Every smart contract audit report classifies findings by severity. But what makes a finding "Critical" versus "Medium"? What should you fix immediately versus defer to the next release? Understanding severity classification helps you prioritize remediation, communicate risk to stakeholders, and make informed deployment decisions.
## Severity Levels in Smart Contract Audits

### 🔴 Critical

Definition: Direct, exploitable vulnerability that leads to loss of all user funds, protocol takeover, or permanent protocol failure.

Examples: Unprotected admin function, reentrancy leading to fund drain, broken access control on withdrawals.

Action: Do NOT deploy. Fix immediately. Re-audit the fix.

### 🟠 High

Definition: Vulnerability that can lead to significant fund loss, unauthorized actions, or protocol manipulation under specific conditions.

Examples: Oracle manipulation possible with flash loans, missing slippage protection, governance without voting delay.

Action: Fix before deployment. Document any accepted risk.

### 🟡 Medium

Definition: Vulnerability with limited exploit impact or requiring unlikely conditions. May lead to partial fund loss or degraded protocol operation.

Examples: Precision loss in fee calculation, missing event emissions, centralization risk with single admin key.

Action: Fix if feasible. Document and monitor if deferred.

### 🔵 Low

Definition: Minor issues that are unlikely to be exploited but represent suboptimal security practices.

Examples: Floating pragma, unused variables, non-standard naming conventions.

Action: Good practice to fix. Not a deployment blocker.

### ℹ️ Informational

Definition: Code quality suggestions, gas optimizations, and best practice recommendations.

Action: Consider for future improvements.
## How Vultbase Scores Findings

Our scoring considers three factors:
- Impact: What's the maximum damage if exploited? (Fund loss, DoS, information leak)
- Likelihood: How easy is it to exploit? (Anyone can do it vs. requires specific conditions)
- Scope: Does it affect all users or a subset?
| | High Impact | Medium Impact | Low Impact |
|---|---|---|---|
| High Likelihood | 🔴 Critical | 🟠 High | 🟡 Medium |
| Medium Likelihood | 🟠 High | 🟡 Medium | 🔵 Low |
| Low Likelihood | 🟡 Medium | 🔵 Low | ℹ️ Info |
## Communicating Findings to Stakeholders

- ✅ Lead with Critical/High findings — these are deployment blockers
- ✅ Provide clear remediation guidance for each finding
- ✅ Track finding status: Open → In Progress → Fixed → Verified
- ✅ Re-test all Critical/High fixes before considering the issue resolved
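The scoring matrix above and the Open → In Progress → Fixed → Verified workflow can be encoded as a small triage model, so that the deployment-blocker rule and the "re-test before Verified" rule for Critical/High fixes are enforced by code rather than by convention. The following is an added example, not Vultbase's own tooling: the matrix is transcribed from the table, the sample findings are constructed from the examples in the post, and the use of scope purely as an ordering tie-breaker within a severity band is an assumption (the post lists scope as a factor but does not say how it feeds into the matrix).

```python
"""Severity scoring and remediation-tracking model (added example, not Vultbase code)."""
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    """Impact or likelihood rating; higher value is worse."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Severity(Enum):
    """Final severity; the value is the rank used for triage ordering (5 = worst)."""
    INFORMATIONAL = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    CRITICAL = 5


# (impact, likelihood) -> severity, transcribed from the Impact x Likelihood table.
MATRIX = {
    (Level.HIGH, Level.HIGH): Severity.CRITICAL,
    (Level.HIGH, Level.MEDIUM): Severity.HIGH,
    (Level.HIGH, Level.LOW): Severity.MEDIUM,
    (Level.MEDIUM, Level.HIGH): Severity.HIGH,
    (Level.MEDIUM, Level.MEDIUM): Severity.MEDIUM,
    (Level.MEDIUM, Level.LOW): Severity.LOW,
    (Level.LOW, Level.HIGH): Severity.MEDIUM,
    (Level.LOW, Level.MEDIUM): Severity.LOW,
    (Level.LOW, Level.LOW): Severity.INFORMATIONAL,
}

# Critical and High findings are deployment blockers until Verified.
DEPLOYMENT_BLOCKERS = {Severity.CRITICAL, Severity.HIGH}


class Status(Enum):
    OPEN = "Open"
    IN_PROGRESS = "In Progress"
    FIXED = "Fixed"
    VERIFIED = "Verified"


# Linear workflow: no state may be skipped.
ALLOWED_TRANSITIONS = {
    Status.OPEN: {Status.IN_PROGRESS},
    Status.IN_PROGRESS: {Status.FIXED},
    Status.FIXED: {Status.VERIFIED},
    Status.VERIFIED: set(),
}


@dataclass
class Finding:
    title: str
    impact: Level
    likelihood: Level
    affects_all_users: bool  # scope factor; assumption: used only as an ordering tie-breaker
    status: Status = Status.OPEN
    retested: bool = False

    @property
    def severity(self) -> Severity:
        return MATRIX[(self.impact, self.likelihood)]

    @property
    def blocks_deployment(self) -> bool:
        return self.severity in DEPLOYMENT_BLOCKERS and self.status is not Status.VERIFIED

    def transition(self, new_status: Status, retested: bool = False) -> "Finding":
        """Advance the finding one workflow step; Critical/High need a re-test to reach Verified."""
        if new_status not in ALLOWED_TRANSITIONS[self.status]:
            raise ValueError(f"{self.title}: cannot move from {self.status.value} to {new_status.value}")
        if new_status is Status.VERIFIED and self.severity in DEPLOYMENT_BLOCKERS and not retested:
            raise ValueError(f"{self.title}: {self.severity.name} fixes must be re-tested before Verified")
        self.status = new_status
        self.retested = self.retested or retested
        return self


def triage_order(findings):
    """Severity descending; within a band, protocol-wide findings before subset-scoped ones."""
    return sorted(findings, key=lambda f: (f.severity.value, f.affects_all_users), reverse=True)


def deployment_gate(findings):
    """Return (ok, blocker_titles): ok is False while any Critical/High finding is not Verified."""
    blockers = [f.title for f in findings if f.blocks_deployment]
    return (not blockers, blockers)


def sample_findings():
    """Constructed sample findings, modelled on the examples given in the post."""
    return [
        Finding("Floating pragma", Level.LOW, Level.MEDIUM, affects_all_users=True),
        Finding("Precision loss in fee calculation", Level.MEDIUM, Level.MEDIUM, affects_all_users=False),
        Finding("Oracle manipulation via flash loan", Level.HIGH, Level.MEDIUM, affects_all_users=True),
        Finding("Unprotected admin function", Level.HIGH, Level.HIGH, affects_all_users=True),
        Finding("Unused variables", Level.LOW, Level.LOW, affects_all_users=False),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    for f in triage_order(findings):
        print(f"{f.severity.name:<14} {f.title}")
    ok, blockers = deployment_gate(findings)
    print("deploy ok:", ok, "blockers:", blockers)
```

Running the module prints the findings in the order you would lead with in a stakeholder update and reports that deployment is blocked by the Critical and High items; the gate only opens once each of those has passed through Fixed and been re-tested into Verified, while a Medium finding can be verified without a re-test flag.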
Every Vultbase audit report includes severity-scored findings with clear remediation steps. Get your first report and know exactly where your contracts stand.