September 19, 2023
March 27, 2025

Securing the dYdX Chain: Announcing our Bug Bounty Program


Intro

We are excited to introduce our new bug bounty program! We recently announced that all core dYdX Chain (v4) software GitHub repos have been made public, and are now inviting the community to help us identify any vulnerabilities to improve the security of the dYdX Chain.

Help us make the dYdX Chain even more secure by participating in our bug bounty program today!

Program Rewards

Rewards are paid out in USDC according to the severity of the vulnerability, at the sole discretion of dYdX, and subject to the terms in this post. Payment ranges for the different severity levels are as follows:

  • Low: $50 - $5,000
    • E.g. Display or event-parsing issues
  • Medium: $5,000 - $50,000
    • E.g. Issues leading to non-core-product failures of the exchange such as staking or governance
  • High: $50,000 - $150,000
    • E.g. Issues leading to network downtime or liveness failures
  • Critical: $150,000 - $1,000,000, depending on the potential impact of the critical vulnerability. Extraordinary finds in this category could extend up to $5,000,000.
    • E.g. Issues leading to bugs or attacks resulting in significant loss of funds.

Scope and Timeline

The bug bounty applies to all code found in the protocol and indexer folders of the v4-chain repository, as well as any code in the web and client repos. Please note that reports for read-only functions for the product, especially in the indexer, web front end, and client code, will generally fall under the lower severity levels.

Rewards are offered for the discovery and reporting of bugs and vulnerabilities that significantly impact the operation of the dYdX Chain in a production environment, including effects such as loss of functionality or loss of funds.

Examples of cases ineligible for a bug bounty reward:

  • Vulnerabilities already known to the public or dYdX, including findings disclosed by our auditors and any previous findings from other bug bounty participants
  • Bugs that are not reproducible
  • Unsophisticated or generic DoS attacks
  • Social engineering
  • Any type of physical attack

Please see the Bug Bounty Terms for more information on scope.

Eligibility

In order to be eligible for a bug bounty award, we will require the following:

  • Disclosure to bugbounty@dydx.exchange must be made promptly following the discovery of the vulnerability.
  • Disclosure must be made directly to bugbounty@dydx.exchange and not to any other party, without our explicit consent.
  • The vulnerability and all details must remain confidential between you and dYdX.
  • The vulnerability must be reported without any conditions, demands, or threats.
  • The report must include sufficient detail to allow us to quickly understand and reproduce the vulnerability.

Please review the complete Bug Bounty Terms.

Program Terms

This bug bounty program is subject to the Bug Bounty Program Terms and Conditions (the “Bug Bounty Terms”), v4 Terms of Use and the following terms (these “Terms”). In the event of a conflict between these Terms and the Program Terms, these Terms will prevail, except with respect to Sections 1 (Eligibility), 4 (Payment), and 5 (Administration) of the Bug Bounty Terms that will always prevail.

Thank you

Thank you for helping to make the dYdX Chain more secure! For questions specific to security and the bug bounty program, please contact bugbounty@dydx.exchange.

Legitimacy and Disclaimer

Crypto-assets can be highly volatile and trading crypto-assets involves risk of loss, particularly when using leverage. Investment into crypto-assets may not be regulated and may not be adequate for retail investors. Do your own research and due diligence before engaging in any activity involving crypto-assets.

dYdX is a decentralised, disintermediated and permissionless protocol, and is not available in the U.S. or to U.S. persons as well as in other restricted jurisdictions. The dYdX Foundation does not operate or participate in the operation of any component of the dYdX Chain’s infrastructure.

The dYdX Foundation’s purpose is to support the current implementation and any future implementations of the dYdX protocol and to foster community-driven growth in the dYdX ecosystem.

The dYdX Chain software is open-source software to be used or implemented by any party in accordance with the applicable license. At no time should the dYdX Chain and/or its software or related components be deemed to be a product or service provided or made available in any way by the dYdX Foundation. Interactions with the dYdX Chain software or any implementation thereof are permissionless and disintermediated, subject to the terms of the applicable licenses and code. Users who interact with the dYdX Chain software (or any implementations thereof) will not be interacting with the dYdX Foundation in any way whatsoever. The dYdX Foundation does not make any representations, warranties or covenants in connection with the dYdX Chain software (or any implementations and/or components thereof), including (without limitation) with regard to their technical properties or performance, as well as their actual or potential usefulness or suitability for any particular purpose, and users agree to rely on the dYdX Chain software (or any implementations and/or components thereof) “AS IS, WHERE IS”.

Nothing in this post should be used or considered as legal, financial, tax, or any other advice, nor as an instruction or invitation to act by anyone. Users should conduct their own research and due diligence before making any decisions. The dYdX Foundation may alter or update any information in this post in the future at its sole discretion and assumes no obligation to publicly disclose any such change. This post is solely based on the information available to the dYdX Foundation at the time it was published and should only be read and taken into consideration at the time it was published and on the basis of the circumstances that surrounded it. The dYdX Foundation makes no guarantees of future performance and is under no obligation to undertake any of the activities contemplated herein.
