GMX, the decentralized exchange (DEX), made headlines in 2022 when it awarded Collider Research a substantial $1 million bug bounty. This generous payout was a testament to the critical bug Collider Research uncovered in GMX’s smart contracts. The bug directly and adversely impacted how the protocol tracked outstanding debt within the system.
However, GMX has been tight-lipped about how this bug was rectified and when the patch was implemented. The bug had significant repercussions, particularly for GMX v1 liquidity providers (LPs). It disrupted the accurate calculation of quotes related to the “fair value of tokens.” More specifically, it wreaked havoc on the Global Liquidity Pool (GLP), causing it to deviate from its intended fair value.
Understanding the gravity of this situation requires a glimpse into GMX’s inner workings. The exchange supports leveraged trading with up to 50X leverage. The system meticulously tracks the debt incurred by traders and the repayment process, all driven by smart contracts. When traders enter leveraged positions, they essentially enter into debt. If market prices move unfavorably, triggering liquidation, the margin securing the leveraged position is transferred back to the protocol.
Disruptions to this mechanism can have dire consequences for GMX. They affect the exchange’s revenue and discourage liquidity providers from participating in the ecosystem.
This vulnerability was exploited in September 2022, when an unidentified attacker made off with over $570,000 from the AVAX/USD marketplace. The flaw in the GLP had a cascading effect, impacting GMX’s “minimal fee” and “zero price impact” features, which led to this significant financial loss.
GMX’s bug bounty program is a critical part of its security strategy. It’s designed to ensure that their smart contracts and applications function without weaknesses, especially considering the trustless nature of swaps. The program’s primary goal is to prevent the theft of user funds through various means, including unauthorized transfers, price manipulation of GLP, freezing, and other potential threat vectors.
Developers who participate in the bug bounty program are rewarded based on the severity of the flaws they uncover. However, their submission must be accompanied by a report demonstrating how the code error impacts the protocol. Importantly, GMX caps payouts for critical smart contract vulnerabilities at 10% of the potential damage they could cause. The maximum bounty developers can receive for identifying critical code flaws is $5 million.
In conclusion, GMX’s bug bounty program plays a pivotal role in safeguarding the integrity of its platform. It underscores the importance of transparency, security, and continuous improvement in the ever-evolving world of decentralized finance.