The Ethereum Foundation has awarded a $50,000 bug bounty—the highest possible amount—to researchers who uncovered a significant security vulnerability affecting the Ethereum blockchain. This flaw, revealed on Thursday, pertains to the ERC4337 standard, which facilitates account abstraction features.
The vulnerability allowed malicious actors to deliberately cause specific account-abstraction transactions to revert, resulting in unnecessary gas fees despite the transactions being valid and properly signed. Trust Security, the firm that reported the issue, expressed gratitude in a post on X, stating, “Huge thanks to the EF for handling the issue responsibly and granting us a $50k bounty, the maximum high-severity award.”
According to the Ethereum Foundation, this vulnerability is categorized as a “censorship and griefing vector,” rather than a direct threat to funds. The foundation confirmed that the issue has been addressed in the latest software release. At the time of the discovery, the usage of the affected ERC4337 transaction type was relatively low, limiting the potential real-world impact. In the last week, approximately 1.7 million transactions of this kind were executed, representing 9% of all Ethereum transactions during that timeframe.
The Ethereum Foundation warned that fixing the vulnerability before adoption grows further was essential. The code underpinning most decentralized finance (DeFi) applications is open source, allowing anyone to examine and modify it. While this transparency supports community-driven audits and collaboration, it also lets attackers study the same code for weaknesses.
Bug bounty programs play a crucial role in safeguarding open-source projects by paying for the discovery of errors or weaknesses. The platform Immunefi, a leader in crypto bug bounties, reports over $125 million in total payouts. Alongside the Ethereum Foundation's $50,000 bounty, Trust Security also collected an additional $59,500 from various DeFi applications that use ERC4337.
Account abstraction enhances the functionality of Ethereum by enabling programmable transactions, which can facilitate features like scheduled payments. The root cause of the vulnerability was an incorrect assumption in the ERC4337 code: developers assumed that every account-abstraction transaction, once validated, would execute like a standard Ethereum transaction. In practice, an attacker could target pending transactions that interact with protocols using reentrancy protection and force them to revert, so the sender still paid gas for a transaction that accomplished nothing.
The fix restricts specific contract functions so that they can only be called from wallets that are not account-abstraction accounts. The Ethereum Foundation has urged all protocols utilizing ERC4337 to upgrade to the latest version immediately.
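As an added illustration, and not code from the ERC4337 EntryPoint contracts, Trust Security, or the Ethereum Foundation, the following Python model reproduces the class of griefing the article describes: a protocol guarded by a reentrancy lock, a batch executor that charges the sender for every operation it runs whether or not execution succeeds, and an attacker operation that forces a victim's pending operation to hit the lock. The specific mechanism modelled here (re-entering the batch function from inside the attacker's operation, which the hardened version refuses because the caller is then an account-abstraction wallet) is an assumption chosen to match the article's description of the fix; the gas figure, the class, function and account names, and the two scenarios are constructed for the example.

```python
"""Toy model of a reentrancy-guard griefing vector against batched user operations.

Constructed example. It is not the ERC4337 EntryPoint and does not model
signatures, nonces or real gas metering; it keeps only the parts needed to
show why a valid operation can fail and still cost its sender gas.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

GAS_PER_OP = 100_000  # constructed flat charge per executed op (real accounting is per gas used)


class Reverted(Exception):
    """Stands in for an EVM revert."""


@dataclass
class GuardedProtocol:
    """A DeFi-style contract whose entry function is protected by a reentrancy lock."""
    locked: bool = False
    deposits: dict = field(default_factory=dict)

    def deposit(self, caller: str, hook: Optional[Callable[[], None]] = None) -> None:
        if self.locked:                       # the reentrancy protection the article refers to
            raise Reverted("ReentrancyGuard: reentrant call")
        self.locked = True
        try:
            if hook is not None:
                hook()                        # external call made while the lock is held
            # state is written only if the whole call (including the hook) succeeded
            self.deposits[caller] = self.deposits.get(caller, 0) + 1
        finally:
            self.locked = False


@dataclass
class UserOp:
    sender: str
    execute: Callable[[], None]               # the op's calldata, modelled as a callable


@dataclass
class EntryPoint:
    """Minimal batch executor: charges the sender for every op it runs, success or not."""
    hardened: bool
    gas_paid: dict = field(default_factory=dict)
    failed: list = field(default_factory=list)
    executing: bool = False

    def handle_ops(self, ops: list) -> None:
        # Assumed shape of the fix: the batch function refuses to be entered from inside
        # an op's execution, i.e. from an account-abstraction wallet, so only an ordinary
        # bundler transaction can drive it.
        if self.hardened and self.executing:
            raise Reverted("handleOps: must be called from a non-AA account")
        self.executing = True
        try:
            for op in ops:
                # gas is charged before execution and is not refunded on failure
                self.gas_paid[op.sender] = self.gas_paid.get(op.sender, 0) + GAS_PER_OP
                try:
                    op.execute()
                except Reverted as exc:       # execution failure is recorded, gas still paid
                    self.failed.append((op.sender, str(exc)))
        finally:
            self.executing = False


def run_scenario(hardened: bool) -> dict:
    """Run the griefing attempt against a vulnerable or hardened entry point."""
    protocol = GuardedProtocol()
    ep = EntryPoint(hardened=hardened)

    # Victim's pending op: a plain deposit, valid and properly signed (checks elided).
    victim_op = UserOp("victim", lambda: protocol.deposit("victim"))

    # Attacker's op: deposit, and from the callback that runs while the lock is held,
    # re-enter the entry point with the victim's op copied from the public mempool.
    attacker_op = UserOp(
        "attacker",
        lambda: protocol.deposit("attacker", hook=lambda: ep.handle_ops([victim_op])),
    )

    ep.handle_ops([attacker_op])              # the bundler's transaction
    if protocol.deposits.get("victim", 0) == 0 and hardened:
        ep.handle_ops([victim_op])            # still pending, so a normal bundle runs it
    return {
        "victim_gas": ep.gas_paid.get("victim", 0),
        "victim_deposited": protocol.deposits.get("victim", 0),
        "failed": ep.failed,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

In the vulnerable run the victim's operation reverts inside the guard and the victim is still charged GAS_PER_OP for a deposit that never happened; in the hardened run the nested call is rejected, the attacker's own operation is the one that fails and pays, and the victim's operation executes normally when a bundler includes it.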