# Severity classifications {% hint style="warning" %} Code4rena bounties are judged by the sponsor team. As such, the following guidelines are merely general, and may be overridden by the severity criteria established in each bounty's repo `README`. {% endhint %} ## High likelihood A finding with high likelihood is defined as a vulnerability purely exploitable by code without social engineering or privileged access, where 1. the attacker has control over creating the requisite circumstances; *and* 2. requisite circumstances not under control of the attacker can be reasonably expected to occur and can be predicted or anticipated by the attacker using publicly available information. Exploit complexity, sophistication, and expertise are not considered factors in determining likelihood. ## Critical severity A **Critical severity finding** is a high impact issue which has a high likelihood of being exploited, where the impact could result in: * Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results * Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield * Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties * Permanent freezing of funds * Permanent freezing of NFTs * Unauthorized minting of NFTs * Predictable or manipulable RNG that results in abuse of the principal or NFT * Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content) * Protocol insolvency ## High severity A **High severity finding** is a high impact issue with any likelihood which results in: * Theft of unclaimed yield * Theft of unclaimed royalties * Permanent freezing of unclaimed yield * Permanent freezing of unclaimed royalties * Temporary freezing of funds * Temporary freezing NFTs ## WontFix A **WontFix finding** is an impact issue which has been deemed valid but which the Sponsor chooses not to take action on. ## Out of scope * Impacts requiring attacks that the warden has already exploited themselves, leading to damage * Impacts caused by attacks requiring access to leaked keys/credentials * Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible * Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code * Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production * Best practice recommendations * Feature requests * Impacts on test files and configuration files unless stated otherwise in the bug bounty program * Smart Contracts/Blockchain DLT * Incorrect data supplied by third party oracles * Impacts requiring basic economic and governance attacks (e.g. 51% attack) * Lack of liquidity impacts * Impacts from Sybil attacks * Impacts involving centralization risks --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.code4rena.com/bounties/bounty-criteria.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.