Fund theft & database & admin access at the core
TradeAdapter is a crypto trading optimizer that aggregates liquidity, executes arbitrage strategies, manages portfolio allocations, and routes orders through connected exchange APIs. The platform concentrates sensitive user funds in hot wallets, maintains extensive database stores of user credentials, API keys, trading histories, and wallet secrets, and exposes powerful admin consoles that can override trades, adjust fees, pause withdrawals, and modify system parameters — making fund theft, database compromise, and admin access escalation the three primary bounty targets. Each demonstrated critical earns $5,000.
Materially in scope: every HTTP/S host under tradeadapter.com, trading APIs (REST + WebSocket), admin dashboards, database endpoints (including exposed management interfaces), wallet/custody infrastructure, internal ledgers, user KYC/financial data stores, signing services, trade execution bots, monitoring/alerting systems, CI/CD pipelines, cloud metadata endpoints reachable from TradeAdapter workers, and any third-party connectors that authenticate with TradeAdapter-issued credentials.
Civil exclusions only: blackmail, extortion, laundering, harming unrelated users — those are universal bans, not surface carve-outs.
Three critical targets, one bounty
Fund theft — #1 target
Hot wallets, withdrawal pipelines, trade settlement, and fee collection are prime attack surfaces. Race conditions in debit/enqueue, signature replay, wallet credential leakage, or swapping destination addresses at the right moment all qualify if proven end-to-end.
Database exploit — #2 target
TradeAdapter stores trading API keys, wallet seeds, user PII, trade history, and internal accounting. SQL injection on platform endpoints, exposed DB management ports (MongoDB/Redis/MySQL without auth), backup leaks, or misconfigured read replicas accessible from the web — demonstrate data exfiltration with row-level proof.
Admin access — #3 target
Privilege escalation to admin panels that control trade overrides, withdrawal approvals, user data exports, system configuration, and hot wallet management. Session hijacking, broken access control, SSRF into admin-only internal services, or horizontal/vertical privilege escalation — map the path from unauthenticated user to admin console control.
No fake micro-scope list
If TradeAdapter can patch it — trade engine glue to wallet cron — testers escalate until severity lands.
$5,000 per validated critical
There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel withdraw harnesses, WS replay dumps, signing traces, database query logs showing row-level data exfiltration).
Unauthorized fund withdrawal or balance manipulation at scale; full database dump with credential leakage; admin account takeover with console access; forging signed API/withdraw intents; universal read of other users' trading positions, API keys, or wallet secrets; persisted RCE in trade execution or custodian control plane; SSRF into cloud metadata or HSM/KMS bridges TradeAdapter exposes.
- Hot wallet credential theft enabling direct fund extraction
- SQL injection or NoSQL injection yielding full user/credential tables
- Admin session hijacking or privilege escalation granting console override
- SSRF from TradeAdapter workers to internal database or signing services
Full perimeter, no carve-outs
Every system TradeAdapter operates or whose security depends on TradeAdapter-issued secrets is in scope. Below is the enumerated surface, but this list is indicative not exhaustive — the spirit of the bounty is any critical impact achievable through TradeAdapter's trust boundary.
| Surface / Asset | Category | Payout |
|---|---|---|
| tradeadapter.com, subdomains, web UI, dashboard | Web | $5,000 / validated bug |
| Trading APIs (REST + WebSocket), order routing, arbitrage execution | Backend | $5,000 / validated bug |
| Database stores (SQL/NoSQL) — user data, credentials, wallet secrets, trade history | Database | $5,000 / validated bug |
| Admin consoles — trade overrides, user management, withdrawal approval, system config | Admin | $5,000 / validated bug |
| Hot/cold wallet infrastructure, signing services, key management | Custody | $5,000 / validated bug |
| CI/CD pipelines, deployment secrets, internal monitoring dashboards | Infra | $5,000 / validated bug |
| Third-party exchange/DeFi connectors authenticated with TradeAdapter-issued secrets | Integration | $5,000 / validated bug |
Fund theft race · pair with parallel request logs
Illustrative race condition on debit + enqueue payout — worthless without captures proving you can duplicate withdrawals on tradeadapter.com. The code below sketches the class of bug, not a specific finding.
```javascript
// BUGGY: non-atomic balance check + debit — parallel requests double payout
async function requestWithdraw(userId, amount) {
  const bal = await db.getBalance(userId);           // read
  if (bal < amount) throw new Error('insufficient'); // check against a stale value
  await db.debit(userId, amount);                    // write, separate from the check
  await queue.enqueuePayout(userId, amount);
}
// POC: send 10 parallel withdraw requests for the same user with the same amount
// If the balance check passes for all before any debit completes,
// each request enqueues a payout — draining more than the user's balance.
```
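As an added illustration (not TradeAdapter code), the check-then-debit sequence above sits beside an atomic conditional debit, both run against an in-memory stand-in for the database so the difference is observable: the racy path lets every concurrent request pass the check, the atomic path accepts only as many as the balance covers. MockDb, withdrawRacy, withdrawAtomic and runWithdrawals are hypothetical names; the conditional debit models a single `UPDATE ... WHERE balance >= ?` statement.

```javascript
// Added example, not TradeAdapter code. MockDb stands in for the real
// database; each method yields to the event loop once to model I/O latency.
const tick = () => new Promise((resolve) => setTimeout(resolve, 0));

class MockDb {
  constructor(balance) { this.balance = balance; this.payouts = []; }
  async getBalance() { await tick(); return this.balance; }
  async debit(amount) { await tick(); this.balance -= amount; }
  // Atomic conditional debit: after the latency, the check and the write run
  // in one synchronous step with no await between them, modelling
  // `UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?`
  // and reporting whether a row was affected.
  async debitIfSufficient(amount) {
    await tick();
    if (this.balance < amount) return false;
    this.balance -= amount;
    return true;
  }
  async enqueuePayout(amount) { await tick(); this.payouts.push(amount); }
}

// BUGGY: read and write are separate awaits, so concurrent requests that
// interleave between them all see the original balance and all pass the check.
async function withdrawRacy(db, amount) {
  const bal = await db.getBalance();
  if (bal < amount) return false;
  await db.debit(amount);
  await db.enqueuePayout(amount);
  return true;
}

// FIXED: the payout is enqueued only when the conditional debit reports success,
// so at most floor(balance / amount) requests can ever be accepted.
async function withdrawAtomic(db, amount) {
  if (!(await db.debitIfSufficient(amount))) return false;
  await db.enqueuePayout(amount);
  return true;
}

// Fire `n` concurrent withdrawals of `amount` against a fresh ledger holding
// `start`, and report what the ledger looks like afterwards.
async function runWithdrawals(impl, start, n, amount) {
  const db = new MockDb(start);
  const results = await Promise.all(Array.from({ length: n }, () => impl(db, amount)));
  return { balance: db.balance, payouts: db.payouts.length, accepted: results.filter(Boolean).length };
}

// Stand-alone run: prints the racy overdraft next to the atomic outcome.
runWithdrawals(withdrawRacy, 100, 10, 30).then((r) => console.log('racy  ', r));
runWithdrawals(withdrawAtomic, 100, 10, 30).then((r) => console.log('atomic', r));
```

A real fix also needs an idempotency key on the payout enqueue so a retried request cannot be paid twice; the conditional debit alone closes only the interleaving shown here.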
users, api_keys, or wallet_secrets tables via blind injection, that is a validated critical.
/api/admin/users/{id} or JWT with weak/leaked secret allowing privilege escalation from role: user to role: admin. If you can reach the admin dashboard and perform privileged actions, that is a validated critical.
Prove the exploit → Collect $5,000
Send full reports to security@tradeadapter.com. Every submission must contain:
- Attack chain — numbered sequence from attacker starting state to impact, with HTTP request/response pairs, code paths, and preconditions.
- Reproduction script — curl, Python, Burp collection, or HAR proving the exploit works (not a hypothetical).
- Severity justification — why this maps to TradeAdapter critical (fund theft, database breach, admin takeover).
- Suggested remediation — input validation, access control fix, rate limiting, atomic operations.
Ready to hunt?
Email your full kill chain dossier to security@tradeadapter.com
Common questions
What counts as a validated critical for TradeAdapter?
Any bug that leads to fund theft (unauthorized withdrawal or transfer of user/platform assets), database compromise (exfiltration of user credentials, API keys, wallet secrets, or trade data), or admin access escalation (privilege elevation allowing control of the platform's admin functions). The bar is end-to-end proof — not just "this endpoint looks injectable."
Is TradeAdapter's entire third-party connector surface in scope?
If TradeAdapter routes traffic through it or authenticates with TradeAdapter-issued secrets, it is in scope. The key test: does the vulnerability pass through TradeAdapter's trust boundary? If you exploit a connected exchange using credentials TradeAdapter stored, that is valid. If the exchange itself has a vulnerability that has nothing to do with TradeAdapter, that is not.
Does a database access vulnerability require full dump to qualify as critical?
No — demonstrating any user's credentials, wallet secrets, or API keys can be extracted from a database endpoint is sufficient. Extracting trade history or PII at scale also qualifies. Row-level proof that the data came from a live TradeAdapter store is required.
What does a good admin access proof look like?
A screen recording or HAR trace showing the researcher navigating from their standard user session into the admin dashboard, performing a privileged action (e.g., modifying a user's balance, pausing withdrawals, accessing all user data), and HTTP responses confirming the action succeeded. JWT or session token manipulation demonstrating privilege escalation is also valid.
Is KYC required for payout?
Yes, standard tax/compliance KYC will be required before funds are released. This is typical for any USD-denominated bounty program.
Can I test on production infrastructure?
Yes, as long as testing is lawful in your jurisdiction and you use test accounts where possible. Do not perform testing that would cause data loss for other users, DDoS, or social engineering of TradeAdapter staff. If you are unsure about a specific attack vector, email security@tradeadapter.com for clarification before proceeding.
Full TradeAdapter footprint · Email rails · Mandatory attack chain dossier.