P2P exchange & escrow surfaces
LocalCoinSwap runs peer-to-peer crypto trading end to end: trade listings, escrow deposits, release authorization, dispute arbitration, fee accounting, chat mediation and API automation. That makes it fertile ground for escrow theft, unauthorized release and dispute manipulation. Each validated critical earns $5,000.
As a P2P exchange, LocalCoinSwap holds funds in escrow for every trade. Deposit tagging, the hold ledger, release triggers, dispute overrides and fee splits are all links in that chain, and every link is a bounty-relevant attack surface. In scope: every host under localcoinswap.com and its subdomains, including trading, APIs, chat mediation, admin consoles and dispute automation.
The only exclusions are conduct rules that apply regardless of the program: no theft from real counterparties (including theft-as-a-service) and no harassment of users.
Why pressure-test LocalCoinSwap?
Flat $5K critical payouts
Validated critical exploits earn exactly $5,000 USD.
Full-scope boundary
Every endpoint LocalCoinSwap operates is in-scope.
Real custody risk
Holds P2P escrow funds — every vulnerability that lets funds escape is a critical.
The critical reward benchmark
- Flat rate — no haggling over severity tags
- Paid once the kill chain is documented and the attack reproduces
- First qualified PoC wins
What's in scope
| Target | Category | Reward |
|---|---|---|
| localcoinswap.com, subdomains, web UI | Web | $5,000 / validated bug |
| P2P trade & escrow APIs | Backend | $5,000 / validated bug |
| Escrow hold ledger · release triggers | Custody | $5,000 / validated bug |
| Dispute arbitration · admin overrides | Ops | $5,000 / validated bug |
Everything LocalCoinSwap operates — no exclusions list
Sandbox escrow environments, canary wallets, Telegram/bot hooks, partner APIs fronted by LocalCoinSwap — all eligible.
- Vanity domains CNAME'd into LocalCoinSwap edge
- Escrow SDKs or bookmarklets shipped to traders
- On-ramp callbacks verified with LocalCoinSwap secrets
Rules of engagement
- Prove exploitation success. Provide scripts, HARs, parallel request captures.
- Number your hops. Session/API primitive → escrow integrity break.
- Minimize real-user blast radius. Prefer mirrors.
- Private coordination first. Use official intake on localcoinswap.com.
- Duplicate fairness. First qualifying PoC wins.
How to submit a report
Use the security disclosure contact on https://localcoinswap.com/ (security@localcoinswap.com — verify on the live site).
- Summary and type of vulnerability
- Numbered kill chain from entry to impact
- Proof of successful exploitation
Escrow release race · parallel request logs
An illustrative time-of-check/time-of-use race between the dispute check and the release. On its own this pattern proves nothing; a report is only worth filing with request captures against localcoinswap.com that show the race actually wins.
```typescript
// BUGGY: TOCTOU race. The status check, the dispute check and the payout are
// separate round trips, so two concurrent calls can both see 'held' and both
// pay, and a dispute opened after hasActiveDispute() returns no longer blocks
// the send. `db` and `wallet` stand for the trade store and hot-wallet client.
async function releaseEscrow(tradeId: string) {
  const trade = await db.getTrade(tradeId);
  if (trade.status !== 'held') throw new Error('invalid state');
  const isDisputed = await db.hasActiveDispute(tradeId);
  if (isDisputed) throw new Error('disputed');
  await wallet.send(trade.buyerAddress, trade.amount); // paid out before the state flips
  await db.updateTrade(tradeId, { status: 'released' });
}
```
Frequently asked questions
Is localcoinswap.com fully in scope?
Yes. Any host or subdomain LocalCoinSwap operates is in scope.
What qualifies as a critical?
Escrow bypass, unauthorized release, dispute manipulation, or admin account takeover.
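The release race from the section above, carried through as an added example (this is not LocalCoinSwap's code): the page's non-atomic releaseEscrow beside a version that claims the trade with one atomic conditional transition, raced in-process against parallel release requests and against a dispute opened one round trip later. The Store, Wallet, claimForRelease and openDisputeAtomic names, the in-memory store standing in for the database, and the setTimeout yields standing in for I/O round trips are all assumptions of this demo.

```typescript
// Added example, not LocalCoinSwap code. All names below are assumptions for the demo.
type TradeStatus = 'held' | 'releasing' | 'released' | 'disputed';
interface Trade { id: string; status: TradeStatus; buyerAddress: string; amount: number; }

// Yield to the event loop: stands in for a DB or wallet round trip.
const io = (): Promise<void> => new Promise<void>((resolve) => setTimeout(resolve, 0));

class Store {
  private trades = new Map<string, Trade>();
  private disputes = new Set<string>();
  constructor(trade: Trade) { this.trades.set(trade.id, { ...trade }); }

  // Non-atomic primitives, as used by the buggy releaseEscrow on the page.
  async getTrade(id: string): Promise<Trade> { await io(); return { ...this.trades.get(id)! }; }
  async hasActiveDispute(id: string): Promise<boolean> { await io(); return this.disputes.has(id); }
  async updateTrade(id: string, patch: Partial<Trade>): Promise<void> { await io(); Object.assign(this.trades.get(id)!, patch); }
  async openDispute(id: string): Promise<void> { await io(); this.disputes.add(id); }

  // Atomic transitions: check and write in one step with no await between them.
  // In-memory stand-in for `UPDATE trades SET status='releasing' WHERE id=$1 AND status='held' RETURNING *`.
  async claimForRelease(id: string): Promise<Trade | null> {
    await io();
    const t = this.trades.get(id);
    if (!t || t.status !== 'held' || this.disputes.has(id)) return null;
    t.status = 'releasing';
    return { ...t };
  }
  // The dispute side must go through the same state machine, or a dispute can still land mid-release.
  async openDisputeAtomic(id: string): Promise<boolean> {
    await io();
    const t = this.trades.get(id);
    if (!t || t.status !== 'held') return false;
    t.status = 'disputed';
    this.disputes.add(id);
    return true;
  }
}

class Wallet {
  sends: Array<{ to: string; amount: number }> = [];
  async send(to: string, amount: number): Promise<void> { this.sends.push({ to, amount }); await io(); }
}

// BUGGY (the page's pattern): status check, dispute check and payout are separate round trips.
async function releaseEscrowVulnerable(store: Store, wallet: Wallet, tradeId: string): Promise<void> {
  const trade = await store.getTrade(tradeId);
  if (trade.status !== 'held') throw new Error('invalid state');
  if (await store.hasActiveDispute(tradeId)) throw new Error('disputed');
  await wallet.send(trade.buyerAddress, trade.amount);
  await store.updateTrade(tradeId, { status: 'released' });
}

// FIXED: one atomic claim moves held -> releasing; only the request that wins the claim pays out.
async function releaseEscrowSafe(store: Store, wallet: Wallet, tradeId: string): Promise<void> {
  const claimed = await store.claimForRelease(tradeId);
  if (!claimed) throw new Error('not releasable');
  await wallet.send(claimed.buyerAddress, claimed.amount);
  await store.updateTrade(tradeId, { status: 'released' });
}

// Constructed sample trade for the demo.
const sampleTrade = (): Trade => ({ id: 't-1', status: 'held', buyerAddress: 'bc1qbuyer', amount: 0.5 });

// Fire n release requests at once (what a "parallel request capture" in a report shows); return payouts made.
async function raceParallelReleases(safe: boolean, n = 5): Promise<number> {
  const store = new Store(sampleTrade());
  const wallet = new Wallet();
  const release = safe ? releaseEscrowSafe : releaseEscrowVulnerable;
  await Promise.all(Array.from({ length: n }, () => release(store, wallet, 't-1').catch(() => undefined)));
  return wallet.sends.length;
}

// Race one release against a dispute that arrives one round trip later.
async function raceReleaseVsDispute(safe: boolean): Promise<{ paid: number; disputed: boolean }> {
  const store = new Store(sampleTrade());
  const wallet = new Wallet();
  const release = (safe ? releaseEscrowSafe : releaseEscrowVulnerable)(store, wallet, 't-1').catch(() => undefined);
  const dispute = (async (): Promise<boolean> => {
    await io();
    if (safe) return store.openDisputeAtomic('t-1');
    await store.openDispute('t-1');
    return true;
  })();
  const [, disputed] = await Promise.all([release, dispute]);
  return { paid: wallet.sends.length, disputed };
}

async function main(): Promise<void> {
  console.log('parallel releases, buggy :', await raceParallelReleases(false), 'payouts'); // 5
  console.log('parallel releases, fixed :', await raceParallelReleases(true), 'payouts');  // 1
  console.log('release vs dispute, buggy:', await raceReleaseVsDispute(false)); // paid and disputed: inconsistent
  console.log('release vs dispute, fixed:', await raceReleaseVsDispute(true));  // paid, dispute rejected
}
main();
```

Run it with ts-node or tsx. The first race is the one a bounty report would capture: five concurrent release calls against the buggy function produce five payouts of the same escrow, the fixed one exactly one. The second race is the caveat: making release atomic is not enough if opening a dispute is still an unconditional write, because a dispute that lands after the check cannot stop a payout already in flight; both transitions have to be conditional on the same `held` state. In a real deployment the atomic step is a conditional UPDATE with RETURNING (or SELECT ... FOR UPDATE inside a transaction), and the wallet send carries an idempotency key so a retry after a crash between claim and send cannot pay twice.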