Bug bounty scope gap on highest-TVL contracts

dYdX v4 (dYdX Chain)'s assessment for RD-F-183 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Cantina bounty (launched 2026-05-08) explicitly covers the protocol layer at github.com/dydxprotocol/v4-chain, which includes x/clob, x/perpetuals, x/vault (MegaVault), and all other custom modules. No explicit high-TVL contract exclusions identified. The prior direct bugbounty@dydx.exchange program also covered the chain. The Feb 2026 npm/PyPI compromise affected client SDK packages, not the chain protocol layer — the protocol layer bounty coverage is intact.

Sources #

URL
dYdX Security PolicydYdX security policy docsretrieved 2026-05-17
URL
dYdX Cantina Bug Bounty — protocol layer in scopeCantina dYdX bounty program scoperetrieved 2026-05-17

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol dydx-v4 factor RD-F-183 score green collected_at 2026-05-17 09:58:47