Wormhole
Wormhole is a generic cross-chain messaging protocol that allows smart contracts on various blockchains to communicate with each other. Messages are routed from chain to chain by a decentralised group of guardian nodes who sign attestations of on-chain state.
PoC required
KYC required
Impacts in Scope
The Governor module (https://github.com/wormhole-foundation/wormhole/tree/dev.v2/node/pkg/governor) is designed to limit the value that can be transferred out of one chain over time. Assuming a smart contract compromise on one chain, the ability to transfer all tokens in unlimited amounts to any target chain would constitute a "high" severity vulnerability.
(https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0011_accountant.md) module under the threat model of a fully compromised chain.
Out of scope
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Network denial of service on Guardians is not eligible for bug bounty rewards
- Wormhole is an open source project with open development. We welcome feedback and PRs on features that are in development. Code that has not been deployed is generally out of scope.
- Reports regarding bugs that the Wormhole project was previously aware of are not eligible for a reward
- In-scope assets with the "pre-release" tag are exempt from the above-mentioned deployment requirement and are aimed at allowing early access for white-hat community contribution. Once the chain is deployed in mainnet, the new scope is whatever is deployed on chain, which is often what is present in the dev.v2 branch. Rewards for "pre-release" candidates will be eligible within the same reward structure as mainnet contracts.
The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, persons in possession of privileged information, and all associated parties.
Prohibited Activities
- Any testing with mainnet or public testnets; all testing should be done on private nets
- Public disclosure of a vulnerability before an embargo has been lifted
- Any testing with third party smart contracts or infrastructure and websites
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any denial of service attacks
- Violating the privacy of any organization or individual
- Automated testing of services that generates significant amounts of traffic
- Any activity that violates any law or disrupts or compromises any data or property that is not your own.
Submission Requirements
All reports must come with sufficient explanation and data to easily reproduce the bug, e.g. through proof-of-concept code.
For a bug report to be paid, we do require the bug reporter to comply with our KYC requirements.
This includes the following:
- Wallet address where you’ll receive payment
- Proof of address (either a redacted bank statement with your address or a recent utility bill with your name, address, and issuer of the bill)
- A copy of your passport will be required.
- W rewards are limited to those persons who (a) are not a U.S. Person as defined in Rule 902(k) of Regulation S under the United States Securities Act of 1933, as amended ("Regulation S"); (b) are not domiciled in and do not have their principal place of business in the United States; (y) will conduct all transactions with the Tokens outside the United States and solely with non-US persons; and (z) are not acquiring the Tokens for the account or benefit of any U.S. Person and will not engage in any directed selling efforts in the United States.
- Any and all W to which you are entitled to receive as reward will only be granted and delivered to you upon the execution by you of a Restricted Token Grant Agreement in the form required by Wormhole Foundation and subject to the terms and conditions set forth therein, including a lock-up on the W token as set forth therein.
- You shall be responsible for reporting and paying any current and future taxes that you may incur resulting from the grant or delivery of any W or cash compensation.
- If you report a critical bounty that has a reward denominated in W you may be entitled to receive the reward in USDC at 25% of the reward value if you are unable to receive the reward in W.