Severity classification
Severity Level | Impact
---|---
Critical | Network not able to confirm new transactions (total network shutdown)
 | Unintended permanent chain split requiring a hard fork (network partition requiring a hard fork)
 | Direct loss of funds
 | Permanent freezing of funds (fix requires a hard fork)
 | Manipulation of governance voting results so that the outcome deviates from the voted outcome and directly changes the intended effect of the original results
 | Direct theft of any user funds, whether at rest or in motion, other than unclaimed yield
 | Direct theft of any user NFTs, whether at rest or in motion, other than unclaimed royalties
 | Permanent freezing of NFTs
 | Unauthorized minting of NFTs
 | Predictable or manipulable RNG that results in abuse of the principal or NFT
 | Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)
 | Protocol insolvency
High | Unintended chain split (network partition)
 | Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours, beyond standard difficulty adjustments
 | Causing network processing nodes to process transactions from the mempool beyond set parameters
 | RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer
 | Theft of unclaimed yield
 | Theft of unclaimed royalties
 | Permanent freezing of unclaimed yield
 | Permanent freezing of unclaimed royalties
 | Temporary freezing of funds
 | Temporary freezing of NFTs
 | Complete bypass of transaction fees or gas costs, resulting in free or heavily discounted transactions
 | Cross-chain attacks causing disruption or instability in interconnected blockchains or networks
 | Exploitable weaknesses in decentralized governance mechanisms, resulting in unfair voting outcomes or manipulation of governance decisions
Medium | Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours
 | Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, without shutting down the network
 | A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk
 | Smart contract unable to operate due to lack of token funds
 | Block stuffing
 | Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
 | Theft of gas
 | Unbounded gas consumption
 | Excessive transaction fees due to a bug or miscalculation in the fee calculation mechanism
 | Vulnerabilities in smart contract logic or tokenomics resulting in suboptimal user experiences or inefficiencies
Low | Shutdown of greater than or equal to 10% but less than 30% of network processing nodes without brute force actions, without shutting down the network
 | Modification of transaction fees outside of design parameters
 | Contract fails to deliver promised returns but doesn't lose value
 | Low-risk issues related to documentation, code comments, or code style that do not directly affect security or functionality
 | Minor inconsistencies in calculations within the smart contract that do not affect critical operations
Last modified 1mo ago