2022 Ⓒ Wormhole. All Rights Reserved.
White hats don’t always need a reason to seek a bug bounty.
(But here are ten million, just in case)
Wormhole is not only offering up to $10,000,000 USDC to white hats, but we’ve already paid several bounties out. That’s how important security is to us. Here’s your chance to get in on this one.
Check out all the details below.
Here’s some crystal clear information about the payout structure.
Smart Contracts / Guardians
In addition to critical bounties, we also award high, medium, and low bounties.
Up to $100,000 USDC
Up to $10,000 USDC
Up to $2,000 USDC
Here’s some fine print.
Wormhole Foundation will maintain full discretion on the payouts for vulnerabilities. We do encourage bug reporters to submit issues outside of the above-mentioned payout structure, though we want to be clear that we’ll exercise discretion on a case-by-case basis -- whether an issue warrants a payout and what that ultimate payout would be.
Additionally, for a bug report to be paid, we do require the bug reporter to comply with our [ KYC ] requirements.
This includes the following:
- Wallet address where you’ll receive payment
- Proof of address (either a redacted bank statement with your address or a recent utility bill with your name, address, and issuer of the bill)
- If you are a U.S. person, please send us a filled-out and signed W-9
- If you are not a U.S. person, please send us a filled-out and signed W-8BEN
- Copy of your passport will be required.
These details will only be required upon determining that a bug report will be rewarded and they will remain strictly confidential within need-to-know individuals (basically, only individuals required to verify KYC and process the payment).
Please note: a copy of your passport will be required.
Here’s a list of assets in scope.
- Blockchain/DLT - Guardian Nodes
- Smart Contract - Smart Contracts in Mainnet
- Smart Contract - Ethereum
- Smart Contract - Terra
- Smart Contract - Solana
- Smart Contract - CosmWasm
- Smart Contract - Algorand
- Smart Contract - Aptos
All smart contracts of Wormhole can be found at https://github.com/wormhole-foundation/wormhole. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.
Here’s a list of assets that are out-of-scope.
Attacks that the reporter has already exploited themselves, leading to damage
Network denial of service on Guardians is not eligible for bug bounty rewards
Wormhole is an open source project with open development. We welcome feedback and PRs on features that are in development. Code that has not been deployed is generally out-of-scope.
Reports regarding bugs that the Wormhole project was previously aware of are not eligible for a reward.
The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, persons in possession of privileged information, and all associated parties.
In scope assets with "pre-release" tag are exempt from the above mentioned deployed requirement and are aimed allowing early access for white-hat community contribution. Once the chain is deployed in mainnet, the new scope is whatever is deployed on chain, which is often what is present in dev.v2 branch. Rewards for “pre-release” candidates will be eligible within the same reward structure as mainnet contracts.
Here's a list of some activities that are prohibited.
Any testing with mainnet or public testnets; all testing should be done on private nets
Public disclosure of a vulnerability before an embargo has been lifted
Any testing with third party smart contracts or infrastructure and websites
Attempting phishing or other social engineering attacks against our employees and/or customers
Any denial of service attacks
Violating the privacy of any organization or individual
Automated testing of services that generates significant amounts of traffic
Any activity that violates any law or disrupts or compromises any data or property that is not your own.
Here are the submission requirements.
All reports must come with sufficient explanation and data to easily reproduce the bug, e.g. through a proof-of-concept code.
All rewards are decided on a case-by-case basis, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself if it is nondeterministic or some of the conditions are not present at the time. The rewards presented in the payout structure above are the maximum rewards and there are no minimum rewards.
Rewards for critical vulnerabilities are further capped at 10% of extractable value during a 24h period. Rewards for vulnerabilities resulting in the indefinite locking of funds are further capped at 1% of destroyable value. Value is calculated based on the current market value and available liquidity for widely-used tokens in the Portal Token Bridge, e.g. ETH and SOL.
In cases where the report achieves more than one of the above objectives, rewards will be tiered to the higher of the two objectives and will not be aggregated (eg. if you have the ability to extract and brick a complete TVL for a chain, you will be awarded a bounty as if you were able to only extract the complete TVL for that chain).
Rewards for bugs in dependencies and third party code are at the discretion of the Wormhole team and will be based on the impact demonstrated on Wormhole. If the dependency has its own bug bounty program, your reward for submitting this vulnerability to Wormhole will be lowered by the expected payout of that other program. If the vulnerability is in a connected blockchain itself rather than the Wormhole code, the locked and wrapped assets on that chain are not included in the impact calculation.
And finally, here’s where you submit your bug.
Examples by severity.
• Bugs that allow forging of wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts but are outside of the “critical” category.
• Bugs that are very capital-intensive to carry out but could be critical.
• Attacks that would be critical if a minority of Guardians was malicious.
• Unrestricted bypass of the Governor module: The Governor module is designed to limit the value that can be transferred out of one chain over time. Assuming a smart contract compromise on one chain, the ability to transfer all tokens in unlimited amounts to any target chain would constitute a "high" severity vulnerability.
• Denial of Service attacks against the Guardian network (excluding volumetric attacks) resulting in an extended but not permanent total network shutdown.
• Exploit chains requiring user interaction
• Compromising a single guardian node
• Cryptographic implementation flaws and flaws in random number generation with limited impact.
• Bugs that allow forging signed messages from a minority of Guardians
• Bugs that are unlikely to occur but would have a large impact if so, e.g. race conditions
• Lack of defense-in-depth (must send PR with improvements and get it merged)
• Bugs that are likely to occur in future stages of development but do not manifest themselves yet
• Denial of Service attacks against the Guardian network (excluding volumetric attacks) resulting in an extended degradation of performance.