Exchange stack & custody under review
MT Exchange inherits classic CEX risk: sessions, API keys, order and balance state, withdraw races, privileged consoles — each demonstrated critical earns $5,000.
In scope: mt.exchange, delegated subdomains, mobile or thin clients they ship.
Exclusions: crime, laundering, harassment — not vendor scope shrinkage.
1. Kill chain from root cause → exploit steps → measurable loss or integrity break
2. Proof the attack succeeds (replayed APIs showing balance drift, withdraw replay, admin boundary cross).
Narratives without replayable exploits stall below payout threshold.
Why probe MT Exchange?
Flat $5K critical payouts
Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.
Trading + custody blast radius
Order APIs, WS books, withdraw workers — bugs cash out as silent drift until someone scripts the replay.
No fake micro-scope list
If MT Exchange can patch it — books to wallet workers — escalate until severity lands.
Responsible disclosure halo
Demonstrated chains earn coordinated publication credit after fixes ship.
$5,000 per validated critical
There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel withdraw harnesses, WS replay dumps, signing traces…).
Unauthorized withdrawals or balance inflation at scale; forging signed API/withdraw intents; universal read of other users’ positions or deposit history; break-glass access to signing or treasury policy; persisted RCE in trading or custody control plane; SSRF into HSM/KMS bridges MT Exchange exposes.
- Cross-user ledger bleed, margin math desync, or duplicate settlement
- Withdraw/deposit pipeline integrity break exploitable remotely
- SSRF from MT Exchange workers to cloud signing metadata planes
Illustrative map (non-exhaustive)
Rows below do not cap surface. Anything MT Exchange hosts, signs, matches, settles, or withdraws through counts as bounty ground. “Not listed” ≠ “out-of-scope.”
| Surface | Class | Critical payout |
|---|---|---|
| mt.exchange, subdomains, trading UI | Web | $5,000 / validated bug |
| Trade & account APIs · websocket feeds | Backend | $5,000 / validated bug |
| Deposit/withdraw queues · custody | Custody | $5,000 / validated bug |
| Risk / admin consoles | Ops | $5,000 / validated bug |
Everything MT Exchange operates — no exclusions list
Sandbox books or pool clusters, Grafana, bot hooks for risk alerts, partner APIs fronted by MT Exchange — all eligible when critical impact reproduces.
- Vanity domains CNAME’d into MT Exchange edge — show DNS/traffic proof in your write-up.
- Wallet connector SDKs or bookmarklets MT Exchange ships
- Colocated market-making or liquidity pool containers they operate
- Bridge, on-ramp, or pool callbacks verified with MT Exchange-issued secrets
Rules of engagement
- Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing fund/state impact — not paper analysis alone.
- Number your hops. Session/API primitive → escalation → treasury or book integrity break.
- Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
- Private coordination first. Use official intake on mt.exchange before public threads.
- Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
How to submit a report
Use the security / vulnerability disclosure contact published on https://mt.exchange/ (security@mt.exchange is a common guess — verify on the live site before emailing). Template below.
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — trader/treasury impact in one paragraph
# Severity self-classification → must map to MT Exchange critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, market symbol, account ID)
2. Entry primitive — HTTP/WS line + signature headers
3. Pivot(s) → privilege/order/withdraw escalation
4. Final hop → balance theft / forged payout / infra takeover equivalent
## Successful exploitation evidence
• Scripted replay showing ledger/withdraw impact
• Parallel request traces (race/double-spend)
• Custody or admin log lines proving attacker-forged intent accepted
## Reproduction package
Commands + fixtures + commit/patch SHAs
## Disclosure ack
Private channel only until MT Exchange clears publication
Withdraw race vignette · pair with replay logs
Illustrative parallel withdraw — prove on mt.exchange.
```javascript
// BUGGY: non-atomic balance check + debit — parallel wins double payout
async function requestWithdraw(userId, amount) {
  // Round-trip 1: read the balance
  const bal = await db.getBalance(userId);
  if (bal < amount) throw new Error('insufficient');
  // Round-trip 2: debit. Two concurrent calls that both read the same balance
  // above both reach this line, so the account is debited twice and paid twice.
  await db.debit(userId, amount);
  await queue.enqueuePayout(userId, amount);
}
```
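The same race rebuilt against an in-memory ledger, as an added example that is not MT Exchange's code: the vignette's check-then-debit beside an atomic conditional debit, with a harness that fires concurrent withdraws and reports what actually left the account. The ledger, the `tick()` interleaving and the SQL shape quoted in a comment are assumptions for the demonstration.

```javascript
// Added example (not MT Exchange code): an in-memory ledger stands in for
// `db`/`queue`; `tick()` yields to the event loop so concurrent callers
// interleave at the same points a real DB round-trip would create.
const tick = () => new Promise((r) => setImmediate(r));

function makeLedger(initialBalances) {
  const balances = new Map(initialBalances);
  const payouts = [];
  return {
    async getBalance(userId) { await tick(); return balances.get(userId) ?? 0; },
    async debit(userId, amount) { await tick(); balances.set(userId, (balances.get(userId) ?? 0) - amount); },
    // Hardened primitive: check and write happen with no interleaving point,
    // the equivalent of `UPDATE ... SET bal = bal - $amt WHERE id = $uid AND bal >= $amt`
    // (assumed SQL shape, not a schema from the page).
    async debitIfSufficient(userId, amount) {
      await tick();
      const bal = balances.get(userId) ?? 0;
      if (bal < amount) return false;
      balances.set(userId, bal - amount);
      return true;
    },
    async enqueuePayout(userId, amount) { payouts.push({ userId, amount }); },
    balance(userId) { return balances.get(userId) ?? 0; },
    totalPaid(userId) { return payouts.filter((p) => p.userId === userId).reduce((s, p) => s + p.amount, 0); },
  };
}

// Racy shape from the vignette: balance check and debit are two separate awaits.
async function withdrawRacy(ledger, userId, amount) {
  const bal = await ledger.getBalance(userId);
  if (bal < amount) throw new Error('insufficient');
  await ledger.debit(userId, amount);
  await ledger.enqueuePayout(userId, amount);
}

// Hardened shape: one conditional debit decides; payout is enqueued only when it succeeds.
async function withdrawAtomic(ledger, userId, amount) {
  if (!(await ledger.debitIfSufficient(userId, amount))) throw new Error('insufficient');
  await ledger.enqueuePayout(userId, amount);
}

// Harness: fire `n` withdraws of `amount` concurrently against a fresh account
// holding `start`; report what was actually paid out and the closing balance.
async function raceTrial(withdrawFn, start, amount, n) {
  const ledger = makeLedger([['acct-1', start]]);
  await Promise.allSettled(Array.from({ length: n }, () => withdrawFn(ledger, 'acct-1', amount)));
  return { paid: ledger.totalPaid('acct-1'), balance: ledger.balance('acct-1') };
}
```

The gap between `paid` and the starting balance returned by `raceTrial` is the drift a replay log would show; the atomic variant closes it because no second caller can pass the check after the first write.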
Frequently asked questions
Is anything “out of scope” besides crime?
No discretionary product carve-outs — only legal/ethical bases. If MT Exchange routes traffic there, document the chain until triage rejects specifics.
Theory-only reports?
No payout. $5K demands reproducible success proof.
Staging fair game?
Yes when MT Exchange operates and labels it; mirror production auth & routing semantics.
Duplicates?
Fastest fully valid PoC wins treasury.
Lower severities?
Not under the $5K critical rubric — escalate impact or accept non-cash acknowledgement.
Critical chain + working exploit = $5,000
No narrow scope appendix — document the attack, prove it lands, file privately.