We are excited to introduce our new bug bounty program! We recently announced that all core dYdX Chain (v4) software GitHub repos have been made public, and are now inviting the community to help us identify any vulnerabilities to improve the security of the dYdX Chain.
Help us make the dYdX Chain even more secure by participating in our bug bounty program today!
Payments will be paid out in USDC based on the severity of the vulnerability, based on the sole discretion of dYdX, and subject to the terms in this post. Payment ranges for different levels of severity are as follows:
Low: $50 - $5,000
E.g. Display or event-parsing issues
Medium: $5,000 - $50,000
E.g. Issues leading to non-core-product failures of the exchange such as staking or governance
High: $50,000 - $150,000
E.g. Issues leading to network downtime or liveness failures
Critical: $150,000 - $1,000,000, depending on the potential impact of the critical vulnerability. Extraordinary finds in this category could extend up to $5,000,000.
E.g. Issues leading to bugs or attacks resulting in significant loss of funds.
Scope and Timeline
The bug bounty applies to all code found in the protocol and indexer folders of the v4-chain repository, as well as any code in the web and client repos. Please note that reports for read-only functions for the product, especially in the indexer, web front end, and client code, will generally fall under the lower severity levels.
Rewards are offered for the discovery and reporting of bugs and vulnerabilities that significantly impact the operation of the dYdX Chain in a production environment, including effects such as loss of functionality or loss of funds.
Examples of cases ineligible for a bug bounty reward:
Vulnerabilities already known to the public or dYdX, including findings disclosed by our auditors and any previous findings from other bug bounty participants
Bugs that are not reproducible
Unsophisticated or generic DOS attacks
Any type of physical attack
Please see the Bug Bounty Terms for more information on scope.
In order to be eligible for a bug bounty award, we will require the following:
Disclosure to email@example.com must be made promptly following the discovery of the vulnerability.
Disclosure must be made directly to firstname.lastname@example.org and not to any other party, without our explicit consent.
The vulnerability and all details must remain confidential between you and dYdX.
The vulnerability must be reported without any conditions, demands, or threats.
The report must include sufficient detail to allow us to quickly understand and reproduce the vulnerability.
Please review the complete Bug Bounty Terms.
Thank you for helping to make the dYdX Chain more secure! For questions specific to security and the bug bounty program, please contact email@example.com.
About dYdX and General Terms
Here at dYdX, our mission is to democratize access to financial opportunity. We believe the release of v4 software will represent notable progress in service of that mission. The events that have transpired over the last year have only reinforced the need for open, transparent, and permissionless financial products. We’re excited for v4 software to better meet those needs.
To ask additional questions, join the discussion on Discord, participate in the dYdX community, or follow us on Twitter. We’re excited to continue building the dYdX Chain and will continue to release updates over the coming months.