September 19, 2023

Securing the dYdX Chain: Announcing our Bug Bounty Program

Product
Securing the dYdX Chain: Announcing our Bug Bounty Program

Intro

We are excited to introduce our new bug bounty program! We recently announced that all core dYdX Chain (v4) software GitHub repos have been made public, and are now inviting the community to help us identify any vulnerabilities to improve the security of the dYdX Chain.

Help us make the dYdX Chain even more secure by participating in our bug bounty program today!

Program Rewards

Payments will be paid out in USDC based on the severity of the vulnerability, based on the sole discretion of dYdX, and subject to the terms in this post. Payment ranges for different levels of severity are as follows:

  • Low: $50 - $5,000
    • E.g. Display or event-parsing issues
  • Medium: $5,000 - $50,000
    • E.g. Issues leading to non-core-product failures of the exchange such as staking or governance
  • High:  $50,000 - $150,000
    • E.g. Issues leading to network downtime or liveness failures
  • Critical:  $150,000 - $1,000,000, depending on the potential impact of the critical vulnerability. Extraordinary finds in this category could extend up to $5,000,000.
    • E.g. Issues leading to bugs or attacks resulting in significant loss of funds.

Scope and Timeline

The bug bounty applies to all code found in the protocol and indexer folders of the v4-chain repository, as well as any code in the web and client repos. Please note that reports for read-only functions for the product, especially in the indexer, web front end, and client code, will generally fall under the lower severity levels.

Rewards are offered for the discovery and reporting of bugs and vulnerabilities that significantly impact the operation of the dYdX Chain in a production environment, including effects such as loss of functionality or loss of funds.

Examples of cases ineligible for a bug bounty reward:

  • Vulnerabilities already known to the public or dYdX, including findings disclosed by our auditors and any previous findings from other bug bounty participants
  • Bugs that are not reproducible
  • Unsophisticated or generic DOS attacks
  • Social engineering
  • Any type of physical attack

Please see the Bug Bounty Terms for more information on scope.

Eligibility

In order to be eligible for a bug bounty award, we will require the following:

  • Disclosure to bugbounty@dydx.exchange must be made promptly following the discovery of the vulnerability.
  • Disclosure must be made directly to bugbounty@dydx.exchange and not to any other party, without our explicit consent.
  • The vulnerability and all details must remain confidential between you and dYdX.
  • The vulnerability must be reported without any conditions, demands, or threats.
  • The report must include sufficient detail to allow us to quickly understand and reproduce the vulnerability.

Please review the complete Bug Bounty Terms.

Program Terms

This bug bounty program is subject to the Bug Bounty Program Terms and Conditions (the “Bug Bounty Terms”), v4 Terms of Use and the following terms (these “Terms”). In the event of a conflict between these Terms and the Program Terms, these Terms will prevail, except with respect to Sections 1 (Eligibility), 4 (Payment), and 5 (Administration) of the Bug Bounty Terms that will always prevail.

Thank you

Thank you for helping to make the dYdX Chain more secure! For questions specific to security and the bug bounty program, please contact bugbounty@dydx.exchange.

About dYdX and Terms

Here at dYdX, our mission is to democratize access to financial opportunity. We believe that v4 software will represent notable progress in service of that mission. The events in the global economy that have transpired over the last year have only reinforced the need for open, transparent, and permissionless financial products. We’re excited for v4 software to better meet those needs.

If building the future of a decentralized exchange and open finance is something you’re interested in, check out what it’s like to work at dYdX and our open roles!

To ask additional questions, join the discussion on Discord, participate in the dYdX community, or follow us on Twitter. We’re excited to continue building the dYdX Chain and will continue to release updates over the coming months.

Terms and Conditions: This post is subject to the dYdX Terms of Use.  The dYdX interface and products are not available to persons or entities who reside in, are located in, are incorporated in, or have registered offices in the United States or Canada ("Blocked Persons"), or other Restricted Persons (as defined in the dYdX Terms of Use). dYdX products and services are not intended for, and should not be used by, Blocked Persons or Restricted Persons. Terms of Use specific to v4 software can be found here.

Resources
Help CenterBlogAcademyMarketsBrandTerms of UsePrivacy Policy
Ecosystem
dYdX LabsdYdX FoundationdYdX Operations subDAOdYdX Grants subDAOIntegrate
Legacy Product
ExchangeCommunity
© 2025 dYdX Foundation. All rights reserved.

dYdX is a decentralised, disintermediated and permissionless protocol, and is not available in the U.S. or to U.S. persons as well as in other restricted jurisdictions. The dYdX Foundation does not operate or participate in the operation of any component of the dYdX Chain's infrastructure.

Nothing in this website should be used or considered as legal, financial, tax, or any other advice, nor as an instruction or invitation to act in any way by anyone. You should perform your own research and due diligence before engaging in any activity involving crypto-assets due to high volatility and risks of loss.

Depositing into the MegaVault carries risks. Do your own research and make sure to understand the risks before depositing funds. MegaVault returns are not guaranteed and may fluctuate over time depending on multiple factors. MegaVault returns may be negative and you may lose your entire investment.

The dYdX Foundation does not operate or has control over the MegaVault and has not been involved in the development, deployment and operation of  any component of the dYdX Unlimited software (including the MegaVault).

Crypto-assets can be highly volatile and trading crypto-assets involves risk of loss, particularly when using leverage. Investment into crypto-assets may not be regulated and may not be adequate for retail investors. Do your own research and due diligence before engaging in any activity involving crypto-assets.