounty on HackenProof
โ
Summary
The bug bounty protects the ERC-4337 ecosystem at the infrastructure level. With high rewards and focused targets, it invites researchers to help harden smart wallet safety and simulation integrity.
Last updated