Immunefi Vulnerability Severity Classification System - v2

Being Phased Out

Severity Classification System v2 is being phased out and is no longer in use by new projects. Please see the Immunefi Severity Classification Systems page to find active and updated classification systems.

At Immunefi, we classify bugs on a simplified 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

The development of this scale took into consideration multiple factors that may affect a vulnerability and its likelihood of exploitation, but finalizes them largely by the impact that they cause.

The table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that or rejected.


5. Critical- Network not being able to confirm new transactions (Total network shutdown)
- Unintended permanent chain split requiring hard fork (Network partition requiring hard fork)
- Direct loss of funds
- Permanent freezing of funds (fix requires hardfork)
- RPC API crash
4. High- Unintended chain split (Network partition)
- Transient consensus failures
3. Medium- High compute consumption by validator/mining nodes
- Attacks against thin clients
- DoS of greater than 30% of validator or miner nodes and does not shut down the network
2. Low- DoS of greater than 10% but less than 30% of validator or miner nodes and does not shut down the network
- Underpricing transaction fees relative to computation time
1. None- Best practices

Smart Contracts

5. Critical- Any governance voting result manipulation
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Miner-extractable value (MEV)
- Protocol Insolvency
4. High- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds
3. Medium- Smart contract unable to operate due to lack of token funds
- Block stuffing for profit
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
2. Low- Contract fails to deliver promised returns, but doesn't lose value
1. None- Best practices

Websites and Apps

5. Critical- Ability to execute system commands
- Extract Sensitive data/files from the server such as /etc/passwd
- Taking Down the application/website
- Stealing User Cookies
- Bypassing Authentication
- Signing transactions for other users
- Redirection of user deposits and withdrawals
- Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)
- Wallet interaction modification resulting in financial loss
- Direct theft of user funds
- Tampering with transactions submitted to the user’s wallet
- Submitting malicious transactions to an already-connected wallet
4. High- Spoofing content on the target application (Persistent)
- Users Confidential information disclosure such as Email
- Subdomain Takeover without financial loss (applicable for subdomains with no addresses published)
- Privilege escalation to access unauthorized functionalities
3. Medium- Changing details of other users without direct financial impact (CSRF)
- Third-Party API keys leakage that demonstrates loss of funds or modification on the website
- Redirecting users to malicious websites (Open Redirect)
2. Low- Framing sensitive pages leading to financial loss (ClickJacking)
- Any impact involving a publicly released CVE without a working PoC
- Broken Link Hijacking
1. None- SPF/DMARC records modification
- Missing Headers
- Automated Scanner Reports without demonstrated impact
- UI/UX best practices recommendations