September 19, 2023
June 4, 2025

Securing the dYdX Chain: Announcing our Bug Bounty Program

Product
Securing the dYdX Chain: Announcing our Bug Bounty ProgramSecuring the dYdX Chain: Announcing our Bug Bounty Program

Intro

We are excited to introduce our new bug bounty program! We recently announced that all core dYdX Chain (v4) software GitHub repos have been made public, and are now inviting the community to help us identify any vulnerabilities to improve the security of the dYdX Chain.

Help us make the dYdX Chain even more secure by participating in our bug bounty program today!

Program Rewards

Payments will be paid out in USDC based on the severity of the vulnerability, based on the sole discretion of dYdX, and subject to the terms in this post. Payment ranges for different levels of severity are as follows:

  • Low: $50 - $5,000
    • E.g. Display or event-parsing issues
  • Medium: $5,000 - $50,000
    • E.g. Issues leading to non-core-product failures of the exchange such as staking or governance
  • High:  $50,000 - $150,000
    • E.g. Issues leading to network downtime or liveness failures
  • Critical:  $150,000 - $1,000,000, depending on the potential impact of the critical vulnerability. Extraordinary finds in this category could extend up to $5,000,000.
    • E.g. Issues leading to bugs or attacks resulting in significant loss of funds.

Scope and Timeline

The bug bounty applies to all code found in the protocol and indexer folders of the v4-chain repository, as well as any code in the web and client repos. Please note that reports for read-only functions for the product, especially in the indexer, web front end, and client code, will generally fall under the lower severity levels.

Rewards are offered for the discovery and reporting of bugs and vulnerabilities that significantly impact the operation of the dYdX Chain in a production environment, including effects such as loss of functionality or loss of funds.

Examples of cases ineligible for a bug bounty reward:

  • Vulnerabilities already known to the public or dYdX, including findings disclosed by our auditors and any previous findings from other bug bounty participants
  • Bugs that are not reproducible
  • Unsophisticated or generic DOS attacks
  • Social engineering
  • Any type of physical attack

Please see the Bug Bounty Terms for more information on scope.

Eligibility

In order to be eligible for a bug bounty award, we will require the following:

  • Disclosure to bugbounty@dydx.exchange must be made promptly following the discovery of the vulnerability.
  • Disclosure must be made directly to bugbounty@dydx.exchange and not to any other party, without our explicit consent.
  • The vulnerability and all details must remain confidential between you and dYdX.
  • The vulnerability must be reported without any conditions, demands, or threats.
  • The report must include sufficient detail to allow us to quickly understand and reproduce the vulnerability.

Please review the complete Bug Bounty Terms.

Program Terms

This bug bounty program is subject to the Bug Bounty Program Terms and Conditions (the “Bug Bounty Terms”), v4 Terms of Use and the following terms (these “Terms”). In the event of a conflict between these Terms and the Program Terms, these Terms will prevail, except with respect to Sections 1 (Eligibility), 4 (Payment), and 5 (Administration) of the Bug Bounty Terms that will always prevail.

Thank you

Thank you for helping to make the dYdX Chain more secure! For questions specific to security and the bug bounty program, please contact bugbounty@dydx.exchange.

Legitimacy and Disclaimer

© 2025 dYdX International Ltd. All rights reserved.

dYdX is a decentralised, disintermediated and permissionless protocol, and is not available in the U.S. or to U.S. persons as well as for Restricted Persons as set out in the dYdX Software Terms of Use, accessible: https://dydx.exchange/v4-terms. dYdX International Ltd (“DI”) does not develop, control or participate in the operation of any component of the dYdX Protocol (including the MegaVault).

The information provided in this website is for general informational purposes only and DI reserves the right to update, modify, or amend any contents herein, at its sole discretion and without prior notice.  Nothing herein should be used or considered as legal, financial, tax, or any other advice, nor as an instruction or invitation to act in any way by anyone.

Engaging in any activity involving crypto-assets (including trading crypto assets and depositing into the MegaVault) is risky due to high volatility. Returns are not guaranteed and may fluctuate over time depending on multiple factors, and you may lose your entire investment, particularly when using leverage. Investment into crypto-assets may not be regulated and may not be suitable for retail investors. You should perform your own research and due diligence before engaging in any activity involving crypto-assets.

In no event will DI be liable for any loss or damage, including without limitation, indirect or consequential loss or damage, arising from or in connection with the use of this website. By continuing to access this website, you agree to the above and accept the possibility of changes in the information provided.

Awarded Institutional DeFi Solution of the Year by Hedgeweek

Learn more

1 Leaderboard, 9 Seasons and $20M on the Line in Rewards

Learn more
Resources
Help CenterBlogAcademyMarketsBrandTerms of UsePrivacy Policy
Ecosystem
dYdX LabsdYdX FoundationdYdX Operations subDAOdYdX Grants subDAOAPINew iOS App
Market Pages
API3-USDBERA-USDNIL-USDNC-USDGAS-USD
Learn More
How To Purchase DYDXHow To Start TradingTrading Competition2024 Annual ReportDYDX BuybackExchangeCommunity
© 2025 dYdX International Ltd. All rights reserved.

dYdX is a decentralised, disintermediated and permissionless protocol, and is not available in the U.S. or to U.S. persons as well as for Restricted Persons as set out in the dYdX Software Terms of Use, accessible: https://dydx.exchange/v4-terms. dYdX International Ltd (“DI”) does not develop, control or participate in the operation of any component of the dYdX Protocol (including the MegaVault).

The information provided in this website is for general informational purposes only and DI reserves the right to update, modify, or amend any contents herein, at its sole discretion and without prior notice.  Nothing herein should be used or considered as legal, financial, tax, or any other advice, nor as an instruction or invitation to act in any way by anyone.

Engaging in any activity involving crypto-assets (including trading crypto assets and depositing into the MegaVault) is risky due to high volatility. Returns are not guaranteed and may fluctuate over time depending on multiple factors, and you may lose your entire investment, particularly when using leverage. Investment into crypto-assets may not be regulated and may not be suitable for retail investors. You should perform your own research and due diligence before engaging in any activity involving crypto-assets.

In no event will DI be liable for any loss or damage, including without limitation, indirect or consequential loss or damage, arising from or in connection with the use of this website. By continuing to access this website, you agree to the above and accept the possibility of changes in the information provided.

Leaving site

By clicking ‘Continue’, you will be leaving https://www.dydx.xyz/ and accessing a website made available by a third party using dYdX v4 open-source software that is independent from and unaffiliated with dYdX International Ltd (“DI”). DI does not deploy or run dYdX v4 open-source software for public use, nor does it operate or control any or all parts of the infrastructure. DI is not responsible for any actions taken by independent third parties or for any codes, materials and contents on any third-party websites, including the one you would access by clicking ‘Continue’.

DI’s contents and services are not available to persons who are residents of, are located or incorporated in, or have a registered office in the U.S., Canada or any Restricted Persons as set out in the dYdX v4 open-source software Terms of Use, accessible here.  More details can be found in our Terms of Use. Learn more about dYdX v4 third-party front end options here.

Continue