Eco-friendly upgrade sends bounties soaring as computational demands plummet

Ethereum Foundation offers $1m bug bounty payouts with proof-of-stake migration multiplier

Bug bounty rewards for the Ethereum blockchain have quadrupled for a two-week period when related to the network’s transition to proof-of-stake.

The application of a fourfold multiplier to payouts means ethical hackers could earn up to $1 million for the submission of valid critical vulnerabilities.

The Ethereum Foundation announced yesterday (August 24) that the bonus would be applied with immediate effect and last until September 8.

Bellatrix upgrade

The transition from ‘proof-of-work’ to ‘proof-of-stake’ – a more energy-efficient consensus mechanism for processing transactions – “must first be activated on the Beacon Chain with the Bellatrix upgrade,” said the non-profit organization in a blog post.

“After this, the proof-of-work chain will migrate to proof-of-stake upon hitting a specific Total Difficulty value.”


Read more of the latest bug bounty news


The Bellatrix upgrade is scheduled for September 6, with the Terminal Total Difficulty value triggering the transition – which the Ethereum Foundation has dubbed ‘The Merge’ – expected between September 10-20.

The Ethereum Foundation also confirmed the date for the sunsetting of the Kiln testnet, first announced in June, as September 6. The Kiln testnet was launched in 2022 to provide a post-merge testing environment.

Rinkeby and Ropsten are also set to be deprecated before the end of the year, with users advised to migrate to the Goerli or Sepolia testnets.

As set out in the blockchain’s independently hosted bug bounty program, hackers ordinarily earn up to $250,000 for critical issues, $50,000 for high severity flaws, $10,000 for medium severity vulnerabilities, and $2,000 for low severity bugs.

In scope for the program are specification vulnerabilities such as denial-of-service (DoS) vectors or parameter inconsistencies, client issues like spec non-compliance or remote code execution vulnerabilities, bugs in the solidity repository or third-party dependencies that result in solidity-specific flaws, and flaws related to the Beacon Chain Deposit Contract.


RECOMMENDED Security researchers blast ‘ridiculous’ CrowdStrike bug disclosure practices