Wormhole

Submit a Bug
11 February 2022
Live since
Yes
KYC required
$10,000,000
Maximum bounty

Program Overview

Wormhole is a generic cross-chain messaging protocol that allows smart contracts on various blockchains to communicate with each other. Messages are routed from chain to chain by a decentralised group of guardian nodes who sign attestations of on-chain state.

For more information about Wormhole, please visit https://wormholenetwork.com.

This bug bounty program is focused on the prevention of negative impacts to the Wormhole ecosystem, which currently covers their smart contracts, web UI, guardian nodes, and Wormhole integrations and is focused on preventing:

  • Exploits resulting in the locking, loss, or theft of user funds.
  • General forging of unverified data, or validation of forged messages.
  • Determinism bugs that could lead to inconsistent bridge states.
  • Governance manipulation.
  • Exposure of infrastructure private keys and/or PII.
  • Vulnerabilities in the node operating software resulting in invalid behaviour.
  • Remote code execution.
  • Bugs that can facilitate Sybil attacks.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

All rules and notes and tiers below for Rewards override the Immunefi Vulnerability Severity Classification System.

All web/app bug reports must come with a PoC in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. Additionally, all smart contract and guardian node bug reports must come with log components, reproduction, and data about vulnerabilities to support learnings and bug fixes. This can be satisfied by providing relevant screenshots, docs, code, and steps to reproduce the issue.

Rewards for Critical smart contract and guardian node vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 100 000 for Critical smart contract and guardian node bug reports.

Wormhole requires all bug bounty hunters to complete the program’s KYC requirements if they are submitting a report and wanting a reward. The information needed is an ID photo along with a scan of a utility bill to show residency proof.

Payouts are handled by the Wormhole Foundation team directly and are denominated in USD. However, payouts are done in USDC. The decision whether to make a payout, and the determination of the amount and manner of any payout, will be made by Terraform Labs Ltd in its sole and absolute discretion.

Critical Smart Contracts and Blockchain Bounty Tiers:

  • Tier 1: Ability to Extract the complete TVL of all chains: Up to $10,000,000 USD

  • Tier 2: Ability to Extract the complete TVL of a single chain: Up to $5,000,000 USD

  • Tier 3: Ability to Brick the complete TVL of one or many chains: Up to $2,500,000 USD

The tiers above represent the narrow and explicit scope of critical bounty tiers 1-3 and you should have no expectation of receiving a critical payout without demonstrating the ability to perform one of the above objectives. In cases where the report achieves more than one of the above objectives, rewards will be tiered to the higher of the two objectives and will not be aggregated (eg. if you have the ability to extract and brick a complete TVL for a chain, you will be awarded a bounty as if you were able to only extract the complete TVL for that chain).

The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, and others with privileged information.

Note that the above payouts stipulate “Up to” and payouts will scale at the sole and absolute discretion of the Wormhole team. Similarly, partial achievement of the above tiered objectives will be scaled accordingly at the sole and absolute discretion of the Wormhole team.

Smart Contract

Critical
Level
Up to USD $10,000,000
Payout
High
Level
USD $100,000
Payout
Medium
Level
USD $10,000
Payout
Low
Level
USD $2,500
Payout

Websites and Applications

Critical
Level
USD $50,000
Payout
PoC Required
High
Level
USD $10,000
Payout
PoC Required
Medium
Level
USD $5,000
Payout
PoC Required
Low
Level
USD $1,000
Payout
PoC Required

Assets in scope

All smart contracts of Wormhole can be found at https://github.com/certusone/wormhole. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

Prioritized Vulnerabilities

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

General

  • Missing authorization logic in governance flows.
  • Cryptographic Issues (Key security, replayability, signature malleability).
  • Governance consensus failures.
  • Incorrect logic in contracts and guardian node software.

Smart Contracts

  • Significant loss of user funds, such as unrestricted access to custody accounts.
  • Destruction or burning of Wormhole assets.
  • Transaction and/or VAA Replay attacks.
  • Minting Wormhole assets without an equivalent transfer from a source chain.
  • Recovering assets from a custody account without valid authorization.
  • Replacement or spoofing of Guardian signing keys and signatures.
  • Processing of VAA's with invalid signatures.
  • Attacks on Consensus.
  • Insecure Deserialization / Account Confusion.
  • Blockchain runtime specific exploits, such as re-entrancy bugs.
  • Insufficient verification of account constraints/access constraints.
  • Performing governance operations without a governance super majority.
  • Exploits in dependencies that can be exploited at contract level.

Guardian Nodes

  • Attacks against RPC endpoints.
  • Remote Code Execution in guardian node software.
  • Exfiltration of guardian private keys via the node software.
  • Causing nodes to produce VAA's for messages that are expired or invalid.
  • Preventing nodes from accessing or otherwise processing messages.
  • Disrupting access to public node RPC.
  • Deletion/destruction of any persistent data (such as VAA's) maintained by nodes.
  • Denial of Service via exploitation of the node software.
  • Censorship attacks, and other methods disrupting message delivery.
  • Recovery of guardian private key material.

Note that network-based DDoS attacks are not considered valid under the Wormhole bug bounty program, however DoS amplification attacks that utilize an issue in the node software itself do fall under this program's scope.

Web/App

  • XSS Attacks or any other DOMbased user exploits.
  • XSRF Attacks
  • Access/Exploitation of user wallets via the web application.
  • SSL or server misconfiguration issues (must be shown to be insecure).

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Network denial of service on Guardians is not eligible for bug bounty rewards
  • Frontrunning, including backrunning and sandwich attacks.
  • Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks
  • Bugs in dependencies (unless they lead to equivalently direct attacks on Wormhole).
  • Any secret data checked into the repository. Such as API/AUTH tokens.

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration
  • Content spoofing / Text injection issues
  • Self-XSS
  • Captcha bypass using OCR
  • CSRF with no security impact (logout CSRF, change language, etc.)
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Server-side information disclosure such as IPs, server names, and most stack traces
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
  • Vulnerabilities requiring unlikely user actions
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • Lack of SSL/TLS best practices
  • DDoS vulnerabilities
  • Attacks requiring privileged access from within the organization
  • Feature requests
  • Best practices

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Any violation of privacy of network users, other bounty hunters or Wormhole Foundation
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty