Wormhole

Submit a Bug
11 February 2022
Live since
Yes
KYC required
$10,000,000
Maximum bounty

Program Overview

Wormhole is a generic cross-chain messaging protocol that allows smart contracts on various blockchains to communicate with each other. Messages are routed from chain to chain by a decentralised group of guardian nodes who sign attestations of on-chain state.

For more information about Wormhole, please visit https://wormholenetwork.com.

This bug bounty program is focused on the prevention of negative impacts to the Wormhole ecosystem, which currently covers their smart contracts, web UI, guardian nodes, and Wormhole integrations and is focused on preventing:

  • Exploits resulting in the locking, loss, or theft of user funds.
  • General forging of unverified data, or validation of forged messages.
  • Determinism bugs that could lead to inconsistent bridge states.
  • Governance manipulation.
  • Exposure of infrastructure private keys and/or PII.
  • Vulnerabilities in the node operating software resulting in invalid behaviour.
  • Remote code execution.
  • Bugs that can facilitate Sybil attacks.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.However, please refer to the Impacts in Scope section for information on the categorization of severity levels per impact.

All web/app bug reports must come with a PoC in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. Additionally, all smart contract and guardian node bug reports must come with log components, reproduction, and data about vulnerabilities to support learnings and bug fixes. This can be satisfied by providing relevant screenshots, docs, code, and steps to reproduce the issue.

Rewards for Critical smart contract and guardian node vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 100 000 for Critical smart contract and guardian node bug reports.

Wormhole requires all bug bounty hunters to complete the program’s KYC requirements if they are submitting a report and wanting a reward. The information needed is an ID photo along with a scan of a utility bill to show residency proof.

All rewards for the Wormhole bug bounty program are scaled based on an internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in with bug reports requiring multiple conditions to be met that are currently not in-place. Though there are no minimums with regards to each severity level, rewards will be provided at the determined fair value by the team depending on these conditions, assuming that the bug report is in-scope of the bug bounty program.

Additionally, critical smart contract and blockchain bug reports are further distributed according to the following tier system:

  • Tier 1: Ability to Extract the complete TVL of all chains: Up to $10,000,000 USD

  • Tier 2: Ability to Extract the complete TVL of a single chain: Up to $5,000,000 USD

  • Tier 3: Ability to Brick the complete TVL of one or many chains: Up to $2,500,000 USD

The tiers above represent the narrow and explicit scope of critical bounty tiers 1-3 and you should have no expectation of receiving a critical payout without demonstrating the ability to perform one of the above objectives. In cases where the report achieves more than one of the above objectives, rewards will be tiered to the higher of the two objectives and will not be aggregated (eg. if you have the ability to extract and brick a complete TVL for a chain, you will be awarded a bounty as if you were able to only extract the complete TVL for that chain).

The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, and others with privileged information.

As with other severity levels, other factors will be taken into account in determining the final reward amount and the published amounts are only the maximum payouts that are possible. In cases where only a partial achievement of the above tiered objectives are met, the reward will be scaled accordingly at the discretion of the Wormhole team.

Blockchain/DLT

Critical
Level
Up to USD $10,000,000
Payout
High
Level
Up to USD $100,000
Payout
Medium
Level
Up to USD $10,000
Payout
Low
Level
Up to USD $2,000
Payout

Smart Contract

Critical
Level
Up to USD $10,000,000
Payout
High
Level
Up to USD $100,000
Payout
Medium
Level
Up to USD $10,000
Payout
Low
Level
Up to USD $2,000
Payout

Websites and Applications

Critical
Level
Up to USD $50,000
Payout
PoC Required
High
Level
Up to USD $10,000
Payout
PoC Required
Medium
Level
Up to USD $5,000
Payout
PoC Required

Assets in scope

All smart contracts of Wormhole can be found at https://github.com/certusone/wormhole. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Blockchain/DLT

  • Critical Blockchain/DLT impact
    Critical
    Impact
  • High Blockchain/DLT impact
    High
    Impact
  • Medium Blockchain/DLT impact
    Medium
    Impact
  • Low Blockchain/DLT impact
    Low
    Impact

Smart Contract

  • Critical smart contract impact
    Critical
    Impact
  • High smart contract impact
    High
    Impact
  • Medium smart contract impact
    Medium
    Impact
  • Low smart contract impact
    Low
    Impact

Websites and Applications

  • Critical Web/App impact
    Critical
    Impact
  • High Web/App impact
    High
    Impact
  • Medium Web/App Impact
    Medium
    Impact

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Network denial of service on Guardians is not eligible for bug bounty rewards
  • Frontrunning, including backrunning and sandwich attacks.
  • Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks
  • Bugs in dependencies (unless they lead to equivalently direct attacks on Wormhole).
  • Any secret data checked into the repository. Such as API/AUTH tokens.

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration
  • Content spoofing / Text injection issues
  • Self-XSS
  • Captcha bypass using OCR
  • CSRF with no security impact (logout CSRF, change language, etc.)
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Server-side information disclosure such as IPs, server names, and most stack traces
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
  • Vulnerabilities requiring unlikely user actions
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • Framing sensitive pages leading to financial loss (ClickJacking)
  • Lack of SSL/TLS best practices
  • DDoS vulnerabilities
  • Attacks requiring privileged access from within the organization
  • Feature requests
  • Best practices

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Any violation of privacy of network users, other bounty hunters or Wormhole Foundation
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty