Smart Contract Auditing

submitted by
Style Pass
2024-04-04 07:30:03

On the 15th of February 2024 iosiro reported a vulnerability, identified by security researcher [Jason Matthyser](https://twitter.com/pleasew8t), to the Ethereum Foundation that affected the Go Ethereum (geth) client from post-merge to [Edolus (v1.13.12)](https://github.com/ethereum/go-ethereum/releases/tag/v1.13.12).

The bug could reliably crash geth nodes configured for Ethereum Mainnet with a payload sent through `eth_call` at zero cost. At the time of disclosure, the issue affected the majority of Ethereum Mainnet RPC providers, including Infura, Alchemy, QuickNode, Ankr, and Flashbots.

The vulnerability was initially disclosed to the Ethereum Foundation, but they determined the issue to be out of scope of their bug bounty program. They indicated that they would, however, forward the information on to the geth development team to address the issue.

The Ethereum Foundation's [bug bounty program](https://ethereum.org/en/bug-bounty/#:~:text=Only%20the%20targets%20listed%20under%20in,scope%20of%20the%20bug%20bounty%20program.) explicitly excludes issues triggered through RPC from the execution bugs it covers, as RPC is said to be privileged functionality. Despite this distinction, exploitation of the vulnerability could have had a significant impact on end-users, as the vast majority of users interact with Ethereum through public RPC providers.
