Protocol Security · Ethereum Foundation

Securing Ethereum at the protocol layer.

I'm Antoine James — a security researcher at the Ethereum Foundation, where I help run the Protocol Security bug bounty program and hunt vulnerabilities in the clients and specifications that run the network.

500+ findings triaged
20 vulnerabilities disclosed

Findings

Responsibly disclosed vulnerabilities across Ethereum execution clients, consensus clients, and protocol specifications.

Critical · Chess.com · Payment System Bypass · Private
Unauthorized premium subscription access via a payment-flow flaw.

Low · Reth · EIP-2681 Nonce Validation
Missing nonce validation lets invalid transactions enter the pool.

Low · Reth · Gas Limit Misconfiguration
Gas limit config deviating from network consensus parameters.

Medium · Besu · P256 Curve Point Validation
Missing on-curve validation in P256Verify causes block import failures.
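The check behind the Besu finding above, as an added example rather than Besu's own code: before an ECDSA verifier touches caller-supplied coordinates, a P256VERIFY-style precompile has to confirm that both coordinates are reduced field elements and that the point actually lies on P-256, and it has to answer "invalid input" rather than throw, because an exception here surfaces as a failed block import. The 160-byte input layout (hash || r || s || qx || qy) follows RIP-7212; the function names and the constructed calldata below are mine, and no real signature is being verified.

```python
# Added example (not Besu's code): structural validation a P256VERIFY-style precompile
# should perform before handing (r, s, Qx, Qy) to an ECDSA library. Every rejection
# returns False instead of raising, so malformed calldata can never abort block import.

# NIST P-256 (secp256r1) domain parameters.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def is_on_curve(x: int, y: int) -> bool:
    """True iff (x, y) is an affine point of P-256: both coordinates are reduced
    field elements and y^2 == x^3 + a*x + b (mod p)."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def parse_p256verify_input(data: bytes):
    """Split 160-byte calldata (hash || r || s || qx || qy, RIP-7212 layout) into
    five big-endian integers. Returns None for any other length."""
    if len(data) != 160:
        return None
    return tuple(int.from_bytes(data[i:i + 32], "big") for i in range(0, 160, 32))


def validate_p256verify_input(data: bytes) -> bool:
    """Checks that must pass before any curve arithmetic: signature scalars in
    [1, n-1] and a public key that is a genuine, non-infinity curve point."""
    parsed = parse_p256verify_input(data)
    if parsed is None:
        return False
    _msg_hash, r, s, qx, qy = parsed
    if not (1 <= r < N and 1 <= s < N):
        return False
    # The point at infinity has no affine encoding. (0, 0) is already rejected by
    # is_on_curve because b != 0, but the intent is worth stating explicitly.
    if qx == 0 and qy == 0:
        return False
    return is_on_curve(qx, qy)


def _calldata(msg_hash: int, r: int, s: int, qx: int, qy: int) -> bytes:
    return b"".join(v.to_bytes(32, "big") for v in (msg_hash, r, s, qx, qy))


# Constructed inputs (hypothetical, not real signatures): only the structural
# checks are exercised, so a placeholder hash is fine.
GOOD_INPUT = _calldata(0x1234, 1, N - 1, GX, GY)           # base point: structurally valid
OFF_CURVE_INPUT = _calldata(0x1234, 1, N - 1, GX, GY + 1)  # y tweaked: not on the curve
UNREDUCED_X_INPUT = _calldata(0x1234, 1, N - 1, P, GY)     # x == p: not a field element
ZERO_S_INPUT = _calldata(0x1234, 1, 0, GX, GY)             # s == 0: rejected scalar

if __name__ == "__main__":
    cases = [("base point", GOOD_INPUT), ("off-curve", OFF_CURVE_INPUT),
             ("x == p", UNREDUCED_X_INPUT), ("s == 0", ZERO_S_INPUT)]
    for name, inp in cases:
        verdict = "accept" if validate_p256verify_input(inp) else "reject"
        print(f"{name:>10}: {verdict}")
```

Skipping the on-curve test is not only a crash risk: scalar multiplication on a point that satisfies no curve equation the library expects is the setup for invalid-curve attacks, so a verifier that silently computes on such a point is worse than one that throws.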

Low · Geth · EIP-2935 Constant Mismatch
Verkle testing constant doesn't match the hardcoded 0x1FFF bytecode value.

Low · Reth · Missing Malicious Peer Punishment
No penalty for peers spamming unwanted transaction hashes.

Medium · Teku · TOCTOU Race Condition
Attestation-validation race lets duplicates bypass detection.

Medium · Prysm · TOCTOU Race Condition
Attestation-validation race lets duplicates reach the network.
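The shape of the two TOCTOU findings above, as an added illustration of the pattern rather than Teku's or Prysm's code: a "have we seen this attestation?" membership test followed by a separate insert, with concurrent gossip handlers able to interleave between the two. The cache classes, the `(validator_index, slot)` key and the injected yield point are hypothetical; the yield point only makes the window wide enough to reproduce deterministically.

```python
# Added example (not Teku's or Prysm's code): check-then-act on a seen-attestation
# cache, racy and atomic. The yield_point stands in for whatever real work sits
# between the membership check and the insert; it is a hypothetical hook.
import threading
import time
from typing import Callable


class RacySeenCache:
    """Membership test and insertion are separate steps; another handler thread
    can run between them and also conclude the attestation is new."""

    def __init__(self, yield_point: Callable[[], None] = lambda: None) -> None:
        self._seen: set = set()
        self._yield = yield_point

    def first_sighting(self, key) -> bool:
        if key in self._seen:   # check
            return False
        self._yield()           # window: other threads may run here
        self._seen.add(key)     # act
        return True


class AtomicSeenCache:
    """Check and insert happen under one lock, so exactly one caller wins per key
    however wide the window in between."""

    def __init__(self, yield_point: Callable[[], None] = lambda: None) -> None:
        self._seen: set = set()
        self._yield = yield_point
        self._lock = threading.Lock()

    def first_sighting(self, key) -> bool:
        with self._lock:
            if key in self._seen:
                return False
            self._yield()       # same window, but nobody else can enter it
            self._seen.add(key)
            return True


def count_first_sightings(cache, key, n_threads: int = 4) -> int:
    """Release n_threads at once against the same attestation key and return how
    many were told they saw it first. A correct cache always answers 1."""
    start = threading.Barrier(n_threads)
    results: list = []
    results_lock = threading.Lock()

    def worker() -> None:
        start.wait()
        ok = cache.first_sighting(key)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


# Constructed inputs: a hypothetical dedup key and a 200 ms window between check and act.
ATTESTATION_KEY = (17, 1234)          # (validator_index, slot), hypothetical
WINDOW = lambda: time.sleep(0.2)      # widens the race so it reproduces every run

if __name__ == "__main__":
    racy = count_first_sightings(RacySeenCache(yield_point=WINDOW), ATTESTATION_KEY)
    atomic = count_first_sightings(AtomicSeenCache(yield_point=WINDOW), ATTESTATION_KEY)
    print(f"racy cache accepted the same attestation {racy} times; atomic cache {atomic}")
```

The fix is not "add a lock somewhere" but making the membership test and the insert one indivisible step (a lock around both, or a primitive such as a compare-and-insert that returns whether the key was already present); a lock that only protects the set's internals leaves the window exactly as it was.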

Medium · Consensus Specs · Builder Withdrawal Griefing
Repeated 1 ETH deposits lock a builder's withdrawable balance.

Low · Teku · MatrixEntry Parameter Order
Swapped row/column indices when building the PeerDAS matrix.

Low · Lighthouse · Unsorted Data Columns in KZG
Columns not sorted before KZG, breaking cell-index ordering.

Info · Consensus Specs · Fulu DAS Parameter Ordering
Swapped parameter order in the DAS index functions.

Low · Lighthouse · Memory Leak in Column Sidecars
Missing cache pruning leaks ~7MB/day on long-running beacon nodes.

Experience

Ethereum Foundation

Security Researcher · Protocol Security
May 2025 – Present · 1 yr 2 mos
  • Protocol security research across Execution Clients, Consensus Clients, Ethereum specifications, and EIPs.
  • Contributed to the Fusaka and Glamsterdam upgrades — reviewing EIPs and their implementation across clients (Go, Rust, Java, …).
    • Ran devnet testing with the EthPandaOps team and worked on gas repricing for Fusaka.
  • Part of the Bug Bounty Program team — triaging reports, assigning severities, coordinating with client teams, and handling finance payouts.
    • Triaged 500+ incoming reports.
    • Contributed to building the bounty deposit system, introduced to curb AI-slop submissions.
    • Built an automatic AI-Triager: swarms of AI agents that run initial triage, verify findings, and assign severities.
Bug Bounty Triage · Triage Automation · Severity Classification · Rust · Security Research

Spearbit

Rust Engineer
Jan 2025 – Apr 2025 · 4 mos

Backend work on Cantina, Spearbit's competitive audit platform — built profile features like auditors' findings display, optimized and fixed SQL queries, and shipped API and data-layer improvements in Rust.

Rust · PostgreSQL · Actix

Formal Land

Security Researcher
Sept 2024 – Jan 2025 · 5 mos

Formal verification of the Sui blockchain type-checker and Keccak implementation — translating Rust code to Coq proofs for critical blockchain components.

Coq · Rust · Formal Verification

Contests

Findings from competitive audit platforms.

Cantina

1 vulnerability found
0 High · 0 Medium · 0 Low · 1 Info

Code4rena

6 vulnerabilities found
0 High · 2 Medium · 4 Low · 0 Info

Let's talk security

Open to protocol security research, audits, and collaboration.