0x-logo

0x

0x provides DEX aggregation services. These services are made up of API, Web and mobile frontends, and smart contracts. The primary services that are offered include: same chain token swaps, cross-chain swaps, gasless swaps, meta aggregation swaps.

Polygon
Harmony
Polkadot
Avalanche
Defi
DEX
Solidity
Maximum Bounty
$1,000,000
Live Since
30 July 2024
Last Updated
24 July 2025
  • Triaged by Immunefi

  • PoC Required

  • KYC required

  • Arbitration enabled

Select the category you'd like to explore

Assets in Scope

Target
Type
Websites and Applications - DEX Meta Aggregator
Added on
24 July 2025
Target
Primacy Of Impact
Type
Smart Contract
Added on
30 July 2024
Target
Type
Smart Contract - 0x Settler
Added on
30 July 2024
Target
Type
Websites and Applications - Matcha website
Added on
30 July 2024
Target
Type
Websites and Applications - gasless API
Added on
30 July 2024
Target
Type
Websites and Applications - swap API
Added on
30 July 2024

Impacts in Scope

Severity
Critical
Title

Direct theft of any user funds, whether at-rest or in-motion

Severity
Critical
Title

Permanent freezing of funds

Severity
Critical
Title

Execute arbitrary system commands

Severity
Critical
Title

Retrieve sensitive data/files from a running server, such as: /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)

Severity
Critical
Title

Taking down the application/website

Severity
Critical
Title

Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information, Making trades, Withdrawals, etc.

Severity
Critical
Title

Subdomain takeover with already-connected wallet interaction

Severity
Critical
Title

Direct theft of user funds

Severity
Critical
Title

Malicious interactions with an already-connected wallet, such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions

Severity
High
Title

Temporary freezing of funds

Severity
High
Title

Injecting/modifying the static content on the target application without JavaScript (persistent), such as: HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc

Severity
High
Title

Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email, Password of the victim etc.

Out of scope

Default Out of Scope and rules

Smart Contract specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers