Immunefi Vulnerability Severity Classification System - v2.2

At Immunefi, we classify bugs on a simplified 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

The development of this scale took into consideration multiple factors that may affect a vulnerability and its likelihood of exploitation, but finalizes them largely by the impact that they cause.

The table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that or rejected.

Blockchain/DLT

LevelImpact
5. Critical- Network not being able to confirm new transactions (Total network shutdown)
- Unintended permanent chain split requiring hard fork (Network partition requiring hard fork)
- Direct loss of funds
- Permanent freezing of funds (fix requires hardfork)
- RPC API crash
4. High- Unintended chain split (Network partition)
- Transient consensus failures
3. Medium- High compute consumption by validator/mining nodes
- Attacks against thin clients
- DoS of greater than 30% of validator or miner nodes and does not shut down the network
2. Low- DoS of greater than 10% but less than 30% of validator or miner nodes and does not shut down the network
- Underpricing transaction fees relative to computation time
1. None- Best practices

Smart Contracts

LevelImpact
5. Critical- Any governance voting result manipulation
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties
- Permanent freezing of funds
- Permanent freezing of NFTs
- Miner-extractable value (MEV)
- Unauthorized minting of NFTs
- Predictable or manipulable RNG that results in abuse of the principal or NFT
- Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)
- Protocol insolvency
4. High- Theft of unclaimed yield
- Theft of unclaimed royalties
- Permanent freezing of unclaimed yield
- Permanent freezing of unclaimed royalties
- Temporary freezing of funds
- Temporary freezing NFTs
3. Medium- Smart contract unable to operate due to lack of token funds
- Block stuffing for profit
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
2. Low- Contract fails to deliver promised returns, but doesn't lose value
1. None- Best practices

Websites and Apps

LevelImpact
5. Critical- Execute arbitrary system commands
- Retrieve sensitive data/files from a running server such as:
        - /etc/shadow
        - database passwords
        - blockchain keys
(this does not include non-sensitive environment variables, open source code, or usernames)
- Taking down the application/website
- Taking down the NFT URI
- Taking down the application/website
- Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:
        - Changing registration information
        - Commenting
        - Voting
        - Making trades
        - Withdrawals, etc.
- Changing the NFT metadata
- Subdomain takeover with already-connected wallet interaction
- Direct theft of user funds
- Malicious interactions with an already-connected wallet such as:
        - Modifying transaction arguments or parameters
        - Substituting contract addresses
        - Submitting malicious transactions
- Direct theft of user NFTs
- Injection of malicious HTML or XSS through NFT metadata
4. High- Injecting/modifying the static content on the target application without Javascript (Persistent) such as:
        - HTML injection without Javascript
        - Replacing existing text with arbitrary text
        - Arbitrary file uploads, etc.
- Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:
        - Email or password of the victim, etc.
- Improperly disclosing confidential user information such as:
        - Email address
        - Phone number
        - Physical address, etc.
- Subdomain takeover without already-connected wallet interaction
3. Medium- Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:
        - Changing the first/last name of user
        - Enabling/disabling notifications
- Injecting/modifying the static content on the target application without Javascript (Reflected) such as:
        - Reflected HTML injection
        - Loading external site data
- Redirecting users to malicious websites (Open Redirect)
2. Low- Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction such as:
        - Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)
- Taking over broken or expired outgoing links such as:
        - Social media handles, etc.
- Temporarily disabling user to access target site, such as:
        - Locking up the victim from login
        - Cookie bombing, etc.
1. None- SPF/DMARC misconfigured records
- Missing HTTP Headers without demonstrated impact
- Automated Scanner Reports without demonstrated impact
- UI/UX best practices recommendations
- Non-future-proof NFT rendering