
Wormhole
Wormhole is a generic cross-chain messaging protocol that allows smart contracts on various blockchains to communicate with each other. Messages are routed from chain to chain by a decentralised group of guardian nodes who sign attestations of the on-chain state.
PoC required
KYC required
Assets in Scope
Impacts in Scope
For the impact to be permanent, it must result in an effect that the Wormhole team can’t directly fix and must be perpetual. For instance, making a smart contract on Ethereum completely unusable and un-upgradable. An anti-example is taking down Wormchain or the Guardian network—the Wormhole team controls both codebases, which can be updated to remediate the cause of the outage. All other effects of denial of service are considered temporary in this program.
Bugs that are only triggerable against oneself and don’t affect other users, but that an end user or application developer could reasonably trigger by accident, will be considered as no higher than low severity on a case-by-case basis. This excludes sending funds to unintended addresses, which will not be rewarded.
Native Token Transfer (NTT) is an open, flexible, and composable framework for transferring tokens across blockchains without liquidity pools. Only the listed GitHub repository is in the scope of this bounty program. Any forks or modifications are out of scope. Furthermore, only tagged releases with version v1.x.x are considered in-scope. The severity of NTT-related findings will be dropped by a single category on the payout scale, such as a critical to a high or a medium to a low.
- Forging of wormhole messages (i.e. VAAs) or circumventing VAA verification logic
- Exploits resulting in the locking, loss, or theft of user funds from the Portal Token Bridge
- Permanent Denial of Service attacks (excluding volumetric attacks)
- Determinism bugs that could lead to inconsistent bridge states
- Unauthorized changes to protocol parameters through governance resulting in direct loss of funds
- Theft of funds from exposure of production private keys
- Gaining control of multiple Guardian nodes by exploiting a vulnerability that leads to Remote Code Execution
- Any other vulnerabilities that lead to the impacts described in Tier 1-3
- Forging of wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts
- Exploits resulting in the locking, loss, or theft of user funds from the Portal Token Bridge
- Permanent Denial of Service attacks (excluding volumetric attacks)
- Determinism bugs that could lead to inconsistent bridge states
Out of scope
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Vulnerabilities that have been exploited, leading to damage.
- Network denial of service on Guardians is not eligible for bug bounty rewards.
- Wormhole is an open source project with open development. We welcome feedback and PRs on features that are in development. Code that has not been deployed in production is generally out-of-scope.
- Reports regarding bugs that the Wormhole project was previously aware of are not eligible for a reward.
- In-scope assets with a "pre-release" tag are exempt from the above-mentioned deployment requirement and are aimed at allowing early access for white-hat community contribution. Once the chain is deployed on mainnet, the new scope is whatever is deployed on the chain, which is often what is present in the main branch. Rewards for “pre-release” candidates will be eligible within the same reward structure as mainnet contracts.
The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, persons possessing privileged information, and all associated parties.
Prohibited Activities
- Any testing with mainnet or public testnets; all testing should be done on private nets.
- Public disclosure of a vulnerability before an embargo has been lifted. Wormhole follows the category 3 requirements for Immunefi Disclosure, requiring all public disclosure of valid bugs to be approved for publication.
- Any testing with third-party smart contracts or infrastructure and websites.
- Attempting phishing or other social engineering attacks against our employees and/or customers.
- Any denial of service attacks.
- Violating the privacy of any organization or individual.
- Automated testing of services that generate significant amounts of traffic.
- Any activity that violates any law or disrupts or compromises any data or property that is not yours.
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers