Severity Model
Consistent severity classification is critical for effective triage. We use a 5-tier model that accounts for both impact and exploitability.
Critical
Direct loss of funds, protocol takeover, or irreversible damage that can be exploited without special conditions. Requires immediate fix before deployment.
High
Significant financial impact or protocol disruption that requires specific but realistic conditions. Should be fixed before deployment.
Medium
Limited financial impact or requires unlikely conditions. May affect protocol functionality or user experience. Should be addressed.
Low
Minor issues with negligible financial impact. Best practice violations, gas inefficiencies, or code quality concerns.
Informational
Observations, suggestions, and code style notes. No security impact, but addressing them improves code quality and maintainability.
Scoring Methodology
Each finding is scored along two axes: Impact (what happens if the issue is exploited) and Likelihood (how realistic exploitation is in practice). The combination of the two determines the final severity. We follow industry-standard frameworks aligned with the Ethereum Foundation and Code4rena severity standards, with protocol-specific adjustments for DeFi, NFT, and governance contexts.
See our severity model in action
Browse our public audit reports to see how findings are classified.