Announcing Bug Bounties for the dYdX Margin Trading Protocol

Calling on the community and all bug bounty hunters to help identify bugs in our smart contracts

In preparation for a mainnet release, we have completed rigorous testing on all of our smart contracts. Additionally, we’ve open sourced our code and engaged multiple, independent security firms to perform audits — CryptoFin, ZK Labs and Soho Token Labs.

Now, we’re excited to launch our bug bounty program. We take the security of the protocol very seriously and we’re seeking help from the broader community to help us find bugs in the dYdX Margin Trading Protocol in advance of our launch. We hope that an additional layer of rigorous testing by the community will contribute to a secure and safe launch. Below we outline our submission process for the bug bounty program.

Timeline

We will be opening the bug bounty today. Additionally, we’re also releasing our independent audit reports that outline other bugs and exploits already identified. The bug bounty will be open through to September 30, 2018.

Scope

The bounty program applies to smart contracts used in the Margin Trading Protocol housed in the lib and margin folders.

Rules

All bug bounty submissions must be based on the commit hash — 3688a423d193134932234a5dae86316b6c0028f8

We will only consider submissions outlining issues outside of those already identified by the whitepaper or previous audit reports: Cryptofin - Margin, Bucket Lender, ZK Labs - Margin and Soho Token Labs - Bucket Lender.

When duplicates occur, we may only award the first report that was received.

Before discussing your findings publicly, please inform us and allow us a reasonable timeframe to fix the vulnerability.

Submission

Please send your submission to security@dydx.exchange.

Compensation

Compensation will primarily be based on the severity of the bug found. To determine a bug’s severity, we will use the OWASP risk assessment methodology.

In calculating the payout, we will also consider the quality of the submission. This includes a clear description, a test case, and a provided fix. The payouts are guided by the below estimates, but are determined at the sole discretion of dYdX.

Note: Up to $500 USD

Low: Up to $2,000 USD

Medium: Up to $5,000 USD

High: Up to $20,000 USD

Critical: Up to $50,000 USD

All bounties are payable in USD (or equivalent ETH value at the time of payment).