Immunefi Vulnerability Severity Classification System - v1.2

Being Phased Out

Severity Classification System v1.2 is being phased out and is no longer in use by new projects. Please see the Immunefi Severity Classification Systems page to find active and updated classification systems.


At Immunefi, we classify bugs on a simplified 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.

For example:

  • A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.

  • A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.

  • A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.

The table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.

Blockchain/DLT

Level         Examples
5. Critical   - Network not being able to confirm new transactions (total network shutdown)
              - Unintended permanent chain split requiring hard fork (network partition requiring hard fork)
              - Direct loss of funds
              - Permanent freezing of funds (fix requires hard fork)
              - RPC API crash
4. High       - Unintended chain split (network partition)
              - Transient consensus failures
3. Medium     - High compute consumption by validator/mining nodes
              - Attacks against thin clients
              - DoS of greater than 30% of validator or miner nodes that does not shut down the network
2. Low        - DoS of greater than 10% but less than 30% of validator or miner nodes that does not shut down the network
              - Underpricing transaction fees relative to computation time
1. None       - Best practices

Smart Contracts

Level         Examples
5. Critical   - Empty or freeze the contract's holdings (e.g. economic attacks, flash loans, reentrancy, MEV, logic errors, integer over-/under-flow)
              - Cryptographic flaws
4. High       - Token holders temporarily unable to transfer holdings
              - Users spoof each other
              - Theft of yield
3. Medium     - Contract consumes unbounded gas
              - Block stuffing
              - Griefing denial of service (i.e. the attacker spends as much in gas as the damage done to the contract)
              - Gas griefing
2. Low        - Contract fails to deliver promised returns, but doesn't lose value
1. None       - Best practices

Websites and Apps

Level         CWE        Examples
5. Critical   CWE-78     - Remote Code Execution
                         - Code Injection
                         - LDAP Injection
              CWE-611    - XML External Entity (XXE)
              CWE-89     - SQL Injection
              CWE-91     - XML Injection
              CWE-829    - Server Side Includes Injection (SSI)
                         - Local File Inclusion (LFI)
                         - Directory/Path Traversal
              CWE-918    - Server-Side Request Forgery (SSRF)
4. High       CWE-862    - Indirect Object Reference (IDOR)
                         - Horizontal Privilege Escalation
                         - Vertical Privilege Escalation
              CWE-200    - Confidential Information Exposure
                         - Private Key Leaks
              CWE-79     - Cross-Site Scripting (XSS)
              CWE-93     - CRLF Injection
              CWE-444    - HTTP Request Smuggling
              CWE-434    - Unfiltered File Upload with execution
              CWE-16     - Subdomain Takeovers
                         - Dangling DNS Record
3. Medium     CWE-494    - Cloud Bucket Uploads
              CWE-352    - Authenticated Cross-Site Request Forgery (CSRF)
              CWE-798    - Hardcoded Credentials
              CWE-863    - Authentication Bypass
              CWE-16     - Broken Link Bypass
2. Low        CWE-1021   - Clickjacking (State-Changing)
              CWE-400    - Denial of Service
1. None       CWE-16     - SPF/DMARC/DKIM records
              CWE-601    - Open Redirects