Wormhole Security Program — End-of-Year Update

It’s been a busy year for security in Crypto, and interoperability and bridging protocols are no different. In February 2022, the Wormhole protocol experienced a hack, which served as a massive catalyst for the growth of the Wormhole security program and helped accelerate the program at a rate that none of us could have previously imagined.

In this post, we will capture the improvements to the Wormhole Security program over the past ten months and how it has led to what we believe to be one of the best security programs in all of web3.

Contributor Update

First and foremost, one of the most significant and essential aspects of any crypto project is the contributors who help make it possible. Since February, the Wormhole project has added six new contributors with a full-time focus on security and will add another in January 2023. This is in addition to the existing and growing contributor base of engineers and developers who have taken on the challenge to level up their contributions to the security of the project because, let’s face it, security is everyone’s responsibility.

This added focus on contributors has allowed the Wormhole project to improve its security program significantly.

Bug Bounty Update

In January 2022, contributors started developing a bug bounty program for Wormhole. That program launched mid-February with a record-breaking $10,000,000 USDC bug bounty program via Immunefi. In the following months, other interoperability projects elected to establish Immunefi bug bounty programs.

• February 2022: Wormhole
• March 2022: Axelar
• March 2022: Multi-chain
• April 2022: LayerZero

The same month after its establishment, the Wormhole bug bounty program yielded its first critical win for the project, including the first-ever $10M bug bounty reward. This win solidified bug bounty as a critical component of Wormhole’s security program. It sent a clear message to the rest of the white-hat community that Wormhole is dead serious about running an industry-leading $10M program.

In September 2022, our contributors tried something new by establishing a second complimentary bug bounty program. Having multiple programs/venues for white-hat community contribution is critical to Wormhole’s bug bounty strategy, and we expect that there will be even more venues in the future. We aim to meet white-hat hackers where they are and with venues they trust, wherever possible.

To date, the Wormhole bug bounty program has rewarded the white-hat hacking community more in 2022 than Google did for Chrome and Android in 2021. We hope that sharing this helps the white-hat hacking community further understand how much we appreciate their continued support of Wormhole via the bug bounty program.

You can find more details here if you want more information about Wormhole’s bug bounty programs. Our contributors have made additional efforts to provide white-hat hacker guidance in areas where other white-hats have had success, allowing reporters to achieve a higher success rate when they are just starting.

Auditing Update

In January 2022, Wormhole already had established commitments with Neodyme and Kudelski to conduct security audits of various components of Wormhole. However, given the additional security contributors and commitment to 3rd party testing, an ambitious audit roadmap was created to increase security assurance and make this process an integral part of the Wormhole software development lifecycle (SDLC).

Since then, Wormhole has engaged 3rd party firms in over 25 different audit scopes (see the full list of 3rd party audits). Of that list of scopes and firms, 15 of those audits have been made public, and there’s currently a backlog of audits that have been completed and responded to that we are working through to make public. This was a monumental effort, and we couldn’t have made it happen without the additional support of the following audit firms:

• Certik
• Coinspect
• Hacken
• Halborn
• Kudelski
• Neodyme
• OtterSec
• Trail of Bits
• Zellic

We want to thank all of the above firms for partnering with us. Collaborating with this wide range of diverse industry talent has taught us valuable lessons and has helped us make Wormhole much safer; for that, we are deeply grateful.

Governor Update

In August 2022, Wormhole launched a new safety feature called Governor. The core reason for this feature’s creation and deployment was to help guard against the existential risk of a smart contract or L1 compromise. We also saw the interoperability competitive landscape struggle throughout the year on security. As such, we determined that an extra safety net was needed to help the protocol not take on too much risk.

This feature allows Wormhole Guardians the optional capability to rate-limit the notional flow of value for any registered token bridge on a per-chain basis. As confidence and real-world transaction volume grow, the Wormhole Guardians can adjust their cross-chain risk ceiling on behalf of token bridges accordingly.

Incident Response Update

2022 has been a hectic year for crypto security, and as such, we’ve had the opportunity to learn (firsthand) how best to do incident response in web3. As a result, we’ve established durable relationships with forensic organizations like Chainalysis and TRM to assist with our own forensics needs. This has been critically valuable in understanding what’s happening on-chain. We have had the opportunity to engage those companies and established a priceless contact list of beneficial firms and independents that genuinely want to help. We are deeply grateful for those unsung heroes.

One of the exciting side effects of having a very public incident back in February was that, over the year, countless crypto projects, including our interoperability competition, have reached out to us on their worst days for help and insights. We are very proud to say that during these moments when the proverbial shit hits the fan, we can put our competitive differences aside and put users first.

We’ve also made a larger effort to better document how the project handles incident response activities, empowers incident commanders, and follows up on lessons learned.

Social Media Monitoring Update

In October 2022, Wormhole added Social Media Monitoring to the mix as part of the social listening approach to be alerted when ecosystem security events occur that are relevant to Wormhole.

Despite our contributors being very connected to blockchains, people, and Twitter, this additional feature aims to make a more durable capability that serves multiple Wormhole project contributors in keeping our ears and eyes connected to what’s going on and whether there are any risks that contributors should immediately respond to.

This collaboration between contributors and the community has been an excellent partnership in showing that you don’t need to be a full-time security person to impact security positively. This system has alerted us to several market and chain-specific events, allowing Wormhole contributors to mobilize and determine if any action on behalf of the protocol is needed.

Trust Assumptions Update

Wormhole’s trust assumptions are essentially the same for 2022. There are 19 Guardians, all independently operated by separate organizations, some of which operate as some of the largest validators in crypto, helping protocols to secure billions of dollars on-chain.

As we reiterate Wormhole’s trust assumptions, we know that not all interoperability protocols are created equal, so we must make trust assumption information as easy to find and understand as possible. To this end, we’ve added a section to our SECURITY.md page to make it ultra-simple to understand how many Guardians are required for what specific actions.

Chain Integrators Update

As the number of chains connected to Wormhole increase, the security of the connected chains are shared with the Wormhole network. Because of this, new chains or chains with a lower average notional flow have had their risk ceilings lowered via the Governor limits mentioned above.

However, it is much better if we can prevent such classes of bugs at the source. To this end, we have been working with new and existing chains to offer feedback based on our experience on how to grow and improve their security programs, which often starts with being open source, conducting security audits, and establishing a bug bounty program.

Looking Forward

We hope the above has helped demonstrate how the Wormhole Security Program has grown significantly in the past ten months into what it is today. We’re incredibly excited about the program’s growth and how it benefits the safety of Wormhole. Still, we’re also excited to provide even more examples of how we think a best-in-breed web3 security program should operate.

If you have ideas on improving the Wormhole Security Program, we encourage you to submit a discussion on the Wormhole repository. We look forward to connecting with you as a contributor and making those security improvements a reality.