0x Security: Audits, Smart Contract Safety, and the Bug Bounty Program

Last updated: June 18, 2026

Security is foundational to how 0x is built and operated. This article covers how 0x keeps its smart contracts safe, what trading through 0x means for custody of your funds, and how to responsibly report vulnerabilities through our bug bounty program.

Smart contract audits

0x smart contracts undergo extensive, independent security review before and during deployment. The 0x Settler contracts have been audited by leading blockchain security firms, and the published reports are available for anyone to review.

The full set of audit reports is maintained in the 0x Settler audits directory on GitHub.

You keep custody of your tokens

Unlike a centralized exchange, which can mismanage or lose your tokens, a decentralized exchange lets you retain custody of your assets throughout the entire trading process. Trades settle on-chain through audited 0x smart contracts, and funds move directly from your wallet as part of the transaction you sign. 0x never takes custody of your assets.

Token allowances

Because swaps move tokens out of your wallet, they rely on token allowances — the on-chain permission that authorizes a contract to spend a specific token on your behalf. Understanding and managing allowances is an important part of trading safely. For details, see How to set your token allowances.

Account security

If you have a 0x Dashboard account, keep it secure and reset your password promptly if you suspect it has been compromised. See Reset your 0x.org Password.

A Note About 0x Bounties

We are committed to maintaining the highest security standards for our smart contracts. That's why we've launched a comprehensive 0x Bug Bounty Program on Immunefi, offering rewards to security researchers who help identify vulnerabilities in the 0x protocol.

0x v2 smart contracts have undergone extensive auditing: four audits conducted by three independent firms (Ourovoros, Trail of Bits, and OpenZeppelin, with Trail of Bits performing a second audit). In addition, 0x continuously leverages Dedaub's industry-leading security suite to analyze our contracts throughout development.

If you're interested in earning bounties by reporting bugs, please visit:
0x Bug Bounties Documentation

If you experience any issues registering or setting up your account with Immunefi, please contact Immunefi Support:
https://immunefisupport.zendesk.com/hc/en-us/requests/new

The 0x Bug Bounty Program on Immunefi can be found here:
https://immunefi.com/bug-bounty/0x/information/

The reporting process includes the following steps:

  1. Triaged by Immunefi

  2. Proof of Concept (PoC) required

  3. KYC required

  4. Arbitration enabled

To submit bug reports, new participants must verify their identity. Immunefi's identity verification process helps maintain trust and prevent spam submissions.

For additional guidance, please review the following Immunefi resources:
A Hacker's Guide to Submitting Bugs on Immunefi
Bug Report Submission Checklist
I've Spotted a Bug
Immunefi Terms of Use

Please note that the 0x Developer Support Team cannot accept security reports that are submitted outside Immunefi or that do not follow the specified guidelines. We strongly encourage all users to report vulnerabilities according to Immunefi's procedures.

Thank you for helping us keep 0x secure.