
Wormhole

Wormhole is a generic cross-chain messaging protocol that allows smart contracts on various blockchains to communicate with each other. Messages are routed from chain to chain by a decentralised group of guardian nodes who sign attestations of on-chain state.

Algorand
Aptos
Arbitrum
Aurora
Avalanche
BSC
Base
Celestia
Celo
Dymension
ETH
Evmos
Fantom
Gnosis
Injective
Klaytn
Kujira
Mantle
Moonbeam
Near
Maximum Bounty: $5,000,000
Live Since: 11 February 2022
Last Updated: 02 October 2024
  • PoC required

  • KYC required


Assets in Scope

  • Smart Contract - Terra (added on 8 February 2024)
  • Smart Contract - Near (added on 17 December 2023)
  • Smart Contract - Wormhole Gateway aka Wormchain (added on 17 December 2023)
  • Smart Contract - Sui (added on 5 May 2023)
  • Smart Contract - EVM, excluding the Circle Bridge (added on 28 February 2023)
  • Smart Contract - Algorand (added on 26 September 2022)
  • Smart Contract - Aptos (added on 26 September 2022)
  • Blockchain/DLT - Guardian Nodes (added on 4 April 2022)
  • Smart Contract - Mainnet (added on 4 April 2022)
  • Smart Contract - Ethereum (added on 4 April 2022)
  • Smart Contract - Solana (added on 4 April 2022)
  • Blockchain/DLT - Terra (added on 4 April 2022)

Impacts in Scope

The Governor module (https://github.com/wormhole-foundation/wormhole/tree/dev.v2/node/pkg/governor) is designed to limit the value that can be transferred out of one chain over time. Assuming a smart contract compromise on one chain, the ability to transfer all tokens in unlimited amounts to any target chain would constitute a "high" severity vulnerability.

(https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0011_accountant.md) module under the threat model of a fully compromised chain.

  • Critical: Forging of wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts
  • Critical: Exploits resulting in the locking, loss, or theft of user funds from the Portal Token Bridge
  • Critical: Permanent Denial of Service attacks (excluding volumetric attacks)
  • Critical: Determinism bugs that could lead to inconsistent bridge states
  • Critical: Governance manipulation
  • Critical: Exposure of production private keys
  • Critical: Vulnerabilities in the node software resulting in invalid behavior
  • Critical: Remote code execution
  • Critical: Any other vulnerabilities that lead to the impacts described in Tier 1-3

Out of scope

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Network denial of service on Guardians is not eligible for bug bounty rewards
  • Wormhole is an open source project with open development. We welcome feedback and PRs on features that are in development. Code that has not been deployed is generally out-of-scope.
  • Reports regarding bugs that the Wormhole project was previously aware of are not eligible for a reward
  • In-scope assets carrying the "pre-release" tag are exempt from the above-mentioned deployment requirement; they are intended to give the white-hat community early access. Once the chain is deployed on mainnet, the scope becomes whatever is deployed on chain, which is often what is present in the dev.v2 branch. Rewards for "pre-release" candidates are eligible under the same reward structure as mainnet contracts.

The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, persons in possession of privileged information, and all associated parties.

Prohibited Activities

  • Any testing with mainnet or public testnets; all testing should be done on private nets
  • Public disclosure of a vulnerability before an embargo has been lifted
  • Any testing with third party smart contracts or infrastructure and websites
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any denial of service attacks
  • Violating the privacy of any organization or individual
  • Automated testing of services that generates significant amounts of traffic
  • Any activity that violates any law or disrupts or compromises any data or property that is not your own.

Submission Requirements

All reports must come with sufficient explanation and data to easily reproduce the bug, e.g. through proof-of-concept code.

For a bug report to be paid, we do require the bug reporter to comply with our KYC requirements.

This includes the following:

  • Wallet address where you’ll receive payment
  • Proof of address (either a redacted bank statement with your address or a recent utility bill with your name, address, and issuer of the bill)
  • A copy of your passport will be required.
  • W rewards are limited to those persons who (a) are not a U.S. Person as defined in Rule 902(k) of Regulation S under the United States Securities Act of 1933, as amended ("Regulation S"); (b) are not domiciled in, and do not have their principal place of business in, the United States; (c) will conduct all transactions with the Tokens outside the United States and solely with non-US persons; and (d) are not acquiring the Tokens for the account or benefit of any U.S. Person and will not engage in any directed selling efforts in the United States.
  • Any and all W to which you are entitled to receive as reward will only be granted and delivered to you upon the execution by you of a Restricted Token Grant Agreement in the form required by Wormhole Foundation and subject to the terms and conditions set forth therein, including a lock-up on the W token as set forth therein.
  • You shall be responsible for reporting and paying any current and future taxes that you may incur resulting from the grant or delivery of any W or cash compensation.
  • If you report a critical bounty that has a reward denominated in W you may be entitled to receive the reward in USDC at 25% of the reward value if you are unable to receive the reward in W.