Announcing Bug Bounties for the dYdX Margin Trading Protocol
Calling on the community and all bug bounty hunters to help identify bugs in our smart contracts
In preparation for a mainnet release, we have completed rigorous testing of all of our smart contracts. Additionally, we’ve open sourced our code and engaged multiple independent security firms to perform audits: CryptoFin, ZK Labs and Soho Token Labs.
Now, we’re excited to launch our bug bounty program. We take the security of the protocol very seriously, and we’re seeking help from the broader community to find bugs in the dYdX Margin Trading Protocol in advance of our launch. We hope that an additional layer of rigorous testing by the community will contribute to a secure and safe launch. Below we outline the submission process for the bug bounty program.
We are opening the bug bounty today. We are also releasing our independent audit reports, which describe the bugs and exploits already identified. The bug bounty will remain open through September 30, 2018.
- All bug bounty submissions must be based on the commit hash 3688a423d193134932234a5dae86316b6c0028f8.
- We will only consider submissions describing issues not already identified in the whitepaper or in the previous audit reports: CryptoFin (Margin and Bucket Lender), ZK Labs (Margin) and Soho Token Labs (Bucket Lender).
- When duplicate reports are received, we may award only the first report received.
- Before discussing your findings publicly, please inform us and allow us a reasonable timeframe to fix the vulnerability.
Please send your submission to firstname.lastname@example.org.
Compensation will be based primarily on the severity of the bug found. To determine a bug’s severity, we will use the OWASP risk assessment methodology, which rates an issue by combining the likelihood of exploitation with its impact.
In calculating the payout, we will also consider the quality of the submission: a clear description, a reproducible test case, and a proposed fix. The payouts are guided by the estimates below but are determined at the sole discretion of dYdX.
- Note: up to $500 USD
- Low: up to $2,000 USD
- Medium: up to $5,000 USD
- High: up to $20,000 USD
- Critical: up to $50,000 USD
All bounties are payable in USD (or the equivalent ETH value at the time of payment).
If you’d like to help us build the future of finance, take a look at our open roles across engineering, design and operations!