Immunefi Vulnerability Severity Classification System - v2

At Immunefi, we classify bugs on a simplified 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

The development of this scale took into consideration multiple factors that may affect a vulnerability and its likelihood of exploitation, but the final level is determined largely by the impact the vulnerability causes.

The tables below are mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the bug may be downgraded to a lower level to reflect that, or rejected.

Blockchain/DLT

Level          Impact
5. Critical    • Network not being able to confirm new transactions (total network shutdown)
               • Unintended permanent chain split requiring hard fork (network partition requiring hard fork)
               • Direct loss of funds
               • Permanent freezing of funds (fix requires hard fork)
               • RPC API crash
4. High        • Unintended chain split (network partition)
               • Transient consensus failures
3. Medium      • High compute consumption by validator/mining nodes
               • Attacks against thin clients
               • DoS of greater than 30% of validator or miner nodes that does not shut down the network
2. Low         • DoS of greater than 10% but less than 30% of validator or miner nodes that does not shut down the network
               • Underpricing transaction fees relative to computation time
1. None        • Best practices

Smart Contracts

Level          Impact
5. Critical    • Any governance voting result manipulation
               • Direct theft of any user funds, whether at rest or in motion, other than unclaimed yield
               • Permanent freezing of funds
               • Miner-extractable value (MEV)
               • Protocol insolvency
4. High        • Theft of unclaimed yield
               • Permanent freezing of unclaimed yield
               • Temporary freezing of funds
3. Medium      • Smart contract unable to operate due to lack of token funds
               • Block stuffing for profit
               • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
               • Theft of gas
               • Unbounded gas consumption
2. Low         • Contract fails to deliver promised returns, but doesn't lose value
1. None        • Best practices

Websites and Apps

Level          Impact
5. Critical    • Ability to execute system commands
               • Extracting sensitive data/files from the server, such as /etc/passwd
               • Taking down the application/website
               • Stealing user cookies
               • Bypassing authentication
               • Signing transactions for other users
               • Redirection of user deposits and withdrawals
               • Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)
               • Wallet interaction modification resulting in financial loss
               • Direct theft of user funds
               • Tampering with transactions submitted to the user's wallet
               • Submitting malicious transactions to an already-connected wallet
4. High        • Spoofing content on the target application (persistent)
               • Disclosure of users' confidential information, such as email addresses
               • Subdomain takeover without financial loss (applicable for subdomains with no addresses published)
               • Privilege escalation to access unauthorized functionalities
3. Medium      • Changing details of other users without direct financial impact (CSRF)
               • Third-party API key leakage that demonstrates loss of funds or modification of the website
               • Redirecting users to malicious websites (open redirect)
2. Low         • Framing sensitive pages leading to financial loss (clickjacking)
               • Any impact involving a publicly released CVE without a working PoC
               • Broken link hijacking
1. None        • SPF/DMARC records modification
               • Missing headers
               • Automated scanner reports without demonstrated impact
               • UI/UX best practices recommendations