The Ethereum Foundation awarded a $50,000 bug bounty on Thursday after researchers at Trust Security disclosed a high-severity flaw in ERC4337, the account-abstraction protocol. The flaw let attackers force certain valid, correctly signed account-abstraction transactions to revert while making the sender pay gas.
The foundation patched the issue and explained the exploit mechanics in its blog post. “This is a censorship and griefing vector, not a fund-theft vector,” the foundation added.
At discovery, usage of the vulnerable transaction type was limited. Still, users sent about 1.7 million vulnerable ERC4337 transactions last week, roughly 9% of all Ethereum transactions, data shows.
Bug bounties remain central to open-source security, and platforms track major payouts. The bug-bounty platform Immunefi has paid over $125 million to security researchers, and Trust Security said it accepted an additional $59,500 from DeFi apps using ERC4337.
Major users of the vulnerable transaction type include Safe and Biconomy, though Trust Security has not specified which apps issued bounties. Developers have implemented a fix that restricts certain contract functions so they can be called only from wallets that are not account-abstraction accounts, and the foundation urged protocols to upgrade promptly.