Bounties

We run an ongoing bug bounty for the 0x Protocol smart contracts! The program is open to anyone and rewards up to $100,000 for critical exploits. The scope and disclosure instructions are below.

Rewards

The severity of reported vulnerabilities will be graded according to the CVSS (Common Vulnerability Scoring System). The following table will serve as a guideline for reward decisions:

Exploit Score                  Reward
Critical (CVSS 9.0 - 10.0)     $10,000 - $100,000
High (CVSS 7.0 - 8.9)          $2,500 - $10,000
Medium (CVSS 4.0 - 6.9)        $1,000 - $2,500
Low (CVSS 0.0 - 3.9)           $0 - $1,000

Please note that any rewards will ultimately be awarded at the discretion of ZeroEx Intl. All rewards will be paid out in ZRX.

Areas of Interest

Loss of funds

  • A user loses funds in a way that they did not explicitly authorize (e.g. an account is able to gain access to an AssetProxy and drain user funds).

  • A user authorized a transaction or trade but spends more assets than normally expected (e.g. an order is allowed to be over-filled).

Unintended contract state

  • A user is able to update the state of a contract such that it is no longer usable (e.g. permanently lock a mutex).

  • Any assets get unexpectedly “stuck” in a contract with regular use of the contract’s public methods.

  • An action taken in the staking contracts is applied to an incorrect epoch.

Bypassing time locks

  • The ZeroExGovernor is allowed to bypass the timelock for transactions where it is not explicitly allowed to do so.

  • A user is allowed to bypass the ZeroExGovernor.

Incorrect math

  • Overflows or underflows result in unexpected behavior.

  • The staking reward payouts are incorrect.
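
As an added illustration of two of the items above (an order being over-filled, and arithmetic that wraps instead of reverting), here is a stripped-down fill tracker with the unsafe and the hardened fill function side by side. This is example code written for this page, not 0x Exchange code; the contract, struct, function and variable names are hypothetical and share nothing with the in-scope contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, stripped-down fill tracker written as an illustration.
// It is NOT 0x Exchange code and uses none of its identifiers.
contract FillTrackerDemo {
    struct Order {
        address maker;
        uint256 makerAmount; // total maker asset the order offers
        uint256 takerAmount; // total taker asset the order asks for
    }

    // order hash => taker asset amount already filled against that order
    mapping(bytes32 => uint256) public filled;

    function hashOrder(Order calldata order) public pure returns (bytes32) {
        return keccak256(abi.encode(order.maker, order.makerAmount, order.takerAmount));
    }

    // VULNERABLE: the caller-supplied amount is booked without being compared
    // with what remains, so repeated calls fill the order past takerAmount and
    // pay out more maker asset than the maker ever offered (an "over-fill").
    function fillUnsafe(Order calldata order, uint256 takerFillAmount)
        external
        returns (uint256 makerOut)
    {
        bytes32 h = hashOrder(order);
        filled[h] += takerFillAmount;
        makerOut = (takerFillAmount * order.makerAmount) / order.takerAmount;
        // ... asset transfers omitted
    }

    // HARDENED: cap the fill at the remaining amount, reject empty fills and
    // round the maker payout down. Under 0.8.x arithmetic is checked, so an
    // overflow in the multiplication reverts instead of wrapping; on a <0.8
    // compiler the same line would need SafeMath to get that behaviour.
    function fillSafe(Order calldata order, uint256 takerFillAmount)
        external
        returns (uint256 fill, uint256 makerOut)
    {
        require(order.takerAmount > 0, "INVALID_ORDER");
        bytes32 h = hashOrder(order);
        // Cannot underflow: this function never lets filled[h] exceed takerAmount.
        uint256 remaining = order.takerAmount - filled[h];
        fill = takerFillAmount < remaining ? takerFillAmount : remaining;
        require(fill > 0, "ORDER_FULLY_FILLED");
        filled[h] += fill;
        makerOut = (fill * order.makerAmount) / order.takerAmount;
        // ... asset transfers omitted
    }
}
```

A reproduction of the unsafe path is two calls to fillUnsafe whose amounts sum to more than order.takerAmount; against fillSafe the second call is capped to the remainder and a third call reverts with ORDER_FULLY_FILLED.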

Scope

The following contracts are in scope of the bug bounty. Please note that any bugs already reported are considered out of scope. See the Audits page for 3rd party security reports.

Release            Commit Hash
Exchange V4        72a74e7c66
Exchange V3        fb8360edfd
Exchange V2.1      ff70c5ecfe
MultiAssetProxy    c4d9ef9f83
ERC1155Proxy       77484dc69e
StaticCallProxy    54f4727adc
ERC20BridgeProxy   281658ba34
ExchangeProxy      7967a8416c

Disclosures

Please e-mail all submissions to security@0x.org with the subject “BUG BOUNTY”. Your submission should include any steps required to reproduce or exploit the vulnerability. Please allow time for the vulnerability to be fixed before discussing any findings publicly. After receiving a submission, we will contact you with expected timelines for a fix to be implemented.