Wormhole
Wormhole is a generic cross-chain messaging protocol that allows smart contracts on various blockchains to communicate with each other. Messages are routed from chain to chain by a decentralised group of guardian nodes who sign attestations of on-chain state.
PoC required
KYC required
Impacts in Scope
The Governor module (https://github.com/wormhole-foundation/wormhole/tree/dev.v2/node/pkg/governor) is designed to limit the value that can be transferred out of one chain over time. Assuming a smart contract compromise on one chain, the ability to transfer all tokens in unlimited amounts to any target chain would constitute a "high" severity vulnerability.
(https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0011_accountant.md) module under the threat model of a fully compromised chain.
- Forging of wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts
- Exploits resulting in the locking, loss, or theft of user funds from the Portal Token Bridge
- Permanent Denial of Service attacks (excluding volumetric attacks)
- Determinism bugs that could lead to inconsistent bridge states
- Governance manipulation
- Exposure of production private keys
- Vulnerabilities in the node software resulting in invalid behavior
- Remote code execution
- Any other vulnerabilities that lead to the impacts described in Tier 1-3
Out of scope
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Network denial of service on Guardians is not eligible for bug bounty rewards
- Wormhole is an open source project with open development. We welcome feedback and PRs on features that are in development. Code that has not been deployed is generally out-of-scope.
- Reports regarding bugs that the Wormhole project was previously aware of are not eligible for a reward
- In-scope assets with the "pre-release" tag are exempt from the above-mentioned deployment requirement and are aimed at allowing early access for white-hat community contribution. Once the chain is deployed on mainnet, the new scope is whatever is deployed on chain, which is often what is present in the dev.v2 branch. Rewards for "pre-release" candidates will be eligible within the same reward structure as mainnet contracts.
The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, persons in possession of privileged information, and all associated parties.
Prohibited Activities
- Violating the privacy of any organization or individual
- Any activity that violates any law or disrupts or compromises any data or property that is not your own
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against the project's employees and/or customers