
Wormhole
Generic cross-chain message passing protocol connecting multiple blockchains
ETH | SOL | BSC | MATIC | ARB | OP | Base | Bridge
Verified Program | KYC Required | PoC Required
Max Bounty: $5,000,000
Min Bounty: $1,000
Payout: USDC
Findings: 0
Accepted: 0
Chains: 7
Live Since: Feb 2022
7 Audit Reports Available
- 2023-03-wormhole-securityreview.pdf (Trail of Bits, 2023-03)
- 2024-01-10-cyfrin-wormhole-thermae-v2.1.pdf (Cyfrin, 2024-01)
- 2024-04-09-cyfrin-wormhole-evm-cctp-v2-1.pdf (Cyfrin, 2024-04)
- 2024-04-11-cyfrin-wormhole-evm-ntt-v2.pdf (Cyfrin, 2024-04)
- 2024-07-23-cyfrin-wormhole-NTT-Diff-v1.0.pdf (Cyfrin, 2024-07)
- 2024-10-04-cyfrin-wormhole-multigov-v2.0.pdf (Cyfrin, 2024-10)
- 2026-02-10-cyfrin-securitize-bridge-wormhole-executor-v2.0.pdf (Cyfrin, 2026-02)
01 Severity & Rewards
02 Program Rules
- 01 Proof of Concept is required for all submissions. Reports without a working PoC demonstrating the vulnerability will not be considered.
- 02 KYC verification is required before bounty payout. Researchers must complete identity verification to receive rewards.
- 03 Only previously unreported vulnerabilities are eligible. Duplicate submissions will be closed.
- 04 Vulnerabilities must be reported through the WhiteClaws platform. Public disclosure before resolution disqualifies the submission.
- 05 Testing must not disrupt live protocol operations. Use mainnet forks or testnets for Proof of Concept execution.
- 06 For Critical severity findings, the security team may arrange direct communication for expedited resolution.
IN SCOPE
- Core bridge contracts
- Guardian verification
- Token bridge
- VAA parsing and validation
CRITICAL FUNCTIONS
- publishMessage()
- parseAndVerifyVM()
- completeTransfer()
HIGH FUNCTIONS
- submitContractUpgrade()
- registerChain()
- updateGuardianSet()
OUT OF SCOPE
- Frontend portal
- Off-chain guardian nodes
- Third-party relayers
Protocol Information
Resources
Bounty program indexed and verified by WhiteClaws. Program data sourced from on-chain analysis and public bounty disclosures.