Severity Classification
Critical
- Network not able to confirm new transactions (total network shutdown)
- Unintended permanent chain split requiring hard fork (network partition requiring hard fork)
- Direct loss of funds
- Permanent freezing of funds (fix requires hard fork)
- Manipulation of governance voting results that deviates from the voted outcome and directly changes the intended effect of the original results
- Direct theft of any user funds, whether at rest or in motion, other than unclaimed yield
- Direct theft of any user NFTs, whether at rest or in motion, other than unclaimed royalties
- Permanent freezing of NFTs
- Unauthorized minting of NFTs
- Predictable or manipulable RNG that results in abuse of the principal or NFT
- Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)
- Protocol insolvency
High
- Unintended chain split (network partition)
- Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments
- Causing network processing nodes to process transactions from the mempool beyond set parameters
- RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer
- Theft of unclaimed yield
- Theft of unclaimed royalties
- Permanent freezing of unclaimed yield
- Permanent freezing of unclaimed royalties
- Temporary freezing of funds
- Temporary freezing of NFTs
- Complete bypass of transaction fees or gas costs, resulting in free or heavily discounted transactions
- Cross-chain attacks causing disruption or instability in interconnected blockchains or networks
- Exploitable weaknesses in decentralized governance mechanisms, resulting in unfair voting outcomes or manipulation of governance decisions
Medium
- Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours
- Shutdown of 30% or more of network processing nodes without brute force actions, without shutting down the network
- A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk
- Smart contract unable to operate due to lack of token funds
- Block stuffing
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
- Excessive transaction fees due to a bug or miscalculation in the fee calculation mechanism
- Vulnerabilities in smart contract logic or tokenomics resulting in suboptimal user experiences or inefficiencies
Low
- Shutdown of 10% or more, but less than 30%, of network processing nodes without brute force actions, without shutting down the network
- Modification of transaction fees outside of design parameters
- Contract fails to deliver promised returns but does not lose value
- Low-risk issues related to documentation, code comments, or code style that do not directly affect security or functionality
- Minor inconsistencies in calculations within the smart contract that do not affect critical operations
Note: In our audits, 'critical' issues are included within the 'high' classification.