Immunefi Vulnerability Severity Classification System - v2.1

Being Phased Out

Severity Classification System v2.1 is being phased out and is no longer in use by new projects. Please see the Immunefi Severity Classification Systems page to find active and updated classification systems.


At Immunefi, we classify bugs on a simplified 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

The development of this scale took into consideration multiple factors that affect a vulnerability and its likelihood of exploitation, but the final classification is determined largely by the impact the vulnerability causes.

The tables below are mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the severity of the bug may be downgraded to reflect that, or the report may be rejected.

Blockchain/DLT

Level | Impact

5. Critical
- Network not being able to confirm new transactions (total network shutdown)
- Unintended permanent chain split requiring a hard fork (network partition requiring a hard fork)
- Direct loss of funds
- Permanent freezing of funds (fix requires a hard fork)
- RPC API crash

4. High
- Unintended chain split (network partition)
- Transient consensus failures

3. Medium
- High compute consumption by validator/mining nodes
- Attacks against thin clients
- DoS of more than 30% of validator or miner nodes that does not shut down the network

2. Low
- DoS of more than 10% but less than 30% of validator or miner nodes that does not shut down the network
- Underpricing transaction fees relative to computation time

1. None
- Best practices

Smart Contracts

Level | Impact

5. Critical
- Any governance voting result manipulation
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Miner-extractable value (MEV)
- Protocol insolvency

4. High
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds

3. Medium
- Smart contract unable to operate due to lack of token funds
- Block stuffing for profit
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption

2. Low
- Contract fails to deliver promised returns, but doesn't lose value

1. None
- Best practices

Websites and Apps

Level | Impact

5. Critical
- Execute arbitrary system commands
- Retrieve sensitive data/files from a running server such as:
        - /etc/shadow
        - database passwords
        - blockchain keys
        (this does not include non-sensitive environment variables, open source code, or usernames)
- Taking down the application/website
- Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:
        - Changing registration information
        - Commenting
        - Voting
        - Making trades
        - Withdrawals, etc.
- Subdomain takeover with already-connected wallet interaction
- Direct theft of user funds
- Malicious interactions with an already-connected wallet such as:
        - Modifying transaction arguments or parameters
        - Substituting contract addresses
        - Submitting malicious transactions

4. High
- Injecting/modifying the static content on the target application without JavaScript (persistent) such as:
        - HTML injection without JavaScript
        - Replacing existing text with arbitrary text
        - Arbitrary file uploads, etc.
- Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:
        - Email or password of the victim, etc.
- Improperly disclosing confidential user information such as:
        - Email address
        - Phone number
        - Physical address, etc.
- Subdomain takeover without already-connected wallet interaction

3. Medium
- Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:
        - Changing the first/last name of a user
        - Enabling/disabling notifications
- Injecting/modifying the static content on the target application without JavaScript (reflected) such as:
        - Reflected HTML injection
        - Loading external site data
- Redirecting users to malicious websites (open redirect)

2. Low
- Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:
        - Iframing leading to modifying the backend/browser state (must demonstrate impact with a PoC)
- Any impact involving a publicly released CVE without a working PoC
- Taking over broken or expired outgoing links such as:
        - Social media handles, etc.
- Temporarily preventing a user from accessing the target site, such as:
        - Locking the victim out of login
        - Cookie bombing, etc.

1. None
- SPF/DMARC misconfigured records
- Missing HTTP headers without demonstrated impact
- Automated scanner reports without demonstrated impact
- UI/UX best practice recommendations