From b574fd52e17ae0a11761ee706247ac6e856081d7 Mon Sep 17 00:00:00 2001 From: Ilaria Enache Date: Fri, 26 Jul 2024 11:29:20 +0200 Subject: [PATCH 01/30] added security page --- learn/.pages | 1 + learn/security.md | 109 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 learn/security.md diff --git a/learn/.pages b/learn/.pages index c5fedc81..52dc4d8e 100644 --- a/learn/.pages +++ b/learn/.pages @@ -2,4 +2,5 @@ title: Learn nav: - index.md - 'Introduction to Wormhole': 'introduction.md' + - 'Security': security.md - infrastructure diff --git a/learn/security.md b/learn/security.md new file mode 100644 index 00000000..117ba5a5 --- /dev/null +++ b/learn/security.md @@ -0,0 +1,109 @@ +# Security + +## Core Security Assumptions + +At the core, Wormhole is secured by a network of **[Guardians](#){target=\_blank}** nodes that validate and sign messages. If a super majority (e.g. 13 out of 19) Guardians sign the same message, it can be considered valid. A smart contract on the target chain will verify the signatures and format of the message before approving any transaction. + +- Wormhole's core security primitive is its signed messages (signed VAAs) +- The Guardian network is currently secured by a collection of 19 of the world's top **[validator companies](https://wormhole-foundation.github.io/wormhole-dashboard/#/?endpoint=Mainnet){target=\_blank}** +- Guardians produce signed state attestations (signed VAAs), when requested by a Core Contract integrator +- Every Guardian runs full nodes (rather than light nodes) of every blockchain in the Wormhole network. This means that if a blockchain suffers a consensus attack or hard fork, the blockchain will disconnect from the network, rather than potentially produce invalid signed VAAs +- Any Signed VAA can be verified as authentic by the Core Contract of any other chain +- Relayers are considered untrusted in the Wormhole ecosystem + +In summary: + +- **Core integrators aren't exposed to risk from chains and contracts they don't integrate with** +- By default, you only trust Wormhole's signing process and the Core Contracts of the chains you're on +- You can expand your contract and chain dependencies as you see fit + +Core assumptions aside, there are many other factors which impact the real-world security of decentralized platforms. Here is more information on additional measures which have been put in place to ensure the security of Wormhole. + +## Guardian Network + +Wormhole is an evolving platform. While the Guardian set currently comprises 19 validators, this is mostly a limitation of current blockchain technology. + +### Governance + +Governance is the process through which contract upgrades happen. Guardians manually vote on governance proposals which originate inside the Guardian Network and are then submitted to ecosystem contracts. + +This means that **governance actions are held to the same security standard** as the rest of the system. A 2/3 super-majority of the Guardians are required to pass any Governance action. + +Governance messages can target any of the various wormhole modules, including the core contracts as well as all currently deployed token bridge contracts. When a guardian signs such a message, its signature implies a vote on the action in question. Once more than 2/3 of the guardians have signed, the message and governance action are considered valid. + +All governance actions and contract upgrades have been managed via Wormhole's **on-chain governance system**. + +Via governance, the Guardians are able to: + +- Change the current Guardian set +- Expand the Guardian set +- Upgrade ecosystem contract implementations + +The Governance system is fully open source in the core repository. See the **[Open Source section](#){target=\_blank}** for contract source. + +## Monitoring + +A key element of Wormhole's defense-in-depth strategy is that each Guardian is a highly-competent validator company with their own in-house processes for running, monitoring, and securing blockchain operations. This heterogeneous approach to monitoring increases the likelihood that fraudulent activity is detected and reduces the number of single failure points in the system. + +Guardians are not just running Wormhole validators, they're running validators for **every blockchain inside of Wormhole** as well, which allows them to perform monitoring **holistically across decentralized computing**, rather than just at a few single points. + +Guardians Monitor: + +- Block Production & Consensus of each blockchain. If a blockchain's consensus is violated it disconnects from the network until the Guardians resolve the issue. +- Smart Contract level data. Via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains. +- Guardian Level activity. The Guardian Network functions as an autonomous decentralized computing network, complete with its own blockchain (**[Gateway](#){target=\_blank}**). + +## Gateway & Asset Layer Protections + +One of the most powerful aspects of the Wormhole ecosystem is that Guardians effectively have **the entire state DeFi available to them**. + +Gateway is a Cosmos based blockchain which runs internally to the Guardian network, whereby the Guardians can effectively execute smart contracts against the current state of all blockchains, rather than just one blockchain. + +This enables additional protection for the Wormhole Asset Layer in addition to the core assumptions: +- **Global Accountant** - the accountant tracks the total circulating supply of all Wormhole assets across all chains and prevents any blockchain from bridging assets which would violate the supply invariant + +In addition to the Global Accountant, Guardians may only sign transfers that do not violate the requirements of the Governor. The **[Governor](https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0007_governor.md){target=\_blank}** tracks inflows and outflows of all blockchains and delays suspicious transfers which may be indicative of a exploit. + +## Open Source + +Wormhole builds in the open and is always open source. + +- **[Wormhole Core Repository](https://github.com/wormhole-foundation/wormhole){target=\_blank}** +- **[Wormhole Foundation Github Organization](https://github.com/wormhole-foundation){target=\_blank}** +- **[Wormhole Contract Deployments](#){target=\_blank}** + +## Audits + +Wormhole has been heavily audited, with **29 third-party audits completed** and more started. + +Wormhole has had audits performed by the following firms, and continues to seek more: + +- Trail of Bits +- Neodyme +- Kudelski +- OtterSec +- Certik +- Hacken +- Zellic +- Coinspect +- Halborn + +**[The most up-to-date list of audits, as well as the final reports](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md#3rd-party-security-audits){target=\blank}**. + +## Bug Bounties + +Wormhole has one of the largest bug bounty programs in all of software development, and has repeatedly shown commitment to engaging with the white hat community. + +Wormhole hosts two bug bounty programs: + +- An **[Immunefi](https://immunefi.com/bug-bounty/wormhole/){target=\blank}** program +- As well as a **[self-hosted program](https://immunefi.com/bug-bounty/wormhole/){target=\blank}** + +Both platforms have a top payout of **2.5 million dollars**. + +If you are interested in helping contribute to Wormhole security, please look at this section for **[Getting started as a White Hat](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md#white-hat-hacking){target=\blank}**, and be sure to follow the **[Wormhole Contributor Guidelines](https://github.com/wormhole-foundation/wormhole/blob/main/CONTRIBUTING.md){target=\blank}**. + +For more information about submitting to the bug bounty programs, **[look here](https://immunefi.com/bug-bounty/wormhole/){target=\blank}** + +## Learn More +The **[SECURITY.md](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md){target=\blank}** from the official repository has the latest security policies and updates. From 7384065a5ba78b0103eb4d8e81733d9ca2c0d28d Mon Sep 17 00:00:00 2001 From: Ilaria Enache Date: Fri, 26 Jul 2024 11:36:44 +0200 Subject: [PATCH 02/30] grammarly check --- learn/security.md | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/learn/security.md b/learn/security.md index 117ba5a5..ce5641b7 100644 --- a/learn/security.md +++ b/learn/security.md @@ -2,12 +2,12 @@ ## Core Security Assumptions -At the core, Wormhole is secured by a network of **[Guardians](#){target=\_blank}** nodes that validate and sign messages. If a super majority (e.g. 13 out of 19) Guardians sign the same message, it can be considered valid. A smart contract on the target chain will verify the signatures and format of the message before approving any transaction. +At the core, Wormhole is secured by a network of **[Guardians](#){target=\_blank}** nodes that validate and sign messages. If a super majority (e.g., 13 out of 19) Guardians sign the same message, it can be considered valid. A smart contract on the target chain will verify the signatures and format of the message before approving any transaction. - Wormhole's core security primitive is its signed messages (signed VAAs) - The Guardian network is currently secured by a collection of 19 of the world's top **[validator companies](https://wormhole-foundation.github.io/wormhole-dashboard/#/?endpoint=Mainnet){target=\_blank}** -- Guardians produce signed state attestations (signed VAAs), when requested by a Core Contract integrator -- Every Guardian runs full nodes (rather than light nodes) of every blockchain in the Wormhole network. This means that if a blockchain suffers a consensus attack or hard fork, the blockchain will disconnect from the network, rather than potentially produce invalid signed VAAs +- Guardians produce signed state attestations (signed VAAs) when requested by a Core Contract integrator +- Every Guardian runs full nodes (rather than light nodes) of every blockchain in the Wormhole network, so if a blockchain suffers a consensus attack or hard fork, the blockchain will disconnect from the network rather than potentially produce invalid signed VAAs - Any Signed VAA can be verified as authentic by the Core Contract of any other chain - Relayers are considered untrusted in the Wormhole ecosystem @@ -17,23 +17,23 @@ In summary: - By default, you only trust Wormhole's signing process and the Core Contracts of the chains you're on - You can expand your contract and chain dependencies as you see fit -Core assumptions aside, there are many other factors which impact the real-world security of decentralized platforms. Here is more information on additional measures which have been put in place to ensure the security of Wormhole. +Core assumptions aside, many other factors impact the real-world security of decentralized platforms. Here is more information on additional measures that have been put in place to ensure the security of Wormhole. ## Guardian Network -Wormhole is an evolving platform. While the Guardian set currently comprises 19 validators, this is mostly a limitation of current blockchain technology. +Wormhole is an evolving platform. While the Guardian set currently comprises 19 validators, this is a limitation of current blockchain technology. ### Governance -Governance is the process through which contract upgrades happen. Guardians manually vote on governance proposals which originate inside the Guardian Network and are then submitted to ecosystem contracts. +Governance is the process through which contract upgrades happen. Guardians manually vote on governance proposals that originate inside the Guardian Network and are then submitted to ecosystem contracts. -This means that **governance actions are held to the same security standard** as the rest of the system. A 2/3 super-majority of the Guardians are required to pass any Governance action. +This means that **governance actions are held to the same security standard** as the rest of the system. A 2/3 supermajority of the Guardians is required to pass any Governance action. -Governance messages can target any of the various wormhole modules, including the core contracts as well as all currently deployed token bridge contracts. When a guardian signs such a message, its signature implies a vote on the action in question. Once more than 2/3 of the guardians have signed, the message and governance action are considered valid. +Governance messages can target any of the various wormhole modules, including the core contracts and all currently deployed token bridge contracts. When a guardian signs such a message, its signature implies a vote on the action in question. Once more than 2/3 of the guardians have signed, the message and governance action are considered valid. All governance actions and contract upgrades have been managed via Wormhole's **on-chain governance system**. -Via governance, the Guardians are able to: +Via governance, the Guardians can: - Change the current Guardian set - Expand the Guardian set @@ -43,26 +43,26 @@ The Governance system is fully open source in the core repository. See the **[Op ## Monitoring -A key element of Wormhole's defense-in-depth strategy is that each Guardian is a highly-competent validator company with their own in-house processes for running, monitoring, and securing blockchain operations. This heterogeneous approach to monitoring increases the likelihood that fraudulent activity is detected and reduces the number of single failure points in the system. +A key element of Wormhole's defense-in-depth strategy is that each Guardian is a highly competent validator company with its own in-house processes for running, monitoring, and securing blockchain operations. This heterogeneous approach to monitoring increases the likelihood that fraudulent activity is detected and reduces the number of single failure points in the system. -Guardians are not just running Wormhole validators, they're running validators for **every blockchain inside of Wormhole** as well, which allows them to perform monitoring **holistically across decentralized computing**, rather than just at a few single points. +Guardians are not just running Wormhole validators; they're running validators for **every blockchain inside of Wormhole** as well, which allows them to perform monitoring **holistically across decentralized computing**, rather than just at a few single points. Guardians Monitor: -- Block Production & Consensus of each blockchain. If a blockchain's consensus is violated it disconnects from the network until the Guardians resolve the issue. +- Block Production & Consensus of each blockchain. If a blockchain's consensus is violated it will be disconnected from the network until the Guardians resolve the issue. - Smart Contract level data. Via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains. -- Guardian Level activity. The Guardian Network functions as an autonomous decentralized computing network, complete with its own blockchain (**[Gateway](#){target=\_blank}**). +- Guardian Level activity. The Guardian Network functions as an autonomous decentralized computing network, complete with its blockchain (**[Gateway](#){target=\_blank}**). ## Gateway & Asset Layer Protections One of the most powerful aspects of the Wormhole ecosystem is that Guardians effectively have **the entire state DeFi available to them**. -Gateway is a Cosmos based blockchain which runs internally to the Guardian network, whereby the Guardians can effectively execute smart contracts against the current state of all blockchains, rather than just one blockchain. +Gateway is a Cosmos-based blockchain that runs internally to the Guardian network, whereby the Guardians can effectively execute smart contracts against the current state of all blockchains rather than just one blockchain. This enables additional protection for the Wormhole Asset Layer in addition to the core assumptions: - **Global Accountant** - the accountant tracks the total circulating supply of all Wormhole assets across all chains and prevents any blockchain from bridging assets which would violate the supply invariant -In addition to the Global Accountant, Guardians may only sign transfers that do not violate the requirements of the Governor. The **[Governor](https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0007_governor.md){target=\_blank}** tracks inflows and outflows of all blockchains and delays suspicious transfers which may be indicative of a exploit. +In addition to the Global Accountant, Guardians may only sign transfers that do not violate the requirements of the Governor. The **[Governor](https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0007_governor.md){target=\_blank}** tracks inflows and outflows of all blockchains and delays suspicious transfers which may be indicative of an exploit. ## Open Source @@ -92,7 +92,7 @@ Wormhole has had audits performed by the following firms, and continues to seek ## Bug Bounties -Wormhole has one of the largest bug bounty programs in all of software development, and has repeatedly shown commitment to engaging with the white hat community. +Wormhole has one of the largest bug bounty programs in software development, and has repeatedly shown commitment to engaging with the white hat community. Wormhole hosts two bug bounty programs: From 703950d21975b436ed2692878b9c411098d684b7 Mon Sep 17 00:00:00 2001 From: Ilaria Enache Date: Fri, 26 Jul 2024 12:08:31 +0200 Subject: [PATCH 03/30] style check --- learn/security.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/learn/security.md b/learn/security.md index ce5641b7..0c69abc8 100644 --- a/learn/security.md +++ b/learn/security.md @@ -1,3 +1,6 @@ + # Security ## Core Security Assumptions @@ -49,9 +52,9 @@ Guardians are not just running Wormhole validators; they're running validators f Guardians Monitor: -- Block Production & Consensus of each blockchain. If a blockchain's consensus is violated it will be disconnected from the network until the Guardians resolve the issue. -- Smart Contract level data. Via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains. -- Guardian Level activity. The Guardian Network functions as an autonomous decentralized computing network, complete with its blockchain (**[Gateway](#){target=\_blank}**). +- Block Production & Consensus of each blockchain - if a blockchain's consensus is violated it will be disconnected from the network until the Guardians resolve the issue +- Smart Contract level data - via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains +- Guardian Level activity - the Guardian Network functions as an autonomous decentralized computing network, complete with its blockchain (**[Gateway](#){target=\_blank}**) ## Gateway & Asset Layer Protections From 67738da971fbbcbb464706c4b26941fce2f536d3 Mon Sep 17 00:00:00 2001 From: Ilaria Enache Date: Mon, 29 Jul 2024 11:37:14 +0200 Subject: [PATCH 04/30] deleted intro to avoid conflict --- learn/introduction.md | 70 ------------------------------------------- 1 file changed, 70 deletions(-) delete mode 100644 learn/introduction.md diff --git a/learn/introduction.md b/learn/introduction.md deleted file mode 100644 index 87783f9c..00000000 --- a/learn/introduction.md +++ /dev/null @@ -1,70 +0,0 @@ - -# Introduction to Wormhole - -Wormhole is a generic **message-passing protocol** that enables communication between blockchains. - -![Overview](/wormhole-mkdocs/images/learn/introduction/overview.webp) - -!!! note - The above is an oversimplified illustration of the protocol; details about the architecture and components are available in the **[architecture page](#){target=\_blank}**. - - -This simple message-passing protocol allows developers and users of cross-chain applications to leverage the advantages of multiple ecosystems. - -## What Isn't Wormhole? - -- **Wormhole is _not_ a blockchain** - it provides a means of communication between blockchains or rollups - -- **Wormhole is _not_ a token bridge** - however, there are **[protocols built on Wormhole](https://portalbridge.com/#/transfer){target=\_blank}** that serve this purpose - -## What Can Wormhole Be Used For? - -Consider the following examples of potential applications enabled by Wormhole: - -- **Cross-Chain Exchange** - using **[Wormhole Connect](#){target=\_blank}**, developers can build exchanges that allow deposits from any Wormhole-connected chain, significantly increasing liquidity access -- **Cross-Chain Governance** - NFT collections on different networks can use Wormhole to communicate votes cast on their respective chains to a designated "voting" chain for combined proposals -- **Cross-Chain Game** - games can be developed on a performant network like Solana, with rewards issued as NFTs on another network, such as Ethereum - -## Get Started - -### Quick Start Tutorials - -Tutorials are available to get started quickly and explain the concepts involved. - -- **[Quick Start - Off Chain](#){target=\_blank}** - integrate Wormhole Connect into a new or existing web UI -- **[Quick Start - On Chain](#){target=\_blank}** - send your first cross-chain message - -More tutorials are available **[on github](https://github.com/wormhole-foundation/docs.wormhole.com/blob/main/docs/tutorials/quick-start/README.md){target=\_blank}**. - -## Explore - -Discover more about the Wormhole ecosystem, components, and protocols: - -- **[Architecture](#){target=\_blank}** - explore the components of the protocol -- **[Protocol Specifications](https://github.com/wormhole-foundation/wormhole/tree/main/whitepapers){target=\_blank}** - learn about the protocols built on top of Wormhole - -## Demos - -Demos offer more realistic implementations than tutorials: - -- **[Wormhole Scaffolding](https://github.com/wormhole-foundation/wormhole-scaffolding){target=\_blank}** - quickly set up a project with the Scaffolding repo -- **[xDapp Book Projects](https://github.com/wormhole-foundation/xdapp-book/tree/main/projects){target=\_blank}** - run and learn from example programs - -More demos are available in the **[demos page](#){target=\_blank}**. - -!!! note - ## Wormhole Integration Complete? - - Let us know so we can list your project in our ecosystem directory and introduce you to our global, multichain community! - - **[Reach out now!](https://forms.clickup.com/45049775/f/1aytxf-10244/JKYWRUQ70AUI99F32Q){target=\_blank}** - -## Supported Blockchains - -Wormhole supports a growing number of blockchains. - - \ No newline at end of file From 4316d7e021baab9f134c0fbe1cdeeba83fdeb670 Mon Sep 17 00:00:00 2001 From: Ilaria Enache Date: Mon, 29 Jul 2024 11:44:01 +0200 Subject: [PATCH 05/30] added meta title and description --- learn/security.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/learn/security.md b/learn/security.md index 0c69abc8..fbdcc686 100644 --- a/learn/security.md +++ b/learn/security.md @@ -1,3 +1,7 @@ +--- +title: Security +description: Explore Wormhole's security features, including the Guardian network, governance, monitoring, open-source development, and bug bounty programs. +--- From c33084512fd31effed81d5fd82e05ce68c10590e Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:47:31 +0200 Subject: [PATCH 06/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index fbdcc686..68d7f55f 100644 --- a/learn/security.md +++ b/learn/security.md @@ -9,7 +9,7 @@ some missing links will need to be added when pages are created ## Core Security Assumptions -At the core, Wormhole is secured by a network of **[Guardians](#){target=\_blank}** nodes that validate and sign messages. If a super majority (e.g., 13 out of 19) Guardians sign the same message, it can be considered valid. A smart contract on the target chain will verify the signatures and format of the message before approving any transaction. +At its core, Wormhole is secured by a network of [Guardian](#){target=\_blank} nodes that validate and sign messages. If a super majority (e.g., 13 out of 19) of Guardians sign the same message, it can be considered valid. A smart contract on the target chain will verify the signatures and format of the message before approving any transaction. - Wormhole's core security primitive is its signed messages (signed VAAs) - The Guardian network is currently secured by a collection of 19 of the world's top **[validator companies](https://wormhole-foundation.github.io/wormhole-dashboard/#/?endpoint=Mainnet){target=\_blank}** From a0b25be9b43f66e3d4b7843a6954e0d3f37f9bc0 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:47:39 +0200 Subject: [PATCH 07/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index 68d7f55f..c6a4dc84 100644 --- a/learn/security.md +++ b/learn/security.md @@ -38,7 +38,7 @@ This means that **governance actions are held to the same security standard** as Governance messages can target any of the various wormhole modules, including the core contracts and all currently deployed token bridge contracts. When a guardian signs such a message, its signature implies a vote on the action in question. Once more than 2/3 of the guardians have signed, the message and governance action are considered valid. -All governance actions and contract upgrades have been managed via Wormhole's **on-chain governance system**. +All governance actions and contract upgrades have been managed via Wormhole's on-chain governance system. Via governance, the Guardians can: From a036203cfe1d5530598d83fb92130e1d73aabe84 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:47:53 +0200 Subject: [PATCH 08/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index c6a4dc84..13c18f16 100644 --- a/learn/security.md +++ b/learn/security.md @@ -34,7 +34,7 @@ Wormhole is an evolving platform. While the Guardian set currently comprises 19 Governance is the process through which contract upgrades happen. Guardians manually vote on governance proposals that originate inside the Guardian Network and are then submitted to ecosystem contracts. -This means that **governance actions are held to the same security standard** as the rest of the system. A 2/3 supermajority of the Guardians is required to pass any Governance action. +This means that governance actions are held to the same security standard as the rest of the system. A two-thirds supermajority of the Guardians is required to pass any governance action. Governance messages can target any of the various wormhole modules, including the core contracts and all currently deployed token bridge contracts. When a guardian signs such a message, its signature implies a vote on the action in question. Once more than 2/3 of the guardians have signed, the message and governance action are considered valid. From 902a2a880db19f093efc985fcb5f9159078b57ea Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:48:04 +0200 Subject: [PATCH 09/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index 13c18f16..c3589b55 100644 --- a/learn/security.md +++ b/learn/security.md @@ -77,7 +77,7 @@ Wormhole builds in the open and is always open source. - **[Wormhole Core Repository](https://github.com/wormhole-foundation/wormhole){target=\_blank}** - **[Wormhole Foundation Github Organization](https://github.com/wormhole-foundation){target=\_blank}** -- **[Wormhole Contract Deployments](#){target=\_blank}** +- **[Wormhole contract deployments](#){target=\_blank}** ## Audits From 42ac9ea7cb7e5be02fabbc9e3be51713d29a4d13 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:48:16 +0200 Subject: [PATCH 10/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index c3589b55..9076661f 100644 --- a/learn/security.md +++ b/learn/security.md @@ -36,7 +36,7 @@ Governance is the process through which contract upgrades happen. Guardians manu This means that governance actions are held to the same security standard as the rest of the system. A two-thirds supermajority of the Guardians is required to pass any governance action. -Governance messages can target any of the various wormhole modules, including the core contracts and all currently deployed token bridge contracts. When a guardian signs such a message, its signature implies a vote on the action in question. Once more than 2/3 of the guardians have signed, the message and governance action are considered valid. +Governance messages can target any of the various wormhole modules, including the core contracts and all currently deployed token bridge contracts. When a Guardian signs such a message, its signature implies a vote on the action in question. Once more than two-thirds of the Guardians have signed, the message and governance action are considered valid. All governance actions and contract upgrades have been managed via Wormhole's on-chain governance system. From 1efa3b7091a26e79a0b67bfd53ac63e20a05bd95 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:48:23 +0200 Subject: [PATCH 11/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index 9076661f..df96b613 100644 --- a/learn/security.md +++ b/learn/security.md @@ -99,7 +99,7 @@ Wormhole has had audits performed by the following firms, and continues to seek ## Bug Bounties -Wormhole has one of the largest bug bounty programs in software development, and has repeatedly shown commitment to engaging with the white hat community. +Wormhole has one of the largest bug bounty programs in software development and has repeatedly shown commitment to engaging with the white hat community. Wormhole hosts two bug bounty programs: From 383b6466a3ba10a935aaaf622f229ce159972ef2 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:48:35 +0200 Subject: [PATCH 12/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index df96b613..e3eaeac6 100644 --- a/learn/security.md +++ b/learn/security.md @@ -108,7 +108,7 @@ Wormhole hosts two bug bounty programs: Both platforms have a top payout of **2.5 million dollars**. -If you are interested in helping contribute to Wormhole security, please look at this section for **[Getting started as a White Hat](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md#white-hat-hacking){target=\blank}**, and be sure to follow the **[Wormhole Contributor Guidelines](https://github.com/wormhole-foundation/wormhole/blob/main/CONTRIBUTING.md){target=\blank}**. +If you are interested in contributing to Wormhole security, please look at this section for **[Getting Started as a White Hat](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md#white-hat-hacking){target=\blank}**, and follow the **[Wormhole Contributor Guidelines](https://github.com/wormhole-foundation/wormhole/blob/main/CONTRIBUTING.md){target=\blank}**. For more information about submitting to the bug bounty programs, **[look here](https://immunefi.com/bug-bounty/wormhole/){target=\blank}** From fdfd48d29f1bd30f98e4d039ec79688924032cd4 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:48:41 +0200 Subject: [PATCH 13/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index e3eaeac6..5303aa77 100644 --- a/learn/security.md +++ b/learn/security.md @@ -110,7 +110,7 @@ Both platforms have a top payout of **2.5 million dollars**. If you are interested in contributing to Wormhole security, please look at this section for **[Getting Started as a White Hat](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md#white-hat-hacking){target=\blank}**, and follow the **[Wormhole Contributor Guidelines](https://github.com/wormhole-foundation/wormhole/blob/main/CONTRIBUTING.md){target=\blank}**. -For more information about submitting to the bug bounty programs, **[look here](https://immunefi.com/bug-bounty/wormhole/){target=\blank}** +For more information about submitting to the bug bounty programs, refer to the [Wormhole Immunefi page](https://immunefi.com/bug-bounty/wormhole/){target=\blank}. ## Learn More The **[SECURITY.md](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md){target=\blank}** from the official repository has the latest security policies and updates. From 7d14166bdc0b191f1c72e94f6b56849f2b4bbff8 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:48:49 +0200 Subject: [PATCH 14/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 1 + 1 file changed, 1 insertion(+) diff --git a/learn/security.md b/learn/security.md index 5303aa77..09dd8985 100644 --- a/learn/security.md +++ b/learn/security.md @@ -113,4 +113,5 @@ If you are interested in contributing to Wormhole security, please look at this For more information about submitting to the bug bounty programs, refer to the [Wormhole Immunefi page](https://immunefi.com/bug-bounty/wormhole/){target=\blank}. ## Learn More + The **[SECURITY.md](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md){target=\blank}** from the official repository has the latest security policies and updates. From 1025153b40399b32f1a436478f24d6c323895ef3 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:49:11 +0200 Subject: [PATCH 15/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index 09dd8985..79edc415 100644 --- a/learn/security.md +++ b/learn/security.md @@ -21,7 +21,7 @@ At its core, Wormhole is secured by a network of [Guardian](#){target=\_blank} n In summary: - **Core integrators aren't exposed to risk from chains and contracts they don't integrate with** -- By default, you only trust Wormhole's signing process and the Core Contracts of the chains you're on +- By default, you only trust Wormhole's signing process and the core contracts of the chains you're on - You can expand your contract and chain dependencies as you see fit Core assumptions aside, many other factors impact the real-world security of decentralized platforms. Here is more information on additional measures that have been put in place to ensure the security of Wormhole. From 5865bf3eb1bd7077909f7b7a1735864c962332f2 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:49:23 +0200 Subject: [PATCH 16/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index 79edc415..9d61966f 100644 --- a/learn/security.md +++ b/learn/security.md @@ -46,7 +46,7 @@ Via governance, the Guardians can: - Expand the Guardian set - Upgrade ecosystem contract implementations -The Governance system is fully open source in the core repository. See the **[Open Source section](#){target=\_blank}** for contract source. +The governance system is fully open source in the core repository. See the **[Open Source section](#){target=\_blank}** for contract source. ## Monitoring From fea029b8d60ce1d9e3a72dd6b5aa867999f0b737 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:51:44 +0200 Subject: [PATCH 17/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index 9d61966f..1598edf7 100644 --- a/learn/security.md +++ b/learn/security.md @@ -52,7 +52,7 @@ The governance system is fully open source in the core repository. See the **[Op A key element of Wormhole's defense-in-depth strategy is that each Guardian is a highly competent validator company with its own in-house processes for running, monitoring, and securing blockchain operations. This heterogeneous approach to monitoring increases the likelihood that fraudulent activity is detected and reduces the number of single failure points in the system. -Guardians are not just running Wormhole validators; they're running validators for **every blockchain inside of Wormhole** as well, which allows them to perform monitoring **holistically across decentralized computing**, rather than just at a few single points. +Guardians are not just running Wormhole validators; they're running validators for every blockchain inside of Wormhole as well, which allows them to perform monitoring holistically across decentralized computing rather than just at a few single points. Guardians Monitor: From 78081c9a50798cc635abd0305d009c413ab85a44 Mon Sep 17 00:00:00 2001 From: Ilaria Enache Date: Mon, 29 Jul 2024 11:53:12 +0200 Subject: [PATCH 18/30] update security page --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index 9d61966f..ae64470b 100644 --- a/learn/security.md +++ b/learn/security.md @@ -52,7 +52,7 @@ The governance system is fully open source in the core repository. See the **[Op A key element of Wormhole's defense-in-depth strategy is that each Guardian is a highly competent validator company with its own in-house processes for running, monitoring, and securing blockchain operations. This heterogeneous approach to monitoring increases the likelihood that fraudulent activity is detected and reduces the number of single failure points in the system. -Guardians are not just running Wormhole validators; they're running validators for **every blockchain inside of Wormhole** as well, which allows them to perform monitoring **holistically across decentralized computing**, rather than just at a few single points. +Guardians are not just running Wormhole validators; they're running validators for every blockchain inside of Wormhole as well, which allows them to perform monitoring holistically across decentralized computing, rather than just at a few single points. Guardians Monitor: From 9e1ec99a33a397ddfc31b33c7ca91e92d157ab26 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:57:37 +0200 Subject: [PATCH 19/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index 1598edf7..130ac6fb 100644 --- a/learn/security.md +++ b/learn/security.md @@ -56,7 +56,7 @@ Guardians are not just running Wormhole validators; they're running validators f Guardians Monitor: -- Block Production & Consensus of each blockchain - if a blockchain's consensus is violated it will be disconnected from the network until the Guardians resolve the issue +- Block production and consensus of each blockchain - if a blockchain's consensus is violated, it will be disconnected from the network until the Guardians resolve the issue - Smart Contract level data - via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains - Guardian Level activity - the Guardian Network functions as an autonomous decentralized computing network, complete with its blockchain (**[Gateway](#){target=\_blank}**) From 8e6d9fb41be62612e0db9ce6f3d85f4770417b56 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:00:01 +0200 Subject: [PATCH 20/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index c5c084cf..3b467268 100644 --- a/learn/security.md +++ b/learn/security.md @@ -58,7 +58,7 @@ Guardians are not just running Wormhole validators; they're running validators f Guardians are not just running Wormhole validators; they're running validators for every blockchain inside of Wormhole as well, which allows them to perform monitoring holistically across decentralized computing rather than just at a few single points. >>>>>>> fea029b8d60ce1d9e3a72dd6b5aa867999f0b737 -Guardians Monitor: +Guardians monitor: - Block production and consensus of each blockchain - if a blockchain's consensus is violated, it will be disconnected from the network until the Guardians resolve the issue - Smart Contract level data - via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains From 687739ddae0f288d3131c456177855bb299b52c1 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:01:15 +0200 Subject: [PATCH 21/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index 3b467268..f7c77983 100644 --- a/learn/security.md +++ b/learn/security.md @@ -61,7 +61,7 @@ Guardians are not just running Wormhole validators; they're running validators f Guardians monitor: - Block production and consensus of each blockchain - if a blockchain's consensus is violated, it will be disconnected from the network until the Guardians resolve the issue -- Smart Contract level data - via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains +- Smart contract level data - via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains - Guardian Level activity - the Guardian Network functions as an autonomous decentralized computing network, complete with its blockchain (**[Gateway](#){target=\_blank}**) ## Gateway & Asset Layer Protections From 95499978650bd8de1edfea1c5e0c88347fd80d5f Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:03:49 +0200 Subject: [PATCH 22/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index f7c77983..922d0f20 100644 --- a/learn/security.md +++ b/learn/security.md @@ -62,7 +62,7 @@ Guardians monitor: - Block production and consensus of each blockchain - if a blockchain's consensus is violated, it will be disconnected from the network until the Guardians resolve the issue - Smart contract level data - via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains -- Guardian Level activity - the Guardian Network functions as an autonomous decentralized computing network, complete with its blockchain (**[Gateway](#){target=\_blank}**) +- Guardian level activity - the Guardian Network functions as an autonomous decentralized computing network, complete with its blockchain (**[Gateway](#){target=\_blank}**) ## Gateway & Asset Layer Protections From 259fbeca63bf18de04c1a7e08ba3052786ca04e1 Mon Sep 17 00:00:00 2001 From: Ilaria Enache Date: Mon, 29 Jul 2024 12:04:43 +0200 Subject: [PATCH 23/30] Resolved conflicts in learn/security.md --- learn/security.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/learn/security.md b/learn/security.md index f7c77983..429e4a9f 100644 --- a/learn/security.md +++ b/learn/security.md @@ -52,16 +52,12 @@ The governance system is fully open source in the core repository. See the **[Op A key element of Wormhole's defense-in-depth strategy is that each Guardian is a highly competent validator company with its own in-house processes for running, monitoring, and securing blockchain operations. This heterogeneous approach to monitoring increases the likelihood that fraudulent activity is detected and reduces the number of single failure points in the system. -<<<<<<< HEAD -Guardians are not just running Wormhole validators; they're running validators for every blockchain inside of Wormhole as well, which allows them to perform monitoring holistically across decentralized computing, rather than just at a few single points. -======= Guardians are not just running Wormhole validators; they're running validators for every blockchain inside of Wormhole as well, which allows them to perform monitoring holistically across decentralized computing rather than just at a few single points. ->>>>>>> fea029b8d60ce1d9e3a72dd6b5aa867999f0b737 Guardians monitor: - Block production and consensus of each blockchain - if a blockchain's consensus is violated, it will be disconnected from the network until the Guardians resolve the issue -- Smart contract level data - via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains +- Smart Contract level data - via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains - Guardian Level activity - the Guardian Network functions as an autonomous decentralized computing network, complete with its blockchain (**[Gateway](#){target=\_blank}**) ## Gateway & Asset Layer Protections From 0d0f3001afa1cbd5d6fa1f321a98f7a478898bce Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:06:39 +0200 Subject: [PATCH 24/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index 541fe122..cdf9b31a 100644 --- a/learn/security.md +++ b/learn/security.md @@ -60,7 +60,7 @@ Guardians monitor: - Smart contract level data - via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains - Guardian level activity - the Guardian Network functions as an autonomous decentralized computing network, complete with its blockchain (**[Gateway](#){target=\_blank}**) -## Gateway & Asset Layer Protections +## Gateway And Asset Layer Protections One of the most powerful aspects of the Wormhole ecosystem is that Guardians effectively have **the entire state DeFi available to them**. From d3e560e789c1cc15c94c90376a6b764bb02ae588 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:07:01 +0200 Subject: [PATCH 25/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index cdf9b31a..c13fda48 100644 --- a/learn/security.md +++ b/learn/security.md @@ -62,7 +62,7 @@ Guardians monitor: ## Gateway And Asset Layer Protections -One of the most powerful aspects of the Wormhole ecosystem is that Guardians effectively have **the entire state DeFi available to them**. +One of the most powerful aspects of the Wormhole ecosystem is that Guardians effectively have the entire state of DeFi available to them. Gateway is a Cosmos-based blockchain that runs internally to the Guardian network, whereby the Guardians can effectively execute smart contracts against the current state of all blockchains rather than just one blockchain. From 66b22e01010439ac665dc3e3d2f4bfd54633e2f0 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:07:50 +0200 Subject: [PATCH 26/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 1 + 1 file changed, 1 insertion(+) diff --git a/learn/security.md b/learn/security.md index c13fda48..037e1ef5 100644 --- a/learn/security.md +++ b/learn/security.md @@ -67,6 +67,7 @@ One of the most powerful aspects of the Wormhole ecosystem is that Guardians eff Gateway is a Cosmos-based blockchain that runs internally to the Guardian network, whereby the Guardians can effectively execute smart contracts against the current state of all blockchains rather than just one blockchain. This enables additional protection for the Wormhole Asset Layer in addition to the core assumptions: + - **Global Accountant** - the accountant tracks the total circulating supply of all Wormhole assets across all chains and prevents any blockchain from bridging assets which would violate the supply invariant In addition to the Global Accountant, Guardians may only sign transfers that do not violate the requirements of the Governor. The **[Governor](https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0007_governor.md){target=\_blank}** tracks inflows and outflows of all blockchains and delays suspicious transfers which may be indicative of an exploit. From 8fb1f2be9dab6097a6a694a464675b89d1dbdf29 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:08:05 +0200 Subject: [PATCH 27/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index 037e1ef5..ac4af781 100644 --- a/learn/security.md +++ b/learn/security.md @@ -70,7 +70,7 @@ This enables additional protection for the Wormhole Asset Layer in addition to t - **Global Accountant** - the accountant tracks the total circulating supply of all Wormhole assets across all chains and prevents any blockchain from bridging assets which would violate the supply invariant -In addition to the Global Accountant, Guardians may only sign transfers that do not violate the requirements of the Governor. The **[Governor](https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0007_governor.md){target=\_blank}** tracks inflows and outflows of all blockchains and delays suspicious transfers which may be indicative of an exploit. +In addition to the Global Accountant, Guardians may only sign transfers that do not violate the requirements of the Governor. The **[Governor](https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0007_governor.md){target=\_blank}** tracks inflows and outflows of all blockchains and delays suspicious transfers that may indicate an exploit. ## Open Source From 642430d9a941130e379f32f1a962595d3bf81535 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:08:15 +0200 Subject: [PATCH 28/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index ac4af781..e895c18d 100644 --- a/learn/security.md +++ b/learn/security.md @@ -76,7 +76,7 @@ In addition to the Global Accountant, Guardians may only sign transfers that do Wormhole builds in the open and is always open source. -- **[Wormhole Core Repository](https://github.com/wormhole-foundation/wormhole){target=\_blank}** +- **[Wormhole core repository](https://github.com/wormhole-foundation/wormhole){target=\_blank}** - **[Wormhole Foundation Github Organization](https://github.com/wormhole-foundation){target=\_blank}** - **[Wormhole contract deployments](#){target=\_blank}** From 1567c38a42d8b27ac031d1493a7ce1dc123053e6 Mon Sep 17 00:00:00 2001 From: Ilaria <43253244+ilariae@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:08:26 +0200 Subject: [PATCH 29/30] Update learn/security.md Co-authored-by: Erin Shaben --- learn/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/learn/security.md b/learn/security.md index e895c18d..2bc9d49f 100644 --- a/learn/security.md +++ b/learn/security.md @@ -77,7 +77,7 @@ In addition to the Global Accountant, Guardians may only sign transfers that do Wormhole builds in the open and is always open source. - **[Wormhole core repository](https://github.com/wormhole-foundation/wormhole){target=\_blank}** -- **[Wormhole Foundation Github Organization](https://github.com/wormhole-foundation){target=\_blank}** +- **[Wormhole Foundation GitHub organization](https://github.com/wormhole-foundation){target=\_blank}** - **[Wormhole contract deployments](#){target=\_blank}** ## Audits From 3114c1e55e851bda80dbb1cd58ad64bcef910a14 Mon Sep 17 00:00:00 2001 From: Ilaria Enache Date: Mon, 29 Jul 2024 12:44:41 +0200 Subject: [PATCH 30/30] update security page --- learn/security.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/learn/security.md b/learn/security.md index 2bc9d49f..dada2890 100644 --- a/learn/security.md +++ b/learn/security.md @@ -12,7 +12,7 @@ some missing links will need to be added when pages are created At its core, Wormhole is secured by a network of [Guardian](#){target=\_blank} nodes that validate and sign messages. If a super majority (e.g., 13 out of 19) of Guardians sign the same message, it can be considered valid. A smart contract on the target chain will verify the signatures and format of the message before approving any transaction. - Wormhole's core security primitive is its signed messages (signed VAAs) -- The Guardian network is currently secured by a collection of 19 of the world's top **[validator companies](https://wormhole-foundation.github.io/wormhole-dashboard/#/?endpoint=Mainnet){target=\_blank}** +- The Guardian network is currently secured by a collection of 19 of the world's top [validator companies](https://wormhole-foundation.github.io/wormhole-dashboard/#/?endpoint=Mainnet){target=\_blank} - Guardians produce signed state attestations (signed VAAs) when requested by a Core Contract integrator - Every Guardian runs full nodes (rather than light nodes) of every blockchain in the Wormhole network, so if a blockchain suffers a consensus attack or hard fork, the blockchain will disconnect from the network rather than potentially produce invalid signed VAAs - Any Signed VAA can be verified as authentic by the Core Contract of any other chain @@ -46,7 +46,7 @@ Via governance, the Guardians can: - Expand the Guardian set - Upgrade ecosystem contract implementations -The governance system is fully open source in the core repository. See the **[Open Source section](#){target=\_blank}** for contract source. +The governance system is fully open source in the core repository. See the [Open Source section](#){target=\_blank} for contract source. ## Monitoring @@ -58,7 +58,7 @@ Guardians monitor: - Block production and consensus of each blockchain - if a blockchain's consensus is violated, it will be disconnected from the network until the Guardians resolve the issue - Smart contract level data - via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains -- Guardian level activity - the Guardian Network functions as an autonomous decentralized computing network, complete with its blockchain (**[Gateway](#){target=\_blank}**) +- Guardian level activity - the Guardian Network functions as an autonomous decentralized computing network, complete with its blockchain ([Gateway](#){target=\_blank}) ## Gateway And Asset Layer Protections @@ -70,7 +70,7 @@ This enables additional protection for the Wormhole Asset Layer in addition to t - **Global Accountant** - the accountant tracks the total circulating supply of all Wormhole assets across all chains and prevents any blockchain from bridging assets which would violate the supply invariant -In addition to the Global Accountant, Guardians may only sign transfers that do not violate the requirements of the Governor. The **[Governor](https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0007_governor.md){target=\_blank}** tracks inflows and outflows of all blockchains and delays suspicious transfers that may indicate an exploit. +In addition to the Global Accountant, Guardians may only sign transfers that do not violate the requirements of the Governor. The [Governor](https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0007_governor.md){target=\_blank} tracks inflows and outflows of all blockchains and delays suspicious transfers that may indicate an exploit. ## Open Source @@ -82,7 +82,7 @@ Wormhole builds in the open and is always open source. ## Audits -Wormhole has been heavily audited, with **29 third-party audits completed** and more started. +Wormhole has been heavily audited, with _29 third-party audits completed_ and more started. Wormhole has had audits performed by the following firms, and continues to seek more: @@ -96,7 +96,7 @@ Wormhole has had audits performed by the following firms, and continues to seek - Coinspect - Halborn -**[The most up-to-date list of audits, as well as the final reports](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md#3rd-party-security-audits){target=\blank}**. +[The most up-to-date list of audits, as well as the final reports](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md#3rd-party-security-audits){target=\blank}. ## Bug Bounties @@ -104,15 +104,15 @@ Wormhole has one of the largest bug bounty programs in software development and Wormhole hosts two bug bounty programs: -- An **[Immunefi](https://immunefi.com/bug-bounty/wormhole/){target=\blank}** program -- As well as a **[self-hosted program](https://immunefi.com/bug-bounty/wormhole/){target=\blank}** +- An [Immunefi](https://immunefi.com/bug-bounty/wormhole/){target=\blank} program +- As well as a [self-hosted program](https://immunefi.com/bug-bounty/wormhole/){target=\blank} -Both platforms have a top payout of **2.5 million dollars**. +Both platforms have a top payout of _2.5 million dollars_. -If you are interested in contributing to Wormhole security, please look at this section for **[Getting Started as a White Hat](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md#white-hat-hacking){target=\blank}**, and follow the **[Wormhole Contributor Guidelines](https://github.com/wormhole-foundation/wormhole/blob/main/CONTRIBUTING.md){target=\blank}**. +If you are interested in contributing to Wormhole security, please look at this section for [Getting Started as a White Hat](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md#white-hat-hacking){target=\blank}, and follow the [Wormhole Contributor Guidelines](https://github.com/wormhole-foundation/wormhole/blob/main/CONTRIBUTING.md){target=\blank}. For more information about submitting to the bug bounty programs, refer to the [Wormhole Immunefi page](https://immunefi.com/bug-bounty/wormhole/){target=\blank}. ## Learn More -The **[SECURITY.md](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md){target=\blank}** from the official repository has the latest security policies and updates. +The [SECURITY.md](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md){target=\blank} from the official repository has the latest security policies and updates.