Paradex

Paradex Bug Bounty Program

Paradex is an advanced perp DEX built on a ZK-rollup Layer 2, combining self-custodial security with CEX-like performance through deep liquidity, portfolio margin capabilities, and innovative features like trading privacy and retail price improvement. For more information about Paradex, please visit https://www.paradex.trade/

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Conditions. The combination of these factors determines the severity and guides the reward amount.

Severity Levels

Vulnerabilities will be classified according to the following severity levels:

  • Critical
    • Direct theft of any user funds (or assets), whether at-rest or in-motion, other than unrealized PnL, with no external preconditions. The loss must be >=100,000 USD.
    • Permanent freezing of user funds
    • Protocol insolvency due to accounting errors
  • High
    • Direct theft of user funds with moderate conditions. The loss must be >=50,000 USD.
    • Temporary freezing of user funds (>7 days)
    • Theft of unrealized PnL
    • Permanent freezing of unclaimed yield
  • Medium
    • Loss of funds that requires extensive preconditions. The loss must be >=10,000 USD.
    • Smart contracts are inoperable due to a lock of funds
    • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
    • Block stuffing
  • Low/Informational
    • Minor loss of funds, where the loss is >1,000 USD
    • Issues not directly impacting user funds or protocol operations
    • Contract fails to deliver promised returns, but doesn't lose value

Impact Assessment

The severity level of a vulnerability will be determined based on both its impact and conditions:

  • Impact Factors
    • Amount of funds at risk
    • Number of users affected
    • Duration of the vulnerability's effect
    • Complexity of exploitation
    • Requirement for privileged access
  • Conditional Factors
    • Technical complexity of the exploit
    • Required preconditions for exploitation
    • Opportunity window for exploitation

Reward Structure

Reward Amounts

Rewards will be paid in USDC according to the following structure:

Severity Level    Reward Range
Critical          25,000 USD - 500,000 USD
High              10,000 USD - 15,000 USD
Medium            flat 4,000 USD
Low               flat 2,000 USD
  • Reward Calculation for Critical Vulnerabilities
    • For critical vulnerabilities, the reward amount will be calculated as 10% of the funds directly affected, up to a maximum of 500,000 USD. The calculation of the amount of funds at risk will be based on the time and date the bug report is submitted.
    • A minimum reward of 25,000 USD will be awarded for critical vulnerabilities to incentivize security researchers against withholding bug reports.
  • Reward Calculation for High Severity Vulnerabilities
    • For high-severity vulnerabilities, the reward is capped at 100% of the funds affected, up to a maximum of 15,000 USD. In the event of temporary freezing, the reward starts from the full frozen value and doubles for every additional [24h] that the funds remain frozen, up to the cap of the High reward. As the duration of the freeze lengthens, the potential for greater damage and subsequent reputational harm intensifies; scaling the reward with the frozen duration therefore gives stronger incentives to disclose bugs of this nature.
    • A minimum reward of 10,000 USD will be awarded for high-severity vulnerabilities to incentivize security researchers against withholding bug reports.

General Notes

  • Sherlock's Criteria for Issue Validity guide can be a helpful resource for more context on out-of-scope issues, etc., but nothing in the guide should overrule the definitions above.
  • A coded Proof of Concept (POC) with instructions to run the POC is required
  • If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability.

Scope

Out of scope

  • External oracles are assumed to operate correctly, remain available, and not deviate from expected behaviour. Incorrect data or pricing information supplied by third-party oracles is out of scope.
  • Vulnerabilities that have already been reported or are known to the protocol team
  • Issues that have been identified in previous audits and are pending fixes
  • Vulnerabilities in the blockchain itself
  • Issues in third-party libraries or dependencies not developed by the protocol team
  • Theoretical vulnerabilities without a working proof of concept
  • Issues requiring privileged access (e.g., governance or admin keys)
  • Economic or tokenomic vulnerabilities that do not result in direct loss of funds
  • Centralization risks inherent to the protocol design
  • UI/UX issues that do not impact security
  • Documentation errors or inconsistencies
  • Spelling or grammar mistakes
  • Issues caused by attacks requiring access to leaked keys/credentials
  • Issues submitted and eligible for rewards in the related Bug Bounty Programs here and here are considered known and out of scope. This means one cannot receive rewards for the same issues in several Bug Bounty Programs.
  • Issues from the previous audit reports (Audit report by Cairo Security Clan)

Disclosure Policy

All vulnerabilities must be reported exclusively through the Sherlock platform and must not be disclosed publicly until:

  1. The vulnerability has been verified by the protocol team
  2. A fix has been implemented and deployed
  3. The protocol team has granted explicit permission for public disclosure

Premature public disclosure can result in disqualification from the reward.

Testing

When testing for vulnerabilities:

  • Do not test on public mainnet deployments
  • Use local test environments or testnets for all testing
  • Do not attempt to access or modify other users' data
  • Do not perform any actions that could disrupt the normal operation of the protocol
  • Do not use automated scanning tools without manual verification

Prohibited actions

The following actions are strictly prohibited:

  • Attempting to access private user data
  • Social engineering or phishing attacks
  • Denial of service attacks
  • Physical or electronic attempts to access protocol's infrastructure
  • Any testing that violates applicable laws or regulations
  • Threatening or harassing behavior

Additional Context

Chains in scope

Paradex Chain

Tokens

The list of integrated tokens can be found on the website

Max Rewards

500,000 USDC

Status: LIVE

Live since: Jun 8, 2026, 7:51 PM

Last updated: Jun 8, 2026, 7:51 PM