Mixer pools & customer routing
Motomix stresses treasury integrity and privacy-set bookkeeping together — critical bugs pay $5,000.
In scope: motomix.cc, APIs, relayers, admin tools.
Legal floor: financial crime — always off-limits.
1️⃣ Kill chain from root cause → exploit steps → measurable loss or integrity break 2️⃣ Proof the attack succeeds (replayed APIs showing balance drift, withdraw replay, admin boundary cross). Narratives without replayable exploits stall below payout threshold.
Why stress-test Motomix?
Flat $5K critical payouts
Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.
Trading + custody blast radius
Order APIs, WS books, withdraw workers — bugs cash out as silent drift until someone scripts the replay.
No fake micro-scope list
Patch surface spans pool math to payout routers — escalate freely.
Responsible disclosure halo
Demonstrated chains earn coordinated publication credit after fixes ship.
$5,000 per validated critical
There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel withdraw harnesses, WS replay dumps, signing traces…).
Unauthorized withdrawals or balance inflation at scale; forging signed API/withdraw intents; universal read of other users’ positions or deposit history; break-glass access to signing or treasury policy; persisted RCE in trading or custody control plane; SSRF into HSM/KMS bridges Motomix exposes.
- Cross-user ledger bleed, margin math desync, or duplicate settlement
- Withdraw/deposit pipeline integrity break exploitable remotely
- SSRF from Motomix workers to cloud signing metadata planes
Illustrative map (non-exhaustive)
Rows below do not cap surface. Anything Motomix hosts, signs, matches, settles, or withdraws through counts as bounty ground. “Not listed” ≠ “out-of-scope.”
| Surface | Class | Critical payout |
|---|---|---|
motomix.cc, subdomains, web app |
Web | $5,000 / validated bug |
| Mixer / exchange APIs | Backend | $5,000 / validated bug |
| Payout orchestration · relayers | Custody | $5,000 / validated bug |
| Admin & support tooling | Ops | $5,000 / validated bug |
Everything Motomix operates — no exclusions list
Sandbox books or pool clusters, Grafana, bot hooks for risk alerts, partner APIs fronted by Motomix — all eligible when critical impact reproduces.
- Vanity domains CNAME’d into Motomix edge — show DNS/traffic proof in your write-up.
- Wallet connector SDKs or bookmarklets Motomix ships
- Colocated market-making or liquidity pool containers they operate
- Bridge, on-ramp, or pool callbacks verified with Motomix-issued secrets
Rules of engagement
- Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing fund/state impact — not paper analysis alone.
- Number your hops. Session/API primitive → escalation → treasury or book integrity break.
- Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
- Private coordination first. Use official intake on motomix.cc before public threads.
- Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
How to submit a report
Use the security / vulnerability disclosure contact published on https://motomix.cc/ (security@motomix.cc is a common guess — verify on the live site before emailing). Template below.
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — trader/treasury impact in one paragraph
# Severity self-classification → must map to Motomix critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, market symbol, account ID)
2. Entry primitive — HTTP/WS line + signature headers
3. Pivot(s) → privilege/order/withdraw escalation
4. Final hop → balance theft / forged payout / infra takeover equivalent
## Successful exploitation evidence
• Scripted replay showing ledger/withdraw impact
• Parallel request traces (race/double-spend)
• Custody or admin log lines proving attacker-forged intent accepted
## Reproduction package
Commands + fixtures + commit/patch SHAs
## Disclosure ack
Private channel only until Motomix clears publicationPool release race (illustrative)
Attach parallel replay logs from motomix.cc.
// BUGGY: non-atomic balance check + debit — parallel wins double payout
async function requestWithdraw(userId, amount) {
const bal = await db.getBalance(userId);
if (bal < amount) throw new Error('insufficient');
await db.debit(userId, amount);
await queue.enqueuePayout(userId, amount);
}Frequently asked questions
Is anything “out of scope” besides crime?
No discretionary product carve-outs — only legal/ethical bases. If Motomix routes traffic there, document the chain until triage rejects specifics.
Theory-only reports?
No payout. $5K demands reproducible success proof.
Staging fair game?
Yes when Motomix operates and labels it; mirror production auth & routing semantics.
Duplicates?
Fastest fully valid PoC wins treasury.
Lower severities?
Not under the $5K critical rubric — escalate impact or accept non-cash acknowledgement.
Critical chain + working exploit = $5,000
No narrow scope appendix — document the attack, prove it lands, file privately.