dYdX Bug Bounty
Maximum reward
$1,000,000
Max. reward by severity:
- Critical: $1,000,000
- High: $150,000
- Medium: $50,000
- Low: $5,000
Deposit required
$30
Findings submitted
80
Start date
8 May 2026
dYdX Chain (dYdX v4) is open source software for a decentralized perpetual futures protocol built as an application-specific blockchain using the Cosmos SDK and CometBFT. It runs a fully on-chain orderbook and matching engine, with off-chain Indexer infrastructure feeding the trading frontend. The protocol supports cross-margined perpetual markets, governance, and staking, operated by a network of independent validators. More information is available at https://github.com/dydxprotocol/v4-chain.
This program covers the protocol layer, the indexer, the web client, and the official client SDKs. See the in-scope asset groups for details and per-severity rewards.
Severity Definitions
Severity is assessed based on impact to the network, user funds, and the dYdX Site. Examples by level:
- Critical: Vulnerabilities resulting in significant loss or theft of user funds, large-scale insolvency of the protocol, permanent freezing of funds, or unauthorized minting/printing of value. Extraordinary finds in this category may qualify for elevated rewards ($150k-1m or higher at dYdX's sole discretion).
- High: Network-level downtime or liveness failures (e.g., halting block production, crashing the chain, preventing settlement), or material degradation of the matching engine ($50k-150k).
- Medium: Failures in non-core products such as staking or governance that do not result in fund loss but degrade user experience or protocol guarantees ($5k-50k).
- Low: Display, event-parsing, or Indexer-side issues that mislead users or clients but do not affect on-chain state or funds ($50-5k).
In addition to the above definitions, we will also use the Cantina Bug Bounty Severity Classification Framework to determine severity.
Prohibited Actions
- Testing on mainnet in any way that exploits, drains, or disrupts the network or its users.
- Public disclosure of any vulnerability prior to dYdX issuing a fix and granting written permission to disclose.
- Automated scanning or testing that generates excessive traffic against dYdX infrastructure.
- Accessing, modifying, or destroying data that does not belong to you, including any personal or sensitive information.
- Submitting duplicates of vulnerabilities that have already been reported or paid.
- Conditioning the disclosure of a vulnerability on payment, demanding compensation outside the published reward structure, or making any threats.
- Exploiting a vulnerability for personal benefit beyond what is necessary to demonstrate it.
Eligibility
- You must be of legal age in your jurisdiction and have the capacity to be bound by these terms.
- You must be the first reporter of the vulnerability via the Cantina platform.
- You must provide sufficient detail (reproduction steps and, where possible, a proof of concept) for dYdX to reproduce and remediate the issue.
- Current and former employees, vendors, contractors, and agents of dYdX (within the prior 6 months) are not eligible.
- Individuals or entities subject to U.S. or other applicable sanctions (including OFAC-listed persons) are not eligible.
- Anyone who has previously exploited or publicly disclosed the vulnerability is not eligible.
- Tax forms and identity verification may be required prior to payment.
Other Terms
- Disclosure of any vulnerability must be made via the Cantina platform within 24 hours of discovery.
- Vulnerability details must not be shared with third parties before dYdX has confirmed, fixed, and approved disclosure.
- The categorization and amount of any payment is determined at the sole discretion of dYdX. dYdX reserves the right to amend, suspend, or terminate this program at any time.
- Participation does not constitute an admission or concession of fault or liability by dYdX.
- Reporters are solely responsible for any tax liabilities arising from received rewards.
- Reporters release dYdX from any claims arising from participation in or payment determinations under this program.