Wormhole
Generic cross-chain message-passing bridge using a guardian network (19 validators, 13/19 threshold for VAA quorum). Hosts Portal Bridge (token/NFT transfers), Native Token Transfers (NTT), intent-based Settlement, and MultiGov tooling. Supports 35+ chains. W token governance via Uniswap-style Governor.
Deployments: Ethereum · $4.3M
01 Risk profile at a glance
0 red · 2 yellow · 4 green
02 Categories & evidence
184 factors · 13 categories
Code & audits Green 14 25 of 25
RD-F-001 yellow Audit scope mismatch EVM core bridge and token bridge proxy source is Etherscan-verified with "Exact Match" (Solidity 0.8.4, optimizer 200 runs, Istanbul EVM). The implementation contracts (0x3c3d and 0x3817) are verified. However, no public document links a specific audit report commit SHA to the currently deployed implementation address on all 35+ chains. The most recent EVM core bridge audit was Trail of Bits 2023-04 (follow-on to 2022-09). NTT, MultiGov, CCTP v2.1, and Swap Layer have 2024–2025 audits scoped ...
RD-F-002 yellow Audit recency Most recent EVM audit activity: Cyfrin EVM Multi-Gov v2 (2025-02); OtterSec NTT v3 (2025-04-18); Cyfrin Securitize Bridge Wormhole Executor v2.0 (2026-02-10 per Cyfrin repo). The EVM Core Bridge and Token Bridge themselves were last substantively audited by Trail of Bits 2023-04 (~36 months ago) and CertiK 2023-03-08. For these core contracts specifically, audit recency is ~36 months — outside the typical 12-month refresh norm for critical bridge infrastructure. Peripheral products (NTT, Mult...
RD-F-003 yellow Resolved-without-proof findings CertiK 2023-03-08 audit: 11 total findings, 7 acknowledged, 4 resolved. 2 major findings (Centralization/Privilege category) are acknowledged-only, not resolved — these relate to admin-key centralization rather than exploitable code bugs in the classic sense, but remain open. No evidence these 2 major-acknowledged items were later patched with an on-chain change. Trail of Bits 2022-09 findings resolution status not directly accessible (PDF required), but no public post-mortem documents unreso...
RD-F-006 yellow Audit-to-deploy gap NTT v3 audited by OtterSec 2025-04-18 and 2025-05-05; Cyfrin Multi-Gov v2 completed 2025-02. Deploy timings for these products are not precisely documented, but NTT was launched progressively through 2024–2025 with corresponding audit cadence. Core bridge deploy precedes audit history (launched August 2021; first substantive audit Neodyme 2022-01-10 — ~160 days post-launch for the core). The 160-day gap for the original core bridge launch is the main adverse signal; all subsequent major produ...
RD-F-009 yellow Formal verification coverage Runtime Verification conducted a formal verification engagement in May 2023 covering EVM contracts (listed in wormhole-audits as "EVM formal verification"). The scope of invariants covered and % coverage is not publicly documented in the accessible report listing. Certora is not mentioned in the Wormhole audit list. The Runtime Verification engagement exists but coverage metrics are not accessible without the PDF.
RD-F-010 yellow Static-analyzer high-severity count No published Slither/Mythril/Semgrep automated output against deployed EVM bytecode found in public sources. CertiK 2023-03-08 used "manual review and static analysis" per CertiK Skynet, with 11 total findings (2 major, 1 medium, 5 minor, 3 informational). The "major" findings (Centralization/Privilege) are governance-related, not direct exploit code patterns like reentrancy or integer overflow. No high-severity code-vulnerability class (reentrancy, overflow, unprotected selfdestruct) identif...
RD-F-015 yellow ERC-777/1155/721 hook without reentrancy guard Bridge handles arbitrary ERC-20 tokens through `safeTransfer`/`safeTransferFrom` pattern. NFT Bridge handles ERC-721. ReentrancyGuard in Bridge.sol provides protection. No specific hook-exploitation finding in published audits. However, the breadth of token types supported across 35+ chains creates surface area for edge-case hook interactions not all individually tested.
RD-F-023 yellow Constructor calls _disableInitializers() Wormhole EVM implementation contracts do not call `_disableInitializers()` (OZ pattern introduced in OZ 4.6+). They use their own `initializer` modifier pattern instead, which achieves the same end goal by checking the implementation address against a mapping. The custom pattern was the root of the 2022 Immunefi finding (state could be cleared) but is now properly initialized. The absence of `_disableInitializers()` means the OZ canonical defense pattern is not in place; however the functiona...
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Core Bridge Ethereum (0x98f3c9e6), Token Bridge (0x3ee18B22), and NFT Bridge are the primary value-holding EVM contracts. Immunefi scope states "Ethereum and EVM chains (excluding Circle Bridge)" and includes "Portal Token Bridge." The NFT Bridge is explicitly listed as excluded from scope per the Immunefi scope page. However, the Token Bridge and Core Bridge appear to be in scope. The $1M max payout is active for Tier 1 (extract TVL all chains). One explicit gap: NFT Bridge exclusion is a sc...
RD-F-016 gray Divide-before-multiply pattern No published Slither output to confirm presence or absence of `divide-before-multiply` findings. Bridge.sol uses amount normalization/denormalization arithmetic for cross-chain precision. The CertiK audit's minor/informational findings did not call this out as a concern. Cannot confirm with tool run.
RD-F-020 n/a EIP-712 domain separator missing chainId Wormhole's VAA-based verification does not use EIP-712 for cross-chain messages — it uses its own custom VAA struct with Guardian signatures via `ecrecover`. The implementation binds messages to `srcChainId` via the `emitterChainId` field in the VAA struct. Chain replay protection is achieved through the Wormhole chain ID scheme, not EIP-712 domain separators. N/A for the core bridge (no EIP-712 in critical path); any EIP-712 usage in NTT/MultiGov peripheral contracts would require separate a...
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Wormhole uses EIP-1967 Transparent Proxy, not UUPS. Upgrade authority flows through governance VAAs (not `_authorizeUpgrade`). The transparent proxy pattern delegates upgrade authority to the ProxyAdmin / Guardian governance mechanism, not to the implementation contract's `_authorizeUpgrade` function. UUPS-specific factor does not apply.
RD-F-004 green Audit count 15+ distinct firms across 29+ engagements covering: Neodyme, Kudelski, Trail of Bits, OtterSec, Zellic, Hacken, CertiK, Runtime Verification, Coinspect, Cyfrin, Cantina, Sec3, Code4rena, Sherlock, Halborn. Halborn confirmed via Wormhole's official security docs page (wormhole.com/docs/protocol/security/) listing it as one of the named audit firms; report file may not be public in the wormhole-audits repo. 15 firms is exceptional depth for a bridge protocol.
RD-F-005 green Audit firm tier Trail of Bits (Tier 1), OtterSec (Tier 1 for Solana/Rust), Zellic (Tier 1 emerging), Cyfrin (Tier 2), Cantina (Tier 2), Neodyme (Tier 1 for Rust/Solana), Runtime Verification (Tier 1 for formal methods), CertiK (Tier 2), Sec3 (Tier 1 for Solana), Sherlock (competitive audit platform). Multi-language coverage with appropriate specialist coverage per language (Rust-specialist OtterSec for Solana, ToB for EVM, Zellic for Move/Aptos).
RD-F-007 green Bug bounty presence & max payout Immunefi program active at immunefi.com/bug-bounty/wormhole/. Maximum payout: $1,000,000 for Tier 1 (extract TVL across all chains). Payout structure is tiered ($1M/$500K/$250K). Historical $10M payout confirmed (2022 uninitialized proxy Immunefi disclosure). Scope explicitly includes Portal Token Bridge, EVM chains, Solana, Aptos, Sui, Near, CosmWasm, Algorand, Guardian Nodes. Bounty was active and responsive — $10M payout is the largest single bridge bounty in DeFi history, demonstrating re...
RD-F-008 green Ignored bounty disclosure No evidence of an ignored disclosure. The 2022 $10M payout demonstrates the team actively acted on responsible disclosure. The 2022-02-02 exploit ($320M) originated in Solana program code and was distinct from a prior disclosure (it was a 0-day in production); the uninitialized proxy bug was caught pre-exploit and paid out. No post-mortem documents a "team knew and ignored" pattern.
RD-F-011 green SELFDESTRUCT reachable from non-admin path The 2022 Immunefi uninitialized proxy disclosure described a scenario where an attacker could trigger selfdestruct via: (1) call `initialize()` to take over Guardian set, (2) deploy malicious contract with SELFDESTRUCT, (3) submit governance upgrade to that address. This was an indirect path gated behind taking over the Guardian set first — it required exploiting the uninitialized state as a prerequisite. The fix (properly initializing) was applied before exploit. Current deployed code: Gover...
RD-F-012 green delegatecall with user-controlled target `Governance.sol` contains `newImplementation.delegatecall(abi.encodeWithSignature("initialize()"))` in `upgradeImplementation()`. However, the target is not user-controlled — it is derived from a cryptographically-verified governance VAA requiring 13/19 Guardian signatures. No path allows an arbitrary user to supply the delegatecall target without Guardian consensus.
RD-F-013 green Arbitrary call with user-controlled target `Governance.sol` `submitTransferFees()` performs `recipient.transfer(transfer.amount)` where recipient is extracted from a VAA. This is a native-ETH transfer (not an arbitrary calldata call). `Bridge.sol` uses SafeERC20.safeTransfer() and SafeERC20.safeTransferFrom() for ERC-20 movements; no arbitrary external call with user-controlled calldata found.
RD-F-014 green Reentrancy guard on external-calling functions `Bridge.sol` uses ReentrancyGuard from OpenZeppelin (confirmed via Bridge.sol source inspection showing `ReentrancyGuard` and SafeERC20 patterns). CCTP bridge contracts confirmed to use `nonReentrant` modifier on `transferTokensWithPayload`. The core bridge message publication path does not perform external calls before state writes in the identified code. No reentrancy-related findings in accessible audit summaries.
RD-F-017 green Mixed-decimals math without explicit scaling Bridge.sol implements amount normalization and denormalization to handle 8-decimal bridged amounts consistently across chains (well-known design decision). No mixed-decimals finding in accessible audit summaries.
RD-F-018 green Signed/unsigned arithmetic confusion Solidity 0.8.x (used across EVM contracts) provides built-in overflow/underflow protection eliminating the most common unsigned arithmetic confusion vectors. No signed/unsigned arithmetic finding in accessible audits.
RD-F-019 green ecrecover zero-address return unchecked `Messages.sol` `verifySignatures()` explicitly checks: `require(signatory != address(0), "ecrecover failed with signature")` — the comment in the code states "ecrecover returns 0 for invalid signatures. We explicitly require valid signatures to avoid unexpected behaviour." This is the exact vulnerability pattern the 2022 Solana exploit exposed (on the Rust/Solana side, not EVM), and the EVM side has the guard properly implemented.
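As an added illustration of the checks RD-F-019 and RD-F-012 describe (this is not code from Wormhole's repository), the following Python model verifies a guardian-signed message the way the page says Messages.sol does: the guardian set must be known, a supermajority of signatures must be present, signer indices must be strictly ascending so no guardian is counted twice, and a failed recovery is rejected explicitly rather than allowed to compare equal to a guardian entry. Everything here is constructed and simplified: HMAC stands in for secp256k1 signing and `ecrecover`, SHA-256 for keccak256, only the current guardian set is accepted (the real core bridge also honours a prior set within an expiry window), and the guardian keys and messages are invented for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed 19-member guardian set. Each guardian is a toy HMAC key plus a
# derived "address". Real guardians sign with secp256k1 and the contract recovers
# their address with ecrecover; HMAC stands in so this runs with the stdlib only.
GUARDIAN_KEYS = [hashlib.sha256(f"toy-guardian-{i}".encode()).digest() for i in range(19)]
GUARDIAN_ADDRS = [hashlib.sha256(k).hexdigest()[:40] for k in GUARDIAN_KEYS]
GUARDIAN_SETS = {0: GUARDIAN_ADDRS}   # guardian set index -> guardian addresses
CURRENT_SET_INDEX = 0


def quorum(num_guardians: int) -> int:
    """Supermajority threshold; 13 for a 19-member set."""
    return (num_guardians * 2) // 3 + 1


@dataclass(frozen=True)
class Signature:
    guardian_index: int   # claimed position of the signer in the guardian set
    sig: bytes


@dataclass(frozen=True)
class Message:
    guardian_set_index: int
    emitter_chain_id: int   # source chain is part of the signed data (replay defence)
    body: bytes
    signatures: tuple

    def digest(self) -> bytes:
        # The signed hash covers the guardian set index, the emitter chain and the
        # body, so a message replayed against another chain or another guardian
        # set does not verify. (Real VAAs hash the body with keccak256.)
        raw = (self.guardian_set_index.to_bytes(4, "big")
               + self.emitter_chain_id.to_bytes(2, "big") + self.body)
        return hashlib.sha256(raw).digest()


def toy_sign(digest: bytes, key: bytes) -> bytes:
    return hmac.new(key, digest, hashlib.sha256).digest()


def toy_recover(digest: bytes, sig: bytes):
    """Stand-in for ecrecover: the signer's address, or None when the signature
    is invalid (the situation in which ecrecover returns address(0))."""
    for key, addr in zip(GUARDIAN_KEYS, GUARDIAN_ADDRS):
        if hmac.compare_digest(toy_sign(digest, key), sig):
            return addr
    return None


def verify(msg: Message) -> tuple:
    """Return (ok, reason) for a guardian-signed message."""
    guardians = GUARDIAN_SETS.get(msg.guardian_set_index)
    if guardians is None or msg.guardian_set_index != CURRENT_SET_INDEX:
        return False, "unknown or expired guardian set"
    if len(msg.signatures) < quorum(len(guardians)):
        return False, "no quorum"
    digest = msg.digest()
    last_index = -1
    for s in msg.signatures:
        # Strictly ascending indices: the same guardian cannot be counted twice.
        if s.guardian_index <= last_index or s.guardian_index >= len(guardians):
            return False, "signature indices not strictly ascending / out of range"
        last_index = s.guardian_index
        signer = toy_recover(digest, s.sig)
        # Analogue of `require(signatory != address(0))`: a failed recovery is an
        # error in its own right, never a value to compare against the set.
        if signer is None:
            return False, "recovery failed"
        if signer != guardians[s.guardian_index]:
            return False, "signer is not the guardian at the claimed index"
    return True, "ok"


def make_message(signer_indices, body=b"transfer 1 ETH", set_index=0, chain_id=2):
    """Build a constructed message signed by the given guardian indices."""
    unsigned = Message(set_index, chain_id, body, ())
    d = unsigned.digest()
    sigs = tuple(Signature(i, toy_sign(d, GUARDIAN_KEYS[i])) for i in signer_indices)
    return Message(set_index, chain_id, body, sigs)


if __name__ == "__main__":
    print(verify(make_message(range(13))))   # (True, 'ok')
    print(verify(make_message(range(12))))   # (False, 'no quorum')
```

The ascending-index rule is what makes the quorum count meaningful: without it, twelve honest signatures plus one repeated entry would satisfy a 13-of-19 check. The explicit `None` test is the EVM-side guard RD-F-019 confirms; the Solana-side incident the page refers to was the absence of an equivalent check in that runtime's signature verification.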
RD-F-022 green Public initialize() without initializer modifier `Implementation.sol`: `function initialize() initializer public virtual` — the custom `initializer` modifier checks `!isInitialized(ERC1967Upgrade._getImplementation())` before permitting initialization, storing a flag by implementation address. This effectively prevents re-initialization of any given implementation. `BridgeImplementation.sol` uses the same pattern. The 2022 Immunefi issue ($10M payout) was NOT a missing modifier — it was that the implementation's initialized flag had been cl...
RD-F-024 green Code complexity vs audit coverage Wormhole spans 5 language stacks (Solidity, Rust, Move, Go, Python) across 35+ chains. The total codebase complexity is exceptional for a bridge protocol. However, 29 third-party audit engagements by 14 firms calibrated to each language and component represent very high coverage density relative to complexity. No audit has flagged audit-coverage-inadequacy as a concern for a specific component. Individual components (e.g., EVM core bridge) have had 4+ independent firms cover them.
Governance & admin Gray 0 24 of 24
RD-F-025 gray Admin key custody type | Hybrid: Guardian-multisig (19 nodes, 13/19 threshold) for Core Bridge upgrades + W token DAO (MultiGov) for protocol parameters. No traditional Gnosis Safe or OZ Timelock. | Governance.sol GitHub; Profile §6; Wormhole Docs guardians page | green
RD-F-026 gray Upgrade multisig signer configuration (M/N) Admin address count | Guardian network: 19 separate guardian node operators. No single admin EOA. W token governance: effectively all delegated W holders. Guardian-governed ownership contract ETH: `0x23Fea5514DFC9821479fBE18BA1D7e1A61f6FfCf`. Delegated Guardians contract: `0x1462800febd49232798132e8c8b721aa86c4c209` (ETH). | Wormhole contract-addresses docs; Etherscan | green
RD-F-027 gray Single admin EOA | No single EOA admin. Core Bridge governance requires 13/19 guardian VAA signatures. No owner() EOA found on proxy. | Governance.sol; Etherscan proxy; Profile §6 | green
RD-F-028 gray Low-threshold multisig vs TVL | 13/19 guardian threshold is formally sound (68%), but guardians have no bonded stake (no slashing). Jump Crypto is one of 19 guardians with significant market influence. The 13/19 requirement means a 7-guardian coalition CANNOT forge VAAs; still requires supermajority. For peak TVL of $2.4B, the 13/19 un-bonded structure is weaker than a well-structured Gnosis Safe with known, publicly accountable signers. | Wormhole security docs; Disruption Banking guardian l...
RD-F-029 gray Multisig signers co-hosted / same custody | 19 guardian operators include Chorus One, Figment, Jump Crypto, Everstake, P2P Validator, Triton.one, Chainode, ChainLayer, Staking Fund, Dokia, 01Node, Moonlet, Inotel, Staking Facilities, HashQuark, Forbole, Syncnode, Certus One, Smith MCF. Diversity of validator entities is high (global custodians). Full co-hosting analysis requires OSINT beyond available data. | Disruption Banking; Wormhole 101 Guardians blog; Profile §6 | gray
RD-F-030 gray Hot-wallet signer flag on multisig | Guardian key custody is managed by professional staking operators (not web wallets). Individual key security is operator-dependent and not publicly attestable. No public evidence of hot-wallet custody at known guardians. | Wormhole Docs; Guardian operator reputation | gray
RD-F-031 gray Signer rotation recency | Guardian set was expanded from 13 to 19 historically. No guardian set change has been published in 2024-2025 for the main Ethereum Core Bridge. Guardian set index is stored on-chain; last change date not determinable from available sources without direct chain query. | Etherscan (guardian set index method); Profile §6 note "guardian set has expanded" | gray
RD-F-032 gray Timelock duration on upgrades (hours) | No traditional timelock contract exists. Guardian VAA signing itself introduces inherent latency (guardians must observe, sign, and aggregate — typically minutes, not hours). Once a valid 13/19 VAA is assembled, execution on `submitContractUpgrade()` is immediate (zero on-chain timelock delay). | Governance.sol (no timelock modifier visible); search results confirming "once a properly signed VAA is submitted, changes execute immediately" | yellow
RD-F-033 gray Timelock presence on sensitive actions | `submitContractUpgrade()`, `submitNewGuardianSet()`, `submitTransferFees()`, `submitSetMessageFee()`, `submitRecoverChainId()` — all require only a valid 13/19 guardian VAA. None are subject to an on-chain timelock delay post-VAA submission. | Governance.sol via GitHub/WebFetch | yellow
RD-F-034 gray Guardian / pause-keeper role distinct from upgrader | No separate pause-keeper exists on the Core Bridge (no pause function found). Guardian set is the single authority for all privileged operations. NTT contracts have a distinct `pauser` role. No role separation between pauser and upgrader at the Core Bridge level. | NTT docs; Governance.sol; Bridge.sol analysis | yellow
RD-F-035 gray Role separation: upgrade ≠ fee ≠ oracle | All three functions (upgrade, fee transfer, guardian-set change) are executed via the same governance VAA mechanism (13/19 guardian threshold). There is no role segregation — the same guardian set that can change implementations can also drain fees and rotate the guardian set. | Governance.sol function listing (submitContractUpgrade, submitTransferFees, submitNewGuardianSet all gated identically) | yellow
RD-F-036 gray Flash-loanable voting weight | MultiGov uses ERC20Votes checkpoints (OZ Governor); voting weight is snapshotted at proposal-creation block, preventing true flash-loan attacks. However, no lockup or cooldown period exists — "no token lockup when staking for governance, no cool-down period" confirmed by official Wormhole blog. A large holder can acquire W, stake, pass checkpoint, and vote without any capital lock. | Wormhole stake-for-governance blog; architecture docs confirming ERC20Votes + O...
RD-F-037 gray Quorum achievable via single-entity flash loan | W token governance uses checkpoint-based voting (block snapshot), which prevents single-block flash loan quorum attacks. For WIP-1, quorum required ~351M W tokens (inferred: WIP-1 secured 433M in support with "exceeding quorum by over 80M"). With 10B total supply and ~1.8B circulating, single-entity quorum via DEX liquidity is not feasible via true flash loan (checkpoint required). | Wormhole MultiGov docs; WIP-1 vote result (3,428 voters; 433M...
RD-F-038 gray Proposal execution delay < 24h | A timelock exists in the MultiGov architecture (described as having a "timelock period between proposal approval and execution") per search results. However, exact delay value (in seconds) could not be determined from available public sources — not published in Wormhole docs. For the Core Bridge (guardian VAA path), execution is effectively immediate post-VAA. | Wormhole MultiGov architecture docs; search result "timelock period between proposal approval and e...
RD-F-039 gray `delegatecall`/`call` in proposal execution, no allowlist | MultiGov `SpokeMessageExecutor` → `SpokeAirlock` forwards calldata to target addresses in proposal payloads. The architecture uses `.call()` (not `delegatecall`) according to standard OZ Governor pattern. No explicit target allowlist confirmed in public docs; MultiGov has been audited by Cyfrin (Oct 2024, Feb 2025), Sherlock (Mar 2025), Sec3/Zellic (Feb 2025) without publicly reported critical allowlist-bypass findings. Cannot fully ...
RD-F-040 gray Emergency-veto multisig present | No evidence of a dedicated emergency-veto multisig on Wormhole Core Bridge. Guardian-based governance is the sole authority. No separate security council or veto mechanism found in public documentation. | Profile §6; Governance.sol; Wormhole security docs | yellow
RD-F-041 gray Rescue / emergencyWithdraw without timelock | `submitTransferFees()` in Governance.sol can transfer accumulated message fees to an arbitrary recipient immediately upon valid 13/19 guardian VAA. Effectively functions as a fee-drain path without additional timelock beyond the guardian signing requirement. No `rescue` or `emergencyWithdraw` function found on Token Bridge (Bridge.sol analysis). Fee accumulations are not equivalent to total bridge TVL. | Governance.sol WebFetch (confirming submitT...
RD-F-042 gray Admin has `mint(…)` with unlimited max | W token has documented 10B hard cap (confirmed via tokenomics blog). Minting authority assigned to NTT Manager contracts (cross-chain transfers only). Guardian set cannot directly call mint on W token ERC-20 at `0xb0ffa8`. No unlimited mint path via guardian governance found. The W token implementation uses `AccessControlDefaultAdminRulesUpgradeable`; full minter role analysis requires NTT Manager owner verification. | W token Etherscan (proxy note, su...
RD-F-043 gray Admin = deployer EOA + no multisig transfer in 7d | Deployer EOA is not the current admin. Guardian-based governance was in effect from launch (August 2021). Etherscan upgrade history shows governance has always been through guardian VAA, not a single deployer EOA. | Etherscan Upgraded events (earliest: Aug 4, 2021, Block 12959638); Governance.sol | green
RD-F-044 gray Admin wallet interacts with flagged addresses | No admin EOA wallet to check (guardian-based, not EOA). Guardian operator addresses not individually inspected (out of scope without chain-level querying tool). | Profile §6; out of scope for governance-admin-analyst | gray
RD-F-045 gray Constructor args match governance-proposal-stated args | No EVM governor-style governance proposals for the Core Bridge upgrades to match against. Guardian VAA payloads are not published as human-readable proposals to a forum with constructor args. This factor is N/A for VAA-based governance model. | Profile §6; Governance.sol mechanism | N/A
RD-F-046 gray Contract unverified at launch (no public ABI) | Core Bridge impl `0x3c3d457f1522d3540ab3325aa5f1864e34cba9d0`: verified "Exact Match" on Etherscan. Token Bridge `0x381752f5458282d317d12c30d2bd4d6e1fd8841e`: listed as verified in profile. NFT Bridge impl: listed as verified. W Token proxy: verified (ERC1967 proxy). | Etherscan WebFetch confirming verified status; profile §3 | green
RD-F-047 gray Governance power concentration (Gini) | W token total supply 10B, circulating ~5.75B (per Etherscan). Wormhole Foundation holds 23.3% treasury allocation. Airdrop distributed to large user base; governance showed 3,428–3,440 voters on WIP-1/2. No Gini coefficient calculation performed (requires holder distribution scan). | Wormhole tokenomics blog; WIP-1/2/3 vote results | gray
RD-F-167 gray Admin retains reversible pause over deprecated surface | Multiple chains deprecated (Terra, Oasis, Aurora, Acala, Karura, Xpla). On deprecated chains, the Core Bridge proxy remains deployed and admin authority (guardian VAA) technically still applies — guardians could resume or modify the deprecated chain contracts. No evidence the deprecated contracts are fully immutable or surrendered. | Wormhole network updates blog; Profile §6 note on deprecations | yellow
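To make concrete what the checkpoint snapshot in RD-F-036 and RD-F-037 does and does not protect against, here is an added Python model (not MultiGov's or OpenZeppelin's code) of an ERC20Votes-style token with per-delegate checkpoints and a governor that reads voting weight at the proposal's snapshot block. The accounts, balances, block numbers and quorum are constructed for the example. It shows two things: tokens borrowed and delegated after the snapshot carry zero weight, because `get_past_votes` looks back to the snapshot block; and, as the page notes, a holder who acquired and delegated before the snapshot keeps full weight even after disposing of the tokens, because nothing locks them.

```python
from bisect import bisect_right


class VotesToken:
    """Minimal ERC20Votes-like model: balances, delegation, and one checkpoint
    list per delegate holding (block, votes) pairs in ascending block order."""

    def __init__(self):
        self.balances = {}
        self.delegates = {}      # account -> delegate (None until delegated)
        self.checkpoints = {}    # delegate -> [(block, votes), ...]

    def _write_checkpoint(self, delegate, block, votes):
        cps = self.checkpoints.setdefault(delegate, [])
        if cps and cps[-1][0] == block:
            cps[-1] = (block, votes)    # same block: overwrite the last entry
        else:
            cps.append((block, votes))

    def _current_votes(self, delegate):
        cps = self.checkpoints.get(delegate)
        return cps[-1][1] if cps else 0

    def _move_votes(self, src, dst, amount, block):
        if src == dst or amount == 0:
            return
        if src is not None:
            self._write_checkpoint(src, block, self._current_votes(src) - amount)
        if dst is not None:
            self._write_checkpoint(dst, block, self._current_votes(dst) + amount)

    def mint(self, to, amount, block):
        self.balances[to] = self.balances.get(to, 0) + amount
        self._move_votes(None, self.delegates.get(to), amount, block)

    def transfer(self, frm, to, amount, block):
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        self._move_votes(self.delegates.get(frm), self.delegates.get(to), amount, block)

    def delegate(self, account, delegatee, block):
        old = self.delegates.get(account)
        self.delegates[account] = delegatee
        self._move_votes(old, delegatee, self.balances.get(account, 0), block)

    def get_past_votes(self, account, block):
        """Votes held by `account` at the end of `block`: the last checkpoint
        written at or before that block."""
        cps = self.checkpoints.get(account, [])
        i = bisect_right(cps, (block, float("inf")))
        return cps[i - 1][1] if i else 0


class Governor:
    """Snapshot-based governor: weight is read at the proposal's snapshot block."""

    def __init__(self, token, quorum):
        self.token = token
        self.quorum = quorum
        self.proposals = {}

    def propose(self, block):
        pid = len(self.proposals) + 1
        self.proposals[pid] = {"snapshot": block, "for": 0, "voted": set()}
        return pid

    def cast_vote(self, pid, voter, block):
        p = self.proposals[pid]
        if block <= p["snapshot"]:
            raise ValueError("voting opens after the snapshot block")
        if voter in p["voted"]:
            raise ValueError("already voted")
        weight = self.token.get_past_votes(voter, p["snapshot"])
        p["voted"].add(voter)
        p["for"] += weight
        return weight

    def quorum_reached(self, pid):
        return self.proposals[pid]["for"] >= self.quorum


def scenario():
    """Constructed timeline contrasting same-block borrowing with pre-snapshot holding."""
    token = VotesToken()
    gov = Governor(token, quorum=500)
    token.mint("pool", 800, block=10)        # a lending pool's inventory
    token.mint("holder", 300, block=10)      # a long-term, self-delegated holder
    token.delegate("holder", "holder", block=10)
    token.transfer("pool", "early", 300, block=50)   # acquired before the snapshot
    token.delegate("early", "early", block=50)
    pid = gov.propose(block=100)             # snapshot = block 100
    # Block 101, one transaction: borrow, delegate, vote, repay.
    token.transfer("pool", "flash", 500, block=101)
    token.delegate("flash", "flash", block=101)
    flash_weight = gov.cast_vote(pid, "flash", block=101)
    token.transfer("flash", "pool", 500, block=101)
    # "early" disposes of its tokens before voting; its snapshot weight is unchanged.
    token.transfer("early", "pool", 300, block=101)
    early_weight = gov.cast_vote(pid, "early", block=102)
    holder_weight = gov.cast_vote(pid, "holder", block=102)
    return {"flash": flash_weight, "early": early_weight,
            "holder": holder_weight, "quorum": gov.quorum_reached(pid)}


if __name__ == "__main__":
    print(scenario())   # {'flash': 0, 'early': 300, 'holder': 300, 'quorum': True}
```

The checkpoint is therefore a defence against weight that did not exist at the snapshot, not a commitment of capital: a lockup or cooldown, which the page reports MultiGov does not have, is a separate control.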
Oracle & external dependencies Gray 0 17 of 17
RD-F-048 gray Oracle providers used Oracle feed staleness check — not in critical bridge path; not assessed within budget.
RD-F-049 gray Oracle role per asset Oracle manipulation resistance — Guardian network (not price oracle) is trust layer; assessment deferred.
RD-F-050 gray Dependency graph (protocols depended upon) Oracle fallback mechanism — not applicable to VAA-based bridge; assessment deferred.
RD-F-051 gray Fallback behavior on oracle failure | Core Bridge has no price oracle, so oracle failure is not applicable in the traditional sense. For guardian network: if quorum falls below 13/19, VAA production halts. No documented automated fallback — bridge freezes rather than degrading gracefully to a secondary trust source. For NTT: rate limits queue transfers rather than silently dropping them when limits exceeded. | Profile §7; Wormhole docs on VAA model; NTT rate limiting docs (wormhole.com/docs/p...
RD-F-052 gray Breakage analysis — what breaks if dep X fails | Core Bridge failure: Token Bridge, NFT Bridge, NTT halt. Guardian quorum loss: all bridge outputs freeze. CCTP attestation failure: USDC cross-chain transfers halt, non-USDC unaffected. Peripheral Chainlink feeds: UI display only. Centralized swap rate updater: relayer swap-amounts stale. | Dependency graph above; wormhole.com/docs; Messages.sol inspection | yellow
RD-F-053 gray Oracle source = spot DEX pool (no TWAP, no fallback) | Not applicable — no DEX spot price is used in any security-critical path. The Guardian network (multisig attestation) is the trust primitive. No DEX pool price is consumed for VAA verification, asset pricing, or fee computation in audited production contracts. | Messages.sol: no DEX oracle calls; Token Bridge whitepaper (0003_token_bridge.md); data cache oracle_feeds attribution to peripheral contracts | green
RD-F-054 gray TWAP window duration | Not applicable — no TWAP oracle used. | Same as F053 | N/A
RD-F-055 gray Underlying oracle pool depth (USD) | Not applicable — no DEX pool oracle. | Same as F053 | N/A
RD-F-056 gray Single-pool oracle (no medianization) | Not applicable — no price oracle in critical path. | Same as F053 | N/A
RD-F-057 gray Circuit breaker on price deviation | No price-based circuit breaker relevant — no price oracle. NTT does implement outflow rate limits (per-chain token-denominated caps) which function as a quasi-circuit breaker on transfer velocity but not price deviation. | NTT rate limiting docs | yellow (NTT transfer rate limit present; no price-deviation circuit breaker possible as there is no price oracle)
RD-F-058 gray Max-deviation threshold (bps) | Not applicable — no price-deviation circuit breaker. | Same as F057 | N/A
RD-F-059 gray Oracle staleness check (`updatedAt > now - X`) | No Chainlink `latestRoundData()` staleness check needed in core path — no price feed consumed. For peripheral Chainlink feeds: staleness check status of individual consumer contracts not verified (those contracts are not the audited core bridge). Gap flagged. | Messages.sol: no staleness check (no price feed); peripheral contract sources not inspected | yellow
RD-F-060 gray Chainlink aggregator min/max bound misconfig | Applicable only to peripheral consumer contracts. Not applicable to Core Bridge. For peripheral feeds (data cache): 19 Chainlink feeds detected across various pairs/chains; whether any consuming contract applies min/max bounds misconfiguration is unknown without inspecting the peripheral contract source. Gap for peripheral contracts only. | Data cache oracle_feeds list; Core Bridge Messages.sol has no Chainlink call | yellow (peripheral gap)
RD-F-061 gray Protocol trusts LP token `balanceOf` for pricing | Not applicable — no LP token pricing in any confirmed production contract. | Source inspection; no evidence found | green
RD-F-062 gray External keeper/relayer dependency not redundant | Token Bridge Relayer: relies on an off-chain relayer network to submit signed VAAs to destination chains. Wormhole's Standard Relayer (0x27428DD2d3DD32A4D7f7C497eAaa23130d894911, Ethereum) is the protocol-operated relayer. Users can alternatively self-relay by submitting VAAs manually — relay is not the sole mechanism (VAAs are publicly available, so any actor can submit them). This makes the relayer system more redundant than a purely centra...
RD-F-180 gray Immutable oracle address / no admin-replaceable wrapper | Not applicable to Core Bridge — no oracle address exists in the critical path. For peripheral Token Bridge Relayer swap rates: uses centralized owner-settable rates (no Chainlink address at all — future Pyth proposal per DESIGN.md). NTT: no oracle address. F180 in the EVM immutable-keyword sense: no collateral oracle address is hardcoded as `immutable` in any production contract because no such oracle is used. Substrate-generalized def...
RD-F-181 gray Permissionless-pool lending oracle / isolation-tier config | Not applicable — Wormhole is a bridge protocol, not a lending protocol. No permissionless-pool lending oracle pattern. | Protocol category = BRIDGE | N/A
Economic risk Yellow 22 13 of 13
RD-F-064 yellow TVL concentration (top-10 wallet share) Single-chain concentration: Ethereum holds ~90% of Portal bridge TVL per September 2024 snapshot. Asset concentration: RNDR was >56% of deposits during migration event; post-migration, ETH/USDC likely dominant. Single-chain concentration is inherent to bridge architecture and not necessarily a solvency risk, but means Ethereum-side contract failure would affect majority of locked value.
RD-F-065 yellow Liquidity depth per major asset Wormhole-wrapped ETH (wETH on Solana) is the most liquid wrapped ETH on Solana. USDC via CCTP (native, not wrapped) is available. Wrapped tokens on lower-volume destination chains (BNB, Polygon) have thinner secondary market depth. No 2% slippage depth figure available from public sources without a DEX subgraph query. Qualitative: adequate for routine use; potentially thin during stress on non-ETH/Solana chains.
RD-F-066 n/a Utilization rate (lending protocols) NOT APPLICABLE — Wormhole has no lending markets. `borrow.present: false` in data cache.
RD-F-067 n/a Historical bad-debt events NOT APPLICABLE — no lending markets, no bad debt mechanism exists. The Feb 2022 exploit created a collateral shortfall (120,000 wETH minted without backing) but this was a bridge exploit, not a lending bad-debt event. Jump Trading covered the loss, meaning no protocol-socialized loss.
RD-F-068 n/a Collateralization under stress NOT APPLICABLE — Wormhole's Portal bridge is 1:1 collateralized by design (lock-and-mint). Wrapped tokens are 100% backed by locked originals unless a signature exploit occurs (as in Feb 2022). The Feb 2022 hack created a momentary 0% backing for 120,000 wETH; this was resolved by Jump Trading. No ongoing under-collateralization.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin NOT APPLICABLE — Wormhole does not issue algorithmic stablecoins. W token is a governance token, not a stablecoin.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) NOT APPLICABLE — Wormhole has no Compound V2-style cToken markets, no ERC-4626 vaults, and no share-based vault accounting. The lock-and-mint Token Bridge stores locked assets in an escrow mapping, not in a share-based pool. The NTT product burns-and-mints without a pool mechanism. Curator note: this factor is ineligible for any star-flag coloring on a pure bridge protocol.
RD-F-071 n/a Seed-deposit requirement for new market listing NOT APPLICABLE — no markets to list. Bridge supports new chain/token pairs via Guardian governance VAA, not a seed-deposit mechanism.
RD-F-072 n/a Market-listing governance threshold NOT APPLICABLE — no lending market listings.
RD-F-073 n/a Oracle-manipulation-proof borrow cap NOT APPLICABLE — no borrow caps, no lending.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) NOT APPLICABLE — no ERC-4626 vaults deployed in Wormhole's core bridge stack. Chainlink oracle feeds detected in data cache are attributed to Portal UI or peripheral contracts, not ERC-4626 vaults.
RD-F-075 n/a First-depositor / share-inflation guard NOT APPLICABLE — no vault-style contracts. Same rationale as RD-F-074.
RD-F-063 green TVL (current + 30d trend) ~$2.5B locked in Portal bridge contracts across 30+ chains. DefiLlama slug `portal` is the correct source; slug `wormhole` returns null. Cumulative messaging volume $70B+.
Operational history Gray 0 15 of 15
RD-F-076 gray Protocol age (days)
- Finding: 1,727 days (August 4, 2021 to April 26, 2026; ~56 months). Comfortably exceeds the 12-month A-grade floor.
- Light: green
RD-F-077 gray Prior exploit count
- Finding: 1 confirmed in-sample exploit (Feb 2, 2022 — $320M sysvar bypass). The Feb 24, 2022 Immunefi disclosure was a pre-exploit white-hat report; no user funds lost. Not counted as a separate exploit incident.
- Source: hacksdatabase `wormhole-rekt.md`; Halborn post-mortem; Immunefi write-up.
- Light: yellow (1 exploit; not zero, but below the chronic threshold of ≥3)
RD-F-078 gray Chronic-exploit flag (≥3 incidents)
- Finding: FALSE. Only 1 confirmed exploit across 56 months live. Does not meet the ≥3 threshold.
- Light: green
RD-F-079 gray Same-root-cause repeat exploit
- Finding: FALSE. The Feb 2022 exploit (Solana sysvar account confusion) has not recurred. The Feb 2022 Immunefi white-hat disclosure (uninitialized EVM proxy) is a different root-cause class (proxy initialization, not sysvar validation). No repeat of either root cause found.
- Light: green
RD-F-080 gray Days since last exploit
- Finding: ~1,544 days (Feb 2, 2022 to April 26, 2026). No exploit in approximately 48 months.
- Light: green
RD-F-081 gray Post-exploit response score
- Finding: Score 3/5. Breakdown:
  - Compensation: 5/5 — Jump Trading replenished the full 120,000 ETH within ~19 hours. This is the fastest and largest emergency backstop in DeFi bridge history. No user lost funds.
  - Transparency (post-mortem quality): 1/5 — No official first-party post-mortem was published by Wormhole, Certus One, or Jump on wormhole.com or GitHub in a timely manner. Third-party analyses exist (Halborn, Chainalysis, Extropy.IO, CertiK, Merkle Science, Kudelski). A Solana team...
RD-F-082 gray Post-mortem published within 30 days
- Finding: PARTIAL. No confirmed official Wormhole first-party post-mortem published within 30 days of Feb 2, 2022 has been located. Third-party analyses (Halborn, Chainalysis, etc.) appeared within days. A Solana ecosystem post-mortem was referenced for Feb 8, 2022. Wormhole's own documentation of the incident (if any) has not been surfaced via search or wormhole.com/blog. Scored as NO for the purpose of this factor given inability to confirm a first-party document.
- Source: Web search for ...
RD-F-083 gray Auditor re-engaged after last exploit
- Finding: TRUE — extensively. Post-exploit audit engagements from the profile §8:
  - Neodyme (Jan 2022, pre-exploit; July 2022 post-exploit window), Kudelski Security (Jul and Aug 2022), Trail of Bits (Sep 2022, Apr 2023 follow-on), CertiK (Mar 2023), Runtime Verification (May 2023 — formal verification), OtterSec (multiple from 2022–2025), Zellic (Nov 2022), Cyfrin (multiple 2024), Cantina (Apr 2024), Code4rena (Jul 2024), Sherlock (Mar 2025). 29 total third-party engagements across 4 years ...
RD-F-084 gray TVL stability (CoV over 90d)
- Finding: Not calculable directly — DefiLlama TVL for slug `wormhole` returns null; `portal` slug shows $4.3M current with a declining trend. TVL collapsed from ~$25M (Nov 2023) to $4.3M (early 2025). Over the trailing 90 days, TVL for Portal is low and relatively flat at depressed levels. Coefficient of variation likely high (TVL is at a historic low after a long decline). The messaging layer's value-in-flight is not captured in TVL and is orders of magnitude higher, but is not measurable h...
RD-F-085 gray Incident response time (minutes)
- Finding: Approximately 6h 35m from first exploit transaction (Feb 2, 2022, 18:26 UTC) to vulnerability patch deployed (Feb 3, 2022, 00:33 UTC per official Wormhole Twitter). This is 395 minutes. First official team acknowledgment (Twitter post) was within hours of exploit detection. The bridge was offline during this window (not resumed until 13:08 UTC Feb 3), which represents ~18.5 hours downtime. Response time of ~395 minutes to patch deployment is reasonable for a $320M exploit affecting...
RD-F-086 gray Pause activations (trailing 12 months)
- Finding: The bridge was taken offline following the Feb 2022 exploit (downtime ~18.5 hours). No other confirmed pause events in the trailing 12 months (Apr 2025–Apr 2026) were found via web search. The protocol does not appear to have a traditional on-chain pause mechanism in the OZ Pausable sense — guardian disconnection is the functional equivalent for cross-chain messaging. Scroll deprecation (Apr 21, 2026) involved guardian disconnection but was a planned lifecycle action, not an emerge...
RD-F-087 gray Pause > 7 consecutive days
- Finding: No confirmed pause exceeding 7 consecutive days in the trailing 12 months. The Feb 2022 pause lasted ~18.5 hours.
- Light: green
RD-F-088 gray Re-deployed to new addresses in last year
- Finding: Core Bridge, Token Bridge, and NFT Bridge addresses on Ethereum (profiled in §3) appear stable — same proxy addresses since deployment. New contracts were deployed for NTT (Native Token Transfers), MultiGov, Settlement, and Swap Layer — all as new product additions, not replacements of existing contract sets. No evidence of a full address-set migration in the last 12 months.
- Source: Profile §3; wormhole.com/docs/products/reference/contract-addresses/
- Light: green
RD-F-089 gray Insurance coverage active
- Finding: No active coverage on Nexus Mutual, Sherlock, or Unslashed specifically for Wormhole was confirmed by web search. The Immunefi bug bounty is not insurance. Wormhole has no documented self-insurance fund disclosed post-Jump backstop (Jump Crypto stepped in voluntarily in 2022 but is not contractually committed to future backstops, especially given the Jan 2023 Jump/Wormhole spin-out). Insurance coverage: NOT CONFIRMED.
- Light: yellow
RD-F-166 gray Deprecated contracts still holding value
- Finding: PARTIAL RISK. Eleven chains have been deprecated (Terra Classic, Terra phoenix-1, Oasis, Karura, Acala, XPLA, Fantom, X Layer, Mantle, Aurora, Scroll). All deprecations were announced with migration windows (grace periods ranging from weeks to several months). However:
  1. The Scroll deprecation (April 21, 2026) cited "security considerations" — the specific security concern was not disclosed publicly. The migration window was extremely short (unknown start date; deadline 5 days before t...
Real-time signals Green 4 22 of 22
RD-F-098 yellow TVL anomaly — % drop in <1h Partially — Portal bridge TVL trackable under `portal` slug; messaging-layer value-in-flight not captured | Portal TVL ~$4.3M; a drop from $4.3M to $3M would not indicate an exploit of messaging infrastructure; threshold X% is meaningless without messaging-layer monitoring; slug mismatch creates monitoring blind spot | No — methodology gap; signal miscalibrated for pure messaging bridge
RD-F-106 yellow Cross-chain bridge unverified mint pattern Yes — this is THE canonical Wormhole attack vector; Feb 2022 exploit was exactly this pattern (120,000 wETH minted on Solana without valid ETH lock on Ethereum) | No current unverified-mint events identified; Guardian signing requirement (13/19) is the defense against this; signal requires cross-chain indexer monitoring | No current firing; signal is highest-priority for Wormhole-class bridge monitoring
RD-F-090 gray Mixer withdrawal → protocol interaction Yes | 2022 attacker pre-funded from Tornado Cash (historical); no current fresh mixer→protocol interaction identified in public sources | No (historical; Tier-C advisory only)
RD-F-091 gray Partial-drain test transactions Yes — bridge class has pre-drain test-tx patterns documented | No small-value anomalous drain patterns identified in public sources; Portal TVL (~$4.3M) is too small for this to be meaningful as a pre-drain signal | No
RD-F-092 gray Unusual mempool pattern from deployer wallet Partially — deployer address unknown (pipeline gap); cannot assess | Unknown; deployer wallet not extracted | Cannot assess
RD-F-096 gray New ERC-20 approval to unverified contract from whale Limited — Wormhole is a bridge, not a lending protocol; this signal is more relevant for whale depositors in lending markets | Not applicable to core bridge path; Portal bridge users grant approvals but Portal TVL is ~$4.3M | N/A
RD-F-107 gray Admin EOA signing from new geography/device Yes — Guardian node operators have signing keys; a key compromise with unusual geography would indicate insider threat | Off-chain; requires guardian node telemetry; no public visibility into guardian signing geography | Cannot assess — off-chain, requires guardian operator cooperation
RD-F-093 green Abnormal gas-price willingness from attacker wallet Yes | No attacker wallet with ≥5× EMA gas spending identified on Wormhole contracts in public sources | No
RD-F-094 green New contract with similar bytecode to exploit template Yes — bridge exploit contracts are a known attack vector | No contract deployments with bytecode similarity to Wormhole Core Bridge exploitation templates identified in public sources | No
RD-F-095 green Known-exploit function-selector replay Yes — signature verification bypass is the historical vector; selector patterns from Feb 2022 exploit are known | No replay of the 2022 exploit selector pattern identified; Wormhole has patched the `load_instruction_at` vulnerability | No
RD-F-097 green Sybil surge of identical-pattern transactions Yes — could indicate a reconnaissance probe | No sybil surge patterns identified in public sources | No
RD-F-099 green Oracle price deviation >X% from secondary Limited — Chainlink feeds in data cache are Portal UI / peripheral contracts; Core Bridge does not use oracles in VAA verification path | Core Bridge trust is entirely guardian-based; oracle deviation is irrelevant to message validity; 19 Chainlink feed addresses in cache are from Portal UI layer | No — inapplicable to core security path
RD-F-100 green Flash loan >$10M targeting protocol tokens Low — W token governance requires locked stake; Core Bridge has no flash-loanable governance path | No flash-loan interactions with Wormhole Core Bridge identified; W token DAO uses staked-vote weighting (non-flash-loanable) | No
RD-F-101 green Large governance proposal queued Yes — W token Tally governance is active; Guardian governance VAAs are a separate channel | WIP-1 and WIP-2 passed cleanly (May 2025); strategic W token reserve proposal (Blockworks, 2025); no flagged-pattern proposals (admin-role change, delegatecall, fresh-wallet proposer) identified | No
RD-F-102 green Admin/upgrade transaction in mempool Yes — EIP-1967 proxies on Ethereum Core Bridge, Token Bridge, NFT Bridge; Solana programs are upgradeable | No unscheduled admin/upgrade mempool transactions identified; implementation addresses stable per Etherscan records | No
RD-F-103 green Bridge signer-set change proposed/executed Yes — most directly applicable signal; Guardian set is the security primitive | Guardian set stable at 19 / 13-of-19 threshold per public dashboard; no signer rotation events in trailing 90 days; Jump Crypto guardian status post-2023 separation requires on-chain verification | No — posture appears stable; signal wired and applicable; would fire Tier-A instantly if unscheduled rotation detected
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Limited — Core Bridge is not stablecoin-dependent; Portal handles token transfers | No active stablecoin depeg; USDC/USDT within normal ranges | No
RD-F-105 green DNS/CDN/frontend hash drift Yes — wormhole.com, portal.wormhole.com are active frontends; multiple frontend surfaces | No DNS/frontend compromise identified in public sources as of April 2026 | No — currently clean; requires external monitoring stack to wire
RD-F-108 green GitHub force-push to sensitive branch Yes — wormhole-foundation/wormhole repo (last commit 2026-04-24) | No force-push events to main/production branches identified; repo shows normal commit cadence; `security_md_present: true` in data cache | No
RD-F-109 green Social-media impersonation scam spike Yes — wormhole.com is a target for phishing; X account @wormhole is official | No active scam-spike campaign identified in public sources | No
RD-F-110 green Unusual pending/executed proposal ratio Yes — W token Tally governance is active | Tally governance shows foundational proposals (WIP-1, WIP-2); ratio appears normal for an early-stage governance system | No
RD-F-182 green Security-Council threshold reduction (RT) Security-Council threshold reduction signal (batch-24): Guardian threshold at 13/19 (68.4%) — stable. Not firing. Directly applicable given Drift Protocol April 2026 precedent (3/5 SC threshold reduction + timelock removal, 6 days before $285M DPRK exploit).
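RD-F-106 above calls the unverified-mint pattern the highest-priority signal for a Wormhole-class bridge and notes that it needs cross-chain indexer monitoring. The following is an added example of that reconciliation logic, not code from Wormhole or from its monitoring stack: it joins destination-side mints to source-side locks on the `(emitter_chain, emitter_address, sequence)` key that the VAA docs describe, and flags a mint with no matching lock, a mint larger than its lock, and a second mint for an already-redeemed key. Every event, chain id, address and amount here is a constructed placeholder.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Lock:
    """Source-chain deposit as an indexer would record it (constructed sample schema)."""
    emitter_chain: int
    emitter_address: str
    sequence: int
    token: str
    amount: int


@dataclass(frozen=True)
class Mint:
    """Destination-chain wrapped-asset mint (or unlock) that claims to redeem a source lock."""
    emitter_chain: int
    emitter_address: str
    sequence: int
    token: str
    amount: int
    tx: str


# Constructed sample data: chain id 2 and "0xbridge" are placeholders, not real Wormhole values.
LOCKS = [
    Lock(2, "0xbridge", 100, "ETH", 10_000),
    Lock(2, "0xbridge", 101, "ETH", 2_500),
    Lock(2, "0xbridge", 102, "USDC", 500_000),
]
MINTS = [
    Mint(2, "0xbridge", 100, "ETH", 10_000, "0xmint-a"),   # clean: matches lock 100 exactly
    Mint(2, "0xbridge", 101, "ETH", 9_000, "0xmint-b"),    # more than was locked under sequence 101
    Mint(2, "0xbridge", 100, "ETH", 10_000, "0xmint-c"),   # second redemption of sequence 100: replay
    Mint(2, "0xbridge", 999, "ETH", 120_000, "0xmint-d"),  # no source lock at all: unverified mint
]


def reconcile(locks: List[Lock], mints: List[Mint]) -> List[Tuple[str, str, str]]:
    """Return (alert_kind, mint_tx, detail) for every mint that is not backed 1:1 by a lock.

    The join key is the VAA's unique index (emitter_chain, emitter_address, sequence), so a
    mint is only considered backed when a lock with exactly that index exists and covers it.
    """
    by_key = {(l.emitter_chain, l.emitter_address, l.sequence): l for l in locks}
    seen: Counter = Counter()
    alerts: List[Tuple[str, str, str]] = []
    for m in mints:
        key = (m.emitter_chain, m.emitter_address, m.sequence)
        seen[key] += 1
        lock = by_key.get(key)
        if lock is None:
            alerts.append(("UNVERIFIED_MINT", m.tx, f"no source lock for {key}"))
            continue
        if m.token != lock.token or m.amount > lock.amount:
            alerts.append(("MINT_EXCEEDS_LOCK", m.tx,
                           f"{m.amount} {m.token} minted vs {lock.amount} {lock.token} locked"))
        if seen[key] > 1:
            alerts.append(("REPLAYED_MINT", m.tx, f"sequence {m.sequence} already redeemed"))
    return alerts


if __name__ == "__main__":
    for kind, tx, detail in reconcile(LOCKS, MINTS):
        print(f"{kind:18} {tx:10} {detail}")
```

In a live deployment the two event streams come from separate chain indexers and arrive out of order, so the practical version keeps locks in a store and re-evaluates unmatched mints after a short grace window before firing; the three alert kinds above are the ones worth wiring at Tier-A severity.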
Dev identity & insider risk Gray 0 16 of 16
RD-F-111 gray Team doxx status Team doxx status | Wormhole Labs C-suite (CEO/CTO/COO) are fully doxxed real-name individuals with prior employer trails. Wormhole Foundation CCO (Robinson Burkey) is doxxed. Original founder (Hendrik Hofstadt) is doxxed. Guardian entities are all named institutional companies — none anonymous. | LinkedIn profiles, IQ.wiki, conference speaker pages, CoinDesk reporting on Certus One acquisition. Source: https://www.linkedin.com/in/robinsonburkey/, https://iq.wiki/wiki/saeed-badreg, https://iq....
RD-F-112 gray Team public accountability surface Team's public accountability surface | Each named team lead has multiple verifiable public trails: LinkedIn history, conference talks, prior employers (Jump, Twitch, Box, DoorDash, Acala), press coverage. OSINT depth score: 4–5/5 per named individual. | Sources above + Disruption Banking, CoinDesk, Blockworks reporting | Green
RD-F-113 gray Team other-protocol involvement history Team members' other protocol involvement history | All named team members previously at Jump Crypto / Certus One — large, professionally-run organizations. No prior rug or exit-scam association found. Jump Crypto's regulatory issues (CFTC probe, regulatory scrutiny 2024) are separate from any protocol-level fraud pattern. | https://www.coindesk.com/markets/2021/08/03/berlin-based-staking-startup-certus-one-acquired-by-jump-trading, https://blockworks.co/news/wormhole-jump-trading-separate | Green
RD-F-114 gray Deployer address prior on-chain history Deployer address prior on-chain history | Deployer `0x5B3899809Ae2c87FdA11280b7c61C06A5F4db1de` was funded by Binance 14 and used exclusively for Wormhole contract deployments and initialization. No prior rug history, no prior protocol deployment with adverse outcome. Category: normal-dev-history. | Etherscan label; Codeslaw deployer attribution; tx history shows only Wormhole contract interactions | Green
RD-F-115 gray Prior rug/exit-scam affiliation Prior rug / exit-scam affiliations | No team member found linked to a prior rug or exit-scam protocol. Jump Crypto's broader regulatory issues do not constitute a prior rug by DeFi-protocol standards. | OSINT search: no adverse finding | Green
RD-F-116 gray Contributor tenure at admin-permissioned PR Contributor tenure at time of admin-permissioned PR | Wormhole-foundation GitHub org shows active long-tenure contributors; protocol is 56 months old with continuous development. Most recent admin-permissioned changes appear to be executed by identifiable, long-term contributors (not fresh or anonymous accounts). Exact tenure of the author of the most recent admin-permissioned PR not individually verified at this analysis tier. | https://github.com/wormhole-foundation/wormhole (last commit 2026-04-24...
RD-F-117 gray ENS/NameStone identity bound to deployer ENS / NameStone identity bound to deployer | No ENS name found for deployer `0x5B3899809Ae2c87FdA11280b7c61C06A5F4db1de` on Etherscan; address is labeled by Etherscan as "Deployer address for Wormhole", which is a platform-assigned tag, not an ENS/NameStone self-binding. Factor is an informational absence, not a red flag for an institutional deployer operating organizationally. | Etherscan label check | Gray
RD-F-118 gray Handle reuse across failed/rugged projects Handle reuse across failed/rugged projects | No social handle (Twitter, Discord, GitHub) for any Wormhole team member found re-used from a prior rugged project. Certus One brand was clean on acquisition. | OSINT search; no adverse finding | Green
RD-F-119 gray Commit timezone consistent with stated geography Repo commit times consistent with stated geography | Wormhole-foundation/wormhole GitHub org shows commits from contributors across US, Europe, Argentina (xLabs), matching stated geographies. Commit time distribution not individually analyzed (requires API call beyond scope), but public contributor list matches stated geographic footprint. DPRK-implant flag: no anomalous timezone cluster observed in public contributor list. | https://github.com/wormhole-foundation/wormhole | Green
RD-F-120 gray Video-off/voice-consistency flag Video-off / voice-consistency flag in public interviews | Multiple team members have public video appearances: Robinson Burkey has conference talks (Proof of Talk Summit, Web Summit) and YouTube appearances. Saeed Badreg and Tony Jin are public in press. No pattern of video refusal. | https://www.proofoftalk.io/speakers/robinson-burkey, https://www.youtube.com/watch?v=kvfzvXVf9jc | Green
RD-F-121 gray Contributor OSINT depth score Contributor OSINT depth score | Named leads score 4–5/5: LinkedIn with multi-year history, prior employers, conference presence, press citations. Guardian organizations score 4/5: all institutional, most have public websites and leadership. Aggregate: above-average accountability surface for a DeFi protocol. | LinkedIn profiles, conference pages, IQ.wiki | Green
RD-F-122 gray Contributor paid to DPRK-cluster wallet Contributor paid to wallet routing to known DPRK cluster | No evidence of a protocol contributor payment wallet routing to a DPRK-labeled cluster. Team compensation was institutional (Jump payroll pre-2023; Wormhole Labs post-2023). No contributor wallet individually attributed and traced. | No adverse finding in available OSINT | Green
RD-F-123 gray Sudden admin-rescue/ACL change without discussion Sudden admin-rescue / ACL change absent issue/PR discussion | Wormhole's upgrade path requires 13/19 guardian supermajority via governance VAA — structurally resistant to single-actor admin override. No confirmed instance of an admin-rescue or ACL change executed without preceding discussion in the 180-day window was found. The "one key Wormchain" bug (Jan 2024) was a code vulnerability disclosed responsibly and patched within 48 hours — it was not an admin ACL change. No governance VAA chang...
RD-F-124 gray Deployer wallet mixer-funded within 30 days Deployer wallet mixer-funded within 30 days of deploy | Deployer `0x5B3899809Ae2c87FdA11280b7c61C06A5F4db1de` funded by Binance 14 (CEX) approximately on 2021-08-04, the same date as first deploy (Core Bridge deployed 2021-08-04). No Tornado Cash, Railgun, or mixer interaction detected in Etherscan history. 30-day window pre-deploy is clean. | Etherscan: funded by "Binance 14"; tx hash `0xaca498d400f2737160729f8a1f10c3007b218c9c0d6b328f05c9a75658788cb3` | Green
RD-F-125 gray Deployer linked within 3 hops to DPRK/Lazarus Deployer address linked within 3 hops to DPRK/Lazarus cluster | No DPRK/Lazarus cluster link found for deployer or any named team member. The 2022 hack attacker is DPRK-attributed, but that is an external attacker who exploited the protocol — not a developer or contributor. No contributor wallet is known to have funding from or payment to DPRK-labeled addresses. OFAC SDN: no team member or guardian is listed. Chainalysis Lazarus cluster: not linked to any Wormhole-side address. | https://www.c...
RD-F-184 gray Real-capital social-engineering persona Real-capital social-engineering persona (>=$1M deposits) | No curator-flagged persona with >=$1M attributed real-capital deposits used to build credibility ahead of a social-engineering attack on Wormhole has been identified. The UNC4736 / Drift Protocol incident pattern (batch-24 reference) involved a different protocol; no analogous pattern detected at Wormhole. Relevant context: Wormhole had significant public community engagement but no identified malicious insider persona with capital-...
Fork / dependency lineage Yellow 22 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions `ethereum/package.json` uses `"@openzeppelin/contracts": "^4.3.1"` (caret = unpinned minor/patch). This is a range specifier, not an exact pin. The `^` notation allows automatic updates to OZ within the 4.x major series. For production smart contract code, unpinned ranges carry supply-chain risk: a compromised OZ 4.x.y release could be pulled automatically. However, OZ is a well-maintained library with its own security practices and the version range does not span known-vulnerable OZ versions...
RD-F-135 yellow Shared-library version with known-vuln status OZ 4.3.1+ (the floor of the `^4.3.1` range). OpenZeppelin 4.x has had various CVEs and advisories (e.g., GovernorCompatibilityBravo re-entrancy in 4.3.0 — below the floor; ERC777 cross-function re-entrancy in 4.3.x). The `^4.3.1` range potentially includes affected sub-versions depending on lock file. The Wormhole EVM contracts primarily use ERC1967Upgrade, ReentrancyGuard, SafeERC20, and IERC20 from OZ — components that have historically been stable. No current critical CVE affecting these s...
RD-F-126 n/a Is-a-fork-of Wormhole is NOT a fork. It is an original implementation created as a Solana-Ethereum bridge collaboration between Certus One and Solana Foundation, announced October 8, 2020. GitHub history and README confirm original authorship. No fork declaration, no bytecode-similarity match to a prior protocol.
RD-F-127 n/a Upstream patch not merged Not applicable — no upstream protocol from which Wormhole forked.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not applicable — no upstream fork relationship.
RD-F-129 n/a Code divergence from upstream (%) Not applicable — no upstream fork. Wormhole itself is the originating protocol.
RD-F-130 n/a Fork depth (generations from original audit) 0 — Wormhole is an original protocol, not derived from any prior audited protocol.
RD-F-131 n/a Fork retains upstream audit coverage N/A — original implementation. All audits are first-party (commissioning auditor of the original code).
RD-F-132 n/a Fork has different economic parameters than upstream N/A — not a fork. No upstream audited-defaults divergence possible.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release advisory affecting `@openzeppelin/contracts` 4.x or any other Wormhole npm/cargo/pip dependency has been flagged in the trailing 90 days (as of 2026-04-26). No GitHub security advisory for OZ 4.x malicious release found.
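RD-F-133 flags `^4.3.1` as a range rather than a pin, and RD-F-135 notes that what actually installs depends on the lock file. As an added example (not Wormhole's tooling), the script below classifies every dependency specifier in a package.json by how far it can float, and for npm lockfiles (lockfileVersion 2 or 3) lists entries that carry no `integrity` hash, since an integrity-pinned lockfile is what stops a caret range from pulling an unexpected tarball. The manifest and lockfile are constructed samples that mirror the finding, not the real `ethereum/package.json`.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed samples that mirror the finding; not the real ethereum/package.json or its lockfile.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-bridge-contracts",
  "dependencies": {
    "@openzeppelin/contracts": "^4.3.1",
    "ethers": "5.7.2",
    "solc": "~0.8.4",
    "left-pad": "*"
  },
  "devDependencies": {
    "hardhat": ">=2.0.0",
    "mocha": "10.2.0"
  }
}"""

SAMPLE_PACKAGE_LOCK = """{
  "name": "example-bridge-contracts",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-bridge-contracts"},
    "node_modules/@openzeppelin/contracts": {
      "version": "4.9.3",
      "resolved": "https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.9.3.tgz",
      "integrity": "sha512-PLACEHOLDER"
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    }
  }
}"""

EXACT_VERSION = re.compile(r"^=?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def classify_specifier(spec: str) -> str:
    """'pinned' for an exact semver; otherwise the kind of floating range in use."""
    s = spec.strip()
    if EXACT_VERSION.match(s):
        return "pinned"
    if s.startswith("^"):
        return "caret"       # floats minor and patch within the major (the `^4.3.1` case)
    if s.startswith("~"):
        return "tilde"       # floats patch within the minor
    if s in ("", "*", "latest") or s.lower().startswith("x") or ".x" in s.lower():
        return "wildcard"
    if s[0] in "<>" or " - " in s or "||" in s:
        return "range"
    if s.startswith(("git", "http", "file:", "github:", "npm:", "link:")):
        return "url"
    return "other"


def find_unpinned(package_json_text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each non-pinned dependency to (section, specifier, kind)."""
    manifest = json.loads(package_json_text)
    findings: Dict[str, Tuple[str, str, str]] = {}
    for section in DEP_SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            kind = classify_specifier(spec)
            if kind != "pinned":
                findings[name] = (section, spec, kind)
    return findings


def lockfile_integrity_gaps(package_lock_text: str) -> List[str]:
    """Locked packages (npm lockfileVersion 2/3 `packages` map) that carry no integrity hash."""
    lock = json.loads(package_lock_text)
    gaps: List[str] = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":           # the root project entry never has an integrity field
            continue
        if not meta.get("integrity"):
            gaps.append(path)
    return gaps


if __name__ == "__main__":
    for name, (section, spec, kind) in find_unpinned(SAMPLE_PACKAGE_JSON).items():
        print(f"{section}: {name} {spec!r} -> {kind}")
    print("lockfile entries without integrity:", lockfile_integrity_gaps(SAMPLE_PACKAGE_LOCK))
```

Run it over the real manifest and lockfile with `json.load(open(path))` in place of the sample strings; a caret range is only a live risk when the lockfile is absent from the repository, lacks integrity hashes, or CI installs with something other than `npm ci`.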
Post-deploy hygiene & change mgmt Gray 0 13 of 13
RD-F-136 gray Deployed bytecode matches signed release tag Deployed bytecode matches signed release-tag commit | Core Bridge last deployment September 2022; the GitHub repo shows last commit 2026-04-24 but the deployed implementation has not changed since Sept 2022. No git tag-to-bytecode verification could be confirmed programmatically (foundry_toml_present: false in data cache limits automation). Manual audit chain between GitHub main and deployed impl cannot be confirmed without build artifact. | Data cache (foundry_toml: false); Etherscan impl ad...
RD-F-137 gray Upgrade frequency (per 90 days) Upgrade frequency (upgrades per 90d) | Core Bridge: 0 upgrades in the last 90 days (last upgrade September 12, 2022 — 43+ months ago). Token Bridge: no upgrade events found in last 90 days from available sources. NTT contracts: NTT v3 audits (OtterSec April 2025, May 2025) suggest NTT may have recent deployments but separate from Core Bridge. | Etherscan Upgraded events (Core Bridge: 3 total since 2021, last Sept 2022); Profile §8 audit table | green
RD-F-138 gray Hot-patch deploys without timelock (last 30 days) Hot-patch deploys without timelock (last 30d) | No Core Bridge upgrades in last 30 days (zero `Upgraded` events since September 2022). For NTT/MultiGov peripheral contracts, full upgrade event history not available from public sources within time budget. | Etherscan events; Profile §3 | green
RD-F-139 gray Post-audit code changes without re-audit Post-audit code changes deployed without re-audit | Core Bridge: last upgrade September 2022; Trail of Bits (Sept 2022) and CertiK (March 2023) audits cover this period. No post-September-2022 Core Bridge upgrade without corresponding audit. NTT, MultiGov, Settlement: each major version received dedicated audits prior to deployment (extensive audit table confirms). For NTT v3 specifically: OtterSec audits April 2025 and May 2025. MultiGov v2: Cyfrin Feb 2025. Pattern of re-auditing before maj...
RD-F-140 gray Fix-merged-but-not-deployed gap Fix-merged-but-not-deployed gap | The 2022 Immunefi $10M payout bug (uninitialized proxy) was fixed and deployed. No current public evidence of a fix merged in GitHub but not deployed. GitHub issue #1930 "Remove `initialize()` undefined behaviour" exists but status not confirmed. | Immunefi bugfix review; GitHub issue #1930 link in search results (remove initialize undefined behavior) | gray
RD-F-141 gray Test-mode parameters in deploy Test-mode parameters left on in deploy | No admin = deployer, no test oracle found on Core Bridge. Guardian-based admin was active from day one. NTT contracts: not assessed (separate codebase). | Profile; Governance.sol analysis | green
RD-F-142 gray Storage-layout collision risk across upgrades Storage-layout collision risk across upgrades | Core Bridge has only had 3 implementation versions since 2021 (Aug 2021, Jul 2022, Sept 2022). Wormhole uses a custom Setup pattern rather than OZ Initializable v5, which has a distinct storage model. Trail of Bits 2022 audit covered storage layout. No public OZ Upgrades plugin output available. Risk exists but no evidence of a known collision. | Etherscan Upgraded events; Immunefi bugfix review (storage discussion); Profile §8 | gray
RD-F-143 gray Reinitializable implementation (no _disableInitializers) Reinitializable implementation (no `_disableInitializers()`) | Core Bridge implementation `0x3c3d457f1522d3540ab3325aa5f1864e34cba9d0` does NOT call `_disableInitializers()` in its constructor (confirmed via `Implementation.sol` GitHub source). Instead, it uses a custom `initializer` modifier checking `isInitialized(implementation)`. This pattern was the subject of the 2022 $10M Immunefi bounty (uninitialized proxy vulnerability — an attacker was able to call initialize() on a prior implement...
RD-F-144 gray CREATE2 factory permits same-address redeploy CREATE2 factory permits redeploy to same address | Wormhole uses the BeaconProxy pattern for wrapped tokens (found in Bridge.sol). No evidence of CREATE2 misuse for core contracts. This is a peripheral risk on wrapped token contracts, not the Core Bridge itself. | Bridge.sol analysis (BeaconProxy mention); Profile §3 | gray
RD-F-145 gray Deployed bytecode reproducibility Deployed bytecode reproducibility | Foundry/Hardhat config not found at repo root (data cache: foundry_toml: false, hardhat_config_present: false). Profile notes these likely exist in subdirectories (`/ethereum/`). Reproducible build infrastructure likely present but not confirmed from root-level scan. | Data cache; Profile §11 flag for code-security-analyst | gray
RD-F-146 gray New contract deploys in last 30 days New deploys in last 30 days (fresh attack surface) | NTT v3 (OtterSec audit April 18, 2025; OtterSec audit May 5, 2025) suggests recent NTT v3 deployment activity. MultiGov went live Q1 2025. Core Bridge: no new deploys. The peripheral contract surface has expanded significantly in 2024-2025. | Profile §8 (OtterSec NTT v3 April/May 2025 audits); Search results (MultiGov live Q1 2025) | yellow
RD-F-168 gray Stale-approval exposure on deprecated router Stale user approvals on deprecated router | Multiple chains deprecated (Terra, Oasis, Aurora, Acala, Karura, Xpla). User approvals to deprecated Portal Token Bridge contracts on these chains are no longer usable but may persist on-chain. Allowance scan not performed (requires chain-level enumeration across 6+ deprecated chains). | Profile (deprecation list); Wormhole network updates blog | gray
RD-F-185 gray Bridge rate-limiter / chain-pause as positive mitigant Bridge rate-limiter / chain-pause as positive mitigant | NTT framework implements configurable per-window outflow rate limiters (24-hour default window, per-chain configurable limits, queueing when limit exceeded). A `pauser` role exists in NTT deployments. Core Bridge (VAA-based messaging) does NOT have a rate limiter — messages are relayed one-by-one with no outflow cap. The positive mitigant applies only to NTT integrations, not the Core Bridge itself. For protocols using NTT (including W ...
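RD-F-185 describes the NTT outbound rate limiter: a 24-hour window, per-chain configurable limits, queueing when the limit is exceeded, and a `pauser` role. The class below is an added Python model of that mechanism, not NTT's own Solidity. Two details are assumptions made for the model rather than facts taken from the page: capacity refills linearly over the window, and a queued transfer becomes releasable one full window after it was queued without consuming capacity. All amounts and timestamps are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

DAY = 24 * 60 * 60  # the 24-hour default window from the finding, in seconds


@dataclass
class QueuedTransfer:
    release_at: int    # unix seconds at which the transfer may be completed
    amount: int
    recipient: str


@dataclass
class OutboundRateLimiter:
    """Per-chain outflow limiter: each send drains capacity, which refills over the window."""
    limit: int                         # maximum amount allowed to leave within one window
    window: int = DAY                  # window length in seconds
    capacity: Optional[int] = None     # currently available capacity (starts full)
    last_update: int = 0               # timestamp of the last capacity change
    paused: bool = False               # flipped by the `pauser` role
    queue: List[QueuedTransfer] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.capacity is None:
            self.capacity = self.limit

    def current_capacity(self, now: int) -> int:
        """Capacity at `now`: what was left, plus a linear refill (assumption) capped at the limit."""
        elapsed = max(0, now - self.last_update)
        refill = self.limit * elapsed // self.window
        return min(self.limit, self.capacity + refill)

    def request(self, amount: int, recipient: str, now: int, queue_if_limited: bool = True) -> str:
        """Try to send `amount`; within capacity it goes now, otherwise it is queued or rejected."""
        if self.paused:
            return "rejected:paused"
        available = self.current_capacity(now)
        if amount <= available:
            self.capacity = available - amount
            self.last_update = now
            return "sent"
        if queue_if_limited:
            self.queue.append(QueuedTransfer(now + self.window, amount, recipient))
            return "queued"
        return "rejected:rate_limited"

    def release_due(self, now: int) -> List[QueuedTransfer]:
        """Queued transfers whose window has elapsed (assumption: they do not consume capacity)."""
        due = [q for q in self.queue if q.release_at <= now]
        self.queue = [q for q in self.queue if q.release_at > now]
        return due


if __name__ == "__main__":
    rl = OutboundRateLimiter(limit=1_000)
    print(rl.request(600, "alice", now=0))        # sent
    print(rl.request(600, "bob", now=0))          # queued: only 400 of capacity left
    print(rl.current_capacity(43_200))            # half a window later: 400 + 500 refill
    print(len(rl.release_due(86_400)))            # bob's transfer is now releasable
```

The design point is that the window bounds the loss from a compromised signer or a minting bug to roughly one `limit` per chain per day, and queueing (rather than reverting) gives operators a full window in which the `pauser` can act on anything anomalous sitting in the queue.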
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 gray Protocol has bridge surface Protocol uses a cross-chain bridge | YES — Wormhole IS the cross-chain bridge. Core Bridge deployed on 35+ chains. Token Bridge, NFT Bridge, NTT, Settlement, and CCTP integration are all bridge-surface products. | Profile §7; wormhole.com/docs/products/reference/contract-addresses/ | GREEN (gating factor met) RD-F-148 gray Bridge validator count (M) Bridge validator count (M) | 19 Guardian nodes. This is a relatively low count for a bridge securing $54B in cumulative message volume (though Portal locked TVL is currently $4.3M). 19 is above the 13-of-19 quorum. Validator diversity is distributed across major validator companies (Chorus One, Figment, Jump Crypto, Certus One, Everstake, Staked, P2P Validator, etc.). | Profile §6 guardian list; wormhole.com/docs/protocol/infrastructure/guardians/ | YELLOW (count of 19 is not extremely high; ... RD-F-149 gray Bridge validator threshold (k-of-M) Bridge validator threshold (k-of-M) | 13-of-19 (68.4% supermajority). This is above the 2/3 floor. Compromising 13 of 19 geographically distributed, operationally independent validator companies would require an extraordinary multi-org attack. The Jan 2024 expired guardian set key vulnerability demonstrated that a theoretical bypass to 1-key was possible on Wormchain — that specific bug was patched within 48 hours (reward: $50K USDC). No current evidence of threshold-below-quorum vulnerabilit... RD-F-150 gray Bridge validator co-hosting Bridge validator co-hosting (same ASN / datacenter) | 19 guardian organizations span multiple continents and operator types (Chorus One, Figment, Jump Crypto, Certus One, Everstake, Staked, P2P, Triton.one, etc.). Full ASN / datacenter overlap analysis would require OSINT not possible in this session. Profile does not flag any co-hosting concern. General posture appears distributed — these are established validator companies with separate infrastructure. Cannot confirm definitively without AS... 
RD-F-151 gray Bridge ecrecover checks result ≠ address(0) Bridge signature verification checks ecrecover ≠ address(0) | GREEN — EVM Core Bridge (Messages.sol): `require(signatory != address(0), "ecrecover failed with signature")` with explicit inline documentation. This check is present, correct, and directly addresses the RD-F-151 pattern. The 2022 Wormhole hack was a Solana sysvar account confusion exploit (the deprecated `load_instruction_at` did not verify that the account handed to it was the real Instructions sysvar, so a forged account could vouch for a secp256k1 signature check that never ran), NOT an EVM ecrecover zero-check failure. The Solana exploit was patched on 2022-02-03. Taxonomy labels this...
RD-F-152 gray Bridge binds message to srcChainId Bridge binds message to srcChainId | YES — VAA body structure includes `emitter_chain` (u16) identifying the originating chain. This is part of the double-hashed body that all guardians sign. Per-chain separation enforced by the VAA's unique index `(emitter_chain, emitter_address, sequence)`. | VAA docs: wormhole.com/docs/protocol/infrastructure/vaas/ — emitter_chain u16 field | GREEN
RD-F-153 gray Bridge tracks nonce-consumed mapping Bridge tracks nonce-consumed mapping | YES — Implemented differently per chain, but replay protection is present across the architecture. On Ethereum, Token Bridge maintains a `completedTransfers` mapping of processed VAA hashes; any attempt to replay a VAA hash is rejected. On Solana, `Claim` PDA accounts are created at `["Claim", emitter, sequence]`, ensuring each `(emitter_address, emitter_chain, sequence)` tuple can only be processed once. The Core Bridge delegates nonce/replay responsibilit...
RD-F-154 gray Default bytes32(0) acceptable as valid root Default-value (bytes32(0)) acceptable as valid root | GREEN — Wormhole does not use a Merkle root acceptance model. VAA trust is derived from ECDSA signatures against a known guardian key set (ecrecover with address(0) check). There is no `committedRoot` storage slot analogous to Nomad's `Replica` contract. The double-hash of the VAA body (`keccak256(keccak256(body))`) is the signed message — it is computed from the message content, not loaded from storage. Even if a zero-hash were somehow su...
RD-F-155 gray Bridge validator-set rotation recency Bridge validator set rotation recency | Guardian set has been live since 2021 with composition changes over time. The Jan 2024 expired guardian set key vulnerability (patched) was the most recent known rotation-related event. Last confirmed guardian set rotation: no specific date available from public sources, but the vulnerability fix implies the rotation mechanism was exercised in January 2024. Full rotation history requires on-chain inspection of guardian set upgrade governance VAAs. | Jan...
RD-F-156 gray Bridge uses same key custody for >30% validators Bridge uses same key custody for >30% of validators | 19 guardians across distinct organizations. Jump Crypto (historically a major actor, was both guardian and financial backer post-2022-hack) status post-2023 spin-out (Wormhole Foundation independence) needs verification. No evidence that any single custodian holds >30% of guardian keys. Most are independent validator companies with their own key management. Cannot confirm definitively without OSINT. | Profile §6 guardian list; profile note...
RD-F-157 gray Bridge TVL per validator ratio Bridge TVL per validator ratio (USD) | Portal locked TVL: ~$4.3M (Feb 2025, DefiLlama). TVL / 19 guardians = ~$226K per guardian. This is a low absolute ratio — each guardian is securing only ~$226K in locked TVL. However, the total value-in-flight through the messaging layer (not locked) is orders of magnitude higher. Using the $54B cumulative figure is misleading (that is historical flow, not instantaneous TVL). Current locked TVL ratio is extremely low, which implies a low loss-magnitude if...
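The checks graded under RD-F-151 through RD-F-154 are easier to see side by side. The contract below is an added illustration written for this review, not Wormhole's Messages.sol or Token Bridge code. It assumes a single, non-expiring guardian set supplied at construction and one registered emitter; the names `MinimalVAAVerifier`, `parseAndVerify`, `consumed`, `expectedEmitterChain` and `expectedEmitter` are invented for the example. Wormhole itself keeps indexed guardian sets with expiry in the Core Bridge (`parseAndVerifyVM`) and the `completedTransfers` mapping in the Token Bridge; here both duties are folded into one contract so the four checks appear in one code path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal VAA consumer (example code written for this review, not Wormhole's).
///   - ecrecover result must not be address(0)                         (RD-F-151)
///   - the signed digest covers emitter_chain, emitter_address, sequence (RD-F-152)
///   - consumed-VAA mapping keyed by the VAA hash                        (RD-F-153)
///   - trust comes from guardian signatures, not from a stored root      (RD-F-154)
contract MinimalVAAVerifier {
    struct VM {
        uint32  guardianSetIndex;
        uint32  timestamp;
        uint32  nonce;
        uint16  emitterChainId;
        bytes32 emitterAddress;
        uint64  sequence;
        uint8   consistencyLevel;
        bytes   payload;
        bytes32 hash;            // keccak256(keccak256(body)): the message guardians sign
    }

    uint256 private constant SIG_LEN = 66;     // index u8 | r bytes32 | s bytes32 | v u8
    uint256 private constant BODY_HEADER = 51; // fixed-size fields before the payload

    address[] public guardians;                 // assumed: one fixed guardian set
    mapping(bytes32 => bool) public consumed;   // RD-F-153: replay protection by VAA hash
    uint16  public immutable expectedEmitterChain;  // e.g. 2 for Ethereum
    bytes32 public immutable expectedEmitter;       // left-padded emitter address

    constructor(address[] memory _guardians, uint16 chainId, bytes32 emitter) {
        require(_guardians.length > 0 && _guardians.length < 256, "bad guardian set");
        guardians = _guardians;
        expectedEmitterChain = chainId;
        expectedEmitter = emitter;
    }

    /// Same formula as Wormhole's quorum(): floor(2n/3) + 1, which is 13 for n = 19.
    function quorum(uint256 n) public pure returns (uint256) {
        return (n * 2) / 3 + 1;
    }

    /// Wire format: version u8 | guardianSetIndex u32 | sigCount u8 | sigCount*66 | body.
    /// Body: timestamp u32 | nonce u32 | emitterChainId u16 | emitterAddress bytes32 |
    ///       sequence u64 | consistencyLevel u8 | payload.
    function parseAndVerify(bytes calldata vaa) external returns (VM memory vm) {
        require(uint8(vaa[0]) == 1, "unsupported VAA version");
        vm.guardianSetIndex = uint32(bytes4(vaa[1:5]));
        uint256 sigCount = uint8(vaa[5]);
        uint256 sigStart = 6;
        uint256 bodyStart = sigStart + sigCount * SIG_LEN;
        require(vaa.length >= bodyStart + BODY_HEADER, "truncated VAA");

        // RD-F-154: the signed message is derived from the body itself, never read
        // from storage, so there is no "accepted root" slot that could default to zero.
        bytes calldata body = vaa[bodyStart:];
        vm.hash = keccak256(abi.encodePacked(keccak256(body)));

        vm.timestamp        = uint32(bytes4(body[0:4]));
        vm.nonce            = uint32(bytes4(body[4:8]));
        vm.emitterChainId   = uint16(bytes2(body[8:10]));
        vm.emitterAddress   = bytes32(body[10:42]);
        vm.sequence         = uint64(bytes8(body[42:50]));
        vm.consistencyLevel = uint8(body[50]);
        vm.payload          = body[51:];

        uint256 n = guardians.length;
        require(sigCount >= quorum(n), "no quorum");

        uint256 lastIndex = 0;
        for (uint256 i = 0; i < sigCount; i++) {
            uint256 p = sigStart + i * SIG_LEN;
            uint256 idx = uint8(vaa[p]);
            bytes32 r = bytes32(vaa[p + 1:p + 33]);
            bytes32 s = bytes32(vaa[p + 33:p + 65]);
            uint8 v = uint8(vaa[p + 65]) + 27;

            require(idx < n, "guardian index out of bounds");
            // Strictly ascending indices: one guardian key cannot be counted twice.
            require(i == 0 || idx > lastIndex, "signature indices must be ascending");
            lastIndex = idx;

            address signer = ecrecover(vm.hash, v, r, s);
            // RD-F-151: a malformed signature recovers to address(0); without this check
            // a guardian slot that somehow held address(0) would be "matched".
            require(signer != address(0), "ecrecover failed with signature");
            require(signer == guardians[idx], "VM signature invalid");
        }

        // RD-F-152: emitter_chain and emitter_address sit inside the signed body, so a
        // VAA produced for another chain's emitter cannot be presented to this consumer.
        require(vm.emitterChainId == expectedEmitterChain, "wrong source chain");
        require(vm.emitterAddress == expectedEmitter, "unknown emitter");

        // RD-F-153: spend the VAA. The hash commits to (chain, emitter, sequence).
        require(!consumed[vm.hash], "VAA already consumed");
        consumed[vm.hash] = true;
    }
}
```

To exercise it against real data, deploy with the current mainnet guardian addresses read from the Core Bridge (not hard-coded), pass a hex VAA fetched from the Wormhole API, and confirm that a second call with the same bytes reverts with `VAA already consumed`. Note that the `signer != address(0)` check and the explicit `signer == guardians[idx]` comparison are both needed: the first stops a garbage signature from matching an empty slot, the second stops a valid signature from a non-guardian key, and the ascending-index rule stops one guardian's signature from being replayed toward quorum.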
RD-F-179 gray LayerZero OFT DVN config (count, threshold, diversity) LayerZero OFT DVN configuration | NOT APPLICABLE — Wormhole does not use LayerZero for its core bridge architecture. Data cache confirms `layerzero.present: false`. Wormhole is a peer protocol to LayerZero, not an integrator of it. F179 is explicitly scoped to LayerZero OFT integrations. | Data cache: `layerzero.present: false`; Profile §7: "CCIP or LayerZero are not used by Wormhole"; F179 taxonomy: "Cat 10 — populated only for LayerZero OFT integrations" | N/A
Threat intelligence & recon Green 7 8 of 8
RD-F-158 yellow Known-threat-actor cluster has touched protocol Bridge class is DPRK/Lazarus primary target; 2022 Wormhole hack not attributed to DPRK (distinct from Ronin); no current DPRK wallet interaction with Wormhole contracts confirmed in public sources; requires Chainalysis/TRM private cluster feed for definitive assessment | Unconfirmed — requires private TI feed; elevated class-level risk
RD-F-160 gray GitHub malicious-dependency incident touching protocol deps wormhole-foundation/wormhole has no `package.json` or `foundry.toml` at repo root per data cache (`package_json_present: false`, `foundry_toml_present: false`); dependency graph for Rust/Go/Move components not assessed by pipeline | Cannot fully assess — pipeline limited to EVM tooling detection; Rust `Cargo.toml` and Go modules not scanned
RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols Bridge class reconnaissance: IoTeX attack planned 6–18 months in advance; Drift (2026) was 6-month social engineering operation; Kelp DAO attacker funded 10 hours before exploit (rapid); Ronin had minimal pre-strike reconnaissance. Bridge class shows high variance (10 hours to 18 months). Wormhole 2022 attacker did not exhibit documented extended reconnaissance — exploit appears opportunistic on vulnerability discovery | Class average: 30–180 days; Wormhole-specific historical: minimal observ...
RD-F-165 gray Protocol social channel has scam-coordinator flag No Discord (not publicly listed per profile §9) or Telegram channel admins on curator scam-coordinator watchlists identified | No current evidence; Discord not surfaced = cannot assess Discord channel
RD-F-159 green Attacker wallet pre-strike probe (low-gas failing txs) No mempool probing pattern from labeled threat-actor wallets identified in public sources against Wormhole contracts | No current evidence
RD-F-161 green Protocol-impersonator domain registered (typosquat) No typosquat of wormhole.com or portal.wormhole.com identified in public sources within last 90 days | No current evidence
RD-F-162 green Known-exploit-template selector deployed by any address The February 2022 exploit used the deprecated `load_instruction_at` Solana sysvar function, which did not check that the supplied account was the genuine Instructions sysvar; this exploit pattern is documented; no new program or contract deployments reproducing this template identified | No current evidence
RD-F-164 green Leaked credential on paste/sentry site No public credential leaks matching wormhole.com infrastructure identified in paste-site monitors or public breach reports | No current evidence
Tooling / compiler / AI Green 13 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) EVM core bridge and token bridge: compiled with Solidity v0.8.4 (confirmed via Etherscan metadata on proxy addresses 0x98f3c9e6 and 0x3ee18B22). Solidity 0.8.4 carries several known bugs per the Solidity bug list: (1) `KeccakCaching` — optimizer bug where keccak256 of same-size different-content memory treated as equal (severity: medium, fixed in 0.8.3 — so NOT present in 0.8.4); (2) `EmptyByteArrayCopy` — copying an empty byte array to storage can corrupt it (severity: low/medium; the bug list records this as fixed in 0.7.4, so it likewise does not apply to 0.8.4); (3) `IncorrectB...
RD-F-174 yellow Dependency tree uses EOL Solidity version Solidity 0.8.4 is not EOL in the sense that 0.4.x is, but note that the Solidity project does not backport fixes to earlier patch releases: bug fixes ship only in new compiler versions, so 0.8.4 itself receives none, and the relevant check is the set of bug-list entries whose affected range covers 0.8.4 (see RD-F-170) rather than a support window. The version is old (released April 2021). NTT and newer contracts appear to use more recent 0.8.x versions per their respective foundry configs.
RD-F-171 green Bytecode similarity to audited upstream with behavior deviation Wormhole is an original implementation; no audited upstream exists to compare against. The custom VAA format, Guardian set structure, and chain-ID-keyed initialization pattern are distinct from any known prior protocol. No AI-generated-copy pattern identifiable without tool run.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No GitHub commits in the wormhole-foundation/wormhole repo with "Co-authored-by: GitHub Copilot" or equivalent AI-tool co-authorship attribution were found in public sources. The repo is actively maintained (last commit 2026-04-24 per data cache). No AI-tool disclosure in commit messages or PR descriptions found through searches.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public statement, blog post, tweet, or docs reference from Wormhole Foundation disclosing AI-generated Solidity in security-critical paths found through targeted search.
Response & disclosure hygiene Gray 0 4 of 4
RD-F-175 gray Disclosure channel exists - Finding: YES. Multiple channels: 1. Immunefi bug bounty program: https://immunefi.com/bug-bounty/wormhole/ — primary channel per SECURITY.md 2. SECURITY.md present in GitHub: https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md 3. Wormhole Responsible Disclosure Policy: https://wormhole.app/security/disclosure 4. Incident response program documented at https://wormhole.com/docs/protocol/security/
RD-F-176 gray Disclosure SLA public - Finding: PARTIAL. The SECURITY.md delegates policy to Immunefi — no self-published acknowledgment SLA is present in the SECURITY.md itself. A secondary-source reference to "resolving critical issues within ten business days of disclosure" exists (sourced from web search describing Wormhole's Immunefi program terms). This SLA is Immunefi-platform-enforced, not self-declared by Wormhole. A 10-business-day resolution SLA for critical bugs on a $300M/day-throughput protocol is very long. No pub...
RD-F-177 gray Prior known-ignored disclosure - Finding: NO evidence found. The Feb 2022 exploit had an unusual aggravating factor: a fix for the exact vulnerability had been committed to the public Wormhole GitHub repo but had not yet been deployed to mainnet. This is not a "known-ignored disclosure" in the sense of a reporter flagging the bug and being dismissed — it appears to be a deployment gap (commit merged but not yet pushed to mainnet). The attacker may have found the bug by reading the undeployed diff. This is a significant pro...
RD-F-178 gray CVE/GHSA advisory issued against protocol - Finding: NO confirmed CVE or GHSA identifier was found for Wormhole's 2022 exploit or the uninitialized proxy vulnerability. Web search returned no CVE/GHSA entries against `wormhole-foundation/wormhole`. The 2022 exploit is documented in third-party security analyses (Halborn, Chainalysis, etc.) and the Immunefi write-up, but not in NIST NVD or GitHub Advisory Database with a formal identifier. For a $320M exploit, the absence of a CVE entry is notable but not penalized under RD-F-178 (thi...
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol wormhole