Smart contracts

This is a vulnerability classification table for smart contracts (v2.0)


Last updated 10 days ago

This table outlines how we categorize smart contract vulnerabilities by severity. Classifications are based on potential financial loss, disruption of core functionality, or manipulation of contract outcomes.

Severity / Example vulnerabilities

🔴 Critical
- Direct theft of funds or NFTs
- Permanent freezing of funds or NFTs
- Governance result manipulation (e.g., vote hijacking, quorum bypass)
- Protocol insolvency (e.g., under-collateralization, unbacked tokens, critical mispricing)
- Unauthorized minting or burning of tokens, including direct manipulation of token supply

🟠 High
- Temporary freezing of funds or NFTs
- Theft of unclaimed funds (e.g., yield, royalties)
- Permanent freezing of unclaimed funds
- Oracle manipulation: influencing on-chain price feeds or data sources

🟡 Medium
- Theft of gas (unbounded loops or expensive operations that an attacker can trigger)
- Gas limit / out-of-gas vulnerabilities: poor gas handling leading to transaction failure, loss of funds, or halted functionality
- Denial of service (DoS): gas exhaustion, block stuffing, or malicious state manipulation that disrupts contract availability
- No-profit attacks (griefing): attacks that damage the protocol or its users without financial gain for the attacker

🟢 Low
- Failure to deliver promised returns (e.g., a staking pool advertises a fixed APY but underperforms due to bugs or flawed logic)
- Uninitialized storage variables: can lead to privilege escalation, but are often low-risk

If the issue does not fall under one of the vulnerabilities listed above, we use the Common Vulnerability Scoring System (CVSS) to assess its severity.