Reward by Threat Level
How CertiK maps a vulnerability's threat level to a reward, and how feasibility factors in.
This explains how CertiK maps a vulnerability's threat level to a reward, and how feasibility is factored in. It applies to two asset categories: Smart Contracts and Blockchain / DLT. (Web & App scope follows each program's published table.)
Status: Draft framework — the impact taxonomy is still in development. The definitions below are working drafts; concrete, testable criteria will replace them as the taxonomy is finalized. Each program's exact reward figures are published on its own page.
#Principles
- Impact-first. A finding is rated by the real-world consequence of a successful exploit — not by its novelty or the effort to find it.
- Separation of impact and feasibility. What an exploit could do and how practical it is to pull off are scored separately. Potential impact sets the starting threat level; feasibility then downgrades that level to match the realistic impact. The reward always follows from the final threat level — feasibility never reduces a reward directly.
- Bounded and predictable. Every reward is published in advance — a minimum–maximum band for value-scaled smart-contract tiers, or a single flat amount for DLT tiers and the smart-contract Medium tier — so you know the upside and projects can plan the cost.
Threat levels are Critical · High · Medium. There is no Low tier.
#Impact taxonomy (in development)
CertiK is building its own impact taxonomy — the definitive list of which concrete impacts map to each threat level. The definitions below are working drafts. The "Where the line sits" column states the test that separates one tier from the next, so terms like significant or recoverable have a concrete boundary.
#Smart Contracts
| Threat Level | Working definition | Where the line sits |
|---|---|---|
| Critical | Outcomes affecting protocol solvency or the custody of user/protocol assets. | Funds are lost or locked permanently — not recoverable through normal operation, an admin pause, or an upgrade. |
| High | Serious outcomes that are recoverable or bounded in scope. | Loss or lock is temporary or capped — recoverable via admin action or normal operation, or limited to a defined subset (e.g. unclaimed yield), with no permanent loss of principal. |
| Medium | Material disruption that does not put principal at risk. | Function is degraded or a cost is imposed (e.g. griefing, wasted gas), but all assets remain safe and recoverable. |
#Blockchain / DLT
| Threat Level | Working definition | Where the line sits |
|---|---|---|
| Critical | Network-wide failure or irreversible loss at the protocol layer. | The chain halts entirely, requires a hard fork to fix, or permanently loses funds — no self-recovery. |
| High | Significant but recoverable disruption to network operation. | The network returns to normal without a coordinated hard fork, and the disruption is temporary or confined to part of the network. Examples: a consensus stall holding block production at ≥ 3× the recent average block time before clearing; a chain split that reconciles once nodes resynchronise; the crash of an RPC/API layer relied on by services representing ≥ 20% of network value or activity, until restarted. |
| Medium | Localized degradation of network performance or behavior. | A measurable but bounded impact on part of the network — no chain halt, no loss of funds. Examples: a crash taking down ≥ 15% of processing nodes which then recover; node resource use rising ≥ 25%; mempool spam temporarily raising fees or slowing confirmation; block time staying below the 3× High threshold. |
#From threat level to reward
A finding converts to a reward in four steps:
- Impact — what a successful exploit could do.
- Threat level — Critical / High / Medium, assigned from the impact taxonomy.
- Reward model — the value-scaled band (Smart Contracts) or flat rate (DLT) for that tier.
- Feasibility adjustment — the threat level is downgraded where the exploit is less practical than its full potential suggests.
CertiK uses two reward models, chosen by asset type:
- Smart Contracts → value-scaled (a minimum–maximum band), because funds at risk can be measured directly from on-chain state.
- Blockchain / DLT → flat rate per tier, because the value at risk at the network layer cannot be measured reliably.
#Smart Contracts — value-scaled
| Threat Level | Reward basis | Bounds |
|---|---|---|
| Critical | Scaled to the value of assets placed at risk | Published minimum and maximum |
| High | Scaled to value at risk and the extent/duration of impact | Published minimum and maximum |
| Medium | Fixed amount per program | Single value |
Value at risk means the maximum extractable loss — the largest amount an attacker could extract if the bug were exploited to its fullest, not the figure a proof-of-concept happens to show. A bug demonstrated with a small PoC that could scale to drain more is valued at the larger amount and stays Critical. How hard the exploit is to execute is handled separately by feasibility.
Materiality gate. Where the maximum that can ever be lost is below the Critical minimum, the finding's impact type stays "fund theft / Critical," but its final threat level is lowered to the tier whose reward is proportionate to that maximum (down to Medium) — so a program never pays a Critical minimum larger than the funds it actually protected.
#Blockchain / DLT — flat rates
Each tier (Critical / High / Medium) pays a single published amount per program. There is no min–max band and no value-scaling step; the flat rate is the reward for that tier.
Negligible-scope carve-out. A protocol-layer fund-loss or fund-freeze impact that is negligible in scope is rated by magnitude — placed in the tier matching its realistic size rather than awarded the full Critical rate. (This is the DLT counterpart of the smart-contract materiality gate.)
Why DLT uses flat rates: network-layer impacts have no single measurable pool of "funds at risk" — a consensus halt or chain split endangers the entire network's value and operation, not an identifiable balance. A defensible value-at-risk estimate would need heavy, time-sensitive, network-wide simulation that two reviewers could model very differently. A flat rate per tier keeps DLT rewards fast to assess, consistent between reviewers, and predictable, while the taxonomy still places each finding in the correct tier with a coarse threshold check (e.g. "does this affect ≥ 20% of network activity?").
#Feasibility adjustment (the final step)
The earlier steps set a finding's preliminary threat level and reward from its full potential impact. The final step tests how practical the exploit actually is.
Potential impact sets the starting threat level. Feasibility then downgrades that threat level to match how achievable the exploit truly is. When the realistic, achievable impact is materially lower than the theoretical maximum, the finding is moved down one or more tiers (e.g. Critical → High) and paid at the lower tier's rate.
Feasibility has one lever, for both Smart Contracts and DLT: it lowers the threat level — never the reward within a tier, and never upward. A heavily constrained Critical is moved out of Critical, rather than paid the Critical minimum for a barely-exploitable bug. (Within a smart-contract band, position is set by value at risk, not by how hard the exploit is.)
Floor guarantee. Once the final threat level is set — after any feasibility downgrade or materiality-gate adjustment — the payout is never below that tier's published minimum. For fixed tiers (smart-contract Medium and all DLT tiers) the single published amount is that minimum. A finding only reaches Critical if its impact is both genuinely realizable (feasibility) and material in size (materiality gate).
#Worked example
| Element | Value |
|---|---|
| Reported potential loss | $1,000,000,000 |
| Potential impact | $1,000,000,000 — raw magnitude, assessed independently of feasibility |
| Preliminary threat level | Critical (from the potential impact) |
| Practical constraint | Execution requires capital exceeding what exists in the market, so realistic impact is far lower |
| Feasibility adjustment | Threat level downgraded to the tier reflecting the realistic, achievable effect |
| Reward outcome | Still eligible for payment, but paid at the adjusted (lower) tier — not the full Critical amount |
#Summary
| Dimension | Critical | High | Medium |
|---|---|---|---|
| Meaning | Permanent loss/lock or network-wide failure | Temporary or bounded loss; recoverable disruption | Material disruption, no principal at risk |
| Reward (Smart Contracts) | Scaled to value at risk, within min–max | Scaled to value at risk + duration, within min–max | Fixed amount per program |
| Reward (Blockchain / DLT) | Flat rate per tier | Flat rate per tier | Flat rate per tier |
| Feasibility | Downgrades the threat level (SC and DLT) to match realistic impact; never scales within a tier. The final tier pays at least its minimum. | Same | Same |
This is a living document. The impact taxonomy and the smart-contract adjustment parameters are actively being developed and will be versioned as they are finalized. For the exact reward figures, see each program's page; for the general reward rules see Scope & Rewards.