dYdX Bug Bounty
Maximum reward: $1,000,000

| Severity | Max. Reward |
|---|---|
| Critical | $1,000,000 |
| High | $150,000 |
| Medium | $50,000 |
| Low | $5,000 |

Deposit required: $30
Findings submitted: 85
Start date: 8 May 2026
In scope
| Severity | Min and Max Reward |
|---|---|
| Critical | $150,000 to $1,000,000 |
| High | $50,000 to $150,000 |
| Medium | $5,000 to $50,000 |
| Low | $50 to $5,000 |
All bounty rewards apply across the assets listed below. The payout for an eligible report is determined by severity, not by which asset is affected.
Reward Notes
- Critical findings start at $150,000 and reach $1,000,000. Extraordinary findings in this category may qualify for elevated rewards up to $5,000,000 at dYdX's sole discretion.
- See Severity Classification Framework for severity guidance.
| Name | Description |
|---|---|
| v4-chain (protocol) | dYdX Chain protocol modules: Cosmos SDK / CometBFT application logic for the on-chain orderbook, matching engine, perpetual markets, and settlement. |
| v4-chain (indexer) | Off-chain indexer service that ingests chain events and serves data to the dYdX web client and external integrators. |
| v4-web | Official dYdX web trading client. |
| v4-clients | Official client SDKs for interacting with dYdX Chain. |
| v-4-native-mobile | Native iOS and Android app for dYdX v4. |
| v4-localization | Localization features for dYdX v4. |
| v4-documentation | Vocs documentation project for dYdX v4. |
| v4-infrastructure | Terraform-related configs for dYdX Chain used for testing purposes. |
| v4-latency-scripts | Scripts to measure the latency of networks used by dYdX Chain. |
| v4-abacus | Shared front-end and mobile logic. |
| v4-testnets | Public testnet for dYdX Chain. |
Out of scope
The following issues are out of scope and not eligible for rewards.
For generic exclusions, see the Cantina Bug Bounty Out-of-Scope Policy.
Excluded Vulnerability Classes
- Previously known or already-disclosed vulnerabilities, and duplicates of previously paid reports.
- Non-reproducible bugs.
- Unsophisticated or generic DoS / DDoS attacks.
- Social engineering attacks against dYdX, its contributors, or its users.
- Physical attacks against any person or facility.
- Read-only functions, except where they directly enable a higher-severity exploit.
Web / Client Exclusions
- Vulnerabilities in third-party sites or services, unless they directly affect the dYdX Site.
- Issues only reproducible on outdated or unpatched browsers.
- Disclosures originating from third-party libraries with no demonstrated exploit path against dYdX.
- Missing security headers without an accompanying proof of exploitability.
- Front-end bugs limited to visual or cosmetic issues.
- Software version disclosure and other low-impact information disclosures.
- General best-practice suggestions without a concrete vulnerability.
- Phishing attempts, spamming, and findings produced solely by automated tooling without manual validation.
Default Out of Scope
Standard out-of-scope items per the Cantina Bug Bounty Out-of-Scope Policy.