Immunefi Vulnerability Severity Classification System - v2.2
At Immunefi, we classify bugs on a simplified 5-level scale:
- Critical
- High
- Medium
- Low
- None
The scale was developed with multiple factors in mind that affect a vulnerability and its likelihood of exploitation, but the final level is assigned largely by the impact a successful exploit causes.
The tables below are mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the bug may be downgraded to reflect that, or rejected outright.
Blockchain/DLT

| Level | Impact |
|---|---|
| 5. Critical | - Network not being able to confirm new transactions (total network shutdown)<br>- Unintended permanent chain split requiring hard fork (network partition requiring hard fork)<br>- Direct loss of funds<br>- Permanent freezing of funds (fix requires hard fork)<br>- RPC API crash |
| 4. High | - Unintended chain split (network partition)<br>- Transient consensus failures |
| 3. Medium | - High compute consumption by validator/mining nodes<br>- Attacks against thin clients<br>- DoS of greater than 30% of validator or miner nodes that does not shut down the network |
| 2. Low | - DoS of greater than 10% but less than 30% of validator or miner nodes that does not shut down the network<br>- Underpricing transaction fees relative to computation time |
| 1. None | - Best practices |
Smart Contracts

| Level | Impact |
|---|---|
| 5. Critical | - Any governance voting result manipulation<br>- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield<br>- Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties<br>- Permanent freezing of funds<br>- Permanent freezing of NFTs<br>- Miner-extractable value (MEV)<br>- Unauthorized minting of NFTs<br>- Predictable or manipulable RNG that results in abuse of the principal or NFT<br>- Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)<br>- Protocol insolvency |
| 4. High | - Theft of unclaimed yield<br>- Theft of unclaimed royalties<br>- Permanent freezing of unclaimed yield<br>- Permanent freezing of unclaimed royalties<br>- Temporary freezing of funds<br>- Temporary freezing of NFTs |
| 3. Medium | - Smart contract unable to operate due to lack of token funds<br>- Block stuffing for profit<br>- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)<br>- Theft of gas<br>- Unbounded gas consumption |
| 2. Low | - Contract fails to deliver promised returns, but doesn't lose value |
| 1. None | - Best practices |
Websites and Apps

| Level | Impact |
|---|---|
| 5. Critical | - Execute arbitrary system commands<br>- Retrieve sensitive data/files from a running server, such as /etc/shadow, database passwords, or blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)<br>- Taking down the application/website<br>- Taking down the NFT URI<br>- Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as changing registration information, commenting, voting, making trades, withdrawals, etc.<br>- Changing the NFT metadata<br>- Subdomain takeover with already-connected wallet interaction<br>- Direct theft of user funds<br>- Malicious interactions with an already-connected wallet, such as modifying transaction arguments or parameters, substituting contract addresses, or submitting malicious transactions<br>- Direct theft of user NFTs<br>- Injection of malicious HTML or XSS through NFT metadata |
| 4. High | - Injecting/modifying the static content on the target application without JavaScript (persistent), such as HTML injection without JavaScript, replacing existing text with arbitrary text, arbitrary file uploads, etc.<br>- Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as the email or password of the victim, etc.<br>- Improperly disclosing confidential user information, such as email address, phone number, physical address, etc.<br>- Subdomain takeover without already-connected wallet interaction |
| 3. Medium | - Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of a user or enabling/disabling notifications<br>- Injecting/modifying the static content on the target application without JavaScript (reflected), such as reflected HTML injection or loading external site data<br>- Redirecting users to malicious websites (open redirect) |
| 2. Low | - Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)<br>- Taking over broken or expired outgoing links, such as social media handles, etc.<br>- Temporarily disabling a user's access to the target site, such as locking the victim out of login, cookie bombing, etc. |
| 1. None | - SPF/DMARC misconfigured records<br>- Missing HTTP headers without demonstrated impact<br>- Automated scanner reports without demonstrated impact<br>- UI/UX best practices recommendations<br>- Non-future-proof NFT rendering |