The Ethereum Fusaka Audit Contest

Test your skills against the best researchers in the world, and work to secure this year’s most important upgrade for the Ethereum network. Join the audit contest for a chance at your share of $2,000,000 in rewards.

Enter ContestLearn More
Image of audit dashboard for the Sherlock audit of Ethereum Fusaka

PRESENTED BY

Our Sponsors

This contest is made possible by the generous support of our platinum and general sponsors.

All Sponsors
Platinum Tier Sponsors
CONTEST DETAILS

Everything You Need to Know

Rewards Pool
$2,000,000
Distributed among top performers with guaranteed minimum payouts for valid submissions
Timeline icon of Ethereum Fusaka audit contest with Sherlock
Contest Timeline
Start Date
September 15th, 2025
End Date:
October 13th, 2025
Duration:
4 Weeks
Prize Distribution:
The prize distribution has 4 possible triggers
  • If one or more valid low severity findings are found, the total pot size is $50,000.
  • If one or more valid medium severity findings are found, the total pot size is $200,000.
  • If one or more valid high severity findings are found, the total pot size is $500,000.
  • If one or more valid critical severity findings are found, the total pot size is $2,000,000.
$25,000 of the prize pot is reserved for informational severity findings
Each informational severity finding is capped at $1,000.
Any remaining funds from this reserved pool will be added back to the primary prize pool.
Ethereum Fusaka Contest Multiplier: Early Report Multipliers
  • Valid Findings in Week 1:  2X MULTIPLIER
  • Valid Findings in Week 2: 1.5X MULTIPLIER
Join the Contest Now

CONTEST RULES

Rules & Information

Please read all rules carefully before participating. Violation of any rule may result in disqualification.

Build Instructions
All required build instructions are documented within their respective repositories.
POC
Mandatory POC rule applies for this competition. All submissions must have a POC at the time of submission.
Out of Scope
Typographical errors
Non-upgrade specific vulnerabilities.
High-effort (sustained, CPU or bandwidth intensive) single-peer DoS attacks.
All TODO items referenced in any of the codebases are considered known issues.
Any issue related to an open issue or PR in the respective repository
Findings not related to Fusaka code paths
CONTEST DETAILS

Severity Definitions and Judging

This competition is measuring the severity a vulnerability has on the entire Ethereum network. The Ethereum Foundation's Protocol Security team will assist in judging the findings and have the final word on all judging related decisions.

Critical severity finding in the Ethereum Fusaka audit contest from Sherlock
Critical Severity
Vulnerabilities that allow an attacker to slash more than 50% of validators, exploit an EIP/specification or client bug to easily create an infinite amount of ETH which is finalized by the network, steal ETH from all EOAs, burn ETH from all EOAs, or take down the entire network by sending a single malicious on-chain transaction that ends up crashing all clients.
High severity finding in the Ethereum Fusaka upgrade
High Severity
Vulnerabilities that allow an attacker to slash more than 33% of validators, trivially cause network splits affecting more than 33% of the network, or being able to bring down more than 33% of the network by sending a single network packet or an on-chain transaction.
High severity finding in the Ethereum Fusaka audit contest from Sherlock
Medium Severity
Vulnerabilities that allow an attacker to slash more than 1% of validators, trivially cause network splits affecting more than 5% of the network, or being able to bring down more than 5% of the network by sending a single network packet or an on-chain transaction.
High severity finding in the Ethereum Fusaka audit contest from Sherlock
Low Severity
Vulnerabilities that allow an attacker to slash more than 0.01% of validators, trivially cause network splits affecting at least 0.01% of the network, or being able to bring down more than 0.01% of the network by sending a single network packet or an on-chain transaction.
Informational severity finding in the Ethereum Fusaka audit contest from Sherlock
Informational Severity
Observations or recommendations regarding code quality, maintainability, or system architecture that do not present a direct security risk. These findings aim to provide insights for potential improvements rather than addressing an immediate vulnerability. Only applicable if the team decides to implement a change based on the report.
Judging hammer icon for Ethereum Fusaka audit from Sherlock
Important Judging Notes
  • A finding may have its severity upgraded if deemed relevant by judges (e.g., Medium → High)
  • Unrelated findings cannot be chained together and are treated individually
  • Network impact data for each client is available for reference
For more details, check out the auditor handbook: https://notes.ethereum.org/@fredrik/fusaka-auditor-guide

READY TO COMPETE?

Access the Official Contest Platform

Join thousands of security researchers competing for the largest prize pool in blockchain security contest history. Test your skills and earn recognition in the community.

Go to Contest Page