Immunefi Vulnerability Severity Classification System - v1.2

At Immunefi, we classify bugs on a simplified 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.

For example:

  • A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.

  • A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.

  • A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.

The table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.


5. Critical- Network not being able to confirm new transactions (Total network shutdown)
- Unintended permanent chain split requiring hard fork (Network partition requiring hard fork)
- Direct loss of funds
- Permanent freezing of funds (fix requires hardfork)
- RPC API crash
4. High- Unintended chain split (Network partition)
- Transient consensus failures
3. Medium- High compute consumption by validator/mining nodes
- Attacks against thin clients
- DoS of greater than 30% of validator or miner nodes and does not shut down the network
2. Low- DoS of greater than 10% but less than 30% of validator or miner nodes and does not shut down the network
- Underpricing transaction fees relative to computation time
1. None- Best practices

Smart Contracts

5. Critical- Empty or freeze the contract's holdings (e.g. economic attacks, flash loans, reentrancy, MEV, logic errors, integer over-/under-flow)
- Cryptographic flaws
4. High- Token holders temporarily unable to transfer holdings
- Users spoof each other
- Theft of yield
3. Medium- Contract consumes unbounded gas
- Block stuffing
- Griefing denial of service (i.e. attacker spends as much in gas as damage to the contract)
- Gas griefing
2. Low- Contract fails to deliver promised returns, but doesn't lose value
1. None- Best practices

Websites and Apps

5. CriticalCWE-78- Remote Code Execution
- Code Injection
- LDAP Injection
CWE-611XML External Entity (XXE)
CWE-89SQL Injection
CWE-91XML Injection
CWE-829- Server Side Includes Injection (SSI)
- Local File Inclusion(LFI)
- Directory/Path Traversal
CWE-918Server-Side Request Forgery(SSRF)
4. HighCWE-862- Indirect Object Reference(IDOR)
- Horizontal Privilege Escalation
- Vertical Privilege Escalation
CWE-200- Confidential Information Exposure
- Private Key Leaks
CWE-79Cross-Site Scripting (XSS)
CWE-93CRLF Injection
CWE-444HTTP Request Smuggling
CWE-434Unfiltered File Upload with execution
CWE-16- Subdomain Takeovers
- Dangling DNS Record
3. MediumCWE-494Cloud Bucket Uploads
CWE-352Authenticated Cross-Site Request Forgery(CSRF)
CWE-798Hardcoded Credentials
CWE-863Authentication Bypass
CWE-16Broken Link Bypass
2. LowCWE-1021Clickjacking State-Changing
CWE-400Denial of Service
1. NoneCWE-16SPF/DMARC/DKIM records
CWE-601Open Redirects