Scores/Wormhole

Wormhole

DAMASCUS

Bridge / Messaging · Multi-chain · $1B+ TVL · 10 contracts

Confidence 65%Z-Factor 0.72Updated 2026-05-13Cross-chain assessedPublic Score

Public risk assessment — scores are produced with the same methodology as monitored protocols

795

BRI Score

3004756508251000

Security Profile

Access Control
75

Economic Soundness
80

Oracle Integrity
85

Compositional Risk
70

Governance
72

Maturity
68

Resilience
50

Supply Chain
78

Cross-Chain Messaging
62

Op Security
75

Cascade Exposure
96

Access Ctrl
75

Economic
80

Oracle
85

Compos.
70

Govern.
72

Maturity
68

Resilience
50

Supply Ch.
78

X-Chain
62

OpSec
75

Cascade
96

Min

Avg

Max

Audit History

Neodyme

2022-02

OtterSec

2023-09

Trail of Bits

2024-01

Bug Bounty Program

$2,500,000

Max payout on Immunefi

View Program →

Assessment

Dominant cross-chain bridge, connects 30+ chains. $320M exploit (2022) is the defining event - rebuilt with improved security but historical scar permanently impacts D6/D7/D10. Post-exploit improvements are real.

Dimension Breakdown

How scores work →

Access Control

Weight 16%72% conf

Good

19-guardian validator set (improved from 13 post-exploit)
Guardian key management remains centralized risk
Rate limiting and governor contracts added post-exploit
Threshold signature scheme requires 13/19 consensus

Economic Soundness

Weight 12%75% conf

Strong

Token bridge with wrapped asset model
Relayer fee economics for cross-chain delivery
No flash mint surface in bridge contracts
Portal wrapped asset backed 1:1 by locked collateral

Oracle Integrity

Weight 12%80% conf

Strong

VAA (Verifiable Action Approval) verification model
Guardian attestation replaces traditional oracle
No external price feed dependency in core
Verification occurs on destination chain

Battle-Tested Maturity

Weight 11%70% conf

Moderate

Live since August 2021 (57 months)
$320M exploit February 2022 (Guardian key compromise on Solana)
Significant rebuild and security improvements post-exploit
Z-factor: 0.897 from launch, but exploit is 39 months old

Adversarial Resilience

Weight 10%30% conf

Concerning

No validated findings in BlackHart tracker
D7 = 100 (clean protocol per tracker reconciliation)
No validated adversarial findings — score set to neutral baseline

Compositional Risk

Weight 9%68% conf

Good

Connects 30+ blockchains with different security models
Each chain integration adds unique attack surface
NTT (Native Token Transfers) adds new composition
Relayer network introduces liveness dependencies

Governance & Upgradeability

Weight 9%65% conf

Good

Wormhole Foundation controls upgrade authority
Guardian set selection is permissioned
W token governance launching but limited scope
Upgrade process requires guardian consensus

Cross-Chain Messaging

Weight 9%65% conf

Moderate

$320M bridge exploit is defining cross-chain risk event
Guardian key compromise class is bridge-specific
Message verification trust model across heterogeneous chains
Rate limiting added as defense-in-depth post-exploit

Operational Security

Weight 9%72% conf

Good

Dedicated security team formed post-exploit
Guardian operator monitoring and rotation procedures
Improved incident response from lessons learned
Multi-chain deployment complexity remains operational risk

Cascade Exposure

Weight 5%55% conf

Excellent

Appears in 1 cross-protocol cascade chain(s)
Failure cascades to 2 downstream protocol(s)
Member of 1 dependency cluster(s)
Score: 96/100 (higher = more isolated from systemic risk)
Source: cross_protocol_composition.json dependency analysis

Supply Chain

Weight 4%72% conf

Good

Multi-language: Rust (Solana), Solidity (EVM), Move (Aptos/Sui)
Complex cross-chain SDK and relayer infrastructure
Verified contracts across all supported chains
Dependency complexity from multi-chain support

Risk Drivers

Primary risk factors driving this score, ordered by severity.

Adversarial Resilience50

Cross-Chain Messaging62

Battle-Tested Maturity68

Adversarial Risk Signals

Observable security posture indicators. These signals reflect publicly verifiable information and responsible disclosure outcomes. No specific vulnerability details are exposed.

Disclosure HistoryNot Assessed

Remediation VelocityNot Assessed

Bug Bounty ProgramNot Assessed

Audit CoverageNot Assessed

Incident HistoryNot Assessed

Deployed 2021-09-01Z-Factor 0.72011 active dimensions

Score History & Verification

Score provenance tracking begins with the next reassessment.

On-Chain Data

Protocol Slug: "wormhole"
Oracle: BRORegistry (Base)
Evidence: IPFS (pinned)
Staleness Threshold: 24 hours

Read Score

registry.getScore("wormhole")

Reduce exploitable risk

BlackHart Monitoring provides continuous adversarial analysis, vulnerability detection, remediation support, and verified reassessment when your risk posture improves.

View Monitoring Plans How Scores Work

Believe this score contains a factual error? Submit evidence for review →