Announcing the dYdX Perpetual Contracts Bug Bounty

We recently announced the private alpha launch of BTC–USDC perpetual contracts on dYdX, the first market to make use of our Perpetual Contracts protocol. This protocol consists of a new set of Ethereum smart contracts which we have released as open source on GitHub.

Today, we are launching a bug bounty program to encourage the community at large to review our code in advance of our public launch. We hope this program will supplement the investments in security that we have already made via our audit by OpenZeppelin and our own analysis of the protocol.

Timeline

The bug bounty program begins today and extends through June 2nd, 2020. After that date, we will continue to welcome vulnerability disclosures in accordance with our general security policy.

Risk Rating and Program Rewards

We commit to providing fair compensation to anyone who reports a security vulnerability in accordance with the criteria and requirements described in this article.

Eligibility and reward amounts are determined at the sole discretion of dYdX. In determining a fair amount, we will use the OWASP Risk Rating Methodology as a guideline for assessing the severity of a given vulnerability. In addition to severity, other factors including the quality of the report will be taken into account.

Bounties will be paid in line with the following guidelines:

  • Critical: Up to $50,000 USD
  • High: Up to $20,000 USD
  • Medium: Up to $5,000 USD
  • Low: Up to $2,000 USD
  • Note: Up to $500 USD

These rewards are payable in your choice of USD or ETH (using a conversion rate determined at the time of payment).

Scope

The bug bounty applies to the smart contracts used in the Perpetual Contracts protocol, found in the `protocol` directory. Rewards are offered for the discovery and reporting of bugs and vulnerabilities that significantly impact the operation of the protocol in a production environment—including effects such as loss of functionality of the protocol, or loss or lock-up of funds.

The following are ineligible for a bug bounty reward:

  • Vulnerabilities already known to the public or dYdX, including findings disclosed by our auditors and any previous findings from other bug bounty participants.
  • Bugs that are not reproducible.

Furthermore, vulnerabilities which rely on any of the following are explicitly out of scope and ineligible for the bounty program:

  • Denial-of-service attacks.
  • Compromise of the external price oracle system.
  • Control of an admin key.
  • Social engineering.
  • Any type of physical attack.
  • Attacks which rely on clogging the Ethereum network or colluding with miners.
  • Bugs and vulnerabilities in the application layer (i.e. outside the smart contracts)—although we welcome these outside of the bug bounty in accordance with our general security policy.

Disclosure

In order to be eligible for a bug bounty award, we require the following:

  • Disclosure to security@dydx.exchange must be made promptly following the discovery of the vulnerability.
  • Disclosure must be made directly to security@dydx.exchange and not to any other party, without our explicit consent.
  • The vulnerability and all details must remain confidential between you and dYdX until we have had a reasonable amount of time, up to 30 days, to resolve the issue.
  • The vulnerability must be reported without any conditions, demands, or threats.
  • The report must include sufficient detail to allow us to quickly understand and reproduce the vulnerability.

Other Terms

To qualify for a reward, we require that you:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Are not subject to US sanctions or a resident of a US-embargoed country.
  • Are at least 18 years of age.

If you meet all guidelines above when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your findings.
  • Work with you to address the issue safely and quickly, including an initial confirmation of your report within 72 hours of submission.
  • Grant a monetary reward, as described above.

Thank You

Thank you for helping to make our protocol more secure! Stay tuned for our public launch by following us on Twitter or joining the official Telegram group. For questions specific to security and the bug bounty program, please contact security@dydx.exchange.