Exchange & custody surfaces
Blexch inherits classic CEX risk: sessions, API keys, order and margin state, withdraw races, admin consoles — $5,000 per demonstrated critical.
In scope: b1exch.to and delegated hosts.
Exclusions: crime / laundering / harassment only; there are no product-based scope fences.
1. Kill chain from root cause → exploit steps → measurable loss or integrity break
2. Proof the attack succeeds (replayed APIs showing balance drift, withdraw replay, admin boundary cross)
Narratives without replayable exploits stall below payout threshold.
Why probe Blexch?
Flat $5K critical payouts
Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.
Trading + custody blast radius
Order APIs, WS books, withdraw workers — bugs cash out as silent drift until someone scripts the replay.
No fake micro-scope list
If Blexch can patch it — books to wallet workers — escalate until severity lands.
Responsible disclosure halo
Demonstrated chains earn coordinated publication credit after fixes ship.
$5,000 per validated critical
There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel withdraw harnesses, WS replay dumps, signing traces…).
Critical definitions: unauthorized withdrawals or balance inflation at scale; forging signed API/withdraw intents; universal read of other users’ positions or deposit history; break-glass access to signing or treasury policy; persisted RCE in trading or custody control plane; SSRF into HSM/KMS bridges Blexch exposes.
- Cross-user ledger bleed, margin math desync, or duplicate settlement
- Withdraw/deposit pipeline integrity break exploitable remotely
- SSRF from Blexch workers to cloud signing metadata planes
Illustrative map (non-exhaustive)
Rows below do not cap surface. Anything Blexch hosts, signs, matches, settles, or withdraws through counts as bounty ground. “Not listed” ≠ “out-of-scope.”
| Surface | Class | Critical payout |
|---|---|---|
| b1exch.to, subdomains, trading UI | Web | $5,000 / validated bug |
| Trade & account APIs · websocket feeds | Backend | $5,000 / validated bug |
| Deposit/withdraw queues · custody | Custody | $5,000 / validated bug |
| Risk / admin consoles | Ops | $5,000 / validated bug |
Everything Blexch operates — no exclusions list
Sandbox books or pool clusters, Grafana, bot hooks for risk alerts, partner APIs fronted by Blexch — all eligible when critical impact reproduces.
- Vanity domains CNAME’d into Blexch edge — show DNS/traffic proof in your write-up.
- Wallet connector SDKs or bookmarklets Blexch ships
- Colocated market-making or liquidity pool containers they operate
- Bridge, on-ramp, or pool callbacks verified with Blexch-issued secrets
Rules of engagement
- Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing fund/state impact — not paper analysis alone.
- Number your hops. Session/API primitive → escalation → treasury or book integrity break.
- Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
- Private coordination first. Use official intake on b1exch.to before public threads.
- Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
How to submit a report
Use the security / vulnerability disclosure contact published on https://b1exch.to/ (security@b1exch.to is a common guess — verify on the live site before emailing). Template below.
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — trader/treasury impact in one paragraph
# Severity self-classification → must map to Blexch critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, market symbol, account ID)
2. Entry primitive — HTTP/WS line + signature headers
3. Pivot(s) → privilege/order/withdraw escalation
4. Final hop → balance theft / forged payout / infra takeover equivalent
## Successful exploitation evidence
• Scripted replay showing ledger/withdraw impact
• Parallel request traces (race/double-spend)
• Custody or admin log lines proving attacker-forged intent accepted
## Reproduction package
Commands + fixtures + commit/patch SHAs
## Disclosure ack
Private channel only until Blexch clears publication
Withdraw race vignette · pair with replay logs
Illustrative parallel withdraw — prove on b1exch.to.
```javascript
// BUGGY: non-atomic balance check + debit — parallel wins double payout
async function requestWithdraw(userId, amount) {
  const bal = await db.getBalance(userId);           // read: every concurrent caller sees the same value
  if (bal < amount) throw new Error('insufficient'); // check runs against that stale read
  await db.debit(userId, amount);                    // write lands only after the other reads completed
  await queue.enqueuePayout(userId, amount);         // each caller that passed the check gets a payout
}
```
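Added example, not Blexch code: the vignette's read-then-debit pattern and an atomic conditional debit run side by side against a constructed in-memory ledger, so the double payout and its fix reproduce offline. `makeLedger`, `debitIfSufficient`, the `payouts` array and the user `alice` are assumptions for this demo.

```javascript
// Added example (not Blexch code): in-memory ledger reproducing the check-then-debit race.

// Constructed ledger. tick() yields one microtask, standing in for the async round-trip to a real store.
function makeLedger(initial) {
  const balances = new Map(Object.entries(initial));
  const tick = () => Promise.resolve();
  return {
    async getBalance(userId) { await tick(); return balances.get(userId) ?? 0; },
    async debit(userId, amount) { await tick(); balances.set(userId, (balances.get(userId) ?? 0) - amount); },
    // Atomic conditional debit: check and write happen with no await between them,
    // the moral equivalent of `UPDATE balances SET bal = bal - ? WHERE user = ? AND bal >= ?`.
    async debitIfSufficient(userId, amount) {
      await tick();
      const bal = balances.get(userId) ?? 0;
      if (bal < amount) return false;
      balances.set(userId, bal - amount);
      return true;
    },
    balanceOf(userId) { return balances.get(userId) ?? 0; },
  };
}

// BUGGY, as in the vignette: read and debit are separate awaits, so N callers can all see the same balance.
async function requestWithdrawBuggy(db, payouts, userId, amount) {
  const bal = await db.getBalance(userId);
  if (bal < amount) throw new Error('insufficient');
  await db.debit(userId, amount);
  payouts.push({ userId, amount });
}

// FIXED: a single atomic conditional debit decides whether a payout is queued.
async function requestWithdrawAtomic(db, payouts, userId, amount) {
  if (!(await db.debitIfSufficient(userId, amount))) throw new Error('insufficient');
  payouts.push({ userId, amount });
}

// Fire `parallel` withdrawals at once against a fresh 100-unit ledger; report queued, rejected, closing balance.
async function raceWithdraws(handler, parallel, amount) {
  const db = makeLedger({ alice: 100 });
  const payouts = [];
  const results = await Promise.allSettled(
    Array.from({ length: parallel }, () => handler(db, payouts, 'alice', amount)));
  return {
    queued: payouts.length,
    rejected: results.filter((r) => r.status === 'rejected').length,
    finalBalance: db.balanceOf('alice'),
  };
}

Promise.all([raceWithdraws(requestWithdrawBuggy, 5, 100), raceWithdraws(requestWithdrawAtomic, 5, 100)])
  .then(([buggy, fixed]) => console.log({ buggy, fixed }));
```

With five parallel 100-unit requests the buggy handler queues five payouts and leaves the balance at -400; the atomic handler queues one, rejects four and ends at 0.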
Frequently asked questions
Is anything “out of scope” besides crime?
No discretionary product carve-outs — only legal/ethical bases. If Blexch routes traffic there, document the chain until triage rejects specifics.
Theory-only reports?
No payout. $5K demands reproducible success proof.
Staging fair game?
Yes when Blexch operates and labels it; mirror production auth & routing semantics.
Duplicates?
Fastest fully valid PoC wins treasury.
Lower severities?
Not under the $5K critical rubric — escalate impact or accept non-cash acknowledgement.
Critical chain + working exploit = $5,000
No narrow scope appendix — document the attack, prove it lands, file privately.