Wormhole

Live since: 11 February 2022
KYC required: Yes
Maximum bounty: $10,000,000
Last updated: 04 November 2022

Program Overview

Wormhole is a generic cross-chain messaging protocol that allows smart contracts on various blockchains to communicate with each other. Messages are routed from chain to chain by a decentralised group of guardian nodes who sign attestations of on-chain state.

For more information about Wormhole, please visit https://wormhole.com/.

This bug bounty program is focused on the prevention of negative impacts to Wormhole and the Portal Token Bridge, which currently covers their smart contracts, guardian nodes, and Wormhole integrations with blockchains.

Submission Requirements

All reports must come with sufficient explanation and data to easily reproduce the bug, e.g. through proof-of-concept code.

For a bug report to be paid, we do require the bug reporter to comply with our KYC requirements.

This includes the following:

  • Wallet address where you’ll receive payment
  • Proof of address (either a redacted bank statement with your address or a recent utility bill with your name, address, and issuer of the bill)
  • If you are a U.S. person, please send us a filled-out and signed W-9 (https://www.irs.gov/pub/irs-pdf/fw9.pdf)
  • If you are not a U.S. person, please send us a filled-out and signed W-8BEN (https://www.irs.gov/pub/irs-pdf/fw8ben.pdf)
  • A copy of your passport will be required.

Rewards by Threat Level

  • Tier 1: Ability to extract the complete TVL of all chains: Up to $10,000,000 USDC
  • Tier 2: Ability to extract the complete TVL of a single chain: Up to $2,500,000 USDC
  • Tier 3: Ability to brick the complete TVL of one or many chains: Up to $1,000,000 USDC

All rewards are decided on a case-by-case basis, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself if it is nondeterministic or some of the conditions are not present at the time. The rewards presented in the payout structure above are the maximum rewards and there are no minimum rewards.

Rewards for critical vulnerabilities are further capped at 10% of extractable value during a 24h period. Rewards for vulnerabilities resulting in the indefinite locking of funds are further capped at 1% of destroyable value.

Value is calculated based on the current market value and available liquidity for widely-used tokens in the Portal Token Bridge, e.g. ETH and SOL.

In cases where the report achieves more than one of the above objectives, the reward will be tiered to the higher of the objectives achieved and will not be aggregated (e.g. if you have the ability to both extract and brick the complete TVL for a chain, you will be awarded a bounty as if you were able only to extract the complete TVL for that chain).

Rewards for bugs in dependencies and third party code are at the discretion of the Wormhole team and will be based on the impact demonstrated on Wormhole. If the dependency has its own bug bounty program, your reward for submitting this vulnerability to Wormhole will be lowered by the expected payout of that other program. If the vulnerability is in a connected blockchain itself rather than the Wormhole code, the locked and wrapped assets on that chain are not included in the impact calculation.

Wormhole Foundation will maintain full discretion on the payouts for vulnerabilities. We do encourage bug reporters to submit issues outside of the above-mentioned payout structure, though we want to be clear that we’ll exercise discretion on a case-by-case basis -- whether an issue warrants a payout and what that ultimate payout would be.

Blockchain/DLT

  Level      Payout                    PoC required
  Critical   Up to $10,000,000 USDC    Yes
  High       Up to $100,000 USDC       Yes
  Medium     Up to $10,000 USDC        Yes
  Low        Up to $2,000 USDC         Yes

Smart Contract

  Level      Payout                    PoC required
  Critical   Up to $10,000,000 USDC    Yes
  High       Up to $100,000 USDC       Yes
  Medium     Up to $10,000 USDC        Yes
  Low        Up to $2,000 USDC         Yes

Assets in scope

All smart contracts of Wormhole can be found at https://github.com/wormhole-foundation. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Blockchain/DLT

  • Critical: Forging of Wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts
  • Critical: Exploits resulting in the locking, loss, or theft of user funds from the Portal Token Bridge
  • Critical: Permanent denial of service attacks (excluding volumetric attacks)
  • Critical: Determinism bugs that could lead to inconsistent bridge states
  • Critical: Governance manipulation
  • Critical: Exposure of production private keys and/or PII
  • Critical: Vulnerabilities in the node software resulting in invalid behavior
  • Critical: Remote code execution
  • Critical: Any other vulnerabilities that lead to the impacts described in Tiers 1-3
  • High: Bugs that allow forging of Wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts but fall outside the "critical" category
  • High: Bugs that are very capital-intensive to carry out but could be critical
  • High: Attacks that would be critical if a minority of Guardians were malicious
  • High: Unrestricted bypass of the Governor module (https://github.com/wormhole-foundation/wormhole/tree/dev.v2/node/pkg/governor)
  • Medium: Denial of service attacks against the Guardian network (excluding volumetric attacks) resulting in an extended but not permanent total network shutdown
  • Medium: Exploit chains requiring user interaction
  • Medium: Compromising a single Guardian node
  • Medium: Cryptographic implementation flaws and flaws in random number generation with limited impact
  • Medium: Bugs that allow forging signed messages from a minority of Guardians
  • Low: Bugs that are unlikely to occur but would have a large impact if they did, e.g. race conditions
  • Low: Lack of defense-in-depth (must send a PR with improvements and get it merged)
  • Low: Bugs that are likely to occur in future stages of development but do not manifest themselves yet
  • Low: Denial of service attacks against the Guardian network (excluding volumetric attacks) resulting in an extended degradation of performance

Smart Contract

  • Critical: Forging of Wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts
  • Critical: Exploits resulting in the locking, loss, or theft of user funds from the Portal Token Bridge
  • Critical: Permanent denial of service attacks (excluding volumetric attacks)
  • Critical: Determinism bugs that could lead to inconsistent bridge states
  • Critical: Governance manipulation
  • Critical: Exposure of production private keys and/or PII
  • Critical: Vulnerabilities in the node software resulting in invalid behavior
  • Critical: Remote code execution
  • Critical: Any other vulnerabilities that lead to the impacts described in Tiers 1-3
  • High: Bugs that allow forging of Wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts but fall outside the "critical" category
  • High: Bugs that are very capital-intensive to carry out but could be critical
  • High: Attacks that would be critical if a minority of Guardians were malicious
  • High: Unrestricted bypass of the Governor module (https://github.com/wormhole-foundation/wormhole/tree/dev.v2/node/pkg/governor)
  • Medium: Denial of service attacks against the Guardian network (excluding volumetric attacks) resulting in an extended but not permanent total network shutdown
  • Medium: Exploit chains requiring user interaction
  • Medium: Compromising a single Guardian node
  • Medium: Cryptographic implementation flaws and flaws in random number generation with limited impact
  • Medium: Bugs that allow forging signed messages from a minority of Guardians
  • Low: Bugs that are unlikely to occur but would have a large impact if they did, e.g. race conditions
  • Low: Lack of defense-in-depth (must send a PR with improvements and get it merged)
  • Low: Bugs that are likely to occur in future stages of development but do not manifest themselves yet
  • Low: Denial of service attacks against the Guardian network (excluding volumetric attacks) resulting in an extended degradation of performance

The Governor module (https://github.com/wormhole-foundation/wormhole/tree/dev.v2/node/pkg/governor) is designed to limit the value that can be transferred out of one chain over a given period of time. Assuming a smart contract compromise on one chain, the ability to transfer all tokens in unlimited amounts to any target chain, unconstrained by the Governor, would constitute a "high" severity vulnerability.

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Network denial of service on Guardians is not eligible for bug bounty rewards
  • Wormhole is an open source project with open development. We welcome feedback and PRs on features that are in development. Code that has not been deployed is generally out-of-scope.
  • Reports regarding bugs that the Wormhole project was previously aware of are not eligible for a reward
  • In-scope assets with the "pre-release" tag are exempt from the above-mentioned deployment requirement and are intended to allow early access for white-hat community contribution. Once the chain is deployed on mainnet, the new scope is whatever is deployed on chain, which is often what is present in the dev.v2 branch. Rewards for "pre-release" candidates are eligible within the same reward structure as mainnet contracts.

The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, persons in possession of privileged information, and all associated parties.

Prohibited Activities

  • Any testing with mainnet or public testnets; all testing should be done on private nets
  • Public disclosure of a vulnerability before an embargo has been lifted
  • Any testing with third party smart contracts or infrastructure and websites
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any denial of service attacks
  • Violating the privacy of any organization or individual
  • Automated testing of services that generates significant amounts of traffic
  • Any activity that violates any law or disrupts or compromises any data or property that is not your own