Securing the dYdX Chain: Announcing our Bug Bounty Program

Intro

We are excited to introduce our new bug bounty program! We recently announced that all core dYdX Chain (v4) software GitHub repos have been made public, and are now inviting the community to help us identify any vulnerabilities to improve the security of the dYdX Chain.

Help us make the dYdX Chain even more secure by participating in our bug bounty program today!

Program Rewards

Rewards will be paid out in USDC based on the severity of the vulnerability, as determined at the sole discretion of dYdX, and subject to the terms in this post. Payment ranges for the different severity levels are as follows:

  • Low: $50 - $5,000

    • E.g. Display or event-parsing issues

  • Medium: $5,000 - $50,000

    • E.g. Issues leading to non-core-product failures of the exchange such as staking or governance

  • High: $50,000 - $150,000

    • E.g. Issues leading to network downtime or liveness failures

  • Critical: $150,000 - $1,000,000, depending on the potential impact of the critical vulnerability. Extraordinary finds in this category could extend up to $5,000,000.

    • E.g. Issues leading to bugs or attacks resulting in significant loss of funds.

Scope and Timeline

The bug bounty applies to all code found in the protocol and indexer folders of the v4-chain repository, as well as any code in the web and client repos. Please note that reports concerning read-only functionality of the product, especially in the indexer, web front end, and client code, will generally fall under the lower severity levels.

Rewards are offered for the discovery and reporting of bugs and vulnerabilities that significantly impact the operation of the dYdX Chain in a production environment, including effects such as loss of functionality or loss of funds.

Examples of cases ineligible for a bug bounty reward:

  • Vulnerabilities already known to the public or dYdX, including findings disclosed by our auditors and any previous findings from other bug bounty participants

  • Bugs that are not reproducible

  • Unsophisticated or generic DoS attacks

  • Social engineering

  • Any type of physical attack

Please see the Bug Bounty Terms for more information on scope.

Eligibility

To be eligible for a bug bounty award, the following is required:

  • Disclosure to bugbounty@dydx.exchange must be made promptly following the discovery of the vulnerability.

  • Disclosure must be made directly to bugbounty@dydx.exchange and not to any other party, without our explicit consent.

  • The vulnerability and all details must remain confidential between you and dYdX.

  • The vulnerability must be reported without any conditions, demands, or threats.

  • The report must include sufficient detail to allow us to quickly understand and reproduce the vulnerability.

Please review the complete Bug Bounty Terms.

Program Terms

This bug bounty program is subject to the Bug Bounty Program Terms and Conditions (the “Bug Bounty Terms”), v4 Terms of Use and the following terms (these “Terms”). In the event of a conflict between these Terms and the Program Terms, these Terms will prevail, except with respect to Sections 1 (Eligibility), 4 (Payment), and 5 (Administration) of the Bug Bounty Terms that will always prevail.

Thank you

Thank you for helping to make the dYdX Chain more secure! For questions specific to security and the bug bounty program, please contact bugbounty@dydx.exchange.

About dYdX and General Terms

Here at dYdX, our mission is to democratize access to financial opportunity. We believe the release of v4 software will represent notable progress in service of that mission. The events that have transpired over the last year have only reinforced the need for open, transparent, and permissionless financial products. We’re excited for v4 software to better meet those needs.

If building the future of a decentralized exchange and open finance is something you’re interested in, check out what it’s like to work at dYdX and our open roles!

To ask additional questions, join the discussion on Discord, participate in the dYdX community, or follow us on Twitter. We’re excited to continue building the dYdX Chain and will continue to release updates over the coming months.

Terms and Conditions: This post is subject to the dYdX Terms of Use. The dYdX interface and products are not available to persons or entities who reside in, are located in, are incorporated in, or have registered offices in the United States or Canada ("Blocked Persons"), or other Restricted Persons (as defined in the dYdX Terms of Use). dYdX products and services are not intended for, and should not be used by, Blocked Persons or Restricted Persons. Terms of Use specific to v4 software can be found here.