BlackHartBlackHart
Scores/Wormhole

Wormhole

DAMASCUS

Bridge / Messaging · Multi-chain · $1B+ TVL · 10 contracts

Confidence 65%Z-Factor 0.72Updated 2026-05-17Cross-chain assessedPublic Score

Public risk assessment — scores are produced with the same methodology as monitored protocols

789
BRI Score
3004756508251000

Security Profile

Access Ctrl
75
Economic
80
Oracle
85
Compos.
70
Govern.
72
Maturity
68
Resilience
50
Supply Ch.
78
X-Chain
62
OpSec
66
Cascade
96
Min
50
Avg
73
Max
96

Audit History

Neodyme
2022-02
OtterSec
2023-09
Trail of Bits
2024-01

Bug Bounty Program

$2,500,000
Max payout on Immunefi
View Program →

Assessment

Dominant cross-chain bridge, connects 30+ chains. $320M exploit (2022) is the defining event - rebuilt with improved security but historical scar permanently impacts D6/D7/D10. Post-exploit improvements are real.

Dimension Breakdown

How scores work →
Access Control
Weight 16%72% conf
75
Good
arrow_forward
+2519-guardian validator set (improved from 13 post-exploit)
-25Guardian key management remains centralized risk
+25Rate limiting and governor contracts added post-exploit
+25Threshold signature scheme requires 13/19 consensus
receipt_longView provenance chainarrow_forward
Economic Soundness
Weight 12%75% conf
80
Strong
arrow_forward
+27Token bridge with wrapped asset model
+27Relayer fee economics for cross-chain delivery
-20No flash mint surface in bridge contracts
+27Portal wrapped asset backed 1:1 by locked collateral
receipt_longView provenance chainarrow_forward
Oracle Integrity
Weight 12%80% conf
85
Strong
arrow_forward
+28VAA (Verifiable Action Approval) verification model
+28Guardian attestation replaces traditional oracle
-15No external price feed dependency in core
+28Verification occurs on destination chain
receipt_longView provenance chainarrow_forward
Battle-Tested Maturity
Weight 11%70% conf
68
Moderate
arrow_forward
+17Live since August 2021 (57 months)
+17$320M exploit February 2022 (Guardian key compromise on Solana)
+17Significant rebuild and security improvements post-exploit
+17Z-factor: 0.897 from launch, but exploit is 39 months old
receipt_longView provenance chainarrow_forward
Adversarial Resiliencelock
Weight 10%30% conf
50
Concerning
  • No validated findings in BlackHart tracker
  • D7 = 100 (clean protocol per tracker reconciliation)
  • No validated adversarial findings — score set to neutral baseline
Compositional Risk
Weight 9%68% conf
70
Good
arrow_forward
+18Connects 30+ blockchains with different security models
+18Each chain integration adds unique attack surface
+18NTT (Native Token Transfers) adds new composition
+18Relayer network introduces liveness dependencies
receipt_longView provenance chainarrow_forward
Governance & Upgradeability
Weight 9%65% conf
72
Good
arrow_forward
+18Wormhole Foundation controls upgrade authority
+18Guardian set selection is permissioned
+18W token governance launching but limited scope
+18Upgrade process requires guardian consensus
receipt_longView provenance chainarrow_forward
Cross-Chain Messaging
Weight 9%65% conf
62
Moderate
arrow_forward
-38$320M bridge exploit is defining cross-chain risk event
+21Guardian key compromise class is bridge-specific
+21Message verification trust model across heterogeneous chains
+21Rate limiting added as defense-in-depth post-exploit
receipt_longView provenance chainarrow_forward
Operational Security
Weight 9%60% conf
66
Moderate
arrow_forward
-8No branch protection detected
-8CI/CD present but unstable (60% success)
+16Commit signing: 70% verified
+16Strong PR review culture (97% reviewed)
receipt_longView provenance chainarrow_forward
Cascade Exposure
Weight 5%55% conf
96
Excellent
arrow_forward
+24Appears in 1 cross-protocol cascade chain(s)
+24Failure cascades to 2 downstream protocol(s)
+24Member of 1 dependency cluster(s)
-4Score: 96/100 (higher = more isolated from systemic risk)
receipt_longView provenance chainarrow_forward
Supply Chain
Weight 4%72% conf
78
Good
arrow_forward
+20Multi-language: Rust (Solana), Solidity (EVM), Move (Aptos/Sui)
+20Complex cross-chain SDK and relayer infrastructure
+20Verified contracts across all supported chains
+20Dependency complexity from multi-chain support
receipt_longView provenance chainarrow_forward

Risk Drivers

Primary risk factors driving this score, ordered by severity.

Adversarial Resilience50
Cross-Chain Messaging62
Operational Security66

Adversarial Risk Signals

Observable security posture indicators. These signals reflect publicly verifiable information and responsible disclosure outcomes. No specific vulnerability details are exposed.

Disclosure HistoryNot Assessed
Remediation VelocityNot Assessed
Bug Bounty ProgramNot Assessed
Audit CoverageNot Assessed
Incident HistoryNot Assessed
Deployed 2021-09-01Z-Factor 0.72011 active dimensionsreceipt_longProvenance Ledger

Score History & Verification

Score provenance tracking begins with the next reassessment.

receipt_longView full provenance ledger →

On-Chain Data

Protocol Slug
"wormhole"
Oracle
BRORegistry (Base)
Evidence
IPFS (pinned)
Staleness Threshold
24 hours
Read Score
registry.getScore("wormhole")

Reduce exploitable risk

BlackHart Monitoring provides continuous adversarial analysis, vulnerability detection, remediation support, and verified reassessment when your risk posture improves.

View Monitoring PlansHow Scores Work
Believe this score contains a factual error? Submit evidence for review →