Ethereum Foundation awards $50,000 to researchers who identified ‘high-severity’ attack vector

The Ethereum Foundation has awarded a $50,000 bug bounty, its maximum award, to researchers who identified a “high-severity” attack vector impacting the Ethereum blockchain.

The previously unseen attack vector, disclosed by the foundation on Thursday, affected ERC4337, the protocol that powers a feature called account abstraction.

It allowed a malicious actor to intentionally cause certain account-abstraction transactions to revert and pay for gas, even though they were valid and correctly signed.

“Huge thanks to the EF for handling the issue responsibly and granting us a $50k bounty, the maximum high-severity award,” Trust Security, the firm that identified the attack, said in an X post.

“This is a censorship and griefing vector, not a fund-theft vector,” the Ethereum Foundation said in a blog post, adding that the attack had been patched in its latest release.

At the time of discovery, use of the specific vulnerable ERC4337 transaction type was small, so the attack vector’s real-world impact was limited.

Ethereum users sent around 1.7 million vulnerable ERC4337 transactions over the past week, according to crypto data platform BundleBear.

That’s around 9% of all Ethereum transactions made during that period.

The issue was important to address before broader adoption amplifies its effects, the Ethereum Foundation said.

Bug bounties

The code that underpins the vast majority of the $135 billion DeFi sector is open source, meaning that anyone can inspect, modify, or enhance it freely.

This open-source ethos is viewed favourably by most crypto enthusiasts, as it enables community-driven audits, makes it easier for developers to collaborate, and allows users to verify that the code does what it is supposed to do.

But it’s also a double-edged sword.

Any vulnerabilities in open-source code are also visible to attackers, who could exploit them to steal funds or harm users.

That’s why bug bounties — rewards offered to people who identify errors or vulnerabilities in code — are critical to the security of open source code.

Immunefi, the largest crypto bug bounty platform, has paid out over $125 million in total, according to its website.

In addition to the $50,000 bounty from the Ethereum Foundation, Trust Security said it accepted an additional $59,500 in bounties from DeFi apps that rely on ERC4337.

Safe, the multi-signature wallet provider, and Biconomy, a crypto bridge, are among the biggest users of the vulnerable ERC4337 transaction type, though Trust Security has not yet said which apps it accepted bounties from.

Root cause

Account abstraction is a concept in Ethereum that enables programmable transactions, making features like scheduled payments possible.

The root cause of the problem was a hidden assumption in the ERC4337 code.

Developers assumed that all account abstraction transactions would run cleanly, isolated, and uninterrupted, just like normal Ethereum transactions.

In fact, an attacker could frontrun certain pending account abstraction transactions that interact with protocols with reentrancy protection, or that can be reverted through temporary state changes.

“This would cause the inner transaction to revert while paying for the spent gas, griefing account abstraction users,” the Ethereum Foundation’s blog post said.

To fix the issue, developers required that certain contract functions be called only from non-account abstraction wallets.

Protocols that use ERC4337 should upgrade to the newest release as soon as possible, the foundation said.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.