DEX front-end & routing worth breaking
Dex.fo accumulates approval prompts, off-chain quote signatures, affiliate parameters, session state tied to wallets, indexer queries, and RPC proxying — fertile ground for approval-class UX bugs, route or quote manipulation, and cross-account data bleed. Each demonstrated critical earns $5,000.
In scope materially: every host on dex.fo and delegated subdomains, WebSocket channels they terminate, edge bundles, partner widgets, and workers computing quotes or relaying txs.
Exclusions are legal and ethical only: laundering, harassment, unrelated theft. There is no endpoint carve-out list. Prefer testnets where possible.
1️⃣ Kill chain from root cause → exploit steps → measurable loss or integrity break
2️⃣ Proof the attack succeeds (replayed APIs showing balance drift, withdraw replay, admin boundary cross)
Narratives without replayable exploits stall below payout threshold.
Why hammer Dex.fo?
Flat $5K critical payouts
Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.
Trading + custody blast radius
Order APIs, WS books, withdraw workers — bugs cash out as silent drift until someone scripts the replay.
No fake micro-scope list
If Dex.fo can patch it — router JS to quote workers — testers escalate until severity lands.
Responsible disclosure halo
Demonstrated chains earn coordinated publication credit after fixes ship.
$5,000 per validated critical
There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel withdraw harnesses, WS replay dumps, signing traces…).
- Unauthorized withdrawals or balance inflation at scale
- Forging signed API/withdraw intents
- Universal read of other users’ positions or deposit history
- Break-glass access to signing or treasury policy
- Persisted RCE in trading or custody control plane
- SSRF into HSM/KMS bridges Dex.fo exposes
- Cross-user ledger bleed, margin math desync, or duplicate settlement
- Withdraw/deposit pipeline integrity break exploitable remotely
- SSRF from Dex.fo workers to cloud signing metadata planes
Illustrative map (non-exhaustive)
Rows below do not cap surface. Anything Dex.fo hosts, signs, matches, settles, or withdraws through counts as bounty ground. “Not listed” ≠ “out-of-scope.”
| Surface | Class | Critical payout |
|---|---|---|
| dex.fo, *.dex.fo, swap UI & assets | Web · CDN | $5,000 / validated bug |
| Quote / route APIs · hosted RPC or simulation gateways | Backend | $5,000 / validated bug |
| WalletConnect · signing modals · permit / approval flows | Wallet | $5,000 / validated bug |
| Indexer / referral / fee accounting APIs | Data | $5,000 / validated bug |
Everything Dex.fo operates — no exclusions list
Sandbox books or pool clusters, Grafana, bot hooks for risk alerts, partner APIs fronted by Dex.fo — all eligible when critical impact reproduces.
- Vanity domains CNAME’d into Dex.fo edge — show DNS/traffic proof in your write-up.
- Wallet connector SDKs or bookmarklets Dex.fo ships
- Colocated market-making or liquidity pool containers they operate
- Bridge, on-ramp, or pool callbacks verified with Dex.fo-issued secrets
Rules of engagement
- Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing fund/state impact — not paper analysis alone.
- Number your hops. Session/API primitive → escalation → treasury or book integrity break.
- Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
- Private coordination first. Use official intake on dex.fo before public threads.
- Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
How to submit a report
Use the security / vulnerability disclosure contact published on https://dex.fo/ (security@dex.fo is a common guess — verify on the live site before emailing). Template below.
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — trader/treasury impact in one paragraph
# Severity self-classification → must map to Dex.fo critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, market symbol, account ID)
2. Entry primitive — HTTP/WS line + signature headers
3. Pivot(s) → privilege/order/withdraw escalation
4. Final hop → balance theft / forged payout / infra takeover equivalent
## Successful exploitation evidence
• Scripted replay showing ledger/withdraw impact
• Parallel request traces (race/double-spend)
• Custody or admin log lines proving attacker-forged intent accepted
## Reproduction package
Commands + fixtures + commit/patch SHAs
## Disclosure ack
Private channel only until Dex.fo clears publication
Quote vignette · pair with on-chain replay receipts
Illustrative client-trusted minOut — worthless without traces showing victim gets a worse route on dex.fo.
```javascript
// BUGGY: trusts client-supplied minOut without server re-simulation.
// A low minOutClient leaves the swap unprotected, so the victim can be
// filled on a worse route than the one quoted.
function buildSwapTx(quote) {
  return router.encodeSwap(quote.path, quote.minOutClient);
}
```
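A hardened counterpart, added here as an example and not Dex.fo's own code: the server re-simulates the route and refuses any client minOut below its own slippage floor, so the client can tighten protection but never loosen it. The pool reserves, 0.3% fee, 50 bps slippage policy, the quote's `amountIn` field and the `router` stub are constructed assumptions.

```javascript
// Added example, not Dex.fo code: the same buildSwapTx shape as the snippet
// above, but minOut is floored by a server-side re-simulation of the route.
// Pools, fee, slippage policy and `router` are constructed stand-ins.
const MAX_SLIPPAGE_BPS = 50n; // 0.50%: server policy, never read from the request

// Constructed constant-product pools in token base units (0.3% fee, v2 style).
const POOLS = {
  'USDC/WETH': { USDC: 2_000_000_000_000n, WETH: 1_000_000_000_000_000_000_000n },
};

function poolFor(a, b) {
  const pool = POOLS[`${a}/${b}`] ?? POOLS[`${b}/${a}`];
  if (!pool) throw new Error(`no pool for ${a}/${b}`);
  return pool;
}

// Re-simulate every hop of the path on the server; returns expected amountOut.
function simulateRoute(path, amountIn) {
  let amount = BigInt(amountIn);
  for (let i = 0; i + 1 < path.length; i++) {
    const tokenIn = path[i], tokenOut = path[i + 1];
    const pool = poolFor(tokenIn, tokenOut);
    const inWithFee = amount * 997n;
    amount = (pool[tokenOut] * inWithFee) / (pool[tokenIn] * 1000n + inWithFee);
  }
  return amount;
}

// Lowest minOut the server will encode for this quote: simulated out minus policy slippage.
function serverMinOut(quote) {
  return (simulateRoute(quote.path, quote.amountIn) * (10_000n - MAX_SLIPPAGE_BPS)) / 10_000n;
}
// Constructed stand-in for the router's calldata builder.
const router = { encodeSwap: (path, minOut) => ({ path, minOut }) };

// FIXED: the client may tighten minOut but can never loosen it below the floor.
function buildSwapTx(quote) {
  let clientMin;
  try {
    clientMin = BigInt(quote.minOutClient); // rejects undefined, floats, garbage
  } catch {
    throw new Error('minOutClient is not an integer');
  }
  const floor = serverMinOut(quote);
  if (clientMin < floor) {
    throw new Error(`minOut ${clientMin} below server floor ${floor}`);
  }
  return router.encodeSwap(quote.path, clientMin);
}
```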
Frequently asked questions
Is anything “out of scope” besides crime?
No discretionary product carve-outs — only legal/ethical bases. If Dex.fo routes traffic there, document the chain until triage rejects specifics.
Theory-only reports?
No payout. $5K demands reproducible success proof.
Staging fair game?
Yes when Dex.fo operates and labels it; mirror production auth & routing semantics.
Duplicates?
First fully valid PoC wins the payout.
Lower severities?
Not under the $5K critical rubric — escalate impact or accept non-cash acknowledgement.
Critical chain + working exploit = $5,000
No narrow scope appendix — document the attack, prove it lands, file privately.