OKX Labs
Maximum reward: $1,000,000

| Severity | Max. Reward |
|---|---|
| Critical | $1,000,000 |
| High | $100,000 |
| Medium | $10,000 |

Deposit required: $10
Findings submitted: 173
Start date: 30 Jan 2026
KYC: Required to join
Introduction
We are launching OKX Labs’ Onchain Bug Bounty Program to fortify the security of our production-grade smart contracts. We warmly welcome security researchers to responsibly disclose vulnerabilities impacting smart contracts deployed and utilized in our onchain products. Your valuable reports play a critical role in safeguarding user funds and enhancing the resilience of our systems.
Program Details
This program exclusively focuses on onchain components (smart contracts). A vulnerability is eligible for rewards only if the affected contract meets the following criteria:
- Deployed on a mainnet by OKX Labs or an OKX Labs-controlled deployer.
- Serves a genuine production use case (not a proof-of-concept).
Vulnerabilities in off-chain components should be reported via our existing HackerOne bug bounty program.
Prohibited Actions
To ensure the safety of our systems and users, the following actions are strictly prohibited:
- Unauthorized testing on production environments: Do not test exploits on mainnet or public deployments without explicit written authorization. Use local test environments, simulations, or private forks for validation.
- Public disclosure without consent: Do not disclose vulnerability details publicly (including on social media, forums, or technical platforms) before the issue is remediated and you receive written approval from OKX Labs.
- Excessive exploitation beyond proof: Exploit vulnerabilities only to the minimum extent necessary to demonstrate the issue. Data exfiltration, service disruption, or any action that harms users or systems is forbidden.
- Conflict of interest: Current or former OKX Labs employees, as well as contributors to the affected codebase, are ineligible for rewards.
Disclosure Requirements
Please submit vulnerability reports directly through the Spearbit/Cantina platform. Each report must include:
- A clear, detailed description of the vulnerability and its potential impact.
- Step-by-step reproduction instructions (a proof-of-concept (PoC) is strongly recommended to accelerate validation).
- Prerequisites, conditions, or specific scenarios required to trigger the vulnerability.
- Potential real-world consequences if the vulnerability is exploited in production.
Reports should be submitted promptly, ideally within 24 hours of discovering the vulnerability.
Eligibility
To qualify for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the program’s scope.
- Provide sufficient technical details to enable our team to reproduce, verify, and fix the issue.
- Refrain from any malicious exploitation of the vulnerability.
- Not disclose the vulnerability to third parties before obtaining written permission from OKX Labs.
- Comply with all program rules and applicable laws (including relevant sanctions restrictions).
Severity
Vulnerability severity is assessed based on two core factors: impact (potential harm to users, funds, or systems) and likelihood (ease of exploitation). We classify severity into four levels: Critical, High, Medium, and Low.
Risk Classification Matrix
| Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|---|
| Likelihood: High | Critical | High | Medium | Low |
| Likelihood: Medium | High | High | Medium | Low |
| Likelihood: Low | Medium | Medium | Low | Informational |
Severity Description
| Severity Level | Description |
|---|---|
| Critical | Vulnerabilities that can cause complete loss or control over critical assets or functions. These are fully exploitable by any user, with irreversible, catastrophic consequences, and would have serious reputational or legal implications. Typical exploit types: privilege escalation; reentrancy on core functions; arbitrary code execution; authentication bypass; self-destruction or kill switch exposure. |
| High | Vulnerabilities that can cause substantial financial loss or major disruptions, but often require some setup, multiple steps, or favorable timing. They are still dangerous but slightly more constrained. They could have reputational or legal implications. Typical exploit types: price oracle manipulation; flash loan exploits; access control bypass with constraints; time-based front-running (MEV-sensitive logic); misconfigured deployments; poor slippage/protection logic. |
| Medium | Vulnerabilities that can result in moderate financial impact or affect non-critical features, often exploitable only under certain circumstances or by well-informed actors. Typical exploit types: denial-of-service (DoS); griefing attacks; logic errors in optional or edge-case features; token standard compliance issues (ERC20/ERC721); replay attacks in multi-chain or off-chain contexts. |
| Low | Issues with minimal or theoretical impact, not easily exploitable, or that only affect contract quality or developer experience. Typical exploit types: significant gas inefficiencies / unoptimized code; missing event emissions; unnecessary exposure of internal data; compiler version issues; lack of input sanitization where it has no impact. |