Bug Bounty Program

In scope

  • On TxFlow Mainnet, security vulnerabilities that could cause loss of user funds, unauthorized state transitions, incorrect order matching, incorrect liquidation or settlement, node or API outages, state divergence, or logical errors in TxFlow Core are in scope.

  • On TxFlow Testnet, testnet-only features of TxFlow and their interaction with TxFlow Core, nodes, and API services are also in scope. Note that bounty payments for testnet-only issues may be lower than a Mainnet issue of the same severity.

  • Other experimental features on TxFlow Testnet are not in scope unless otherwise announced by TxFlow, though reports are still appreciated.

Submission process

  • Write a report describing the issue and include:

    • a clear explanation of the bug,

    • impact assessment,

    • detailed reproduction steps, and

    • a proof of concept where applicable.

  • Submit your report to [email protected].

  • If the same issue is reported by multiple individuals or entities, the first valid report received by TxFlow will be eligible for a reward.

  • Rewards, where granted, will be paid for responsible disclosure based on severity.

  • TxFlow agrees not to pursue legal action against security research conducted in good faith and in compliance with this program.

Prohibited activity

  • Testing on TxFlow Mainnet or production systems. All testing should be done on TxFlow Testnet, local forks, or other non-production environments.

  • Phishing or other social engineering attacks.

  • Extended or large-scale DDoS attacks. Testing issues involving improper handling of temporary spikes in load is allowed only to the extent reasonably necessary to demonstrate the issue and without causing material disruption.

  • Testing third-party systems, applications, wallets, browser extensions, or websites unless the reported issue leads directly to a TxFlow vulnerability within scope.

  • Submitting ransom demands or threats.

  • Publicly disclosing a vulnerability before it has been fixed and before TxFlow has authorized disclosure.

  • Threatening to publish or publishing personally identifiable information or other sensitive information without consent.

  • Exploiting vulnerabilities for personal financial gain beyond any reward available under this program.

  • Attempting to bypass these procedures or engaging in unauthorized activity outside the stated scope.

Eligibility

  • You must submit your report directly to [email protected]. Do not use external sites unless TxFlow explicitly announces an official bug bounty platform.

  • You must comply with any applicable KYC/KYB, sanctions screening, and payout procedures required by TxFlow.

  • You must be able to receive a reward through a payment method designated by TxFlow.

  • You must maintain confidentiality regarding vulnerabilities and related communications until authorized for disclosure by TxFlow.

  • TxFlow must be able to reproduce your findings. All bounty submissions will be evaluated and paid, if eligible, according to their classification. Classification examples are illustrative and subject to change.

  • Contributors to the development of the affected code are not eligible to participate in the program in relation to that code.

Ineligibility

  • Reports that lack sufficient detail, including step-by-step instructions, reproducible examples, or proof of concept.

  • Vulnerabilities that require highly unlikely or unreasonable user behavior to exploit.

  • Vulnerabilities caused by outdated software, unsupported environments, or systems no longer supported by TxFlow.

  • Vulnerabilities that rely on root access, jailbreaking, compromised end-user devices, or operator compromise unrelated to a TxFlow vulnerability.

  • Issues in third-party libraries, extensions, tools, wallets, or applications that do not lead to a direct TxFlow vulnerability.

  • Bugs or errors unrelated to security, including minor performance issues without meaningful security impact.

  • Bugs or errors contingent on extreme or unrealistic market conditions that do not reflect plausible real-world scenarios.

General conditions

  • Payment will not be made for submissions that do not meet the program’s requirements or that are excluded under the program’s scope or ineligibility criteria.

  • TxFlow reserves the right to determine the validity, classification, and reward amount of any submission at its sole discretion.

  • All submissions may be used by TxFlow for remediation, testing, and security improvement purposes.

Classification examples

  • Critical (up to 150,000 USDC):

    • significant loss of user funds,

    • unauthorized withdrawal or asset transfer,

    • violations of TxFlow Mainnet execution invariants,

    • incorrect order matching, margin accounting, liquidation, or settlement that can result in incorrect final state or financial loss,

    • permanent or repeatable state corruption on TxFlow Mainnet.

  • High (up to 30,000 USDC):

    • mainnet outage,

    • severe TxFlow Core/node/API availability failure,

    • state divergence or processing failure that does not lead to incorrect final state or direct user fund loss.

  • Medium (up to 10,000 USDC):

    • API authentication or authorization issues,

    • material data integrity issues,

    • service degradation with meaningful security impact.

  • Rewards are determined based on both impact and likelihood of occurrence, and payouts may vary within the ranges listed above.

Last updated