Ignored bounty disclosure
dYdX v4 (dYdX Chain)'s assessment for RD-F-008 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No evidence of a disclosed vulnerability ignored before v4 exploitation. Feb 2026 npm/PyPI compromise was a client SDK supply-chain attack (wallet stealer) — not a chain vulnerability disclosure. Socket disclosed responsibly and dYdX responded promptly. No v4 post-mortem documents a disclosure-ignored pattern.
Sources
- Compromised dYdX npm and PyPI Packages — The Hacker News (2026-02). HackerNews report on dYdX supply chain. Retrieved 2026-05-17.
- Malicious dYdX Packages — Socket Security (2026-02). Socket blog on npm/PyPI compromise. Retrieved 2026-05-17.
Methodology
Determine whether any prior post-mortem documents a disclosed vulnerability that was reported to the team and not actioned before exploit.
- rubric_version: v1.7.0
- protocol: dydx-v4
- factor: RD-F-008
- score: green
- collected_at: 2026-05-17 09:58:47