Ethereum Foundation Discloses Second Batch of Patched Vulnerabilities, Including $50,000 Beacon Node Crash Bug
The Ethereum Foundation published its fifth installment of the "Secured" security series on May 3, 2023, revealing a new batch of previously patched vulnerabilities reported through its Bug Bounty Program. The "Secured" series is a recurring Ethereum Foundation blog publication that publicly catalogues confirmed and fixed security flaws submitted by external researchers. Every flaw in the disclosure had been remediated before any related network upgrade went live.

The release marks the second time the Foundation has publicly catalogued confirmed and fixed security flaws, following the first batch published in March 2022. The disclosures cover bugs across nine Ethereum client implementations, including Geth, Lighthouse, Prysm, Teku, Besu, Nimbus, Lodestar, Nethermind, and Erigon. The Bug Bounty Program's scope extends beyond client software to include the Deposit Contract, Execution Layer and Consensus Layer specifications, and Solidity, among other components. All findings are archived in the public repository at github.com/ethereum/public-disclosures.
Highest Payout: $50,000 for a Beacon Node Crash
The largest single reward in this disclosure period went to a researcher identified only as "scio," who received $50,000 for finding that Lighthouse beacon nodes could be taken offline remotely. The attack involved sending a maliciously crafted BlocksByRange message with an abnormally large count value, which would cause the node to crash. This is a denial-of-service vulnerability: an attacker does not need to compromise a node directly but can simply send it a request it cannot handle. The Foundation confirmed the flaw was patched before the relevant network upgrades went live.
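BlocksByRange is the peer-to-peer request one beacon node uses to ask another for a contiguous run of blocks, so the defensive lesson from this finding is generic: bounds-check the request before allocating or reading anything for it. The snippet below is an added example written for this article; it is not Lighthouse code and does not reproduce the patch. The field names (start_slot, count, step) and the MAX_REQUEST_BLOCKS = 1024 limit follow the public Ethereum consensus p2p specification; treat the exact cap as an assumption if your client tracks a different spec version.

```python
"""Bounds-check a BlocksByRange request before doing any work on it.

Added example for this article, not client code. Field names and the
MAX_REQUEST_BLOCKS cap follow the Ethereum consensus p2p spec (assumed value).
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_REQUEST_BLOCKS = 1024      # spec cap on blocks per BlocksByRange response
UINT64_MAX = 2**64 - 1         # slot numbers are uint64


@dataclass(frozen=True)
class BlocksByRangeRequest:
    start_slot: int
    count: int
    step: int = 1              # deprecated in later spec versions; kept at 1


def check_request(req: BlocksByRangeRequest) -> Optional[str]:
    """Return None if the request is acceptable, else the reason to reject it.

    Every check runs before any allocation or database access, so an oversized
    or overflowing `count` is answered with an error instead of a crash.
    """
    if req.start_slot < 0 or req.start_slot > UINT64_MAX:
        return "start_slot is not a valid uint64"
    if req.count < 1:
        return "count must be at least 1"
    if req.step < 1:
        return "step must be at least 1"
    if req.count > MAX_REQUEST_BLOCKS:
        # Never size a buffer from an unchecked count; reject (clamping to the
        # cap is the other acceptable choice).
        return f"count exceeds MAX_REQUEST_BLOCKS ({MAX_REQUEST_BLOCKS})"
    last_slot = req.start_slot + (req.count - 1) * req.step
    if last_slot > UINT64_MAX:
        return "requested slot range overflows uint64"
    return None


def slots_to_serve(req: BlocksByRangeRequest) -> List[int]:
    """Slots the node will look up, computed only after validation passed.

    The list is bounded by MAX_REQUEST_BLOCKS, so memory use is bounded too.
    """
    reason = check_request(req)
    if reason is not None:
        raise ValueError(reason)
    return [req.start_slot + i * req.step for i in range(req.count)]


if __name__ == "__main__":
    # Constructed sample requests: one normal, one with an absurd count.
    for sample in (BlocksByRangeRequest(100, 3, 2),
                   BlocksByRangeRequest(0, UINT64_MAX)):
        print(sample, "->", check_request(sample) or "ok")
```

A node that rejects the request also has enough information here to downscore or disconnect the peer that sent it; the check itself is what keeps the process alive.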
The Foundation also disclosed a class of consensus-layer attacks capable of triggering extended chain reorganizations, meaning blocks that were already added to the blockchain could be set aside in favour of a competing chain.
Two specific variants were identified: unrealized justification reorgs and justification withholding reorgs. The first allowed a block proposer to orphan up to nine blocks from a prior epoch. The second could displace an arbitrary number of blocks at epoch boundaries. The root cause was a timing gap in how Ethereum's Casper FFG (Friendly Finality Gadget) processes data: FFG information is only processed on-chain at epoch boundaries, creating an exploitable window during which the attack could be mounted. The technical details of the fork choice vulnerability are documented in a disclosure post by Ethereum researcher djrtwo at notes.ethereum.org/@djrtwo/2023-fork-choice-reorg-disclosure.
Researchers began analyzing these attack vectors in April 2022, and all patches were in place by early 2023.
"All vulnerabilities added to the disclosures catalogue were patched prior to the latest hardforks on the Execution Layer and Consensus Layer," the Foundation stated in the blog post.
Program Scale and Leaderboard
The bug bounty program offered a base maximum payout of $250,000 as of the disclosure period. During active upgrade windows, that ceiling doubles to $500,000. During the lead-up to The Merge in 2022, the program briefly offered up to $1,000,000 per valid report. This represents a 10x increase over the previous consensus-layer maximum and a 20x increase over the prior execution-layer cap, both of which were raised when the two separate programs merged in May 2022.
Researcher Guido Vranken held the top position on the Bug Bounty Leaderboard during this period, accumulating the highest points total through multiple valid reports. Vranken is known for using differential fuzzing, a technique that runs the same operation across multiple cryptographic libraries simultaneously and flags discrepancies that often indicate bugs. Two other researchers, identified as "nrv" and "PwningEth," chose to donate their bounty rewards to charity.
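The harness below shows the shape of differential fuzzing in working code. It is an added example written for this article, not Vranken's tooling or any Ethereum client code: two implementations of modular exponentiation (Python's built-in pow as the reference, and a constructed square-and-multiply candidate with a deliberate edge-case bug) are fed the same seeded inputs, and every disagreement, including one side raising where the other returns, is recorded.

```python
"""Differential fuzzing harness: run several implementations of one operation
on identical inputs and report every disagreement.

Added example, not from any real fuzzer or client. The candidate modexp is a
constructed toy with a planted edge-case bug so the harness has something to find.
"""
import random
from typing import Callable, Dict, Iterable, List, Tuple

Outcome = Tuple[str, object]                     # ("ok", value) or ("error", name)
Impl = Tuple[str, Callable[..., object]]         # (name, function)


def modexp_reference(base: int, exp: int, mod: int) -> int:
    return pow(base, exp, mod)


def modexp_candidate(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply. Planted bug: result starts at 1 instead of 1 % mod,
    so (anything, exp=0, mod=1) returns 1 where pow() correctly returns 0."""
    result = 1
    base %= mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def run_one(fn: Callable[..., object], args: tuple) -> Outcome:
    """Run fn, capturing exceptions as outcomes so crashes are compared too."""
    try:
        return ("ok", fn(*args))
    except Exception as exc:            # noqa: BLE001 - any failure is data here
        return ("error", type(exc).__name__)


def differential_fuzz(impls: List[Impl], inputs: Iterable[tuple]) -> List[Tuple[tuple, Dict[str, Outcome]]]:
    """Return every input on which the implementations did not all agree."""
    discrepancies = []
    for args in inputs:
        outcomes = {name: run_one(fn, args) for name, fn in impls}
        if len({repr(o) for o in outcomes.values()}) > 1:
            discrepancies.append((args, outcomes))
    return discrepancies


def modexp_inputs(seed: int, iterations: int):
    """Seeded generator: a fixed edge-case corpus first, then random triples
    biased toward small values so boundary conditions are hit often."""
    rng = random.Random(seed)
    corpus = [(0, 0, 1), (2, 0, 1), (1, 1, 1), (0, 0, 2), (5, 0, 7),
              (2**64 - 1, 2**64 - 1, 2**61 - 1)]
    yield from corpus
    for _ in range(iterations):
        bits = rng.choice([4, 16, 64, 256])
        base = rng.getrandbits(bits)
        exp = rng.getrandbits(rng.choice([2, 8, 64]))
        mod = rng.getrandbits(bits) or 1      # modulus must be >= 1
        yield (base, exp, mod)


def run_campaign(seed: int = 1, iterations: int = 2000):
    impls = [("pow", modexp_reference), ("candidate", modexp_candidate)]
    return differential_fuzz(impls, modexp_inputs(seed, iterations))


if __name__ == "__main__":
    for args, outcomes in run_campaign()[:5]:
        print(args, outcomes)
```

The technique needs no knowledge of what the correct answer is: agreement between independent implementations is the oracle, and the seeded generator plus fixed corpus makes every reported case reproducible, which is what a bug report to a client team needs.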
Why Client Diversity Is Not Just Theory
Eight days after the Secured #5 publication, on May 11, 2023, the Ethereum Beacon Chain lost finality twice within a single 24-hour period. Finality refers to the point at which a block is considered permanently confirmed and cannot be reversed. Bugs in how the Prysm and Teku clients processed old-target attestations (validator votes) caused both outages, lasting 25 minutes and over an hour respectively. On-chain data from Glassnode recorded 253 missed blocks over the two-day window.
Critically, nodes running other clients, including Lighthouse, continued operating normally. At the time, Prysm held roughly 39.8% of the consensus-layer validator market and Geth approximately 58% of the execution layer, according to clientdiversity.org. Teku held a smaller but significant share of the consensus layer, meaning the combined exposure from the two failing clients was substantial.
Post-mortems noted that client diversity prevented a far worse outcome: because not all implementations were affected, the network remained recoverable.
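The threshold behind these post-mortems can be made concrete. Casper FFG finalizes a checkpoint only when at least two thirds of active stake attests to it, so any set of clients whose validators stop attesting and together hold more than one third stalls finality until they recover, and a single client above two thirds could finalize a faulty chain on its own. The calculator below is an added example for this article, not code from any client or from clientdiversity.org; the 39.8% Prysm figure is the one quoted above, and every other share is a constructed placeholder.

```python
"""Finality exposure from client concentration.

Added example for this article. Thresholds are the Casper FFG 2/3 supermajority
rule; the Prysm share is from the article, all other shares are constructed.
"""
from fractions import Fraction
from typing import Dict, Iterable, List

# Constructed consensus-layer validator shares that sum to 1.
# Only "prysm" is the figure quoted in the article; the rest are placeholders.
SHARES: Dict[str, Fraction] = {
    "prysm": Fraction(398, 1000),
    "lighthouse": Fraction(330, 1000),
    "teku": Fraction(170, 1000),
    "nimbus": Fraction(60, 1000),
    "lodestar": Fraction(42, 1000),
}

SUPERMAJORITY = Fraction(2, 3)


def finality_status(shares: Dict[str, Fraction], failing: Iterable[str]) -> str:
    """Classify the network if every validator on `failing` clients stops
    attesting correctly at the same time."""
    failing = set(failing)
    healthy = sum((v for k, v in shares.items() if k not in failing), Fraction(0))
    failed = sum(shares.values(), Fraction(0)) - healthy
    if healthy >= SUPERMAJORITY:
        return "finalizing"                 # enough honest stake to finalize
    if failed > SUPERMAJORITY:
        return "supermajority at risk"      # buggy clients could finalize a bad chain
    return "finality stalled"               # >1/3 missing: liveness failure, recoverable


def clients_that_can_stall_alone(shares: Dict[str, Fraction]) -> List[str]:
    """Clients whose share alone exceeds one third of stake."""
    return sorted(k for k, v in shares.items() if v > 1 - SUPERMAJORITY)


if __name__ == "__main__":
    for failing in ({"nimbus"}, {"prysm"}, {"prysm", "teku"}):
        print(sorted(failing), "->", finality_status(SHARES, failing))
    print("can stall alone:", clients_that_can_stall_alone(SHARES))
```

The May 2023 outcome matches the middle case: with Prysm and Teku both degraded the chain stopped finalizing but kept producing blocks, and once the attestation backlog cleared the healthy two-thirds was restored. The calculation is also why operators are asked to keep every client below one third.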
India, Nigeria, and Kenya
For node operators and developers in India, Nigeria, and Kenya, where Ethereum developer communities are expanding rapidly, the practical implications of these disclosures are concrete. India ranks second globally for Web3 developers. According to web3africa.tech, Nigeria added over 16,000 developers to the Ethereum ecosystem, accounting for roughly half of Africa's Web3 talent.
Validators in these regions running Prysm or Teku during the May 2023 incident would have experienced the consequences of client concentration directly.
Shifting toward minority clients such as Lighthouse, Nimbus, or Lodestar reduces exposure when dominant-client bugs surface. Regional training infrastructure, including Web3Bridge in Nigeria and bootcamp ecosystems in India, provides developers with established pathways into the ecosystem. The bug bounty program also represents a direct income opportunity for skilled security researchers in these markets, where the $250,000 ceiling compares favorably to local tech compensation benchmarks.
The Ongoing Process
The Foundation targets public disclosure within 90 days of receiving and validating a report. The coordinated process involves cross-checking whether a given flaw affects multiple clients before any public announcement.
The May 2023 finality incident, arriving so soon after a disclosure batch confirming that the patching process works, illustrates that Ethereum's security posture is a continuous, distributed effort.
Running patched, diverse client software is the most direct way developers and validators anywhere in the world can contribute to that effort.