Swap routing & wallet touchpoints worth testing
ETZ Swap concentrates approval modals, client-trusted quotes, affiliate or ref parameters, session state linked to wallets, price APIs, and RPC or relay proxies — natural terrain for routing manipulation, approval-class UX flaws, and cross-account leaks. Each demonstrated critical earns $5,000.
In scope materially: every host on etz-swap.com and delegated subdomains, assets they serve, partner widgets, and workers that compute routes or relay transactions.
Civil exclusions only: laundering, harassment, unrelated theft — not endpoint shrinkage. Prefer testnets where possible.
1️⃣ Kill chain from root cause → exploit steps → measurable loss or integrity break 2️⃣ Proof the attack succeeds (replayed APIs showing balance drift, withdraw replay, admin boundary cross). Narratives without replayable exploits stall below payout threshold.
Why pressure-test ETZ Swap?
Flat $5K critical payouts
Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.
Trading + custody blast radius
Order APIs, WS books, withdraw workers — bugs cash out as silent drift until someone scripts the replay.
No fake micro-scope list
If ETZ Swap can patch it — bundle JS to quote backends — escalate until severity lands.
Responsible disclosure halo
Demonstrated chains earn coordinated publication credit after fixes ship.
$5,000 per validated critical
There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel withdraw harnesses, WS replay dumps, signing traces…).
Unauthorized withdrawals or balance inflation at scale; forging signed API/withdraw intents; universal read of other users’ positions or deposit history; break-glass access to signing or treasury policy; persisted RCE in trading or custody control plane; SSRF into HSM/KMS bridges ETZ Swap exposes.
- Cross-user ledger bleed, margin math desync, or duplicate settlement
- Withdraw/deposit pipeline integrity break exploitable remotely
- SSRF from ETZ Swap workers to cloud signing metadata planes
Illustrative map (non-exhaustive)
Rows below do not cap surface. Anything ETZ Swap hosts, signs, matches, settles, or withdraws through counts as bounty ground. “Not listed” ≠ “out-of-scope.”
| Surface | Class | Critical payout |
|---|---|---|
etz-swap.com, *.etz-swap.com, swap UI & assets |
Web · CDN | $5,000 / validated bug |
| Quote / route / pricing APIs · RPC or relay gateways | Backend | $5,000 / validated bug |
| WalletConnect · signing modals · permit / approval flows | Wallet | $5,000 / validated bug |
| Referral · fee · bridge callbacks | Data | $5,000 / validated bug |
Everything ETZ Swap operates — no exclusions list
Sandbox books or pool clusters, Grafana, bot hooks for risk alerts, partner APIs fronted by ETZ Swap — all eligible when critical impact reproduces.
- Vanity domains CNAME’d into ETZ Swap edge — show DNS/traffic proof in your write-up.
- Wallet connector SDKs or bookmarklets ETZ Swap ships
- Colocated market-making or liquidity pool containers they operate
- Bridge, on-ramp, or pool callbacks verified with ETZ Swap-issued secrets
Rules of engagement
- Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing fund/state impact — not paper analysis alone.
- Number your hops. Session/API primitive → escalation → treasury or book integrity break.
- Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
- Private coordination first. Use official intake on etz-swap.com before public threads.
- Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
How to submit a report
Use the security / vulnerability disclosure contact published on https://etz-swap.com/ (security@etz-swap.com is a common guess — verify on the live site before emailing). Template below.
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — trader/treasury impact in one paragraph
# Severity self-classification → must map to ETZ Swap critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, market symbol, account ID)
2. Entry primitive — HTTP/WS line + signature headers
3. Pivot(s) → privilege/order/withdraw escalation
4. Final hop → balance theft / forged payout / infra takeover equivalent
## Successful exploitation evidence
• Scripted replay showing ledger/withdraw impact
• Parallel request traces (race/double-spend)
• Custody or admin log lines proving attacker-forged intent accepted
## Reproduction package
Commands + fixtures + commit/patch SHAs
## Disclosure ack
Private channel only until ETZ Swap clears publicationQuote vignette · pair with on-chain replay receipts
Illustrative client-trusted minOut — worthless without traces showing a worse route on etz-swap.com.
// BUGGY: trusts client-supplied minOut without server re-simulation
function buildSwapTx(quote) {
return router.encodeSwap(quote.path, quote.minOutClient);
}Frequently asked questions
Is anything “out of scope” besides crime?
No discretionary product carve-outs — only legal/ethical bases. If ETZ Swap routes traffic there, document the chain until triage rejects specifics.
Theory-only reports?
No payout. $5K demands reproducible success proof.
Staging fair game?
Yes when ETZ Swap operates and labels it; mirror production auth & routing semantics.
Duplicates?
Fastest fully valid PoC wins treasury.
Lower severities?
Not under the $5K critical rubric — escalate impact or accept non-cash acknowledgement.
Critical chain + working exploit = $5,000
No narrow scope appendix — document the attack, prove it lands, file privately.