Why a Bug Bounty Program?
Blockchains are permissionless systems where a single overlooked detail can have massive consequences. By running an open bug bounty, Dex223 encourages responsible disclosure and creates a win–win situation:
- Researchers get recognized and rewarded for their skills.
- The community gains a stronger, more secure platform.
- The project benefits from continuous, decentralized review beyond internal audits.
It’s not just about fixing bugs — it’s about building a culture of security-first innovation.
Rewards (primarily paid in D223 tokens)
- Critical – 30M D223
  A vulnerability that can completely break the contracts workflow.
- High – 7M D223
  Severe issue with major impact, but not platform-wide.
- Medium – 3M D223
  Could lead to loss of funds under specific conditions.
- Info – 1M D223
  Best practices, docs improvements, low-impact issues.
Payout timelines (target): Critical 1–2 weeks · High 2–4 weeks · Medium 4–8 weeks · Info 6–12 weeks.
All rewards are paid in D223 to a verified wallet.
For full details, check out our Reward Structure.
Quick Start (it’s simple)
- Go to GitHub Issues → https://github.com/rroland10/dex223-bug-bounty/issues
- Click New Issue
- Choose a template: Bug Report, Feature Request, or Question
- Fill in what you found, where it is, and how to reproduce
- Submit — our team reviews in the comments thread
No complex forms, no email templates, no PGP keys — just a GitHub issue.
Scope (what you can test)
In scope
Out of scope
- Modules: Dex223MarginModule.sol and Dex223Oracle.sol (work-in-progress, excluded)
- Social engineering (without permission)
- Physical security assessments
- Third-party services not owned by Dex223
- Known vulnerabilities in dependencies
- Denial-of-service attacks
Known issues (don’t report as new)
- Pool creation: Error when one token is ERC-20 Origin and the other is ERC-223 Origin with no existing ERC-20 wrapper.
- Auto-conversion: No auto-conversion of ERC-20 wrapper tokens to ERC-223 Origin in pools that have only ERC-20-side liquidity for an ERC-20/223 pair.
Test Environment Access
How to Write a Good Report
Include:
- Description: What’s the issue?
- Location: Which component/endpoint/contract?
- Reproduction: Exact steps, inputs, or transactions
- Evidence: PoC code, logs, screenshots, or videos
- Contact: Wallet + how to reach you
Code of Conduct (short version)
- Be respectful & collaborative.
- Stay in scope and minimize impact.
- Document clearly and be truthful.
- Follow coordinated disclosure.
- No harassment, no malicious testing, no unauthorized access.
Violations may lead to warnings, suspension, or removal (zero tolerance for harassment and destructive testing). Positive contributors can receive public recognition and community roles.
Responsible Disclosure
We value ethical security research. To protect the ecosystem:
- Most issues are publicly visible once submitted.
- For sensitive vulnerabilities, please use GitHub Security Advisories for private disclosure.
- Always follow responsible disclosure practices — no exploits in the wild, no harm to users.
FAQ (high-signal answers)
Who can participate?
Anyone except Dex223 staff/contractors, minors, or those directly involved in the reported vulnerability. You must follow applicable laws and sanctions.
How fast do you reply?
We aim to acknowledge quickly; response times vary by severity and availability. Critical issues are prioritized.
Is production testing allowed?
Limited and careful — prefer testnets/staging. Never cause damage. Coordinate immediately if you find something critical.
Can I collaborate?
Yes. List all contributors and agree on the split beforehand.
Join the Community
The Bug Bounty Program isn’t just about finding flaws — it’s about building a stronger Dex223 together.
If you’re a developer, security researcher, or DeFi enthusiast, we invite you to participate:
- Submit issues on GitHub
- Connect with us on Telegram or Discord
- Help shape the future of secure, transparent decentralized trading
Security isn’t a one-time checkbox. It’s an ongoing collaboration between developers, auditors, researchers, and the wider community. With the Dex223 Bug Bounty Program, we’re not only reinforcing our platform’s defenses — we’re also rewarding those who share our vision for a safer DeFi ecosystem.
👉 Ready to test your skills and earn rewards? Start today at our Bug Bounty Repository.