BugHunters — Bug Bounty Platform
    Back to Programs
    Axiom Trade

    Axiom Trade

    Crypto/DeFi

    High-performance Solana trading terminal with advanced order types, limit orders, copy trading, and real-time on-chain execution across major Solana DEXs including Raydium, Orca, and Meteora.

    https://axiom.trade

    Max Reward

    $75,000

    Total Paid

    $155,000

    Resolved

    38

    Avg Response

    1 day

    In-Scope Assets

    *

    Full pentest — all assets, trading APIs, smart contracts, wallet integrations, and backend infrastructure are in scope

    Out of Scope

    None — everything is in scope.

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (8)

    IDTitleSeverityStatusRewardSubmissions
    AXM-001Private key extraction via malicious token metadata in wallet connector
    Critical
    Open
    		$20,000–$75,0000
    AXM-002Order spoofing via unsigned transaction injection in limit order flow
    Critical
    Open
    		$20,000–$75,0000
    AXM-003Front-running attack via MEV exposure in trade execution API
    Critical
    In Review
    		$20,000–$75,0001
    AXM-004IDOR on copy trading — subscribe to private strategy without approval
    High
    Open
    		$5,000–$20,0000
    AXM-005CORS misconfiguration exposes authenticated trade history to third-party origins
    High
    Open
    		$5,000–$20,0000
    AXM-006Slippage bypass via manipulated price oracle in swap router
    Critical
    Open
    		$20,000–$75,0000
    AXM-007API rate limit bypass enabling high-frequency scraping of order book
    Medium
    Open
    		$1,000–$5,0002
    AXM-008XSS via unsanitized token symbol in portfolio P&L display
    High
    Open
    		$5,000–$20,0000

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.