Wormhole

Live since: 11 February 2022
KYC required: Yes
Maximum bounty: $10,000,000

Program Overview

Wormhole is a generic cross-chain messaging protocol that allows smart contracts on various blockchains to communicate with each other. Messages are routed from chain to chain by a decentralised group of guardian nodes who sign attestations of on-chain state.

For more information about Wormhole, please visit https://wormhole.com/.

This bug bounty program covers Wormhole and the Portal Token Bridge, which currently comprises their smart contracts, guardian nodes, and Wormhole integrations with blockchains, and is focused on preventing:

  • Exploits resulting in the locking, loss, or theft of user funds.
  • Forging of Wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts.
  • Permanent Denial of Service attacks (excluding volumetric attacks).
  • Determinism bugs that could lead to inconsistent bridge states.
  • Governance manipulation.
  • Exposure of production private keys and/or PII.
  • Vulnerabilities in the node operating software resulting in invalid behaviour.
  • Remote code execution.
  • Bugs that can facilitate Sybil attacks.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System v2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. However, please refer to the Impacts in Scope section for information on the categorization of severity levels per impact.

All web/app bug reports must come with a PoC in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. Additionally, all smart contract and guardian node bug reports must come with log components, reproduction, and data about vulnerabilities to support learnings and bug fixes. This can be satisfied by providing relevant screenshots, docs, code, and steps to reproduce the issue.

Wormhole requires all bug bounty hunters to complete the program’s KYC requirements if they are submitting a report and wanting a reward. The information needed is an ID photo along with an acceptable proof of residency, e.g. a utility bill.

All rewards for the Wormhole bug bounty program are scaled based on internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in for bug reports requiring multiple conditions to be met that are currently not in place. Though there are no minimums with regard to each severity level, rewards will be provided at the fair value determined by the team depending on these conditions, assuming that the bug report is in scope of the bug bounty program.

Additionally, critical smart contract and blockchain bug reports are further distributed according to the following tier system:

  • Tier 1: Ability to extract the complete TVL of all chains: Up to $10,000,000 USD
  • Tier 2: Ability to extract the complete TVL of a single chain: Up to $5,000,000 USD
  • Tier 3: Ability to brick the complete TVL of one or many chains: Up to $2,500,000 USD

Rewards for Critical vulnerabilities are further capped at 10% of extractable value during a 24h period. Rewards for vulnerabilities resulting in the indefinite locking of funds are further capped at 1% of destroyable value. The tiers above represent the narrow and explicit scope of critical bounty tiers 1-3, and you should have no expectation of receiving a critical payout without demonstrating the ability to perform one of the above objectives. In cases where the report achieves more than one of the above objectives, the reward will be tiered to the higher of the objectives and will not be aggregated (e.g. if you have the ability to both extract and brick the complete TVL of a chain, you will be awarded a bounty as if you were only able to extract the complete TVL of that chain).

As with other severity levels, other factors will be taken into account in determining the final reward amount, and the published amounts are only the maximum payouts that are possible. In cases where only a partial achievement of the above tiered objectives is met, the reward will be scaled accordingly at the discretion of the Wormhole team.

Rewards for bugs in dependencies and 3rd party code are at the discretion of the Wormhole team and will be based on the impact demonstrated on Wormhole. If the dependency has its own bug bounty program, your reward for submitting this vulnerability to Wormhole will be lowered by the expected payout of that other program. If the vulnerability is in a connected blockchain itself rather than the Wormhole code, the locked and wrapped assets on that chain are not included in the impact calculation.

Wormhole is an open source project with open development. We welcome feedback and PRs on features that are in development. Awards for bugs in code that has not been deployed yet are entirely at the discretion of the Wormhole team.

Reports regarding bugs that the Wormhole project was previously aware of are not eligible for a reward.

The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, persons in possession of privileged information, and all associated parties.

Payouts are denominated in USD. However, payouts are done in USDC. The decision whether to make a payout, and the determination of the amount and manner of any payout, will be made by the Wormhole team in its sole and absolute discretion.

Blockchain/DLT

Level      Payout
Critical   Up to USD $10,000,000
High       Up to USD $100,000
Medium     Up to USD $10,000
Low        Up to USD $2,000

Smart Contract

Level      Payout
Critical   Up to USD $10,000,000
High       Up to USD $100,000
Medium     Up to USD $10,000
Low        Up to USD $2,000

Websites and Applications

Level      Payout                PoC
Critical   Up to USD $50,000     Required
High       Up to USD $10,000     Required
Medium     Up to USD $5,000      Required

Assets in scope

All smart contracts of Wormhole can be found at https://github.com/certusone/wormhole. However, only those listed in the Assets in Scope table are considered in scope of the bug bounty program.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect something in the Assets in Scope table.

Blockchain/DLT

  • Critical Blockchain/DLT impact
  • High Blockchain/DLT impact
  • Medium Blockchain/DLT impact
  • Low Blockchain/DLT impact

Smart Contract

  • Critical smart contract impact
  • High smart contract impact
  • Medium smart contract impact
  • Low smart contract impact

Websites and Applications

  • Critical Web/App impact
  • High Web/App impact
  • Medium Web/App impact

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Network denial of service on Guardians is not eligible for bug bounty rewards
  • Frontrunning, including backrunning and sandwich attacks.
  • Incorrect data supplied by third party oracles (this does not exclude oracle manipulation or flash loan attacks, which remain in scope)
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks
  • Bugs in dependencies (unless they lead to equivalently direct attacks on Wormhole).
  • Any secret data checked into the repository, such as API/AUTH tokens.

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration
  • Content spoofing / Text injection issues
  • Self-XSS
  • Captcha bypass using OCR
  • CSRF with no security impact (logout CSRF, change language, etc.)
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Server-side information disclosure such as IPs, server names, and most stack traces
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
  • Vulnerabilities requiring unlikely user actions
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • Framing sensitive pages leading to financial loss (ClickJacking)
  • Lack of SSL/TLS best practices
  • DDoS vulnerabilities
  • Attacks requiring privileged access from within the organization
  • Feature requests
  • Best practices

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Any violation of privacy of network users, other bounty hunters or Wormhole Foundation
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty