defirisk.co
rubric v1.7.0

Bug bounty scope gap on highest-TVL contracts

Wormhole's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Core Bridge Ethereum (0x98f3c9e6), Token Bridge (0x3ee18B22), and NFT Bridge are the primary value-holding EVM contracts. Immunefi scope states "Ethereum and EVM chains (excluding Circle Bridge)" and includes "Portal Token Bridge." The NFT Bridge is explicitly listed as excluded from scope per the Immunefi scope page. However, the Token Bridge and Core Bridge appear to be in scope. The $1M max payout is active for Tier 1 (extract TVL all chains). One explicit gap: NFT Bridge exclusion is a sc...

Sources

  • Curator note
    Extracted from 01-code-security.md — RD-F-183 finding; no URL cited in original; retrieved 2026-04-28

Methodology

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.


rubric_version v1.7.0 protocol wormhole factor RD-F-183 score yellow collected_at 2026-04-28 01:38:43