Wormhole-logo

Wormhole

Wormhole is a generic cross-chain messaging protocol that allows smart contracts on various blockchains to communicate with each other. Messages are routed from chain to chain by a decentralised group of guardian nodes who sign attestations of on-chain state.

Algorand
Aptos
Arbitrum
Aurora
Avalanche
BSC
Base
Celestia
Celo
Dymension
ETH
Evmos
Fantom
Gnosis
Injective
Klaytn
Kujira
Mantle
Moonbeam
Near
Maximum Bounty
$5,000,000
Live Since
11 February 2022
Last Updated
22 October 2024
  • PoC required

  • KYC required

Select the category you'd like to explore

Assets in Scope

Target
Type
Smart Contract - Terra
Added on
8 February 2024
Target
Type
Smart Contract - Near
Added on
17 December 2023
Target
Type
Smart Contract - Wormhole Gateway aka Wormchain
Added on
17 December 2023
Target
Type
Smart Contract - Sui
Added on
5 May 2023
Target
Type
Smart Contract - EVM, excluding the Circle Bridge
Added on
28 February 2023
Target
Type
Smart Contract - Algorand
Added on
26 September 2022
Target
Type
Smart Contract - Aptos
Added on
26 September 2022
Target
Type
Blockchain/DLT - Guardian Nodes
Added on
4 April 2022
Target
Type
Smart Contract - Mainnet
Added on
4 April 2022
Target
Type
Smart Contract - Ethereum
Added on
4 April 2022
Target
Type
Smart Contract - Solana
Added on
4 April 2022
Target
Type
Blockchain/DLT - Terra
Added on
4 April 2022

Impacts in Scope

The Governor module (https://github.com/wormhole-foundation/wormhole/tree/dev.v2/node/pkg/governor) is designed to limit the value that can be transferred out of one chain over time. Assuming a smart contract compromise on one chain, the ability to transfer all tokens in unlimited amounts to any target chain would constitute a "high" severity vulnerability.

(https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0011_accountant.md) module under the threat model of a fully compromised chain.

Severity
Critical
Title

Forging of wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts.

Severity
Critical
Title

Exploits resulting in the locking, loss, or theft of user funds from the Portal Token Bridge

Severity
Critical
Title

Permanent Denial of Service attacks (excluding volumetric attacks)

Severity
Critical
Title

Determinism bugs that could lead to inconsistent bridge states

Severity
Critical
Title

Governance manipulation

Severity
Critical
Title

Exposure of production private keys

Severity
Critical
Title

Vulnerabilities in the node software resulting in invalid behavior

Severity
Critical
Title

Remote code execution

Severity
Critical
Title

Any other vulnerabilities that lead to the impacts described in Tier 1-3

Severity
Critical
Title

Forging of wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts

Severity
Critical
Title

Exploits resulting in the locking, loss, or theft of user funds from the Portal Token Bridge

Severity
Critical
Title

Permanent Denial of Service attacks (excluding volumetric attacks)

Out of scope

Program's Out of Scope information

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Network denial of service on Guardians is not eligible for bug bounty rewards
  • Wormhole is an open source project with open development. We welcome feedback and PRs on features that are in development. Code that has not been deployed is generally out-of-scope.
  • Reports regarding bugs that the Wormhole project was previously aware of are not eligible for a reward
  • In scope assets with "pre-release" tag are exempt from the above mentioned deployed requirement and are aimed at allowing early access for white-hat community contribution. Once the chain is deployed in mainnet, the new scope is whatever is deployed on chain, which is often what is present in dev.v2 branch. Rewards for “pre-release” candidates will be eligible within the same reward structure as mainnet contracts.

The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, persons in possession of privileged information, and all associated parties.

Prohibited Activities

  • Violating the privacy of any organization or individual
  • Any activity that violates any law or disrupts or compromises any data or property that is not your own.
Default Out of Scope and rules

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers