Security

Let's take a moment to pause and spell out the most important security elements of Wormhole before proceeding.



What are the Core Security Assumptions of Wormhole?

  • Wormhole's core security primitive is its signed messages (signed VAAs).

  • The Guardian network is currently secured by a collection of 19 of the world's top validator companies, listed here.

  • Guardians produce signed state attestations (signed VAAs) when requested by a Core Contract integrator.

  • Every Guardian runs full nodes (rather than light nodes) of every blockchain in the Wormhole network. This means that if a blockchain suffers a consensus attack or hard fork, the blockchain will disconnect from the network, rather than potentially produce invalid signed VAAs.

  • Any Signed VAA can be verified as authentic by the Core Contract of any other chain.

  • Relayers are considered untrusted in the Wormhole ecosystem.


In summary:

  • Core integrators aren't exposed to risk from chains and contracts they don't integrate with.

  • You only trust the message signing process and the Core Contracts of the chains you're on.

  • Don't accept messages from chains you don't trust, and always be careful when adding new smart contract dependencies.



Core assumptions aside, there are many other factors which impact the real-world security of decentralized platforms. Here is more information on additional measures which have been put in place to ensure the security of Wormhole.


Audits & Bug Bounties

Wormhole has been heavily audited, with 16 third-party audits completed and a total of 26 started. Additionally, it has two bug bounty programs available: one self-hosted program, and one through Immunefi.

More information about the bug bounty programs, as well as the most up-to-date list of audit reports, is available here.

Guardian Network

Wormhole is an evolving platform. While the Guardian set currently comprises 19 validators, this is mostly a limitation of current blockchain technology. The aim of Wormhole is that the security of the Guardian Network will expand over time, and that eventually Guardian signatures will be replaced entirely by state proofs. More info in this previous section.


Governance

Since the launch of Wormhole v2, all Wormhole governance actions and contract upgrades have been managed via Wormhole's on-chain governance system. Guardians manually vote on governance proposals which originate inside the Guardian Network and are then submitted to ecosystem contracts. This means that contract upgrades are held to the same security standard as the rest of the system.

The Governance system is fully open source in the core repository. Here are some relevant contracts:


Wormchain & Asset Layer Protections

One of the most powerful aspects of the Wormhole ecosystem is that Guardians effectively have the entire state of DeFi available to them.

Wormchain is a Cosmos-based blockchain which runs internally to the Guardian network. On it, the Guardians can effectively execute smart contracts against the current state of all blockchains, rather than just one blockchain.

This enables two additional protections for the Wormhole Asset Layer in addition to the core assumptions:

  • Governor: The Governor tracks inflows and outflows of all blockchains and delays suspicious transfers which may be indicative of an exploit. More Info
  • Global Accountant: The accountant tracks the total circulating supply of all Wormhole assets across all chains and prevents any blockchain from bridging assets which would violate the supply invariant. More Info
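
The supply invariant described for the Global Accountant, sketched as a simplified Python model. This is an added example, not Wormhole's code: the class, the chain names and the token name are constructed, and it assumes one balance per token per chain (custody on the token's native chain, wrapped supply everywhere else).

```python
class SupplyInvariantError(Exception):
    """A transfer would move more of a token off a chain than that chain holds."""


class AccountantModel:
    """Hypothetical model: one balance per (token_chain, token, chain).

    On the token's native chain the balance is the amount locked in custody;
    on every other chain it is the wrapped supply in circulation.
    """

    def __init__(self):
        self.balances = {}

    def balance(self, token_chain, token, chain):
        return self.balances.get((token_chain, token, chain), 0)

    def transfer(self, token_chain, token, src, dst, amount):
        if amount <= 0 or src == dst:
            raise ValueError("amount must be positive and src must differ from dst")
        src_bal = self.balance(token_chain, token, src)
        dst_bal = self.balance(token_chain, token, dst)
        if src == token_chain:
            src_bal += amount  # native tokens locked in custody
        elif src_bal >= amount:
            src_bal -= amount  # wrapped tokens burned on the source chain
        else:
            raise SupplyInvariantError(f"{src} holds {src_bal}, tried to send {amount}")
        if dst == token_chain:
            if dst_bal < amount:
                raise SupplyInvariantError(f"custody holds {dst_bal}, asked for {amount}")
            dst_bal -= amount  # native tokens released from custody
        else:
            dst_bal += amount  # wrapped tokens minted on the destination chain
        # Commit only after both sides passed, so a rejected transfer changes nothing.
        self.balances[(token_chain, token, src)] = src_bal
        self.balances[(token_chain, token, dst)] = dst_bal

    def invariant_holds(self, token_chain, token):
        """Locked native supply must equal the wrapped supply on all other chains."""
        locked = self.balance(token_chain, token, token_chain)
        wrapped = sum(v for (tc, t, c), v in self.balances.items()
                      if (tc, t) == (token_chain, token) and c != token_chain)
        return locked == wrapped


def demo():
    """Constructed scenario: chainC tries to bridge out more than it ever received."""
    acct = AccountantModel()
    acct.transfer("chainA", "TOKEN", "chainA", "chainB", 100)
    acct.transfer("chainA", "TOKEN", "chainB", "chainC", 40)
    try:
        acct.transfer("chainA", "TOKEN", "chainC", "chainA", 500)
        rejected = False
    except SupplyInvariantError:
        rejected = True
    return acct, rejected
```

In this model a chain that starts emitting transfers for tokens it never received can drain at most its own recorded balance; the custody on the native chain backing other chains' wrapped supply is untouched.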

Always Open Source

Lastly, Wormhole builds in the open and is always open source.