Immunefi Vulnerability Severity Classification System - v2
At Immunefi, we classify bugs on a simplified 5-level scale:
- Critical
- High
- Medium
- Low
- None
The development of this scale took into consideration multiple factors that may affect a vulnerability and its likelihood of exploitation, but it ultimately ranks a bug largely by the impact it causes.
The tables below are mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that, or the report may be rejected.
Blockchain/DLT
Level | Impact
---|---
5. Critical | - Network not being able to confirm new transactions (Total network shutdown)<br>- Unintended permanent chain split requiring hard fork (Network partition requiring hard fork)<br>- Direct loss of funds<br>- Permanent freezing of funds (fix requires hardfork)<br>- RPC API crash
4. High | - Unintended chain split (Network partition)<br>- Transient consensus failures
3. Medium | - High compute consumption by validator/mining nodes<br>- Attacks against thin clients<br>- DoS of greater than 30% of validator or miner nodes and does not shut down the network
2. Low | - DoS of greater than 10% but less than 30% of validator or miner nodes and does not shut down the network<br>- Underpricing transaction fees relative to computation time
1. None | - Best practices
Smart Contracts
Level | Impact
---|---
5. Critical | - Any governance voting result manipulation<br>- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield<br>- Permanent freezing of funds<br>- Miner-extractable value (MEV)<br>- Protocol Insolvency
4. High | - Theft of unclaimed yield<br>- Permanent freezing of unclaimed yield<br>- Temporary freezing of funds
3. Medium | - Smart contract unable to operate due to lack of token funds<br>- Block stuffing for profit<br>- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)<br>- Theft of gas<br>- Unbounded gas consumption
2. Low | - Contract fails to deliver promised returns, but doesn't lose value
1. None | - Best practices
Websites and Apps
Level | Impact
---|---
5. Critical | - Ability to execute system commands<br>- Extract sensitive data/files from the server such as /etc/passwd<br>- Taking down the application/website<br>- Stealing user cookies<br>- Bypassing authentication<br>- Signing transactions for other users<br>- Redirection of user deposits and withdrawals<br>- Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)<br>- Wallet interaction modification resulting in financial loss<br>- Direct theft of user funds<br>- Tampering with transactions submitted to the user's wallet<br>- Submitting malicious transactions to an already-connected wallet
4. High | - Spoofing content on the target application (Persistent)<br>- Users' confidential information disclosure such as email<br>- Subdomain takeover without financial loss (applicable for subdomains with no addresses published)<br>- Privilege escalation to access unauthorized functionalities
3. Medium | - Changing details of other users without direct financial impact (CSRF)<br>- Third-party API key leakage that demonstrates loss of funds or modification on the website<br>- Redirecting users to malicious websites (Open Redirect)
2. Low | - Framing sensitive pages leading to financial loss (Clickjacking)<br>- Any impact involving a publicly released CVE without a working PoC<br>- Broken link hijacking
1. None | - SPF/DMARC records modification<br>- Missing headers<br>- Automated scanner reports without demonstrated impact<br>- UI/UX best practices recommendations