GMX

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of USD 50 000.

The following vulnerabilities are not eligible for a reward:

• Exploits that require access to the Timelock admin keys or Fast Price Feed admin keys
• Cases involving risks of losses to the GLP pool in case the assets in the pool decrease in price
• Cases involving price manipulation on exchanges
• Vesting schedules might be slightly faster for multiple deposits
• Vault.includeAmmPrice and Vault.useSwapPricing are not reset to default values for certain cases, these variables will not be used
• Vault.liquidatePosition does not pay the transaction sender for certain cases, this is intentional
• Exploits that are not economically practical to execute
• Exploits due to delays or sizes of price feed updates
• In general, we assume that the fees earned from swaps and leverage trading over a period of a few months will be larger than any potential losses from price updates, we will be analyzing past data to adjust the fees and parameters for this. Additionally, any changes relating to the minimum price movement for profit as well as the cooldown duration for redeeming GLP will only be done after this analysis. This analysis will also consider cases where opening both a long and short position within the minimum price movement may result in a higher probability of profit. Reports relating to these should be excluded.
• Calling Vault.setTokenConfig, Vault.clearTokenConfig, Vault.setTokenConfig on the same token would lead to double counting of the token amounts in GlpManager, Vault.clearTokenConfig will not be used
• GlpManager.getAum may return a slightly higher value until a liquidation occurs
• GlpManager.getAum may return a slightly lower value when there are shorts in profit but the price movement is below the 1.5% threshold
• It is possible for a user to burn and then mint GLP to frontrun price movements, the fees are assumed to be sufficient to prevent this from being profitable
• There will be some deviation of Vault.globalShortAveragePrices from the true average price if users increase their short position while the mark price is within 1.5% of their position’s average price, it is evaluated to not be economical for users to do this intentionally whether in combination with GLP minting or otherwise, GlpManager.setAumAdjustment can be used to correct this drift if required
• Vault.CollectSwapFees (_ token, feeAmount, tokenToUsdMin ( _ token, feeAmount))
• It is expected that liquidators, order executors and other keepers will validate that transactions succeed before sending them to avoid gas griefing attacks
• Exploits due to issues with hosting providers e.g. Netlify, Cloudflare Pages, IPFS and which cannot be fixed by changing any configuration on our side will be given an Informational classification, these exploits should be reported using the bug bounty program of the hosting providers instead

Payouts are handled by the GMX team directly and are denominated in USD. However, payouts are done in ETH or USDC