Wormhole
DAMASCUS
Bridge / Messaging · Multi-chain · $1B+ TVL · 10 contracts
Official site: wormhole.com
791 (gauge ticks: 300, 475, 650, 825, 1000)
Confidence: 65%
Z-Factor: 0.72
Updated 2026-05-27 · Public score
Security Profile
Access Control: 75
Economic Soundness: 80
Oracle Integrity: 85
Compositional Risk: 70
Governance: 72
Maturity: 68
Resilience: 52
Supply Chain: 78
Cross-Chain Messaging: 62
Op Security: 66
Cascade Exposure: 96
Min: 52 · Avg: 73 · Max: 96
Audit History
Neodyme: 2022-02
OtterSec: 2023-09
Trail of Bits: 2024-01
Bug Bounty Program
$1,000,000 max payout on Immunefi
Assessment
Dominant cross-chain bridge, connects 30+ chains. $320M exploit (2022) is the defining event - rebuilt with improved security but historical scar permanently impacts D6/D7/D10. Post-exploit improvements are real.
Dimension Breakdown
Access Control
75 · Weight 16% · 72% confidence
+25: 19-guardian validator set (improved from 13 post-exploit)
-25: Guardian key management remains centralized risk
+25: Rate limiting and governor contracts added post-exploit
+25: Threshold signature scheme requires 13/19 consensus
Economic Soundness
80 · Weight 12% · 75% confidence
+20: Token bridge with wrapped asset model
+20: Relayer fee economics for cross-chain delivery
+20: No flash mint surface in bridge contracts
+20: Portal wrapped asset backed 1:1 by locked collateral
Oracle Integrity
85 · Weight 12% · 80% confidence
+21: VAA (Verifiable Action Approval) verification model
+21: Guardian attestation replaces traditional oracle
+21: No external price feed dependency in core
+21: Verification occurs on destination chain
Battle-Tested Maturity
68 · Weight 11% · 70% confidence
+17: Live since August 2021 (57 months)
+17: $320M exploit February 2022 (Guardian key compromise on Solana)
+17: Significant rebuild and security improvements post-exploit
+17: Z-factor: 0.897 from launch, but exploit is 39 months old
Adversarial Resilience (redacted)
52 · Weight 10% · 32% confidence
- No validated findings in BlackHart tracker
- D7 = 100 (clean protocol per tracker reconciliation)
- No validated adversarial findings — score set to neutral baseline
Compositional Risk
70 · Weight 9% · 68% confidence
+23: Connects 30+ blockchains with different security models
-30: Each chain integration adds unique attack surface
+23: NTT (Native Token Transfers) adds new composition
+23: Relayer network introduces liveness dependencies
Governance & Upgradeability
72 · Weight 9% · 65% confidence
+18: Wormhole Foundation controls upgrade authority
+18: Guardian set selection is permissioned
+18: W token governance launching but limited scope
+18: Upgrade process requires guardian consensus
Cross-Chain Messaging
62 · Weight 9% · 65% confidence
+16: $320M bridge exploit is defining cross-chain risk event
+16: Guardian key compromise class is bridge-specific
+16: Message verification trust model across heterogeneous chains
+16: Rate limiting added as defense-in-depth post-exploit
Operational Security
66 · Weight 9% · 60% confidence
-17: No branch protection detected
-17: CI/CD present but unstable (60% success)
+16: Commit signing: 72% verified
+16: Strong PR review culture (97% reviewed)
Cascade Exposure
96 · Weight 5% · 55% confidence
+32: Appears in 1 cross-protocol cascade chain(s)
-4: Failure cascades to 2 downstream protocol(s)
+32: Member of 1 dependency cluster(s)
+32: Source: cross_protocol_composition.json dependency analysis
Supply Chain
78 · Weight 4% · 72% confidence
+20: Multi-language: Rust (Solana), Solidity (EVM), Move (Aptos/Sui)
+20: Complex cross-chain SDK and relayer infrastructure
+20: Verified contracts across all supported chains
+20: Dependency complexity from multi-chain support
Top Score Drivers
Dimensions with the greatest marginal impact on BRI.
Adversarial Resilience
52 · +33.2 potential
Access Control
75 · +23.1 potential
19-guardian validator set (improved from 13 post-exploit)
Cross-Chain Messaging
62 · +21.6 potential
$320M bridge exploit is defining cross-chain risk event
Battle-Tested Maturity
68 · +21.3 potential
Live since August 2021 (57 months)
Operational Security
66 · +18.7 potential
No branch protection detected
Adversarial Risk Signals
Publicly verifiable security posture indicators.
Disclosure History: Not Assessed
Remediation Velocity: Not Assessed
Bug Bounty Program: Not Assessed
Audit Coverage: Not Assessed
Incident History: Not Assessed
methodology v2.1 · formula v1.1 · weights v1.1 · evidence sha256:sha256:3...
Score History & Verification
Score provenance tracking begins with the next reassessment.
On-Chain Data
- Protocol Slug: "wormhole"
- Oracle: BRORegistry (Base)
- Evidence: IPFS (pinned)
- Staleness Threshold: 24 hours
Read Score
registry.getScore("wormhole")
Reduce exploitable risk
Continuous adversarial analysis, vulnerability detection, and verified reassessment.
Embed this score
Live, updates automatically. Free for any site. Click-through links open the full report on BlackHart.
<iframe
src="https://blackhart.io/embed/oracle/wormhole?variant=card&theme=dark"
title="BlackHart Risk Index: Wormhole"
width="340"
height="290"
frameborder="0"
loading="lazy"
style="border:0; max-width:100%;"
></iframe>